I have a total of three PCs going through a router and I often use them to share files etc, but due to a recent virus attack I would like to isolate one of the PCs from the network so that it can't spread viruses etc through the network.

I'm guessing that once isolated it should still be able to use the printer (which is also plugged into the router) and continue to access the internet as well.

Any help would be much appreciated.

Thanks for the reply.

What I meant was that it no longer has the ability to send/receive information to the other computers as it did when I had the recent virus problem. I've tried to change the workgroup but it still seems to be able to see/view/change the other computers' information.

Hope this clears up what I mean!

  popisdead uk said:
Take it out of the same domain/workgroup. That will stop it sharing files

And where did you get that tidbit of misinformation from??

What workgroup you're in has NOTHING to do with file sharing, and to be honest neither does the domain really -- as long as you auth to the machine with a valid account you can access resources. A domain just makes it easier to give permissions since there is a central userbase.

And this clearly does not isolate the machine from possible viruses or exploits to the ports they are listening on, i.e. the file sharing ports, etc. Not having a valid account to auth with will not always protect you from a virus/exploit - but it will protect you from that machine's virus infecting every file it has permission to, depending on what account it's logged in as, etc.

So blocking the account the other machine logs in with from having file share access would provide some minor protection. But if using SFS, that's not possible -- you would need to have Pro with the ability to give different accounts different access to files/shares, etc. But that would not protect you from an exploit using the file sharing ports, etc.

If your router does not allow you to set up VLANs and put access control lists between them, then you're going to need to run software firewalls on the machines or put them behind a NAT compared to the other machine. You would then need to do a port forward to allow printer access. Quite often this is port 9100; it would depend exactly how you're sharing your printer - be it connected to a machine or on a standalone print server device, or if the printer has its own network card, etc.

Treating a machine(s) as hostile on the same local network is what software firewalls are good for! If you run software firewalls on your machines -- just use them to block access from that one machine.

One way as mentioned to put a line of protection between that machine and your other machines is to put the other machines behind another nat router.

Example layout: [attached image]

But I would REALLY NOT suggest this -- since the double nat comes with quite a few of its own headaches. Your best bet is to get a router that supports lan to lan firewall rules. There are few out there -- but not recalling any model numbers off the top of my head.. Would have to look around for one that does -- but they are out there for sure. What router do you have now?

Believe me -- I would love to get off the soapbox about FUD -- but it seems no matter how many times you state FACT and discredit FUD, it still manages to stay around. And the misconceptions about what a workgroup is and does just never seem to go away -- Arrrghhh ;)

I would love to know what you thought the question was asking -- that suggesting a different workgroup or domain would isolate it.

  technics said:
I have a total of three PCs going through a router and I often use them to share files etc, but due to a recent virus attack I would like to isolate one of the PCs from the network so that it can't spread viruses etc through the network.

I'm guessing that once isolated it should still be able to use the printer (which is also plugged into the router) and continue to access the internet as well.

Any help would be much appreciated.

So you want to stop computer (1) from giving its virus to computers (2) and (3) on the network, but still want it to spread the virus to the internet?

You do know they make good FREE anti-virus software don't you? Right here on Neowin.

  BudMan said:
Believe me -- I would love to get off the soapbox about FUD -- but it seems no matter how many times you state FACT and discredit FUD, it still manages to stay around. And the misconceptions about what a workgroup is and does just never seem to go away -- Arrrghhh ;)

I would love to know what you thought the question was asking -- that suggesting a different workgroup or domain would isolate it.

I honestly don't know mate. It was early this morning when I read it. I think I thought he meant, .... I have no idea. Really.

If I had read it properly I would have seen what he was trying to do, and I would have ignored it.

Follow up: Router that supports lan to lan firewall rules. Yes, I know this model is EOL, but it's an example of what I was talking about with lan to lan rules on a home priced router.

[attached image]

Also if your router will run dd-wrt or openwrt you can set up VLANs and use iptables to deny specific traffic between the VLANs, etc. Not sure if tomato can do this?

So you can accomplish what you want fairly simply with home priced network equipment to be sure. I do not believe the current web UI to dd-wrt supports lan to lan firewall rules? But it can be done from the command line after a bit of reading for sure. Or I do believe you can run Firewall Builder on it, http://www.dd-wrt.com/wiki/index.php/Firewall_Builder, which would give you a GUI for building your rules.

Another option would be to run a Linux distro as your router; ipcop I know allows for multiple segments and then rules between them. Any of the router distros should be able to do something as basic as this.

What I would suggest, if your current router does not support either dd-wrt or lan to lan rules, is, since you would need to buy another router to use the double NAT method anyway, to purchase one that allows for lan to lan filtering, or one that supports 3rd party firmware that will allow you to do it.

Thanks for that.. (just going out atm and will read your post when I return)

I just had a quick idea, which is probably very silly but thought I might ask anyway. Would disabling/removing File and Printer Sharing for Microsoft Networks in the Local Area Connection properties help solve the problem I'm having?

On which machine? On the machine you're worried about, or the other machines? If you turn off file and print sharing on the machine you're saying is hostile -- that does not prevent some type of infection from doing anything -- just that it would not be able to use the built-in file and print sharing to do it.

But without knowing exactly which infection you're looking to protect against.. You would need to understand its method of spreading to know if that could stop it.

Now doing it on the 3 other machines would prevent them from listing, and or anything from accessing file shares, etc.. EVEN yourself for your legit use, etc.. It's a pretty harsh fix -- and this does not mean that they would still be safe from any type of infection the other machine might pick up that uses say an RPC exploit, to compromise the other machines.

You need to isolate the friendly machines from the hostile machine. This can be done with firewalls on each of the friendly machines, or with firewall between them (the lan to lan rules example) or by putting the friendly machines behind a nat to the network the hostile machine is on, etc. etc.
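
The lan to lan filtering discussed in this thread (VLANs plus iptables on dd-wrt/openwrt, with the printer still reachable on port 9100), sketched as an added example that is not from any poster. The interface names `br0`/`br1` and the addresses are assumptions, and `verdict` is a simplified first-match model for checking rule order, not iptables itself.

```shell
#!/bin/sh
# Added example. Interface names and addresses are assumptions, not values
# from the thread; adjust them to the router's actual bridge/VLAN layout.
TRUSTED_IF="br0"           # assumed: segment with the friendly PCs and printer
QUARANTINE_IF="br1"        # assumed: VLAN holding the suspect PC
PRINTER_IP="192.168.1.50"  # constructed address
PRINTER_PORT="9100"        # raw-printing port mentioned in the thread

# Emit the FORWARD rules in evaluation order (first match wins). Traffic from
# the quarantine VLAN to the WAN is not touched, so internet access remains.
isolation_rules() {
    base="-i $QUARANTINE_IF -o $TRUSTED_IF"
    # 1. Replies to connections that a friendly PC opened itself.
    echo "iptables -I FORWARD 1 $base -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. New connections from the suspect PC to the printer port only.
    echo "iptables -I FORWARD 2 $base -p tcp -d $PRINTER_IP --dport $PRINTER_PORT -m state --state NEW -j ACCEPT"
    # 3. Everything else toward the trusted segment, file-sharing ports included.
    echo "iptables -I FORWARD 3 $base -j DROP"
}

# True when the rule lacks the option, or carries it with exactly this value.
opt_ok() {  # args: rule option value
    case "$1" in
        *" $2 $3 "*|*" $2 $3,"*) return 0 ;;
        *" $2 "*)                return 1 ;;
        *)                       return 0 ;;
    esac
}

# Model what happens to one packet going from the quarantine VLAN to the
# trusted segment. Args: proto dst_ip dst_port conn_state (NEW|ESTABLISHED)
verdict() {
    isolation_rules | while read -r rule; do
        opt_ok "$rule" -p "$1" && opt_ok "$rule" -d "$2" &&
        opt_ok "$rule" --dport "$3" && opt_ok "$rule" --state "$4" &&
        { echo "${rule##* -j }"; break; }
    done
}

# Print the rules for review before loading them on the router.
isolation_rules
```

Because the first matching rule decides, the DROP must come after the printer exception; loading the same three rules in reverse order would cut off printing as well.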
