On 17/01/2024 20:51, Bill Powell wrote:
>
> On Wed, 17 Jan 2024 20:30:50 +0000, Java Jive wrote:
>>
>>> Press the down arrow and select the people allowed to access it.
>>> "Everyone" | Add | Read/Write | Share | Done
>>
>> That's a significant security hole. Ideally, you want to restrict it
>> to known users of your LAN regardless of device, and the best way to
>> do that is to password-protect the share in some way.
>
> Why do I need a password? If I can't trust my wife, then who can I trust?

Because anyone hacking into your local network can access the share,
this may include:

   Legitimate visitors to your home whom you allow to access the LAN
   temporarily;

   WiFi warriors who attempt to hack & surf other people's networks;

   Troublesome neighbourhood youths;

   Anyone that manages to hack your router from the WAN side.

This may not worry you if you don't intend to put anything private on
the share, which is fine as long as you never forget that rule, but in
general it wouldn't be considered good security practice, because for
example, someone gaining access to your LAN as above might put on the
share something to infect your machine with malware, and, if you clicked
on it, you'd then be in trouble.

>> For Windows, the way I usually do this is to ensure that my Windows
>> PCs all have the same user accounts with the same Username/Password
>> combinations, and only allow those accounts access permissions on the
>> shares. This means I can simply open shares in File Explorer without
>> being prompted for usernames & passwords.
>
> If I have to have an account password on Windows, can I use "guest/guest"?
> What's the Windows default "guest" or "everyone" account password anyway?

On a locked down PC, the Administrator account and the Guest account are
usually disabled, and it's probably best to leave them so unless you are
at least moderately well up on security - I used to create standard
workstation builds for thousands of PCs used in the UK offices of a
multi-national financial firm, so I had to take at least a basic
interest in this stuff, though I wouldn't have classed myself as an
expert even then, and especially not now as recent versions of Windows
have changed so much, particularly emasculating the Administrator &
Administrators accounts, since I retired. If you want to use either
account, the next best thing to having them disabled is to set a policy
to rename them to be something different that cannot easily be guessed,
but this may only be possible on Pro versions of Windows, I'm not sure
about Home versions. Alternatively, you could create a special guest
account on the Windows PC(s) to use on the share(s), and give it a
limited set of permissions to suit your purposes.

>> This used to work also via Samba on Linux, as long as the passwords
>> were the same all round, using an smbusers file to convert between
>> Linux & Windows versions of usernames (many Linux distros won't allow
>> uppercase in usernames), but this no longer seems to work, and now to
>> access a Windows share from a Linux PC I have to put in a Windows
>> account's username & password TWICE - an absurd & maddening
>> fiddle-faddle!
>
> What I don't get is why does Windows have an "everyone" or "guest" account?
> What good are those two Windows accounts if they /require/ a password.

In the eyes of someone like myself who takes security moderately
seriously, they are an anachronism which should not be used, but,
despite Microsoft's oft repeated mantra with each new version of Windows
that "good security is built-in from the ground up" - or whatever the
latest version of the claim is - AFAIAA unfortunately the *DEFAULT*
permissions on Windows shares are still Everyone :-(

>> Android, being based on Linux, is likely to do something similar. If
>> you can find out what is your Android username, you could try creating
>> an account of that name on your Windows PC and assigning a password to
>> it, then, if you're lucky, to connect you will only be prompted for
>> the password.
>
> I don't even know if Android has a username. Being Linux, it probably does.
>
> I went into Termux. Then I typed "whoami" and it said "u0_a331" and when I
> typed "id" it said "uid=10331(u0_a331)" and a whole bunch of other stuff.

So it would be interesting to add a new account of that name on your
Windows PC, give it a suitable password, and give that account Change
access to the share, *AND* your usual logon account Full Control access
to it, add Admins & System as below, and remove all 'Everyone'
permissions to it. Hopefully then you could connect to it from your
phone by giving just the password. If this works, repeat for your
wife's phone user account and her Windows user account if different from
yours.

If it's any help, the default permissions I put on a data share on a
Windows PC are as follows ...

   Authenticated Users   Change
   Administrators        Full Control
   System                Full Control

... but if the situation could be covered by a single user account
rather than the more general Authenticated Users, then you could specify
that account to have Change permissions instead of AU.

BTW, don't forget that you need to replicate the above permissions, or
whatever you have chosen as your own version of them, on the underlying
directory structure of the share as well, so not just on the share under
the Sharing tab, but also on the directory under the Security tab, and,
if there is already a directory hierarchy there, replicate down through
it. However, DON'T do that, in fact don't even share, any of the
standard Windows folders, including that for your User Profile ...

   C:\Users\%USERNAME%

... it didn't used to matter if you did that, but increasingly since
Vista+ or 7+ things break if you do that, and, with each new version of
Windows, the breakage seems to be more severe than with the previous
version.
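
Added example, not part of the original post: the share and folder permissions described in the reply above, applied with PowerShell from an elevated prompt on the Windows PC. The share name Data and the path D:\Shared\Data are assumptions, and the account names passed to the SMB cmdlets assume an English-language Windows.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names (not from the post): share "Data" on D:\Shared\Data.
$ShareName = 'Data'
$Path      = 'D:\Shared\Data'

# Do not share standard Windows folders (Windows, Program Files, C:\Users\...).
$full = [IO.Path]::GetFullPath($Path).TrimEnd('\')
foreach ($std in $env:SystemRoot, $env:ProgramFiles, (Split-Path $env:USERPROFILE -Parent)) {
    $std = $std.TrimEnd('\')
    if ($full -eq $std -or
        $full.StartsWith("$std\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to share '$Path': it is inside standard folder '$std'."
    }
}
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Sharing tab: Authenticated Users = Change, Administrators and SYSTEM = Full.
# Account names below assume an English-language Windows.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' `
        -AccessRight Change -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName 'Administrators', 'SYSTEM' `
        -AccessRight Full -Force | Out-Null
} else {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Authenticated Users' `
        -FullAccess 'Administrators', 'SYSTEM' | Out-Null
}
# Remove any 'Everyone' entry from the share.
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# Security tab: the same set on the folder, by well-known SID
# (S-1-5-11 Authenticated Users, S-1-5-32-544 Administrators, S-1-5-18 SYSTEM).
# Share-level "Change" corresponds to NTFS Modify (M).
icacls $Path /inheritance:r /grant:r '*S-1-5-11:(OI)(CI)M' `
    '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
# Drop explicit Everyone (S-1-1-0) grants here and on everything below.
icacls $Path /remove:g '*S-1-1-0' /T /C | Out-Null

# Show the result for review.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
icacls $Path
```

To cover the single-account case mentioned above, replace 'Authenticated Users' (and its SID in the icacls line) with that one account's name.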