Networking ME, XP Securely on LAN

Guest

To network a Windows ME and XP computer together on a LAN securely I
shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind
TCP on the XP, run the networking wizard on the XP, create a network disk,
then run it on the ME.



The web page http://www.easydesksoftware.com/news/news24.htm says that the
Networking Wizard on the XP computer will create a network floppy disk that
will add a new service to the ME's
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".



What is the purpose of the network floppy disk? Why is it necessary to add
the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?


Thank you.
 
Chuck

Using alternative protocols is occasionally recommended by those who don't want
to take the time to work out a secure network properly. Alternate protocols
have their advantages on rare occasions.
<http://nitecruzr.blogspot.com/2005/07/windows-networking-and-alternate.html>

A properly designed layered security strategy is much more effective in the long
run.
<http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>

The network floppy disk contains nothing that you can't do by hand, just as
easily.
<http://nitecruzr.blogspot.com/2005/05/using-network-setup-wizard-in-windows.html>
 
Steve Winograd [MVP]

MEK said:
To network a Windows ME and XP computer together on a LAN securely I
shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind
TCP on the XP, run the networking wizard on the XP, create a network disk,
then run it on the ME.

The web page http://www.easydesksoftware.com/news/news24.htm says that the
Networking Wizard on the XP computer will create a network floppy disk that
will add a new service to the ME's
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".

What is the purpose of the network floppy disk? Why is it necessary to add
the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?

Thank you.

Why do you say that TCP/IP isn't secure on a LAN? Using TCP/IP as the
only network protocol is by far the most common LAN setup, and it's
easy to make it secure.

Using TCP/IP is secure if a LAN connects to the Internet through a
broadband router. By default, the router acts as a firewall,
preventing other Internet users from accessing your LAN or your
computers.

The only setup I know of where TCP/IP isn't secure is when:

1. All of the computers connect directly to the Internet through a
network hub or switch, without a router.

and:

2. All of the computers receive public IP addresses from a cable
modem, DSL modem, etc.

If your computer's IP address is in one of these ranges, it's a
private IP address, not a public IP address, and it's safe to use
TCP/IP for File and Printer Sharing:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Despite what XP's Network Setup Wizard says, you don't have to run the
Network Setup Wizard on Windows 98/Me computers. You can make their
network settings manually. In fact, the default network settings in
Windows 98/Me work fine with XP.

The Network Setup Wizard's main purpose is to configure a computer for
File and Printer Sharing using TCP/IP. The Wizard can't configure a
computer to use NetBEUI or IPX/SPX for File and Printer Sharing.

The SSDP service can detect and display an icon for an Internet
gateway (ICS host computer or broadband router) on the LAN. Of
course, if the LAN has an ICS host computer or a broadband router,
it's safe to use TCP/IP for File and Printer Sharing.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Guest

Steve Winograd said:
Why do you say that TCP/IP isn't secure on a LAN? Using TCP/IP as the
only network protocol is by far the most common LAN setup, and it's
easy to make it secure.

Using TCP/IP is secure if a LAN connects to the Internet through a
broadband router. By default, the router acts as a firewall,
preventing other Internet users from accessing your LAN or your
computers.

The only setup I know of where TCP/IP isn't secure is when:

1. All of the computers connect directly to the Internet through a
network hub or switch, without a router.

and:

2. All of the computers receive public IP addresses from a cable
modem, DSL modem, etc.

If your computer's IP address is in one of these ranges, it's a
private IP address, not a public IP address, and it's safe to use
TCP/IP for File and Printer Sharing:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Despite what XP's Network Setup Wizard says, you don't have to run the
Network Setup Wizard on Windows 98/Me computers. You can make their
network settings manually. In fact, the default network settings in
Windows 98/Me work fine with XP.

The Network Setup Wizard's main purpose is to configure a computer for
File and Printer Sharing using TCP/IP. The Wizard can't configure a
computer to use NetBEUI or IPX/SPX for File and Printer Sharing.

The SSDP service can detect and display an icon for an Internet
gateway (ICS host computer or broadband router) on the LAN. Of
course, if the LAN has an ICS host computer or a broadband router,
it's safe to use TCP/IP for File and Printer Sharing.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com


I read this from a website:

"The most dangerous issue for any computer running any version of the
Windows operating system is that file and print sharing is, by default,
enabled and bound to TCP/IP. That means, simply, that the same capability
that allows peer-to-peer networking and file sharing on your home/office LAN
is available to anyone on the Internet!! In particular, the following ports
are open and listening:

UDP port 137, nbname (NetBIOS name service)
UDP port 138, nbdatagram (NetBIOS datagram service)
TCP port 139, nbsession (NetBIOS session service)

There is no reason for file and print sharing to use TCP/IP. Before
connecting in any way to the Internet, Windows users should block file and
print sharing over TCP/IP. This is simply done; go into the Network
configuration under Control Panel, and unbind "Client for Microsoft Networks"
and "File and print sharing for Microsoft Networks" in the TCP/IP properties
for all adapters using TCP/IP (Screen #1). You can still do all of the file
and print sharing that you want over the LAN because Microsoft networks use
the NetBIOS protocol and don't need to have these functions bound to TCP/IP."




Someone told me to always close these TCP file-sharing ports when connected
to the Internet.


Will a router's firewall or a software firewall provide protection if I
configure it properly?



Thanks.
 
Steve Winograd [MVP]

MEK said:
I read this from a website:

"The most dangerous issue for any computer running any version of the
Windows operating system is that file and print sharing is, by default,
enabled and bound to TCP/IP. That means, simply, that the same capability
that allows peer-to-peer networking and file sharing on your home/office LAN
is available to anyone on the Internet!! In particular, the following ports
are open and listening:

UDP port 137, nbname (NetBIOS name service)
UDP port 138, nbdatagram (NetBIOS datagram service)
TCP port 139, nbsession (NetBIOS session service)

I assume that you're referring to
http://www.vtinfragard.org/protecting_home_systems.html

Note that the paragraph right above the one you quoted says "These
rules apply to both dial-up and dedicated (DSL/cable modem) access."
I interpret "dedicated (DSL/cable modem) access" to be the type of
direct Internet connection, without a broadband router, that I
mentioned in my first reply. In that case, and only in that case, I
agree that it's insecure to use TCP/IP for File and Printer Sharing.

I don't think that the rules on that page apply to a LAN that gets
Internet access through a broadband router. Only the router is
visible to other people on the Internet. The computers and their
shared files are invisible and inaccessible to other people on the
Internet, regardless of what ports are open and listening.

MEK said:
There is no reason for file and print sharing to use TCP/IP. Before
connecting in any way to the Internet, Windows users should block file and
print sharing over TCP/IP. This is simply done; go into the Network
configuration under Control Panel, and unbind "Client for Microsoft Networks"
and "File and print sharing for Microsoft Networks" in the TCP/IP properties
for all adapters using TCP/IP (Screen #1). You can still do all of the file
and print sharing that you want over the LAN because Microsoft networks use
the NetBIOS protocol and don't need to have these functions bound to TCP/IP."

In my opinion, there's no reason to use anything but TCP/IP for File
and Printer Sharing, except in the specific setup that I described.
I've written a web page about it:

Windows XP Network Protocols
http://www.practicallynetworked.com/sharing/xp/network_protocols.htm

Note that Microsoft dropped support for NetBEUI in Windows XP, and it
has dropped support for IPX/SPX in Windows Vista. TCP/IP is the only
protocol available in Windows Vista.

MEK said:
Someone told me to always close these TCP file-sharing ports when connected
to the Internet.

That statement is much too broad.

MEK said:
Will a router's firewall or a software firewall provide protection if I
configure it properly?

Yes, a router's firewall provides protection. To verify that, set up
a LAN using TCP/IP for File and Printer Sharing behind a broadband
router, then run a port scan, such as Shields Up!! at http://grc.com

You're welcome!
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
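
An added example, not part of the original thread: it applies the rule discussed above (file-sharing ports are only a concern on a publicly addressed interface) to `netstat -an` output. The sample output, the interface lists and the function names are constructed for illustration.

```python
import ipaddress

# The three private ranges listed in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# File-sharing ports named in the thread (137-139 and 445).
SHARING_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1043       203.0.113.80:80        ESTABLISHED
  UDP    192.168.0.5:137        *:*
  UDP    192.168.0.5:138        *:*
"""

def is_private(addr):
    """True if addr is loopback or inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in PRIVATE_NETS)

def exposed_listeners(netstat_text, interface_addrs):
    """Return sorted (proto, address, port) tuples for file-sharing
    listeners that are bound to a non-private address."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # established connections are not listeners
        host, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SHARING_PORTS:
            continue
        # 0.0.0.0 means the socket is bound on every interface address.
        bound = interface_addrs if host == "0.0.0.0" else [host]
        findings.update((proto, a, int(port)) for a in bound if not is_private(a))
    return sorted(findings)

if __name__ == "__main__":
    # Host behind a router: only a private address, nothing flagged.
    print(exposed_listeners(SAMPLE_NETSTAT, ["192.168.0.5"]))
    # Same host with a second adapter on a public address
    # (198.51.100.23 is a documentation address used as a placeholder).
    print(exposed_listeners(SAMPLE_NETSTAT, ["192.168.0.5", "198.51.100.23"]))
```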
 
Guest

Steve Winograd said:
Yes, a router's firewall provides protection. To verify that, set up
a LAN using TCP/IP for File and Printer Sharing behind a broadband
router, then run a port scan, such as Shields Up!! at http://grc.com


So if I have a router with NAT, and several computers with privately
assigned IP addresses on a LAN with shared files (and with ports 137-139 and
445 opened), the router won't pass any requests from the Internet for these
ports to the private IP addresses?


Is this automatic or does the router have to be configured to block specific
ports? I have a Netgear "Wireless Firewall Router" but there is no option for
blocking individual ports.



Again, thanks for the feedback.
 
Steve Winograd [MVP]

MEK said:
So if I have a router with NAT, and several computers with privately
assigned IP addresses on a LAN with shared files (and with ports 137-139 and
445 opened), the router won't pass any requests from the Internet for these
ports to the private IP addresses?

That's right. The router will drop all such requests, because they're
unsolicited. That's how NAT works. See the explanation here:

http://www.networkclue.com/routing/Firewalls/nat.aspx

MEK said:
Is this automatic or does the router have to be configured to block specific
ports? I have a Netgear "Wireless Firewall Router" but there is no option for
blocking individual ports.

It's automatic.

MEK said:
Again, thanks for the feedback.

You're welcome.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
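
An added example, not part of the original thread: a small model of the NAT behaviour described in the reply above, showing why unsolicited requests to ports 137-139 and 445 never reach a LAN host. The `NatRouter` class and all addresses are hypothetical; the model assumes a router that matches replies against the remote address and port, with no port forwarding, DMZ host or UPnP mapping configured.

```python
class NatRouter:
    """Toy NAT: inbound packets pass only if they match a mapping that a
    LAN host created by sending traffic out first (assumed behaviour)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out: record a mapping and return the
        translated (public_ip, public_port) source the Internet sees."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(proto, public_port)] = (lan_ip, lan_port,
                                            remote_ip, remote_port)
        return (self.public_ip, public_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet arrives on the WAN side: return the (lan_ip, lan_port)
        to forward to, or None if the packet is dropped."""
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None  # unsolicited: no LAN host asked for this
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # not the peer the LAN host contacted
        return (lan_ip, lan_port)

def demo():
    router = NatRouter("198.51.100.23")  # placeholder public address
    # Unsolicited requests from the Internet to the file-sharing ports.
    probes = {(p, n): router.inbound(p, "203.0.113.9", 51000, n)
              for p, n in [("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)]}
    # A LAN host browses a web server, then the server replies.
    src = router.outbound("TCP", "192.168.0.5", 1043, "203.0.113.80", 80)
    reply = router.inbound("TCP", "203.0.113.80", 80, src[1])
    # A third party tries to reuse the mapped port.
    stranger = router.inbound("TCP", "203.0.113.9", 80, src[1])
    return probes, reply, stranger

if __name__ == "__main__":
    print(demo())
```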
 
