want no Web for XP & (Win7) XP Mode, but Web for Win7 all on same lan

dianedebuda

New member
Member
Local time
10:04 AM
Messages
73
want no Web for XP & (Win7) XP Mode, but Web for Win7 all on same lan

Have XP Home as file server to Win7 boxes on a lan. One Win7 box also uses XP Mode. IIRC, if I change tcp/ip default gateway to 1.1.1.1, that blocks outgoing web access for XP & XP Mode. Using router with NAT. Am I missing something here to prevent web access to/from the XP & XP Mode boxes?

For the XP shared folder, disabled inheritance and added NTFS security with Full Control for the XP (Admin-level) user. Then tried to map that folder on Win7 box using XP user password, but that didn't work. Been too long since I've messed with security & I've forgotten SO much. Not concerned with security within the LAN, just from the web, so maybe the NTFS stuff isn't needed.
 

My Computer My Computer

At a glance

Windows 7 Pro 64bit
Computer type
PC/Desktop
OS
Windows 7 Pro 64bit
Hopefully I understand you correctly. If I am on the wrong track please disregard this. I also am unsure of your level of expertise. So again, if I'm getting too technical or vice versa, please forgive me.

To gain access to the internet a PC simply needs to know where the gateway (router) is. Often routers have default addresses of 192.168.0.1 or 192.168.1.1. Pointing the default gateway of a PC to almost any other address will mean the PC can't find it's way to the Internet.

This generally means having to configure static IP addresses in your LAN.

192.168.x.x are class C addresses, meaning they are private and not routable on the internet. Your router translates addresses on your LAN to the WAN (Internet facing), IP address.

You could also change the default DNS server to a fake address (I use 192.168.1.253 when I want to block access). If however you do it this way, your PC still knows the correct route to the router (expecially if using DHCP), and you would still be able to access the Internet for things that don't require a DNS lookup.

To prevent that, I then block that address in my router with a rule that says that address is not allowed to send or receive data from the internet. Most routers support such rule configurations.

Regards the NTFS permissions, People can access from the web, if you have provided access through Web, RDC or ftp services. When setting permissions try to avoid using Everyone(full). I know it is more work, but setting specific permissions for specific users can save you a lot of security concerns later.

There are other highly experienced networking gurus here who will probably chime in with more info.

hth
Tanya
 

My Computer My Computer

At a glance

Linux Mint 17 Cinnamon | Win 7 Ult x64Intel I7-3770K @ 4.2ghz32GB G-Skill C10QEVGA GTX 670 2GB SC
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Made
OS
Linux Mint 17 Cinnamon | Win 7 Ult x64
CPU
Intel I7-3770K @ 4.2ghz
Motherboard
ASRock Extreme 4
Memory
32GB G-Skill C10Q
Graphics Card(s)
EVGA GTX 670 2GB SC
Sound Card
Creative Fatality ExtremeGamer
Monitor(s) Displays
LG E2742V x 2
Screen Resolution
1920x1080
Hard Drives
256GB Vertex 4 SSD
2TB Seagate ST2000DM001
1TB Seagate ST1000DM003
PSU
Corsair HX 650
Case
HAF 932 advanced
Cooling
Corsair H100i liquid cooler
Keyboard
Logitech Wireless
Mouse
Logitech Wireless
Internet Speed
OptusNet NBN 100/40
Antivirus
Malwarebytes
Browser
Firefox 30
Other Info
Router: Sagemcom F@st 3846 Crippled by Optus.
I have a static address and set gateway to 1.1.1.1, so that does seem to block access TO the web. I'm thinking that being behind a NAT router should block access FROM the web unless one of the Win7 boxes is hacked via web. Just trying to verify that I'm not missing something here.
 

My Computer My Computer

At a glance

Windows 7 Pro 64bit
Computer type
PC/Desktop
OS
Windows 7 Pro 64bit
Setting fake gateway addresses does NOT restrict access from the Internet into your computer. It is a common misconception that NAT is a secure form of protection. It is not.

That's why you still need a firewall, and virus/malware software.

If a hacker found an open port, and you were using a cheap router (or set your router to "Allow" all traffic inbound by default, he could direct traffic at your WAN IP. The router then translates those packets into an internal address (192.168.x.x), and forwards them to the relevant computer.

Quality routers use a Deny-All security strategy (Eg Billion). Cheap routers use an Allow-All strategy.

Most decent routers have NAT and SPI (Stateful Packet Inspection), and other security (Such as Denial of Service, Xmas attacks etc).. By default all ports are closed, or you specifically open them, unless as I said, you have a cheap router.

For example, if you ran a torrent client, that port would be open.

One way to see if your safe-ish is to go to Gibson Research Center (https://www.grc.com/x/ne.dll?bh0bkyd2) and run the Shields Up scanner there. You want a result of Stealth on all your ports.

Here's an example of a vulnerable PC..
 

Attachments

  • sf2.jpg
    sf2.jpg
    179.1 KB · Views: 1

My Computer My Computer

At a glance

Linux Mint 17 Cinnamon | Win 7 Ult x64Intel I7-3770K @ 4.2ghz32GB G-Skill C10QEVGA GTX 670 2GB SC
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Made
OS
Linux Mint 17 Cinnamon | Win 7 Ult x64
CPU
Intel I7-3770K @ 4.2ghz
Motherboard
ASRock Extreme 4
Memory
32GB G-Skill C10Q
Graphics Card(s)
EVGA GTX 670 2GB SC
Sound Card
Creative Fatality ExtremeGamer
Monitor(s) Displays
LG E2742V x 2
Screen Resolution
1920x1080
Hard Drives
256GB Vertex 4 SSD
2TB Seagate ST2000DM001
1TB Seagate ST1000DM003
PSU
Corsair HX 650
Case
HAF 932 advanced
Cooling
Corsair H100i liquid cooler
Keyboard
Logitech Wireless
Mouse
Logitech Wireless
Internet Speed
OptusNet NBN 100/40
Antivirus
Malwarebytes
Browser
Firefox 30
Other Info
Router: Sagemcom F@st 3846 Crippled by Optus.
Setting fake gateway addresses does NOT restrict access from the Internet into your computer. It is a common misconception that NAT is a secure form of protection. It is not.
That's what I was afraid would be the case. Had a nagging feeling that NAT was only "fair". The router in question is a cheapie & I'm sure it wouldn't be replaced.

still need a firewall, and virus/malware software.
Almost funny in a way - the XP box can't "get out" to the web, so updates would be a pain. D if you do & D if you don't. :rolleyes: As always, weigh the risks.
 

My Computer My Computer

At a glance

Windows 7 Pro 64bit
Computer type
PC/Desktop
OS
Windows 7 Pro 64bit
Back
Top