The essence of computer networking is that computers share data or resources. "File and Printer Sharing" is Microsoft's descriptive name for this function in its networked Windows and NT systems.
Though this information does apply broadly, this page is written with the home PC user in mind. It's an attempt to explain Windows file sharing in the context of computer networking, not merely in terms of the superficial open-this-click-here mechanics of the Windows interface.
Most people who've used the Internet for very long have encountered networking terms like TCP/IP (Transmission Control Protocol/Internet Protocol), FTP (File Transfer Protocol), and so forth; and they often have at least a rudimentary idea what such terms mean. But I find few Windows users who are familiar with the networking which is built into their own machines.
The "native" network software of Win9x/NT machines, while similar in many respects to Internet (IP) networking, is NOT the same thing. It consists primarily of NetBIOS -- Network Basic Input Output System.
NetBIOS is software that allows applications on different computers to communicate within a local network. It was originally created by IBM for use in early PCs, was adopted by Microsoft, and has become a widely-supported standard.
NetBIOS is quick and efficient on a small network. Computers on the LAN (Local Area Network) typically connect in a sort of daisy-chain along a single cable. Data is simply sent out via the network interface (an add-on card in the computer) and in effect is broadcast to all machines on the LAN. No routing outside the LAN is involved or supported.
Because NetBIOS does not contain a mechanism for routing data outside its LAN, applications communicating on a segmented network (often called an enterprise network) or WAN (Wide Area Network -- the Internet is a WAN) must use a "transport protocol" such as IPX or TCP/IP.
The IPX (Internetwork Packet eXchange) protocol, enabled by default on Win/NT machines, is comparable in function to IP. IPX establishes the format of network data packets and like TCP/IP, can serve to implement NetBIOS over a larger network.
NetBIOS is typically paired with a protocol called NETBEUI (Netbios Extended User Interface), an extension of NetBIOS which also serves to implement NetBIOS over a WAN.
Like the TCP/IP networking of the Internet, NetBIOS works primarily on a server/client model. Any system which shares its resources (as in File And Printer Sharing) is a server. Any system which accesses them is a client.
NetBIOS uses human-readable names rather like domain names, and a method vaguely similar to that of the Internet for distributing name and address information, which is vital to the task of inter-computer communications.
Unlike the Internet, any computer on a NetBIOS network can gather name, address and resource information and/or distribute such info to others. Because of this, simple peer-to-peer networking is very easy to implement between any two NetBIOS-equipped machines. All systems on the NetBIOS network are both client and server.
NetBIOS has its limits. Because all communications are sent to all machines on the LAN over a single continuous link, congestion quickly becomes a problem as the number of systems on the LAN increases.
NetBIOS adapts to and works with IP networking just as it does with IPX. NetBIOS names can be mapped to (made synonymous with) IP addresses on any network that's using both protocols. And, NetBIOS can be "ported" to an IP network, whereby the NetBIOS communications take the form of TCP packets for transmission to another NetBIOS machine.
This last is the means by which Windows resources can be readily shared with other machines across the Internet.
Increasing numbers of people have caught on to the ease with which Windows computers can be networked. In homes with more than one Microsoft machine, I see and hear more and more often of people availing themselves of the benefits of networking.
And those benefits are numerous! Given one machine with a huge hard drive, other machines can utilize that storage capacity. Games can be played interactively. A printer can be shared to spare expense. And so on. For many home users, networking is a quantum leap ahead in computing.
Windows 95/98 users can unwittingly compromise their own security by way of File and Printer Sharing. The problem is simply this: when File and Printer Sharing is first enabled, it is enabled on all network devices, including even Dial-Up Networking.
This means that when a home user sets up his own LAN using Microsoft's simple, handy, built-in networking and turns on file sharing, his shared resources immediately become available over the existing dial-up or other link to the Internet.
In most cases, users are warned by Windows and can avoid trouble. Shared resources are also easily protected with passwords. But on a tiny home network or in a small business, passwords may often be omitted on the assumption all users are trusted, and in some cases, the user may be unaware of the risk.
A significant number of people have wound up with unprotected shares, accessible to mischief-makers and the curious, enemies and friends alike; in short, any user on the global Net. On the part of a potential intruder, it requires only the necessary Windows configuration and a little know-how to access others' open shares.
File sharing is, after all, a feature -- not a bug! The problem is merely that it is implemented on all network devices by default when it is enabled; and that the inexperienced user may not know it.
In the earliest version of Win95 (mid-to-late 1995), the average LAN user who connected to the Net via dialup was actually unlikely to be informed of the risk, was never warned when sharing was enabled on the dial-up, and might very often wind up inadvertently sharing unprotected resources. The same was true of NT at about the same time.
Fortunately, stand-alone Win9x systems do not arrive in the user's hands with File and Printer Sharing enabled. Most ordinary home Internet users have no need to share resources, and unless they have tinkered with network settings or set up a home LAN, they have nothing whatever to worry about. Only a very small percentage of home users have ever had this problem.
Also fortunately, Windows nowadays doesn't leave the user totally in the dark, so percentage-wise, fewer people than ever are suffering from this misconfiguration on their dialup link. Starting with a Dial-Up Networking upgrade first available with Service Pack 1 in late 1995, Windows 95 and 98 have incorporated a prominent warning dialog which appears whenever a user first connects with sharing newly enabled on Dial-Up Networking. The warning reads:
File and printer sharing is running on the TCP/IP connection you will use to access the Internet. Other users on the Internet might be able to access your files.
Would you like Windows to disable file and printer sharing on the TCP/IP connection to the Internet?
The user is given the option to answer yes or no, and a checkbox to disable future appearance of the warning.
A similar warning was implemented for NT. In more recent NT versions (4.x), it is now virtually impossible to set up open file shares, and it cannot be done by accident.
Unfortunately, Win9x users who for whatever reason don't understand its implications will sometimes answer "no" to the warning above. If they negate this alert, and if their NetBIOS shares lack passwords, they're then wide open to intrusion. Whatever is shared, be it entire drives or specific folders, will be open to access by virtually anyone as if it were his own hard drive, limited only by the relatively slow speed of the dialup connection.
For cable modem users and for some DSL (Digital Subscriber Line) users, the situation is a bit more perilous; both because the abovementioned warning dialog will not appear when sharing is enabled (a cable or DSL link works like any ordinary network interface to a LAN and so doesn't use Dial-Up Networking), and because the fast link may allow huge quantities of data to be quickly accessed by an intruder. Cable service customers are therefore a favorite target of potential intruders. Mere installation of the networking software will not enable unwanted sharing. But because the speedy link readily accommodates any number of home systems' Internet needs, a cable user whose household contains more than one computer is all the more likely to network his systems. The home user will then usually enable sharing; sometimes without realizing NetBIOS sharing applies to the Internet link as well as the home LAN.
However, cable and DSL providers are well aware of this potential problem. Many include specific instructions on their websites and in installation manuals advising their users how to avoid inadvertent sharing; also many high-speed access providers prohibit resource sharing and/or connecting networked systems to the service.
In addition, a proxy application such as WinGate or NAT32 is necessary in order to share a single point of Net access with other systems on a LAN. The makers of such software routinely include warnings and instructions to help their customers avoid insecure shares.
In any case, unwanted file sharing on a Win9x system is readily disabled on any network device using the Network Properties dialog in the Control Panel. One merely finds the TCP/IP protocol associated with the device in question, opens its properties, selects its Bindings tab, and disables binding to File and Printer Sharing with a single click of the mouse. The change takes effect on the next reboot.
To completely disable all sharing, open the Network dialog in Control Panel, click on the button labeled File and Print Sharing... and de-select the checkboxes that appear. Hit "OK" twice. The change takes effect on the next reboot.
If the user actually wants to share resources over the Net, each shared resource can be readily password-protected. See below for more on passwords.
Denying access isn't the only means of protecting oneself. Sharing a folder allows access only to that folder and its subfolders. If sharing is limited to folders containing data that isn't sensitive, an open share may be no security risk no matter who accesses it. If its only purpose is to provide outgoing information or files and not to receive files, a shared folder can simply be made read-only. Others may then read the data, but they cannot erase files or place new ones in the shared folder.
A few more useful points about sharing and security:
When a printer is shared on a Win9x machine, Windows creates a hidden system share called PRINTER$ which grants no-password-required read-only access to the WINDOWS\SYSTEM folder and all its subfolders.
While access to this share is read-only, so an intruder can't engage in any direct mischief, a great deal can often be determined about a system and/or its users by reading the information in this folder.
Access to this folder could exacerbate other security problems, by helping to identify your system software to a potential invader. As one simple but extreme example, if a Back Orifice server (including BO2K) were running on your system, and this share also existed, anyone could readily obtain a copy of the trojan, read its plaintext configuration, and gain access to the trojan using its own port and password.
Probably the existence of this share is a primary reason why many trojans are installed in this particular folder.
It is conceivable that mainstream remote-access software, Web or FTP servers or the like may also be crackable by this approach. It all depends on what the application may place in the System folder.
I know of no way to prevent Windows from creating this hidden share when a printer is shared, and I know no way to password-protect its access. Also unfortunately, as far as I know printer sharing in particular cannot be turned off on a per-device basis; it can only be disabled globally. If your Win9x system is on a LAN and you share a printer, and if you also share resources on the public Net, this hidden share will be accessible on the Internet link by default.
Unless you have carefully assessed and accepted the potential consequences of granting read-only access to your System folder to the whole world, I VERY strongly advise against sharing printers on the Net with your Win9x system.
When I discovered the existence of this hidden share on one of my own machines, I immediately searched using Altavista, for online information on the subject. I was amazed to discover how little coverage this has received. I found this page, which mentions the existence of the hidden share only in passing and with no reference to its security implications. I found only this FAQ reproduced in a number of locations [1,2,3,4,5,6,7] and a discussion on NTBugTraq [1,3,4] which comment on this phenomenon from a security standpoint.
The NTBugTraq discussion about the PRINTER$ share includes a statement from a Microsoft representative which downplays its significance, yet he clearly recognizes its real implications when he adds: "We have always been quite clear that Win95 and Win98 are not the systems to use if you are in a hostile security environment. We recommend Windows NT for those environments." Microsoft, get honest. The Internet is a hostile security environment.
The existence of this share does not appear to be a very broadly-known fact. Tell your friends.
While we're on the subject, I want to offer my deepest sympathies to whomever at Microsoft perpetrated this incomprehensible blunder. The person(s) responsible must be suffering from a tragic and debilitating mental illness. Sharing the System folder has its uses in relation to networking a printer, because printer drivers the remote system may need are kept in that folder. Those drivers could easily have been put somewhere safer for such access. And to hide the share? To leave the user completely unaware of it? To make it impossible to switch off? That's inexcusable.
To turn off printer sharing of any particular printer, open your Printers folder, select any shared printers (they'll have an obvious hand symbol overlaid on the icon), right-click the icon, select Sharing... (the option will exist only if printer sharing is enabled), and select Not Shared. If you do this for all shared printers, then reboot, the hidden System folder share should disappear.
For good measure, I suggest killing printer sharing altogether. Open the Network Properties dialog in the Control Panel, select the button labeled File and Print Sharing... and de-select the checkbox labeled I want to be able to allow others to print to my printer(s). Now reboot, and the PRINTER$ share will definitely be gone.
If you must share a printer on your network, and you also have an Internet link on the machine to which that printer is connected, there is just one method I know to avoid this exposure. Locate the file VNBT.386 in your Windows\System folder. Rename the file to VNBT_386.BAK (or some suitable name so it can be restored if you need it later). Once you reboot, this will disable all NetBIOS function over TCP/IP. (Note: some Windows updates such as Winsock2 or a Win98 upgrade will re-install VNBT.386.)
VNBT.386 is the Windows "virtual device" which enables NetBIOS to run over TCP. Because most home Win9x networks use the simple and easily set up IPX/SPX protocol with Windows (NetBIOS) networking, the loss of VNBT.386 has no effect on the LAN, but only affects the Internet link.
However, if your LAN is running on the TCP/IP protocol, and you also require file sharing, removal of NetBIOS over TCP isn't an option. As far as I can determine you'd have to turn off all sharing of printers on the Internet-connected machine in order to avoid sharing your System folder with the Internet at large.
Anyone using the Internet whose system is not otherwise networked and who has no desire to share resources can and should simply make sure File and Printer Sharing is disabled altogether. It serves no purpose in such a case and will only be enabled by error or for purposes of unwanted intrusion. Just turn it off.
Unless it's necessary, don't share whole drives, especially your C: drive, where virtually all critical operating system programming normally resides. Instead, share only specific folders.
Limit sharing to read-only access wherever practical. This way files can't be added, deleted or changed from remote.
Password protection of Windows' NetBIOS shares is not necessarily 100% secure. Anyone who wishes to make repeated attempts to determine your password may do so indefinitely and you may never notice; Windows offers no mechanism to alert you to such attempts.
However, it is a HUGE task to try every possible password on someone's shares. Windows allows up to 8 case-insensitive characters on a share password. Assuming only 26 letters and 10 numerals (more characters are allowed but I'm not sure how many), this makes for a possible 2,821,109,907,456 (36^8) 8-character passwords. That's 2.8 trillion. It would require something like 1000 guesses per second for a century to try every password! (And to do it that fast over the Internet is impossible! There is significant lag over the public Net, usually on the order of 1/4 second or more. Even on the fastest connections it would be impossible to execute more than 20 or so guesses per second.)
Password-guessing programs exist which use a dictionary to shorten this task, on the theory many people will use common words as part or all of their password. It works quite well; any number of people will use plain-English passwords like "bingo" or "aardvark". There are maybe 30,000 words in the English language; trying them all is not difficult. Given a typical list of encrypted passwords, a significant number of them can usually be cracked in a few hours' time. Though I believe it is rarely done, a similar approach can certainly be used online to attack a password-protected share. You can render this approach completely ineffective by choosing a secure password.
A secure password is as long as possible, includes both letters and numerals, and contains no words found in a dictionary. Adding other allowed symbols such as #$% really slams the door. If your password meets this description, only a brute-force approach (attempting every possible password systematically) will crack it. It's inconceivable anyone with a clue would consider it worthwhile to go to such lengths to find that password. They'd be better off breaking into your house and stealing your computer.
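The arithmetic of the last three paragraphs, and the "secure password" rules, worked into a small checker. This is an added example, not part of the original page: it computes the 36^8 keyspace and the time to exhaust it at a given guess rate, and grades a candidate share password against the page's advice (full 8 characters, letters and numerals mixed, no dictionary word, symbols widen the search). The word list is a constructed stand-in for a real dictionary, and the assumption that all 32 ASCII punctuation characters are accepted in a share password is this example's, not the page's.

```python
"""Brute-force cost and strength check for a Win9x share password.
Added example; the dictionary below is a constructed stand-in."""
import string

MAX_LEN = 8                         # share passwords: up to 8 case-insensitive characters (from the page)
ALNUM = 36                          # 26 letters + 10 digits, case does not matter
SYMBOLS = set(string.punctuation)   # assumed allowed symbol set (the page only says "symbols such as #$%")
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed mini wordlist; a real dictionary attack would use tens of thousands of words.
SAMPLE_DICTIONARY = {"bingo", "aardvark", "secret", "windows", "letmein"}


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly this length over the charset."""
    return charset_size ** length


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def contains_dictionary_word(password, dictionary, min_len=4):
    """True if any dictionary word of at least min_len letters appears inside the password."""
    pw = password.lower()
    return any(word in pw for word in dictionary if len(word) >= min_len)


def assess_share_password(password, dictionary=SAMPLE_DICTIONARY, online_rate=20.0):
    """Apply the page's rules; online_rate defaults to the page's ~20 guesses/s over the Net."""
    pw = password.lower()           # share passwords are case-insensitive, so case adds nothing
    problems = []
    if len(pw) > MAX_LEN:
        problems.append("longer than the %d characters a Win9x share accepts" % MAX_LEN)
    if len(pw) < MAX_LEN:
        problems.append("shorter than the full %d characters" % MAX_LEN)
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        problems.append("does not mix letters and numerals")
    if contains_dictionary_word(pw, dictionary):
        problems.append("contains a dictionary word, so a wordlist attack may find it")
    uses_symbols = any(c in SYMBOLS for c in pw)
    charset = ALNUM + (len(SYMBOLS) if uses_symbols else 0)
    space = keyspace(charset, min(len(pw), MAX_LEN))
    return {
        "strong": not problems,
        "problems": problems,
        "charset_size": charset,
        "keyspace": space,
        "years_online": years_to_exhaust(space, online_rate),
    }


if __name__ == "__main__":
    print("36^8 =", keyspace(ALNUM, MAX_LEN))
    print("years at 1000 guesses/s: %.1f" % years_to_exhaust(keyspace(ALNUM, MAX_LEN), 1000))
    for candidate in ("bingo", "aardvark", "k7q2z9r4", "k7#2z9r4"):
        report = assess_share_password(candidate)
        print(candidate, "strong" if report["strong"] else report["problems"],
              "%.0f years online" % report["years_online"])
```

The keyspace figure reproduces the page's 2.8 trillion, and the 1000-guesses-per-second case lands at roughly 89 years, the "century" the text mentions; at the 20 guesses per second the page considers realistic over the Net, a full-length mixed password would take thousands of years to exhaust, which is why the dictionary check matters far more than the raw count.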
The NetBIOS name table of your computer is available to anyone who wishes to query your system directly over the Internet using its IP address. There's a simple utility in all Windows machines called NBTSTAT.EXE which performs these queries. If your name table discloses something you don't wish to tell the world, you should change its entries to something less informative. I have often encountered people who desired anonymity but had their personal name or other identifying information displayed openly via the NetBIOS name table.
If sharing is enabled on the Internet link, the shared resources' names and descriptions are also available for anyone to see, regardless of passwords. If those names or descriptions contain information you don't want the whole world to see, you should change them accordingly.
To see what others see in your NetBIOS nametable, open a DOS window while online and type: nbtstat -n ...then hit Enter.
To change this information, open the Network icon in the Control Panel. Select the Identification tab and you'll see the configurable entries. You must reboot to bring changes into effect.
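What nbtstat actually sends and receives when it reads a name table is a NetBIOS Name Service node status exchange (the NBSTAT record of RFC 1001/1002) on UDP port 137. The following is an added example, not code from the original page: it builds the same wildcard request, parses the name table in the reply, and flags the entries a home user would want to review, namely the <03> messenger name (typically the logged-on user's name the text warns about) and a unique <20> name, which means the File Server service, i.e. File and Printer Sharing, is bound to that interface. The reply bytes used below are constructed with the builder in the block; the host name HOMEPC, user JOHN and workgroup WORKGROUP are placeholders, and the suffix descriptions are this example's wording for the standard suffix values.

```python
"""Build and parse NetBIOS node status (NBSTAT) messages, RFC 1001/1002.
Added example for checking what your own machine's name table discloses."""
import socket
import struct

NBSTAT = 0x0021      # node status record type
NB_PORT = 137        # NetBIOS Name Service, UDP

# Standard suffix values; descriptions are this example's wording.
SUFFIXES = {
    0x00: "workstation service (or workgroup, if a group name)",
    0x03: "messenger service: usually the logged-on user's name",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service: File and Printer Sharing is bound here",
}


def encode_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 16 raw bytes become 32 letters A..P, length-prefixed."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def skip_name(data, pos):
    """Advance past a (possibly compressed) NetBIOS name; return the new offset."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:    # compression pointer, two bytes in total
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def build_node_status_request(txid):
    """The datagram 'nbtstat -A <ip>' sends: a query for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: query, unicast
    question = encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, 1)
    return header + question


def parse_node_status_response(data):
    """Return the name table entries carried in an NBSTAT response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    pos = 12
    for _ in range(qd):                       # echoed question entries, if any
        pos = skip_name(data, pos) + 4
    pos = skip_name(data, pos)                # answer RR name
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names, pos = data[pos], pos + 1
    entries = []
    for _ in range(num_names):                # 15-byte name, suffix byte, 2 flag bytes
        raw = data[pos:pos + 18]
        pos += 18
        nflags = struct.unpack(">H", raw[16:18])[0]
        entries.append({
            "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": raw[15],
            "group": bool(nflags & 0x8000),   # G bit: group name (workgroup/domain)
            "active": bool(nflags & 0x0400),  # ACT bit
            "meaning": SUFFIXES.get(raw[15], "other service"),
        })
    return entries


def disclosures(entries):
    """Entries worth reviewing: unique <03> (user name) and <20> (sharing) names."""
    return [e for e in entries if not e["group"] and e["suffix"] in (0x03, 0x20)]


def sharing_exposed(entries):
    """True if a unique <20> name is registered, i.e. sharing is bound to this interface."""
    return any(e["suffix"] == 0x20 and not e["group"] for e in entries)


def build_node_status_response(txid, names, mac=b"\x00" * 6):
    """Constructed reply for offline use; mirrors the layout the parser expects."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rdata = bytes([len(names)])
    for name, suffix, group in names:
        nflags = 0x0400 | (0x8000 if group else 0)
        rdata += name.encode("ascii").ljust(15)[:15] + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40               # statistics block, zeroed in this sample
    rr = encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def query_node_status(host, timeout=2.0):
    """Ask one host (e.g. your own address, as with nbtstat -A) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(0x1234), (host, NB_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


# Constructed sample: placeholder host HOMEPC, user JOHN, workgroup WORKGROUP.
SAMPLE_RESPONSE = build_node_status_response(0x1234, [
    ("HOMEPC", 0x00, False), ("JOHN", 0x03, False),
    ("HOMEPC", 0x20, False), ("WORKGROUP", 0x00, True),
])

if __name__ == "__main__":
    table = parse_node_status_response(SAMPLE_RESPONSE)
    for e in table:
        print("%-15s <%02X> %-6s %s" % (e["name"], e["suffix"],
                                        "GROUP" if e["group"] else "UNIQUE", e["meaning"]))
    print("sharing bound to this interface:", sharing_exposed(table))
```

Run against the constructed sample it prints the four-entry table in the same layout nbtstat -n shows, with the JOHN <03> entry and the HOMEPC <20> entry flagged; the same parse applied to a real reply from your own machine shows exactly what the text says anyone on the Net can read, and whether sharing is bound to the Internet link.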
On a standalone computer, for the average user, there's really no reason to have NetBIOS working at all on the Internet link. Here's how you can kill it altogether:
Locate the file VNBT.386 in your Windows\System folder. VNBT.386 is the Windows "virtual device" which enables NetBIOS to run over TCP. Rename the file to VNBT_386.BAK (or some suitable name so it can be restored if you need it later). Once you reboot, this will disable all NetBIOS function over the Internet. This has the added benefit of making all file sharing impossible. Some trojan-horse exploits are designed to grant illicit access through hidden shares; the absence of VNBT.386 will render that trick ineffective.
Be aware: The Winsock2 upgrade or Win98 upgrade will re-install VNBT.386, as may some other updates or installations.
It is certainly not my purpose to cause fear and concern over file sharing. Given the above caveats, anyone can take full advantage of file sharing, on or off the Internet. I encourage it for those who can gain by it. Offering share access judiciously and with adequate password protection can provide a way of exchanging data in relative security, for whatever purpose. One might view file sharing as the NetBIOS equivalent of FTP.
Bear in mind that for secure transfer of sensitive data, some sort of encryption would be a necessity.