Access to drive C denied
Thread Starter
Join Date: Jan 2000
Location: Melbourne, Australia
Posts: 77
Likes: 0
Received 0 Likes
on
0 Posts
Access to drive C denied
I have two Dell notebooks which are networked though a hub and ethernet cables. They both are running XPPro SP2. The network is good for My Documents which I can access on each. The problem comes when I try to access the Drive C on the other computer. I can see them in Network Neighbourhood but I get an error message to the effect that Access to Drive C denied, see the administrator.
Both drives are shared in My Computer.
Any suggestions appreciated.
Both drives are shared in My Computer.
Any suggestions appreciated.
Plastic PPRuNer
By default, sharing of the root of any drive is disabled (and quite right too, there's almost never any need to and to leave it shared is very bad security).
You CAN however share it if you wish (and at your own risk) - just find the C: drive in Explorer, right click in Properties/Sharing/New share and define a new share. You may receive warnings about sharing a root folder. Ignore them if you must (not a good idea).
Alternatively you can invoke the "Shares Wizard" - Start/Run and put in shrpubw.exe <enter>
You CAN however share it if you wish (and at your own risk) - just find the C: drive in Explorer, right click in Properties/Sharing/New share and define a new share. You may receive warnings about sharing a root folder. Ignore them if you must (not a good idea).
Alternatively you can invoke the "Shares Wizard" - Start/Run and put in shrpubw.exe <enter>
Spoon PPRuNerist & Mad Inistrator
By default, "Everyone" has NO ACCESS to the root of C.
What you have done is to create a share, pointing to the root of C, to which Everyone has no access.
You would also need to allow Everyone (or else each explicit user) at least Read and List NTFS rights to make this work - although it is very poor security to do so, as Mac has already pointed out.
Of course, you can always Map a drive to the root of C on the other system using the c$ admin share - you then need to Logon As and supply an account with admin rights on the target PC: PCName\Username.
SD
What you have done is to create a share, pointing to the root of C, to which Everyone has no access.
You would also need to allow Everyone (or else each explicit user) at least Read and List NTFS rights to make this work - although it is very poor security to do so, as Mac has already pointed out.
Of course, you can always Map a drive to the root of C on the other system using the c$ admin share - you then need to Logon As and supply an account with admin rights on the target PC: PCName\Username.
SD
Thread Starter
Join Date: Jan 2000
Location: Melbourne, Australia
Posts: 77
Likes: 0
Received 0 Likes
on
0 Posts
Thank you Mac the Knife and SD for your replies. In view of your advice I will not persue the idea.
What I was trying to achieve was the ability to share software between the machines. I realise that I could load it on both, but perhaps there is a better way?
What I was trying to achieve was the ability to share software between the machines. I realise that I could load it on both, but perhaps there is a better way?
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes
on
0 Posts
While the security advice is correct, it is possibly overdone for a private (home) LAN. Who is going to hack into it? The KGB perhaps.
If your internet access is from behind a NAT router then nobody can see your network unless you open up a load of ports including netbios and god knows what else.
The easy way to get in would be via the wireless access point (if you have one) but if you set up WPA/PSK then again nobody short of the KGB will be able to hack that.
In the end, there is no security without physical security. What this means is that if you allow somebody to walk up to your PC unobserved, that PC is considered compromised. Somebody could install a keylogger on it, for example.
I'd share the lot. Makes life a lot easier
However, in my house I have a 14 year old who would hack anything he can, so he has his own account on his own PC and that account has no privileges on the other PCs. One can achieve that (using the login/password stuff) while leaving shares on all drives.
If your internet access is from behind a NAT router then nobody can see your network unless you open up a load of ports including netbios and god knows what else.
The easy way to get in would be via the wireless access point (if you have one) but if you set up WPA/PSK then again nobody short of the KGB will be able to hack that.
In the end, there is no security without physical security. What this means is that if you allow somebody to walk up to your PC unobserved, that PC is considered compromised. Somebody could install a keylogger on it, for example.
I'd share the lot. Makes life a lot easier
However, in my house I have a 14 year old who would hack anything he can, so he has his own account on his own PC and that account has no privileges on the other PCs. One can achieve that (using the login/password stuff) while leaving shares on all drives.
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes
on
0 Posts
For reasons that lie in the dim dark recesses of ancient history, I always partition my hard drives. Drive C is the Windows operating system, and any other operating system stuff that either Windows insists must be there, or that I want there for security.
Everything else - pictures (E), documents (F), spreadsheets(G), music(H), etc goes on its specific drive. Those drives are shared over the network, some with no restriction (so visiting daughter can troff away at Dad's latest downloads and stuff) and some (my confidential documents) password protected.
That works a treat. C is never shared.
Everything else - pictures (E), documents (F), spreadsheets(G), music(H), etc goes on its specific drive. Those drives are shared over the network, some with no restriction (so visiting daughter can troff away at Dad's latest downloads and stuff) and some (my confidential documents) password protected.
That works a treat. C is never shared.
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes
on
0 Posts
I agree with the theory, Keef, but the security of this is entirely illusory.
If somebody can get to your drive c: and can place a little prog into one of the many "startup" locations, all it takes is the next time you reboot the machine and the intruder has total control of the machine. NTFS or no NTFS, etc, makes no difference. Once you can run code of your choice on somebody's machine, all software-implemented security goes out of the window.
If somebody can get to your drive c: and can place a little prog into one of the many "startup" locations, all it takes is the next time you reboot the machine and the intruder has total control of the machine. NTFS or no NTFS, etc, makes no difference. Once you can run code of your choice on somebody's machine, all software-implemented security goes out of the window.
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes
on
0 Posts
Yes Peter, agree absolutely - hence
Nobody will get into my network either, unless they are in the house and sitting at the PC.
Originally Posted by Keef
C is never shared.
Plastic PPRuNer
UNLESS you have implemented some pretty sophisticated security Keef, given your IP address any reasonably good cracker (I'm only an amateur) could root your box within a couple of hours and you'd never know it.
And if you've got something I want, then your IP address is findable.
Linux is a bit harder than Windows, but unless you have a specially hardened install like Bastille Linux - http://www.bastille-linux.org/ - or SELinux - http://www.nsa.gov/selinux/ - there's a way in. And even then.
Is it worth it for the average Joe? No. Crackers are like a guy walking down the street twisting doorknobs, there are plenty of houses wide open, with everything unlocked and CC numbers for the taking. Easy pickings. If the door is locked it usually ain't that hard to break in, but it's only worth the effort if there's something you want specifically.
Don't fool yourselves, if the pro's really want access to your box your amateur security is nothing, all it does is keep casual snoopers at bay.
And if you never connect to the Net, it's easy to break into your house and steal the whole PC to bust at leisure. You can even sell it afterwards
And if you've got something I want, then your IP address is findable.
Linux is a bit harder than Windows, but unless you have a specially hardened install like Bastille Linux - http://www.bastille-linux.org/ - or SELinux - http://www.nsa.gov/selinux/ - there's a way in. And even then.
Is it worth it for the average Joe? No. Crackers are like a guy walking down the street twisting doorknobs, there are plenty of houses wide open, with everything unlocked and CC numbers for the taking. Easy pickings. If the door is locked it usually ain't that hard to break in, but it's only worth the effort if there's something you want specifically.
Don't fool yourselves, if the pro's really want access to your box your amateur security is nothing, all it does is keep casual snoopers at bay.
And if you never connect to the Net, it's easy to break into your house and steal the whole PC to bust at leisure. You can even sell it afterwards
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes
on
0 Posts
Well, one's IP is logged by pprune so the admins here can find it
Anyway, I wonder how you would get in from the outside, via a NAT router.
I don't think there is a way if you don't have any open ports and assuming the router has no back doors.
Obviously if you con the punter to run software of your choice (a trojan) then all bets are off again but I don't think one can break through NAT.
What would you spend a couple of hours doing? Run a dictionary attack on the router's admin port, 443? People do that all day and all night on my office server... but ours isn't open.
Keef - are you sure that having c: closed and d: e: f: etc open is secure? Doesn't Windoze ever execute anything on other drives? Let's say somebody placed a specially corrupted desktop.ini file in one of the folders?
Anyway, I wonder how you would get in from the outside, via a NAT router.
I don't think there is a way if you don't have any open ports and assuming the router has no back doors.
Obviously if you con the punter to run software of your choice (a trojan) then all bets are off again but I don't think one can break through NAT.
What would you spend a couple of hours doing? Run a dictionary attack on the router's admin port, 443? People do that all day and all night on my office server... but ours isn't open.
Keef - are you sure that having c: closed and d: e: f: etc open is secure? Doesn't Windoze ever execute anything on other drives? Let's say somebody placed a specially corrupted desktop.ini file in one of the folders?
Plastic PPRuNer
"What would you spend a couple of hours doing? Run a dictionary attack on the router's admin port, 443?"
No, nothing that crude (but lots of "secure" routers still have the default password [admin:admin]). And there's a lot of useful information in Keef's profile that could indicate possible passwords [I'd try PA28R201 for a start] and avenues for social engineering.
From the responses to probes it is possible to deduce the make/model of router and what services it is offering, then it's just a question of sending it the right queries/packets to exploit vulnerabilities and gain access to the network. Once in, there's always a weakly secured host that will contain information that gives useful tips to crack the others.
No, nothing that crude (but lots of "secure" routers still have the default password [admin:admin]). And there's a lot of useful information in Keef's profile that could indicate possible passwords [I'd try PA28R201 for a start] and avenues for social engineering.
From the responses to probes it is possible to deduce the make/model of router and what services it is offering, then it's just a question of sending it the right queries/packets to exploit vulnerabilities and gain access to the network. Once in, there's always a weakly secured host that will contain information that gives useful tips to crack the others.
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes
on
0 Posts
I once got a network security specialist from Cisco (a friend of a friend) to crack my business website. He quickly identified the router as Draytek but after half a day was unable to get in anywhere.
He did indicate some funny social engineering attacks; for example I had some pics on another website hosted on the same server, taken with a Sony camera. Apparently, an email (with a keylogging trojan attached) purporting to come from Sony and containing a special upgrade offer on their cameras, does the job in a lot of cases
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes
on
0 Posts
Well, assuming you know my IP address (which the PPRuNe admins will have instant access to), then you can try connecting to it. You find that it doesn't respond to pings, that there are no open ports, and that any attempt to connect to any port elicits no response whatever.
So you send me an e-mail with a trojan in it. But it's not a plain text e-mail, so the filters look at it, decide they don't like it, and put it in the "disinfect" folder.
You drive round and park your car outside my house. You find the WLAN. You try to connect. It wants to know your MAC code, ID and password. You listen for a few days, till I turn on the laptop, and then try to clone that.
Yes, it's hackable. If you're really determined, you'll get in. Smashing down the door is probably quicker and easier.
IO540 - I don't have any desktop folders on any other drives than C. Yes, folks could park a virus-laden Excel workbook on the relevant drive. They would need to connect to the network first.
If someone is that determined, they can spend a lot of time trying, and may achieve something. There has to be a better way to spend time
The basic security rules work - don't share drive C unless you're sure your kids won't be on the network.
So you send me an e-mail with a trojan in it. But it's not a plain text e-mail, so the filters look at it, decide they don't like it, and put it in the "disinfect" folder.
You drive round and park your car outside my house. You find the WLAN. You try to connect. It wants to know your MAC code, ID and password. You listen for a few days, till I turn on the laptop, and then try to clone that.
Yes, it's hackable. If you're really determined, you'll get in. Smashing down the door is probably quicker and easier.
IO540 - I don't have any desktop folders on any other drives than C. Yes, folks could park a virus-laden Excel workbook on the relevant drive. They would need to connect to the network first.
If someone is that determined, they can spend a lot of time trying, and may achieve something. There has to be a better way to spend time
The basic security rules work - don't share drive C unless you're sure your kids won't be on the network.
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes
on
0 Posts
