>A small LAN in Windows should be using the NetBEUI protocol, not TCP/IP.
>File and printer sharing is enabled *only* for NetBEUI. TCP/IP is *only*
>for your Internet connection and you do not have file and printer
>sharing enabled for TCP/IP. NetBIOS is not to be enabled for TCP/IP. So
>with no file and printer sharing for TCP/IP, your hard drive cannot be
>viewed by the outside world.

There are problems with NetBEUI, especially so for larger networks, but
also applicable for smaller networks in that it creates a lot of network
traffic. I've seen studies (or heard of them) where NetBEUI was enabled,
and accounted for somewhere between 60 and 70% of all network traffic.
This is probably why, with Windows 98, 98SE, NT, 2000, and ME, all shares go
over some type of TCP/IP protocol (not NetBEUI), unless you manually
enable NetBEUI.

You incorrectly state that with TCP/IP file and printer sharing, your
hard drive can be viewed by the outside world. If someone leaves their
network that wide open they are begging for trouble. Anyways, with NT /
2000 (much less so in 98 / 98SE / ME), only those users who exist in
either the login domain or on the PC in question can browse the shares
available from a PC, let alone actually get access to them.

This also leaves out the security risks of sharing an entire hard drive to
begin with, especially under Windows. You are much better off only sharing
directories on the drive than the whole thing (with the wrong permissions,
someone could delete the entire Windows or winnt directory, which would
leave the computer unusable and almost certainly require either a
re-install, or recopying the hard drive image back to the PC).

With Linux, there is more control over who can actually see the shares--you
have options to limit by IP (such that only specific computers on the
network can even see the shares), by users (such that only specific users
on the Linux server can see the shares), by permission (such that only
certain users or groups of users can edit the files, and other users or
groups have read-only privilege), or by a combination of the above (such
that only certain users from certain computers can see the shares).

For several years, I administered a small LAN with 35 workstations running
a mixture of Linux / Windows 95 / 98 / 98SE / NT / 2000. Before I left, I
had turned off sharing of complete hard drives, or, if the share wasn't
needed, turned off sharing, period (since the campus IT department
wouldn't allow me to run a firewall). Even more surprising was the fact
that when I left I had set up one of the most secure LANs on the campus
network.

>Other security problems, such as trojans and viruses, are due to user
>error, such as opening attachments and downloaded files without checking
>them first with one or more antivirus programs. A Windows system becomes
>much safer if Windows Script Host is disabled system wide, which is
>easily done and has no adverse consequences for a SOHO or home user.

A much more efficient manner is to enable virus scanning at the mail server
itself -- such that mail is checked as it comes in, although that doesn't
obviate the need for workstation level virus software as well.

Just my .02,
Michael
--
Michael Viron
Registered Linux User #81978
Senior Systems & Administration Consultant
Web Spinners, University of West Florida
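
The Linux-side controls described in the message above (limit by IP, by user, by permission, or a combination, and share a directory rather than a whole drive) correspond to per-share options in Samba. This fragment is an added illustration and not part of the original message; it assumes Samba is the file server, and the share names, paths, subnet, addresses, user and group names are constructed placeholders.

```ini
# smb.conf fragment (constructed example; every name, path and address
# below is a placeholder to be replaced with site-specific values)

[projects]
    # Share a single directory, never the root of the disk.
    path = /srv/projects

    # By IP: only hosts on the workstation subnet (and localhost) may
    # connect. With "hosts allow" set, hosts that do not match are refused.
    hosts allow = 192.168.10. 127.

    # By user: only members of the Unix group "staff" plus the account
    # "alice" may open the share, even from an allowed host.
    valid users = @staff alice

    # By permission: the share is read-only for everyone in "valid users"
    # except the accounts named in "write list".
    read only = yes
    write list = alice

    # No anonymous access.
    guest ok = no

[payroll]
    # Combination: one named user, from one named workstation, read-only.
    path = /srv/payroll
    hosts allow = 192.168.10.25
    valid users = bob
    read only = yes
    guest ok = no
```

Samba's `testparm` checks the file for syntax errors before the daemon is reloaded. Filesystem permissions on the shared directories still apply underneath these options, so a user listed in `write list` also needs write access on disk.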