Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
| reply to dave
Re: Windows File Sharing: Facing The Mystery
said by dave  :One more thing: You forgot to mention that file-sharing requests are all subject to access control -- i.e., generally speaking, you need to log in before you can get access. True, but again, I wanted to limit my scope. Because once I mentioned that credentials were often required I'd have had to mention the fact that NULL Sessions are often possible in default configurations. It was a path I didn't want to take. A good idea though...
--
dmiessler.com - grep understanding knowledge |
dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| reply to Daniel
One more thing:
You forgot to mention that file-sharing requests are all subject to access control -- i.e., generally speaking, you need to log in before you can get access.
This is frequently overlooked in the "OMFG!!!! I have an open port!!!!!" view of the world. That doesn't mean that it's wise to expose TCP/445 to the greater Internet, but it does mean that there is layered protection.
In the obsolete Win9x implementation (and optionally in Samba), you have 'share level' authentication. A password is associated with the share, and if you know the password, you get access.
In Windows NT and most other modern implementations, you have 'user level' authentication. Accessors must know a username and password that is valid on the server, and (in implementations with decent authorization mechanisms), they get exactly the access that is due to the named user.
There is another wrinkle to user-level authentication, and that is 'guest access'. Windows may choose to allow unknown users to log in as user Guest for network accesses. This is generally a bad thing in my opinion. The Guest account is disabled by default in Win2000 and XP Pro, and you should only enable it if you understand the security ramifications. Rumour says it's on by default in XP Home. |
