Microsoft Windows File Sharing Risks
Microsoft Windows systems provide easy-to-use file sharing functionality. You
can easily make any folder on your computer available to the entire JMU
community or only to those who know a secret password. It is important to realize,
however, that misuse of this functionality can result in a total compromise of
your computer, everything stored on it, everything typed into it, and everything accessed from it (email,
PeopleSoft and Ecampus accounts, network drives, outside accounts, etc.).
If you were directed here by a warning placed on your desktop (an icon with
the name JMU SECURITY ALERT - READ THIS ASAP), or a popup
message appearing on your screen, your computer is a sitting duck for any
virus or hacker that comes along. In fact, anyone on the JMU network (or in
control of a computer on the JMU network) is able to read, write, modify,
or delete anything on your computer. If it's a home computer in this condition,
anyone in the world can do the same thing.
There are three common mistakes people make with Microsoft file sharing.
Mistake #1 - Sharing an entire hard drive, either on purpose or
because you don't have an Administrator password
If your hard drive (e.g. C:) is shared with read/write permissions, it has
the same effect as letting everyone borrow your computer, copy your keystrokes,
and use your passwords and accounts. People are free to load and run software of
their choice on your computer. Even if shared read-only, there are areas that
can be abused. For example, the My Documents folder and password files are
available to anyone who cares to look at them. It is extremely important that you guard against sharing
your entire hard drive.
Windows computers allow people and programs (or criminals and viruses) that
can guess the Administrator password to take full control of your computer over
the network. This happens quite often. Use the procedures below to set a strong
Administrator password.
If, when you follow these instructions, you get an error message like "access
denied", it means you're logged into the machine with a non-privileged
account. Simply log out (Start->Log Off (username)) and log back in as
Administrator using a blank password. If your computer normally logs into
Novell, you'll need to click the box on the login screen that says
"workstation only" so you only log in to the local computer and not
Novell.
On Windows NT systems:
- Click Start->Programs->Administrative Tools->User Manager.
- Double-click the Administrator entry and set a strong password.
- Do not forget the password.
On Windows 2000 systems:
- Right-click on the My Computer icon on your desktop and select Manage.
- Double-click on Local Users and Groups.
- Double-click on the Users folder.
- Right-click on the Administrator icon and click once on Set Password.
- Set a strong password. Do not forget the password.
- Click OK.
On Windows XP systems:
To change the Windows XP Administrator account password if you're logged in
as Administrator:
- Hit the Ctrl, Alt, and Delete keys simultaneously.
- Click Change Password.
- Type Administrator into the user box.
- Type in a new strong password twice. Do not forget the password.
- Click OK.
To reset the Windows XP Administrator password if you're logged in with
another account with administrative privileges:
- Right-click on the My Computer icon on your desktop and select Manage.
- Double-click on Local Users and Groups.
- Double-click on the Users folder.
- Right-click on the Administrator icon and click once on Set Password.
- Set a strong password. Do not forget the password.
- Click OK.
When creating new users in Windows XP setup, all users are created with
administrative privileges and no password by default. All such accounts
will have access to the hidden shares on Windows XP Professional machines
(Windows XP Home machines don't enable the hidden shares by default). On
either system, you must set a password for each user. See
Microsoft KnowledgeBase article Q293834.
If you share the hard drive temporarily for backup purposes, assign a
password to it. You'd be surprised how often the JMU network gets scanned by
people looking for vulnerable computers. Don't forget to unshare it when
you are finished with the backup.
If you don't want to allow other computers to access your folders, disable
file sharing completely:
- Windows 95, 98, ME:
  - Click Start->Settings->Control Panel
  - Double-click the Network control panel
  - Click File and Print Sharing
  - Uncheck the box labeled "I want to be able to give others access to my
    files"
  - Click OK, OK.
  - Reboot your computer.
- Windows NT4:
  - Click Start->Settings->Control Panel
  - Double-click the Network control panel
  - Click the Bindings tab
  - Highlight Server
  - Click Disable
  - Click OK
- Windows 2000/XP:
  - Click Start->Settings->Control Panel
  - Double-click "Network and Dial-up Connections"
  - Right-click "Local Area Connections" and select Properties
  - Uncheck "File and Printer Sharing for Microsoft Networks"
Properly configured firewalls block the doors file sharing services leave
open on your computer, but it's best not to leave the doors open in the first
place. Disable file sharing if you're not going to use it.
If you want to allow others to access folders on your
computer it is best to create a new folder specifically for that purpose.
To get a complete list of all folders you have shared:
- Open an MS-DOS window.
- Type net view
- Servers running on your computer will be listed under "Server Name".
  If nothing is listed, Microsoft File Sharing is disabled. If something is
  listed, take each server name and type net view \\servername. A list of
  shares will be displayed.
Mistake #2 - Letting Anonymous People (including criminals) and Programs (including viruses) Write to Your Computer
If you don't control write access to your
shared folder, people may store inappropriate or illegal materials on your
computer which may get you in trouble. Anonymous people may maliciously
change or delete someone else's content that resides in the share. You may
be blamed by people that use your share for the malicious content or
modifications. Viruses
use such open shares to spread themselves. Finally, people may simply fill up your hard drive.
You can prevent this by doing one or both of the following:
- Changing the folder's share properties so the folder is read-only.
- Changing the folder's share properties so a password is necessary to
access it. Be sure to choose a strong password!
Microsoft ships Windows XP so its Shared Documents folder is open to
the world including viruses and criminals. To disable or configure this
share:
- Double-click the My Computer icon.
- Right-click the Shared Documents icon and select Sharing and Security.
- Click the Sharing tab and set options as you desire.
Security Engineering security vulnerability scanning scripts will place
a warning file named 'JMU Security Warning.html' in any open, read/write
shares they find on the 134.126.0.0/16 JMU network.
Mistake #3 - Sharing Folders Containing Personal Data with the World
Some folks properly protect a share with read-only permissions but make
the mistake of sharing the wrong folder or putting sensitive information
in it. Shared folders are easily discovered on the network, and unless they
are password protected, anyone can read what they contain. Sharing a folder
like My Documents will expose personal data. If you do it on the JMU network,
it will be shared with all of JMU. If you do it at home, it will be shared
with the entire Internet.
It is best to create specific shared folders for each different use.
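
A check for the first and third mistakes above, as an added example (not part of the original page): it parses the output of `net share`, which unlike `net view` also shows the local path behind each share. The sample output is constructed, and the two-or-more-spaces column separator and the list of "personal" folder names are assumptions.

```python
import re

# Constructed sample of `net share` output (not captured from a real machine).
SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C            C:\
Docs         C:\Documents and Settings\pat\My Documents
Handouts     D:\Shares\Handouts              Class handouts
The command completed successfully.
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Hypothetical list of folder names treated as personal data.
PERSONAL = re.compile(r"\\(My Documents|Desktop)(\\|$)", re.IGNORECASE)

def parse_shares(text):
    """Return (name, path) pairs. Assumes columns are separated by 2+ spaces."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):          # rule under the column headers
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        # IPC$ has no Resource column; only accept a field that looks like a path.
        has_path = len(fields) > 1 and re.match(r"[A-Za-z]:", fields[1])
        shares.append((fields[0], fields[1] if has_path else ""))
    return shares

def classify(name, path):
    if name.endswith("$"):
        return "hidden share: needs strong passwords on every admin account"
    if DRIVE_ROOT.match(path):
        return "MISTAKE #1: entire drive shared"
    if PERSONAL.search(path):
        return "MISTAKE #3: personal folder shared"
    return "review: confirm read-only or password-protected"

def audit(text):
    return {name: classify(name, path) for name, path in parse_shares(text)}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:12} {verdict}")
```

The listing does not show share permissions, so every share reported as "review" still needs its read-only or password setting checked by hand.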