How can I prevent PC from seeing/connecting to other PCs on the LAN?

roman29 · 01 Mar 2011

Hey there,

I have a Windows 7 workstation that people connect to remotely via LogMeIn.

I recently decided to move it to my home LAN, because it has faster Internet than work LAN. My home LAN has many personal computers on it, with file and printer sharing enabled. Most of these shares are not password protected for convenience.

So the problem is that this workstation is able to see and connect to personal computers. I do not want this. I've temporarily password protected as many shares as I could, but it's not a permanent solution because it's a big family, and there are many computers, and I probably missed some. Unfortunately I can't use that Windows 7 homegroup sharing feature because more than half of the computers are Linux or Macs or Windows XP.

I've researched the ports used by Windows File sharing, and made an Access Control policy in my router to block IP and Port ranges specifically for this workstation, to try and prevent it from discovering my other computers, but it did not help. I suspect this network access policy only applies to IPs and Port ranges on the Internet, not on the LAN. (btw router is D-Link DGL-4300)

I'm looking for some solution either by tweaking settings in the workstation to make it blind, or making some changes with the networking gear. Or maybe there is another way of accomplishing this.

Most literature on the internet is focused on making file sharing work, but mine is working perfectly out of the box, I'm trying to brake it.

Thank you.

RayFinkle · 18 Mar 2011

Roman29, you are right about the fact that those policies on your router only affect connections from the Internet. I have never seen a SOHO router that can do those types of policies for the LAN.

I just realized you want the opposite of what I originally had interpreted your post to be. You are concerned that your Windows 7 workstation can see other workstations on your network. I am not an expert on this specific situation, but take a look at the Advanced Settings in the Windows Firewall. Specifically, look at Outbound Rules. I would consider disabling File and Print Sharing, and also the Network Discovery rules.

kegobeer · 18 Mar 2011

Why not just enable password protected sharing on all computers? Just go to each computer, enable password protected sharing, and create identical users/passwords on that computer (make a list of all users/passwords, then make sure each computer has that list on it). No one will be asked to provide a password, because if you did everything correctly that user/password exists on the target computer. However, if you keep your one computer user off the list, that user won't have access to any of the other computer files.

RayFinkle · 19 Mar 2011

That will not only be less convenient because of having to do it on all the other workstations, but then, roman29 will always have to keep up with the workstations, making sure changes aren't made that affect the security, such as replacing a workstation or adding a workstation. Don't you think it would be safer and more convenient to do it at the source?

Roman29, somthing that just popped into my head: There is another issues to consider: You probably want to block the users RDPed into your machine from accessing the GUI on your router, too? They could completely open up the firewall to that PC allowing other types of connections. They could see what clients are connected to your router, and forward ports to those workstations, and then access them. Something to think about.....