Author Topic: Windows file sharing on specific network  (Read 1864 times)

Zeyneb (Topic starter)
Windows file sharing on specific network
« on: September 14, 2020, 02:39:58 pm »
Hello you all!

Alright, there are a lot of sharing and security settings in Windows 7 for specific folders, users and groups and whatnot. I hope there is an Eevblog member who's a guru in this topic.

I'm talking here about my own home network and I am the only user, but with several computers running Windows 7, 32 and 64 bit as well as some Windows XP computers and a network printer.

For privacy and safety reasons I want just one computer to have internet access. See the picture of my network block diagram.
[Image: network block diagram]

Maybe this is not according to the official network diagramming conventions but anyone remotely into networking will understand what I mean with this block diagram.

So the Linksys router has nothing connected to its WAN port. Now the objective is to get file and printer sharing to work only on the network 10.0.0.x.

Ok, network printing works already. File sharing from the Windows 7 computer also works, but for the folder I wished to share, in "Properties->Security tab" I had to add "Everyone" in the "Group or user names" field to give the Windows XP computer the ability to gain access.

What I am looking for is some "Group or user names" term that will just permit the three common access rights (read & execute, list folder contents, read) on the network 10.0.0.x. So "Everyone" is too coarse-grained a setting, while maintaining a list of computers and users is too fine-grained a setting.

Some of my partial thoughts to get this working:

1) I know about the Homegroup feature of Windows 7, but that only applies to Windows 7 computers. Unless there is some hack program that lets a Windows XP computer play along with the Windows 7 Homegroup rules of file and folder sharing.
2) Maybe I can enable DNS on the Linksys router for my own private network to provide Windows 7 a domain name term to which to apply the security access rights. But when I do "ipconfig /all" I don't have a name for "Connection-specific DNS Suffix". The picture below shows some settings for the Linksys router. The portion "Internet setup" applies to just the WAN port, does it?

I hope I presented this issue understandably. If there is anything I could add that is relevant for resolving this, please let me know.
goto considered awesome!
 

gmb42
Re: Windows file sharing on specific network
« Reply #1 on: September 15, 2020, 10:33:36 am »
Without an Active Directory Domain Controller, whether provided by a Windows Server or Samba, your Windows machines will be operating in "Workgroup" mode and there are NO common users\groups etc., as the security database for each account is local on each machine. You should set each machine to use a common workgroup; I think the default is "Workgroup".

A "workaround" for this is to create identical accounts (name and password) on each machine and use those between systems.  These local accounts can be made members of local groups to control access that way if you wish, but if there's only you, then simply replicate your account on all machines.

If you still want to have the complication of different accounts then you'll have to provide the account details appropriate for the remote machine you're connecting to.
 

Ranayna
Re: Windows file sharing on specific network
« Reply #2 on: September 15, 2020, 10:44:01 am »
Windows security is inherently user based.
Set up a user on the machine holding the shares with the permissions you want them to have *on the filesystem*. If you use NTFS, and you should, those filesystem permissions are a secondary layer to the share permissions. You can then use that user to access the share, in the format <ComputernameHoldingTheShares>\<Username> or maybe <Username>@<ComputernameHoldingTheShares>. If you have the same usernames with the same password set up on both computers, it should even work directly without having to enter credentials.
The share permissions are a relic from almost forgotten times :p. They were required in times of filesystems that did not support security, like FAT. Nowadays they are mostly redundant and it is just an additional hassle to keep them up to date. Even in a corporate setting, these are generally set to "Everyone" and the actual fine tuning is done using filesystem security settings.

Since you currently have shares running, I assume the Windows Firewall is properly set up (or turned off :p).

So, let's assume your CAD-PC holds the files you want to access. Creatively, its actual computer name is "CAD-PC" ;)
So, you set up a local user on CAD-PC, let's call him shareuser, with some arbitrary password.
You create a folder, call it whatever, and set up NTFS permissions how you want them, however fine-grained you want them. Do not forget to set up inheritance properly. If you need help there I can give you a couple of pointers.
With the filesystem permissions set up, you can share that folder and give it a share name. Let's say "fileshare". Set the share permissions to "Everyone", as you have it now.
If you do not have an NTFS filesystem you want to share, it *should* also be possible to set similar permissions on the share level with that local user.

To access this share on the CAD-PC from the WEB-PC, you can access it directly the following way: \\10.0.0.3\fileshare. You should be asked for credentials. Enter them as CAD-PC\shareuser, and of course the password ;)

Maybe this is too basic, since you already have sharing running, but hopefully this may give you additional insight. I have very little knowledge about Work/Homegrouping, but I suspect this may require a properly working DNS that knows all member computers.
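
The steps from the reply above as one script, an added example that is not part of the original post. It is meant for an elevated Command Prompt on CAD-PC; `D:\Shared` is a hypothetical folder path, `shareuser` and `fileshare` are the names used in the post, and the group name `Everyone` assumes an English-language Windows (the two SIDs are the built-in Administrators group and SYSTEM, which are the same in every language).

```bat
@echo off
rem Added example. Run elevated on CAD-PC (Windows 7).
rem D:\Shared is a hypothetical path; adjust to the folder you want to share.
set "FOLDER=D:\Shared"

rem 1. Local account used for share access. "*" prompts for the password
rem    so it never appears on the command line or in the script.
net user shareuser * /add

rem 2. Create the folder and add explicit NTFS entries first:
rem    Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) get full control,
rem    shareuser gets RX = "Read & execute", "List folder contents", "Read".
rem    (OI)(CI) makes the entries inherit to files and subfolders.
if not exist "%FOLDER%" mkdir "%FOLDER%"
icacls "%FOLDER%" /grant "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F"
icacls "%FOLDER%" /grant "shareuser:(OI)(CI)RX"

rem 3. Only now drop the entries inherited from the parent folder (for
rem    example the local Users group), so just the explicit ones remain.
icacls "%FOLDER%" /inheritance:r

rem 4. Publish the share. Share permissions stay wide open as described in
rem    the post; the NTFS entries above decide who can actually read.
net share fileshare="%FOLDER%" /GRANT:Everyone,FULL

rem 5. Show the result for review.
icacls "%FOLDER%"
net share fileshare

rem On WEB-PC (or an XP machine) connect with the CAD-PC account:
rem   net use \\10.0.0.3\fileshare * /user:CAD-PC\shareuser
```

With "Everyone" removed from the folder's Security tab, a connection without the `shareuser` credentials is refused at the NTFS layer even though the share permission is still "Everyone".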
 

drussell
Re: Windows file sharing on specific network
« Reply #3 on: September 15, 2020, 10:54:45 am »
Just completely firewall off the Windows file & print sharing ports between your networks? 
Ports 137-139 and 445 or whatever they are? 
Just disallow those completely on your 192.168.x.x network.
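
A host-side variant of the port restriction suggested above, as an added example that is not part of the original post: instead of blocking on the 192.168.x.x side, it limits the built-in Windows 7 firewall rules for file and printer sharing to the 10.0.0.x network. The /24 prefix is an assumption about the "10.0.0.x" network, the group and rule names are those of an English-language Windows 7, and `netsh advfirewall` does not exist on Windows XP.

```bat
@echo off
rem Added example. Run elevated on each Windows 7 PC that shares files.
rem Assumption: the private network "10.0.0.x" is 10.0.0.0/24.
set "LAN=10.0.0.0/24"

rem Keep a copy of the current firewall policy so the change can be undone
rem with: netsh advfirewall import "%USERPROFILE%\firewall-before.wfw"
netsh advfirewall export "%USERPROFILE%\firewall-before.wfw"

rem Limit every rule in the built-in group to peers on the private network.
rem This covers the inbound and outbound rules for UDP 137/138, TCP 139
rem and TCP 445, so SMB is neither offered to nor used on other networks.
netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip=%LAN%

rem Verify: each inbound rule should now list RemoteIP as the LAN only.
for %%R in (
  "File and Printer Sharing (NB-Name-In)"
  "File and Printer Sharing (NB-Datagram-In)"
  "File and Printer Sharing (NB-Session-In)"
  "File and Printer Sharing (SMB-In)"
) do (
  netsh advfirewall firewall show rule name=%%R | findstr /i /c:"Rule Name" /c:"Enabled" /c:"LocalPort" /c:"RemoteIP"
)
```

This matters most on the dual-homed internet PC, where the same firewall rules otherwise apply to both of its network connections.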
 

EasyGoing1
Re: Windows file sharing on specific network
« Reply #4 on: February 25, 2021, 01:31:02 pm »
For the love of god man, DON'T use HOMEGROUP! It's a nightmare and an abortion of an effort to make home networking "simple".

If it's a simple matter of limiting access to files and folders to specific user accounts, then you just create a user account on the machine that is sharing the files. Then when you share a folder, there are two different places to set permissions for that folder. One is at the file level and the other is at the network share level and that's the one you want to use when it comes to that resource being accessed from another machine on your network. You can do things there like assign read-only permissions etc. and the enforcement of permissions is handled in the network layers of the operating system, not at the file system level. Of course, either place can achieve the same goal, but it's far better to let the right layer of the OSI model handle its job accordingly. Some people like to grant full access through the network share, then assign file permissions using the ACLs at the disk level. To me, that's kind of overcomplicating the issue and it can lead to problems over time when you can't figure out why you can't do something that you should be able to do. Keep it simple!

I am additionally of the opinion that your paranoia over allowing multiple devices to have Internet access is misplaced and it is something that I hear far too often from people who don't understand how Internet connectivity works and because they don't understand, they choose to err on the side of caution. Which is GREAT, don't get me wrong, but I like to take such opportunities to try and help people understand best practices so that they don't have to impose such limitations on their personal lives. It's far more convenient when all of your computers can get on the Internet through a high-speed connection such as a cable modem service or FIOS or something similar. And in order to do that SAFELY, just get yourself a modern, well-reviewed, supported and recommended home Internet router / WiFi router and plug your Internet connection into the WAN port, and power it up and go through the instructions for basic setup and you'll be just fine. No one is going to hack into your network for many reasons. First, most home routers don't even respond to traffic requests coming into your network from the outside. They won't even respond to pings, so when hackers are out there fishing for networks that are exposed to the Internet, they will be looking for certain responses that a quality home router won't be giving them. Out of the millions of IP addresses available to scan for hackability, there would be nothing coming from your IP address that would give anyone even a spark of curiosity. And in the one in a million chance that they did see something, they would still need to hack your router because of the firewall software in it and if they could get that far, then they would need to re-configure it so that they could actually attempt to gain access to the computers sitting on your home network.

These are not trivial tasks that anyone can just do because they want to. The level of skill that would be required to brute force hack into your home network from the Internet, given that you're using a quality home router, would be so incredibly large, that anyone who had those kinds of skills would not even consider someone's home network to be worth their efforts ... unless the home network belonged to the CEO of Google or some such potentially valuable target. The hard reality is, you're just not that interesting that someone would go through such extreme measures to break into your network. No, you're far more vulnerable just because you have a personal account on your bank's web server. Cause if THEIR stuff ever got hacked, then YOUR information is at risk. Hackers want the meat on the internet, not the scraps.

And the way traffic flow works from a computer inside your home to the Internet is like this...

You are on your home computer and you open Chrome and you go to google.com, your computer sends out packets to your local router, which then re-packages your request into a packet that is allowed to exist on the Internet because it uses the public IP address that your Internet provider assigned to it. It also tags the packet with something called a session ID so that when the request is responded to, and your router receives those response packets, it will know which machine on your home network made the request because it keeps track of all that via those session IDs. So as far as the Internet traffic that is related to a computer inside your house is concerned... any information about that computer STOPS at the router and is re-packaged and then forwarded out to the Internet and the responses coming in are then re-packaged with your personal computer's private IP address and then sent back to your private computer. The router is the wall in between you and the world, keeping your inside network completely invisible to the rest of the Internet.

Also, the notion of monitoring all of the traffic coming in and out of your house to and from the Internet would be called SNIFFING and that is done with software that is designed to capture packets for later analysis. HOWEVER, there is only ONE group of people who would ever be able to do that with your traffic and those are the people who sell you your Internet connection. Sniffing packets requires being on the same VLAN as the switch port being sniffed. It's actually done at layer 2 in the OSI model which means it cannot be done across a bridge, router or VLAN, it needs to see the MAC address of the switch port directly. So unless you're afraid that someone at the cable company would try to hack your router and attack your network, don't think twice about it. You have nothing to be afraid of.

So you see ... The internet is not so simple that it could be compared to someone leaving the door open to their house 24/7 leaving them vulnerable to crooks or evildoers. The better analogy is to think of it like you have a security screen door and a guy sitting at the door checking the credentials of anyone wanting to come into your home and if they aren't on the list that you approved, then they aren't getting in PERIOD. Not only that, but you can also think of it like ... if an evildoer were driving down your street with a spotlight looking for houses that they could break into, when they shine their light on your house, it's actually cloaked and all they see is an empty field even though you are really there actively doing stuff.

SO ... don't be afraid to allow all of your computers to have access to the internet ... be far more concerned with how you use the internet and the places you go to on the internet, which can put you at far more risk than simply being attacked out of nowhere... because that's never gonna happen.
 

