CheekyChimp

Just got my network up and running again but this time I'm using W2K Pro on two of the machines (98 on the other two). Now here's my problem, I have created a user name and password for each of my mates to access my shared folders but can't find a way of allowing them access without having to enter a user name and password every time (previously they all used the 'Guest' login, but the access was a little odd). I have also had to change the security and sharing properties to allow them to access each folder. This is bloody annoying as these silly passwords are not needed to get into the '98 machines, only our 2K Pro ones. Is there any way of just letting everyone on the network access any shared folder on any machine without having to fumble around with passwords etc. You guys haven't failed me yet so any help would be greatly appreciated.

Gedi

It worried me to read this post. Passwords are there for a reason and are deffinitely not silly.
I am a little apprehensive about telling you this, as you seem to have little understanding for computer security.
Before applying this, make sure that your gateway to the internet is completly blocked for incomming connections on 135 - 139, 443.

On the the win2k machine , right click my computer, click manage , open local users and groups. Click on users, and add the names of the users from the other machines. Select either no password and password never expires. Give this user full permissions to the share on the win2k machine.

On your head be it.....I don't run windows machines, so I don't care if you contribute to the esculating viri on the net.

CheekyChimp

we've all got norton 2003 up to date and all use the firewall, there is also a firewall built into the Linksys cable router and we've not had an attack of any kind yet. It's just the inconvienience of having to bother with passwords when XP and 98 seemed to manage fine without them. I've been very good in avoiding viruses, spyware, spam and other crap so far and give the system a thorough clean every week, I'm not a total newbie! Just need a bit of help with the network

Gedi

aagghh, now you've gotten me more worried....hehe. Your going over the net!!!!!

Norton and any ACL built into the router are very easy to bypass. Your gonna have to have the ports I mentioned open. You should idealy be running this via SSL.

There is so much to go into here but i'll just leave it down to you.

Note, if your controlling connections onto your network by IP addrress, at least set up some kind of ARP watching software to control IP to MAC pairs.

CheekyChimp

We got the router simply to share the internet and also to network. As I say we've never had any problems with viruses, trojans etc, norton has managed to block em all. But now I'm worried about the overall security of the whole network. What do you recommend I do to thoroughly secure ourselves (I did port scans using symantecs security tool and the security report came out fine, all ports cloaked etc.). This is a simple home network with little value to hackers, I know there is potential for an attack but what is the liklihood that we'd recieve a major assault when so many other broadband users (the AOL crowd for instance) have little or no protection whatsoever? I know you're probably used to dealing with big corps and all the problems a big company network can have and so are therefore inherintly over-cautious about this type of thing (which is no bad thing! )but do I now frantically run home in order to sort this little mess or should I be okay?

Ta!

Hobo_Jojo

lol y would anyone really bother going to so much trouble to access 1 persons pc when theres bugger all for them to get from it?

Gedi

Hi, sorry I missed you reply earlier....just seen it now.

As a general rule, one of the best security measures a home machine can take, it to recieve no connections (SYN) packets from anyone. If you have no services running, then this is no problem. This will by no means make them secure, but it will greatly assist them.

If you keep your AV software updated then net loose viri should not be able to hit you, however this is not always the case. Look how many people got hit with worms like blaster and slammer. Sometimes code can esculate on the net before AV companies get time to release a patch. If these people had secured their networks, then you could have sat there with no AV software and still not got hit. Blaster was exploiting a vunl in the DCOM RPC which runs over SMB......using port 135. If you had this open, you must have just have been lucky to have got been patched before you were scanned. (either that, or you had dissalowed port forwarding on your router at the time)

Anyway, i'm rambbling about nothing here......hehehe.

Don't be fouled into thinking hackers don't want your machine.
Skript kiddies like to use tools to break in, just for the thrill of compromising a machine, then they can tell their mates.
More advanced skript kiddies will break into machines to install things like zombies for DDoS attaks. You network could be involved in major DoS incidents on targets, and you would never even know about it. They upload relativly small amounts so as not to arouse suspicion.
Your AV software will not pick this up, because they probably roll their own. It would be relativly easy to write a trojan in a day or 2. As this is a new trajan, AV companies won't have the signatures. If the attacker keeps them to himself and doesn't let them spread, hes got a trojan that will probalby never be picked by any AV software.

most worrying of all.....good hackers will compromise your machine and install proxies on it. They will then use your machine, along with others to bounce their connection through when launching attacks. They will then go back through the machines and clean their tracks.
It makes them pretty much anonomous.

So, back to the original thing.....should you be allowing your mates into your machine over NetBIOS? NO. Its very very very insecure. Its not hard to get a machine to release its NTLM hash if you have NetBIOS open, all it then takes is a day or to and they have you password, your network, and a free node on the internet to play with.

I've seen and done many hacks on the internet since I was a nipper, its a dangerous and very very insecure place.

The solution.....use SSH
Its not 100% safe, nothing is, but if you secure your machine well and you need a service running to exchange data, you'll be have superior security in comparison to most other net users.
Anyway, SSH a more feature ricj protocol. You can transfer your entire desktop via it if you want, making for secure remote access to your entire machine from anywhere

phew, thats enough typing, sorry for any bad English but I can't be arsed to read it all back and make corrections.....hehe

*oh well, couldn't resist, there was some bad sentances in there

[Edited by Gedi - 1/9/2004 10:44:21 PM]

ChrisB

I just read your post Gedi and thought, wow, SSH is a bit OTT for a home network. Then realised the topic is using shares over the 'Net

Mr.Cookie

Gedi

As you know i have a http server, used to do an ftp one but some mates couldn't grasp ftp so i set up http instead. Previously this was on a winxp box as you know it's now a linux one.

Couple of questions

Which is more secure ftp: or http: obviously http is more involving as you need to make index.html unless you leave directory tree's (sorry not sure of wording i cook for a living ) open.

What is the best means of file sharing over net.

Cheers
Si

Gedi

Hi Si,

Its difficult to say which is more secure as any flaws won't be in the underlying architecture of the protocol, but in the server software itself.

Basically, as long as you set up the config files correctly, and make sure the software is always patched to the latest version they should both be as secure as each other.

This is a completly different ball game than sharing files over NetBIOS. SMB was designed to be structularly part of windows. This means that pretty much anything you can do on the local machine is possible over NetBIOS. You'd be amazed at how much information can be gained about a machine, just by connecting to the IPC$ share on a windows machine. This share will always let you connect with a null password.
FTP / HTTP were written with one purpose only. They don't stray into the structure of the Windows OS.

Having said that, they both send data in clear text format. Sniffers can pick up all sorts of info, including passwords.
For added security, you could consider HTTPS or SFTP, both which will encript the data.

Mr.Cookie

Cheers

Got the smb stuff sorted now on server to xbox too

Si

Mr.Cookie

sheilds up

Did a quick one of these before i went to bed, 80 is open unless i close down my http, 113 is showing as closed everything else is just plain not responding

Si
Ps Dare anyone else to run that lol

CheekyChimp

Cheers for the advice but could you explain why we are connected over the net? I was under the impression that the router enabled us to share the broadband connection but connect our machines through the router itself without going over the internet. I do apologise if I've totally missed the point but as I say I'm fairly new to networking.

Mr.Cookie

Cheeky Chimp

It may be everyone else who's confused lol, are all the pc's you share with plugged into the router (ie in same house) or do you share files with say you in for instance london and a mate in say cornwall

Si

CheekyChimp

all under one roof on the same router.