I have been reading some of the posts here and alot of ppl are telling you to open your guest accounts.

It sould be noted that while on a internal network that may be fine...but if you open the guest account on a pc that has direct access to the internet be warned anyone now has access to snoop you shares.

My 2 cents worth

I totally agree. I think it is better security and practice to create user accounts for those boxes you wish to have access to your shares in NT or 2000.

Guest access is a cheap hack that can come back and bite you in the butt.

Ditto...

and don't leave your administrator account without a password !

[This message has been edited by Andersony (edited 11 April 2000).]

As long as you password your guest account with a different one from the default. Then you have as much protection as you do with any other login. The main point is to disable file and printer sharing for any direct connection to the internet.
Having the guest account enabled is the only way to allow other machines in a workgroup style network have acces to shares on any NT based machine.

Sorry Simon, but bollocks.

No you don't, you have half as much protection, as attackers already know the username - they just have to crack the pwd.

And further bollocks...

Wrong. For small networks, create user accounts under W2K with the same username and password as the Win9x logins you wish to grant access, then permission the W2K shares accordingly.
For larger networks, make a W2K machine a domain controller, and have all the W9x boxes authenticate via that...



[This message has been edited by YuppieScum (edited 12 April 2000).]

There nothing wrong with enable guest accounts, If you runing small Local Lan at Home or Small Buiss with less then 8 PC.
But his it will depend on how setup you Internet Gateway.

The Internet Gateway Server.
1: By defult this should be Uncheck "Files and Sharing for Microsoft Networks" on one the following Adapter: Modem Adapter, PCI Ethernet Adapter, USB Ethernet Adapter what ever card you are useing as your Internet Connection to that ISP.

2: Services that you should turn off
Messenger, Remote Registry Service unless you plan on run a domain controller for that you will need Windows2000 Server.

Reference knowing the guest account name is guest lowers security, you mean like knowing the administrator logon is administrator or root on unix? (bollocks?) If you are going to call a statement bollocks think about the whole picture and not part of it.

Again the best defence for securing any account is a decent password.

Also the same username and password option does not always work. I've still seen instances where in NT4 it still asks for the IPC password and Win2K where it presents you with the access permissions error.

Wow, So you leave your Administrator and Guest accounts as "Administrator" and "Guest"!!!!??? Hmmm. What company do you work at and where? I would like to show you something.....

who are talk to DosFreak ?.

I work for a large IT company... And to prevent unwanted access... we change the name of administrator accounts on "ALL" Nt based machines. And for even "more" security. We disable all guest acounts.. Now for internet access... THats a whole nother story..

Just my 50 cents and a penny.

------------------
When the world comes to a halt, Hold The F*** ON!!!

Yeah.. your supposed to change the Admin.. but i found a better way... take away all the privs in Admin name.. make super pass like blahbkajdksfjlj29830423.. so they spend like 4 years cracking it to get no access =)..



------------------
Volitaire
A+, MCSE, MCP+I, ACT

nah, i still believe in runnin my good ol' BlackIce Defender on the lan and sharin whatever i want without worrying....block them ports baby!

First, if you have Cable or DSL, get two ethernet cards. Don't do local file sharing on the same interface as the Internet connection.

Second, disable "Client for MS Networks" and "File/Print Sharing" on the Internet connected interface (Ethernet or dial-up).

On the second, "internal" interface you can run filesharing. You can use a private IP address like 10.x.x.x, but I just use NetBEUI because it's faster and less of a hassle and won't 'leak' onto the Internet under any circumstances. Don't enable IP forwarding, either.

If you are keeping your file sharing to a local, disconnected interface, you can enable the guest account without worry.

OK guys, first off if you have any netbios sharing enabled on the interface that is public a simple nbtstat will get the user name that is loggin in. There goes your extra security by renaming the user.

However it is still a good idea to rename them. And DON'T enable your guest account, your only asking for trouble. Create user accounts that the other machines have. NO GUEST!!!

I just thought I'd like to throw in my 2 cents...

My Opinion is that 75 to 80% of hackers out there are not very good or creative, they just download port scanners, password crackers and all kinds of other goodies from the internet. Then they scan Massive blocks of IP addresses looking for easy targets.

What is an Easy target? NT or Win95 machines that are displaying all of their NetBIOS goodies out there for all to see. They try the obvious stuff first, Administrator accounts, Guest account, FTP ports, etc. If the Easy stuff doesn't work they move on to a better target.

In my opinion, to protect yourself from these guys, do the following. Disable file and print sharing, and remove all bindings to the TCP/IP protocol (exept the one binding the protocol to the adapter)on the interface exposed to the internet for Win95.

For WinNT, open the network applet, go to TCP/IP properties, select the bindings tab, choose "all adapters". For the exposed adapter, disable the NetBIOS interface, Server, and Workstation services. (this does not affect your internet access)

Then rename your administrator account, give it an impossible password and disable the guest account.

Finally, get a good firewall to block all 65,000 + TCP ports on your machine. I recomend ZoneAlarm from Zone labs, It is easy to figure out, easy to use, blocks traffic Both ways (if you want it to) and most of all, It's free! Get it at www.zonelabs.com. also check out http://grc.com (very cool internet site, what you find may shock you)

For the other 20 to 25% of the hackers out there, you can bet that for every thing you think is impossible for them to do, Some clever genius has figured out a way to do it. All you can really hope for if one of these guys sets his sights on you is that he is nice to your system while he visits


------------------
MjolnirGS@hotmail.com

[This message has been edited by mjolnirGS (edited 15 May 2000).]