pop up

Guest

Hmm--interesting

I guess I would have to admit to being guilty of cleaning the crumbs off
of my toaster more often than I do off of my pc and keyboard

hmmmm.
 
cquirke (MVP Win9x)

On Fri, 16 Apr 2004 20:32:47 -0600, "Jupiter Jones [MVP]"
> But if you research my posts starting about the time of Blaster and
> going back several months, you will see several, it may take some time
> since I do not recall the specific posters or even the specific
> newsgroups involved.
> Strangely most of these posts suddenly stopped about the time Blaster
> hit. Whether you remember or not is not relevant...they were there.
> One poster insisted a firewall was unnecessary largely because of the
> complexity and potential problems.

There's a risk/benefit with firewalls, and if your OS insists on
waving its (broken) ass in the air, the benefits of a firewall become
that much more compelling ;-)

More to the point: XP creates a situation where it can be that much more
difficult to use a firewall, even though today you'd really want to.

For example, let's say you have:
- a peer-to-peer LAN that uses File & Print Sharing (F&PS)
- a broadband connection shared via ICS or router on the hub

Before XP, you'd use anything other than TCP/IP for the internal LAN's
F&PS, keep F&PS off TCP/IP, and run free firewall software on all PCs.

But XP forces the use of TCP/IP on the LAN, so now you have to bind
F&PS to TCP/IP on the same LAN card that accesses both LAN and 'net.

Now you can't easily use a firewall on all the PCs, because it will
prang your LAN's F&PS. The MS article on securing your PC mentions
how to open ports through the built-in firewall and lists examples,
but the examples are various games and fluff; F&PS is NOT listed!

Even if you manage to get the firewall running with ports open for
F&PS, you now have ports open for F&PS, and thus slightly less
firewall protection than you may have wished for :p


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
Bruce Chambers

Greetings --


Snipped.....
> For example, let's say you have:
> - a peer-to-peer LAN that uses File & Print Sharing (F&PS)
> - a broadband connection shared via ICS or router on the hub
>
> Before XP, you'd use anything other than TCP/IP for the internal LAN's
> F&PS, keep F&PS off TCP/IP, and run free firewall software on all PCs.

Which is exactly what I do, even with WinXP on every (OK, both)
computer in the house. I recommend the same configuration to anyone I
assist.

> But XP forces the use of TCP/IP on the LAN, so now you have to bind
> F&PS to TCP/IP on the same LAN card that accesses both LAN and 'net.

I think the phrase "... XP FORCES (emphasis mine) the use of
TCP/IP on the LAN..." is a bit of an over-simplification. Granted,
only TCP/IP is installed by default, but it's remarkably simple to add
IPX/SPX, as I did immediately upon creating a home LAN, or even
NetBEUI. I think that anyone who's done requisite homework before
creating a home network could easily have discovered how to do this,
as well.

> Now you can't easily use a firewall on all the PCs, because it will
> prang your LAN's F&PS. The MS article on securing your PC mentions
> how to open ports through the built-in firewall and lists examples,
> but the examples are various games and fluff; F&PS is NOT listed!
>
> Even if you manage to get the firewall running with ports open for
> F&PS, you now have ports open for F&PS, and thus slightly less
> firewall protection than you may have wished for :p

You are correct about WinXP's ICF making File and Print Sharing
more difficult for those who use only TCP/IP. As you know, this issue
is fixed with Service Pack 2's Windows Firewall. The newer firewall
isn't perfect, but it is an improvement.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
cquirke (MVP Win9x)

> Which is exactly what I do, even with WinXP on every (OK, both)
> computer in the house. I recommend the same configuration to anyone I
> assist.
>
> I think the phrase "... XP FORCES (emphasis mine) the use of
> TCP/IP on the LAN..." is a bit of an over-simplification. Granted,
> only TCP/IP is installed by default, but it's remarkably simple to add
> IPX/SPX, as I did immediately upon creating a home LAN, or even
> NetBEUI. I think that anyone who's done requisite homework before
> creating a home network could easily have discovered how to do this,
> as well.

Believe me, I tried this and could not get it to work at all. Neither
IPX, nor the tucked-away "unsupported" NetBEUI, would F&PS on pure
peer-to-peer LANs with Win9x PCs successfully using these protocols.

(I didn't try using Client for Novell, as prior experience with that
in Win9x was enough to make me avoid that thereafter)

That's why I made the assertion I did, not simply because XP waves
TCP/IP in my face <g>. I've made this assertion in posts often,
hoping someone would reply "oh fer folk's sake, do X Y and Z and then
it will work", but the closest I had was a suggestion to retro-fit the
NetBEUI support files from Win2000 instead of using the ones from XP.

I haven't tried that, figuring that if XP is different enough for XP's
own NetBEUI to work differently to Win2000's - and XP's NetBEUI is
unsupported - then using Win2000 code instead would be even more
likely to blow up a few patches and SPs down the line.

So, seriously: If you know a way to do pure serverless F&PS on mixed
Win9x/XP LANs, or even pure XP LANs, using anything other than TCP/IP,
I'd be very interested to hear how. I confess I haven't re-tried this
lately, having given up possibly before SP1, so if something's changed
to fix it, I'd like to know about that too.

> You are correct about WinXP's ICF making File and Print Sharing
> more difficult for those who use only TCP/IP. As you know, this issue
> is fixed with Service Pack 2's Windows Firewall.

SP2's not in the hand, so what I'd really like to know for now is what
ports to open to get F&PS working on current XP installations. I
understand I have to Add a new entry to the canned list of things in
the relevant dialog box, and I can find that article easily enough
from the "Secure your PC" page, but the port addresses I need.

I don't have a LAN here, and won't be testing betaware on clients'
production LANs, so I can't play with SP2 and LANs. I'll also likely
hold off on SP2 for a week or few to see if anything blows up, before
fitting it on the PCs that I see for other reasons, so for a while
past the SP2 release date, I'd have need of pre-SP2 workarounds!

Is SP2 smart enough to know the difference between local and global IP
ranges, and handle these differently?

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
Bruce Chambers

Greetings --

Well, I don't have a Win98 machine on my LAN to test with, so I
can't help there. (But my new copy of Virtual PC just arrived, so I
may give it a try in a few days.) For my LAN, consisting of WinXP Pro
and WinXP Home, I right-clicked My Network Places > Properties >
Highlighted the pertinent LAN connection > Clicked the Advanced menu >
Advanced settings > Adapters and Bindings, and de-selected TCP/IP from
the F&PS Service. (Naturally, I had already installed IPX/SPX.) I
didn't have to take any other special steps.

Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Bruce

> Believe me, I tried this and could not get it to work at all. Neither
> IPX, nor the tucked-away "unsupported" NetBEUI, would F&PS on pure
> peer-to-peer LANs with Win9x PCs successfully using these protocols.
>
> (I didn't try using Client for Novell, as prior experience with that
> in Win9x was enough to make me avoid that thereafter)
>
> That's why I made the assertion I did, not simply because XP waves
> TCP/IP in my face <g>. I've made this assertion in posts often,
> hoping someone would reply "oh fer folk's sake, do X Y and Z and then
> it will work", but the closest I had was a suggestion to retro-fit the
> NetBEUI support files from Win2000 instead of using the ones from XP.
>
> I haven't tried that, figuring that if XP is different enough for XP's
> own NetBEUI to work differently to Win2000's - and XP's NetBEUI is
> unsupported - then using Win2000 code instead would be even more
> likely to blow up a few patches and SPs down the line.
>
> So, seriously: If you know a way to do pure serverless F&PS on mixed
> Win9x/XP LANs, or even pure XP LANs, using anything other than TCP/IP,
> I'd be very interested to hear how. I confess I haven't re-tried this
> lately, having given up possibly before SP1, so if something's changed
> to fix it, I'd like to know about that too.
>
> SP2's not in the hand, so what I'd really like to know for now is what
> ports to open to get F&PS working on current XP installations. I
> understand I have to Add a new entry to the canned list of things in
> the relevant dialog box, and I can find that article easily enough
> from the "Secure your PC" page, but the port addresses I need.
>
> I don't have a LAN here, and won't be testing betaware on clients'
> production LANs, so I can't play with SP2 and LANs. I'll also likely
> hold off on SP2 for a week or few to see if anything blows up, before
> fitting it on the PCs that I see for other reasons, so for a while
> past the SP2 release date, I'd have need of pre-SP2 workarounds!
>
> Is SP2 smart enough to know the difference between local and global IP
> ranges, and handle these differently?
>
> "Why do I keep open buckets of petrol next to all the
> ashtrays in the lounge, when I don't even have a car?"

Hi,

My 2 cents worth...

I use NetBEUI for FS between 4 machines behind a router (I don't care
about PS, as all machines have their own printer), connected to a cable
modem. Three are Win98s and the other is an XP box. For security
purposes, I don't bind FS to TCP/IP. I do find that sometimes one of the
Win98 machines doesn't show up on the XP machine's Network Neighborhood
unless I refresh.

I'd like to use IPX/SPX to play the old version of Battle Ship
with my son, but I've never gotten it to work across my LAN.

I guess all of our experiences are different.

Sincerely,

Bruce
 
Kevin Davis³

> Kevin;
> I do not recall the specific posts.
> But if you research my posts starting about the time of Blaster and
> going back several months, you will see several, it may take some time
> since I do not recall the specific posters or even the specific
> newsgroups involved.
> Strangely most of these posts suddenly stopped about the time Blaster
> hit.
> If you start looking, you will soon see why I can not recall the
> specific post.
> When I said "these newsgroups", I was referring to all of Microsoft
> newsgroups, not just this one.
>
> Whether you remember or not is not relevant...they were there.
> One poster insisted a firewall was unnecessary largely because of the
> complexity and potential problems.

I wanted to make sure you weren't referring to me. Many times over I
have been falsely accused of this and lied about.
 
Kevin Davis³

> Rich;
> A few years ago it was usually OK not to have a firewall on a home
> computer.
> However as you know times have changed and continue to change.
> You did what I would have done at that time with that knowledge.
>
> Users need to learn how to properly maintain their computers.
> However the computer sellers should do more to help educate new users
> if not at least point them to a good starting point on the web.
> Microsoft also should share in the education process and in fact they
> have been going a long way as can be demonstrated by their program to
> Protect Your PC:
> http://www.microsoft.com/security/protect/default.asp
>
> The days have passed where a new computer user needs to know nothing
> about maintaining the computer.
> In this respect a computer is more like an automobile than a toaster,
> yet users treat computers like a toaster.

One part of a user's education is about having a firewall running and
properly configured. Another part - and just as essential - is for
that user to realize that firewalls are not a panacea for security.
They should not place all their confidence in them. Several of the
most popular firewalls have been found to have vulnerabilities in them
that could be exploited. Users should be educated in the concept of
defense in depth. That way if a hacker does get by the firewall, it
makes it harder and not a cakewalk. Having a SOHO router running NAT,
anti-virus, all patches installed, and all unnecessary services
disabled are all part of this.
 
Kevin Davis³

> For example, let's say you have:
> - a peer-to-peer LAN that uses File & Print Sharing (F&PS)
> - a broadband connection shared via ICS or router on the hub
>
> Before XP, you'd use anything other than TCP/IP for the internal LAN's
> F&PS, keep F&PS off TCP/IP, and run free firewall software on all PCs.

You can still do this with XP.

> But XP forces the use of TCP/IP on the LAN, so now you have to bind
> F&PS to TCP/IP on the same LAN card that accesses both LAN and 'net.

No, you don't. You can install an alternate protocol (like NetBeui)
to handle file sharing. Keep NetBeui bound to File sharing and
unbind from TCP\IP and disable NetBIOS over TCP\IP. File sharing
within the LAN still works with that configuration. You can even use
IPX instead of NetBeui if you like.

> Now you can't easily use a firewall on all the PCs, because it will
> prang your LAN's F&PS. The MS article on securing your PC mentions
> how to open ports through the built-in firewall and lists examples,
> but the examples are various games and fluff; F&PS is NOT listed!
>
> Even if you manage to get the firewall running with ports open for
> F&PS, you now have ports open for F&PS, and thus slightly less
> firewall protection than you may have wished for :p

A good part of the file sharing risk is mitigated if you unbind the
file sharing protocol from TCP\IP or disable NetBIOS over TCP\IP.
Still not rock solid but much better. You don't have to have file
sharing bound to TCP\IP to use it.

Also many personal firewalls have features built in that will allow
File Sharing only on the LAN and block anything else trying to use it.
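
Added illustration, not part of any post in this thread: a Python sketch of the LAN-only scoping discussed above, where F&PS ports are accepted only from the local subnet and firewall exceptions that open them to any source are flagged. The port list is the standard NetBIOS/SMB set; the function names, subnet, rule tuples and addresses are constructed for the example.

```python
import ipaddress

# Standard ports for Windows File & Print Sharing when bound to TCP/IP.
FPS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def decide(proto, dport, src, lan_cidr):
    """Inbound decision under a 'file sharing only from the LAN' rule."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if (proto, dport) not in FPS_PORTS:
        return "block"  # default-deny for other unsolicited inbound traffic
    # Membership is False when the address families differ (IPv4 vs IPv6).
    return "allow" if ipaddress.ip_address(src) in lan else "block"


def exposed_rules(rules, lan_cidr):
    """Return rules that open an F&PS port to sources outside the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    flagged = []
    for proto, port, scope in rules:
        net = ipaddress.ip_network(scope, strict=False)
        inside = net.version == lan.version and net.subnet_of(lan)
        if (proto, port) in FPS_PORTS and not inside:
            flagged.append((proto, port, scope))
    return flagged


# Constructed sample data: a home LAN and three firewall exceptions.
LAN = "192.168.0.0/24"
RULES = [
    ("tcp", 445, "0.0.0.0/0"),       # F&PS open to any source
    ("tcp", 139, "192.168.0.0/24"),  # F&PS scoped to the LAN
    ("udp", 3074, "0.0.0.0/0"),      # non-F&PS exception (a game port)
]

if __name__ == "__main__":
    print(decide("tcp", 445, "192.168.0.12", LAN))
    print(decide("tcp", 445, "203.0.113.7", LAN))
    print(exposed_rules(RULES, LAN))
```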
 
Jupiter Jones [MVP]

Merlin;
If that is your solution to stop Messenger Service ads, VERY BAD and
DANGEROUS advice.
These ads are using Messenger Service.
Messenger Service is a valuable tool many use.
Like many tools, it can be exploited.

No need to pay for the fix.
For Messenger Service ads:
You need to install or enable a firewall:
http://support.microsoft.com/?kbid=330904
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp
Disabling Messenger Service can be a good idea, but it does not solve
the real problem.
The ads are not the real problem, the ads are only a symptom.
The real problem is open ports that allow unwanted traffic into the
computer.
Disabling Messenger does nothing for the open ports.
The firewall controls the traffic.

Internet Connection Firewall will not work if you have AOL.
AOL is not compatible with Windows XP Internet Connection Firewall
(ICF)
If you have AOL, you should contact AOL and/or get a 3rd party
firewall:
http://www.zonelabs.com/store/content/home.jsp
http://www.symantec.com/sabu/nis/npf/

Disable Messenger Service:
Start/Control Panel, click Administrative Tools, double click
Services.
Go down to "Messenger".
Right click "Messenger" and select Properties.
Then under Start-up select DISABLE
Click OK and follow prompts
 
Kevin Davis³

> Believe me, I tried this and could not get it to work at all. Neither
> IPX, nor the tucked-away "unsupported" NetBEUI, would F&PS on pure
> peer-to-peer LANs with Win9x PCs successfully using these protocols.

Works fine for me. In fact my home network is set up with peer to
peer on the internal LAN using NetBEUI unbound from TCP\IP. I have
the following mix of systems all of which can talk to each other:

Win98SE (2 ea)
WinXP Pro
WinXP Home

I also have had Win 2000 and Win NT4 working on the same network.
I've also used IPX instead of NetBEUI for a brief time.

> So, seriously: If you know a way to do pure serverless F&PS on mixed
> Win9x/XP LANs, or even pure XP LANs, using anything other than TCP/IP,
> I'd be very interested to hear how. I confess I haven't re-tried this
> lately, having given up possibly before SP1, so if something's changed
> to fix it, I'd like to know about that too.

It can work. I have done it several times. I don't know that there's
any secret recipe to get it to work, but I do remember that sometimes
it has not been as cooperative as others.
 
