-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 07 July 2001 12:43, thus spake Judith Miner:
> Not so! Please consider this from the perspective of the normal,
> standalone Windows user. We're not talking about large networks here,
> which Linux folks seem unable to comprehend many times.
All I have ever dealt with are networks of less than 100 nodes, and several
were less than 10. That qualifies for small, yes?
> A small LAN in Windows should be using the NetBEUI protocol, not TCP/IP.
> File and printer sharing is enabled *only* for NetBEUI. TCP/IP is *only*
> for your Internet connection and you do not have file and printer
> sharing enabled for TCP/IP. NetBIOS is not to be enabled for TCP/IP. So
> with no file and printer sharing for TCP/IP, your hard drive cannot be
> viewed by the outside world.
That's nice in theory, but I've never seen such a setup. Most *small*
networks are set up in one of two ways: all protocols are installed and
running (the Microsoft default -- NetBEUI, IPX/SPX, and TCP/IP all at
once), or else someone has gone and removed everything except TCP/IP, so
that is the only protocol being used.
If I see all protocols in use, I will cut out all but TCP/IP if I can,
because running multiple protocols is extremely inefficient on a PC, and
it hurts overall network performance. Also, NetBEUI is a very "chatty"
protocol, in that hosts are constantly announcing themselves to the
network, and so even on a small network, performance can suffer because of
heavy network traffic.
If only TCP/IP is in use, then file/print sharing is being done over that
protocol, and network shares *will* be visible to the Internet if no
firewall or proxy is in place. Use a port scanning tool against a wide IP
range on the Internet, and look for open ports 137 and 138; these are used
by Windows file/print sharing (the SMB protocol, upon which Samba is
based). You will be amazed, probably depressed, at the number of open
hosts you find.
> An always-on broadband connection absolutely needs a software or
> hardware firewall, or both.
I even use pmfirewall on my laptop, when I am using ppp to connect to my
ISP. Just because I'm only connected for a relatively short time, doesn't
mean I won't be randomly scanned and possibly attacked.
> Other security problems, such as trojans and viruses, are due to user
> error, such as opening attachments and downloaded files without checking
> them first with one or more antivirus programs. A Windows system
> becomes much safer if
> Windows Script Host is disabled system wide, which is easily done and
> has no adverse consequences for a SOHO or home user.
Again, I have never seen Windows Scripting Host disabled, *except* on the
networks I have administered myself. Most people just don't know about
this kind of stuff, even though it is extremely easy to do.
> Microsoft has set up terrible defaults for someone setting up a small
> network. They are easily changed and you don't have to know much to do
> it, but "out of the box" the defaults are very unsafe and Microsoft is
> to blame for that.
> --Judy Miner
I must agree with you there. Microsoft's defaults are horrible. And even
their documentation stinks -- their own help files only show you enough to
set up a basic network running all three protocols! It takes outside
reading and/or experience to learn the "right" way of doing things.
Dave
- --
"Nihil tam munitum quod non expugnari pecunia possit." (No
fortification is such that it cannot be subdued with money.)
- - Marcus Tullius Cicero, 106-43 B.C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7R2CZOiMJhTaLf3MRAmsBAJ4g7eL9suwce8a+s4TjzsTd3Xcp2QCfe2Qq
ITZU8YceDzXXbvU5LFdG3ek=
=eWpZ
-----END PGP SIGNATURE-----