Local networks often consist of a cable snaking through a building with sockets in each room into which users can plug their personal computers. Using such a network for building a coherent distributed or network operating system is difficult because the system administrators have no control over the user's machine: not the applications programs, not the system kernel, not even the choice of hardware. In this paper we discuss a general method to protect such systems against malicious users without placing any restrictions on the kinds of operating systems that can be constructed. Depending on the details of the hardware, either one-way functions or public key cryptography forms the basis for the protection. As an example of our method, we show how a traditional object-oriented capability system can be implemented on top of the basic protection mechanism, and how a service for accounting and resource control can be constructed.