Windows XP shared folder security

[ChrisB]

I've have two PCs on a home network for a while, one runs XP Pro, one Win 98SE. They are connected via an ADSL router - no problems with the hardware.

I've shared folders on each of these, using share names hidden with a $ on the name; to access the 98SE shares I need a password, and to access the XP Pro shares I need to be logged in with the same user name as a user on the XP Pro box who has permission to see them. So anyone who hacks into my router has to guess either a share name and a password, or a share name, as user name and a password. This is all OK.

Now the problem. I've bought an XP Home box to replace the 98SE. I can access the shares on the XP Pro box from the XP Home, as I did for the 98SE. However, I can't share folders on the XP Home box without making them freely available to everyone. Am I missing something, or is this really true? Does XP Home have less security functionality than 98SE? Surely, sharing a folder between 2 home machines in a secure manner is an obvious thing for a home user to do?

I've tried simple file sharing, and I've tried changing ownership of the folder I'm sharing so that only one user can access them - in which case I can map the shared folder but can't access any files. The only way I can access them is to give access to Everyone; which means that if anyone gets into my router, they only need to guess the share name.

Have I missed something, or am I being paranoid and is sharing openly behind an NAT router actually safe enough?

Thanks

[+BudMan MVC]

Remote access to XP home is limited to Guest acesss.. Yes this is HOW XP home works ;)

http://support.microsoft.com/default.aspx?...kb;en-us;304040

How to configure file sharing in Windows XP

Simple File Sharing is always turned on in Windows XP Home Edition-based computers

all remote users authenticate as Guest.

If you do NOT want this - then use PRO.

As to being paranoid -- Unless you are forwarding file sharing ports inbound from your router.. you should be fine.

[ChrisB]

Thanks, Budman. I won't be forwarding any ports to the Home box; I forward 25 to a mail server on the Pro.

I would have bought Pro, if I'd realised how limited Home was; I thought it was just unable to join Domains, which wouldn't be a problem. Upgrading to Pro now would be a lot more expensive than buying in the first place.

I have actually tweaked Home a little, as discussed later on in the following thread:

http://www.dslreports.com/forum/remark,8261090

I downloaded the NT4 Security Configuration Manager but didn't install it all - just substituted rshx32_5.dll for rshx32.dd and changed the registry key. This gives me the security tab without going into Safe Mode, but it's of limited benefit without being share permissions.

Thanks for your reassurance.

[MajorSham]

I do not use authentication for public shares on my network, and I've disabled admin shares. If anything is shared, there is no password. I run W2K on a HTPC, and I effectively enabled a poor man's Simple File Sharing on Windows 2000 by turning on the Guest account in the Computer Management console. I would imagine you can do the reverse (turning off SFS) by disabling the Guest account on a Windows XP Home box. Once the Guest account is disabled, it will have to prompt for a password.

[+BudMan MVC]

No turning off the guest account in XP home does NOT allow you to access shares with different users.

It just does not allow you to connect.. Disable the account is very simple

net user guest /active:no

Now you just can not access the machine remotely

I know of no HACK to allow you to access xp home remotely with an account other than 'guest'.. Not saying there is not one - but this would be circumvention of the designed use of XP home.. and would not be open for discussion here on neowin anyway.

Yes there are plenty of known ways of giving you access to the file permissions without having to be in safe mode.. but this does not change that remote users always auth as guest in XP home.. yes you can set file permissions all you want .. this only effects local access. Well it could effect remote access in the sense you could remove guest access to some subfolders of share, etc..

Yes you will see talk of changing the forceguest reg key.. does not work in home.

http://support.microsoft.com/default.aspx?...kb;en-us;307874

How to disable simplified sharing and set permissions on a shared folder in Windows XP

Note You cannot turn off simple file sharing in Microsoft Windows XP Home Edition.

About the only thing you can do is give the guest account a password.. Which would basically make SFS how it worked in 9x

net user guest somepassword

Now when you remote access your home machine it will prompt you for the guest password.