Re: XP Less Secure than 98 for Sharing Files

From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 04/28/04


Date: Wed, 28 Apr 2004 06:07:25 +0200

On Sun, 25 Apr 2004 11:02:38 -0600, "Bruce Chambers"

The long and the short of it is that WinXP can't do what the older OSs
can do, and forces you to use potentially stronger alternative
approaches that you may have good reason to avoid.

> The main limitations you really need to overcome are based upon
>your limited experience with, and knowledge of, Microsoft networking.

> I'm afraid you have it backwards. WinXP, properly configured, is
>much more secure than Win9x. However, it should be pointed out that
>WinXP is a _client_ operating system, and, as such, is not designed to
>provide the full functionality of a server OS, to include more
>rigorous security permissions.

> Like WinNT and Win2K, WinXP's file security paradigm doesn't rely
>on, or allow, the cumbersome method of password protection for
>individual applications, files, or folders. Instead, it uses the
>superior method of explicitly assigning file/folder permissions to
>individual users and/or groups.

Oh, XP can be as cumbersome as hell. Ever tried chasing up settings
across multiple user accounts, or had to go deep into NTFS's per-file
permissions to fiddle with those assigned to each file? Hm.

>HOW TO Create and Configure User Accounts in Windows XP
>http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

Note that anything other than full admin rights in XP Home will mean
you lose the ability to control a number of settings in that account,
such as "show file name extensions" etc. Swap one risk for another.

>HOW TO Set, View, Change, or Remove File and Folder Permissions
>http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

Requires NTFS, which forces another trade-off; no maintenance OS,
can't formally scan for malware, limited data recovery.

>HOW TO Set, View, Change, or Remove Special Permissions for Files and
>Folders
>http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

> HOW TO Set the My Documents Folder as Private in Windows XP
>http://support.microsoft.com/default.aspx?scid=kb;en-us;298399

> Of course, if you have WinXP Pro, you can also encrypt the desired
>files/folders.

>Best Practices for Encrypting File System
>http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

> Oh, and NetBEUI is pretty much a thing of the past, useful _only_
>on small peer-to-peer networks that require no Internet access. Its
>sole virtue was that it required virtually no networking knowledge,
>beyond installing the NIC and selecting the protocol, to implement.

No, its main advantage was that it was not routable, did not carry a
wad of TCP/IP services, and could be used independently of TCP/IP.

That meant PCs could freely operate File and Print Sharing on a LAN
(via NetBEUI) while running firewall software with default settings to
manage TCP/IP risks. It meant that File and Print Sharing could be
kept off TCP/IP entirely, so even if badly configured, the Internet
would have no F&PS access unless a beach-head was established.

As it is, adding TCP/IP-only XP to an existing Win9x LAN can weaken
the security of that LAN, by forcing those PCs to use TCP/IP and thus
requiring them to open ports in the firewalls (if you know how to do
that and/or your firewall supports it) or running with no firewall.

XP may be more secure in its own world, as long as you do everything
its way, and turn a blind eye to the additional risks it opens up.

But when required to operate in the same way as existing Win9x clients
on a peer-to-peer LAN, it has limitations:
  - poor support for anything other than TCP/IP
  - can't password-block shares
  - dangerous hidden "admin" shares exposing the startup axis
  - limit of 5, not 10, incoming connects

It's a case of "be reasonable, do it my way" - and depending on your
requirements and limitations, the result may be far riskier.

>-------------------- ----- ---- --- -- - - - -
  Running Windows-based av to kill active malware is like striking
  a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -
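
Added example, not part of the original post or written by either poster: a check for the exposure described above, where File and Print Sharing rides on TCP/IP and its listeners are bound to more than the LAN interface. The netstat sample is constructed, the function names are hypothetical, and the port numbers are the standard NetBIOS-over-TCP/IP and SMB ports, which the post itself does not list.

```python
import ipaddress

# File and Print Sharing over TCP/IP: NetBIOS name (137/udp), datagram (138/udp),
# session (139/tcp) and direct-hosted SMB (445/tcp).
FPS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `netstat -an` output: one LAN NIC plus one Internet-facing adapter.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    198.51.100.23:139      0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1043       192.168.0.9:139        ESTABLISHED
  UDP    192.168.0.5:137        *:*
  UDP    192.168.0.5:138        *:*
  UDP    198.51.100.23:137      *:*
"""

def scope(addr):
    """Classify the local address a socket is bound to."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "unknown"
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "lan" if any(ip in net for net in RFC1918) else "non-lan"

def fps_listeners(netstat_text):
    """Return (proto, address, port, scope) for every F&PS listener."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # Only LISTENING TCP sockets accept new connections; UDP rows have no state.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if port.isdigit() and (proto, int(port)) in FPS_PORTS:
            found.append((proto, addr, int(port), scope(addr)))
    return found

def exposed(netstat_text):
    """Listeners reachable beyond the LAN unless a firewall blocks them."""
    return [l for l in fps_listeners(netstat_text) if l[3] != "lan" and l[3] != "loopback"]
```

Anything `exposed()` returns depends entirely on the firewall for protection, which is the trade-off the post describes when sharing moves from NetBEUI to TCP/IP.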


