On 18 Sep 2006 10:51:21 -0700 said:
I've just inherited a Win9x network, W95, W98 and WMe. I can access any
PC with the "C" Drive shared using my shared password.
Don't ever full-share the whole of C:\ !!
If you do, you allow malware to be dropped into the system and
integrated into Windows so that it will be autorun from then on.
You should avoid full-sharing any part of the startup axis, i.e.:
- root of C:
- all StartUp groups
- the Windows subtree (think Win.ini, System.ini etc.)
Also, be careful to keep File and Print Sharing from being exposed to
the Internet - don't rely on passwords to block such access!
On installing a new XP PC, I cannot set the "C" Drive to be shared as
in Win 9x. It only works if I set full read/write access with no
password so anyone can modify the files.
XP Pro is so dumb, it will full-share all HD volumes behind your back
via hidden "admin shares". Hidden they may be, but the names are
always the same and thus trivial for attackers to use programmatically.
First things first:
1) Make sure nothing's exposed to the Internet
If you have separate controller cards for Internet vs. LAN, then you
can unbind File and Print Sharing (F&PS) from the card that connects
to the Internet. This is what one does with dial-up.
If the same LAN card connects both your LAN PCs and the Internet, then
use the NAT feature of a router to block direct Internet access to the
PCs - else F&PS will expose RPC and admin shares to the world.
If you cannot hide behind NAT, then you could try using a network
protocol other than TCP/IP (NetBEUI or IPX) for F&PS. This works
brilliantly with Win9x, but XP has been useless at this in my
experience; even if you find the hidden and "unsupported" NetBEUI and
install it, it doesn't work, and neither does IPX.
If you are forced to use TCP/IP on the same LAN card that connects to
the Internet, then you're forced to fall back on some band-aids:
- prefer XP Home to XP Pro as Home doesn't expose admin shares
- if using XP Pro, either use no password at all, or use STRONG pwd
- disable admin shares, but expect them to lapse into enabled
- try using firewalls to limit F&PS exposure
XP Home doesn't expose hidden admin shares over network. XP Pro will
expose them if the account password is anything other than blank - so
if you use an account password, it has to be so strong that it can't
be brute-forced or guessed by bots out there (fat chance?)
2) Try to get F&PS to work on LAN
Win9x and XP systems often don't "see" each other if they use multiple
network protocols. In theory, you should be able to force F&PS to use
IPX (or with some work, NetBEUI) while TCP/IP has no F&PS, but in
practice this doesn't seem to work in a mixed XP, Win9x environment.
F&PS must be bound to the same protocol on all PCs, and there must be
something shared on any PC that is to be seen by other PCs. The Win9x
systems must bind a network client to that protocol and the user of
the system must not cancel the login when Windows starts up.
All PCs should have unique names and IP addresses, and it's easier if
they are all using the same workgroup name. If TCP/IP is used and IP
addresses are specified, they must lie within the same netmask and use
a private range of addresses - typically 10.x.x.x or 192.168.y.x,
where the y must be same for all systems and x should be unique to
each system. Netmasks are 255.0.0.0 and 255.255.255.0 respectively.
Choose what you share with care, and use read-only shares where you
can. Note that XP cannot use the password facility that Win9x can use
to mildly control access to shares.
------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
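
An added example, not part of the original post: a small audit that reads `net share`-style output and flags shares that cover the "startup axis" listed above (drive root, StartUp groups, Windows subtree) or are hidden admin shares. The sample listing is constructed, and the directory locations are assumed Win9x/XP defaults that should be adjusted per machine.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in the layout printed by `net share` (not from the post).
SAMPLE = r"""
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Docs         C:\Shared\Docs
Profiles     C:\Documents and Settings
Fonts        C:\WINDOWS\Fonts
"""

# Assumed default locations of the startup axis; adjust per machine.
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")
STARTUP_DIRS = [
    PureWindowsPath(r"C:\WINDOWS\Start Menu\Programs\StartUp"),  # Win9x
    PureWindowsPath(r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"),  # XP
]

def covers(parent, child):
    """True if child equals parent or lies beneath it (Windows paths compare case-insensitively)."""
    return parent == child or parent in child.parents

def parse_shares(text):
    """Yield (name, path) for rows whose resource is a drive path; other rows are skipped."""
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}([A-Za-z]:\\.*?)(?:\s{2,}.*)?$", line)
        if m:
            yield m.group(1), PureWindowsPath(m.group(2).strip())

def audit(text):
    """Map share name -> list of reasons it deserves attention."""
    findings = {}
    for name, path in parse_shares(text):
        checks = [
            (re.fullmatch(r"[A-Z]\$|ADMIN\$", name, re.I), "hidden admin share"),
            (path == path.parent, "shares drive root"),
            (covers(path, WINDOWS_DIR) or covers(WINDOWS_DIR, path), "exposes Windows subtree"),
            (any(covers(path, s) for s in STARTUP_DIRS), "exposes StartUp group"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "->", ", ".join(reasons))
```

The listing does not show whether a share is read-only or full access, so each flagged share still needs its access level checked by hand.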