Sorry to jump in like this,
If you have two cards in the machine, you definitely want to make sure you
disable routing between the cards.
>A attackker would probably use this because it is the easiest way. I'm
>not sure if Windows95 or NT can or will route pakkets between to
>segments. But a hacker can change the systems to do so.
You may want to setup system policies and machine policies using user
profiles and hardware profiles to prevent this also. It works great on NT
systems, Win95 can still be coerced, but the profiles get reloaded upon
logon again. This tends to gets users really frustrated. It also starts
to give you a good idea of who is playing around with their machine. They
will typically call you and let you know that they can't perform a specific
function that should be reserved for admin use only.
From: GRJN @
nl [SMTP:GRJN @
Sent: Monday, March 02, 1998 4:06 AM
To: Firewalls @
COM; klinec @
Subject: AW: Dial-up security breach?
In my opinion this is not very secure. It is something like guard the
frontdoor with a army and let the back door wide open.
A attackker would probably use this because it is the easiest way. I'm
not sure if Windows95 or NT can or will route pakkets between to
segments. But a hacker can change the systems to do so.
I realyze it is a problem to prevent users from getting their own dailup
account. Just offer them the same or better service from your WAN or
make it cheaper for them. Also inform them properly about the risks they
Also make it a company-rule that it is forbidden. If they break the rule
just disconnect them from yout WAN.
you have to make sure the management agree with this.
>Van: klinec @
>Verzonden: vrijdag 27 februari 1998 21:42
>Aan: Firewalls @
>Onderwerp: Dial-up security breach?
>This is a little off-topic, but I thought I would try it anyway.
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate
>Some users have decided to go out and get accounts with local ISPs and
>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>a security risk does everyone think this may be? Since these users are
>typically dynamically assigned an IP address when they log in to their
>they then have TWO IP addresses on their system. One for the network card
>and one for the dial-up PPP connection. Could an attacker use this
>situation to attack our network? How likely is this?
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>Network System Engineer
>MAPCO Coal, Inc.