-
January 19th, 2007, 11:13 PM
#1
File and Printer Sharing vulnerabilities
I used to hear a lot of things about file and printer sharing causing a security risk. I never was interested and never read into it, so I just disabled it since I had no use for it. Now I'm setting up a network between two Windows XP SP2 computers, and I wish to enable file and printer sharing. What, if any, are the security risks? Do you recommend leaving it enabled or only enabling it when needed? What would I be able to do to help prevent some of these vulnerabilities (if any)?
WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!
-
January 20th, 2007, 12:40 AM
#2
Well, before I get into a huge typing frenzy, you could help me out by letting me know what kind of network it is going to be, i.e. wireless or hardlined. Is it going to be behind a router?
-
January 20th, 2007, 02:42 AM
#3
It's going to be EVENTUALLY (as soon as my laptop's PCMCIA card arrives) wireless, in the meantime it's "hardlined". Yeah it's going through a router, this router has some firewall settings but I just got it today so haven't done much exploring of the options yet.
-
January 20th, 2007, 07:21 PM
#4
I am afraid that I am not much of a help here as I have only ever shared printers in a home environment.
However I do believe that a lot of the "security risk" you refer to was based on the precept that if you don't use something then turn it off so you won't have to worry about it, and it cannot be used to harm you.
Obviously, file and printer sharing are commonplace in commercial and institutional environments, so they are not inherently dangerous, provided they are set up properly and the rest of your system is secure.
I would be inclined to argue that it is the act of networking that is potentially dangerous, rather than the sharing... and there wouldn't be much point in networking two production PCs without some sort of sharing?
-
January 22nd, 2007, 02:21 PM
#5
Originally Posted by Raion
It's going to be EVENTUALLY (as soon as my laptop's PCMCIA card arrives) wireless, in the meantime it's "hardlined". Yeah it's going through a router, this router has some firewall settings but I just got it today so haven't done much exploring of the options yet.
Raion,
I think that the thing you need to look at is blocking any incoming traffic on the printer and file sharing ports (can't remember them off the top of my head).
The risk of file and printer sharing is that you open a listener on additional ports, which intruders can try to hijack. If you block these at your router, you start limiting the risk.
The second thing to do is to beef up your firewall on the PC which is going to be doing the sharing. Only allow incoming connections from the address (ideally MAC address) of the other PC. You could also look at what limits you can configure in your router to do MAC address filtering.
Basically, the more you can limit who is allowed to do what the less chances you take.
Cheers,
BrainStop
"To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule
-
January 22nd, 2007, 03:50 PM
#6
If set up properly with user permissions and file security...there should be no issues.
Protect the LAN with a router\firewall
although I have seen many poorly set up networks...where every C$ is shared...everyone full control
You're just asking for problems..
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 22nd, 2007, 05:43 PM
#7
I think that the thing you need to look at is blocking any incoming traffic on the printer and file sharing ports (can't remember them off the top of my head).
I was looking at the Windows Firewall settings, which is turned on by default when I set up a network, and it doesn't accept connections from IP addresses that aren't on my network. I don't trust Windows Firewall but would it do? My computer isn't very high on resources to take on an AV and a software firewall (and the one included with my router is highly annoying).
BTW if it helps, I have a Netgear wgr614
although I have seen many poorly set up networks...where every C$ is shared...everyone full control
lol, didn't Win2000 come with that as default once? I found that quite funny the first time I installed it; after a fresh install it was shared.
However, I won't be using it to share files too much; I would just simply use AIM for that if I didn't set up the network. My main purpose is to share my printer.
-
January 22nd, 2007, 07:41 PM
#8
In my thinking it's not so much print and file sharing that is vulnerable but that it enables NETBIOS when using it. It's the NETBIOS you want to focus on securing, mostly via the anonymous login and of course being patched.
Look into RestrictAnonymous at the below URL, it's about half way down.
http://technet2.microsoft.com/Window....mspx?mfr=true
There are two rules for success in life:
Rule 1: Don't tell people everything you know.
-
January 22nd, 2007, 08:27 PM
#9
Some random thoughts on locking a share down a bit:
1) Make sure that tcp/445 and tcp/139 are blocked at your Internet/Home Network boundary (I'd hope they already are).
2) Use the built-in firewall provided with XP SP2 (make sure that you create a rule allowing the two systems to talk to each other).
3) Make sure the share is restricted ONLY to the specific directory needed (i.e., avoid sharing the whole drive or system critical areas like \Windows, \Documents and Settings, etc.). Make sure that the share requires authentication (preferably with a good password, i.e. no single dictionary words, upper/lower case, symbols, numbers, blah blah blah)...
4) Enforce LANMAN2 encryption/negotiation (much stronger and harder to crack)
5) Make sure you have auditing/logging enabled so you will have an idea if something has gone wrong (like a brute force attack). This will be especially important if you move to all wireless.
6) Make sure you keep your system(s) fully up to date in regards to patches/anti-virus (you are after all opening your system up by making the daemon accessible).
7) Consider using, if not already, NTFS so that you can further restrict the permissions of the share.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
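Added example (not written by any poster in this thread): a batch script for the XP SP2 machine that owns the printer, applying the firewall scoping, single-directory share, NTFS permission and RestrictAnonymous suggestions from posts #8 and #9 with built-in commands. The peer address, directory, share name and account name are constructed placeholders, and the account is assumed to already exist with a strong password.

```bat
@echo off
rem Added example. All values below are constructed placeholders; change them
rem to match your own network before running from an administrator account.
set PEER=192.168.1.3
set SHAREDIR=C:\Shared
set SHARENAME=Shared
set SHAREUSER=shareuser

rem Windows Firewall on, with the File and Printer Sharing exception
rem (TCP 139/445, UDP 137/138) accepted only from the other PC's address.
netsh firewall set opmode mode=enable
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%PEER%

rem Share one dedicated directory, never the drive root or system folders.
if not exist "%SHAREDIR%" mkdir "%SHAREDIR%"
net share %SHARENAME%="%SHAREDIR%"

rem NTFS permissions: /E edits the existing ACL, /G grants Change (C)
rem to the one account that is meant to use the share.
cacls "%SHAREDIR%" /E /G %SHAREUSER%:C

rem RestrictAnonymous=1 limits anonymous enumeration of accounts and shares.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f

rem Review the result: the firewall exception scope and every share that
rem exists, including administrative shares such as C$.
netsh firewall show service
net share
```

The final `net share` listing is the quick check for the "every C$ is shared" situation described in post #6: anything listed beyond the one intended directory and the printer deserves a second look.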