Runsafe:Microsoft Windows File Sharing Risks

From WolfTech
Revision as of 12:35, 16 March 2006 by Djgreen (talk | contribs)

Microsoft Windows systems provide easy to use file sharing functionality. You can easily make any folder on your computer available to the entire JMU community or only to those who know a secret password. It is important to realize, however, that misuse of this functionality can result in a total compromise of your computer, everything stored on it, everything typed into it, and everything accessed from it (email, PeopleSoft and Ecampus accounts, network drives, outside accounts, etc.).

If you were directed here by a warning placed on your desktop (an icon named "JMU SECURITY ALERT - READ THIS ASAP", which links to sharealert.html), your computer is a sitting duck for any virus or hacker that comes along. In fact, anyone at JMU is able to read, write, modify, or delete anything on your computer. If it's a home computer in this condition, anyone in the world can do the same.

There are three common mistakes people make with Microsoft file sharing.

  • Mistake #1: Sharing an entire hard drive (or letting a missing Administrator password do it for you!).
  • Mistake #2: Letting anonymous people (including criminals) and programs (including viruses) write to your computer.
  • Mistake #3: Sharing folders containing personal data with the world.


Mistake #1 - Sharing an entire hard drive, either on purpose or because you don't have an Administrator password

If your hard drive (e.g. C:) is shared with read/write permissions, it has the same effect as letting everyone borrow your computer, copy your keystrokes, and use your passwords and accounts. People are free to load and run software of their choice on your computer. Even if shared read-only, there are areas that can be abused. For example, the My Documents folder and password files are available to anyone who cares to look at them. It is extremely important that you guard against sharing your entire hard drive.

Windows NT, 2000 and XP Professional computers create hidden administrative shares (C$ for each drive, plus ADMIN$ for the Windows folder) that grant full access to anyone who can authenticate as Administrator over the network. So people and programs (or criminals and viruses) that can guess the Administrator password can take full control of your computer without ever touching the keyboard. This happens quite often. Use the procedures below to set a strong Administrator password.

If, when you follow these instructions, you get an error message like "access denied", it means you're logged into the machine with a non-privileged account. Simply log out (Start->Log Off (username)) and log back in as Administrator using a blank password. If your computer normally logs into Novell, you'll need to check the box on the login screen that says "workstation only" so you log in to the local computer only and not to Novell.


  • On Windows NT systems:


    • Click Start->Programs->Administrative Tools->User Manager.
    • Double-click the Administrator entry and set a strong password.
    • Do not forget the password.


  • On Windows 2000 systems:


    • Right-click on the My Computer icon on your desktop and select Manage
    • Double-click on Local Users and Groups
    • Double-click on the Users folder.
    • Right-click on the Administrator icon and click once on Set Password.
    • Set a strong password. Do not forget the password.
    • Click OK


  • On Windows XP systems:

    To change the Windows XP Administrator account password if you're logged in as Administrator:

    • Press the Ctrl, Alt and Delete keys simultaneously.
    • Click Change Password
    • Type Administrator into the user box.
    • Type in a new strong password twice. Do not forget the password.
    • Click OK.

    To reset the Windows XP Administrator password if you're logged in with another account with administrative privileges:

    • Right-click on the My Computer icon on your desktop and select Manage
    • Double-click on Local Users and Groups
    • Double-click on the Users folder.
    • Right-click on the Administrator icon and click once on Set Password.
    • Set a strong password. Do not forget the password.
    • Click OK

    When you create new users during Windows XP Setup, every account is created with administrative privileges and no password by default. Each such account is a full administrator of the hidden administrative shares on Windows XP Professional machines (Windows XP Home does not enable the hidden shares by default). XP's default security policy refuses network logons for local accounts with a blank password, but that is a single policy setting that can be switched off, and the blank password still lets anyone at the keyboard in. On either system, you must set a password for each user. See Microsoft Knowledge Base article Q293834.
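    The same check and fix, scripted, as an added example that is not part of the original page. It assumes Windows PowerShell (2.0 or later, which Windows XP did not ship with and must be installed separately) running in an administrative session on the local computer. It lists enabled local accounts whose password is not required (the state Setup leaves new accounts in), generates a random password, and sets it on Administrator through the WinNT ADSI provider, which is the same operation the Set Password dialog in Computer Management performs.

```powershell
# Added example (not from the original page): audit local accounts and
# set a strong Administrator password. Assumes Windows PowerShell 2.0+
# in an elevated session on the local machine.

function Get-RiskyLocalAccount {
    # Win32_UserAccount.PasswordRequired is False for accounts created without
    # a password, which is how XP Setup creates every account. The LocalAccount
    # filter keeps a domain-joined machine from enumerating the whole domain.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { (-not $_.Disabled) -and (-not $_.PasswordRequired) } |
        Select-Object Name, Disabled, PasswordRequired, Lockout
}

function New-StrongPassword {
    param([int]$Length = 16)
    # Use the .NET cryptographic RNG rather than Get-Random so the value is
    # unpredictable. Ambiguous characters (0/O, 1/l/I) are left out so the
    # password can be written down and read back without mistakes.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $bytes = New-Object byte[] $Length
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Set-LocalAccountPassword {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # WinNT provider: the same operation as Computer Management -> Local Users
    # and Groups -> right-click -> Set Password. Requires administrative rights.
    $account = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $account.SetPassword($Password)
    $account.SetInfo()
}

$risky = Get-RiskyLocalAccount
if ($risky) {
    Write-Host "Enabled local accounts with no password required:"
    $risky | Format-Table -AutoSize
}

# Give the built-in Administrator a fresh password and show it once so it can
# be recorded somewhere safe; the page's advice stands: do not forget it.
$newPassword = New-StrongPassword
Set-LocalAccountPassword -Name 'Administrator' -Password $newPassword
Write-Host "Administrator password changed; record it now: $newPassword"
```

    Run Get-RiskyLocalAccount on its own first; every account it lists needs a password set the same way, not just Administrator. The modulo in New-StrongPassword introduces a small bias toward the first few characters of the alphabet; for a 16-character password drawn from 70 symbols that is negligible, but a longer length costs nothing.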


    If you share the hard drive temporarily for backup purposes, assign a password to it. You'd be surprised how often the JMU network gets scanned by people looking for vulnerable computers. Don't forget to unshare it when you are finished with the backup.

    If you don't want to allow other computers to access your folders, disable file sharing completely by:

    • Windows 95,98,ME:
      • Click Start->Settings->Control Panel
      • Double-click the Network control panel
      • Click File and Print Sharing
      • Uncheck the box labeled "I want to be able to give others access to my files"
      • Click OK, OK.
      • Reboot your computer.
    • Windows NT4
      • Click Start->Settings->Control Panel
      • Double-click the Network control panel
      • Click the Bindings tab
      • Highlight Server
      • Click Disable
      • Click OK
    • Windows 2000/XP
      • Click Start->Settings->Control Panel
      • Double-click "Network and Dial-up Connections"
      • Right-click "Local Area Connections" and select Properties
      • Uncheck "File and Printer Sharing for Microsoft Networks"

    Properly configured firewalls block the doors file sharing services leave open on your computer, but it's best not to leave the doors open in the first place. Disable file sharing if you're not going to use it.

    If you want to allow others to access folders on your computer it is best to create a new folder specifically for that purpose.

    To get a complete list of all folders you have shared:

    1. Open a Command Prompt window (Start->Run, type cmd, click OK).
    2. Type net share
    3. Every share on your computer is listed with the folder it exposes, including the hidden administrative shares (names ending in $, such as C$ and ADMIN$) that never appear on the network browse list. If the command reports "The Server service is not started", Microsoft File Sharing is disabled. To see your computer the way the rest of the network sees it, type net view \\yourcomputername; that list omits the hidden shares, so do not rely on it to decide that nothing is shared.
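    The same audit, scripted, as an added example that is not part of the original page. It assumes Windows PowerShell (2.0 or later) in an administrative session. It enumerates every share through WMI, including the hidden and administrative ones, flags any share that exposes a whole drive (Mistake #1), removes the user-created ones, and shows the command-line equivalent of unchecking "File and Printer Sharing for Microsoft Networks": stopping and disabling the Server service, which is what answers incoming share requests.

```powershell
# Added example (not from the original page): list every share on this
# computer, flag whole-drive shares, and turn file sharing off.
# Assumes Windows PowerShell 2.0+ in an elevated session.

function Get-ShareReport {
    # Win32_Share includes hidden ($) and administrative shares that
    # "net view \\computer" never shows. Type 0 is a disk share; administrative
    # shares (C$, ADMIN$, IPC$) have 0x80000000 added to their type.
    Get-WmiObject -Class Win32_Share | ForEach-Object {
        $isDisk  = ($_.Type -band 0x7FFFFFFF) -eq 0
        $isAdmin = $_.Type -ge 2147483648
        # A path of just "C:" or "C:\" means the entire drive is shared.
        $isRoot  = $isDisk -and ($_.Path -match '^[A-Za-z]:\\?$')
        New-Object PSObject -Property @{
            Name       = $_.Name
            Path       = $_.Path
            Hidden     = $_.Name.EndsWith('$')
            AdminShare = $isAdmin
            WholeDrive = $isRoot          # Mistake #1
        }
    }
}

function Remove-WholeDriveShare {
    # Removes user-created whole-drive shares only. The built-in C$/ADMIN$ are
    # left alone because Windows re-creates them at boot; they are guarded by
    # the Administrator password, not by deleting the share.
    Get-ShareReport | Where-Object { $_.WholeDrive -and -not $_.AdminShare } |
        ForEach-Object {
            Write-Host "Removing share $($_.Name) -> $($_.Path)"
            net share "$($_.Name)" /delete
        }
}

function Disable-FileSharing {
    # Same effect as unchecking "File and Printer Sharing for Microsoft
    # Networks": with the Server service (LanmanServer) stopped and disabled,
    # nothing on this computer answers share requests. -Force also stops
    # dependent services such as Computer Browser.
    Stop-Service -Name LanmanServer -Force
    Set-Service  -Name LanmanServer -StartupType Disabled
}

Get-ShareReport | Format-Table Name, Path, Hidden, AdminShare, WholeDrive -AutoSize
```

    Run the report first and read it before calling Remove-WholeDriveShare or Disable-FileSharing; a share created for a one-off backup and then forgotten is exactly what the report is meant to surface. Re-enabling later is Set-Service LanmanServer -StartupType Automatic followed by Start-Service LanmanServer.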

    Mistake #2 - Letting Anonymous People (including criminals) and Programs (including viruses) Write to Your Computer

    If you don't control write access to your shared folder, people may store inappropriate or illegal materials on your computer which may get you in trouble. Anonymous people may maliciously change or delete someone else's content that resides in the share. You may be blamed by people that use your share for the malicious content or modifications. Viruses use such open shares to spread themselves. Finally, people may simply fill up your hard drive. 

    You can prevent this by doing one or both of the following:

    • Changing the folder's share properties so the folder is read-only.
    • Changing the folder's share properties so a password is necessary to access it. Be sure to choose a strong password!

    Microsoft ships Windows XP with its Shared Documents folder open to the world, including viruses and criminals. To disable or configure this share:

    • Double-click the My Computer icon
    • Right-click the Shared Documents icon and select Sharing and Security
    • Click the Sharing tab and set options as you desire
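    A way to find every share, Shared Documents included, that lets anonymous users write, as an added example that is not part of the original page. It assumes Windows PowerShell (2.0 or later) in an administrative session. It reads each share's permission list through WMI and reports any "allow" entry for Everyone, Guests, Guest or ANONYMOUS LOGON that carries write, append, delete or generic-write bits; a plain Read grant (mask 0x1200A9) is not reported.

```powershell
# Added example (not from the original page): find shares whose share-level
# permissions let anonymous trustees write (Mistake #2).
# Assumes Windows PowerShell 2.0+ in an elevated session.

# Bits from the Windows access-mask layout that allow changing content.
$FILE_WRITE_DATA       = 0x2
$FILE_APPEND_DATA      = 0x4
$FILE_WRITE_EA         = 0x10
$FILE_WRITE_ATTRIBUTES = 0x100
$DELETE                = 0x10000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$WriteMask = $FILE_WRITE_DATA -bor $FILE_APPEND_DATA -bor $FILE_WRITE_EA -bor
             $FILE_WRITE_ATTRIBUTES -bor $DELETE -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Trustees that mean "anyone at all" on a campus or home network.
$AnonymousTrustees = @('Everyone', 'Guests', 'Guest', 'ANONYMOUS LOGON')

function Get-OpenWriteShare {
    # Win32_LogicalShareSecuritySetting exists for each user-visible share;
    # GetSecurityDescriptor returns its share-level DACL (not the NTFS ACL).
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting | ForEach-Object {
        $share  = $_.Name
        $result = $_.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "Cannot read the permissions of share $share (code $($result.ReturnValue))"
            return
        }
        foreach ($ace in $result.Descriptor.DACL) {
            # AceType 0 = access allowed, 1 = access denied; only grants matter here.
            if ($ace.AceType -ne 0) { continue }
            $trustee = $ace.Trustee.Name
            if (($AnonymousTrustees -contains $trustee) -and (($ace.AccessMask -band $WriteMask) -ne 0)) {
                New-Object PSObject -Property @{
                    Share      = $share
                    Trustee    = $trustee
                    AccessMask = ('0x{0:X}' -f $ace.AccessMask)
                }
            }
        }
    }
}

$open = Get-OpenWriteShare
if ($open) {
    Write-Host "Shares that anonymous users can write to:"
    $open | Format-Table Share, Trustee, AccessMask -AutoSize
    Write-Host "Fix each one: net share <name> /delete, then re-share the folder read-only from its Sharing tab."
} else {
    Write-Host "No share grants write access to anonymous trustees."
}
```

    Windows XP's net share command cannot change permissions on an existing share, which is why the fix is to delete it and share the folder again with read-only permissions. Full Control (0x1F01FF) and Change (0x1301BF) both contain the write bits and will be reported; the administrative shares have no share-level permission list and do not appear here, since they are controlled by the Administrator password covered under Mistake #1.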


    Mistake #3 - Sharing Folders Containing Personal Data with the World

    Some folks properly protect a share with read-only permissions but make the mistake of sharing the wrong folder or putting sensitive information in it. Shared folders are easily discovered on the network and unless they are password protected, anyone can read what they contain. Sharing a folder like My Documents will expose personal data. If you do it on the NCSU network, it will be shared with all of NCSU. If you do it at home, it will be shared with the entire Internet.

    It is best to create specific shared folders for each different use.