File And Printer Sharing And The Internet



The essence of computer networking is that computers share data or resources. "File and Printer Sharing" is Microsoft's descriptive name for this function in its networked Windows and NT systems.

Though this information does apply broadly, this page is written with the home PC user in mind. It's an attempt to explain Windows file sharing in the context of computer networking, not merely in terms of the superficial open-this-click-here mechanics of the Windows interface.

 

Some Networking Basics

Most people who've used the Internet for very long have encountered networking terms like TCP/IP (Internet Protocol/Transmission Control Protocol), FTP (File Transfer Protocol), and so forth; and they often have at least a rudimentary idea what such terms mean. But I find few Windows users who are familiar with the networking which is built into their own machines.

The "native" network software of Win9x/NT machines, while similar in many respects to Internet (IP) networking, is NOT the same thing. It consists primarily of NetBIOS -- Network Basic Input Output System.

NetBIOS is software that allows applications on different computers to communicate within a local network. It was originally created by IBM, for use in early PCs, was adopted by Microsoft, and has become an industry standard.

NetBIOS is quick and efficient on a small network. Data is simply sent out via the network interface and in effect is broadcast to all machines on the LAN (Local Area Network). No routing outside the LAN is involved or supported.

Because NetBIOS does not contain a mechanism for routing data outside its LAN, applications communicating on a segmented network (often called an enterprise network) or wide area network (WAN) must use a transport protocol such as IPX or TCP/IP.

The IPX (Internetwork Packet eXchange) protocol, enabled by default on Win/NT machines, is comparable in function to IP. IPX establishes the format of network data packets and like IP, can serve to implement NetBIOS over a wide area network.

NetBIOS is typically paired with a protocol called NETBEUI (Netbios Extended User Interface), an extension of NetBIOS which defines the format of its data packets and thereby also serves to help implement NetBIOS over a WAN.

NetBIOS Compared to Internet

Like IP networking, NetBIOS works primarily on a server/client model. Any system which shares its resources (File And Printer Sharing) is a server. Any system which accesses them is a client.

NetBIOS uses names rather like domain names, and a vaguely similar method of distributing name and address information.

Any computer on a NetBIOS network can gather name, address and resource information and/or distribute such info to others. Because of this, simple peer-to-peer networking is very easy to implement between any two NetBIOS-equipped machines.

NetBIOS has its limits. Because all communications are sent to all machines on the LAN over a single continuous link, congestion quickly becomes a problem as the number of systems on the LAN increases.

NetBIOS in Relation to The Internet

NetBIOS adapts to and works with IP networking. NetBIOS names can be mapped to (made synonymous with) IP addresses on a network using both protocols. And, NetBIOS can be "ported" to an IP network, whereby the NetBIOS communications take the form of TCP packets for transmission to another NetBIOS machine.

This last is the means by which Windows resources can be readily shared with other machines across the Internet.

Home Networking

Increasing numbers of people have caught on to the ease with which Windows computers can be networked. In homes with more than one Microsoft machine, I see and hear more and more often of people availing themselves of the benefits of networking.

And those benefits are numerous! Given one machine with a huge hard drive, other machines can utilize that storage capacity. Games can be played interactively. Printers can be shared. And so on. For many home users, networking is a quantum leap ahead in computing.

 

Managing Shared Resources - The Windows Loophole

Windows 95/98 users can unwittingly compromise their own security by way of File and Printer Sharing. The problem is simply this: when File and Printer Sharing is first enabled, it is enabled on all network devices, including even Dial-Up Networking.

This means that when a home user sets up his own LAN using Microsoft's simple, handy, built-in networking, and if that user turns on file sharing, his shared resources immediately become available over the existing dial-up and/or cable modem link to the Internet.

Shared resources are easily protected with passwords. But on a tiny home network or in a small business, passwords may often be omitted on the assumption all users are trusted.

As a result, a significant number of people have wound up with unprotected shares, accessible to mischief-makers and the curious, enemies and friends alike; any user on the global Net. It requires only the necessary Windows configuration and a little know-how to access those shares.

File sharing is, after all, a feature -- not a bug! The problem is merely that its implementation on the dial-up or cable modem link is turned on by default when it is enabled for networking purposes; and that the inexperienced user may not know it.

Another Microsoft Security Legacy

In the earliest version of Win95 (mid-to-late 1995), the average LAN user who connected to the Net via dialup was actually unlikely to be informed of the risk, was never warned when sharing was enabled on the dial-up, and might very often wind up inadvertently sharing unprotected resources. The same was true of NT at about the same time.

Fortunately, stand-alone Win9x systems do not arrive in the user's hands with File and Printer Sharing enabled. Most ordinary home Internet users have no need to share resources, and unless they have tinkered with network settings or set up a home LAN, they have nothing whatever to worry about. Only a very small percentage of home users have ever had this problem.

Also fortunately, Windows nowadays doesn't leave the user totally in the dark, so percentage-wise, fewer people than ever are suffering from this misconfiguration on their dialup link. Starting with a Dial-Up Networking upgrade first available with Service Pack 1 in late 1995, Windows 95 and 98 have incorporated a prominent warning dialog which appears whenever a user first connects with sharing newly enabled on Dial-Up Networking. The warning reads:

File and printer sharing is running on the TCP/IP connection you
will use to access the Internet. Other users on the Internet
might be able to access your files.

Would you like Windows to disable file and printer sharing on the
TCP/IP connection to the Internet?

The user is given the option to answer yes or no, and a checkbox to disable future appearance of the warning:

A similar warning was implemented for NT. In more recent NT versions (4.x), it is now virtually impossible to set up open file shares, and it cannot be done by accident.

User Error

Unfortunately, Win9x users who for whatever reason don't understand its implications will sometimes answer "no" to the warning above. If they negate this alert, and if their NetBIOS shares lack passwords, they're then wide open to intrusion. Whatever is shared, be it entire drives or specific folders, it will be open to access by virtually anyone as if it were his own hard drive, limited only by the relatively slow speed of the dialup connection.

Cable Modems

For cable modem users, the situation is a bit more perilous; both because the abovementioned warning dialog will not appear when sharing is enabled (a cable modem doesn't use Dial-Up Networking), and because the fast cable link may allow huge quantities of data to be quickly accessed by an intruder. Cable service customers are therefore a favorite target of potential intruders. Mere installation of the cable-modem software will not enable unwanted sharing. But because the speedy cable link readily accommodates any number of home systems' Internet needs, a cable user whose household contains more than one computer is all the more likely to network his systems so they can use the cable access in common. The home user will then usually enable sharing; sometimes without realizing NetBIOS sharing applies to the Internet link as well as the home LAN.

However, cable modem providers are well aware of this potential problem. Many include specific instructions on their websites and in installation manuals advising their users how to avoid indavertent sharing; also many cable providers prohibit resource sharing and/or connecting networked systems to the cable service.

In addition, a proxy application such as WinGate or NAT32 is necessary in order to share a single point of Net access with other systems on a LAN. The makers of such software routinely include warnings and instructions to help their customers avoid insecure shares.

Easily Solved

In any case, unwanted file sharing on a Win9x system is readily disabled on any network device using the Network Properties dialog in the Control Panel. One merely finds the TCP/IP protocol associated with the device in question, opens its properties, selects its Bindings tab, and disables binding to File and Printer Sharing with a single click of the mouse. The change takes effect on the next reboot.

To completely disable all sharing, open the Network dialog in Control Panel, click on the button labeled File and Print Sharing... and de-select the checkboxes that appear. Hit "OK" twice. The change takes effect on the next reboot.

If the user actually wants to share resources over the Net, each shared resource can be readily password-protected. See below for more on passwords.

Denying access isn't the only means of protecting oneself. Sharing a folder (directory) allows access only to that folder and its subdirectories. If sharing is limited to folders containing data that isn't sensitive, an open share may be no security risk no matter who accesses it. If its only purpose is to provide outgoing information or files and not to receive files, a shared folder can simply be made read-only.

 

Further on Security

A few more useful points about sharing and security:

WARNING: Sharing Printers

When a printer is shared on a Win9x machine, Windows creates a hidden system share called PRINTER$ which grants no-password-required read-only access to the WINDOWS\SYSTEM folder and all its subfolders.

I have browsed around on the Net a bit for systems offering this share, and I find Win98 machines (as identified by the contents of their System folders) behave this way just as my Win95 systems do.

While access to this share is read-only and therefore an intruder can't engage in any direct mischief; a great deal can often be determined about a system and/or its users by reading the information in this folder.

Access to this folder could exacerbate other security problems, by helping to identify your system software to a potential invader. As one simple example, if a Back Orifice server (including BO2K) were running on your system, and this share also existed, someone could readily obtain a copy of the trojan, read its plaintext configuration, and gain access to the trojan using its own port and password. It is conceivable that mainstream remote-access software, Web or FTP servers or the like may also be crackable by this approach.

I know of no way to prevent Windows from creating this hidden share when a printer is shared, and I know no way to password-protect its access. Also unfortunately, as far as I know printer sharing in particular cannot be turned off on a per-device basis; it can only be disabled globally. If your Win9x system is on a LAN and you share a printer, and if you also share resources on the public Net, this hidden share will be accessible on the Internet link by default.

If you must share a printer, and also have sharing enabled on the dialup/Internet link, there is just one method I know to avoid this exposure. Locate the file VNBT.386 in your Windows\System folder. Rename the file to VNBT_386.BAK (or some suitable name so it can be restored if you need it later). Once you reboot, this will disable all NetBIOS function over the Internet (TCP/IP).

VNBT.386 is the Windows "virtual device" which enables NetBIOS to run over TCP. Because most home Win9x networks use the simple and easily set up IPX/SPX protocol with Windows (NetBIOS) networking, the loss of VNBT.386 has no effect on the LAN, but only affects the Internet link. However, if your LAN is running on the TCP/IP protocol, and you also require file sharing, then as far as I can determine you have to turn off all sharing of printers to avoid sharing your Windows\System folder with the Internet at large.

Unless you have carefully assessed and accepted the potential consequences of granting read-only access to your System folder to the whole world, I VERY strongly advise against sharing printers on the Net with your Win9x system.

When I discovered the existence of this hidden share on one of my own machines, I immediately searched using Altavista, for online information on the subject. I was amazed to discover how little coverage this has received. I found only this FAQ reproduced in a number of locations [1,2,3,4,5,6,7] and a small handful of other pages [1,2,3,4] which warn of this phenomenon from a security standpoint. I also found this page, which mentions the existence of the hidden share only in passing and with no reference to its security implications. This does not appear to be a very broadly-known fact.

To turn off printer sharing of any particular printer, open your Printers folder, select any shared printers (they'll have an obvious hand symbol overlaid on the icon), right-click the icon, select Sharing... (the option will exist only if printer sharing is enabled), and select Not Shared. If you do this for all shared printers, then reboot, the hidden System folder share should disappear.

For good measure, I suggest killing printer sharing altogether. Open the Network Properties dialog in the Control Panel, select the button labeled File and Print Sharing... and de-select the checkbox labeled I want to be able to allow others to print to my printer(s). Now reboot, and the PRINTER$ share will definitely be gone.

While we're on the subject, I want to offer my deepest sympathies to whoever at Microsoft perpetrated this nigh-incomprehensible error. The person(s) responsible must be suffering from a tragic and debilitating mental illness. Sharing the System folder must sometimes have its uses in relation to networking a printer. But to leave the user unaware of it -- ? Inexcusable.

Disable Sharing if Unused

Anyone using the Internet whose system is not otherwise networked and who has no desire to share resources can and should simply make sure File and Printer Sharing is disabled altogether. It serves no purpose in such a case and will only be enabled by error or for purposes of unwanted intrusion. Just turn it off.

Limit What You Share

Unless it's necessary, don't share whole drives, especially your C: drive, where virtually all critical operating system programming normally resides. Instead, share only specific folders.

Limit sharing to read-only access wherever practical. This way files can't be added, deleted or changed from remote.

Passwords

Password protection of Windows' NetBIOS shares is not necessarily 100% secure. Anyone who wishes to make repeated attempts to determine your password may do so indefinitely and you may never notice; Windows offers no mechanism to alert you to such attempts.

However, It is a HUGE task to try every possible password on someone's shares. Windows allows up to 8 case-insensitive characters on a share password. Assuming only 26 letters and 10 numerals (more characters are allowed but I'm not sure how many), this makes for a possible 2,821,109,907,456 (36^8) 8-character passwords. That's 2.8 trillion. It would require something like 1000 guesses per second for a century to try every password!

Password-guessing programs exist which use a dictionary to shorten this task, on the theory many people will use common words as part or all of their password. It works quite well; any number of people will use plain-English passwords like "bingo" or "aardvark". There are maybe 30,000 words in the English language; trying them all is not difficult. Given a typical list of encrypted passwords, a significant number of them can usually be cracked in a few hours' time. Though I believe it is rarely done, a similar approach can certainly be used online to attack a password-protected share. You can render this approach completely ineffective by choosing a secure password.

A secure password is as long as possible, includes both letters and numerals, and contains no words found in a dictionary. Adding other allowed symbols such as #$% really slams the door. If your password meets this description, only a brute-force approach (attempting every possible password systematically) will crack it. It's inconceivable anyone with a clue would consider it worthwhile to go to such lengths to find that password. They'd be better off breaking into your house and stealing your computer.

NetBIOS Names And Share Names

The NetBIOS name table of your computer is available to anyone who wishes to query your system directly over the Internet using its IP address. There's a simple utility in all Windows machines called NBTSTAT.EXE which performs these queries. If your name table discloses something you don't wish to tell the world, you should change its entries to something less informative. I have often encountered people who desired anonymity but had their personal name or other identifying information displayed openly via the NetBIOS name table.

If sharing is enabled on the Internet link, the shared resources' names and descriptions are also available for anyone to see, regardless of passwords. If those names or descriptions contain information you don't want the whole world to see, you should change them accordingly.

On a standalone computer, for the average user, there's no reason to have NetBIOS working on the Internet link. Here's how you can kill it altogether:

Locate the file VNBT.386 in your Windows\System folder. Rename the file to VNBT_386.BAK (or some suitable name so it can be restored if you need it later). VNBT.386 is the Windows "virtual device" which enables NetBIOS to run over TCP. Once you reboot, this will disable all NetBIOS function over the Internet. (This has the added benefit of making all file sharing impossible. Some trojan-horse exploits are designed to grant access through unwanted shares.)

 

Benefits

It is certainly not my purpose to cause fear and concern over file sharing. Given the above caveats, anyone can take full advantage of file sharing, on or off the Internet. In fact I encourage it for those who can gain by it. Offering share access judiciously and with adequate password protection can provide a way of exchanging data in relative security, for whatever purpose. One might view it as the NetBIOS analogue of FTP.

Bear in mind that for secure transfer of sensitive data, some sort of encryption would be a necessity.