Network Neighborhood

All my SMs are running without NAT enabled. On the protocol filtering page I have checked SMB, BOOTP Server and IPv4 Multicast. For some reason, on Vista, when a user clicks My Network Places it shows all the PCs that are on the same subnet as them. I thought SMB filtering was supposed to take care of that?


J

I had that exact same problem and never found a way around it except segregating users with VLANs.

Is the Vista computer just able to see the other machines or is it able to access them as well?

I believe someone else had a similar situation with being able to access fileshares. It had something to do with the SMB filtering not covering all the ports being used. Do a forum search.

Hey!

I’ve been thinking the new network traffic might have to do with Vista wanting to reach out and touch a neighbor :evil:

This is culled from a Google search; the MS article is confirmed.

(I’ll try to do some scanning and see if one port or another is more significant. Often you can block a ‘handshake’ level port and derail the whole process, which is what I’m hoping. Any help in regard to port diagnostics would be appreciated, as always.)

Field Alert on Microsoft Vista Additional Network Neighborhood Ports

Recently it has come to our attention that Windows Vista uses additional UDP and TCP ports for network neighborhood.

In order to completely block network neighborhood on a computer running Microsoft Vista you also need to add the following ports to the port filter table.

UDP-3702, TCP-5357, TCP-5358, UDP-1900, and TCP-2869

Here is a link to the Microsoft article that details this information.

http://windowshelp.microsoft.com/Window … 31033.mspx
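To see why checking only the SMB box leaves the neighborhood visible, here is an added example (not from this thread, the field alert, or any vendor's code) that audits a port filter table against the discovery ports listed above plus the classic NetBIOS/SMB ports, and counts how many flows in a constructed flow log would still slip past. The flow record format, the sample lines, and the assumption that the SM's "SMB" checkbox covers 137/138/139/445 are all constructed for the example.

```python
"""Audit a port filter table against the ports Windows network-neighborhood
discovery uses, and count flows in a flow log that the filter would miss.

Added example: not from the forum thread or from any vendor's firmware.
The Vista ports come from the field alert quoted in the thread; the
NetBIOS/SMB ports are the well-known defaults.  The flow-log format and
the sample records below are constructed for this example.
"""

# Service name -> set of (proto, port) tuples that service uses.
DISCOVERY_PORTS = {
    "netbios-ns":   {("udp", 137)},
    "netbios-dgm":  {("udp", 138)},
    "netbios-ssn":  {("tcp", 139)},
    "smb-direct":   {("tcp", 445)},
    # Additional ports the field alert lists for Vista network neighborhood:
    "ws-discovery": {("udp", 3702)},
    "wsdapi":       {("tcp", 5357), ("tcp", 5358)},
    "ssdp":         {("udp", 1900)},
    "upnp":         {("tcp", 2869)},
}

# Assumption: the SM's "SMB" protocol filter blocks just these four ports.
SMB_ONLY = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]

# The five extra entries the field alert says to add to the port filter table.
VISTA_ADDITIONS = [("udp", 3702), ("tcp", 5357), ("tcp", 5358),
                   ("udp", 1900), ("tcp", 2869)]

# Constructed flow records: "proto src:sport > dst:dport bytes".
SAMPLE_FLOWS = """
# constructed flow log for one subscriber PC (10.0.5.12)
udp 10.0.5.12:3702 > 239.255.255.250:3702 812
udp 10.0.5.12:1900 > 239.255.255.250:1900 310
tcp 10.0.5.12:49202 > 10.0.5.40:5357 1468
tcp 10.0.5.12:49203 > 10.0.5.40:445 2040
udp 10.0.5.12:137 > 10.0.5.255:137 78
tcp 10.0.5.12:49210 > 198.51.100.7:443 5120
tcp 10.0.5.40:49300 > 10.0.5.12:2869 640
"""


def _normalize(filter_table):
    """Lower-case protocol names and coerce ports to int for set lookups."""
    return {(proto.lower(), int(port)) for proto, port in filter_table}


def missing_filters(filter_table):
    """Return {service: ['proto/port', ...]} for every discovery port that
    the given filter table (iterable of (proto, port) pairs) fails to block.
    An empty dict means the table covers every known discovery port."""
    blocked = _normalize(filter_table)
    missing = {}
    for service, entries in DISCOVERY_PORTS.items():
        gaps = sorted(f"{p}/{port}" for p, port in entries
                      if (p, port) not in blocked)
        if gaps:
            missing[service] = gaps
    return missing


def parse_flow(line):
    """Parse one constructed record into (proto, src, dst, dport, bytes)."""
    proto, src, _arrow, dst, nbytes = line.split()
    dport = int(dst.rsplit(":", 1)[1])   # rsplit so IPv4 dots are untouched
    return proto.lower(), src, dst, dport, int(nbytes)


def leaked_flows(log_lines, filter_table):
    """Count flows whose destination port belongs to a discovery service and
    is NOT in the filter table.  Returns {service: flow_count}."""
    blocked = _normalize(filter_table)
    port_to_service = {entry: svc for svc, entries in DISCOVERY_PORTS.items()
                       for entry in entries}
    counts = {}
    for raw in log_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, _src, _dst, dport, _nbytes = parse_flow(line)
        key = (proto, dport)
        service = port_to_service.get(key)
        if service is None or key in blocked:
            continue
        counts[service] = counts.get(service, 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_FLOWS.splitlines()
    print("SMB-only filter misses:", missing_filters(SMB_ONLY))
    print("Leaked with SMB-only:", leaked_flows(lines, SMB_ONLY))
    full = SMB_ONLY + VISTA_ADDITIONS
    print("Full table misses:", missing_filters(full))
    print("Leaked with full table:", leaked_flows(lines, full))
```

With the SMB-only table, the audit reports WS-Discovery, WSDAPI, SSDP and UPnP as uncovered and four of the seven sample flows leak through; adding the five field-alert entries brings both results to empty. Running the same check against a real filter export is a quick way to confirm a change actually took effect before re-testing from a Vista box.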

We insist customers have routers for this very reason. Imagine all the congestion emanating from each PC on a layer 2 network!

Yeah;

Hey wanna see something really scary?

Open Network Neighborhood and doubleclick on any of the other computers in your workgroup or domain. The menu opens up with whatever the computer might purposefully be sharing on your LAN.

Up at the top of the screen, in the Address Bar, is the name of the computer you double-clicked a moment ago. Following the name of the computer, type
’c$
and hit enter.
That will give you access to any file on the remote computer’s C drive. Any valid drive letter will open a similar screen.
Gotta love Microsoft, eh?
(Oh, yeah, in context: I checked, and the same backdoor remains open in Vista!)

That’s always been the case with Windows. I’ve made it a habit to go through and manually disable File and Printer Sharing and Client for Microsoft Networks in the local area network connection configuration.

The only time I leave that enabled is if the customer is behind a router AND needs to share files/printers, otherwise I see absolutely no good reason to leave those protocols enabled.

wifiguy wrote:
That's always been the case with Windows. I've made it a habit to go through and manually disable File and Printer Sharing and Client for Microsoft Networks in the local area network connection configuration.

The only time I leave that enabled is if the customer is behind a router AND needs to share files/printers, otherwise I see absolutely no good reason to leave those protocols enabled.


The fact that people should have the right to have whatever they want enabled? I can tell you right now that if I had to go with a WISP and they started restricting access to all sorts of things on my computer, I would be mighty ticked off; you should have measures on your end to stop anything a user could do.

Know your users. The fact that it comes enabled on windows by default is not always what the customer wants.

We make changes on a case by case basis and if the customer wants the functionality we won’t interfere with that. Most of our users are single computer households (we also enable NAT on these SMs). There is no reason whatsoever to have those protocols enabled and the only thing they do is leave open unnecessary security holes for those users.

I don’t force anything on my customers, I just set them up with our recommended configuration per their request. I have not yet had a customer complain about that.

Again, the only time that functionality is necessary is in a LAN environment. There is no good (or necessarily safe) excuse to have it enabled otherwise.