XP Pro Permissions ~ I'm an Idiot (or so my wife tells me)!!!

Hello All,

My problem is that I allowed a "tech" remote-access to my computer to deal
with a shared-resource issue related to basic Workgroup sharing of drives.

Background: I am a novice user that knows just enough to be dangerous to all
machines.

I had been running Norton Systemworks 2005 (all was fine) and recently
upgraded to nsw2006. The result of the upgrade was that the computer nsw2006
installed on would no longer play nice and share.

The tech went into regedit and simply added "everyone" with full access. It
seems to me that this is a way to make his software work, but leaves me with
a rather large security hole. Unfortunately, I know what he did but not what
the ramifications are, or how to get workgroup sharing without risking drive
access when I travel or am on a public WiFi or WAN.

Any help or advice would be greatly appreciated.

Regards,

Eric
 
gsacorp said:
> Hello All,
>
> My problem is that I allowed a "tech" remote-access to my computer to
> deal with a shared-resource issue related to basic Workgroup sharing
> of drives.
>
> Background: I am a novice user that knows just enough to be dangerous
> to all machines.

Keheh - knowing that is the first step towards enlightenment, grasshopper.

> I had been running Norton Systemworks 2005 (all was fine) and recently
> upgraded to nsw2006. The result of the upgrade was that the computer
> nsw2006 installed on would no longer play nice and share.
>
> The tech went into regedit and simply added "everyone" with full
> access.

Where in the registry did he do this? Do you know?

> It seems to me that this is a way to make his software work,
> but leaves me with a rather large security hole. Unfortunately, I
> know what he did but not what the ramifications are, or how to get
> workgroup sharing without risking drive access when I travel or am on
> a public WiFi or WAN.

Do you have your Norton firewall/security settings enabled, so that you're
only sharing with computers on your home network & not with the world at
large?
 
Man....!
> The tech went into regedit and simply added "everyone" with full access.

Amazing. Not the "everyone" (get back to that in a second), but the fact
that he used regedit remotely to fix an issue that has all the gui support
you need without regedit.

Anyway, about "everyone", whether this is a security hole or not depends on
exactly where it was placed. It is customary to give "everyone" share
permissions but to be more restrictive with file permissions. Two different
things.

Can you tell us exactly what he did and where? If not, it's almost
impossible to comment on your post.

-Frank
 
gsacorp said:
> Hello All,
>
> My problem is that I allowed a "tech" remote-access to my computer to
> deal with a shared-resource issue related to basic Workgroup sharing
> of drives.
>
> Background: I am a novice user that knows just enough to be dangerous
> to all machines.
>
> I had been running Norton Systemworks 2005 (all was fine) and recently
> upgraded to nsw2006. The result of the upgrade was that the computer
> nsw2006 installed on would no longer play nice and share.
>
> The tech went into regedit and simply added "everyone" with full
> access. It seems to me that this is a way to make his software work,
> but leaves me with a rather large security hole. Unfortunately, I know
> what he did but not what the ramifications are, or how to get workgroup
> sharing without risking drive access when I travel or am on a public
> WiFi or WAN.

You should reverse what the tech did because that was stupid of him/her.
You need to 1) make sure that the Windows Firewall isn't running
because the Norton software is doing your firewalling; 2) configure the
Norton firewall to allow the lan as trusted. I usually do this with my
firewalls with an IP range. Ex. would be 192.168.1.0-192.168.1.254.
Obviously you would substitute your correct subnet.

In addition, since you have XP Pro:

a. If you need Pro's ability to set fine-grained permissions, turn off
Simple File Sharing (Folder Options>View tab) and create identical user
accounts/passwords on all computers.

b. If you don't care about using Pro's advanced features, leave the
Simple File Sharing enabled.

Simple File Sharing means that Guest (network) is enabled. This means
that anyone without a user account on the target system can use its
resources. This is a security hole but only you can decide if it
matters in your situation.

Then create shares as desired. XP Home does not permit sharing of users'
home directories (My Documents) or Program Files, but you can share
folders inside those directories. A better choice is to simply use the
Shared Documents folder.

If that doesn't work for you, here is an excellent network
troubleshooter by MVP Hans-Georg Michna. Take the time to go through it
and it will usually pinpoint the problem area(s) -
http://winhlp.com/wxnet.htm

Malke
 
The general replies thus-far seem to be asking:

a) where did the tech make changes in the registry?
   1) he added "everyone" in the following hkey areas:
      i) classes-root ~ with full control allow
      ii) current-user ~ with full control allow
      iii) local-machine ~ with read allow
      iv) user ~ with read control allow
      v) current-config ~ with full control allow

b) windows vs norton firewall settings?
   1) windows firewall is off
   2) norton internet worm protect is on
      i) with the following general configuration default set to "PERMIT"
         1) non-routable ip's
         2) inbound icmp
         3) inbound dns
         4) inbound netbios
         5) win file sharing
         6) inbound bootp
      ii) with the following general configuration default set to "BLOCK"
         1) ms-win 2000 smb
         2) port 5000 block rule
         3) port 1900 block rule

The Grasshopper understands all of your comments, but does not know how to
implement the suggestions.

My home network is set to auto-ip and auto-dns. What I really want is that
when this laptop is on my home workgroup that every other computer in the
house can read and write to this machine's drives. BUT, when I travel that
hotel/airport/coffee shop LANs, WANs and WiFis do not have access to my
files.

Again thanks to all for prompt and sage information in continuing to assist
me in resolving this issue.

Regards,

Eric
 
Frankster, thank you, I received 3 salient responses. Therefore, I made one
reply (to me in the post) for all 3 respondents instead of one to each of
you.

Eric

-----------------------
 
Malke, thank you, I received 3 salient responses. Therefore, I made one
reply (to me in the post) for all 3 respondents instead of one to each of
you.

Eric

-----------------------
 
Lanwench, thank you, I received 3 salient responses. Therefore, I made one
reply (to me in the post) for all 3 respondents instead of one to each of
you.

Eric
 
gsacorp said:
> The general replies thus-far seem to be asking:
>
> a) where did the tech make changes in the registry?
>    1) he added "everyone" in the following hkey areas:
>       i) classes-root ~ with full control allow
>       ii) current-user ~ with full control allow
>       iii) local-machine ~ with read allow
>       iv) user ~ with read control allow
>       v) current-config ~ with full control allow

Ick. He shouldn't have done that. How long ago did this happen? I'd be
inclined to do a system restore to a point *before* this guy got his sweaty
little paws on your computer.

> b) windows vs norton firewall settings?
>    1) windows firewall is off
>    2) norton internet worm protect is on

I don't know what the name of the basic firewall is in Norton, but is this
the same thing? Doesn't sound like it. I'd crank up the security.

>       i) with the following general configuration default set to "PERMIT"
>          1) non-routable ip's
>          2) inbound icmp
>          3) inbound dns
>          4) inbound netbios
>          5) win file sharing
>          6) inbound bootp

I don't use Norton, but surely you can configure it to allow these things
(inbound) from computers on your LAN - and not allow them from anywhere
else.....perhaps there's a 'home' and 'away' profile sort of thing?

>       ii) with the following general configuration default set to "BLOCK"
>          1) ms-win 2000 smb
>          2) port 5000 block rule
>          3) port 1900 block rule
>
> The Grasshopper understands all of your comments, but does not know
> how to implement the suggestions.
>
> My home network is set to auto-ip and auto-dns. What I really want
> is that when this laptop is on my home workgroup that every other
> computer in the house can read and write to this machine's drives.
> BUT, when I travel that hotel/airport/coffee shop LANs, WANs and
> WiFis do not have access to my files.
>
> Again thanks to all for prompt and sage information in continuing to
> assist me in resolving this issue.

I do think system restore will be your best bet, to be honest....and then
I'd figure out what the application you had problems with, actually needs -
and correct it granularly.

BTW, I love that you properly used the word 'salient' in a sentence. Your
vocabulary stands out.
 
> Hello All,
>
> My problem is that I allowed a "tech" remote-access to my computer to
> deal with a shared-resource issue related to basic Workgroup sharing
> of drives.
>
> Background: I am a novice user that knows just enough to be dangerous
> to all machines.
>
> I had been running Norton Systemworks 2005 (all was fine) and recently
> upgraded to nsw2006. The result of the upgrade was that the computer
> nsw2006 installed on would no longer play nice and share.
>
> The tech went into regedit and simply added "everyone" with full
> access. It seems to me that this is a way to make his software work,
> but leaves me with a rather large security hole. Unfortunately, I
> know what he did but not what the ramifications are, or how to get
> workgroup sharing without risking drive access when I travel or am on
> a public WiFi or WAN.
>
> Any help or advice would be greatly appreciated.
>
> Regards,
>
> Eric

Some more details would be needed to tell if this is actually much of a
security risk. Particularly what the access was added to. Were the
access rights changed on registry keys themselves, filesystem objects
(files/folders), or to network shares? Depending on the details, the
change may only affect access by users logged in locally, or may also
affect remote users.

Note that "everyone" does not necessarily mean "everyone in the world".
For many purposes, it means something more like "everyone who is in some
local group on this computer".

I have seen many problems caused by users seeing some sort of permissions
for "everyone", and removing them since they think that this is a
security risk. Unfortunately, this sometimes removes access that is
required, and they do not replace it with something else (such as a more
specific access right). For example, if you were to remove permissions
for "everyone", you may have to replace it with more specific permissions
for "administrators", "users", etc. otherwise "no one" has access.

One must know what they are doing if they are to play about with
permissions. If the "tech" did, things may be okay - if not, they may
have created big problems.
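
The posts above turn on where "everyone" was granted access and with what rights. As an added example (not written by any poster in this thread), this read-only PowerShell audit lists the access entries held by Everyone on the five registry root keys Eric names and flags the ones that include write-type rights. It assumes Windows PowerShell is installed on the machine; the variable names are illustrative.

```powershell
# Added example: read-only audit of ACEs for Everyone on the five registry
# root keys listed in the thread. It changes nothing.
$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone (display name varies by language)

$roots = 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE',
         'HKEY_USERS', 'HKEY_CURRENT_CONFIG'

# Rights that allow changing a key rather than only reading it.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

$findings = foreach ($root in $roots) {
    $acl = Get-Acl -Path "Registry::$root"
    # Ask for SIDs instead of account names so the comparison is exact.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        $canWrite = ([int]$rule.RegistryRights -band [int]$writeRights) -ne 0
        New-Object PSObject -Property @{
            Key      = $root
            Type     = $rule.AccessControlType      # Allow or Deny
            Rights   = $rule.RegistryRights
            Writable = ($canWrite -and $rule.AccessControlType -eq 'Allow')
        }
    }
}

$findings | Select-Object Key, Type, Rights, Writable | Format-Table -AutoSize
```

The script reports the root keys only; whether subkeys carry the same entries depends on inheritance and is not checked here.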
 
(e-mail address removed) typed:

> Some more details would be needed to tell if this is actually much of
> a security risk. Particularly what the access was added to.

<snip>

Pardon my intrusion....

.....if you look at the replies to the original post, you should see that
this was asked/answered - maybe the web interface to the groups, which
you're using, isn't able to show you this. I suggest you use a newsreader
client, such as Forte Agent, Thunderbird, or even Outlook Express, rather
than the pretty clunky web interface to the newsgroups. The Microsoft public
news server is msnews.microsoft.com and you can subscribe to as many groups
as you like; no authentication is required.
 