Best security practice for small networks - wifi, lan,

Solution 1:

Some suggestions:

Start by attempting to prevent physical access to the network.

  1. Place switches inside locked cabinets to prevent physical access to them.
  2. Deploy 802.1x authentication if possible for medium-sized organizations to force workstations to authenticate to the network.
    In smaller orgs, use port-security on the switches with sticky mac addresses so long as machines don't move around. Disable any unused switch ports.
  3. On your Wireless network, use WPA2 with AES and a long key (> 15)

Next, assume physical access has been obtained and limit further access.

If you do not have resources for a domain and file server and must share files between workstations, create a single (non-admin) account on each workstation with the same password that can be used to access files on different machines.
Do not allow the "everyone" group access to anything.

You can also configure your DHCP servers to deny leases to unknown clients - This doesn't stop someone with physical access from watching traffic and assigning themselves an IP, but it may slow down casual intruders.


Finally, monitor the situation to see if anyone is accessing the network that shouldn't be. One way would be to check your DHCP server leases to see if any unknown machines have requested IPs.