Q: Security flaws of Windows file and print sharing ( Answered,   2 Comments )
Question  
Subject: Security flaws of Windows file and print sharing
Category: Computers > Security
Asked by: fungicord-ga
List Price: $30.00
Posted: 15 Jul 2006 10:33 PDT
Expires: 14 Aug 2006 10:33 PDT
Question ID: 746602
Years ago, I heard that enabling file and print sharing in Windows
reduces network security and allows exploitation of Windows
vulnerabilities.  Is this still true, or have these holes been
patched?  If they have been patched, which Microsoft update or service
pack took care of this problem?

Context:  I configure home networks for a living.  Many customers want
to be able to wirelessly print from a laptop to a desktop printer without the
added expense of a print server.  Windows XP certainly has the ability
to do that, but what happens when the customer is away from home with
their laptop?  If they're sitting at a Starbucks, in a hotel lobby, or
at some other wireless hotspot where untrusted PCs are on the LAN,
will their PC be at greater risk because file sharing is enabled?  I
want to make informed recommendations to my customers.

Request for Question Clarification by pafalafa-ga on 16 Jul 2006 16:11 PDT
fungicord-ga,

Perhaps I'm just misunderstanding things, but I don't quite get your concern, here.

I have a wireless system that is set up for printer sharing -- that
is, wirelessly sending files from any computer in the house to a
common printer.  However, my network is not set up for file sharing. 
As far as I know, these are two different things entirely.

Again, I may be misunderstanding your question...can you perhaps
clarify your concerns, here.

Thanks.

pafalafa-ga

Clarification of Question by fungicord-ga on 16 Jul 2006 22:28 PDT
pafalafa-ga,

A person doesn't have to share a printer or any files to enable "file
and print sharing" in Windows.  But if you are sharing a printer on
your own home network using Windows, then you must have file and print
sharing enabled.  On your computer, if you open Control Panel, then go
to Network and Internet Options, then choose Network Connections, then
right-click on the network adapter you use, then click
"Properties...", you'll see a list of items with checkboxes next to
them.  One of those will be File and Printer Sharing for Microsoft
Networks.  You'll notice that it's checked, which means it's active. 
That's the item I'm referring to.  It can be on or off, but if it's
on, it's on for both files and printers.

Request for Question Clarification by pafalafa-ga on 17 Jul 2006 05:25 PDT
I see what you mean.

In Windows XP, at least, you can separately engage/disengage access to
files, even while sharing printers, as described here:


http://www.aroundcentralflorida.com/help/security/fileprint.shtml



In other words, I think you have to explicitly activate File Sharing
for a folder before it becomes accessible, which should increase the
overall level of security for those Starbucks type situations you
described.

For older Windows OS's, though...let the user beware!

Is this on track...?


paf

Request for Question Clarification by pafalafa-ga on 17 Jul 2006 05:32 PDT
By the way, this information in an earlier question might be useful to you:


http://answers.google.com/answers/threadview?id=722262


especially regarding Windows Defender, which I find to be a very good
security enhancement.


paf
Answer  
Subject: Re: Security flaws of Windows file and print sharing
Answered By: keystroke-ga on 04 Aug 2006 05:46 PDT
 
I believe the information you are searching for is located here

http://www.longwood.edu/infosec/alerts/sharepasswd.html

I know this password hack works because I used to use it on test
machines and it works without fail.
Once Microsoft patched it, it no longer worked.

Windows 2000 and XP were not and still are not affected by this,
creating shares using Windows XP is inherently more secure due to the
fact that as well as Share resources access (which is what the 9X
family of computers used) Windows 2000/XP machines use NTFS on their
hard drives allowing permissions to be limited to the file as well as
the network share. Even if the user can break the network share, if
they don't have the right token to access to the file it won't matter.

You are always best to err on the side of caution, but with the better
security placed within Windows XP SP2 and Windows 2003 Server SP1 / R1
you should be more than safe setting up Network shares on an NT based
network.

--Keystroke-ga
Comments  
Subject: Re: Security flaws of Windows file and print sharing
From: aizawa-ga on 17 Jul 2006 01:27 PDT
 
I understand using Windows "file and printer sharing" as default would
be logical; however, why not try a third-party print server?

As far as I'm aware, there are no outstanding flaws and exploits in
Microsoft's file and printer sharing, providing your client's copy of
Windows has been updated.

This along with a firewall and SP2 is generally enough for protection.

With regards to using this option in a public hotspot, as long as you
set the share permissions carefully, anyone else on the same hotspot
will not be able to do any damage. You can also alternatively set up
network share passwords. With those options you have a good sense of
security, however nothing is unbreakable.

I repeat finally, the most vulnerable computer and outstanding exploit
(at time of writing) is fixed providing you upgrade.
Subject: Re: Security flaws of Windows file and print sharing
From: feldersoft-ga on 02 Aug 2006 14:56 PDT
 
It depends.  If they are running a print server from a desktop that is
behind a broadband router it'll be ok.  However, if the printer is
going to be plugged into the laptop and the laptop will be acting as a
print server, don't do it.

You cannot rely on the fact that the machine has been patched and
there are no known vulnerabilities.  This is because new
vulnerabilities may be discovered later.  As a result, you put
yourself at risk anytime you expose ports to the outside world.  On a
desktop, you would be relatively safe because the exposed ports would
only be accessible to the home network.

This is not true with a laptop that gets moved around.  Even if the
firewall is configured to only permit certain hosts on a private
network, say 192.168.1.0/24 to print, there is no guarantee that when
they go to Starbucks and use DHCP they won't get an address in this
range along with other computers thus putting them at risk.
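
The address-range collision described in the comment above, as an added example that is not part of the original thread: a rule keyed only on 192.168.1.0/24 admits hotspot peers exactly as it admits home peers, while a rule that also checks which network the laptop is attached to does not. The network names, peer addresses and gateway MAC values are constructed, and the gateway-MAC check is an assumed stand-in for any network-identity test (a MAC is a weak identifier; it is used here only to show that the rule needs one).

```python
import ipaddress

# Scope from the comment above: only this subnet may reach the shared printer.
ALLOWED_SCOPE = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical identifier of the home router, used to recognise the home LAN.
HOME_GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample data: networks the laptop joins and the peers it meets there.
NETWORKS = {
    "home":    {"gateway_mac": "00:11:22:33:44:55",
                "peers": ["192.168.1.10", "192.168.1.30"]},
    "hotspot": {"gateway_mac": "66:77:88:99:aa:bb",
                "peers": ["192.168.1.12", "192.168.1.101"]},
    "hotel":   {"gateway_mac": "cc:dd:ee:ff:00:11",
                "peers": ["10.0.5.8", "10.0.5.40"]},
}


def scope_only(peer_ip, gateway_mac):
    """Rule as described: allow any peer whose address is inside the scope."""
    return ipaddress.ip_address(peer_ip) in ALLOWED_SCOPE


def scope_and_location(peer_ip, gateway_mac):
    """Same scope, but only while attached to the recognised home network."""
    return gateway_mac == HOME_GATEWAY_MAC and scope_only(peer_ip, gateway_mac)


def exposure(policy):
    """Map each network to the peers the policy lets reach the sharing service."""
    return {
        name: [ip for ip in net["peers"] if policy(ip, net["gateway_mac"])]
        for name, net in NETWORKS.items()
    }


if __name__ == "__main__":
    for policy in (scope_only, scope_and_location):
        print(policy.__name__)
        for name, allowed in exposure(policy).items():
            print(f"  {name:8} allowed peers: {allowed}")
```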
