Is this the way Windows XP was designed?

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

I use Vmware and Virtual PC to test operating systems. I have several
operating systems in Vmware 4.52. I have a "shared folder" in my Virtual
PC session for Windows XP, service pack 2 and all the patches. The
shared folder is called whatever. It was created by right-clicking on
the folder name in explorer.exe.

I can then open a Vmware session of Fedora Core 3 (Suse 9.3 and
Knoppix 3.8) and in the KDE konqueror program, I can then do a
smb:\\IP address of the windows Xp machine in Virtual PC. Konqueror
will display all my shares. The shares include C$, D$ and "whatever".
If I click on C$ or D$, I am asked for user name and password. If I
click on "whatever", I am not asked for user name and password. If I
open up a Windows 2000 session, I see the shares C$ and D$ and my
shared folder. I still am asked for user name and password when I
click on C$ and D$ but I am also asked for user name for the
"whatever" shared folder.

It seems to me that the permissions in the Shared Folders are
different in XP and Windows 2000. The security in XP is weaker than
Windows 2000.

All I need is a Linux box and nmap and do a warp drive session and
find all the IP addresses and do my damage.

Is this the way Windows XP was designed?

I asked security at Microsoft and here is their response:

For further assistance on this issue I'm going to direct you to
technical support. What I'm seeing below is not a vulnerability from
my point of view and technical support can help understand your
concern directly since email does not seem to be doing the trick.
 
Guest

"David Sherman" <dshermin@ameritech.net> wrote in message
news:0qbc71d9mpa0dksqlij06512ln1rbd9c2u@4ax.com...
>I use Vmware and Virtual PC to test operating systems. I have several
> operating systems in Vmware 4.52. I have a "shared folder" in my Virtual
> PC session for Windows XP, service pack 2 and all the patches. The
> shared folder is called whatever. It was created by right-clicking on
> the folder name in explorer.exe.
>
> I can then open a Vmware session of Fedora Core 3 (Suse 9.3 and
> Knoppix 3.8) and in the KDE konqueror program, I can then do a
> smb:\\IP address of the windows Xp machine in Virtual PC. Konqueror
> will display all my shares. The shares include C$, D$ and "whatever".
> If I click on C$ or D$, I am asked for user name and password. If I
> click on "whatever", I am not asked for user name and password. If I
> open up a Windows 2000 session, I see the shares C$ and D$ and my
> shared folder. I still am asked for user name and password when I
> click on C$ and D$ but I am also asked for user name for the
> "whatever" shared folder.
>
> It seems to me that the permissions in the Shared Folders are
> different in XP and Windows 2000. The security in XP is weaker than
> Windows 2000.
>
> All I need is a Linux box and nmap and do a warp drive session and
> find all the IP addresses and do my damage.
>
> Is this the way Windows XP was designed?
>
> I asked security at Microsoft and here is their response:
>
> For further assistance on this issue I'm going to direct you to
> technical support. What I'm seeing below is not a vulnerability from
> my point of view and technical support can help understand your
> concern directly since email does not seem to be doing the trick.

Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro it
can be turned off.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307874

http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

Kerry
 
Guest

I have XP pro.
I know that file sharing can be turned off and on. But what if users
want it on.
If I bring in a Linux machine to the network, I would hope that this
Linux can't get to the XP shared files. If a Linux box hits a Windows
2000 machine, the Linux user is asked a user name and password. Why
isn't this the case with Windows XP?

thanks

On Mon, 2 May 2005 07:02:30 -0700, "Kerry Brown"
<kerry@kdbNOSPAMsystems.c*o*m> wrote:

>"David Sherman" <dshermin@ameritech.net> wrote in message
>news:0qbc71d9mpa0dksqlij06512ln1rbd9c2u@4ax.com...
>>I use Vmware and Virtual PC to test operating systems. I have several
>> operating systems in Vmware 4.52. I have a "shared folder" in my Virtual
>> PC session for Windows XP, service pack 2 and all the patches. The
>> shared folder is called whatever. It was created by right-clicking on
>> the folder name in explorer.exe.
>>
>> I can then open a Vmware session of Fedora Core 3 (Suse 9.3 and
>> Knoppix 3.8) and in the KDE konqueror program, I can then do a
>> smb:\\IP address of the windows Xp machine in Virtual PC. Konqueror
>> will display all my shares. The shares include C$, D$ and "whatever".
>> If I click on C$ or D$, I am asked for user name and password. If I
>> click on "whatever", I am not asked for user name and password. If I
>> open up a Windows 2000 session, I see the shares C$ and D$ and my
>> shared folder. I still am asked for user name and password when I
>> click on C$ and D$ but I am also asked for user name for the
>> "whatever" shared folder.
>>
>> It seems to me that the permissions in the Shared Folders are
>> different in XP and Windows 2000. The security in XP is weaker than
>> Windows 2000.
>>
>> All I need is a Linux box and nmap and do a warp drive session and
>> find all the IP addresses and do my damage.
>>
>> Is this the way Windows XP was designed?
>>
>> I asked security at Microsoft and here is their response:
>>
>> For further assistance on this issue I'm going to direct you to
>> technical support. What I'm seeing below is not a vulnerability from
>> my point of view and technical support can help understand your
>> concern directly since email does not seem to be doing the trick.
>
>Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro it
>can be turned off.
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;307874
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
>
>Kerry
>
 
Guest

"David Sherman" <dshermin@ameritech.net> wrote in message
news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>I have XP pro.
> I know that file sharing can be turned off and on. But what if users
> want it on.
> If I bring in a Linux machine to the network, I would hope that this
> Linux can't get to the XP shared files. If a Linux box hits a Windows
> 2000 machine, the Linux user is asked a user name and password. Why
> isn't this the case with Windows XP?
>
> thanks
>

David

Did you read the links? There are two types of file sharing in XP. By
default it uses simple file sharing. If you turn simple file sharing off
you will get access to the whole gamut of file permissions, user accounts
and so on. It is similar to win2k in that you have to add users, give them
rights, set up shares etc. With simple file sharing you simply share a
folder and the guest account automatically has access. By default in XP
guest is enabled. By default in win2k it is not. I'm not sure what linux
uses but from the sounds of what you are describing it is authenticating as
guest. If you enable the guest account on the win2k session you will be able
to access the "whatever" share. Your best bet is to turn simple file sharing
off and disable the guest account in XP. You could then allow access for
only authenticated accounts.

Kerry


> On Mon, 2 May 2005 07:02:30 -0700, "Kerry Brown"
> <kerry@kdbNOSPAMsystems.c*o*m> wrote:
>
>>"David Sherman" <dshermin@ameritech.net> wrote in message
>>news:0qbc71d9mpa0dksqlij06512ln1rbd9c2u@4ax.com...
>>>I use Vmware and Virtual PC to test operating systems. I have several
>>> operating systems in Vmware 4.52. I have a "shared folder" in my Virtual
>>> PC session for Windows XP, service pack 2 and all the patches. The
>>> shared folder is called whatever. It was created by right-clicking on
>>> the folder name in explorer.exe.
>>>
>>> I can then open a Vmware session of Fedora Core 3 (Suse 9.3 and
>>> Knoppix 3.8) and in the KDE konqueror program, I can then do a
>>> smb:\\IP address of the windows Xp machine in Virtual PC. Konqueror
>>> will display all my shares. The shares include C$, D$ and "whatever".
>>> If I click on C$ or D$, I am asked for user name and password. If I
>>> click on "whatever", I am not asked for user name and password. If I
>>> open up a Windows 2000 session, I see the shares C$ and D$ and my
>>> shared folder. I still am asked for user name and password when I
>>> click on C$ and D$ but I am also asked for user name for the
>>> "whatever" shared folder.
>>>
>>> It seems to me that the permissions in the Shared Folders are
>>> different in XP and Windows 2000. The security in XP is weaker than
>>> Windows 2000.
>>>
>>> All I need is a Linux box and nmap and do a warp drive session and
>>> find all the IP addresses and do my damage.
>>>
>>> Is this the way Windows XP was designed?
>>>
>>> I asked security at Microsoft and here is their response:
>>>
>>> For further assistance on this issue I'm going to direct you to
>>> technical support. What I'm seeing below is not a vulnerability from
>>> my point of view and technical support can help understand your
>>> concern directly since email does not seem to be doing the trick.
>>
>>Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro
>>it
>>can be turned off.
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;307874
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
>>
>>Kerry
>>
>
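
An added example, not part of any poster's message: a read-only batch check, for an XP Pro machine, of the two settings the reply above recommends changing (Simple File Sharing and the Guest account). It assumes an English-language system, a Guest account that has not been renamed, and that the `forceguest` value under the Lsa key is the setting behind the Simple File Sharing checkbox (1 means network logons with local accounts are mapped to Guest).

```bat
@echo off
rem Added example: read-only audit of the sharing model discussed in this thread.
rem Assumptions: English output from "net user", Guest account not renamed.
setlocal

set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "FORCEGUEST=unknown"
set "GUEST=unknown"
set "RISK=0"

rem forceguest = 0x1 : Simple File Sharing, remote callers become Guest
rem forceguest = 0x0 : classic model, remote callers authenticate as themselves
for /f "tokens=3" %%v in ('reg query "%LSA%" /v forceguest 2^>nul ^| find /i "forceguest"') do set "FORCEGUEST=%%v"

rem "net user Guest" prints a line such as: Account active    No
for /f "tokens=3" %%a in ('net user Guest 2^>nul ^| find /i "Account active"') do set "GUEST=%%a"

echo forceguest value : %FORCEGUEST%
echo Guest active     : %GUEST%
echo.

if /i "%FORCEGUEST%"=="0x1" (
    echo [!] Simple File Sharing is ON: shares are opened as Guest, no prompt.
    set "RISK=1"
)
if /i "%FORCEGUEST%"=="0x0" (
    echo [ok] Classic sharing: remote users must log on with a real account.
)
if /i "%GUEST%"=="Yes" (
    echo [!] Guest account is active.
    set "RISK=1"
)
if /i "%GUEST%"=="No" (
    echo [ok] Guest account is disabled.
)

rem List the shares defined on this machine, leaving out C$, D$, IPC$, ADMIN$.
echo.
echo Non-administrative shares on this machine:
net share | find /v "$"

rem Changes matching the advice in the reply, left commented out on purpose:
rem   reg add "%LSA%" /v forceguest /t REG_DWORD /d 0 /f
rem   net user Guest /active:no

rem Exit code 1 when either weak setting was found, 0 otherwise.
endlocal & exit /b %RISK%
```

The exit code lets a logon script or inventory job flag machines that still hand out shares to Guest.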
 

Malke

Kerry Brown wrote:

> "David Sherman" <dshermin@ameritech.net> wrote in message
> news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>>I have XP pro.
>> I know that file sharing can be turned off and on. But what if users
>> want it on.
>> If I bring in a Linux machine to the network, I would hope that this
>> Linux can't get to the XP shared files. If a Linux box hits a
>> Windows 2000 machine, the Linux user is asked a user name and
>> password. Why isn't this the case with Windows XP?
>>

Linux, like all other grown-up operating systems except for XP Home, has
a Guest account which is usually disabled by default for security
reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
on XP Pro and Pro will require users to be authenticated just like
Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
that's all.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 

Dave

you may also find that the 'guest' account is disabled by default on the xp
pro machine. this may be different than 2000. the c$ type admin shares
probably require an admin login, where the other shares can be accessed by
the default guest account.

"David Sherman" <dshermin@ameritech.net> wrote in message
news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>I have XP pro.
> I know that file sharing can be turned off and on. But what if users
> want it on.
> If I bring in a Linux machine to the network, I would hope that this
> Linux can't get to the XP shared files. If a Linux box hits a Windows
> 2000 machine, the Linux user is asked a user name and password. Why
> isn't this the case with Windows XP?
>
> thanks
>
> On Mon, 2 May 2005 07:02:30 -0700, "Kerry Brown"
> <kerry@kdbNOSPAMsystems.c*o*m> wrote:
>
>>"David Sherman" <dshermin@ameritech.net> wrote in message
>>news:0qbc71d9mpa0dksqlij06512ln1rbd9c2u@4ax.com...
>>>I use Vmware and Virtual PC to test operating systems. I have several
>>> operating systems in Vmware 4.52. I have a "shared folder" in my Virtual
>>> PC session for Windows XP, service pack 2 and all the patches. The
>>> shared folder is called whatever. It was created by right-clicking on
>>> the folder name in explorer.exe.
>>>
>>> I can then open a Vmware session of Fedora Core 3 (Suse 9.3 and
>>> Knoppix 3.8) and in the KDE konqueror program, I can then do a
>>> smb:\\IP address of the windows Xp machine in Virtual PC. Konqueror
>>> will display all my shares. The shares include C$, D$ and "whatever".
>>> If I click on C$ or D$, I am asked for user name and password. If I
>>> click on "whatever", I am not asked for user name and password. If I
>>> open up a Windows 2000 session, I see the shares C$ and D$ and my
>>> shared folder. I still am asked for user name and password when I
>>> click on C$ and D$ but I am also asked for user name for the
>>> "whatever" shared folder.
>>>
>>> It seems to me that the permissions in the Shared Folders are
>>> different in XP and Windows 2000. The security in XP is weaker than
>>> Windows 2000.
>>>
>>> All I need is a Linux box and nmap and do a warp drive session and
>>> find all the IP addresses and do my damage.
>>>
>>> Is this the way Windows XP was designed?
>>>
>>> I asked security at Microsoft and here is their response:
>>>
>>> For further assistance on this issue I'm going to direct you to
>>> technical support. What I'm seeing below is not a vulnerability from
>>> my point of view and technical support can help understand your
>>> concern directly since email does not seem to be doing the trick.
>>
>>Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro
>>it
>>can be turned off.
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;307874
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
>>
>>Kerry
>>
>
 

Gordon

Dave wrote:
|| you may also find that the 'guest' account is disabled by default on
|| the xp pro machine. this may be different than 2000. the c$ type
|| admin shares probably require an admin login, where the other shares
|| can be accessed by the default guest account.

Actually, probably the other way around. The Guest account is probably
enabled on the Pro machines - W2K doesn't have a "guest" account.


--
Gordon Burgess-Parker
Interim Systems and Management Accounting
www.gbpcomputing.co.uk
 

Dave

my win2k pro has a guest account.

"Gordon" <gordonbp1@yahoo.co.uk.invalid> wrote in message
news:uKu8qezTFHA.2664@TK2MSFTNGP15.phx.gbl...
> Dave wrote:
> || you may also find that the 'guest' account is disabled by default on
> || the xp pro machine. this may be different than 2000. the c$ type
> || admin shares probably require an admin login, where the other shares
> || can be accessed by the default guest account.
>
> Actually, probably the other way around. The Guest account is probably
> enabled on the Pro machines - W2K doesn't have a "guest" account.
>
>
> --
> Gordon Burgess-Parker
> Interim Systems and Management Accounting
> www.gbpcomputing.co.uk
>
 

Gordon

Dave wrote:
|| my win2k pro has a guest account.

You're quite right! So has mine! never noticed OR used that before.......

--
Gordon Burgess-Parker
Interim Systems and Management Accounting
www.gbpcomputing.co.uk
 
Guest

True, but let's take it like many users do it.

I right click on a folder in Windows 2000 and Windows XP and share it.
I don't care whether it is simple sharing or not. Most users use
simple sharing.

XP should automatically ask for user name and password like Windows
2000 does. Try it.

Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
9.3. Boot it and tell me what you see.

Run nmap in Linux and get all the IP addresses.

Go for the files!!


On Mon, 02 May 2005 12:00:58 -0700, Malke <notreally@invalid.com>
wrote:

>Kerry Brown wrote:
>
>> "David Sherman" <dshermin@ameritech.net> wrote in message
>> news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>>>I have XP pro.
>>> I know that file sharing can be turned off and on. But what if users
>>> want it on.
>>> If I bring in a Linux machine to the network, I would hope that this
>>> Linux can't get to the XP shared files. If a Linux box hits a
>>> Windows 2000 machine, the Linux user is asked a user name and
>>> password. Why isn't this the case with Windows XP?
>>>
>
>Linux, like all other grown-up operating systems except for XP Home, has
>a Guest account which is usually disabled by default for security
>reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
>on XP Pro and Pro will require users to be authenticated just like
>Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
>that's all.
>
>Malke
 
Guest

"David Sherman" <dshermin@ameritech.net> wrote in message
news:ag0f715qc9rj7fsomtjh33f8hl8sot1t5l@4ax.com...
> True, but let's take it like many users do it.
>
> I right click on a folder in Windows 2000 and Windows XP and share it.
> I don't care whether it is simple sharing or not. Most users use
> simple sharing.
>
> XP should automatically ask for user name and password like Windows
> 2000 does. Try it.
>
> Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
> 9.3. Boot it and tell me what you see.
>
> Run nmap in Linux and get all the IP addresses.
>
> Go for the files!!
>
>

True, I don't agree with Microsoft's decision to make simple file sharing
the default. I especially don't like the fact that Home can only use simple
file sharing. A lot of homes have multiple computers hooked up to a router.
Then add wireless and the fact that most home users don't set up any
security into the equation. I can see three of my neighbour's networks
right now. It's a disaster waiting to happen. I thought you were asking for
help in your OP, not making a philosophical judgement :)

Kerry



> On Mon, 02 May 2005 12:00:58 -0700, Malke <notreally@invalid.com>
> wrote:
>
>>Kerry Brown wrote:
>>
>>> "David Sherman" <dshermin@ameritech.net> wrote in message
>>> news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>>>>I have XP pro.
>>>> I know that file sharing can be turned off and on. But what if users
>>>> want it on.
>>>> If I bring in a Linux machine to the network, I would hope that this
>>>> Linux can't get to the XP shared files. If a Linux box hits a
>>>> Windows 2000 machine, the Linux user is asked a user name and
>>>> password. Why isn't this the case with Windows XP?
>>>>
>>
>>Linux, like all other grown-up operating systems except for XP Home, has
>>a Guest account which is usually disabled by default for security
>>reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
>>on XP Pro and Pro will require users to be authenticated just like
>>Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
>>that's all.
>>
>>Malke
>
 
Guest

My problem is bad, but can you think about all those who use BearShare
and find out that their tax return was shared across the county?

http://www.cbsnews.com/stories/2005/05/03/eveningnews/main692765.shtml




On Tue, 3 May 2005 08:00:48 -0700, "Kerry Brown"
<kerry@kdbNOSPAMsystems.c*o*m> wrote:

>"David Sherman" <dshermin@ameritech.net> wrote in message
>news:ag0f715qc9rj7fsomtjh33f8hl8sot1t5l@4ax.com...
>> True, but let's take it like many users do it.
>>
>> I right click on a folder in Windows 2000 and Windows XP and share it.
>> I don't care whether it is simple sharing or not. Most users use
>> simple sharing.
>>
>> XP should automatically ask for user name and password like Windows
>> 2000 does. Try it.
>>
>> Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
>> 9.3. Boot it and tell me what you see.
>>
>> Run nmap in Linux and get all the IP addresses.
>>
>> Go for the files!!
>>
>>
>
>True, I don't agree with Microsoft's decision to make simple file sharing
>the default. I especially don't like the fact that Home can only use simple
>file sharing. A lot of homes have multiple computers hooked up to a router.
>Then add wireless and the fact that most home users don't set up any
>security into the equation. I can see three of my neighbour's networks
>right now. It's a disaster waiting to happen. I thought you were asking for
>help in your OP, not making a philosophical judgement :)
>
>Kerry
>
>
>
>> On Mon, 02 May 2005 12:00:58 -0700, Malke <notreally@invalid.com>
>> wrote:
>>
>>>Kerry Brown wrote:
>>>
>>>> "David Sherman" <dshermin@ameritech.net> wrote in message
>>>> news:c8jc71lg432l6fk468p9j2mcadv16aua87@4ax.com...
>>>>>I have XP pro.
>>>>> I know that file sharing can be turned off and on. But what if users
>>>>> want it on.
>>>>> If I bring in a Linux machine to the network, I would hope that this
>>>>> Linux can't get to the XP shared files. If a Linux box hits a
>>>>> Windows 2000 machine, the Linux user is asked a user name and
>>>>> password. Why isn't this the case with Windows XP?
>>>>>
>>>
>>>Linux, like all other grown-up operating systems except for XP Home, has
>>>a Guest account which is usually disabled by default for security
>>>reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
>>>on XP Pro and Pro will require users to be authenticated just like
>>>Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
>>>that's all.
>>>
>>>Malke
>>
>