Microsoft Windows File Sharing Risks
Microsoft Windows systems provide easy-to-use file sharing functionality. You can easily make any folder on your computer available to the entire JMU community or only to those who know a secret password. It is important to realize, however, that misuse of this functionality can result in a total compromise of your computer, everything stored on it, everything typed into it, and everything accessed from it (email, PeopleSoft and Ecampus accounts, network drives, outside accounts, etc.).
If you were directed here by a warning placed on your desktop (an icon with the name JMU SECURITY ALERT - READ THIS ASAP), or a popup message appearing on your screen, your computer is a sitting duck for any virus or hacker that comes along. In fact, anyone on the JMU network (or in control of a computer on the JMU network) is able to read, write, modify, or delete anything on your computer. If it's a home computer in this condition, anyone in the world can do the same thing.
There are three common mistakes people make with Microsoft file sharing.
Mistake #1 - Sharing an Entire Hard Drive, Either on Purpose or Because You Don't Have an Administrator Password
If your hard drive (e.g. C:) is shared with read/write permissions, it has the same effect as letting everyone borrow your computer, copy your keystrokes, and use your passwords and accounts. People are free to load and run software of their choice on your computer. Even if shared read-only, there are areas that can be abused. For example, the My Documents folder and password files are available to anyone who cares to look at them. It is extremely important that you guard against sharing your entire hard drive.
Windows computers allow people and programs (or criminals and viruses) that can guess the Administrator password to take full control of your computer over the network. This happens quite often. Use the procedures below to set a strong Administrator password.
If, when you follow these instructions, you get an error message like "access denied", it means you're logged into the machine with a non-privileged account. Simply log out (Start->Log Off (username)) and log back in as Administrator using a blank password.
To change the Windows XP Administrator account password if you're logged in as Administrator:
To reset the Windows XP Administrator password if you're logged in with another account with administrative privileges:
When creating new users in Windows XP setup, all users are created with administrative privileges and no password by default. All such accounts will have access to the hidden shares on Windows XP Professional machines (Windows XP Home machines don't enable the hidden shares by default). On either system, you must set a password for each user. See Microsoft KnowledgeBase article Q293834.
If you share the hard drive temporarily for backup purposes, assign a password to it. You'd be surprised how often the JMU network gets scanned by people looking for vulnerable computers. Don't forget to unshare it when you are finished with the backup.
If you don't want to allow other computers to access your folders, disable file sharing completely by:
Properly configured firewalls block the doors file sharing services leave open on your computer, but it's best not to leave the doors open in the first place. Disable file sharing if you're not going to use it.
If you want to allow others to access folders on your computer it is best to create a new folder specifically for that purpose.
To get a complete list of all folders you have shared:
Mistake #2 - Letting Anonymous People (including criminals) and Programs (including viruses) Write to Your Computer
If you don't control write access to your shared folder, people may store inappropriate or illegal materials on your computer, which may get you in trouble. Anonymous people may maliciously change or delete someone else's content that resides in the share. You may be blamed by people who use your share for the malicious content or modifications. Viruses use such open shares to spread themselves. Finally, people may simply fill up your hard drive.
You can prevent this by doing one or both of the following:
Microsoft ships Windows XP so its Shared Documents folder is open to the world including viruses and criminals. To disable or configure this share:
Security Engineering's vulnerability scanning scripts will place a warning file named 'JMU Security Warning.html' in any open, read/write shares they find on the 184.108.40.206/16 JMU network.
Some folks properly protect a share with read-only permissions but make the mistake of sharing the wrong folder or putting sensitive information in it. Shared folders are easily discovered on the network and unless they are password protected, anyone can read what they contain. Sharing a folder like My Documents will expose personal data. If you do it on the JMU network, it will be shared with all of JMU. If you do it at home, it will be shared with the entire Internet.
It is best to create specific shared folders for each different use.
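The following script is an added example, not part of the original JMU page: it lists the folders shared on the local computer and flags the mistakes described above (a whole drive shared, a share writable by anyone, a personal folder readable by anyone). It assumes Windows 8 / Server 2012 or later with the SmbShare cmdlets and an elevated PowerShell prompt; the account and folder name lists are illustrative assumptions.

```powershell
# Added example: local audit of SMB shares for the mistakes described on this page.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated prompt.

# Account names treated as "anyone" (assumption; names are localized on non-English systems).
$broad = 'Everyone', 'ANONYMOUS LOGON', 'BUILTIN\Guests', 'NT AUTHORITY\Authenticated Users'
# Folder names treated as personal data (assumption; extend for your own machine).
$sensitive = 'Documents', 'My Documents', 'Desktop'

$findings = foreach ($share in Get-SmbShare) {
    # IPC$ and printer shares have no file system path, so there is nothing to check.
    if ([string]::IsNullOrEmpty($share.Path)) { continue }

    # Allow entries on this share that are granted to a broad group.
    $open = @(Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
        Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and $broad -contains $_.AccountName })
    $writable = @($open | Where-Object { "$($_.AccessRight)" -match '^(Change|Full)$' })

    $issues = @()
    # Mistake #1: the share path is the root of a drive.
    if ($share.Path -match '^[A-Za-z]:\\?$') {
        if ($share.Special) {
            # Hidden administrative share (C$ style): safe only with strong account passwords.
            $issues += 'hidden drive share: every administrative account needs a strong password'
        } else {
            $issues += 'entire drive is shared'
        }
    }
    # Mistake #2: anyone can write to the share.
    if ($writable.Count -gt 0) {
        $issues += 'writable by: ' + (($writable.AccountName | Sort-Object -Unique) -join ', ')
    }
    # Sharing the wrong folder: a personal folder readable by a broad group.
    if ($open.Count -gt 0 -and $sensitive -contains (Split-Path $share.Path -Leaf)) {
        $issues += 'personal folder exposed to a broad group'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Issues = $issues -join '; ' }
    }
}

# Report only; the script changes no share or permission.
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No risky shares found.' }
```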