Home network admin - can he browse my files?

Discussion in 'Computer Security' started by myahact@yahoo.ca, Mar 9, 2006.

  1. Guest

    Hello,

    I'll be staying with a family for a few weeks and they have a Home
    Network that I'll be connecting to in order to access the internet. Can
    the network administrator log on through the network to my laptop as
    "administrator" (or something else) and access my files? I know he can
    intercept my internet communications (including passwords) and that
    doesn't bother me, but I don't want him accessing my files. I checked
    the properties for my C:\ drive and it is not shared, yet I have this
    feeling there's another door somewhere...

    I use XP Home, NTFS filesystem.
     
    , Mar 9, 2006
    #1

  2. nemo_outis Guest

    wrote in news:1141912785.558503.123940@v46g2000cwv.googlegroups.com:

    > Hello,
    >
    > I'll be staying with a family for a few weeks and they have a Home
    > Network that I'll be connecting to in order to access the internet. Can
    > the network administrator log on through the network to my laptop as
    > "administrator" (or something else) and access my files? I know he can
    > intercept my internet communications (including passwords) and that
    > doesn't bother me, but I don't want him accessing my files. I checked
    > the properties for my C:\ drive and it is not shared, yet I have this
    > feeling there's another door somewhere...
    >
    > I use XP Home, NTFS filesystem.
    >


    It depends.

    For one thing it matters whether it is a peer-to-peer network (quite likely
    for a home) or a domain one. And it depends on the sharing mechanism
    (permissions or simple file sharing). And it can depend on other aspects
    such as the Guest account.

    Note that there can be hidden shares (denoted by a terminal "$" in their
    name) such as ADMIN$, C$ and IPC$.

    Regards,

    PS While hardly exhaustive you might start with:

    Securing Windows XP Professional in a Peer-to-Peer Networking Environment
    http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/sec_winxp_pro_p2p.mspx

    For the next level:

    Five steps to lock down peer-to-peer Windows networks
    http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1094909,00.html

    PPS I'm not even considering wireless.
     
    nemo_outis, Mar 9, 2006
    #2

  3. Winged Guest

    wrote:
    > Hello,
    >
    > I'll be staying with a family for a few weeks and they have a Home
    > Network that I'll be connecting to in order to access the internet. Can
    > the network administrator log on through the network to my laptop as
    > "administrator" (or something else) and access my files? I know he can
    > intercept my internet communications (including passwords) and that
    > doesn't bother me, but I don't want him accessing my files. I checked
    > the properties for my C:\ drive and it is not shared, yet I have this
    > feeling there's another door somewhere...
    >
    > I use XP Home, NTFS filesystem.
    >

    It depends on system configuration. Is NetBIOS exposed? Is the
    administrator account named administrator or admin? Is your system
    suitably firewalled blocking all inbound ports below 1024? Does every
    account on the system have a complex password (Each of 4 character sets
    minimum of 10 character password)? Is sharing turned on anywhere on
    local system? Is it part of the family's domain and is every password
    protected on their system? Have you turned off unneeded windows services?

    If NETBIOS is exposed it doesn't require an administrator (or anyone
    else) any effort to determine every account name on a system and whether
    or not that account has a password.

    If you join the domain of the family systems the domain administrator
    can get access to your system through the domain account.

    If you have sharing turned on (windows default is to include everyone in
    share with read only access). There are several exploits to shares that
    can allow one to expand the scope of files exposed via share.

    There are many potential doors into a system. There are ways if one
    controls the hub to attack the system below the transport layer on many
    flavors of NIC cards. Depending on your local machine configuration and
    the expertise of your family threat there are numerous potential holes.
    It is very difficult without more information to assess your security
    posture.

    If the family member is extremely knowledgeable and willful enough, you
    will be hard pressed to prevent access to both the transmitted
    information as well as access to local system resources.

    Winged
     
    Winged, Mar 9, 2006
    #3
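
A local self-check for two of the points raised in posts #2 and #3 above (hidden `$` shares, and listeners on ports below 1024), as an added example that is not part of the original thread: it parses the text output of the Windows commands `net share` and `netstat -an` run on your own laptop. The sample outputs, the addresses and the `backup$` share are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample of `net share` output (not captured from a real machine).
NET_SHARE_SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
SharedDocs   C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS
backup$      D:\backup

The command completed successfully.
"""

# Constructed sample of `netstat -an` output (addresses are placeholders).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.23:137       *:*
  UDP    192.168.1.23:138       *:*
"""

SERVICES = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
            138: "NetBIOS datagram", 139: "NetBIOS session (SMB)",
            445: "SMB over TCP"}
# ADMIN$, IPC$ and single-drive-letter shares such as C$ are created by Windows.
DEFAULT_ADMIN = re.compile(r"^(ADMIN|IPC|[A-Z])\$$", re.IGNORECASE)

def parse_net_share(text):
    """Return [(share_name, kind)], kind in default-admin / hidden / visible."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command"):
            break
        if line[0].isspace():      # wrapped Resource column of a long share name
            continue
        name = line.split()[0]
        if DEFAULT_ADMIN.match(name):
            kind = "default-admin"
        elif name.endswith("$"):
            kind = "hidden"        # user-created, merely not listed when browsing
        else:
            kind = "visible"
        shares.append((name, kind))
    return shares

def exposed_listeners(text, below=1024):
    """Return [(proto, address, port)] bound to a non-loopback address."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue               # established or closing connection, not a listener
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit() or addr.startswith("127.") or addr == "[::1]":
            continue
        if int(port) < below:
            found.append((parts[0], addr, int(port)))
    return found

def audit(share_text, netstat_text):
    notes = {"default-admin": "default administrative share",
             "hidden": "hidden ($) but user-created; hiding is not access control",
             "visible": "listed to anyone browsing the network"}
    out = [f"share {n}: {notes[k]}" for n, k in parse_net_share(share_text)]
    out += [f"{p} {a}:{port} listening ({SERVICES.get(port, 'unknown service')})"
            for p, a, port in exposed_listeners(netstat_text)]
    return out

if __name__ == "__main__":
    for finding in audit(NET_SHARE_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

`netstat -an` reports what is listening, not what a firewall lets through, so a port listed here may still be blocked inbound.
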
  4. Guest

    nemo_outis wrote:
    > wrote in news:1141912785.558503.123940@v46g2000cwv.googlegroups.com:
    >
    > > Hello,
    > >
    > > I'll be staying with a family for a few weeks and they have a Home
    > > Network that I'll be connecting to in order to access the internet. Can
    > > the network administrator log on through the network to my laptop as
    > > "administrator" (or something else) and access my files? I know he can
    > > intercept my internet communications (including passwords) and that
    > > doesn't bother me, but I don't want him accessing my files. I checked
    > > the properties for my C:\ drive and it is not shared, yet I have this
    > > feeling there's another door somewhere...
    > >
    > > I use XP Home, NTFS filesystem.
    > >

    >
    > It depends.
    >
    > For one thing it matters whether it is a peer-to-peer network (quite likely
    > for a home) or a domain one.



    I think it's peer-to-peer. I know they don't have a central computer,
    just a router. Everyone goes through the router to access the internet.



    > And it depends on the sharing mechanism
    > (permissions or simple file sharing). And it can depend on other aspects
    > such as the Guest account.



    I have a Guest account and a personal password protected account. I
    tried accessing my personal account from the guest account and it
    wasn't possible. I only want those files to be unaccessible. I don't
    care if they browse in the Program Files or Windows folder.

    I guess what I want to know is if network administrator credentials can
    allow logging into my personal account. I know there's always a way to
    hack in somehow but I don't think he has the skills nor the patience to
    do it. But he might try just simply logging in as administrator. Could
    he succeed or does XP have some default protection against that?

    Another thing is I'm pretty sure they have an MSHOME network...


    >
    > Note that there can be hidden shares (denoted by a terminal "$" in their
    > name) such as ADMIN$, C$ and IPC$.
    >
    > Regards,
    >
    > PS While hardly exhaustive you might start with:
    >
    > Securing Windows XP Professional in a Peer-to-Peer Networking Environment
    > http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/sec_winxp_pro_p2p.mspx
    >
    > For the next level:
    >
    > Five steps to lock down peer-to-peer Windows networks
    > http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1094909,00.html
    >
    > PPS I'm not even considering wireless.
     
    , Mar 9, 2006
    #4
  5. Guest

    Winged wrote:
    > wrote:
    > > Hello,
    > >
    > > I'll be staying with a family for a few weeks and they have a Home
    > > Network that I'll be connecting to in order to access the internet. Can
    > > the network administrator log on through the network to my laptop as
    > > "administrator" (or something else) and access my files? I know he can
    > > intercept my internet communications (including passwords) and that
    > > doesn't bother me, but I don't want him accessing my files. I checked
    > > the properties for my C:\ drive and it is not shared, yet I have this
    > > feeling there's another door somewhere...
    > >
    > > I use XP Home, NTFS filesystem.
    > >

    > It depends on system configuration. Is NetBIOS exposed? Is the
    > administrator account named administrator or admin? Is your system
    > suitably firewalled blocking all inbound ports below 1024? Does every
    > account on the system have a complex password (Each of 4 character sets
    > minimum of 10 character password)? Is sharing turned on anywhere on
    > local system? Is it part of the family's domain and is every password
    > protected on their system? Have you turned off unneeded windows services?
    >
    > If NETBIOS is exposed it doesn't require an administrator (or anyone
    > else) any effort to determine every account name on a system and whether
    > or not that account has a password.
    >
    > If you join the domain of the family systems the domain administrator
    > can get access to your system through the domain account.
    >
    > If you have sharing turned on (windows default is to include everyone in
    > share with read only access). There are several exploits to shares that
    > can allow one to expand the scope of files exposed via share.
    >
    > There are many potential doors into a system. There are ways if one
    > controls the hub to attack the system below the transport layer on many
    > flavors of NIC cards. Depending on your local machine configuration and
    > the expertise of your family threat there are numerous potential holes.
    > It is very difficult without more information to assess your security
    > posture.
    >
    > If the family member is extremely knowledgeable and willful enough, you
    > will be hard pressed to prevent access to both the transmitted
    > information as well as access to local system resources.
    >


    Holy cow! I can't possibly verify all that. All I know is this :

    Besides the Guest account, I have my personal password protected
    account that is not sharable and not accessible from the Guest account.
    I once created an account with administrative privileges and tried
    accessing my personal account from there and it also failed.

    I know any system is vulnerable but I'm worried about access by regular
    logging, not hacking and cracking. Can the network administrator log on
    and change some settings that would allow him to access files that are
    stored in the MyDocuments folder in my personal account?
     
    , Mar 9, 2006
    #5
  6. nemo_outis Guest

    wrote in
    news::


    > I have a Guest account and a personal password protected account. I
    > tried accessing my personal account from the guest account and it
    > wasn't possible. I only want those files to be unaccessible. I don't
    > care if they browse in the Program Files or Windows folder.
    >
    > I guess what I want to know is if network administrator credentials
    > can allow logging into my personal account. I know there's always a
    > way to hack in somehow but I don't think he has the skills nor the
    > patience to do it. But he might try just simply logging in as
    > administrator. Could he succeed or does XP have some default
    > protection against that?
    >
    > Another thing is I'm pretty sure they have an MSHOME network...



    Mshome[.net] is the default name for a Windows XP peer-to-peer network, so
    that's probably what it is.

    I would disable the guest account.

    I wouldn't worry about "network administrator" since this doesn't apply in
    a peer-to-peer network.

    I would make very sure I had locked down permissions (sharing). You might
    want to use an auxiliary tool such as Security Explorer.

    And all of this presupposes that your friend will never have direct
    physical access to the laptop itself when you leave it unattended - if he
    does all bets are off. (Paranoids like myself prefer full-HD OTFE
    encryption for this reason.)

    Regards,

    PS. As others have advised make sure all OS patches, etc. are up to date,
    unnecessary services aren't running, you have a firewall and lock down
    unused ports, etc.
     
    nemo_outis, Mar 9, 2006
    #6
  7. Moe Trin Guest

    On 9 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, wrote:

    >Can the network administrator log on through the network to my laptop as
    >"administrator" (or something else) and access my files?


    Does the 'network administrator' have an account on your laptop? Does
    that person know the/a password to any account?

    >I know he can intercept my internet communications (including passwords)
    >and that doesn't bother me, but I don't want him accessing my files.


    As long as you are aware that all network traffic can be monitored.

    >I checked the properties for my C:\ drive and it is not shared, yet I have
    >this feeling there's another door somewhere...


    Two things. First, do _ALL_ accounts on the laptop have "good" passwords?
    By this I mean something that is not a word in any dictionary, has mixed
    UPPER and lower case, at least one number, and one punctuation mark? Do
    a google search for "CERT Advisory CA-2003-08" from March 2003, and see all
    of the ineffectual passwords the 'deloder' worm was using to break into
    computers world-wide.

    Second - will anyone have unsupervised physical access to the computer?
    With many computers, it takes only a few minutes to open the case, and
    physically remove the hard disk - moving it to another computer where any
    part of the disk can be copied to another location. The solution for that
    is physical security, and an encrypted file system.

    Passwords are the usual weak spot. All too many have no password, or something
    absolutely any five year old can guess. The problem with "good" passwords is
    that they are harder to remember. A solution to that is to use FOR EXAMPLE
    the first letter of each word of a phrase - perhaps from a song, or the
    motto of your school, or similar. Thus, "Twinkle, twinkle, little star, how
    I wonder what you are" can become 'Ttl*h1wwUr' - except that I use this
    example fairly often, and someone may guess it. So, use your own phrase.

    >I use XP Home, NTFS filesystem.


    I don't, so pay attention to what the others have posted as well.

    Old guy
     
    Moe Trin, Mar 9, 2006
    #7
  8. Todd H. Guest

    writes:
    > Hello,
    >
    > I'll be staying with a family for a few weeks and they have a Home
    > Network that I'll be connecting to in order to access the internet. Can
    > the network administrator log on through the network to my laptop as
    > "administrator" (or something else) and access my files? I know he can
    > intercept my internet communications (including passwords) and that
    > doesn't bother me, but I don't want him accessing my files. I checked
    > the properties for my C:\ drive and it is not shared, yet I have this
    > feeling there's another door somewhere...
    >
    > I use XP Home, NTFS filesystem.


    You'll be a lot more at ease and informed if you download and run the
    free Microsoft Baseline Security Analyzer which will help you verify
    that you're locked down from a host security standpoint:

    http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

    It will tell you good stuff like which accounts have blank or
    short/weak passwords, admin shares open for viewing, whether you're
    giving out too much NETBIOS info, and goodies like that.


    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Mar 9, 2006
    #8
  9. John Hyde Guest

    on 3/9/2006 10:41 AM said the following:
    > Winged wrote:
    >
    >> wrote:
    >>
    >>>Hello,
    >>>
    >>>I'll be staying with a family for a few weeks and they have a Home
    >>>Network that I'll be connecting to in order to access the internet. Can
    >>>the network administrator log on through the network to my laptop as
    >>>"administrator" (or something else) and access my files? I know he can
    >>>intercept my internet communications (including passwords) and that
    >>>doesn't bother me, but I don't want him accessing my files. I checked
    >>>the properties for my C:\ drive and it is not shared, yet I have this
    >>>feeling there's another door somewhere...
    >>>
    >>>I use XP Home, NTFS filesystem.
    >>>

    >>
    >>It depends on system configuration. Is NetBIOS exposed? Is the
    >>administrator account named administrator or admin? Is your system
    >>suitably firewalled blocking all inbound ports below 1024? Does every
    >>account on the system have a complex password (Each of 4 character sets
    >>minimum of 10 character password)? Is sharing turned on anywhere on
    >>local system? Is it part of the family's domain and is every password
    >>protected on their system? Have you turned off unneeded windows services?
    >>
    >>If NETBIOS is exposed it doesn't require an administrator (or anyone
    >>else) any effort to determine every account name on a system and whether
    >>or not that account has a password.
    >>
    >>If you join the domain of the family systems the domain administrator
    >>can get access to your system through the domain account.
    >>
    >>If you have sharing turned on (windows default is to include everyone in
    >>share with read only access). There are several exploits to shares that
    >>can allow one to expand the scope of files exposed via share.
    >>
    >>There are many potential doors into a system. There are ways if one
    >>controls the hub to attack the system below the transport layer on many
    >>flavors of NIC cards. Depending on your local machine configuration and
    >>the expertise of your family threat there are numerous potential holes.
    >> It is very difficult without more information to assess your security
    >>posture.
    >>
    >>If the family member is extremely knowledgeable and willful enough, you
    >>will be hard pressed to prevent access to both the transmitted
    >>information as well as access to local system resources.
    >>

    >
    >
    > Holy cow! I can't possibly verify all that. All I know is this :
    >
    > Besides the Guest account, I have my personal password protected
    > account that is not sharable and not accessible from the Guest account.
    > I once created an account with administrative privileges and tried
    > accessing my personal account from there and it also failed.
    >
    > I know any system is vulnerable but I'm worried about access by regular
    > logging, not hacking and cracking. Can the network administrator log on
    > and change some settings that would allow him to access files that are
    > stored in the MyDocuments folder in my personal account?
    >


    If I understood the previous answers: The "Administrator" you need to
    worry about is the administrator of _Your_ computer, not the network.
    Just because you are plugged into a network does not mean that the
    "administrator" of that network acquires rights to your 'puter.

    I also understand that this answer changes if being plugged in means
    that you have to log into a "domain" in order to get access. In that
    case, you have given the administrator of the domain some rights when
    you login. Two points:

    1. It does not sound like that's what you have going on. Just plugging
    into a home router does not log you to a domain.

    2. Be aware that it would be really tough to log into a domain "by
    accident". It requires a specific password, etc.

    Follow some of the other basic advice you've been given and you should
    be fine. Frankly, you're probably ok "as is" for the "threat" you have
    described. Heck, I administer my home network and I can't get into my
    daughter's computer across the network, and I know everything there is
    to know about that computer. Could I do it if I tried? Maybe, but it's
    easier to go kick her out of her chair if I needed . . .
     
    John Hyde, Mar 9, 2006
    #9
  10. Winged Guest

    wrote:
    > Winged wrote:
    >> wrote:
    >>> Hello,
    >>>
    >>> I'll be staying with a family for a few weeks and they have a Home
    >>> Network that I'll be connecting to in order to access the internet. Can
    >>> the network administrator log on through the network to my laptop as
    >>> "administrator" (or something else) and access my files? I know he can
    >>> intercept my internet communications (including passwords) and that
    >>> doesn't bother me, but I don't want him accessing my files. I checked
    >>> the properties for my C:\ drive and it is not shared, yet I have this
    >>> feeling there's another door somewhere...
    >>>
    >>> I use XP Home, NTFS filesystem.
    >>>

    >> It depends on system configuration. Is NetBIOS exposed? Is the
    >> administrator account named administrator or admin? Is your system
    >> suitably firewalled blocking all inbound ports below 1024? Does every
    >> account on the system have a complex password (Each of 4 character sets
    >> minimum of 10 character password)? Is sharing turned on anywhere on
    >> local system? Is it part of the family's domain and is every password
    >> protected on their system? Have you turned off unneeded windows services?
    >>
    >> If NETBIOS is exposed it doesn't require an administrator (or anyone
    >> else) any effort to determine every account name on a system and whether
    >> or not that account has a password.
    >>
    >> If you join the domain of the family systems the domain administrator
    >> can get access to your system through the domain account.
    >>
    >> If you have sharing turned on (windows default is to include everyone in
    >> share with read only access). There are several exploits to shares that
    >> can allow one to expand the scope of files exposed via share.
    >>
    >> There are many potential doors into a system. There are ways if one
    >> controls the hub to attack the system below the transport layer on many
    >> flavors of NIC cards. Depending on your local machine configuration and
    >> the expertise of your family threat there are numerous potential holes.
    >> It is very difficult without more information to assess your security
    >> posture.
    >>
    >> If the family member is extremely knowledgeable and willful enough, you
    >> will be hard pressed to prevent access to both the transmitted
    >> information as well as access to local system resources.
    >>

    >
    > Holy cow! I can't possibly verify all that. All I know is this :
    >
    > Besides the Guest account, I have my personal password protected
    > account that is not sharable and not accessible from the Guest account.
    > I once created an account with administrative privileges and tried
    > accessing my personal account from there and it also failed.
    >
    > I know any system is vulnerable but I'm worried about access by regular
    > logging, not hacking and cracking. Can the network administrator log on
    > and change some settings that would allow him to access files that are
    > stored in the MyDocuments folder in my personal account?
    >

    Can a family member physically touch the system at some moment (say 5
    minutes unobserved)? If so, then yes, unless the system has been secured
    properly in BIOS and/or disk encryption.

    Do you use a BIOS password? Is the ability to boot from CD-ROM or other
    devices other than the HDD enabled in BIOS? If so, yes, several common
    utilities on the net could allow access to any system information unless
    the disk has been encrypted and BIOS access locked. There are several
    utilities that could allow me to create an admin account or change an
    administrative password without ever booting Windows. Yes, it can be
    done, without any great effort. Once one obtains administrative access
    there are several ways to hide/disguise any additional accounts. This
    does not require true hacking; tools are already widely available on the
    net at little to no charge. This would be more a script kiddie event.

    Winged
     
    Winged, Mar 12, 2006
    #10