In short, we have a Windows 7 and a Windows XP machine that are going to be available to whomever waltzes through the house. They both have virus protection and a firewall, but not much more. I know nothing about user accounts, and am wondering if to protect the machines (and especially one of the network file servers) I need to set one up, what to look for, and if there’s anything else I should be aware/wary of.
Detailed version is below (I never know how much/what detail is relevant). Skip the rest if the answer is clear.
We now have a Win 7 and a Win XP Pro machine in public areas of the house (i.e., not in the office). They’re set up as entertainment machines, which means that friends, parents, in-laws, babysitters, troglodytes and the occasional C.H.U.D. will have relatively unfettered access to the Web and our music server.
This scares the crap out of me.
I’m the only user on my office machine, so I’ve never thought about user accounts or privileges or what else I need to know to keep a PC safe without thinking about it. Not that I think my mother-in-law is going to hit warez sites in the kitchen, but wasn’t Comet Cursor so cute? Aren’t those pop-ups so persuasive? Hasn’t even the Board had problems with ad buys?
Here are the key pieces of hardware in the network: [ul]
[li]Linksys 310N router (mentioned because it has the NAT in it)[/li][li]D-Link Gigabit switch (I have no idea if this enters into the security question, so I thought to mention it)[/li][li]Office computers (PC, Mac, and a Linux box all in the home office so not accessible by people)[/li][li]Synology DS209 NAS (this is sacred. It’s our office file server. Damage to it would be devastating to our business.) [/li][li]D-Link DNS-321 NAS (this is the music/movie/picture server. Guests will need relatively unfettered read access, possibly write access, but NO delete access. Losing the contents of this would be emotionally devastating.) [/li][li]Linux file server (a home-built machine, as a Linux noob its security is pretty much left at the defaults. Its sole use is to backup the two NAS devices. No one outside the office should have access to it.) [/li][li]**Public machines **(HP TouchSmart running Win 7 and a home-built machine running Win XP Pro. (Neither will have files of any consequence stored on them (game saves, temp files, etc.), but I’d rather not have to reinstall the OS and applications).[/li][/ul]
[ul]
[li]The Win 7 machine has Microsoft Security Essentials and Windows Firewall running on it. [/li][li]The XP box has Zone Alarm Pro on it (but may be switching it to MSSE eventually). [/li][li]Both have Firefox with AdAware but not NoScript. [/li][li]The router has the wireless MAC filter enabled.[/li][/ul]
Basically, I want to find the balance that maximizes ease of use for the public computers with security and stability. They both need to be able to connect to the D-Link media server automatically. Neither should be able to connect to the Synology office NAS without manually logging in. This is likely a user group setting I need to make on the Synology, but if all I need to do is log in as a different user, that would be great.
Aside from virus and basic malware protection (which I’m pretty sure MSSE and Windows Firewall should take care of), the other thing that I crap myself over is some script kiddie halfway around the world scanning, exploiting, and then taking over one of the public machines to wreak havoc on the rest of the network.
I assume the way to take care of all this is through user accounts, but before I let the public loose on a machine, I thought to ask.
Thanks,
Rhythm