XP Pro does not map Computer Names to Network IP addresses Why?

Chuck

I want to block my Son's access to any shared folders but not the printer that
is on a USB linksys Server.

My son's laptop has to have a dynamic IP because he has to connect at school
which has a different set of internal IP's than my router.

As an experiment I set my Laptop to a fixed IP address and on the desktop ZAP I
deleted all Trusted DHCP zones. I could not delete the trusted network in ZAP
which was xxx.xxx.1.0/255.255.255.0 for ZAP would not allow.

The laptop still had full access to the desktop's folders.

I blocked xxx.xxx.1.1 to xxx.xxx.1.255 in ZAP but I could still access the
desktop computer's shared files.

How do you block all IPs except those that you trust?

Thanks.

Dennis,

Under TCP/IP - Properties, if you select "Obtain an IP address automatically",
you will have an Alternate Configuration tab. You can select "User configured",
and enter fixed information, just as you would do on your other computers. This
fixed information, though, will only be used if a DHCP server is NOT available.
At his school, he'll still get dynamic settings.
<http://www.microsoft.com/resources/...l/proddocs/en-us/sag_tcpip_pro_altconfig.mspx>

On the subject of the Trusted Zone, I'm not sure what your problem is. The only
ZAP I've worked with (which was V5.5 IIRC), I set the scope to individual
addresses, not subnet. I then entered the individual addresses, one at a time.

Once you have your Trusted Zone set, you set the protection level to Medium
there (read the description for Medium), and you set to High for the Internet
Zone (read description for High).

I'm not sure how protected (if at all) a Linksys print server would be. My
guess is if he addresses it directly, he should have no problem. If you're
sharing the printer from one of your computers, you'll have to read up on ZAP
and how to make custom rules, ie put your son's computer into a special IP
group, with special access.
 
Chuck

In experimenting, I assigned fixed sequential IP's to the computers that need to
share files. In the router I have the DHCP Server assign the starting IP
addresses outside of my fixed IP range. In ZAP I block all IP's outside this
range. This seemed to block those computers that were outside the fixed IP
range. If I set the subnet to 255.255.255.240 this will limit the total IP's to
15.

The problem is that if a hacker was able to determine my fixed IPs and one or
more of the computers with a fixed IP was not up the hacker would be able to
access the shared files. A lot of if's but possible?

Dennis,

If you have a wireless LAN, the possibility of a hacker gaining access to the
LAN by hijacking a trusted IP address is a valid concern. Unfortunately, that's
one you have to mitigate in other ways.
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

# Enable MAC filtering.

# Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor?.

# Use non-trivial accounts and passwords on every computer connected to a
wireless LAN. Disable or delete Guest userid, if possible (a computer with XP
Home is a bad choice for a wireless LAN, connected wired or wireless). Rename
Administrator, to a non-trivial value, and give it a non-trivial password. Never
use the Administrator renamed account for day to day activities, only when
intentionally doing administrative tasks.

# Stay educated - know what the threats are. Newsgroups alt.internet.wireless
and microsoft.public.windows.networking.wireless are good places to start.

As wireless LANs become more common, your concerns will be more and more valid.
But hopefully the technology will improve too.
 
Dennis

Chuck said:
Under TCP/IP - Properties, if you select "Obtain an IP address automatically",
you will have an Alternate Configuration tab. You can select "User configured",
and enter fixed information, just as you would do on your other computers. This
fixed information, though, will only be used if a DHCP server is NOT available.
At his school, he'll still get dynamic settings.
<http://www.microsoft.com/resources/...l/proddocs/en-us/sag_tcpip_pro_altconfig.mspx>

In the Router DHCP SERVER should be Disabled? Then only Static IP's can be
routed?

On the subject of the Trusted Zone, I'm not sure what your problem is. The only
ZAP I've worked with (which was V5.5 IIRC), I set the scope to individual
addresses, not subnet. I then entered the individual addresses, one at a time.

The desktop ZAP 5.5 only has the network xxx.xxx.1.0/255.255.255.0 as trusted
and the DNS's IP addresses as trusted.

The Laptop has a fixed IP of xxx.xxx.1.200. That IP was not in the ZAP trusted
zone yet I had full access to the Desktop's shared files. xxx.xxx.1.200 was not
blocked.

It seems that ZAP lets anything from the network in if the network is trusted.

Does your ZAP have the network line in the trusted zone?

Thanks

Dennis
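
Added example, not part of any post in this thread: a small Python model of the difference between trusting a whole subnet and trusting individual addresses, as discussed above. The 192.168.1.x addresses are constructed stand-ins for the masked xxx.xxx.1.x values, and the matching logic is an assumed generic allow-list, not ZoneAlarm's own code.

```python
import ipaddress

# Constructed sample values (the thread masks its real addresses).
SUBNET_SCOPE = ["192.168.1.0/255.255.255.0"]                # trusted "network" line
HOST_SCOPE = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]  # one entry per PC
INTENDED = HOST_SCOPE                                       # machines meant to share files
LAPTOP = "192.168.1.200"                                    # fixed IP given to the laptop


def is_trusted(source, trusted_entries):
    """True if source falls inside any trusted entry (single host or subnet)."""
    src = ipaddress.ip_address(source)
    return any(src in ipaddress.ip_network(entry, strict=False)
               for entry in trusted_entries)


def usable_hosts(entry):
    """Set of host addresses an entry covers (network/broadcast excluded)."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen >= 31:          # single host or point-to-point range
        return set(net)
    return set(net.hosts())


def unintended(trusted_entries, intended):
    """Addresses that are trusted but were never meant to be."""
    covered = set()
    for entry in trusted_entries:
        covered |= usable_hosts(entry)
    return covered - {ipaddress.ip_address(a) for a in intended}


if __name__ == "__main__":
    for name, scope in (("subnet", SUBNET_SCOPE), ("per-host", HOST_SCOPE)):
        print(f"{name:8} scope: laptop trusted={is_trusted(LAPTOP, scope)}, "
              f"unintended trusted addresses={len(unintended(scope, INTENDED))}")
    # A 255.255.255.240 mask narrows the range but still trusts by position.
    print("hosts under 255.255.255.240:",
          len(usable_hosts("192.168.1.0/255.255.255.240")))
```
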
 
Chuck

In the Router DHCP SERVER should be Disabled? Then only Static IP's can be
routed?

The desktop ZAP 5.5 only has the network xxx.xxx.1.0/255.255.255.0 as trusted
and the DNS's IP addresses as trusted.

The Laptop has a fixed IP of xxx.xxx.1.200. That IP was not in the ZAP trusted
zone yet I had full access to the Desktop's shared files. xxx.xxx.1.200 was not
blocked.

It seems that ZAP lets anything from the network in if the network is trusted.

Does your ZAP have the network line in the trusted zone?

Thanks

Dennis

Dennis,

The DHCP server is only used to assign IP settings to computers which request
them. Any computer can assign settings on its own, ie fixed settings.

The DHCP server being on or off does not affect routing. A NAT router routes
incoming traffic to its destination whether or not the recipient of the traffic
used a dynamic or fixed address, and whether or not the address was assigned by
DHCP.

The ZAP network that I setup has 3 computers which only trust each other. I did
do a brief demo where I changed the IP address of one, which was then blocked
from file shares access, in showing the owners why fixed IP addresses are a good
layer of defense. I'm not sure why yours is acting strangely. Would you like
to try email or IM, so we can explore this in depth?
 
Chuck

In the Router DHCP SERVER should be Disabled? Then only Static IP's can be
routed?

The desktop ZAP 5.5 only has the network xxx.xxx.1.0/255.255.255.0 as trusted
and the DNS's IP addresses as trusted.

The Laptop has a fixed IP of xxx.xxx.1.200. That IP was not in the ZAP trusted
zone yet I had full access to the Desktop's shared files. xxx.xxx.1.200 was not
blocked.

It seems that ZAP lets anything from the network in if the network is trusted.

Does your ZAP have the network line in the trusted zone?

Thanks

Dennis

Dennis,

What level is Internet Zone set at?
 
Dennis

Chuck said:
If you have a wireless LAN, the possibility of a hacker gaining access to the
LAN by hijacking a trusted IP address is a valid concern. Unfortunately, that's
one you have to mitigate in other ways.
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

Thanks I read that yesterday. Thanks for making this valuable information
available.

Done

# Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor?.

I've always done this.

# Use non-trivial accounts and passwords on every computer connected to a
wireless LAN. Disable or delete Guest userid, if possible (a computer with XP
Home is a bad choice for a wireless LAN, connected wired or wireless). Rename
Administrator, to a non-trivial value, and give it a non-trivial password. Never
use the Administrator renamed account for day to day activities, only when
intentionally doing administrative tasks.

When I disabled the guest account in the desktop XP Pro the laptop with a fixed
IP displayed a window asking for a Guest account password before it would let me
access the shared files. But the guest account was disabled so I'm not sure
what's happening.
 
Dennis

What level is Internet Zone set at?

High.

The Trusted Zone is set at Medium.

When I set the Guest account on the desktop XP Pro to disabled the Laptop XP
Home was unable to access the shared files even though I put the laptop fixed IP
address into ZAP.

When I Enabled the desktop guest account(it has a password) the laptop was able
to access the desktop shared files (it seemed to remember the guest password)
even though the laptop fixed IP was deleted from the ZAP trusted zone.

The guest account cannot be disabled if you wish to share files?

Thanks

Dennis
 
Dennis

Chuck said:
The ZAP network that I setup has 3 computers which only trust each other. I did
do a brief demo where I changed the IP address of one, which was then blocked
from file shares access, in showing the owners why fixed IP addresses are a good
layer of defense. I'm not sure why yours is acting strangely. Would you like
to try email or IM, so we can explore this in depth?

I don't have IM but yes I would like to email you. Thank you for your offer I
appreciate your kindness.

I will not be able to email until later approx 6PM chicago USA time.

Should I send you a zip file of ZAP pages Gif's?

Thanks.

Dennis
 
Chuck

Thanks I read that yesterday. Thanks for making this valuable information
available.

When I disabled the guest account in the desktop XP Pro the laptop with a fixed
IP displayed a window asking for a Guest account password before it would let me
access the shared files. But the guest account was disabled so I'm not sure
what's happening.

Dennis,

You have to setup all computers identically:
- Disable Simple File Sharing.
- Disable Guest, as in "net user Guest /active:no"
- Setup and use a common non-Guest account on all computers with identical,
non-blank password.
<http://nitecruzr.blogspot.com/2005/04/windows-xp-file-sharing-not-so-simple.html>
 
Chuck

High.

The Trusted Zone is set at Medium.

When I set the Guest account on the desktop XP Pro to disabled the Laptop XP
Home was unable to access the shared files even though I put the laptop fixed IP
address into ZAP.

When I Enabled the desktop guest account(it has a password) the laptop was able
to access the desktop shared files (it seemed to remember the guest password)
even though the laptop fixed IP was deleted from the ZAP trusted zone.

The guest account cannot be disabled if you wish to share files?

Thanks

Dennis

Dennis,

Yuck. XP Home. Bad choice for a wireless LAN, so you're stuck with using
Guest, but try and give it an identical, non-trivial non-blank password on all
computers.

Authentication / authorisation (Simple vs Advanced File Sharing, Guest vs
non-Guest authentication) should be unrelated to Zone Alarm and Trust Zones,
excepting that authentication won't take place if the Trust Zone is properly
setup, and file sharing is blocked.
<http://nitecruzr.blogspot.com/2005/04/windows-xp-file-sharing-not-so-simple.html>
 
Chuck

I don't have IM but yes I would like to email you. Thank you for your offer I
appreciate your kindness.

I will not be able to email until later approx 6PM chicago USA time.

Should I send you a zip file of ZAP pages Gif's?

Thanks.

Dennis

Dennis,

Sure. Give it a shot.
 
