Re: Win9x network access works - XP doesnt

On 18 Sep 2006 10:51:21 -0700, "Paul H" <phether2002@xxxxxxxxxxx>

I've just inherited a Win9x network, W95, W98 and WMe. I can access any
PC with the "C" Drive shared using my shared password.

Don't ever full-share the whole of C:\ !!

If you do, you allow malware to be dropped into the system and
integreated into Windows so that it will be autorun from then on.

You should avoid full-sharing any part of the startup axis, i.e.:
- root of C:
- all StartUp groups
- the Windows subtree (think Win.ini, System.ini etc.)

Also, be careful to keep File and Print Sharing from being exposed to
the Internet - don't rely on passwords to block such access!

On installing a new XP PC, I cannot set the "C" Drive to be shared as
in Win 9x. It only works if I set full read/write access with no
password so anyone can modify the files.

Can anyone help?

XP Pro is so dumb, it will full-share all HD volumes behind your back
via hidden "admin shares". Hidden they may be, but the names are
always the same and thus trivial for attackers to use programatically.

First things first:

1) Make sure nothing's exposed to the Internet

If you have separate controller cards for Internet vs. LAN, then you
can unbind File and Print Sharing (F&PS) from the card that connects
to the Internet. This is what one does with dial-up.

If the same LAN card connects both your LAN PCs and the Internet, then
use the NAT feature of a router to block direct Internet access to the
PCs - else F&PS will expose RPC and admin shares to the world.

If you cannot hide behind NAT, then you could try using a network
protocol other than TCP/IP (NetBEUI or IPX) for F&PS. This works
brilliantly with Win9x, but XP has been useless at this in my
experience; even if you find the hidden and "unsupported" NetBEUI and
install it, it doesn't work, and neither does IPX.

If you are forced to use TCP/IP on the same LAN card that connects to
the Internet, then you're forced to fall back on some band-aids:
- prefer XP Home to XP Pro ad Home doesn't expose admin shares
- if using XP Pro, either use no password at all, or use STRONG pwd
- disable admin shares, but expect them to lapse into enabled
- try using firewalls to limit F&PS exposure

XP Home doesn't expose hidden admin shares over network. XP Pro will
expose them if the account password is anything other than blank - so
if you use an account password, it has to be so strong that it can't
be brute-forced or guessed by bots out there (fat chance?)

2) Try to get F&PS to work on LAN

Win9x and XP systems often don't "see" each other if they use multiple
network protocols. In theory, you should be able to force F&PS to use
IPX (or with some work, NetBEUI) while TCP/IP has no F&PS, but in
practice this doesn't seem to work in a mixed XP, Win9x environment.

F&PS must be bound to the same protocol on all PCs, and there must be
something shared on any PC that is to be seen by other PCs. The Win9x
systems must bind a network client to that protocol and the user of
the system must not cancel the login when Windows starts up.

All PCs should have unique names and IP addresses, and it's easier if
they are all using the same workgroup name. If TCP/IP is used and IP
addresses are specified, they must lie within the same netmask and use
a private range of addresses - typically 10.x.x.x or 192.168.y.x,
where the y must be same for all systems and x should be unique to
each system. Netmasks are 255.0.0.0 and 255.255.255.0 respectively.

Choose what you share with care, and use read-only shares where you
can. Note that XP cannot use the password facility that Win9x can use
to mildly control access to shares.



------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
.

Relevant Pages

  • Re: Outrageous lies from Dan Christensen: today he claims internet access in Cuba costs $5 for 2 min
    ... I know what internet access costs and can back it up with lots of sources. ... hour of internet in a Cuba hotel does NOT cost $150 as you claim as anyone can see by following these links. ... Whatever lies and insults you might put here, the facts show that you got your "red fascist but" kicked over and over again as you have here. ... various occasions (adding links that would then expose his lies, ...
    (soc.culture.cuba)
  • Re: Cubans blocked from reading blog on island life, writer say
    ... Unlike you i know what an hour internet access in a hotel costs Mr. ... I exposed Dan Christensen as a fraud in this group years ago when I ... I have also frequently exposed his lies about facts and people in SCC. ... they attack the people that expose their lies in the hope ...
    (soc.culture.cuba)
  • Re: is there a safe marshaler?
    ... > You should not want to expose a Pyro service to the internet because ... Pyro has a few features that are very powerful ... I don't think marshal is inherently insecure, ... to the internet has to be done very carefully, ...
    (comp.lang.python)
  • Re: home network behind NAT and firewall ?
    ... >> In my mind there is no acceptable reason to expose a server or workstation ... servers to their local workstations and then use them locally. ... the internet, download the files from the workstations, and do with them ... > get through whether you use NAT or not. ...
    (comp.security.firewalls)
  • Re: broadband security
    ... XP Home is said to be safe where admin shares are concerned, ... adapter's network stack. ... You can also suppress F&PS at the firewall level, ... for both LAN access and Internet access. ...
    (microsoft.public.windowsxp.security_admin)