Homegroup: Lost for words... security issue now?


  1. Posts : 995
    XP/win7 x86 build 7127
       #1


    Situation: Desktop - wiping out, deleting and formatting HDD which had both 7100 and 7127 parts, then clean install of 7127. Laptop - 7100 installed still, previously connected with previous desktop setup via Homegroup etc.

    Preparation: Did an easy transfer of 7100, saved to flash. Upon install of 7127, transferred all settings, Windows settings included (which are browser and such other things like QuickTime, RealPlayer start menu - settings).


    Problem Explanation:
    Originally both PCs WERE on same workgroup. I skipped Homegroup on desktop. After I set up 7127, installed back all my usual programs, then I was going to fool with Homegroup again. But before I did, I noticed that I didn't have the option to create a Homegroup. This I understood, since the laptop was still joined to a Homegroup (which the old desktop 7100 had created: see pic). So, I understood why I only had the option to join instead of create. All still on same workgroup, and Homegroup was "active" on the network and specific workgroup. So, first and foremost, I wanted to see if I could even view the MOBILE at all. Thru network, this was possible, no need or prompt for password, could view the HOMEGROUP SHARED "user" folder and its SHARED sub-directories/library. Tho, this could be due to me being on the desktop 7127 using the same user/pass account, as same user/pass account is on that MOBILE as well. If this would only be the case or problem, I would actually be fine, if this was the only and exact way it will act (without joining an existing HG).

    [Attached image: homegroup..netmap.png]


    Then I thought, ok, how about switching up the workgroup. I shouldn't be able to see ANY computers or shared devices that I currently see. So I change workgroup name, REBOOT. Nope! No change at all! So, I wondered if this was acting the same way vice versa. Sure is! I could view the 7127 PC, tho since I hadn't shared ANY files, nor joined a HG... it was a blank area. But indeed I connected, also was prompted for my user/pass which I provided per my account on the desktop. It wasn't an automatic "login" to the shares as it was per the desktop 7127 viewing the MOBILE the same way. So now I'm just totally shocked! While in XP, if not on same workgroup, you wouldn't even SEE ANY shares that were using a different named workgroup. Let alone any PCs, and allow you to connect.

    So on the mobile, I leave Homegroup completely. Which leads me to another question/problem. Why are there the 3 options for this? "Leave completely" (ok), "don't leave and don't change anything" (umm, cancel?), and "don't leave, but change what I am sharing" (ok). Where's the option of "Leave homegroup, but don't change what I'm sharing"??
    I know you can untick and tick your HG libraries, but you can also share other drives and folders with HOMEGROUP.

    After I leave Homegroup on MOBILE, reboot even, I could still view the 7127 desktop (even tho I had NO SHARES currently whatsoever, triple checked that as well just in case it could be). Tho now, while on the desktop, I can see the MOBILE still after it leaving the old HG, and being both on different workgroups. While trying to access the mobile from desktop, I get the following error. Which isn't too unexplainable, actually acceptable, it's what I was actually looking for. But why not the other way around? If you have a group of computers that you want on a totally different "net" besides physically, then they would be on a different workgroup. Shouldn't see anyone else that isn't on that same workgroup, at all, period.

    [Attached image: left.homegroup.png]

    Now my only "common sense" hopeful thinking tells me that maybe they are still in the works on this, and possibly, I'm hoping that this may precede the implementing of a "superGroup" which if on different workgroups, you can still join the network's HOMEGROUP/CASTLE, with per user settings. But in my case, I hadn't joined a HG at all during any of this while on the desktop, just changed workgroup name. So, who knows. Right now, it's a security vulnerability in my eyes, yet I know this is still a beta, a work in progress.


  2. Posts : 27
    Windows 7 64bit
       #2

    I don't think Workgroups and Homegroups are related. I think all that matters is the type of network you select. I have Home network selected for my connection on both PCs and my laptop is in a differently named workgroup and I still added both to the same Homegroup.

    Homegroups were designed to simplify file sharing with the new libraries feature. Regular old workgroup file sharing operates independently underneath. My buddy has a WinXP laptop and while he is connected to my network, we can still share files the old-fashioned way, no problem, because our workgroup name is the same.

    Please correct me if I'm wrong, but that is my understanding of the matter.


  3. Posts : 995
    XP/win7 x86 build 7127
    Thread Starter
       #3

    Right, but sharing with homegroup shouldn't make those same files available to XP... or any computer that's not joined on a HG... especially if PCs are on different workgroups. What's the need then for workgroups to exist right now if your point is correct, enTRAPAG? ... See my first pic for a closer reference. I wasn't a part of any HG in that shot, AND on a different workgroup, but was still allowed to get into the shared "user" folder on the MOBILE, that's on a different workgroup and connected to a now nonexistent Homegroup. This computer should not have had priv/axx to anything on that computer (MOBILE). It didn't even require me to have a login, no prompt. But remember, I have the exact same accounts set up on both PCs. Tho in reverse, from MOBILE to desktop during that current situation, I could still log in to the desktop with no shares but I was prompted for credentials - which I then entered and accessed the desktop with no shares.

    Any explanation/thoughts for this? This means any XP, and possibly Vista (I don't use) will see any shares at least shared by "Homegroup" on 7 via network browser. Sometimes prompting for credentials, sometimes not. Enabling a guest account would be brave now imo. And public folders are, if set up this way, available to all users along with each user's shared libraries on Homegroup. Where's the security? Why have a password for this myth of HG if ANYONE can access files when they are shared via HOMEGROUP, no matter if on same workgroup or not?


  4. Posts : 620
    7264x64/7260x86
       #4

    You don't need to be on the same workgroup to see other computers on different workgroups. You just need to know their names.

    They won't show up in XP, but if you know the name of the computer you can access it without any issues. Windows 7 automatically loads up any computer on the network if you're on a "Home" network.


  5. Posts : 995
    XP/win7 x86 build 7127
    Thread Starter
       #5

    copernicus said:
    > You don't need to be on the same workgroup to see other computers on different workgroups. You just need to know their names.

    Ok, if this is correct, again, why the need to have that in place for win7? Just for XP and Vista? In XP sharing, you need to be on same workgroup. If not, you won't see PC or shares.

    > They won't show up in XP, but if you know the name of the computer you can access it without any issues. Windows 7 automatically loads up any computer on the network if you're on a "Home" network.

    They DO show up in XP. Problem is, I don't want Homegroup shared folders to be of access to non-Homegroup PCs... whether they are on the network or not. Then why have homegroup if everything is shared to everyone via default "share with" Homegroup. Have you actually tried and/or replicated this scenario? Why have a Homegroup password? What is that password "protecting"? Doesn't make a lot of sense to me.


  6. Posts : 620
    7264x64/7260x86
       #6

    In XP you won't see the other workgroups by navigating to them in Explorer, but you still have access to the computers if you know their names. You can access multiple workgroups simultaneously without having to join them.

    I haven't messed around with Homegroups, but it's my understanding that they are independent from workgroups.

    Do your mobile and desktop share the same login/password?

    If you reinstalled the OS on the desktop, but used the same name as the previous install, the permissions for shared folders (through workgroups) will remain intact on the mobile.

    You should also be aware that as soon as you join a Homegroup, Windows automatically shares your USER folder.


  7. Posts : 995
    XP/win7 x86 build 7127
    Thread Starter
       #7

    copernicus said:
    > In XP you won't see the other workgroups by navigating to them in Explorer, but you still have access to the computers if you know their names. You can access multiple workgroups simultaneously without having to join them.
    >
    > I haven't messed around with Homegroups, but it's my understanding that they are independent from workgroups.
    >
    > Do your mobile and desktop share the same login/password?
    >
    > If you reinstalled the OS on the desktop, but used the same name as the previous install, the permissions for shared folders (through workgroups) will remain intact on the mobile.
    >
    > You should also be aware that as soon as you join a Homegroup, Windows automatically shares your USER folder.

    Well, first, thanks for the replies and interest, copernicus.

    Yes, both desk and mobile have same user/pass setup. But if you look in the first pic posted, you will see that I am doing all this while I am NOT on a HG, and ON a different workgroup. The only similarity, if you want to call it that, is the type of network, which IS home.

    Nevertheless, let's say you or I or anyone make the mistake of taking the laptop to a hotel and not switching to public (I don't think that's even possible, unless done basically on purpose, say I'm drunk, but just follow me here), you instead are on Home Network. Now IF this hypothetical were to happen, the "fail safe" would and should be (like in the past even if you DO have file sharing enabled) (1) if you are on a different workgroup, (2) and/or require a HG password to join and see your files. At least your library files for pete's sake. I maybe can understand if you had simple file sharing enabled, and had a drive shared with no restrictions not on homegroup and someone "guessed" your workgroup.

    But if this would go like one would think, at least myself, then all of this couldn't be a future problem, just in that wacky example. I'm just trying to show, that still no matter what network you are on, home, work or public (even tho public disables all filesharing which is useless when used on a "trusted" network you want to share with, fully or partially).

    As you are referring to how it may be (I'm not sure myself, why I created thread), then if you took a laptop to the hotel currently, and select Home Network, just because you select that you are now naked to the whole network? Even if you don't have anything shared, as in my case while I was on a different workgroup than the laptop (see pic). If I'm not on the same workgroup, and NOT on any HG, I shouldn't be allowed to view another HG's library shares thru Explorer, and then have complete access, read write append mkdir etc etc. If anything, being exposed to a "home network" it should only allow list access... not even read, and really not even list. Surely if you have a network, with a "workgroup" and a "secure passworded homegroup" and only "share with" "homegroup", only the HOMEGROUPUSER$ should see the shares.

    At that point in time, I wasn't any of the above, yet I still had full access ... and all because of the same user/pass on both machines? If it recognizes this, then sharing and axx/privs per HGUser$ could and should be able to go further for restriction, rather than just having the same user/pass... what if that's hijacked ... like it's been done in the past? That makes the use of workgroup and HG non-relevant in that case. Where is the "level" of security.

    That would be like me unlocking my front door, putting the dog in the garage, and hoping the burglar/axe murderer that's on the loose doesn't know which room I'm in while he hops around in the house? And all I have is a cheapy push button lock on my door. I hope that holds him back. That's just nuts to me.


  8. Posts : 620
    7264x64/7260x86
       #8

    Digger said:
    > Well, first, thanks for the replies and interest, copernicus.
    >
    > Yes, both desk and mobile have same user/pass setup. But if you look in the first pic posted, you will see that I am doing all this while I am NOT on a HG, and ON a different workgroup. The only similarity, if you want to call it that, is the type of network, which IS home.

    The reason you have instant access between the two computers is because they share the user/pass combo and both are on a "home" network. Change one of them and you'll see that you'll get the dialog to log in to the computer. Again, you don't have to be part of a workgroup to access it, you just need to know the name of the computer. In Windows 7 when you select Home Group it'll allow you to see all computers in the network that are allowing you to see them.

    > Nevertheless, let's say you or I or anyone make the mistake of taking the laptop to a hotel and not switching to public (I don't think that's even possible, unless done basically on purpose, say I'm drunk, but just follow me here), you instead are on Home Network. Now IF this hypothetical were to happen, the "fail safe" would and should be (like in the past even if you DO have file sharing enabled) (1) if you are on a different workgroup, (2) and/or require a HG password to join and see your files. At least your library files for pete's sake. I maybe can understand if you had simple file sharing enabled, and had a drive shared with no restrictions not on homegroup and someone "guessed" your workgroup.

    Anytime you log into a new network you will get a prompt to designate that network as home/private/public. If you go to a hotel you would select public, and that will tell Windows 7 to not show up when other people scan the network (network discovery). If you tell the computer a network is home when it's not, well, stop drinking (USB breathalyzer addon?) =P

    > But if this would go like one would think, at least myself, then all of this couldn't be a future problem, just in that wacky example. I'm just trying to show, that still no matter what network you are on, home, work or public (even tho public disables all filesharing which is useless when used on a "trusted" network you want to share with, fully or partially).
    >
    > As you are referring to how it may be (I'm not sure myself, why I created thread), then if you took a laptop to the hotel currently, and select Home Network, just because you select that you are now naked to the whole network? Even if you don't have anything shared, as in my case while I was on a different workgroup than the laptop (see pic). If I'm not on the same workgroup, and NOT on any HG, I shouldn't be allowed to view another HG's library shares thru Explorer, and then have complete access, read write append mkdir etc etc. If anything, being exposed to a "home network" it should only allow list access... not even read, and really not even list. Surely if you have a network, with a "workgroup" and a "secure passworded homegroup" and only "share with" "homegroup", only the HOMEGROUPUSER$ should see the shares.

    If you select a network as HOME you are saying, yes I trust all computers on the same physical network, let me see them and let them see me. I do find it really odd that Windows automatically shares your USER folder with everyone on your network when you join a homegroup, I hope that gets fixed, but apparently that's a carry over from Vista =/.

    > At that point in time, I wasn't any of the above, yet I still had full access ... and all because of the same user/pass on both machines? If it recognizes this, then sharing and axx/privs per HGUser$ could and should be able to go further for restriction, rather than just having the same user/pass... what if that's hijacked ... like it's been done in the past? That makes the use of workgroup and HG non-relevant in that case. Where is the "level" of security.
    >
    > That would be like me unlocking my front door, putting the dog in the garage, and hoping the burglar/axe murderer that's on the loose doesn't know which room I'm in while he hops around in the house? And all I have is a cheapy push button lock on my door. I hope that holds him back. That's just nuts to me.

    I think the main issue you're seeing here is having two machines with the same login/pass.

    I'm currently on a network with 2 XP machines, on the seven machine I set this network as "home". Those two machines are on the same workgroup between themselves. I'm on another workgroup.

    I can see both of those machines in the network section, but I cannot get access to any files, except the folders that were shared on the XP machine and given access to me specifically. Neither of those machines can see my machine, except for the folders I set to share with "Everyone".

    I have a folder shared on the 7 machine, currently neither XP machine can see it through Windows Explorer, but if I type my computer name in the address bar I get the login dialog, and then I get access to the shared folder.

    If you dig through the network section you'll see the option to allow homegroup to use login/pass instead of letting Windows manage it.

    It seems like a balancing act between security and convenience.
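
The behaviour discussed in posts #6 to #8 can be checked on a machine by listing which accounts and groups each share is granted to. The PowerShell below is an added example, not part of any poster's message: it reads every share's share-level permissions and marks entries granted to broad groups. The function names and the assumption that HomeGroup shares are granted to a local group named HomeUsers belong to this example.

```powershell
# Added example (not from the thread): report share-level permissions per share.
# Reads share ACLs through WMI, so it does not need the SmbShare cmdlets that
# only exist on later Windows releases. Run from an elevated PowerShell prompt.

# Trustees that reach well beyond "the accounts I picked", keyed by well-known SID.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}
# Assumption: the local group that HomeGroup shares are granted to is HomeUsers.
$HomeGroupName = 'HomeUsers'

function ConvertTo-ShareRight([long]$Mask) {
    # Standard share permission masks: Full Control, Change, Read.
    if (($Mask -band 0x1F01FF) -eq 0x1F01FF) { return 'Full' }
    if (($Mask -band 0x1301BF) -eq 0x1301BF) { return 'Change' }
    if (($Mask -band 0x1200A9) -eq 0x1200A9) { return 'Read' }
    return ('0x{0:X}' -f $Mask)   # non-standard combination: show raw mask
}

function Get-ShareAclReport {
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting | ForEach-Object {
        $share = $_.Name
        $sd = $_.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) {
            Write-Warning "Cannot read ACL of '$share' (WMI code $($sd.ReturnValue))"
            return   # inside ForEach-Object this skips to the next share
        }
        $dacl = $sd.Descriptor.DACL
        if (-not $dacl) {
            # A missing DACL means nothing is restricted at share level.
            Write-Warning "'$share' has no DACL: unrestricted at share level"
            return
        }
        foreach ($ace in $dacl) {
            $sid   = $ace.Trustee.SIDString
            $name  = $ace.Trustee.Name
            $scope = 'Named'
            if ($sid -and $BroadSids.ContainsKey($sid)) { $scope = 'Broad' }
            elseif ($name -eq $HomeGroupName)           { $scope = 'HomeGroup' }
            New-Object PSObject -Property @{
                Share   = $share
                Trustee = ("{0}\{1}" -f $ace.Trustee.Domain, $name).TrimStart('\')
                Type    = $(if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' })
                Right   = ConvertTo-ShareRight $ace.AccessMask
                Scope   = $scope
            }
        }
    }
}

Get-ShareAclReport |
    Sort-Object Share, Scope |
    Format-Table Share, Trustee, Type, Right, Scope -AutoSize
```

Share-level permissions are only one layer: the NTFS permissions on the shared folder apply as well, and the more restrictive of the two wins.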


  9. Posts : 995
    XP/win7 x86 build 7127
    Thread Starter
       #9

    You pointed out some good things, copernicus, most things tho I am aware of. I guess one of the first things I don't quite understand given my explained situation is that while I was using the option of "Windows managing Homegroup" instead of "use user/pass"... the perplexing thing again is, I wasn't on a HG, so why or how did MS "manage" me as a Homegroup "user"? It's not like it was managing by "network" or "workgroup"... again this is beta, but I feel that unless or at least until you join a HG, no need to have Windows manage BY Homegroup. The use user/pass to manage should be on by default then imo. Follow me here?

    Yea, I know my lil "drunk" scenario was unrealistic unless just outta your mind, I know that 99.9% of the time that won't happen, and public most likely will be chosen. I guess a better scenario would be if you were at a LAN party, you don't want to be on public (few buddies you want to share with are there), and being on "work" doesn't allow the creation of a HG... and all the while, I just don't want to naked share to the whole network. So one should and could conclude that the "building of" a Homegroup, inside the workgroup/network/LAN this should be able to be done, and done securely without the other "non-buddies" to see any of your shared files. But if you "share with" HG again... this makes all shares visible to anyone who is on the network. And if you know, being visible is the first step to being compromised in any way, no matter what security. Can't take network discovery off tho to prevent this because of the simple need for it to locate other computers. Another .01% scenario, but what if at a LAN you're trying to find your friend's PC, who is coincidentally named the same as another PC on the LAN, that's on a different workgroup. Again, highly unlikely, but I'm approaching this in a "defcon 5" type of way. Short of unplugging the computer, and short of jumping thru multiple hoops to get it to be secure and act friendly to ones that I completely trust or at least chosen to give privy to.

    Next question is... are you having the problem of viewing your XP machine from 7, or vice versa? Reason being is that I keep noticing you stating that how you are accessing the machines by name, or can be, is that how you are managing your PCs and network for shares?? If so, isn't that a PITA? And secondly if so, is network discovery off or something? To this day, with every 7 install, call me lucky but, I have never had the problem of seeing any other PC, no matter the current OS. No matter which was the host or client, never any problems.

    I guess just because I "trust" the home network, it doesn't mean that whatever I share, I want "EVERYONE" (as it is shared by HG) on the network to have ANY access unless specified and/or given privs to directly. It seems as tho you have more control over what's shared to an XP machine, than you do another 7 machine... which in the future will be a bit scary if "managed by Homegroup".

    I'll look into that USB breathalyzer lol


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
