Kendas
join:2001-02-26
Tucson, AZ
| reply to dolphins
Re: Windows Explorer bypasses router password
This is why you never leave the default IP address on the router.
Of course that IP didn't work for me as I use a different IP address for the router.
Cheap security: Use a "non-routable" IP address/subnet mask and a good firewall to keep people out.  |
|
planet
join:2001-11-05
Olmsted Falls, OH
 ·Cox HSI
| Dolphins,
I understand your concern. But, would this be an issue from the WAN side or only the LAN side? Ya gotta love a password protected software FW in cases like this.
This could pose a real problem for business' if employees can access the router via Windows Explorer. |
|
fcisler
Premium
join:2004-06-14
Riverhead, NY | reply to dolphins
I'm gonna take a stab at this.....
How many of you who can type your routers address directly into windows explorer, and have it give you access, have NOT disabled the security risk UPnP service?!?! |
|
speeddemon100
join:2001-02-18
West Hempstead, NY | reply to dolphins
Well I've been testing Vista for a while and it can't be duplicated here. (192.168.2.1)(Belkin) Typing this in Explorer launches internet explorer, and then prompts for password. |
|
speeddemon100
join:2001-02-18
West Hempstead, NY | On XP Home SP2, I can not duplicate dolphins issue. Like I said with Vista I have a Belkin Router - 192.168.2.1. Windows Explorer will prompt for password as well as IE6. |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to fcisler
One of the first things I did when I got this machine up and running was to disable UPnP. Also Since all I did was swap machines(old for new) on the router UPnP was already disabled in my router settings.
--
Prevent Malware |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to planet
said by planet  :Dolphins, I understand your concern. But, would this be an issue from the WAN side or only the LAN side? Ya gotta love a password protected software FW in cases like this. This could pose a real problem for business' if employees can access the router via Windows Explorer. An attack would have to come from the WAN in order to reach the LAN but a well written web page with intent to steal could bypass my router if I had no other security in place.
As for this being widespread I'm unsure cause only the 2 of us so far have been able to do this.
--
Prevent Malware |
|
jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
clubs:
·Comcast
| This stinks
I thought I had it licked with a reboot, but once I successfully logged in to the router in IE, and then closed the browser, I opened windows explorer, pasted the address and went right in... no password challenge.
Trying again using IE, dialog box popped up, pre-filled in.
I DO NOT have auto complete or upnp service active!
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~ |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
 ·AT&T Southwest
| reply to dolphins
Re: Windows Explorer bypasses router password
This are my results. 1st I'm not sure one can separate Windows Explorer from Internet Explorer. From my feeble memory I seem to remember one of the features programmed into Explorer was to be able to Explore/Browse a network similar or even via HTTP which is why the two are almost inseparable. If you type in a web link in Windows Explorer it will bring up the Web browser and take you to the site.
One of the things I discovered using FireFox with multiple tabs open is that once you log in to a site that requires a login name/password unless you completely close all the tabs and Firefox itself it will remember the login name and password for each site entered. Example: If I have Firefox open with two tabs, one on DSLR and one on Yahoo Mail, if I close the tab to DSLR and then open a new tab and go back to DSLR I will not be asked to login again. Same with Yahoo Email. As long as one instance of my browser remains open it will retain that info.
In my testing if I open IE and login to my router then close my browser fully it will ask every time. If I add my router web address to Windows Explorer it opens FireFox for me(my default browser) and again asks for login each time. But to get this to happen I have to make sure my browser is shutdown each time. If you leave your browser window(IE or FX in my case) open and have Windows Explorer open on top of it and enter the router IP again the browser will have retained the login info and not ask you to login again.
That is what I experienced. |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to dolphins
All of you that can confirm the issue, do you have the same model router/firmware
BEFSR41 V3 Firmware Version: 1.05.00 as dolphins ? |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
1 edit | reply to jack b
Re: This stinks
Ok, Got a response from Linksys.com forums and it's pretty much what you did(rebooted)and what jbob is saying.
»forums.linksys.com/linksys/board···ue#M2576
quote:
As long as windows is running, windows explorer is running, too. If you enter the password once it remains cached until windows is rebooted. It is the same with internet explorer: as long as one internet explorer window remains open the password entered before remains cached. You have to close all internet explorer windows (ending iexplore.exe) before you have to enter it again. This is on purpose. Else you would have to enter the password again and again for all router pages.
Edit: I still can't see why this isn't happening to everyone? Is everybody but me and jack_b rebooting everytime they close windows?
--
Prevent Malware |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| They think of it as feature? I've got 2 browsers accessing the router from same machine and still explorer is challenged when it tries. Unless they change the firmware not much you can do except prevent explorer access with firewall.
Cudni
--
Some are born to failure, others achieve it, all deserve it.Help yourself so God can help you.MVP, Microsoft Windows Security 2006 |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to jbob
Re: Windows Explorer bypasses router password
said by jbob :This are my results. 1st I'm not sure one can separate Windows Explorer from Internet Explorer. From my feeble memory I seem to remember one of the features programmed into Explorer was to be able to Explore/Browse a network similar or even via HTTP which is why the two are almost inseparable. If you type in a web link in Windows Explorer it will bring up the Web browser and take you to the site. You are correct. Windows Explorer opens IE when an web address or IP is typed into address bar but the problem we are having is that even after closing all windows we can still enter router without being prompted for password.
The only thing I can think is that me and jack_b have something running that keeps Windows open? I thought it might have been WallWatcher but I removed it and still the same problem.
--
Prevent Malware |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to Cudni
Re: This stinks
No it's not a router feature it's a windows feature. jack_b is running a D-Link router and has the same problem.
That's why I can't understand why no one else has this problem.
--
Prevent Malware |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
2 edits | Probably not, but try with another router or connect another comp? I think there would be many more people able to confirm you finding if it was just windows.
edit@ It is the combination of Explorer and IE (i use Firefox usually). I have accessed the router with IE and then followed with explorer. This time it displayed both the user name and password populated and i all i have to do is press ok and now it remembers the setting even though i didn't click the remember the password. If i close IE explorer is challenged on subsequent tries 
Cudni
--
Some are born to failure, others achieve it, all deserve it.Help yourself so God can help you.MVP, Microsoft Windows Security 2006 |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to dolphins
If I uncheck:
Windows Explorer->Tools->Folder Options->View->
Launch Folder Windows In A Separate Process
I can recreate your issue (no user / password prompt). However, with the setting checked (as I always have it set), the prompt occurs each time Windows Explorer is used to launch the router administration page (D-Link router). |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
2 edits | BINGO! We have a winner!
Thank You Thank You Thank You
Edit: The only thing now is how did mine get unchecked? |
|
jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
clubs: | YUP.
Checking that stopped the "feature".
Seems unchecked IS default setting. |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to dolphins
said by dolphins :BINGO! We have a winner! Thank You Thank You Thank You Edit: The only thing now is how did mine get unchecked? You're welcome.
By the way, Jack B is correct that default is "unchecked". My intent, though not clear, by saying "as I always have it set" was to let you know that I actually set the option.
As to why everyone else here seems to have the setting changed from default: it is a fairly common and often recommended tweak. However, the reason usually cited for the recommendation is that it decreases the chances of a crashed Explorer window taking down the entire system because each instance of Explorer (with the option checked) is opened in a separate process as should be clear from the option's name. However, as you have found out and as can be easily imagined , the issues that can be caused by the default setting are more wide ranging. |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Thanks for the follow up. You are now one of my close friends whether you like it or not.
--
Prevent Malware |
|
