LAN Sharing and Network Neighborhood Security

Source: Internet
Author: User

I. Neighbors in the LAN

Miss Li is a secretary at a company. Yesterday she stayed up all night to finish a project report, and this morning she hurried back to the company to present it to a customer. She had just left the conference hall on the 30th floor and was on her way back to her desk on the 15th floor when, stepping out of the elevator, she got a call from the colleague running the demonstration: the presentation files for the report were incomplete, and she was asked to bring the rest up at once. Miss Li realised that in her haste she had forgotten to copy a few of the documents, and she knew that if this carelessness became visible to the customer it would reflect badly on the company. For a moment she was at a loss. Then she remembered the company's LAN ......
The crisis was averted. Miss Li sent the files over the LAN, the presenter quietly added the missing documents, the meeting went smoothly, and everyone finally breathed a sigh of relief ......

The basic role of a network is resource sharing, and in the Local Area Network (LAN), the smallest unit of network structure, this idea is fully realised. How, then, is sharing in a LAN actually implemented?

1. Principles of LAN implementation

Before looking at sharing, we need to understand what a LAN is. A LAN is not the same thing as the TCP/IP protocol suite used for communication with the outside world; besides TCP/IP, the network structure inside a LAN involves many other protocols.
In a LAN, computers locate each other not by IP address but by the MAC address of the network card, a unique identifier fixed at manufacture. According to the protocol specification, when a computer wants to reach another computer, it uses ARP (Address Resolution Protocol) to broadcast the target computer's IP address on the physical network. A "broadcast" is a transmission that every computer on the segment receives. Each receiving computer checks whether the message is addressed to itself; if so, it returns a response, in this case its own MAC address. When the source computer receives a valid reply, it learns the target's MAC address and stores the mapping in the system's address cache, so the next transmission needs no further broadcast. The cache is refreshed and rebuilt periodically to avoid redundant entries.
The sharing protocol, in turn, requires every computer in the LAN that has file and printer sharing enabled to announce itself at startup by broadcasting its own IP address and the corresponding MAC address to the network segment. One computer (usually the first one started in a workgroup) receives and stores these announcements. This computer is called the "master browser". It is an extremely important machine in the workgroup: it maintains the browse list for its own workgroup and the list of master browsers designated for other workgroups, and it provides browsing services both to the computers in its workgroup and to computers from other workgroups that visit it. It is identified by registering a name containing the \_MSBROWSE_ segment. This is why we can see other computers in Network Neighborhood: what is displayed is really the browse list. On the master browser you can run "nbtstat -r" to view the NetBIOS name list.
The browse list records resource descriptions for the computers active in the LAN. When we want to access another computer's shared resources, the system actually sends a broadcast query to the master browser, and then uses the browse list the master browser returns to "discover" the shared resources of the target computer.
Knowing each other's address is not enough, however: a data link must be established between the computers before they can work together, and this requires another basic protocol. NetBIOS (Network Basic Input/Output System) is a command set developed by IBM to provide networking and other special functions for LANs. Almost every LAN relies on this protocol; within the LAN, NetBIOS plays the role that TCP/IP plays on the Internet. The NetBEUI protocol (NetBIOS Extended User Interface) was introduced later to extend NetBIOS's functions. These protocols are essential for forming a LAN. Finally, in order to establish connections, the LAN also needs the TCP/IP protocol.
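The master browser name mentioned above can be recognised in captured traffic once you know how NetBIOS names are encoded. The PowerShell below is an added example, not code from the original article: it implements the standard NetBIOS first-level name encoding, and the suffix values in the comments come from the NetBIOS specification rather than from this article.

```powershell
# Added example (not part of the original article): NetBIOS first-level name
# encoding as used in name registration and browser traffic on UDP 137.
function ConvertTo-NetBiosNameBytes([string]$Name, [byte]$Suffix = 0x00) {
    # A NetBIOS name is 16 bytes: up to 15 characters, upper case, space padded,
    # plus one suffix byte saying what the name is registered for
    # (0x00 workstation, 0x20 file/print server, 0x1D master browser).
    $padded = $Name.ToUpper().PadRight(15).Substring(0, 15)
    [byte[]]([System.Text.Encoding]::ASCII.GetBytes($padded) + $Suffix)
}

function ConvertTo-EncodedNetBiosName([byte[]]$NameBytes) {
    # Each byte is split into two nibbles and each nibble is written as 'A'+nibble,
    # so the 16-byte name becomes the 32-character label seen on the wire.
    -join ($NameBytes | ForEach-Object {
        [char](0x41 + ($_ -shr 4)); [char](0x41 + ($_ -band 0x0F))
    })
}

function ConvertFrom-EncodedNetBiosName([string]$Encoded) {
    # Reverse the encoding and return the name text and the suffix separately.
    $bytes = [byte[]](0..15 | ForEach-Object {
        $hi = [int][char]$Encoded[2 * $_] - 0x41
        $lo = [int][char]$Encoded[2 * $_ + 1] - 0x41
        ($hi -shl 4) -bor $lo
    })
    [pscustomobject]@{
        Name   = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 15).TrimEnd()
        Suffix = '0x{0:X2}' -f $bytes[15]
    }
}

# The master browser's special name is not space-padded text but the 16 bytes
# 01 02 "__MSBROWSE__" 02 01, which encodes as ABACFPFPENFDECFCEPFHFDEFFPFPACAB.
$msbrowse = [byte[]]((1, 2) + [System.Text.Encoding]::ASCII.GetBytes('__MSBROWSE__') + (2, 1))
ConvertTo-EncodedNetBiosName $msbrowse

# A machine named FILESRV (constructed sample) registering as a file server (suffix 0x20):
$encoded = ConvertTo-EncodedNetBiosName (ConvertTo-NetBiosNameBytes 'FILESRV' 0x20)
ConvertFrom-EncodedNetBiosName $encoded
```

The suffix byte is what distinguishes a workstation registration from a file-server or master-browser registration of the same name, so it is the field to look at when working out which machine in a capture is acting as master browser.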

2. LAN sharing in Windows

In Windows, identity and permission verification for computers in the LAN is implemented by a component known as "IPC" (a named pipe). It was originally provided by Windows so that administrators could log on to and manage computers remotely, and it is also responsible for file sharing and transfer in the LAN, which makes it an indispensable basic component of Windows LAN networking.
By default, sharing between computers on the local network is performed under the identity of the guest account, "Guest". This account has the fewest permissions in Windows, which provides a basis for preventing unauthorized access by visitors while still meeting the minimum requirement for normal resource sharing. Any computer that wants to provide the LAN sharing service must have the guest account enabled; the command is "net user guest /active:yes".
Besides using IPC for authentication, the system uses the SMB (Server Message Block) protocol for file sharing. This protocol is closely tied to sharing and will be discussed later.

II. Implementation of LAN sharing

Although we can define a LAN as "a network made up of a certain number of computers connected by interconnection devices", merely fitting a computer with a network card and physically connecting it to the network does not produce a working LAN; a number of protocol settings are also required before resources can be shared.
First, the IP addresses of the computers in the same LAN should lie in the same network segment. Although the address ultimately used on Ethernet is the network card's MAC address, IP addresses are far easier to remember at the user level, and the system's interactive interfaces and network tools use IP addresses to locate computers. A valid IP address is therefore the basis on which computers find each other and must be configured, unless you are in a DHCP environment, where the server allocates IP addresses automatically.
Next, the machines in the LAN need a common "communication language", the LAN protocols, including at minimum the NetBIOS and NetBEUI protocols. Then confirm that "File and Printer Sharing for Microsoft Networks" is installed and selected, and make sure that "Client for Microsoft Networks" is installed and is the only client installed; otherwise various strange network faults may occur.
Then the user must designate at least one shared resource on the computer, such as a folder, a disk or a printer. Once these tasks are complete, the computer can share resources on the LAN normally.
Finally, the computer must have at least one of ports 139 and 445 open. They carry NetBIOS session connections and are the ports the SMB protocol depends on. If both are blocked, sharing requests from other computers cannot be answered.
Not every user, however, gets to enjoy the convenience of LAN resource sharing smoothly. Operating-system configuration, damaged protocol files and modifications made by some software often cause a variety of sharing problems. If you are a network administrator, you need to know how to troubleshoot the most common LAN sharing faults.

III. LAN sharing fault analysis and troubleshooting

IPC, the Server service and sharing faults

Fresh out of school, Mr. Wang found an internship at a graphic design company. One day a colleague from the office rushed over to the network department asking for anti-virus software, but unfortunately the administrator had not yet come back. Mr. Wang, ever enthusiastic, reckoned that although he was not a networking professional he knew a little about it, and volunteered to help. Luckily it was only a minor virus and he dealt with it easily. Basking in his colleague's praise, Mr. Wang went on to "optimise" her system while he was at it.
Barely ten minutes later the colleague came back to the network department: since Mr. Wang had tinkered with it, other computers could no longer access the shares on her machine. For the first time, Mr. Wang learned what good intentions can cost ......

When discussing Windows LAN sharing, I mentioned IPC (Internet Process Connection), a named pipe that NT and later systems open for inter-process communication. By verifying a user name and password, a client obtains the corresponding permissions; Microsoft uses this mechanism for remote computer management and for viewing a computer's shared resources. If it is disabled, the computer exhibits the "Network Neighborhood inaccessible" fault.
On Windows NT-family systems, IPC depends on the Server service. Users accustomed to stand-alone use may have stopped this service; the consequence is that the system can no longer perform any LAN-related operations: the user can neither view other computers nor publish any shares.
To check whether IPC and the Server service are working, type the "net share" command at the command prompt. If the Server service is not running, the system prompts "The Server service is not started. Is it OK to start it? (Y/N) [Y]:"; press Enter to start it. If the Server service is running, the system lists all currently shared resources, which must include at least one named "IPC$"; otherwise the user still cannot use shared resources normally.
Besides the Server service, two other services affect sharing: "Computer Browser" and "TCP/IP NetBIOS Helper". The former saves and exchanges the NetBIOS names and shared-resource lists of the computers in the LAN; when a program needs another computer's shared resources, it looks the target up in this list. Once the service is disabled, IPC concludes that no shared resources are available, and users naturally cannot access other computers' shares. The latter mainly serves NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution. NetBT provides the carrier that lets NetBIOS commands travel across network segments. This is why the "remote intrusion via port 139" described in early hacker tutorials was possible: the NetBIOS traffic was encapsulated in TCP and carried over the Internet to the other machine, which processed it and sent its data back through the same channel. Without it, the network resource mapping command "net use" could not be used across network segments. For the local LAN, NetBT is the transport that the SMB protocol depends on, and it is equally important.
If these two services have been terminated abnormally, sharing in the LAN may not work properly. In that case run "services.msc" to open the Service Manager, find the "Computer Browser" and "TCP/IP NetBIOS Helper" services, and click "Start".

System security policies and sharing faults

Users familiar with Windows have probably come across Group Policy (gpedit.msc) in one form or another. It offers a more intuitive way of configuring system functions and user permissions than editing the registry by hand, but misconfiguration there also interferes with the use of LAN shared resources.
Since IPC performs identity authentication, it is particularly sensitive to the configuration of computer accounts, and many Group Policy settings concern computer accounts. One of them is "Deny access to this computer from the network" under "Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment". In Windows 2000 it imposes no restrictions by default, but since XP it has contained two additional accounts by default: one is the user name used by Remote Assistance (in effect a simplified Terminal Service) to log on over port 3389, and the other is the basic member of our LAN sharing, Guest!
Many XP users who cannot enable access to their shared resources normally are hitting exactly this restriction, and the solution is simple: just remove the "Guest" account from the list.
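The checks described in this part (the Server service, Computer Browser, TCP/IP NetBIOS Helper, the IPC$ share, ports 139 and 445, the Guest account and the "Deny access to this computer from the network" right) can be run together from one script. The PowerShell below is an added example, not code from the original article; it assumes Windows 8 / Server 2012 or later for the Get-SmbShare, Get-NetTCPConnection and Get-LocalUser cmdlets and an elevated prompt so that secedit can export the local policy, and it only reports each item's state rather than changing anything.

```powershell
# Added example (not part of the original article): local health check for the
# sharing prerequisites the article lists. "Ok" means the state the article expects.
function New-Check([string]$Name, [string]$Status, [bool]$Ok) {
    [pscustomobject]@{ Check = $Name; Status = $Status; Ok = $Ok }
}

function Test-LanSharingPrerequisites {
    # Server service (LanmanServer) publishes shares and IPC$; Computer Browser
    # (Browser) keeps the browse list; TCP/IP NetBIOS Helper (lmhosts) does NetBT
    # name resolution. Browser is absent on current Windows, so for it alone a
    # missing service is reported as NotInstalled and not counted as a failure.
    foreach ($svc in 'LanmanServer', 'Browser', 'lmhosts') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { New-Check "Service $svc" 'NotInstalled' ($svc -eq 'Browser') }
        else { New-Check "Service $svc" $s.Status ($s.Status -eq 'Running') }
    }

    # "net share" must list IPC$, the named-pipe share authentication goes through.
    $ipc = Get-SmbShare -Name 'IPC$' -ErrorAction SilentlyContinue
    New-Check 'IPC$ share' $(if ($ipc) { 'Present' } else { 'Missing' }) ([bool]$ipc)

    # TCP 139 (NetBIOS session) and 445 (SMB) must be listening for remote clients.
    foreach ($port in 139, 445) {
        $l = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        New-Check "TCP $port listening" $(if ($l) { 'Listen' } else { 'Closed' }) ([bool]$l)
    }

    # The article's XP-era setup needs Guest enabled and not listed under
    # "Deny access to this computer from the network" (SeDenyNetworkLogonRight).
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    New-Check 'Guest account' $(if ($guest.Enabled) { 'Enabled' } else { 'Disabled' }) ([bool]$guest.Enabled)

    # secedit exports the effective local policy; the right's line lists SIDs as *S-1-...
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $deny = (Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1).Line
    Remove-Item $inf -ErrorAction SilentlyContinue
    $denied = [bool]($guest -and $deny -and $deny -match [regex]::Escape($guest.SID.Value))
    New-Check 'Guest network logon' $(if ($denied) { 'Denied' } else { 'Allowed' }) (-not $denied)
}

Test-LanSharingPrerequisites | Format-Table -AutoSize
```

On a current Windows build the Browser service is expected to be reported as NotInstalled, and a Guest account that is disabled or denied network logon is the modern default, so treat the Ok column as "matches the article's XP-era configuration", not as a security recommendation.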
In addition to account-related policies
