Windows Networking And Alternate Transports

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Operating Systems, such as Linux). Windows Networking runs at the Application level of the OSI Network Model, and, in its default configuration, uses NetBIOS Over TCP/IP (NetBT) and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI.

Microsoft supports only NetBT and TCP/IP, though you may use IPX/SPX or NetBEUI, if you're prepared to deal with the support issues. There are advantages and disadvantages to using either alternative. (Update): Windows Vista will not support NetBEUI.

Similar in effect to IPX/SPX / NetBEUI, we have a commercial product called Network Magic. Network Magic requires no complicated configuration, you just install it and it works. Unfortunately, nobody that I know knows how it works, or if it's OSI Network compliant. And, just as the disadvantages of IPX/SPX / NetBEUI, if there's a problem with the network outside its scope of effect, you may not be able to diagnose such a problem as reliably as with IP.

Advantages Of Alternate Transports

  • No filtering problems. A misconfigured or overlooked personal firewall can cause problems with IP based networks. Neither IPX/SPX nor NetBEUI is affected by firewall problems.
  • Segments are isolated. Any separate networks, connected by routers, won't pass IPX/SPX or NetBEUI based traffic between them. Windows Networking simply won't leak onto any networks connected by routers, such as the Internet.
  • Easier to setup. There's no need to configure TCP/IP settings, both IPX/SPX and NetBEUI attach directly to the hardware, and both setup automatically.

Disadvantages Of Alternate Transports

  • Network complexity. You'll likely have redundant system components in use by each computer, and redundant network traffic between each computer.
  • Lack of diagnostics. The ipconfig and ping utilities can identify logical and physical connectivity problems on an IP network. This is not available on non-IP networks, and may not give consistent results when you deal with problems on mixed networks.
  • Lack of filtering. Firewalls only filter IP network traffic.
  • Limited effect. Using alternate transports provides a workaround only for TCP/IP configuration problems, or filtering problems. It does nothing for physical problems, or for problems caused by authentication / authorisation.
  • Only TCP/IP can link multiple segments. Any separate networks, connected by routers, won't pass IPX/SPX or NetBEUI based traffic between them. If your network is segmented, for physical reasons, you'll have to bridge the segments (which is, by design, what NBT does).
  • Have to be setup properly. If just one computer on the network attaches Windows Networking to NBT, convenience and security gains are eliminated.

>> Top

IP traffic, by design, can be filtered by personal firewalls and routers. IPX/SPX and NetBEUI, which attach directly to the physical transport and in parallel to TCP/IP, are not affected by IP based filtering. This has its good side and its bad side.

If you're having a problem with a personal firewall on a computer, you can work around that problem. IPX/SPX and NetBEUI are not affected by personal firewalls.

However, if you depend upon a personal firewall providing protection against malicious network traffic, you won't have that. Any malicious network traffic, IPX/SPX or NetBEUI based, won't be filtered.

>> Top

IP traffic, by design, passes thru routers; IPX/SPX and NetBEUI traffic doesn't. This has its good side and its bad side.

If you have a network in a single segment, and you use IPX/SPX or NetBEUI to provide a transport for Windows Networking, all Windows Networking traffic will stay on that segment. All shares will be totally safe from malicious access from other network segments, including the Internet.

If your network includes multiple segments, connected by routers, and you use IPX/SPX or NetBEUI as a transport for Windows Networking, all Windows Networking traffic will stay on each segment. Computers on separate segments will be unable to access each other, unless you build bridges between the segments. NBT was designed as that bridge.

>> Top

A network, using IPX/SPX or NetBEUI, is easy to setup. It's not so easy to setup properly though.

A simple IPX/SPX or NetBEUI network, in a single segment, requires no configuration. Both transports essentially set themselves up. There's no subnetting or other complicated TCP/IP settings to make.

If you want to access the Internet from your computers, though, you will still have to have TCP/IP on each computer. If you do not separate Windows Networking from TCP/IP on even one single computer, your entire Windows Networking environment may be exposed. And without protection by personal firewalls, all computers may be at risk more than if they were using NBT.

>> Top

Complexity and Use of Network and System Resources

IPX/SPX and NetBEUI are not significantly more chatty than NBT, and do not use significantly more network or system resources. If your computers only use IPX/SPX or NetBEUI, there is no complexity or resource problem.

But, if your computers will be accessing the Internet too, you'll need TCP/IP on each computer. IPX/SPX, NetBEUI, and TCP/IP, although each run under the same operating system, use different system components. And while they each generate traffic on the same network, the content of that traffic is different. So, with multiple combinations of IPX/SPX, NetBEUI, and TCP/IP operating on your network, your computers will have to work harder (to use multiple protocols), and your network hardware will have to work harder (to transport multiple protocols, with a higher volume of traffic).

If Windows Networking functions like browsing, or name resolution, run thru dual protocols on one computer, or if all computers on the LAN aren't identically setup and different computers run services thru different protocols, you'll really have problems. And some problems might not be immediately obvious either.

Separating Internet traffic (using TCP/IP) from Intranet (Windows Networking) traffic (using IPX/SPX or NetBEUI) has an effect similar to using a Virtual LAN. But using a common protocol (TCP/IP) with a properly designed layered security strategy is more efficient in the long run.

>> Top

Network Diagnostic Tools

With any network, any time there's a problem, such as an "access denied" error, you'll want to first look for a possible physical problem (by observing the lights on the network devices, and by running Device Manager diagnostics). Having dismissed the physical possibility, on a TCP/IP network, you'll be looking at IPConfig, and pinging one computer from the other. You have to eliminate lower level problems, before you can diagnose higher level problems.

If you have TCP/IP on each computer, for Internet access, you can still use ipconfig and ping. But if Windows Networking is using a separate transport, neither ipconfig or ping will be conclusively valid.
  • Just because you have IP connectivity (valid ping results), that doesn't mean that you have IPX connectivity.
  • Just because your computers are on separate subnets (from a bad IP configuration, indicated by ipconfig), you can't expect to find a NetBEUI connectivity problem.
  • If you don't install TCP/IP on each computer (or if you completely detach it from any computer), then ipconfig, ping, and other IP based diagnostics won't provide consistently relevant results.

>> Top

Limitations of Effectiveness

If you have problems with either IP configuration, or with a personal firewall, either IPX/SPX or NetBEUI will provide a good workaround. But, if the problem causing the "access denied" error is a bad cable or connection, or if you haven't setup file sharing authentication / authorisation properly, you'll have the same problem with IPX/SPX or NetBEUI. But now you won't have diagnostic tools to identify the problem.

>> Top

Windows Networking

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Network Operating Systems, such as Linux). If you reference the OSI Network Model, Windows Networking runs at the Application level. It uses Server Message Blocks over the lower network layers, such as Ethernet or WiFi, for connectivity.

By default, Windows Networking uses SMBs over NetBIOS Over TCP/IP (NetBT), and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI, if you're prepared to deal with the support issues. On a large LAN with a dedicated DNS server for local name resolution, it can use SMBs directly bound to ("hosted on") Internet Protocol.

Whatever transport that you choose, though, all computers need to use the same one.

There are five concepts, which you need to understand, to deal with Windows Networking problems.

Domains / Workgroups
Computers are grouped in domains or workgroups, with membership in either grouping providing benefits.

We can browse My Network Places (known sometimes as "Network Neighborhood"), and see all nearby computers. The workgroup that we are in is the part of My Network Places that is nearest to us - those are the computers that we need access to the most. A workgroup provides a way of identifying the computers that relate closely to our computer.

A domain, on the other hand, is a collection of computers that trust each other. When your computer is joined to a domain, it sets up a two way trust, where the computer and the domain are trained to trust each other.
  1. You authenticate (login as a local administrator) to your computer.
  2. You allow a domain administrator to authenticate to the domain from your computer.
  3. Your computer learns to trust the domain. A "certificate" from the domain is added to your computer.
  4. The domain learns to trust your computer. A "certificate" from your computer is added to the domain.

The domain membership also gives workgroup visibility. You see the other members of "your" domain. as you would see the other members of "your" workgroup. But the two way trust in the domain is special.
  • You gain access to your computer thru domain authentication - you trust the domain, based upon the certificate from the domain that's now on your computer, and upon the credentials (domain account / password) that you supply.
  • You gain access to domain resources in a similar way, from the certificate from your computer that's now in the domain, and from the credentials that you supply.
  • Other people in your work area, and presumably in your domain, can potentially access your computer, as you access theirs.
  • For an allegorical description of two factor (certificate / credential) authentication, see Designing an Authentication System....

Most small LANs will use workgroups, although small domains are worthwhile. Domain membership provides two components - Authentication / Authorisation, and Browsing. Workgroup membership provides one component - Browsing. Workgroup membership provides no authentication / authorisation; that must be provided by redundant accounts setup on both the client and the server.

Outside of becoming invisible in Network Neighborhood, by changing your domain / workgroup membership, you are not adding to your security at all. Becoming invisible is simply a form of Security By Obscurity. If you're on a network with untrustable computers or people, making yourself invisible won't protect you; you need Layered Protection, including a perimeter and / or personal firewall.

>> Top

Name To Address Resolution
You might call the computer in your kitchen "Kitchen Computer", but it's a safe bet that your equipment will call it something more definitive, like "" (an IP address), or "06-04-7A-D7-EF-BA" (a MAC address). The IP address, and the MAC address, are used by the various operating systems and network devices, to send message from computer to computer.

The process of translating a name like "Kitchen Computer" to an IP address like "" is called name resolution. Name resolution is provided independently of domain / workgroup membership. A domain may contain a DNS or WINS server, but that's not a given. Less likely, but still possibly, a workgroup may contain either. Without a name resolution server, all computers use peer-peer name resolution. Please don't confuse peer-peer resolution with Node Type "Peer-Peer", which is just the opposite.

If your network (domain or workgroup) is setup properly, but does not contain a DNS or WINS server, all computers will use peer-peer broadcasts to resolve names. Using IP addresses to refer to computers should not be necessary, except in extreme situations. And, if you're using an alternate protocol, an IP address won't work at all.

>> Top

Each domain / workgroup uses a browser server to tell it what resources are out there. For every domain / workgroup on a network, there should be at least one browser server in that domain / workgroup.

You can have computers in a workgroup, sharing a network with a domain. If a workgroup has its own browser server, the computers in the workgroup can see each other, and can see the computers in the adjoining domain.

If a workgroup has no browser server, its members will still be able to see each other, and the computers in the domain, if you make the workgroup name identical to the domain name. If you have a computer that's not a domain member, AND you give that computer a workgroup name identical to the domain name, the browser servers in the domain will provide visibility between that computer and the computers in the domain.

In order for browsing to work properly, several essential relationships have to exist between the various computers on the LAN in question.

Does your domain / workgroup occupy multiple subnets? If so, you need to know about Browsing Across Subnets. Do you maybe have two (or more) routers, but would prefer to have one subnet? If so, then read about File Sharing On A LAN With Two Routers.

>> Top

The Total Picture
Browsing is, arguably, not essential in a small LAN. Without the use of a browser server, a common workaround is to make an adhoc mapping to a share.

  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerName" (substituting the Other Computer Name, and less the ""), and hit Enter.

Or, you may make a persistent mapping from Windows Explorer.
  • Select Tools, then Map Network Drive, from the Windows Explorer menu.
  • Substitute the Server, and Share, into "\\Server\Share" as entered into the Folder: box.
  • Select "Reconnect at logon", if desired.
  • Select the Finish button.

Name resolution is not essential either. Without the use of name resolution, you can map a resource by substituting the ip address of the server for the name (again, if you're using NetBIOS Over TCP/IP as the transport).
  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerIPAddress" (substituting the Other Computer IP Address, and again less the ""), and hit Enter.

But, when you use Network Neighborhood (My Network Places) to provide a neat list of all the shared folders and printers on your network, you select and double click on a share, and you get a connection, you are using, in turn,

If you're having a problem with Network Neighborhood:
  • Network Neighborhood is empty, or lacks an entry for one or more computers that you know are there.
  • Computer A shows in Network Neighborhood for Computer B, but Computer B doesn't show in Network Neighborhood for Computer A.
  • You get an error "(Workgroup) is not accessible..." when opening Network Neighborhood.
  • You get a variant (and there are many variants here) of "not accessible / name not found ... access denied" when clicking on an entry in Network Neighborhood.

then you likely have a problem with either browsing, or name resolution. Diagnose Windows Networking first. If, and only if, you can't find any problems with Windows Networking, look at File Sharing. Whenever working on problems with Windows Networking, work from the bottom up.

You may also benefit from reading about Server Message Blocks, and Windows Networking.
>> Top

Authentication and Authorisation
Whether or not you do use the browser to list resources, and / or name resolution to locate the resources, you will still have to setup authentication and authorisation properly, if you wish to actually connect to, access, and change those resources. You can avoid use of the browser, and of name resolution; you cannot avoid authentication and authorisation.

>> Top

The Registry Editor

The RAM in your computer is short term memory, which is cleared when you restart the computer. The Registry in your operating system is the long term memory of the operating system. The Registry Editor helps you to make manual changes to this memory.

Have you used the Registry Editor before? If not, it's a scary tool, but it's pretty simple once you get used to it. Read Annoyances: Introduction to the Registry.

As an example, say you need to Change or to Delete the Value NodeType in Registry Key [HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Services\ Netbt\ Parameters], as instructed separately.

  1. Locate the Registry Key.
    • Open the Registry Editor
    • Navigate to [HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Services\ Netbt\ Parameters].

  2. Backup the Registry Key.
    • Right click on the Parameters entry in the registry tree.
    • Select Export.
    • Specify a file name and a folder, using the mini Windows Explorer wizard.

  3. Change or Delete the Value.
    • To Change the Value, double click on it, and type the appropriate value. Hit OK.
    • To Delete the Value, right click on it, and choose Delete. Hit OK.

  4. Reboot to ensure that the system accepts the change.

  5. If you experience any problems, simply locate the file created in step #2, and double click on it. Its contents will be automatically merged back into the registry, reversing any changes you just made.

(Note): The terminology here may take getting used to. The string (with spaces added to enhance readability)
HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Services\ Netbt\ Parameters
is called the Registry Key. The string
is called the Value name. And the string
1, 2, or whatever (entered as a DWord)
is called the Value data. My sympathy to you, as you try to absorb this. I don't find it too instinctive either.

Connecting Two Computers With A Crossover Cable

Most of my articles in this website are about Windows Networking / File Sharing, or about Internet Connectivity, and start by assuming that you have several computers, and a hub (router / switch) connecting them. But what if you have just 2 computers, and just want to quickly move files between the two? Or maybe you want to setup Internet service, for the 2 computers, without using a router to share the service?

You don't always require a hub (router / switch) to connect just 2 computers.

>> Top

Make The Right Decision
Start by asking yourself - what do you want to do - both now, and in the future? If you just want to immediately connect just these two computers, and quickly move files between the two, without Internet service, then this is the right start.

If your future might include Internet service, or if you might end up with a third computer, then you would really be better off using a hub (router / switch).

If you want to connect the two computers, and share Internet service, you can do that using a crossover cable. But know the issues before you start.
  • If the computer with Internet service has it thru a dedicated modem, either:
    • Internally installed.
    • Connected externally, but thru a serial cable.
    • Connected externally, but thru a USB cable.
  • then using a crossover cable is a valid solution.
  • If the computer with Internet service has it thru an Ethernet connection, or thru WiFi, then this is not a valid solution. If the Ethernet or WiFi connection is on subnet 192.168.0/24, this will not work at all. In the latter case, you will have to connect both computers directly to the LAN with subnet 192.168.0/24. If the Ethernet or WiFi connection has a private LAN address (,, or, you're behind a NAT router, and you should setup a bridge, rather than use ICS.

>> Top

Use The Proper Equipment
The simplest solution, for networking just 2 computers, is to get an Ethernet crossover cable, and connect the two directly. A single crossover cable is the equivalent to getting a hub (router / switch), and a pair of straight-thru patch cables.

Please use Ethernet, not Firewire or USB, for connecting your computers. Firewire / USB networking requires extra drivers, and extra work. Ethernet drivers are native in all modern operating systems.

Please use a Cross-over Ethernet cable. A Straight-Thru, aka Patch, cable may work for some newer systems, which can automatically sense the need for a cross-over. But a cross-over cable will work all of the time, when you need to connect two computers directly.

Patch cables may come in many colours and lengths; some computer stores will have dozens of choices to suit your cabling needs. Cross-Over cables, when you find them in the store, will be explicitly labeled "Crossover", and will come in one colour (probably orange), and one length (probably 3 or 5 foot).

Please buy a properly made cross-over cable. If you're a masochist, or extremely desperate, you may make your own from a pair of patch cables, properly spliced. But Ethernet cables, that support modern high speed networks, require precision in their construction. I'm a fan of do-it-yourself activity (as in the reason for this website), when it's properly planned. I don't recommend do-it-yourself Ethernet cabling, when you're setting up a network. Buy a cable, unless you're very experienced with networking and can easily recognise the possible problems.

If you replace the two Ethernet adapters, one on each computer, with two WiFi adapters, you may be able to eliminate the Ethernet cable and setup an ad-hoc WiFi network. A WiFi based ad-hoc network isn't terribly different from an Ethernet based ad-hoc network, once you get the WiFi connectivity working.

Use the Device Manager in Windows, and test the network adapter in each computer. Connect your cross-over cable to the two network adapters. Observe the lights on the network adapters, and / or the status indicated by the Local Area Connection icon in the tooltray - do both computers indicate successful electrical connection?

Now, will you be setting up your network to Share Internet Service? Or just to share files, with No Internet Service?

>> Top

Setup The Network - No Internet
If you just have two computers, and no Internet service to either, run the Network Setup Wizard on each computer. Select the last option
This computer belongs to a network that does not have an Internet connection.

Having connected the two computers physically, and checked that you have no physical problems, you need to make the logical (TCP/IP) settings. If you have Windows XP / Vista, or other current operating systems on your computers, you're in luck. Modern operating systems use a system called APIPA, and should be able to provide ip settings automatically, so the two computers will connect to each other. If you allow the two computers to dynamically assign addresses, APIPA should take care of this for you.

Be prepared to get an error message - Limited Or No Connectivity - if you use APIPA configuration.

NOTE: if any of your computers are NOT running Windows XP / Vista, you'll have to set the IP address and subnet mask manually, on those computers. Remember IP addresses have to be unique for IP addressing to work.
  • Run "ipconfig /all", from a command window, on each APIPA compliant computer first.
  • Make a list of which addresses are automatically assigned.
  • Manually configure each non-APIPA compliant computer.
    • Set each computer up with a unique IP address, in the 169.254.x.x subnet (written as 169.254/16 in many cases).
      • Each computer gets a subnet mask of "".
      • Each computer gets an IP address of "169.254.x.x", where the "x.x" MUST be different for each computer. Check your list of addresses assigned by APIPA!
      • Each value of "x" must fall between 1 and 255 (not including either 1 or 255).
    • You assign IP addresses using the TCP/IP Properties wizard. Select "Use the following IP address". Only worry about IP address and Subnet mask - the other settings are only useful if you have an outside connection. With locally connected computers, just IP address and Subnet mask are essential, and should be assigned as described above.

Having connected the two computers physically, and checked that you have no physical problems, next Verify The Network - make sure that it works properly.

>> Top

Setup The Network - With Internet
If you have two or more computers, with Internet service to one, and wish to share the service to the others, run the Network Setup Wizard, first, on the computer that has Internet service. Select the first option
This computer connects directly to the Internet. The other computers on my network connect to the Internet through this computer.

You'll probably be running ICS on this computer. Note the disadvantages and requirements of ICS, and a possible alternative. You'll have to have two separate network connections (one might be a modem, directly or internally connected). You'll indicate which connection provides the Internet service, and then which connection(s) are to be used for sharing the Internet service.

If, per the ICS alternative, you decide to use a bridge, remember that both of the network adapters, on the bridged computer, will have the same IP address. Plan your testing accordingly.

If you decide to use ICS, run the Network Setup Wizard on the other computers, and select the second option
This computer connects to the Internet through another computer on my network or through a residential gateway.

If you can't run the Network Setup Wizard on any computers, use the TCP/IP Properties wizard, and select automatic configuration.

If the second computer will be running as a server, and providing data to the Internet, remember that the ICS server will have to be online constantly. Having dealt with that requirement, setup the ICS server to (KB231162): forward the right ports to the Internet server.

Having connected the two computers physically, and checked that you have no physical problems, verify that the network works properly.

>> Top

Verify The Network
Please verify that you have connectivity between the computers first.

  • Run "ipconfig /all" on each computer, from a command window. Note the IP address and subnet mask for each network connection.
  • Make sure that you don't have a bridge, on any computer, unintentionally.
  • Verify that all computers are on the same subnet, and that each has a unique address.
    • If this is two computers without Internet service, each computer should have an address of 169.254.n.n, and a subnet mask of This will indicate that each is on subnet 169.254/16.
    • If this is two, or more, computers sharing Internet service, the first computer (thru which the others will be getting Internet service) must have an address of, and a subnet mask of (on the connection used for sharing the Internet service). All of the computers getting Internet service thru the first computer must have an address of 192.168.n.n, and a subnet mask of, and show both DHCP and Autoconfiguration Enabled = Yes.
  • From each computer, again in a command window, ping the other. If, for instance, the address on Computer B is "", open a command window on Computer A, and enter:

    If you get back a series of responses like
    Reply from bytes=32 time<1ms TTL=128
    Reply from bytes=32 time<1ms TTL=128
    Reply from bytes=32 time<1ms TTL=128
    Reply from bytes=32 time<1ms TTL=128

    then you are ready.

When you open Windows Explorer on each computer, and look in Network Neighborhood, you should see both computers. And when you open (doubleclick on) one entry, you should see the folders and files.

And, if the computer directly connected to Internet service can access the Internet, the other computers should be able to do so also.

>> Top

Troubleshoot The Network, If Necessary
So what if it doesn't work, per the basic testing above? Well, now you start troubleshooting, and methodically, in the right sequence.

>> Top

Hacking Redefined

Modern malware is constantly taking on new forms; it's hard for those of us who aren't dedicated security experts to comprehend how deviously, and methodically, it's designed and deployed. How do you fight it? Well, first, you have to know what's out there. With that goal in mind, I will provide here a brief overview of malware.

I would first like to apologise to those good guys, like Steve Wozniak and John Draper, who called themselves hackers, and who insist that the proper term for the bad guys is crackers. If you're calling yourself a hacker, and you're a good guy, you're swimming upstream, and there's a strong downstream current.

Even though we abhor malware in general, it's hard NOT sometimes to (objectively) admire how professionally it's designed and deployed. Computer owners, who become victims of hacking, will NOT (subjectively) admire the tools, or the attackers.

One of the problem is how you describe what's happening? Which came first - the chicken or the egg? How do you define hacking, other than what a hacker does?

For the purpose of this article, I will define the following terms.
  • Hacking is aggressive, deceiptful, or intentional misuse of any computer not legally owned by any Attacker, for commercial, financial, or personal purpose.
  • Hacker is the person, or groups of people, doing the Hacking.
  • Malware is the tool used for Hacking, AND the payoff of the Hacking.
  • Victim is the legal owner of the computer Attacked by a Hacker (or user of a corporate computer).

Malware includes:
  • Adware.
  • Hijacks.
  • Spam.
  • Spyware.
  • Trojan.
  • Virus.
  • Worm.

The people performing the Hacking Attacks have been referred to as, variously:
  • Adware / Spyware Writers.
  • Hackers (Classically).
  • Crackers.
  • Spammers.
  • Virus Writers.

In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:
  • Spam is used to deliver Trojans to be installed on Victims computers.
  • Adware / Spyware is installed as Trojans.
  • Trojans, installed on Victims computers, are used in the delivery of Spam, or Worms, to other Victims.
  • Viruses are used to attack people or software used to defend against Adaware, Spam, and Spyware.
  • Viruses, having infected the Victims computer, can become Worms, and attack other computers on the same Network.
  • Viruses or Worms were used to Attack the data on the Victims computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.

The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement. See, for instance, War Games, one of the earliest movies about Hackers.

Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, which when installed on the Victims computer, may make that computer part of a Botnet. A Botnet, or army of computers controlled by a successful Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Trojans, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.

The term Spam comes from a legendary skit by the British comedy group Monty Python, which maligned a very controversial food product made by Hormel, called "Spam". It was originally used to describe unwanted email, which would typically be used to advertise commercial products of varying legitimacy. Now, following the links in spam email, or spam postings in various forums or on various websites, will typically take your computer to websites that are used to serve trojans to your computer, or possibly to manipulate search engines, making them favour websites serviced by (again, for a fee) a hacker.

So spam too becomes both the medium (email / Internet postings), and the payload (websites benefitting from the spam).

The term Trojan refers classically to the mythical story of the Trojan Horse in Greece. A Trojan is software which is packaged (by the hacker) with Host software that is trusted by, and intentionally installed by, the Victim.

A Trojan can be anything as innocent as an extra toolbar, installed as a part of the Victims browser, and used to "enhance the browsing experience", to software that makes the Victims computer act in a three role Spam delivery capacity. A Trojan is intentionally installed on a server (by a Hacker), with the Host software. It then requires the intentional installation of the Host software (by the Victim), for propagation onto the Victim's computer. A trojan travels as a server to client infection - from a server to a client (victim) and then no further.

A virus is software that travels, from one computer to another, in trusted Host software, such as an application or data file passed by one victim to the next. A virus requires the intentional installation of the Host software (by the Victim), for propagation, but automatically repackages itself on the Victim's computer, for transport to the next computer. A virus travels as a peer to peer infection - from any computer to other computers, and then to more computers later.

A worm is software that travels, from one computer to another, in a trusted media, such as the computer network (with no firewalls in place), or in email (with no malware malware / virus scanning software in place). A worm requires no intentional action, by the Victim, for propagation. A worm travels as a peer to peer infection - from any computer to other computers, and then to more computers later.

Malware - Classified By Delivery Mechanism
  • Trojan - A server to client infection, that requires action by the Victim to propagate. A trojan starts out life packaged, by a hacker, with software trusted by the Victim. When the Victim installs the trusted software, the malware gets installed. Once installed on the Victims computer, a Trojan travels no further. A trojan can be used targeted against a specific set of victims - maybe players of a specific game, or visitors to a specific website.
  • Virus - A peer to peer infection, that requires action by the Victim to propagate. A virus starts out on a Victims computer, and packaged with software trusted by the next Victim. When the next Victim installs the trusted software, the virus gets installed. Unlike a Trojan, a Virus automatically repackages itself, on the Victims computer, for transport to the next Victim. A virus is simply broadcast - its spread cannot be controlled, excepting by the media in which it spreads. A successful virus spreads indiscriminantly.
  • Worm - A peer to peer infection, that requires no action by the Victim to propagate. A Worm is malware that travels, from one computer to another, in a trusted media, such as a computer network (with no firewalls in place), or in email (with no malware malware / virus scanning software in place).

Malware - Classified By Payload
  • Adware - Malware that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victims computer.
  • Hijack - Malware that makes the Victims computer do things not intended by the Victim.
  • Spam - Malware consisting of unwanted Messages delivered to the Victims computer.
  • Spyware - Malware that collects and transmits personal information about the Victims computer, or about the Victim, to persons who have no legal entitlement to that information.

Malware Protection

We use differing defense mechanisms, to protect against differing malware.

Since worms travel as network traffic, a firewall, or a NAT router, will protect against them. A firewall examines the content of the network traffic, detects the malware, and (possibly) alerts us to its activity. Since a NAT router passes traffic between specifically defined endpoints (a distant server, using a specific IP address / port / protocol, mapped using NAT to a specific local computer / port), a worm (which has as its destination only the public IP address / port) goes nowhere. It's simply ignored by the NAT processor.

If we care to learn of worm activity in our neighbouring public address space, we would connect a computer with firewall directly to the Internet service, and configure its firewall to log and / or report worm activity. If we don't care, a NAT router simply discards worm traffic. In either case, no worms can attack the computers on a properly protected LAN.

Since trojans and viruses travel as application traffic, a mere firewall or NAT router is useless here. Firewalls and NAT routers examine and pass packets. An infected file (virus) or a page from a web site with malicious content (trojan) will be broken down into multiple packets. A firewall or NAT router has no ability to filter or inspect multiple packets statefully.

Trojans and viruses can only be detected after reassembly of the packets into application data, and in some cases, after multiple files or web pages have been received by the client. Protection against a trojan or virus is generally by detection, after the malware has landed on the client, but hopefully before it has installed its payload.

Malware Detection

So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?

You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.
  • Behaviour analysis and detection.
  • Signature analysis and detection.

Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antitrojan / antivirus products, which contain a sandbox, which is a replica of the operating system, within the AT / AV product code. A suspect file is copied into the sandbox, opened from within, and watched. When opened, if it makes suspicious use of system resources provided by the (replica) operating system, it is determined to be malware, and examined further.

Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.

Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.

By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware, software designed to look for malicious outgoing traffic will be better at detecting spyware.

Signature analysis is a much simpler process, but demands more repetitious work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing the signature against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system, against the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it's multiple times / day), a rescan could be appropriate.

Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which makes unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.

On the other hand, its somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AT / AV scan finds a file with an embedded unpacker, it's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.

Malware Detection and Removal Tools

So all of the above is good background information, but what do you do about the problem, once you understand it?

The traditional way of scanning for viruses, the first malware that was distributed so long ago, was by examining each file on the computer that might carry a virus. This is where the signature and heuristic checks would be done. I'll discuss the tools required in Dealing With Malware.

The problem with scanning each individual file on the computer is several:
  • You need a database on the computer being scanned, that describes each known malware.
  • Scanning each file on the computer is labourious; as the signature database gets larger, scanning each file on the computer times the length of the database gets larger still.
  • You still have to do heuristic scanning. If you limit your analysis to known malware, you risk overlooking undiscovered malware, that hasn't been added to the database.
  • Since the scanning process constantly gets longer, the tendency is to scan only when convenient. Malware that propagates between the scans travels with ease.

The new procedure is to observe the computer as one large process. With the exception of malware that has no payload, except to travel from computer to computer, all malware has to surface with secondary symptoms. Generally, those secondary symptoms have to include one or more rogue processes, running on the victims computer.

If we treat the computer itself as one large file, we can do signature and heuristic checks against all of the processes and files, or whole computer heuristic analysis. I'll discuss that process in Dealing With Malware Version 2.

Connecting Different Devices To Your Internet Service

Many Internet services do not want you to casually connect just any network device (computer or router) to their network. They will link your IP address, or network connection, to a specific MAC address entry in a database in their system, or in the memory of the modem connected to their network.

If you connect another device, with a different MAC address, to their network, they will deny service to the unknown device. Each different network device in the entire world, be it a modem, network card, or router, has a unique MAC address assigned when it is manufactured. Many broadband services will issue an IP address, and provide or deny service, based upon the MAC address.

If you connect a different computer, or a router, to your Internet service and get no connection, you will have several choices to force your service to accept the new computer or router.

Reset the Modem
If you're lucky, your modem is easily reprogrammed.
  • Have all devices connected and powered up.
  • Look carefully for a small hole on the back or bottom of the modem, labeled "Reset". Generally it will be large enough for just a large paper clip.
  • Insert a straightened paper clip into the hole, and press ever so gently, maybe 1/32".
  • Hold for 10 - 15 seconds.
  • Release.
  • The lights on the modem will flash differently, indicating reset activity.

Reset the Broadband Service
If you can't reset the modem, you reset the ISPs equipment.
  • Power everything down.
  • Connect everything as you wish.
  • Wait 5 - 10 minutes.
  • Power only the modem on. Wait until the modem indicates service (the Line / Link / Service light is lit).
  • Power the router on.
  • Power the computer on.

If this procedure doesn't work, try again, but wait 1/2 hour or so. Some services reportably have a 4 hour retraining period, as the equipment behind the modem (at the broadband head-end) has to reset too. You may even have to involve your ISP, in extreme cases.

Change The MAC Address
If you can't reset the modem, or the service, you change the MAC address to match the computer that was previously connected to the service. Most network cards and routers will allow you to change their MAC address. This is called the Locally Administered Address, as opposed to the Universally Administered Address which is assigned at manufacture. The procedure for doing this, if available, will vary by vendor and by device.

Most network cards can be changed, in Windows NT systems, on the Network Adapter Settings wizard, which is accessible from the Connection Properties wizard. On the Advanced tab, in the Property window, you should find the Network Address. Change that to the appropriate value, and hit the Close button. Restart the system if necessary.

To find the MAC address for a network card, look in the output from "ipconfig /all".

Physical Address. . . . . . . . . : 00-04-76-D7-B7-6F

To change the MAC address of a router, you will probably use the router configuration web page. This process, called MAC address cloning or spoofing, will vary by router. You will have 2 possibilities here - either the router will allow you to manually change the MAC address of its WAN port (similar to the network card change above), or the router will automatically change its WAN port to match the MAC address of the computer that you are currently using to manage it (making the assumption that you are running the management program from the computer previously used for Internet access).

From the router configuration web page, find the MAC Address Clone (or Spoof) selection. Follow instructions - either type a MAC address, or select "Use this MAC address" (the address of the computer which you are on right now). The router will, most likely, restart, the modem will see a known and trusted MAC address, and will grant service.

>> Top

The Local Security Policy Editor

The Local Security Policy editor, aka "secpol.msc" is used on any computer running Windows 2000, or XP Professional, to provide the granularity needed in tuning the operating system. It is not available for XP Home. With XP Home, you may have to use alternative products.

You can run the editor in any of several ways.

  • From Control Panel - Administrative Tools - Local Security Policy.
  • From Start - Run - "secpol.msc".
  • From any command window, again as "secpol.msc".

Having started the Editor, you can find the entry that you need in a branch under Security Settings.

  • Account Policies.

    • Password Policy
    • Account Lockout Policy

  • Local Policies.

    • Audit Policy
    • User Rights Assignment
    • Security Options

  • Public Key Policies.

    • Encrypting File System

  • Software Restriction Policies.

    • Security Levels
    • Additional Rules

  • IP Security Policies on Local Computer.
The names of the entries themselves are long enough to be self-explanatory.

Server Availability Affected By Maximum Simultaneous Connections

With Windows 2000, XP, and Vista, you are subject to a limitation on the (KB314882): number of simultaneous connections that a server can provide. If you have more than 5 connections to a server running a Home edition, or 10 connections to a server running a Business or Professional edition, you may observe various symptoms:

  • The error "No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept."
  • The error "Server is not accessible...".
  • As connections time out from disuse, they will become disconnected. Attempts to reconnect will either result in the above errors, or will force the disconnection of another, less active computer.

The good news is, you can't use up all of your connections on any server from any one client, with multiple sessions on that server. Generally, one account on one client with multiple sessions = 1 connection. A session started by a user, and another session started by the system account, from one client, will count as 2 connections, though. And multiple protocols, for instance NetBEUI and TCP/IP, if both are used for file sharing, will count as 2 connections by a single client.

Check the connections in use on your server, using one of two tools - the GUI Shared Folders wizard, or the command window Net commands.

As a client becomes inactive on a server, its connection will timeout, and become available to another client. The default period for inactivity to trigger a disconnection is 15 minutes.

If you need many more client connections than the server can provide, you can lower the timeout period, by tuning the server. Microsoft (KB314882): Inbound connections limit in Windows XP tells us how to change the timeout period to 10 minutes, for instance. Into a command window, enter:

net config server /autodisconnect:10

But beware. Changing the timeout period, by using "net config", may affect server functionality, permanently.

The Windows Server service is self-tuning; normally the server configuration parameters are autoconfigured (calculated and set) each time you start Windows XP. If you run net config server in conjunction with the /autodisconnect, /servcomment or /hidden options, the current values for the automatically tuned parameters are displayed and written to the registry. After these parameters are written to the registry, you cannot tune the Server service by using the Networks tool in Control Panel. If you change any of the Server service settings, Windows XP can no longer automatically tune the Server service for your new configuration. To avoid losing the Server service's automatic self-tuning capability, make the change through Registry Editor instead from a command line or Control Panel Network.

You may want to use the Local Security Policy Editor (for XP Pro only) instead. Under Security Options, you should find "Microsoft network server: Amount of idle time required before suspending session". Or, you may prefer to edit the registry directly, and change Registry Value [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\autodisconnect]. Change either the LSP entry (for XP Pro), or the registry value, to an appropriate setting.

Now, knowing that there is a limitation is slightly easier to deal with when you have some way of monitoring use, so you can prevent exceeding the limitation, or at least know when you have exceeded it. See Know Who's Accessing The Server, for discussion about the GUI Computer Management - Shared Folders wizard, and for the Command Windows utility Net command.

You may find additional information of interest in the Microsoft articles

>> Top

Use NTRights To Grant Specific Privileges

Generally, you use the Security Policy Editor, aka "secpol.msc" to grant rights to accounts under Windows NT (NT, 2000, XP, Server 2003). There are two cases where you wouldn't do this, though.

  • The Security Policy Editor won't run under Windows XP Home.
  • You may wish to change the rights using a script.

In either of these cases, you'll want to use the NTRights utility.

NTRights is available, as a standalone component, from Dynawell, or as a component in the Windows 2003 Server Resource Kit Tools.

You can run NTRights depending upon how it was downloaded and installed.

  • If you downloaded NTRights as a standalone component from Dynawell, and copied NTRights.exe into a folder in the Path, you can run NTRights directly from a command window.
  • If you downloaded and installed the Server Resource Kit Tools, you run NTRights from a SRK command shell.

    • Hit Start.
    • Hit All Programs.
    • Hit Windows Resource Kit Tools.
    • Hit Command Shell.

NTRights is case and syntax sensitive, so you may want to look at the command help - type "ntrights /?" at the prompt. Or you can read How to Set Logon User Rights with the Ntrights.exe Utility. You may also find How to: Determine NTRIGHTS Names and Meanings informative.

As an example, to allow the Guest account to be used for network access, you grant the SeNetworkLogonRight. Enter precisely:

ntrights +r SeNetworkLogonRight -u Guest

Read the documentation carefully, and remember:

  • Distinguish properly between "+r" and "-r".
  • All rights names, such as "SeNetworkLogonRight", are case sensitive.
  • There are 4 words (strings of non-blank characters) after "ntrights", in the above example. Each word must be preceded by a space.

>> Top

Limited Or No Connectivity

With XP SP2, Microsoft wants you to be aware when your computer, although configured for automatic address assignment, does not in fact get service from a DHCP server. Your computer, and maybe one or more other computers, will have (KB220874): APIPA addresses.

This is simply a new message - it is not a new problem, and the APIPA address is a symptom of the problem, not the problem itself. You have to solve the problem, not the symptom. Manually assigning an IP address, subnet mask, etc won't solve anything.

There are 2 possible reasons for not getting DHCP service.

No Connectivity
If your computer has no connectivity, whether you leave the APIPA address, or use a manually assigned address, you will gain nothing. You will have to diagnose and fix the physical connectivity problem.

A case of LSP / Winsock corruption can cause No Connectivity, so if you can't easily find a physical connectivity problem, check that next.

Connectivity, but no DHCP server
If your computer has limited connectivity, it has an APIPA address, and it may have connectivity to other computers on the local network. APIPA addresses don't pass thru routers though, so you'll at best have connectivity only with other computers, also with APIPA addreses, and also on your local network.

There is one case where this is not at all a problem. If you have 2 or more computers - either 2 computers connected directly with a cross-over cable, or 2 or more computers connected thru a hub or switch, you may have a LAN with no DHCP server, and no gateway.

In this case, each computer will self-assign an IP address, per APIPA design. If your only need to connect the computers is to let them share files with each other, then you're fine.

If you have a gateway on your LAN, and intend for the computers to communicate outside the LAN, however, you have a problem. Manually assigning normal addresses, such as 192.168.n.n, to match the rest of the computers on the LAN, will accomplsh nothing.

If you manually assign an IP address that will communicate with the outside world, you'll have to do this for every computer on your network with an APIPA address. You'll be better off finding and fixing the problem.

Make sure that the DHCP Client service is running - Started and Automatic.

If the client computer is running Windows Vista, check for a couple connectivity issues which are unique to that operating system.

If your DHCP Client is running, and none of the above help, the problem is probably not with your computer. Either you have no device on your local network that can provide DHCP services, or the DHCP server is ignoring the requests from your computer. The latter condition can either be caused by a MAC address filter, or by an exhausted DHCP scope (all available IP addresses having been issued).

Do you have a DHCP server on the LAN, or are your computers behind a NAT router? If either is the case, check the log on the server, or the router, for clues.

More Analysis
If none of the above scenarios apply to you, or if you can't work as above, then continue by asking for help for basic Internet Connectivity. Or troubleshoot the Internet Connectivity problem yourself, methodically.

>> Top

Local Name and Address Resolution On Your Computer

Hosts and LMHosts are local, fixed name resolution caches on your computer, invented before the concept of DNS. Their contents may cause the computer to bypass use of dynamic name resolution techniques like querying DNS, name broadcast, and / or WINS.

If your computer is attempting to resolve the name of a computer, and there's an entry in either Hosts (if DNS resolution is being used), or in LMHosts (if NetBIOS aka WINS resolution is being used) that matches the target name, resolution will stop there.

The Hosts (and similarly the LMHosts) file contains entries of the form:

nnn.nnn.nnn.nnn hostname

The first entry in Hosts, for instance, should be: localhost

This entry is called the loopback address. It lets you reference the computer itself, from itself, without using any network hardware or software. The loopback address is an essential component in layered testing. It is referenced in a diagnostic sequence, for instance:

  • Ping
  • Ping the computer by IP address.
  • Ping the computer by name.

There may be additional entries in Hosts. Some entries may be intentional, others may have been added without your knowlege. Know and understand the difference.

  • You may intentionally override dynamic resolution to create an alias to a server.
  • Malware has been known to hijack the Hosts file. This practice predates pharming, and has the same effect.
  • Many security strategies use the Hosts file to block access to known malicious websites.

Hosts and LMHosts are generally found in "%SystemRoot%\System32\drivers\etc". When in doubt, though, it's best to verify the registry entry which points to that location, as some malware may change the registry entry. Examine the value of registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath], and make sure its value is as stated above. Any other value may point to a Hosts file hijack.

See TCP/IP and NBT configuration parameters for Windows XP for further information.

Whether or not you find your Hosts file hijacked in a registry setting, check the content of your Hosts file very carefully.

Both Hosts and LMHosts are simple text files, so you may view and/or edit either using Notepad. But view and edit them carefully; errors can have unpredictable results. Saving changes is tricky; you should save Hosts, for instance, as "Hosts." (note the period after "Hosts"), as type "All Files".

RestrictAnonymous and Your Server

To have a truly secure server, you'll want to require proper authentication before allowing access. The restrictanonymous registry setting allows you to control anonymous access, and make authenticated access necessary.

The restrictanonymous registry setting, if not used properly, can affect access to your server in several possibly unanticipated ways.

  • Your server son't be enumerated by the browser.
  • Your server won't be accessible thru Guest authentication.
  • Your server may not have its name successfully resolved to an address. Other computers may display an "error = 53" when trying to access your server.

The browser process is designed to run from a server, which would typically be unattended, and not logged on. It uses anonymous access to enumerate any server under its notice. Since it requires anonymous access, browser operation is subject to interference by the restrictanonymous setting.

Since the Guest account is equivalent to anonymous access, the restrictanonymous setting can likewise interfere with Guest access.

And, in at least one case which I have observed, the restrictanonymous setting can interfere with name resolution.

The Zotob worm, as we are instructed by ISC / SANS Zotob affecting some XP SP2/2003?, uses anonymous SAM enumeration to spread. That ability is controlled by the restrictanonymoussam setting. The ISC article goes further, predicting that one day some currently unknown worm may use anonymous shares enumeration, and recommends setting restrictanonymous to block such expected activity. If you followed such a recommendation, and you are now here, that is why you're here.

Enumeration of your server, and other relationships described above, requires anonymous access.

Look at registry key (spaces added for readability) [HKLM \System \CurrentControlSet \Control \Lsa], value restrictanonymous, on any server with either problem.

For anonymous access to work (for any server to be enumerated by a browser, or for Guest authentication to take place), a server must have a restrictanonymous value of "0". If the value on your server isn't "0", change it and restart the server.

NOTE Only worry about one specific value here: restrictanonymous.

  • The relevant key node is CurrentControlSet. ControlSet001, ControlSet002, ... are mirrors of that key, and are not relevant, when you're working on this problem.
  • The relevant value here is restrictanonymous. The peer value, restrictanonymoussam, is not relevant, when you're working on this problem.

Only worry about the restrictanonymous value in the [HKLM \System \CurrentControlSet \Control \Lsa] registry key.

Besides restrictanonymous, though, you might want to be aware of the Hidden, and the RestrictNullSessAccess, registry settings.

For more information, you might want to read:

The above articles refer to Windows 2000, and to Server 2003. Remember Win2K is NT V5.0, WinXP is NT V5.1, and Windows Vista is NT V6.0.

>> Top