Networking ME, XP Securely on LAN

To network a Windows ME and XP computer together on a LAN securely I shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind TCP on the XP, run the networking wizard on the XP, create a network disk, then run it on the ME.

The web page http://www.easydesksoftware.com/news/news24.htm says that the Networking Wizard on the XP computer will create a network floppy disk that will add a new service to the ME's HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".

What is the purpose of the network floppy disk? Why is it necessary to add the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?

Thank you.

On Sun, 24 Dec 2006 18:35:00 -0800, MEK <spr3***@NOTmsn.com> wrote:

>To network a Windows ME and XP computer together on a LAN securely I
>shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind
>TCP on the XP, run the networking wizard on the XP, create a network disk,
>then run it on the ME.
>
>The web page http://www.easydesksoftware.com/news/news24.htm says that the
>Networking Wizard on the XP computer will create a network floppy disk that
>will add a new service to the ME's
>HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
>key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".
>
>What is the purpose of the network floppy disk? Why is it necessary to add
>the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?
>
>Thank you.

Using alternative protocols is occasionally recommended by those who don't want to take the time to work out a secure network properly. Alternate protocols have their advantages in rare occasions.
http://nitecruzr.blogspot.com/2005/07/windows-networking-and-alternate.html

A properly designed layered security strategy is much more effective in the long run.
http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html

The network floppy disk contains nothing that you can't do by hand, just as easily.
http://nitecruzr.blogspot.com/2005/05/using-network-setup-wizard-in-windows.html

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT actual address pchuck mvps org.

In article <90F030C6-5AB5-49E4-B879-A687855A4***@microsoft.com>, MEK
<spr3***@NOTmsn.com> wrote:

>To network a Windows ME and XP computer together on a LAN securely I
>shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind
>TCP on the XP, run the networking wizard on the XP, create a network disk,
>then run it on the ME.
>
>The web page http://www.easydesksoftware.com/news/news24.htm says that the
>Networking Wizard on the XP computer will create a network floppy disk that
>will add a new service to the ME's
>HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
>key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".
>
>What is the purpose of the network floppy disk? Why is it necessary to add
>the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?
>
>Thank you.

Why do you say that TCP/IP isn't secure on a LAN? Using TCP/IP as the only network protocol is by far the most common LAN setup, and it's easy to make it secure.

Using TCP/IP is secure if a LAN connects to the Internet through a broadband router. By default, the router acts as a firewall, preventing other Internet users from accessing your LAN or your computers.

The only setup I know of where TCP/IP isn't secure is when:

1. All of the computers connect directly to the Internet through a network hub or switch, without a router.

and:

2. All of the computers receive public IP addresses from a cable modem, DSL modem, etc.

If your computer's IP address is in one of these ranges, it's a private IP address, not a public IP address, and it's safe to use TCP/IP for File and Printer Sharing:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Despite what XP's Network Setup Wizard says, you don't have to run the Network Setup Wizard on Windows 98/Me computers. You can make their network settings manually. In fact, the default network settings in Windows 98/Me work fine with XP.

The Network Setup Wizard's main purpose is to configure a computer for File and Printer Sharing using TCP/IP. The Wizard can't configure a computer to use NetBEUI or IPX/SPX for File and Printer Sharing.

The SSDP service can detect and display an icon for an Internet gateway (ICS host computer or broadband router) on the LAN. Of course, if the LAN has an ICS host computer or a broadband router, it's safe to use TCP/IP for File and Printer Sharing.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

"Steve Winograd [MVP]" wrote:

> In article <90F030C6-5AB5-49E4-B879-A687855A4***@microsoft.com>, MEK
> <spr3***@NOTmsn.com> wrote:
> >To network a Windows ME and XP computer together on a LAN securely I
> >shouldn't use TCP, so I will unbind TCP and bind IPX/SPX to the ME, unbind
> >TCP on the XP, run the networking wizard on the XP, create a network disk,
> >then run it on the ME.
> >
> >The web page http://www.easydesksoftware.com/news/news24.htm says that the
> >Networking Wizard on the XP computer will create a network floppy disk that
> >will add a new service to the ME's
> >HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
> >key, SSDPSRV, which is the "Simple Service Discovery Protocol Service".
> >
> >What is the purpose of the network floppy disk? Why is it necessary to add
> >the SSDP service to the ME, if the ME already supports NetBIOS and IPX/SPX?
> >
> >Thank you.
>
> Why do you say that TCP/IP isn't secure on a LAN? Using TCP/IP as the
> only network protocol is by far the most common LAN setup, and it's
> easy to make it secure.
>
> Using TCP/IP is secure if a LAN connects to the Internet through a
> broadband router. By default, the router acts as a firewall,
> preventing other Internet users from accessing your LAN or your
> computers.
>
> The only setup I know of where TCP/IP isn't secure is when:
>
> 1. All of the computers connect directly to the Internet through a
> network hub or switch, without a router.
>
> and:
>
> 2. All of the computers receive public IP addresses from a cable
> modem, DSL modem, etc.
>
> If your computer's IP address is in one of these ranges, it's a
> private IP address, not a public IP address, and it's safe to use
> TCP/IP for File and Printer Sharing:
>
> 10.0.0.0 - 10.255.255.255
> 172.16.0.0 - 172.31.255.255
> 192.168.0.0 - 192.168.255.255
>
> Despite what XP's Network Setup Wizard says, you don't have to run the
> Network Setup Wizard on Windows 98/Me computers. You can make their
> network settings manually. In fact, the default network settings in
> Windows 98/Me work fine with XP.
>
> The Network Setup Wizard's main purpose is to configure a computer for
> File and Printer Sharing using TCP/IP. The Wizard can't configure a
> computer to use NetBEUI or IPX/SPX for File and Printer Sharing.
>
> The SSDP service can detect and display an icon for an Internet
> gateway (ICS host computer or broadband router) on the LAN. Of
> course, if the LAN has an ICS host computer or a broadband router,
> it's safe to use TCP/IP for File and Printer Sharing.
> --
> Best Wishes,
> Steve Winograd, MS-MVP (Windows Networking)
>
> Please post any reply as a follow-up message in the news group
> for everyone to see. I'm sorry, but I don't answer questions
> addressed directly to me in E-mail or news groups.
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com
>

I read this from a website:

"The most dangerous issue for any computer running any version of the Windows operating system is that file and print sharing is, by default, enabled and bound to TCP/IP. That means, simply, that the same capability that allows peer-to-peer networking and file sharing on your home/office LAN is available to anyone on the Internet!! In particular, the following ports are open and listening:

UDP port 137, nbname (NetBIOS name service)
UDP port 138, nbdatagram (NetBIOS datagram service)
TCP port 139, nbsession (NetBIOS session service)

There is no reason for file and print sharing to use TCP/IP. Before connecting in any way to the Internet, Windows users should block file and print sharing over TCP/IP. This is simply done; go into the Network configuration under Control Panel, and unbind "Client for Microsoft Networks" and "File and print sharing for Microsoft Networks" in the TCP/IP properties for all adapters using TCP/IP (Screen #1). You can still do all of the file and print sharing that you want over the LAN because Microsoft networks use the NetBIOS protocol and don't need to have these functions bound to TCP/IP."

Someone told me to always close these TCP file-sharing ports when connected to the Internet.

Will a router's firewall or a software firewall provide protection if I configure it properly?

Thanks.

In article <A257DCA1-F7F1-4AB8-8B54-721B2AF1F***@microsoft.com>, MEK
<spr3***@NOTmsn.com> wrote:

>I read this from a website:
>
>"The most dangerous issue for any computer running any version of the
>Windows operating system is that file and print sharing is, by default,
>enabled and bound to TCP/IP. That means, simply, that the same capability
>that allows peer-to-peer networking and file sharing on your home/office LAN
>is available to anyone on the Internet!! In particular, the following ports
>are open and listening:
>
>UDP port 137, nbname (NetBIOS name service)
>UDP port 138, nbdatagram (NetBIOS datagram service)
>TCP port 139, nbsession (NetBIOS session service)

I assume that you're referring to

http://www.vtinfragard.org/protecting_home_systems.html

Note that the paragraph right above the one you quoted says "These rules apply to both dial-up and dedicated (DSL/cable modem) access." I interpret "dedicated (DSL/cable modem) access" to be the type of direct Internet connection, without a broadband router, that I mentioned in my first reply. In that case, and only in that case, I agree that it's insecure to use TCP/IP for File and Printer Sharing.

I don't think that the rules on that page apply to a LAN that gets Internet access through a broadband router. Only the router is visible to other people on the Internet. The computers and their shared files are invisible and inaccessible to other people on the Internet, regardless of what ports are open and listening.

>There is no reason for file and print sharing to use TCP/IP. Before
>connecting in any way to the Internet, Windows users should block file and
>print sharing over TCP/IP. This is simply done; go into the Network
>configuration under Control Panel, and unbind "Client for Microsoft Networks"
>and "File and print sharing for Microsoft Networks" in the TCP/IP properties
>for all adapters using TCP/IP (Screen #1). You can still do all of the file
>and print sharing that you want over the LAN because Microsoft networks use
>the NetBIOS protocol and don't need to have these functions bound to TCP/IP."

In my opinion, there's no reason to use anything but TCP/IP for File and Printer Sharing, except in the specific setup that I described. I've written a web page about it:

Windows XP Network Protocols
http://www.practicallynetworked.com/sharing/xp/network_protocols.htm

Note that Microsoft dropped support for NetBEUI in Windows XP, and it has dropped support for IPX/SPX in Windows Vista. TCP/IP is the only protocol available in Windows Vista.

>Someone told me to always close these TCP file-sharing ports when connected
>to the Internet.

That statement is much too broad.

>Will a router's firewall or a software firewall provide protection if I
>configure it properly?

Yes, a router's firewall provides protection. To verify that, set up a LAN using TCP/IP for File and Printer Sharing behind a broadband router, then run a port scan, such as Shields Up!! at http://grc.com

>Thanks.

You're welcome!
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

> >Will a router's firewall or a software firewall provide protection if I
> >configure it properly?
>
> Yes, a router's firewall provides protection. To verify that, set up
> a LAN using TCP/IP for File and Printer Sharing behind a broadband
> router, then run a port scan, such as Shields Up!! at http://grc.com
>
> >Thanks.

So if I have a router with NAT, and several computers with privately assigned IP addresses on a LAN with shared files (and with ports 137-139 and 445 opened), the router won't pass any requests from the Internet for these ports to the private IP addresses?

Is this automatic or does the router have to be configured to block specific ports? I have a Netgear "Wireless Firewall Router" but there is no option for blocking individual ports.

Again, thanks for the feedback.

In article <9D7443D9-3154-4D26-9D7A-DE2BF594A***@microsoft.com>, MEK
<spr3***@NOTmsn.com> wrote:

>> >Will a router's firewall or a software firewall provide protection if I
>> >configure it properly?
>>
>> Yes, a router's firewall provides protection. To verify that, set up
>> a LAN using TCP/IP for File and Printer Sharing behind a broadband
>> router, then run a port scan, such as Shields Up!! at http://grc.com
>>
>> >Thanks.
>
>So if I have a router with NAT, and several computers with privately
>assigned IP addresses on a LAN with shared files (and with ports 137-139 and
>445 opened), the router won't pass any requests from the Internet for these
>ports to the private IP addresses?

That's right. The router will drop all such requests, because they're unsolicited. That's how NAT works. See the explanation here:

http://www.networkclue.com/routing/Firewalls/nat.aspx

>Is this automatic or does the router have to be configured to block specific
>ports? I have a Netgear "Wireless Firewall Router" but there is no option for
>blocking individual ports.

It's automatic.

>Again, thanks for the feedback.

You're welcome.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
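
The behaviour discussed at the end of the thread (a NAT router dropping unsolicited Internet requests for ports 137-139 and 445), as an added example that is not part of the original posts: a toy Python model of a router's session table. The `NatRouter` class, its methods, the `forwards` port-forwarding table and every address used are constructed for illustration and do not model any particular router.

```python
import ipaddress

# The three private ranges listed in the thread (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# File-sharing ports named in the thread, with their transport protocol.
FILE_SHARING_PORTS = {137: "udp", 138: "udp", 139: "tcp", 445: "tcp"}


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class NatRouter:
    """Toy NAT session table (hypothetical; not any vendor's firmware)."""

    def __init__(self, forwards=None):
        self.sessions = {}   # (proto, public_port) -> (lan host, remote peer)
        self.forwards = forwards or {}  # (proto, public_port) -> lan host
        self.next_port = 40000

    def outbound(self, proto, lan, remote):
        """A LAN host opens a connection; the router records the session."""
        if not is_private(lan[0]):
            raise ValueError("LAN host must use a private address")
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(proto, public_port)] = (lan, remote)
        return public_port

    def inbound(self, proto, remote, public_port):
        """Packet from the Internet: return the LAN target, or None if dropped."""
        session = self.sessions.get((proto, public_port))
        if session and session[1] == remote:
            return session[0]            # reply to a solicited session
        return self.forwards.get((proto, public_port))  # None unless forwarded


def exposed_file_sharing_ports(router, probe=("203.0.113.50", 50000)):
    """File-sharing ports an unsolicited Internet probe can reach."""
    return sorted(port for port, proto in FILE_SHARING_PORTS.items()
                  if router.inbound(proto, probe, port) is not None)


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not from the thread.
    router = NatRouter()
    port = router.outbound("tcp", ("192.168.0.10", 1025), ("203.0.113.80", 80))
    print(router.inbound("tcp", ("203.0.113.80", 80), port))
    print(exposed_file_sharing_ports(router))
```

A router constructed with an entry such as `forwards={("tcp", 445): ("192.168.0.10", 445)}` reports port 445 as reachable, which is the kind of setting to look for if an external port scan ever shows a file-sharing port open.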