Is this the way Windows XP was designed?

Discussion in 'Windows XP Security' started by David Sherman, May 2, 2005.

  1. I use VMware and Virtual PC to test operating systems. I have several
    operating systems in VMware 4.52. I have a "shared folder" in my Virtual
    PC session for Windows XP, service pack 2 and all the patches. The
    shared folder is called whatever. It was created by right-clicking on
    the folder name in explorer.exe.

    I can then open a VMware session of Fedora Core 3 (Suse 9.3 and
    Knoppix 3.8) and in the KDE Konqueror program, I can then do a
    smb:\\IP address of the Windows XP machine in Virtual PC. Konqueror
    will display all my shares. The shares include C$, D$ and "whatever".
    If I click on C$ or D$, I am asked for user name and password. If I
    click on "whatever", I am not asked for user name and password. If I
    open up a Windows 2000 session, I see the shares C$ and D$ and my
    shared folder. I still am asked for user name and password when I
    click on C$ and D$ but I am also asked for user name for the
    "whatever" shared folder.

    It seems to me that the permissions in the Shared Folders are
    different in XP and Windows 2000. The security in XP is weaker than
    Windows 2000.

    All I need is a Linux box and nmap and do a warp drive session and
    find all the IP addresses and do my damage.

    Is this the way Windows XP was designed?

    I asked security at Microsoft and here is their response:

    For further assistance on this issue I'm going to direct you to
    technical support. What I'm seeing below is not a vulnerability from
    my point of view and technical support can help understand your
    concern directly since email does not seem to be doing the trick.
     
    David Sherman, May 2, 2005
    #1

  2. David Sherman

    Kerry Brown Guest

    "David Sherman" <> wrote in message
    news:...
    >I use VMware and Virtual PC to test operating systems. I have several
    > operating systems in VMware 4.52. I have a "shared folder" in my Virtual
    > PC session for Windows XP, service pack 2 and all the patches. The
    > shared folder is called whatever. It was created by right-clicking on
    > the folder name in explorer.exe.
    >
    > I can then open a VMware session of Fedora Core 3 (Suse 9.3 and
    > Knoppix 3.8) and in the KDE Konqueror program, I can then do a
    > smb:\\IP address of the Windows XP machine in Virtual PC. Konqueror
    > will display all my shares. The shares include C$, D$ and "whatever".
    > If I click on C$ or D$, I am asked for user name and password. If I
    > click on "whatever", I am not asked for user name and password. If I
    > open up a Windows 2000 session, I see the shares C$ and D$ and my
    > shared folder. I still am asked for user name and password when I
    > click on C$ and D$ but I am also asked for user name for the
    > "whatever" shared folder.
    >
    > It seems to me that the permissions in the Shared Folders are
    > different in XP and Windows 2000. The security in XP is weaker than
    > Windows 2000.
    >
    > All I need is a Linux box and nmap and do a warp drive session and
    > find all the IP addresses and do my damage.
    >
    > Is this the way Windows XP was designed?
    >
    > I asked security at Microsoft and here is their response:
    >
    > For further assistance on this issue I'm going to direct you to
    > technical support. What I'm seeing below is not a vulnerability from
    > my point of view and technical support can help understand your
    > concern directly since email does not seem to be doing the trick.


    Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro it
    can be turned off.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;307874

    http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

    Kerry
     
    Kerry Brown, May 2, 2005
    #2

  3. I have XP pro.
    I know that file sharing can be turned off and on. But what if users
    want it on?
    If I bring in a Linux machine to the network, I would hope that this
    Linux can't get to the XP shared files. If a Linux box hits a Windows
    2000 machine, the Linux user is asked a user name and password. Why
    isn't this the case with Windows XP?

    thanks

     
    David Sherman, May 2, 2005
    #3
  4. David Sherman

    Dave Guest

    you may also find that the 'guest' account is disabled by default on the xp
    pro machine. this may be different than 2000. the c$ type admin shares
    probably require an admin login, where the other shares can be accessed by
    the default guest account.
     
    Dave, May 2, 2005
    #4
  5. David Sherman

    Gordon Guest

    Dave wrote:
    || you may also find that the 'guest' account is disabled by default on
    || the xp pro machine. this may be different than 2000. the c$ type
    || admin shares probably require an admin login, where the other shares
    || can be accessed by the default guest account.

    Actually, probably the other way around. The Guest account is probably
    enabled on the Pro machines - W2K doesn't have a "guest" account.


    --
    Gordon Burgess-Parker
    Interim Systems and Management Accounting
    www.gbpcomputing.co.uk
     
    Gordon, May 2, 2005
    #5
  6. David Sherman

    Dave Guest

    my win2k pro has a guest account.
     
    Dave, May 2, 2005
    #6
  7. David Sherman

    Kerry Brown Guest

    "David Sherman" <> wrote in message
    news:...
    >I have XP pro.
    > I know that file sharing can be turned off and on. But what if users
    > want it on?
    > If I bring in a Linux machine to the network, I would hope that this
    > Linux can't get to the XP shared files. If a Linux box hits a Windows
    > 2000 machine, the Linux user is asked a user name and password. Why
    > isn't this the case with Windows XP?
    >
    > thanks
    >


    David

    Did you read the links? There are two types of file sharing in XP. By
    default it uses simple file sharing. If you turn simple file sharing off
    you will get access to the whole gamut of file permissions, user accounts
    and so on. It is similar to win2k in that you have to add users, give them
    rights, set up shares etc. With simple file sharing you simply share a
    folder and the guest account automatically has access. By default in XP
    guest is enabled. By default in win2k it is not. I'm not sure what linux
    uses but from the sounds of what you are describing it is authenticating as
    guest. If you enable the guest account on the win2k session you will be able
    to access the "whatever" share. Your best bet is to turn simple file sharing
    off and disable the guest account in XP. You could then allow access for
    only authenticated accounts.

    Kerry


     
    Kerry Brown, May 2, 2005
    #7
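
    An added example, not part of the thread: an audit helper that reads the two settings the reply above turns on, Simple File Sharing and the Guest account state, from command output collected on an XP Pro host. It assumes the `forceguest` value under the `Lsa` key is the registry setting behind Simple File Sharing; the sample outputs are constructed, and share/NTFS ACLs and user-rights policy are not examined.

```python
import re

# Constructed sample output (not captured from a real host), in the layout of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest
REG_SIMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    forceguest  REG_DWORD   0x1
"""
REG_CLASSIC = REG_SIMPLE.replace("0x1", "0x0")

# Constructed sample output of:  net user guest
NET_GUEST_ON = """User name                    Guest
Full Name
Account active               Yes
Account expires              Never
"""
NET_GUEST_OFF = NET_GUEST_ON.replace("Yes", "No")


def parse_forceguest(reg_output):
    """True if network logons are forced to Guest, False if classic, None if not found."""
    m = re.search(r"^\s*forceguest\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$",
                  reg_output, re.IGNORECASE | re.MULTILINE)
    return None if m is None else int(m.group(1), 16) != 0


def parse_guest_active(net_output):
    """True/False from the 'Account active' line, None if the line is missing."""
    m = re.search(r"^Account active\s+(Yes|No)\s*$",
                  net_output, re.IGNORECASE | re.MULTILINE)
    return None if m is None else m.group(1).lower() == "yes"


def assess(reg_output, net_output):
    """Classify how an unauthenticated SMB client will be treated."""
    force_guest = parse_forceguest(reg_output)
    guest_active = parse_guest_active(net_output)
    if force_guest is None or guest_active is None:
        return ("unknown", "could not read one of the two settings")
    if force_guest and guest_active:
        # The case described in the thread: no prompt for the shared folder.
        return ("open", "every network logon is mapped to Guest; "
                        "turn Simple File Sharing off and disable Guest")
    if force_guest:
        return ("guest-disabled", "logons are mapped to Guest but Guest is "
                                  "disabled, so network access fails")
    if guest_active:
        return ("guest-fallback", "classic model, but Guest is still enabled; "
                                  "disable it (net user guest /active:no)")
    return ("authenticated", "classic model, Guest disabled; "
                             "clients must present a valid account")


if __name__ == "__main__":
    for reg, net in [(REG_SIMPLE, NET_GUEST_ON), (REG_SIMPLE, NET_GUEST_OFF),
                     (REG_CLASSIC, NET_GUEST_ON), (REG_CLASSIC, NET_GUEST_OFF)]:
        print(*assess(reg, net), sep=": ")
```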
  8. David Sherman

    Gordon Guest

    Dave wrote:
    || my win2k pro has a guest account.

    You're quite right! So has mine! never noticed OR used that before.......

    --
    Gordon Burgess-Parker
    Interim Systems and Management Accounting
    www.gbpcomputing.co.uk
     
    Gordon, May 2, 2005
    #8
  9. David Sherman

    Malke Guest

    Kerry Brown wrote:

    > "David Sherman" <> wrote in message
    > news:...
    >>I have XP pro.
    >> I know that file sharing can be turned off and on. But what if users
    >> want it on?
    >> If I bring in a Linux machine to the network, I would hope that this
    >> Linux can't get to the XP shared files. If a Linux box hits a
    >> Windows 2000 machine, the Linux user is asked a user name and
    >> password. Why isn't this the case with Windows XP?
    >>


    Linux, like all other grown-up operating systems except for XP Home, has
    a Guest account which is usually disabled by default for security
    reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
    on XP Pro and Pro will require users to be authenticated just like
    Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
    that's all.

    Malke
    --
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
    MS-MVP Windows - Shell/User
     
    Malke, May 2, 2005
    #9
  10. True but let's take it like many users do it.

    I right click on a folder in Windows 2000 and Windows XP and share it.
    I don't care whether it is simple sharing or not. Most users use
    simple sharing.

    XP should automatically ask for user name and password like Windows
    2000 does. Try it.

    Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
    9.3. Boot it and tell me what you see.

    Run nmap in Linux and get all the IP addresses.

    Go for the files!!


     
    David Sherman, May 3, 2005
    #10
  11. David Sherman

    Kerry Brown Guest

    "David Sherman" <> wrote in message
    news:...
    > True but let's take it like many users do it.
    >
    > I right click on a folder in Windows 2000 and Windows XP and share it.
    > I don't care whether it is simple sharing or not. Most users use
    > simple sharing.
    >
    > XP should automatically ask for user name and password like Windows
    > 2000 does. Try it.
    >
    > Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
    > 9.3. Boot it and tell me what you see.
    >
    > Run nmap in Linux and get all the IP addresses.
    >
    > Go for the files!!
    >
    >


    True, I don't agree with Microsoft's decision to make simple file sharing
    the default. I especially don't like the fact that Home can only use simple
    file sharing. A lot of homes have multiple computers hooked up to a router.
    Then add wireless and the fact that most home users don't set up any
    security into the equation. I can see three of my neighbour's networks
    right now. It's a disaster waiting to happen. I thought you were asking for
    help in your OP, not making a philosophical judgement :)

    Kerry



     
    Kerry Brown, May 3, 2005
    #11
  12. My problem is bad but can you think about all those who use BearShare
    and find out that their tax return was shared across the county?

    http://www.cbsnews.com/stories/2005/05/03/eveningnews/main692765.shtml




     
    David Sherman, May 4, 2005
    #12