On Sun, 25 Apr 2004 11:02:38 -0600, "Bruce Chambers"
The long and the short of it is that WinXP can't do what the older OSs
can do, and forces you to use potentially stronger alternative
approaches that you may have good reason to avoid.
The main limitations you really need to overcome are based upon
your limited experience with, and knowledge of, Microsoft networking.
I'm afraid you have it backwards. WinXP, properly configured, is
much more secure than Win9x. However, it should be pointed out that
WinXP is a _client_ operating system, and, as such, is not designed to
provide the full functionality of a server OS, to include more
rigorous security permissions.
Like WinNT and Win2K, WinXP's file security paradigm doesn't rely
on, or allow, the cumbersome method of password protection for
individual applications, files, or folders. Instead, it uses the
superior method of explicitly assigning file/folder permissions to
individual users and/or groups.
Oh, XP can be as cumbersome as hell. Ever tried chasing up settings
across multiple user accounts, or had to go deep into NTFS's per-file
permissions to fiddle with those assigned to each file? Hm.
Note that anything other than full admin rights in XP Home will mean
you lose the ability to control a number of settings in that account,
such as "show file name extensions" etc. Swap one risk for another.
HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418
Requires NTFS, which forces another trade-off; no maintenance OS,
can't formally scan for malware, limited data recovery.
HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419
Of course, if you have WinXP Pro, you can also encrypt the desired
files/folders.
Oh, and NetBEUI is pretty much a thing of the past, useful _only_
on small peer-to-peer networks that require no Internet access. Its
sole virtue was that it required virtually no networking knowledge,
beyond installing the NIC and selecting the protocol, to implement.
No, its main advantage was that it was not routable, did not carry a
wad of TCP/IP services, and could be used independently of TCP/IP.
That meant PCs could freely operate File and Print Sharing on a LAN
(via NetBEUI) while running firewall software with default settings to
manage TCP/IP risks. It meant that File and Print Sharing could be
kept off TCP/IP entirely, so even if badly configured, the Internet
would have no F&PS access unless a beach-head was established.
As it is, adding TCP/IP-only XP to an existing Win9x LAN can weaken
the security of that LAN, by forcing those PCs to use TCP/IP and thus
requiring them to open ports in the firewalls (if you know how to do
that and/or your firewall supports it) or running with no firewall.
XP may be more secure in its own world, as long as you do everything
its way, and turn a blind eye to the additional risks it opens up.
But when required to operate in the same way as existing Win9x clients
on a peer-to-peer LAN, it has limitations:
- poor support for anything other than TCP/IP
- can't password-block shares
- dangerous hidden "admin" shares exposing the startup axis
- limit of 5, not 10, incoming connects
It's a case of "be reasonable, do it my way" - and depending on your
requirements and limitations, the result may be far riskier.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.