Re: XP Home: selective folder sharing

From: DaddySchlich (DaddySchlich_at_discussions.microsoft.com)
Date: 01/19/05 

Date: Wed, 19 Jan 2005 12:17:03 -0800

Chuck,

Thanks. You've given me a lot to think about, which is as it should be. As
I mentioned earlier, we were using the wireless connection on and off -
largely because of the potential problems caused. I'm comfortable with the
network doing dial-up; not so with wireless. And you're telling me I've got
that right.

A few nuts-and-bolts questions that reflect my level of knowledge/ignorance:

1. can you explain further what you mean by "bridge" and by "NAT" early on,
or give me a references? I basically have a cabled Ethernet LAN with a 100
Mbps switch at the center, wtih printers plugged into PCs. As I mentioned
earlier, ICS was not a whole lot of fun (or successful or simple) the last
time I tried, which is why we've been using three separate dial-up
connections.

2. I understand the idea of putting firewalls on all three machines and
putting only these three PCs in the Local Zone, and using manually assigned
IP addresses to make sure those are the only three PCs included.

Alternatively, where I started this exercise was restricting access to all
but selected files on the XP machine to others on the wired LAN, figuring the
same would hold for any wireless connection. Even better would be disabling
SFS for those few files to limit access to specific selected Users. With
user-level access possible on the Win98 machines, limiting access to files on
those machiens to specific selected Users would appear to be easier.

I am bit fuzzy about the reasons for having to have both firewalls and
separate logons. If the wall around the PC prevents any non-trusted source
from getting inside the PC, why is it necessary to ask for a passworded
login? Alternatively, if files are limited to selected Users, why the wall?
Similarly, if I have a wall on the XP machine, the only one with wireless
access, why do I need separate walls on the other PCs?

Similarly, I am a bit unclear about your suggestion that, if I am logged on
as an Administrator, someone from outside can breach the wall and step into
my shoes to wreak havoc as an Administrator on the PC. There must be
something here I'm not understanding.

In short, I have been aware that I need to worry these issues. If you can
help me directly by answering or giving references to read, that would be
most helpful. At the end of the day, I may decide to bag the wireless access
altogether.

If I ultimately do set something up, I would be happy to share with the
group.

Thanks for your help, and your willingness to answer my questions.

  DaddySchlich

>"Chuck" wrote:

>> DaddySchlich
>>...
> >So, where I now stand,
> >
> >1. should I worry about others looking at my files over the wireless link?
> >(I have a firewall on the XP machine.) If so, should I pursue the Safe Mode
> >option you first suggested to disable Simple File Sharing? Can I set it up
> >so that the Falcon boots directly to Desktop, and there is a logged on User
> >that the XP can validate without more?
> >
> >2. independently, is there a way to set up the Falcon so it boots directly
> >to Desktop without showing a Logon screen at all, as it was set up at the
> >beginning? (Coincidentally, I made an image of my Boot partition this past
> >weekend, just before starting all this, so I can just restore that image if
> >need be.)
> >
> >Chuck, thank you for all your help on this matter. This certainly is not
> >easy stuff.
> >
> >What do you think are my options at this point?
> >
> >Thanks,
> >
> > Daddy Schlich
>
> The ethics, and legality, of hijacking a wireless signal (unprotected, unknown
> sources) for internet access are heavily discussed in other forums (maybe
> alt.internet.wireless and / or microsoft.public.windows.networking.wireless), so
> I won't get into that. What I will say is that, IMHO, if your're going to
> connect any computer to a wireless network, you should protect it as well as a
> computer connected directly to the internet.
>
> Simple File Sharing is a bad idea here, which in my book says NO XP Home. But
> yes, if you can disable SFS under XP Home using the recommended (but
> unsupported) procedure, then try it.
>
> If you use ICS, instead of a bridge, on Falcon-II, then Falcon and Micron would
> be protected by the NAT in Falcon-II, at least. As it stands right now, if
> Falcon-II is running a bridge, I would suspect that Falcon and Micron are
> visible to the world outside Falcon-II. Which means your wireless neighbors,
> unknown as they are.
>
> I should note that some of the discussions (mentioned above) include the ethics
> of hacking any computer connected to one's wireless LAN without permission.
> IOW, your computers may be targets, more so than if you were operating the
> wireless LAN. Please protect yourself.
>
> Install a software firewall on Falcon and on Micron, and use fixed ip addresses
> on both. Put manually assigned ip addresses in the Local (highly trusted) Zone.
> Open the firewalls for file sharing, only in the Local Zone, to assigned
> addresses.
>
> You could go back to skipping the logon screen on Falcon, yes. But that won't
> give you authentication for file sharing with Falcon-II. Not without Guest
> access, anyway, but Guest access on an unprotected wireless LAN is also a bad
> idea. Which again means disabling SFS. You should explicitly disable the Guest
> account, and rename the administrative account, whenever possible.
>
> You need to have two accounts for all 3 computers. One administrative (full),
> the other normal (limited). You should use the full account only when
> installing software, and only when not connected to the LAN. Which means,
> again, having to enable Windows Logon.
>
> In short, I don't think I would personally do what you're doing, at least with
> Windows 9x. But, if you're going to do this, please let us know how you set it
> up. This is, at least, a lesson in unconventional LAN topology. Which many
> here can learn from.
>
> --
> Cheers,
> Chuck
> Paranoia comes from experience - and is not necessarily a bad thing.
> My email is AT DOT
> actual address pchuck sonic net.
>

Relevant Pages

  • Re: 3 PC SOHO Network setup problem
    ... >>>so security on the wireless side is not a major concern. ... >>>Our internet connection is via a cable modem connected directly to the ... >> only by the Guest account, which means this computer will be open to anyone. ... >> LAN where you wish to access all files. ...
    (microsoft.public.windowsxp.network_web)
  • Re: 3 PC SOHO Network setup problem
    ... >so security on the wireless side is not a major concern. ... no PC has an internet connection other than through the router. ... XP Home, unfortunately, uses Simple File Sharing, which allows access ... LAN where you wish to access all files. ...
    (microsoft.public.windowsxp.network_web)
  • Re: change node on ipconfig
    ... If I disable the wireless card now, the LAN will claim to be connected to the ... VPN, but it is weak. ... > before you create the VPN usxing the hard-wired connection? ...
    (microsoft.public.windows.server.sbs)
  • Re: Approach to use cross-over connect as part of LAN
    ... Wireless nic was installed on A for access to existing 3-computer LAN ... An alternative is to create a network bridge on A, ... Make ad-hoc connection between A & B maybe even with APIPA addresses. ...
    (microsoft.public.windowsxp.network_web)
  • Re: all-in-one router?
    ... Especially with a wireless LAN, you need to audit what traffic goes up (to the ... Here's a story about somebody's very stupid wireless neighbor. ... connection listed represents - you? ...
    (microsoft.public.windowsxp.network_web)