Home network admin - can he browse my files?

 
 
myahact@yahoo.ca
      03-09-2006
Hello,

I'll be staying with a family for a few weeks and they have a Home
Network that I'll be connecting to in order to access the internet. Can
the network administrator log on through the network to my laptop as
"administrator" (or something else) and access my files? I know he can
intercept my internet communications (including passwords) and that
doesn't bother me, but I don't want him accessing my files. I checked
the properties for my C:\ drive and it is not shared, yet I have this
feeling there's another door somewhere...

I use XP Home, NTFS filesystem.

 
nemo_outis
      03-09-2006
(E-Mail Removed) wrote in news:1141912785.558503.123940@v46g2000cwv.googlegroups.com:

> Hello,
>
> I'll be staying with a family for a few weeks and they have a Home
> Network that I'll be connecting to in order to access the internet. Can
> the network administrator log on through the network to my laptop as
> "administrator" (or something else) and access my files? I know he can
> intercept my internet communications (including passwords) and that
> doesn't bother me, but I don't want him accessing my files. I checked
> the properties for my C:\ drive and it is not shared, yet I have this
> feeling there's another door somewhere...
>
> I use XP Home, NTFS filesystem.
>


It depends.

For one thing it matters whether it is a peer-to-peer network (quite likely
for a home) or a domain one. And it depends on the sharing mechanism
(permissions or simple file sharing). And it can depend on other aspects
such as the Guest account.

Note that there can be hidden shares (denoted by a terminal "$" in their
name) such as ADMIN$, C$ and IPC$.

Regards,

PS While hardly exhaustive you might start with:

Securing Windows XP Professional in a Peer-to-Peer Networking Environment
http://www.microsoft.com/technet/sec...ech/windowsxp/sec_winxp_pro_p2p.mspx

For the next level:

Five steps to lock down peer-to-peer Windows networks
http://searchwindowssecurity.techtar...1,289483,sid45_gci1094909,00.html

PPS I'm not even considering wireless.







 
 
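An added example, not part of the original thread, illustrating the point above about hidden shares: `net share`, run on the laptop itself, lists every share, including those whose names end in `$`. The Python below parses such a listing and separates Windows' default administrative shares from other hidden shares and from visible ones; the function names, the sample listing and its `Backup$` share are constructed for illustration, and the parser assumes the English-language fixed-width layout of `net share` output.

```python
import subprocess
import sys


def _row(name, resource="", remark=""):
    """Build one line in the fixed-width layout assumed for `net share`."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


# Constructed sample listing (not captured from a real machine).
SAMPLE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("SharedDocs", "C:\\DOCUMENTS AND SETTINGS\\ALL USERS\\DOCUMENTS"),
    _row("Backup$", "C:\\Backup", "hidden, user-created"),
    "The command completed successfully.",
])


def _fields(line, res_col, rem_col):
    """Split resource and remark. Heuristic: a non-space character just before
    the Remark column means the resource path overflowed its column."""
    if len(line) > rem_col and line[rem_col - 1] != " ":
        return line[res_col:].strip(), ""
    return line[res_col:rem_col].strip(), line[rem_col:].strip()


def parse_net_share(text):
    """Return a list of {'name', 'resource', 'remark'} dicts."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[start].index("Resource")
    rem_col = lines[start].index("Remark")
    shares = []
    for line in lines[start + 1:]:
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"} or stripped.startswith("The command"):
            continue
        if not line[:res_col].strip() and shares:
            # Continuation line: fields that did not fit on the previous line.
            resource, remark = _fields(line, res_col, rem_col)
            shares[-1]["resource"] = shares[-1]["resource"] or resource
            shares[-1]["remark"] = shares[-1]["remark"] or remark
        elif len(line) > res_col and line[res_col - 1] != " ":
            # Share name longer than its column: the fields follow on the next line.
            shares.append({"name": stripped, "resource": "", "remark": ""})
        else:
            resource, remark = _fields(line, res_col, rem_col)
            shares.append({"name": line[:res_col].strip(),
                           "resource": resource, "remark": remark})
    return shares


def classify(share):
    """default-admin: ADMIN$, IPC$ and drive shares such as C$;
    hidden: any other name ending in '$'; visible: everything else."""
    name = share["name"].upper()
    if name in {"ADMIN$", "IPC$"} or (len(name) == 2 and name[0].isalpha() and name[1] == "$"):
        return "default-admin"
    return "hidden" if name.endswith("$") else "visible"


def audit(text):
    """Group share names by category for a `net share` listing."""
    report = {"default-admin": [], "hidden": [], "visible": []}
    for share in parse_net_share(text):
        report[classify(share)].append(share["name"])
    return report


if __name__ == "__main__":
    # On Windows, audit the live listing; elsewhere, fall back to the sample.
    listing = (subprocess.run(["net", "share"], capture_output=True, text=True,
                              check=True).stdout
               if sys.platform == "win32" else SAMPLE)
    for category, names in audit(listing).items():
        print(f"{category:14} {', '.join(names) or '-'}")
```

Any entry in the hidden or visible rows that the laptop's owner did not create is worth checking before connecting to someone else's network.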
Winged
      03-09-2006
(E-Mail Removed) wrote:
> Hello,
>
> I'll be staying with a family for a few weeks and they have a Home
> Network that I'll be connecting to in order to access the internet. Can
> the network administrator log on through the network to my laptop as
> "administrator" (or something else) and access my files? I know he can
> intercept my internet communications (including passwords) and that
> doesn't bother me, but I don't want him accessing my files. I checked
> the properties for my C:\ drive and it is not shared, yet I have this
> feeling there's another door somewhere...
>
> I use XP Home, NTFS filesystem.
>

It depends on system configuration. Is NetBIOS exposed? Is the
administrator account named administrator or admin? Is your system
suitably firewalled blocking all inbound ports below 1024? Does every
account on the system have a complex password (Each of 4 character sets
minimum of 10 character password)? Is sharing turned on anywhere on
local system? Is it part of the family's domain and is every password
protected on their system? Have you turned off unneeded Windows services?

If NETBIOS is exposed it doesn't require an administrator (or anyone
else) any effort to determine every account name on a system and whether
or not that account has a password.

If you join the domain of the family systems the domain administrator
can get access to your system through the domain account.

If you have sharing turned on (windows default is to include everyone in
share with read only access). There are several exploits to shares that
can allow one to expand the scope of files exposed via share.

There are many potential doors into a system. There are ways if one
controls the hub to attack the system below the transport layer on many
flavors of NIC cards. Depending on your local machine configuration and
the expertise of your family threat there are numerous potential holes.
It is very difficult without more information to assess your security
posture.

If the family member is extremely knowledgeable and willful enough, you
will be hard pressed to prevent access to both the transmitted
information as well as access to local system resources.

Winged
 
myahact@yahoo.ca
      03-09-2006

nemo_outis wrote:
> (E-Mail Removed) wrote in news:1141912785.558503.123940@v46g2000cwv.googlegroups.com:
>
> > Hello,
> >
> > I'll be staying with a family for a few weeks and they have a Home
> > Network that I'll be connecting to in order to access the internet. Can
> > the network administrator log on through the network to my laptop as
> > "administrator" (or something else) and access my files? I know he can
> > intercept my internet communications (including passwords) and that
> > doesn't bother me, but I don't want him accessing my files. I checked
> > the properties for my C:\ drive and it is not shared, yet I have this
> > feeling there's another door somewhere...
> >
> > I use XP Home, NTFS filesystem.
> >

>
> It depends.
>
> For one thing it matters whether it is a peer-to-peer network (quite likely
> for a home) or a domain one.



I think it's peer-to-peer. I know they don't have a central computer,
just a router. Everyone goes through the router to access the internet.



> And it depends on the sharing mechanism
> (permissions or simple file sharing). And it can depend on other aspects
> such as the Guest account.



I have a Guest account and a personal password protected account. I
tried accessing my personal account from the guest account and it
wasn't possible. I only want those files to be unaccessible. I don't
care if they browse in the Program Files or Windows folder.

I guess what I want to know is if network administrator credentials can
allow logging into my personal account. I know there's always a way to
hack in somehow but I don't think he has the skills nor the patience to
do it. But he might try just simply logging in as administrator. Could
he succeed or does XP have some default protection against that?

Another thing is I'm pretty sure they have an MSHOME network...


>
> Note that there can be hidden shares (denoted by a terminal "$" in their
> name) such as ADMIN$, C$ and IPC$.
>
> Regards,
>
> PS While hardly exhaustive you might start with:
>
> Securing Windows XP Professional in a Peer-to-Peer Networking Environment
> http://www.microsoft.com/technet/sec...ech/windowsxp/sec_winxp_pro_p2p.mspx
>
> For the next level:
>
> Five steps to lock down peer-to-peer Windows networks
> http://searchwindowssecurity.techtar...1,289483,sid45_gci1094909,00.html
>
> PPS I'm not even considering wireless.


 
myahact@yahoo.ca
      03-09-2006

Winged wrote:
> (E-Mail Removed) wrote:
> > Hello,
> >
> > I'll be staying with a family for a few weeks and they have a Home
> > Network that I'll be connecting to in order to access the internet. Can
> > the network administrator log on through the network to my laptop as
> > "administrator" (or something else) and access my files? I know he can
> > intercept my internet communications (including passwords) and that
> > doesn't bother me, but I don't want him accessing my files. I checked
> > the properties for my C:\ drive and it is not shared, yet I have this
> > feeling there's another door somewhere...
> >
> > I use XP Home, NTFS filesystem.
> >

> It depends on system configuration. Is NetBIOS exposed? Is the
> administrator account named administrator or admin? Is your system
> suitably firewalled blocking all inbound ports below 1024? Does every
> account on the system have a complex password (Each of 4 character sets
> minimum of 10 character password)? Is sharing turned on anywhere on
> local system? Is it part of the family's domain and is every password
> protected on their system? Have you turned off unneeded Windows services?
>
> If NETBIOS is exposed it doesn't require an administrator (or anyone
> else) any effort to determine every account name on a system and whether
> or not that account has a password.
>
> If you join the domain of the family systems the domain administrator
> can get access to your system through the domain account.
>
> If you have sharing turned on (windows default is to include everyone in
> share with read only access). There are several exploits to shares that
> can allow one to expand the scope of files exposed via share.
>
> There are many potential doors into a system. There are ways if one
> controls the hub to attack the system below the transport layer on many
> flavors of NIC cards. Depending on your local machine configuration and
> the expertise of your family threat there are numerous potential holes.
> It is very difficult without more information to assess your security
> posture.
>
> If the family member is extremely knowledgeable and willful enough, you
> will be hard pressed to prevent access to both the transmitted
> information as well as access to local system resources.
>


Holy cow! I can't possibly verify all that. All I know is this :

Besides the Guest account, I have my personal password protected
account that is not sharable and not accessible from the Guest account.
I once created an account with administrative privileges and tried
accessing my personal account from there and it also failed.

I know any system is vulnerable but I'm worried about access by regular
logging, not hacking and cracking. Can the network administrator log on
and change some settings that would allow him to access files that are
stored in the MyDocuments folder in my personal account?

 
nemo_outis
      03-09-2006
(E-Mail Removed) wrote in
news:(E-Mail Removed) ups.com:


> I have a Guest account and a personal password protected account. I
> tried accessing my personal account from the guest account and it
> wasn't possible. I only want those files to be unaccessible. I don't
> care if they browse in the Program Files or Windows folder.
>
> I guess what I want to know is if network administrator credentials
> can allow logging into my personal account. I know there's always a
> way to hack in somehow but I don't think he has the skills nor the
> patience to do it. But he might try just simply logging in as
> administrator. Could he succeed or does XP have some default
> protection against that?
>
> Another thing is I'm pretty sure they have an MSHOME network...



Mshome[.net] is the default name for a Windows XP peer-to-peer network, so
that's probably what it is.

I would disable the guest account.

I wouldn't worry about "network administrator" since this doesn't apply in
a peer-to-peer network.

I would make very sure I had locked down permissions (sharing). You might
want to use an auxiliary tool such as Security Explorer.

And all of this presupposes that your friend will never have direct
physical access to the laptop itself when you leave it unattended - if he
does all bets are off. (Paranoids like myself prefer full-HD OTFE
encryption for this reason.)

Regards,

PS. As others have advised make sure all OS patches, etc. are up to date,
unnecessary services aren't running, you have a firewall and lock down
unused ports, etc.


 
Moe Trin
      03-09-2006
On 9 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
<(E-Mail Removed) .com>, (E-Mail Removed) wrote:

>Can the network administrator log on through the network to my laptop as
>"administrator" (or something else) and access my files?


Does the 'network administrator' have an account on your laptop? Does
that person know the/a password to any account?

>I know he can intercept my internet communications (including passwords)
>and that doesn't bother me, but I don't want him accessing my files.


As long as you are aware that all network traffic can be monitored.

>I checked the properties for my C:\ drive and it is not shared, yet I have
>this feeling there's another door somewhere...


Two things. First, do _ALL_ accounts on the laptop have "good" passwords?
By this I mean something that is not a word in any dictionary, has mixed
UPPER and lower case, at least one number, and one punctuation mark? Do
a google search for "CERT Advisory CA-2003-08" from March 2003, and see all
of the ineffectual passwords the 'deloder' worm was using to break into
computers world-wide.

Second - will anyone have unsupervised physical access to the computer?
With many computers, it takes only a few minutes to open the case, and
physically remove the hard disk - moving it to another computer where any
part of the disk can be copied to another location. The solution for that
is physical security, and an encrypted file system.

Passwords are the usual weak spot. All too many have no password, or something
absolutely any five year old can guess. The problem with "good" passwords is
that they are harder to remember. A solution to that is to use FOR EXAMPLE
the first letter of each word of a phrase - perhaps from a song, or the
motto of your school, or similar. Thus, "Twinkle, twinkle, little star, how
I wonder what you are" can become 'Ttl*h1wwUr' - except that I use this
example fairly often, and someone may guess it. So, use your own phrase.

>I use XP Home, NTFS filesystem.


I don't, so pay attention to what the others have posted as well.

Old guy
 
Todd H.
      03-09-2006
(E-Mail Removed) writes:
> Hello,
>
> I'll be staying with a family for a few weeks and they have a Home
> Network that I'll be connecting to in order to access the internet. Can
> the network administrator log on through the network to my laptop as
> "administrator" (or something else) and access my files? I know he can
> intercept my internet communications (including passwords) and that
> doesn't bother me, but I don't want him accessing my files. I checked
> the properties for my C:\ drive and it is not shared, yet I have this
> feeling there's another door somewhere...
>
> I use XP Home, NTFS filesystem.


You'll be a lot more at ease and informed if you download and run the
free Microsoft Baseline Security Analyzer which will help you verify
that you're locked down from a host security standpoint:

http://www.microsoft.com/technet/sec...2/default.mspx

It will tell you good stuff like which accounts have blank or
short/weak passwords, admin shares open for viewing, whether you're
giving out too much NETBIOS info, and goodies like that.


Best Regards,
--
Todd H.
http://www.toddh.net/
 
John Hyde
      03-09-2006
on 3/9/2006 10:41 AM (E-Mail Removed) said the following:
> Winged wrote:
>
>>(E-Mail Removed) wrote:
>>
>>>Hello,
>>>
>>>I'll be staying with a family for a few weeks and they have a Home
>>>Network that I'll be connecting to in order to access the internet. Can
>>>the network administrator log on through the network to my laptop as
>>>"administrator" (or something else) and access my files? I know he can
>>>intercept my internet communications (including passwords) and that
>>>doesn't bother me, but I don't want him accessing my files. I checked
>>>the properties for my C:\ drive and it is not shared, yet I have this
>>>feeling there's another door somewhere...
>>>
>>>I use XP Home, NTFS filesystem.
>>>

>>
>>It depends on system configuration. Is NetBIOS exposed? Is the
>>administrator account named administrator or admin? Is your system
>>suitably firewalled blocking all inbound ports below 1024? Does every
>>account on the system have a complex password (Each of 4 character sets
>>minimum of 10 character password)? Is sharing turned on anywhere on
>>local system? Is it part of the family's domain and is every password
>>protected on their system? Have you turned off unneeded Windows services?
>>
>>If NETBIOS is exposed it doesn't require an administrator (or anyone
>>else) any effort to determine every account name on a system and whether
>>or not that account has a password.
>>
>>If you join the domain of the family systems the domain administrator
>>can get access to your system through the domain account.
>>
>>If you have sharing turned on (windows default is to include everyone in
>>share with read only access). There are several exploits to shares that
>>can allow one to expand the scope of files exposed via share.
>>
>>There are many potential doors into a system. There are ways if one
>>controls the hub to attack the system below the transport layer on many
>>flavors of NIC cards. Depending on your local machine configuration and
>>the expertise of your family threat there are numerous potential holes.
>> It is very difficult without more information to assess your security
>>posture.
>>
>>If the family member is extremely knowledgeable and willful enough, you
>>will be hard pressed to prevent access to both the transmitted
>>information as well as access to local system resources.
>>

>
>
> Holy cow! I can't possibly verify all that. All I know is this :
>
> Besides the Guest account, I have my personal password protected
> account that is not sharable and not accessible from the Guest account.
> I once created an account with administrative privileges and tried
> accessing my personal account from there and it also failed.
>
> I know any system is vulnerable but I'm worried about access by regular
> logging, not hacking and cracking. Can the network administrator log on
> and change some settings that would allow him to access files that are
> stored in the MyDocuments folder in my personal account?
>


If I understood the previous answers: The "Administrator" you need to
worry about is the administrator of _Your_ computer, not the network.
Just because you are plugged into a network does not mean that the
"administrator" of that network acquires rights to your 'puter.

I also understand that this answer changes if being plugged in means
that you have to log into a "domain" in order to get access. In that
case, you have given the administrator of the domain some rights when
you login. Two points:

1. It does not sound like that's what you have going on. Just plugging
into a home router does not log you to a domain.

2. Be aware that it would be really tough to log into a domain "by
accident". It requires a specific password, etc.

Follow some of the other basic advice you've been given and you should
be fine. Frankly, you're probably ok "as is" for the "threat" you have
described. Heck, I administer my home network and I can't get into my
daughter's computer across the network, and I know everything there is
to know about that computer. Could I do it if I tried? Maybe, but it's
easier to go kick her out of her chair if I needed . . .
 
Winged
      03-12-2006
(E-Mail Removed) wrote:
> Winged wrote:
>> (E-Mail Removed) wrote:
>>> Hello,
>>>
>>> I'll be staying with a family for a few weeks and they have a Home
>>> Network that I'll be connecting to in order to access the internet. Can
>>> the network administrator log on through the network to my laptop as
>>> "administrator" (or something else) and access my files? I know he can
>>> intercept my internet communications (including passwords) and that
>>> doesn't bother me, but I don't want him accessing my files. I checked
>>> the properties for my C:\ drive and it is not shared, yet I have this
>>> feeling there's another door somewhere...
>>>
>>> I use XP Home, NTFS filesystem.
>>>

>> It depends on system configuration. Is NetBIOS exposed? Is the
>> administrator account named administrator or admin? Is your system
>> suitably firewalled blocking all inbound ports below 1024? Does every
>> account on the system have a complex password (Each of 4 character sets
>> minimum of 10 character password)? Is sharing turned on anywhere on
>> local system? Is it part of the family's domain and is every password
>> protected on their system? Have you turned off unneeded Windows services?
>>
>> If NETBIOS is exposed it doesn't require an administrator (or anyone
>> else) any effort to determine every account name on a system and whether
>> or not that account has a password.
>>
>> If you join the domain of the family systems the domain administrator
>> can get access to your system through the domain account.
>>
>> If you have sharing turned on (windows default is to include everyone in
>> share with read only access). There are several exploits to shares that
>> can allow one to expand the scope of files exposed via share.
>>
>> There are many potential doors into a system. There are ways if one
>> controls the hub to attack the system below the transport layer on many
>> flavors of NIC cards. Depending on your local machine configuration and
>> the expertise of your family threat there are numerous potential holes.
>> It is very difficult without more information to assess your security
>> posture.
>>
>> If the family member is extremely knowledgeable and willful enough, you
>> will be hard pressed to prevent access to both the transmitted
>> information as well as access to local system resources.
>>

>
> Holy cow! I can't possibly verify all that. All I know is this :
>
> Besides the Guest account, I have my personal password protected
> account that is not sharable and not accessible from the Guest account.
> I once created an account with administrative privileges and tried
> accessing my personal account from there and it also failed.
>
> I know any system is vulnerable but I'm worried about access by regular
> logging, not hacking and cracking. Can the network administrator log on
> and change some settings that would allow him to access files that are
> stored in the MyDocuments folder in my personal account?
>

Can family member physically touch the system at some moment (say 5
minutes unobserved), if so, then yes unless the system has been secured
properly in BIOS and/or Disk encryption.

Do you use a BIOS password? Is the ability to boot from CD-ROM or other
devices other than the HDD enabled in BIOS? If so, yes several common
utilities on the net could allow access to any system information unless
the disk has been encrypted and BIOS access locked. There are several
utilities that could allow me to create an admin account or change an
administrative password without ever booting Windows. Yes, it can be
done, without any great effort. Once one obtains administrative access
there are several ways to hide/disguise any additional accounts. This
does not require true hacking, tools are already widely available on the
net at little to no charge. This would be more a script kiddie event.

Winged
 