Protect Your Computer - Securing Windows File and Printer Sharing

Windows 95, 98, ME, NT, 2000 and XP allows files and printers to be shared to other Windows users via a network. Unfortunately, these features may make your computer vulnerable to compromises or otherwise damage your machine. For this reason, we recommend you do not use Windows File and Printer Sharing.

In most environments where Windows File and Printer Sharing is used, access control is done through passwords. That is, in order to access a shared folder or printer, one must know the correct password. However, there is no facility for logging access attempts, so an attacker could, with enough time and effort, break the password through brute force (i.e. trying every possible combinations of passwords). Furthermore, often the passwords are poorly chosen and can be easily guessed.

Windows shares can be either read-only or full access. (On NT machines, further permissions can be applied at the file and directory level). A full access share is exactly that - an individual accessing the share can modify a file, add new files, delete existing files, etc. For this reason, it is recommended that you not share anything with full access enabled.

Note that even a read-only share can be dangerous. Sharing your C:\WINDOWS directory read-only would allow a remote attacker to view your saved password files and possibly other sensitive information.

If you must share files (and we strongly recommend you don't), make sure you have a password on the share and that the share is read-only.