Is this the way Windows XP was designed?

David Sherman

I use VMware and Virtual PC to test operating systems. I have several
operating systems in VMware 4.52. I have a "shared folder" in my Virtual
PC session for Windows XP, service pack 2 and all the patches. The
shared folder is called whatever. It was created by right-clicking on
the folder name in explorer.exe.

I can then open a VMware session of Fedora Core 3 (Suse 9.3 and
Knoppix 3.8) and in the KDE konqueror program, I can then do a
smb:\\IP address of the Windows XP machine in Virtual PC. Konqueror
will display all my shares. The shares include C$, D$ and "whatever".
If I click on C$ or D$, I am asked for user name and password. If I
click on "whatever", I am not asked for user name and password. If I
open up a Windows 2000 session, I see the shares C$ and D$ and my
shared folder. I still am asked for user name and password when I
click on C$ and D$ but I am also asked for user name for the
"whatever" shared folder.

It seems to me that the permissions in the Shared Folders are
different in XP and Windows 2000. The security in XP is weaker than
Windows 2000.

All I need is a Linux box and nmap and do a warp drive session and
find all the IP addresses and do my damage.

Is this the way Windows XP was designed?

I asked security at Microsoft and here is their response:

For further assistance on this issue I'm going to direct you to
technical support. What I'm seeing below is not a vulnerability from
my point of view and technical support can help understand your
concern directly since email does not seem to be doing the trick.
 
Kerry Brown

David Sherman said:
I use VMware and Virtual PC to test operating systems. I have several
operating systems in VMware 4.52. I have a "shared folder" in my Virtual
PC session for Windows XP, service pack 2 and all the patches. The
shared folder is called whatever. It was created by right-clicking on
the folder name in explorer.exe.

I can then open a VMware session of Fedora Core 3 (Suse 9.3 and
Knoppix 3.8) and in the KDE konqueror program, I can then do a
smb:\\IP address of the Windows XP machine in Virtual PC. Konqueror
will display all my shares. The shares include C$, D$ and "whatever".
If I click on C$ or D$, I am asked for user name and password. If I
click on "whatever", I am not asked for user name and password. If I
open up a Windows 2000 session, I see the shares C$ and D$ and my
shared folder. I still am asked for user name and password when I
click on C$ and D$ but I am also asked for user name for the
"whatever" shared folder.

It seems to me that the permissions in the Shared Folders are
different in XP and Windows 2000. The security in XP is weaker than
Windows 2000.

All I need is a Linux box and nmap and do a warp drive session and
find all the IP addresses and do my damage.

Is this the way Windows XP was designed?

I asked security at Microsoft and here is their response:

For further assistance on this issue I'm going to direct you to
technical support. What I'm seeing below is not a vulnerability from
my point of view and technical support can help understand your
concern directly since email does not seem to be doing the trick.

Is this XP Home or Pro? You are using "Simple File Sharing". If it is Pro it
can be turned off.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307874

http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

Kerry
 
David Sherman

I have XP Pro.
I know that file sharing can be turned off and on. But what if users
want it on?
If I bring in a Linux machine to the network, I would hope that this
Linux can't get to the XP shared files. If a Linux box hits a Windows
2000 machine, the Linux user is asked a user name and password. Why
isn't this the case with Windows XP?

thanks
 
Dave

you may also find that the 'guest' account is disabled by default on the xp
pro machine. this may be different than 2000. the c$ type admin shares
probably require an admin login, where the other shares can be accessed by
the default guest account.
 
Gordon

Dave wrote:
|| you may also find that the 'guest' account is disabled by default on
|| the xp pro machine. this may be different than 2000. the c$ type
|| admin shares probably require an admin login, where the other shares
|| can be accessed by the default guest account.

Actually, probably the other way around. The Guest account is probably
enabled on the Pro machines - W2K doesn't have a "guest" account.
 
Kerry Brown

David Sherman said:
I have XP Pro.
I know that file sharing can be turned off and on. But what if users
want it on?
If I bring in a Linux machine to the network, I would hope that this
Linux can't get to the XP shared files. If a Linux box hits a Windows
2000 machine, the Linux user is asked a user name and password. Why
isn't this the case with Windows XP?

thanks

David

Did you read the links? There are two types of file sharing in XP. By
default it uses simple file sharing. If you turn simple file sharing off
you will get access to the whole gamut of file permissions, user accounts
and so on. It is similar to win2k in that you have to add users, give them
rights, set up shares etc. With simple file sharing you simply share a
folder and the guest account automatically has access. By default in XP
guest is enabled. By default in win2k it is not. I'm not sure what Linux
uses but from the sounds of what you are describing it is authenticating as
guest. If you enable the guest account on the win2k session you will be able
to access the "whatever" share. Your best bet is to turn simple file sharing
off and disable the guest account in XP. You could then allow access for
only authenticated accounts.

Kerry
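
The two settings Kerry's reply turns on can be checked from a command prompt on the XP Pro machine. The batch file below is an added example, not part of the original thread; it assumes an English-language XP Pro install and that the "Use simple file sharing" option is stored as the `forceguest` value under the Lsa key.

```bat
@echo off
rem Added example (not from the thread): audit the sharing model and the
rem Guest account on a Windows XP Pro host. Assumes English "net" output.

rem 1) Sharing model. forceguest=1 maps every network logon that uses a
rem    local account to Guest (Simple File Sharing); 0 is the classic
rem    model where the caller must authenticate as a real account.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest | find /i "0x1" >nul
if not errorlevel 1 (
    echo [WEAK] forceguest=1 - Simple File Sharing, shares are reached as Guest
) else (
    echo [OK]   forceguest is not set to 1 - classic model, callers must authenticate
)

rem 2) Guest account state as reported by "net user".
net user guest | find /i "Account active"

rem 3) List current shares so each one can be reviewed.
net share

rem Hardening suggested in the reply above. Left commented out so the
rem script only reports; remove "rem" to apply.
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest /t REG_DWORD /d 0 /f
rem net user guest /active:no
```

After switching to the classic model, the share and NTFS permissions on each folder listed by `net share` still need to be set for the accounts that should have access.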
 
Gordon

Dave wrote:
|| my win2k pro has a guest account.

You're quite right! So has mine! never noticed OR used that before.......
 
Malke

Linux, like all other grown-up operating systems except for XP Home, has
a Guest account which is usually disabled by default for security
reasons. XP Pro is exactly like this, too. Disable your Simple Sharing
on XP Pro and Pro will require users to be authenticated just like
Win2k or Linux, etc. You've just got XP Pro set up with Simple Sharing,
that's all.

Malke
 
David Sherman

True, but let's take it like many users do it.

I right click on a folder in Windows 2000 and Windows XP and share it.
I don't care whether it is simple sharing or not. Most users use
simple sharing.

XP should automatically ask for user name and password like Windows
2000 does. Try it.

Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
9.3. Boot it and tell me what you see.

Run nmap in Linux and get all the IP addresses.

Go for the files!!
 
Kerry Brown

David Sherman said:
True, but let's take it like many users do it.

I right click on a folder in Windows 2000 and Windows XP and share it.
I don't care whether it is simple sharing or not. Most users use
simple sharing.

XP should automatically ask for user name and password like Windows
2000 does. Try it.

Take a Linux Live Distribution like Knoppix 3.8 and/or Suse 9.2 or
9.3. Boot it and tell me what you see.

Run nmap in Linux and get all the IP addresses.

Go for the files!!

True, I don't agree with Microsoft's decision to make simple file sharing
the default. I especially don't like the fact that Home can only use simple
file sharing. A lot of homes have multiple computers hooked up to a router.
Then add wireless and the fact that most home users don't set up any
security into the equation. I can see three of my neighbour's networks
right now. It's a disaster waiting to happen. I thought you were asking for
help in your OP, not making a philosophical judgement :)

Kerry
 
