Close the Microsoft Backup dialog box.

Part VI ✦ Managing the Network

Chapter 22 ✦ Using Network Management Tools

Optimizing the Network

You can take some steps to optimize a network that is sluggish. Sometimes, just adding some memory helps. At other times, however, you might have to add more hardware to keep the network running smoothly. You should weigh the benefits against the cost. Adding hardware isn’t a cheap way to optimize your network, but you might not think the network is slow enough to warrant these measures.

✦ Most computers are at the least Pentium III and the newer ones are Pentium 4’s and 5’s. There are also Celeron processors, which are good for home and even small-business computers but are a bit limited in some areas, such as with some computer games and with heavy-duty accounting, graphics, or mathematics programs. Xeon is the most developed processor you can get now, and it’s more in the range of a server processor because of its power, speed, and cost. Stick with Pentium to optimize network and computer efficiency.
✦ Add memory to your computers if you have less than 128MB; 256MB or more is better.
✦ Break up large files — video, music, data, and so on — to help reduce network traffic. If, for example, someone uses a lot of video files each day, try saving the files to a faster computer or to the user’s computer instead of running the files over the network.
✦ Consider changing your network design. If you’re using phone line networking and you want a faster transmission speed, consider going to 10Base-T. If you’re using 10Base-T, consider changing to 100Base-T.
✦ If you’re using multiple protocols — such as NetBEUI and IPX/SPX or TCP/IP and NetBEUI — consider changing over to just one protocol. This change could eliminate many bottlenecks and improve performance. Choose TCP/IP for the most flexibility and efficiency and remove the other, unused protocols from your computers. Extra protocols on a computer might slow the processing.

Understanding Pretty Good Privacy

Pretty Good Privacy, commonly known as PGP, is a utility that enables computers to exchange messages, secure files, and use network connections with privacy and strong authentication. PGP uses verification of individuals through authentication and encryption of data using keys. In addition to verifying those computers and users from whom you receive messages and files, PGP also stores the encrypted data on your computer, guaranteeing privacy from hackers.

PGP uses encryption and decryption keys to ensure privacy. The keys are a pair of mathematically related cryptographic keys. PGP uses a public key for the encryption. Public keys are published on many Internet sites and even on private servers, if you have a PGP or other secure program. You freely distribute your public key so it can be seen and used by all users.

A corresponding private key is used for decryption. The private key is unique; it remains on the individual user’s PC. Private keys are securely protected. Private keys are located in a keystore, which is protected by many security measures. Anyone who attacks your computer needs the physical keystore to decrypt your files. With PGP, your server or computer generates a public key that it sends to others over the network, Internet, e-mail, and so on. Others use that public key to encrypt data and then send it back to you. You are the only one with the private key; therefore, you are the only one who can decrypt the files.

Some PGP programs are freeware, or you can pay for programs that offer similar and often more intricate features. PGP is a basic program you can use with Windows, Macs, and many Linux distributions. Generally, the freeware is for use by individuals as opposed to corporations. For more information about freeware, see www.pgpi.org.

PGP comes in the simplest of versions, such as GnuPG, for example.
GnuPG (Privacy Guard) is a command-line utility that is a basic PGP utility for open source programming. GnuPG does not use the IDEA algorithm, which makes true PGP what it is. IDEA is a 128-bit encryption that is patented for use with PGP.

Many varied other PGP versions exist, some freeware, some shareware, and some commercial products. The most recent release of a commercial product is PGP version 8.0, for Macs and Windows users. You can purchase a single seat license for individual or small-business use for around $50. PGP 8 encrypts e-mail, files, instant messages, plus it enables you to manage your PGP keys. PGP 8 also encrypts data on your computer so that it cannot be hacked.

There are other forms of encryption and protection over the Internet or on your own network. Certificates and digital signatures are two additional methods you can use to secure your data. For more information, see the sidebar “Certificates and Digital Signatures” or see www.articsoft.com.

Certificates and Digital Signatures

Public Key Infrastructure (PKI) is a security solution that provides digital security through authentication, data integrity, data confidentiality, and access control. The main question about your security structure is who should you trust? Certificates and digital signatures are a part of PKI that enable you not only to know who has access to your data but also to control who has access to your data.

A user who wants to take part in a specific PKI generates a public and private key pair; actually, a software program generates the keys and performs all of the encryption, decryption, signing, and so on, in the background. Anyone can get ahold of the public key, but only the original user and the certificate authorities (CAs) have access to the private key. The public key encrypts the data; the private key decrypts data. To someone who does not have the private key, the encrypted data is worthless.

With the private key, the sender puts a digital signature on data and files as a stamp of sorts, saying that data and signature is uniquely that user’s.

Certificate authorities are the delivery and administration mechanism for certificates (also called digital certificates). The certificate is a file containing information identifying the sender and the public key. The CA is a trusted third party that verifies the information. So when you receive data using PKI, the CAs have verified that the data is from who it says it’s from. Data not matching the appropriate certificates and digital signatures does not make it through the certificate authorities.

Monitoring on the Mac

Apple has created many system monitors for the Macintosh. Some, as with Windows system monitors, analyze on the computer; but many system monitors manage the network as well as the computer. Most of the network monitors you find are for the Mac OS X, although you can search the Internet and find monitors for earlier Mac operating systems. Many Mac monitors employ PGP.

✦ InterMapper is one of the most common and popular shareware programs. Made by Dartware, LLC, InterMapper shows you a graphical view of your computer network, including routers, servers, workstations, and so on. InterMapper includes an auto-discovery feature that locates your resources and creates the network map for you. It also uses various built-in network probes, such as ping and SNMP, to help you locate connection problems, track e-mails, and find failed network components (www.intermapper.com).
✦ AysMon (Are You Serving Monitor) is one system monitor that also analyzes the network. Not only can you monitor your Cable or DSL connection, you can also learn about other network services, such as login, disk space usage, and open network ports. AysMon is manufactured by Pepsan Associates, Inc., and it is freeware. AysMon requires Mac OS X version 10.x or higher. You can get it from www.apple.com.
✦ Net Monitor, by Guy Meyer, is a shareware program for Mac OS X 10.1 or later. Net Monitor uses various graphs to display network information, such as network configuration, location, data throughput, and so on. For a single-user version, Net Monitor costs around $8 if you plan to continue using it after you try it out (www.macupdate.com).
✦ LoginManager is another application for the Macintosh that is also shareware. Made by Bright Light Software, LoginManager enables you to limit login time for each user, monitors disk usage for each user, and displays a basic login time accounting (www.zope.org).
✦ Granet (Graph Networking) is a freeware utility by Pepsan Associates, Inc. Granet is a utility that displays the throughput of active computers on the network in a graph. Granet works with Ethernet, AirPort, and PPP (www.pepsan.com/granet).

Considering Linux Network Monitoring

You can find many Linux network-monitoring utilities available on the Internet. Linux utilities are GNU General Public License, which means you can download and use the utilities for free. Make sure you match the utility with your distribution of Linux.

✦ InterMapper, as described in the previous section, also includes installers for Red Hat, Debian, Mandrake, and other Linux distributions. As a network monitor, InterMapper works well for Windows, Macs, and Linux (www.intermapper.com).
✦ Another monitoring utility is Iperf. Iperf measures bandwidth, data loss, and more in a Linux, Mac, or Windows environment. Iperf is copyrighted under the University of Illinois and is a GNU General Public License utility.
✦ nPULSE is a Web-based network monitor for Linux distributions. The utility monitors hundreds of sites on multiple ports. There have been problems with nPULSE and Red Hat and other distributions; make sure you read all the information you can before using any utility or application with your Linux distribution (www.graal-npulse.com).
✦ NetWatch, Cricket, and IPTraf are more examples of Linux-based network monitoring utilities (www.linux.org). You’ll need to do research on your distribution to see which monitor best suits your network.

Summary

In this chapter, you’ve learned about applications you can use to monitor a network. Specifically, the chapter covered the following:

✦ Windows Net Watcher, Local Area Connection status, and Network Diagnostics
✦ System Monitor
✦ Monitoring on Macs and Linux

In the next chapter, you learn about the System Policy Editor and how to control users on your LAN.

✦ ✦ ✦

Chapter 23

Using Policies to Secure Windows

In This Chapter
Understanding policies
Using the System Policy Editor
Using Group policies
Configuring computer security

If someone on your network tends to experiment with the computer settings or change configurations that he or she shouldn’t, you can limit that person’s access to one or all computers. Suppose someone gets into your system, such as a friend or relative? You can protect the computers on your network from prying eyes. You can even prevent accidental deletions and changes, using policies for security in Windows.

Understanding Policies

The Windows operating system uses policies to control users, computers, and access to data. Policies are Windows’ way of managing computers and users. User or group policies define limits and permissions for users, such as the user’s desktop environment or Start menu options. Windows also uses local computer policies, which define application and security settings, permissions for folders and files, and so on.

Windows 98 enables you to use the System Policy Editor to manage policies for both users and computers. Windows 2000 and XP use a Group Policy Editor for similar configurations.

Some of the policies you can edit and manage are as follows. Some of these settings are available only in Windows 2000 and XP.

✦ Account policies — Manage settings on passwords, such as password age, length, encryption, and so on; edit account lockout settings that govern if and when a user account is turned off; and set Kerberos policy, which is an authentication service that allows users and services to authenticate themselves and each other.
✦ Local policies — Configure settings for user rights, such as accessing the computer from the network, backing up files on the network, changing system time, creating shared objects, and so on; edit security options, like renaming accounts, auditing services, and controlling devices; and set audit policies, such as what services or activities are monitored.
✦ Event log settings — Set and manage configuration of the event log, such as the log size, how long the log is maintained, and so on. The event log contains information about applications, the system, and security.
✦ Restricted groups — Defines who is a member of a restricted group, such as administrators or other security-sensitive groups.
✦ System services — Are mini-programs the operating system runs to perform activities to keep your computer working. Services work in the background, and they include such tasks as system processes, print spooling, and so on. System services policies enable a person to start, pause, or stop system services.

Note
For your home network, you need worry only about local policies. You might want to keep a teenager or his friends from editing files on the server or renaming user accounts. In general, if your home network consists of adults, such as your spouse and grandmother, you don’t have to worry about security from within.

Small Business Tip
In your small-business network, consider which computers need the most protection. For example, the server and the payroll and accounting computers most likely need the most protection. In these cases, you make sure security on these computers is tighter by applying more policies and fewer permissions.

Understanding the System Policy Editor

The System Policy Editor is a network administration program you can use with a client/server network and Windows 98. Using the System Policy Editor, you can configure settings that control individual users, individual computers, or groups of users. As administrator of the network, you can override any local settings a user might make, such as standard desktop settings, hardware configuration, and Windows environment settings.

Note
The administrator is the person in charge of the network. Administrators troubleshoot connection problems, upgrade applications, set up networking hardware and software, and so on. They also have special permissions and access to computers on the network.

Encryption, Authentication, and Cryptography

As you read and learn more about security with your computer and networks, you’ll see more and more about encryption, authentication, and cryptography. Cryptography is actually a means of keeping communications private. There are many contributing elements to good cryptography, two of which include encryption and authentication:

✦ Encryption is a method of transforming data so that it is impossible to read without the exact decryption method, or key. Encryption is meant to ensure privacy in data transmission. With a key, decryption is possible; decryption transforms the encrypted data back to a readable form.
✦ Authentication is a method of ensuring you are who you say you are. You might sign your name to a contract, for example, thus authenticating yourself. Electronic authentication uses digital signatures or digital timestamps to authenticate data traveling over the Internet, a network, an intranet, and so on.
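The key-pair encryption and digital signatures described in this sidebar and in the earlier PGP and PKI discussion can be seen in a few lines of textbook RSA. This is an added example, not from the book and not PGP's actual algorithms: the tiny fixed primes and the names ALICE_* and OTHER_* are constructed for illustration and are far too small to protect anything.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private) keys related by e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (e, n), (d, n)

def encrypt(public_key, message):
    """Anyone who holds the public key can encrypt a short message."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    """Only the matching private key turns the ciphertext back into bytes."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    """SHA-256 of the message, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """The signer applies the private key to the message digest."""
    d, n = private_key
    return pow(digest(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone can check the signature with the signer's public key."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)

# Constructed sample keys built from small Mersenne primes.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**19 - 1, 2**17 - 1)

if __name__ == "__main__":
    note = b"pay Bob 10"
    sealed = encrypt(ALICE_PUBLIC, note)
    print("right key :", decrypt(ALICE_PRIVATE, sealed))
    print("wrong key :", decrypt(OTHER_PRIVATE, sealed))
    stamp = sign(ALICE_PRIVATE, note)
    print("signature valid   :", verify(ALICE_PUBLIC, note, stamp))
    print("tampered message  :", verify(ALICE_PUBLIC, b"pay Bob 99", stamp))
```
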
Chapter 23 ✦ Using Policies to Secure Windows

You can use the System Policy Editor on a Windows 98 or NT computer. The policies you set, however, apply only to other computers with the same operating system. In other words, a Windows 98 computer must create the policy files for other Windows 98 computers. Windows 2000 and XP, Macintosh, and Linux are not affected by the System Policy Editor. Additionally, all computers must be on a client/server network run by a network operating system (NOS).

You can place the policies on a server and set them to download onto individual computers as they log on. When a user logs on to the server, the server authenticates him or her, and then downloads the System Policy Editor file that controls the user’s computer and settings. The System Policy Editor is a simple way to edit the Registry files on your computers. Registry files control all settings and the environment display, colors, and other configurations for the computer.

You must be careful with the System Policy Editor; it’s a powerful tool. Install it on only one computer on the network, and make sure that you restrict access to the System Policy Editor files. Before you create a system policy file, back up your Registry files. See Chapter 21 for information about backing up files and folders.

Changing user policies

Following are some policies you can control with the System Policy Editor:

✦ Keep users from changing the Control Panel settings.
✦ Prevent users from accessing applications and Windows features.
✦ Force users to use the same desktop environment.
✦ Control the menus a user can access.
✦ Hide the Start menu subfolders.
✦ Remove the Run command.
✦ Remove the Taskbar from the Settings menu you access from the Start menu.
✦ Hide all drives in the My Computer window.
✦ Hide all desktop items.
✦ Disable the Shutdown command.
✦ Prevent the user from viewing or using the Display, Network, Passwords, Printers, and System icons in the Control Panel.
✦ Restrict the user’s use of wallpaper or color schemes.
✦ Disable the Registry Editor.
✦ Disable the MS-DOS prompt.

Most of these settings are to keep users from modifying settings on their own computer. Some of the restricted activities, such as changing the Registry, could be dangerous. Many of the settings you can apply, however, take the user’s fun out of working with the computer and with Windows. You probably won’t want to apply these restrictions to a home-networked computer.
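Because the System Policy Editor works by editing the Registry, you can check which of the restrictions listed above are actually in force by reading an exported Registry file. The following is an added example, not from the book: the value names (NoRun, NoClose and so on) do not appear on this page and are the commonly documented Windows policy values, so confirm them for your Windows version, and the sample export is constructed.

```python
import re

POLICIES = r"\software\microsoft\windows\currentversion\policies"
# Assumed mapping (not from the book): (subkey, value name) -> restriction.
POLICY_VALUES = {
    ("explorer", "norun"): "Run command removed",
    ("explorer", "noclose"): "Shut Down command disabled",
    ("explorer", "nodesktop"): "All desktop items hidden",
    ("explorer", "nodrives"): "Drives hidden in My Computer",
    ("explorer", "nosettaskbar"): "Taskbar removed from Settings menu",
    ("system", "disableregistrytools"): "Registry Editor disabled",
    ("winoldapp", "disabled"): "MS-DOS prompt disabled",
}

def parse_reg(text):
    """Yield (key path, value name, integer) for every dword value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)):
            yield key, m.group(1), int(m.group(2), 16)

def active_restrictions(text):
    """Return the restrictions whose policy value is present and non-zero."""
    found = set()
    for key, name, value in parse_reg(text):
        head, _, sub = key.lower().rpartition("\\")
        if head.endswith(POLICIES) and value:
            label = POLICY_VALUES.get((sub, name.lower()))
            if label:
                found.add(label)
    return sorted(found)

def hidden_drives(mask):
    """Decode a NoDrives bitmask: bit 0 is A:, bit 1 is B:, and so on."""
    return "".join(c for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ") if mask >> i & 1)

# Constructed sample export; the last key is outside Policies and must be ignored.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000000
"NoDrives"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Explorer]
"NoRun"=dword:00000001
'''
```

Calling `active_restrictions(SAMPLE_REG)` lists the restrictions that are switched on in the sample, and `hidden_drives` turns a NoDrives value into the drive letters it hides.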