Win XP, NAT, DSL and File Sharing


QuickHare

Yup, this is a common question raised, but this one is slightly different as I
hope someone out there can just read through what I write and confirm or correct
my understanding. Also, any names of systems, workgroups, user accounts, etc. are
used for generic reasons so others can learn too, and the set-up does not use
any default names for security (e.g., not on the Workgroup workgroup).

---

Right, I have two machines, A and B. A is a desktop machine, B is a laptop. Both
run Windows XP Home SP2 with all the updates fully installed and working great. A
(desktop) is connected to a router by wire (ethernet cable). B (laptop) is
connected via a wireless connection to the router, set up with passwords,
encryption and MAC filtering (to keep the unwanted connections out). The router
is a DSL/cable router with built-in hardware firewall and NAT (network address
translation). It connects to the internet.

Now, I wish to allow B to see the entire hard disks of A using File and Printer
Sharing. On looking into this, it is a bad idea when connected directly to the
Internet. However, I have found a Scope button in the Exceptions tab of the
Windows XP firewall, which I can limit to the local IP addresses only
(which are not likely to change).

So.......
Can I do the following safely with no trouble outside?

1. Enable File and Print Sharing.
2. Change the scope settings to only allow it to be open for my known computers
on my local network.
3. Using this, share the root of all hard drives.

Any help would be appreciated.

QuickHare
 
From: "QuickHare" <[email protected]>

| Yup, this is a common question raised, but this one is slightly different as I
| hope someone out there can just read through what I write and confirm or correct
| my understanding. Also, any names of systems, workgroups, user accounts, etc. are
| used for generic reasons so others can learn too, and the set-up does not use
| any default names for security (e.g., not on the Workgroup workgroup).
|
| ---
|
| Right, I have two machines, A and B. A is a desktop machine, B is a laptop. Both
| run Windows XP Home SP2 with all the updates fully installed and working great. A
| (desktop) is connected to a router by wire (ethernet cable). B (laptop) is
| connected via a wireless connection to the router, set up with passwords,
| encryption and MAC filtering (to keep the unwanted connections out). The router
| is a DSL/cable router with built-in hardware firewall and NAT (network address
| translation). It connects to the internet.
|
| Now, I wish to allow B to see the entire hard disks of A using File and Printer
| Sharing. On looking into this, it is a bad idea when connected directly to the
| Internet. However, I have found a Scope button in the Exceptions tab of the
| Windows XP firewall, which I can limit to the local IP addresses only
| (which are not likely to change).
|
| So.......
| Can I do the following safely with no trouble outside?
|
| 1. Enable File and Print Sharing.
| 2. Change the scope settings to only allow it to be open for my known computers
| on my local network.
| 3. Using this, share the root of all hard drives.
|
| Any help would be appreciated.
|
| QuickHare
|

Yes, it can be done safely.
To increase your security I always suggest blocking TCP and UDP Ports 135 ~ 139 and 445 on
*any* SOHO Router.

Since you are running XP HE, I don't think admin shares like c$ are created so you will have
to actually share the root of drive "C:". Just make sure both PCs have the same named
account and the same password and you will access data with no problems. I do suggest that
you use passwords on all accounts, disable the "guest" account and use strong passwords on
the accounts.
 

| Yes, it can be done safely.
| To increase your security I always suggest blocking TCP and UDP Ports 135 ~ 139 and 445 on
| *any* SOHO Router.

I'm not too up with all my abbreviations. What is SOHO? I take it you mean the
router is to block anything on the File and Print Sharing ports (the ones you
listed) from crossing the boundary from local to internet connection?

| Since you are running XP HE, I don't think admin shares like c$ are created so you will have
| to actually share the root of drive "C:". Just make sure both PCs have the same named
| account and the same password and you will access data with no problems. I do suggest that
| you use passwords on all accounts, disable the "guest" account and use strong passwords on
| the accounts.

When I shared before (for a few minutes to transfer a few files), I had FAT32 on
computer "B". I managed to copy into it from "A", but not the other way round.
Was this because Windows didn't let me access an NTFS filesystem from a FAT32 or
something?

I have used the same password, which is strong, and the Guest is off. I've set a
strong password for the Admin account. Some accounts do not have passwords as it
is a shared machine. Is it still safe considering the IP filtering the firewall
will be doing?

QuickHare
 
From: "QuickHare" <[email protected]>


Replies are inline...


|
| I'm not too up with all my abbreviations. What is SOHO? I take it you mean the
| router is to block anything on the File and Print Sharing ports (the ones you
| listed) from crossing the boundary from local to internet connection?
|


SOHO -- Small Office Home Office.
Yes, specifically blocking those ports will block NetBIOS over IP, RPC and SMB over IP.
Thus no MS Networking leaks out to the Internet and hackers and Internet worms (Sasser,
SDbot, Lioten, Blaster, etc.) can't get in.

|
| When I shared before (for a few minutes to transfer a few files), I had FAT32 on
| computer "B". I managed to copy into it from "A", but not the other way round.
| Was this because Windows didn't let me access an NTFS filesystem from a FAT32 or
| something?
|
| I have used the same password, which is strong, and the Guest is off. I've set a
| strong password for the Admin account. Some accounts do not have passwords as it
| is a shared machine. Is it still safe considering the IP filtering the firewall
| will be doing?
|
| QuickHare
|

No. Once you set up F&P Shares the OS handles File Allocation therefore it doesn't make a
difference if the PC/notebook is NTFS or FAT32.

I suggest all accounts have passwords. It is the safe way to compute. One must *always*
practice Safe Hex. Having a FireWall on the LAN/WAN will help with Internet intrusions but
it does nothing for security on the LAN side of the Router.
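
An added illustration, not part of the thread: a simplified Python model of the two filtering layers discussed above, the router blocking ports 135-139 and 445 and the Windows Firewall Scope list on machine A. The addresses, the 192.168.1.0/24 subnet and the function names are assumptions made for the example.

```python
import ipaddress

# Ports the reply suggests blocking at the router (TCP and UDP 135-139, 445).
ROUTER_BLOCKED_PORTS = set(range(135, 140)) | {445}

def parse_scope(scope, local_subnet):
    """Parse a comma-separated scope list into networks.

    Entries may be a single address, address/mask, address/prefix, or the
    keyword LocalSubnet (resolved to local_subnet, an assumed value).
    """
    nets = []
    for item in (part.strip() for part in scope.split(",")):
        if not item:
            continue
        if item.lower() == "localsubnet":
            item = local_subnet
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def decide(src, port, from_wan, scope_nets, router_filters=True):
    """Name the layer that stops a connection to machine A, or 'allowed'."""
    if from_wan and router_filters and port in ROUTER_BLOCKED_PORTS:
        return "blocked by router"
    if not any(ipaddress.ip_address(src) in net for net in scope_nets):
        return "blocked by firewall scope"
    # Scope only matches the source address; the share still relies on
    # account passwords to decide who may read the files.
    return "allowed"

# Constructed sample traffic: (description, source IP, port, arrives from WAN)
ATTEMPTS = [
    ("laptop B", "192.168.1.11", 445, False),
    ("other LAN host", "192.168.1.50", 445, False),
    ("Internet host", "203.0.113.7", 445, True),
]

def evaluate(scope, local_subnet="192.168.1.0/24", router_filters=True):
    nets = parse_scope(scope, local_subnet)
    return {name: decide(src, port, wan, nets, router_filters)
            for name, src, port, wan in ATTEMPTS}

if __name__ == "__main__":
    for scope in ("192.168.1.11", "LocalSubnet"):
        print(scope, evaluate(scope))
```

With a per-address scope the other LAN host is refused, while with LocalSubnet it is allowed, which is the LAN-side exposure the last reply refers to.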
 