Cynna
asked on
IPX/SPX sharing with Win98
I have WinXP machine with printer, no admin password.
The machine I'm using for testing is Win98 machine. I don't want
user there to have to use password either to access WinXP machine.
I'm trying to enable File and print sharing using IPX/SPX protocol, for
security reasons between those two.
I followed instructions from
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/hnw_ipx_fileandprint_sharingP.asp
for WinXP i Win98.
And after that I couldn't access WinXP machine. I could see it from Win98,
but can't access it. Then I started experimenting and found some strange
behaviour:
If TCP/IP is checked for File and Print Sharing under "Bindings for
Local Area Connection" on WinXP machine, everything works OK.
After that, I uncheck it, leaving only IPX/SPX for file and print sharing,
and WinXP access is still OK!??
But, after either machine is restarted (while WinXP machine still keeps
only IPX/SPX binding) then no access again...
It seems almost like Win98 needs TCP/IP binding on WinXP machine to connect only for the first time, and after that, I can uncheck TCP/IP
leaving only IPX/SPX sharing without any problems.
How can I have IPX/SPX based sharing without having to enable TCP/IP first?
The machine I'm using for testing is Win98 machine. I don't want
user there to have to use password either to access WinXP machine.
I'm trying to enable File and print sharing using IPX/SPX protocol, for
security reasons between those two.
I followed instructions from
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/hnw_ipx_fileandprint_sharingP.asp
for WinXP i Win98.
And after that I couldn't access WinXP machine. I could see it from Win98,
but can't access it. Then I started experimenting and found some strange
behaviour:
If TCP/IP is checked for File and Print Sharing under "Bindings for
Local Area Connection" on WinXP machine, everything works OK.
After that, I uncheck it, leaving only IPX/SPX for file and print sharing,
and WinXP access is still OK!??
But, after either machine is restarted (while WinXP machine still keeps
only IPX/SPX binding) then no access again...
It seems almost like Win98 needs TCP/IP binding on WinXP machine to connect only for the first time, and after that, I can uncheck TCP/IP
leaving only IPX/SPX sharing without any problems.
How can I have IPX/SPX based sharing without having to enable TCP/IP first?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Irmoore,
Firstly, thanks for the prompt response and I'm sorry
if I ask some dumb questions, but networking *really*
isn't my cup of tee, so bare with me please...
I'll try out your suggestions tomorrow, when I get to
office. But before that, I'd like too know why you
suggested what you did. It's not that I don't trust you :),
it's just that I really don't like doing things without
grasping their meaning...
In particular, I seem to remember a certain NG post about
this, that suggested using NetBios, and I think it solved
the asker problem.
But, I don't really understand why. Button text says:
“Enable NetBios over TCP/IP”
Now, how can NetBios than be enabled if TCP/IP is disabled?
Moreover, I'm concerned about security issues regarding NetBios.
If it is “related” to TCP/IP, will it somehow undermine security
of XP machine? I don’t want somebody from other side of the
world accessing my printer (like it happened recently).
I red about IPX/SPX being pretty safe (I don’t want firewall),
but I don’t know about NetBios…
Obviously I don’t really understand what’s going on, and I’d
really like to before I go on with this. Could you please shed
some light on your NetBios suggestion?
Thanks!
Firstly, thanks for the prompt response and I'm sorry
if I ask some dumb questions, but networking *really*
isn't my cup of tee, so bare with me please...
I'll try out your suggestions tomorrow, when I get to
office. But before that, I'd like too know why you
suggested what you did. It's not that I don't trust you :),
it's just that I really don't like doing things without
grasping their meaning...
In particular, I seem to remember a certain NG post about
this, that suggested using NetBios, and I think it solved
the asker problem.
But, I don't really understand why. Button text says:
“Enable NetBios over TCP/IP”
Now, how can NetBios than be enabled if TCP/IP is disabled?
Moreover, I'm concerned about security issues regarding NetBios.
If it is “related” to TCP/IP, will it somehow undermine security
of XP machine? I don’t want somebody from other side of the
world accessing my printer (like it happened recently).
I red about IPX/SPX being pretty safe (I don’t want firewall),
but I don’t know about NetBios…
Obviously I don’t really understand what’s going on, and I’d
really like to before I go on with this. Could you please shed
some light on your NetBios suggestion?
Thanks!
first in regards to security and tcp, try a firewall like zonealarm (free for personal use) www.zonealarm.com
now is this xp pro or home? if pro
disable simplified file sharing
http://www.microsoft.com/windowsxp/expertzone/tips/september/stevens1.asp
in the properties for ipx/spx, is the network number the same? and the frame type? set them to be the same
now is this xp pro or home? if pro
disable simplified file sharing
http://www.microsoft.com/windowsxp/expertzone/tips/september/stevens1.asp
in the properties for ipx/spx, is the network number the same? and the frame type? set them to be the same
TCP/IP and IPX should not be mutually exclusive, and they should work just fine together. I was taking the simple approach to help figure out why they don't want to play as you expect them to.
SPX is the NETBIOS piece of IPX/SPX, so I was just thinking maybe...??
If your real concern is simply security, then....
I don't understand your comment:
>I don’t want firewall
at the same time:
> don’t want somebody from other side of the
world accessing my printer
I'm sorry to say, that is the exact purpose of a firewall, and why a firewall is recommended by almost everyone in our profession. You simply cannot rely on the transport protocols by themselves to provide security. That is not their function. A transport protocol's function is to simply move data from one place to another. Everything else is on top of that -- providing traffic control if you will, granting/denying access.
TCP/IP is the global protocol, common language of the future. It's easy to understand the insecurities of it, and easy to control access using dedicated firewalls. If you have Internet access, you need TCP/IP.
As long as you are behind a firewall, using private IP addresses that can't be routed through the internet (see RFC 1918), provide some type of NAT (Network Address Translation) firewall, and have some means of monitoring and checking on the security (logging, intrusion detection, etc), then there is no logical reason to use any other protocols on the inside of your network just for "security" reasons.
Check out the TOP 20 security vulnerabilities, and you won't see the protocol itself under fire:
http://www.sans.org/top20.htm
However, you'll notice #W4 is NETBIOS - UNPROTECTED NetBios. Most routers/firewalls block netbios ports by default.
Another good primer:
http://rr.sans.org/firewall/bank.php
SPX is the NETBIOS piece of IPX/SPX, so I was just thinking maybe...??
If your real concern is simply security, then....
I don't understand your comment:
>I don’t want firewall
at the same time:
> don’t want somebody from other side of the
world accessing my printer
I'm sorry to say, that is the exact purpose of a firewall, and why a firewall is recommended by almost everyone in our profession. You simply cannot rely on the transport protocols by themselves to provide security. That is not their function. A transport protocol's function is to simply move data from one place to another. Everything else is on top of that -- providing traffic control if you will, granting/denying access.
TCP/IP is the global protocol, common language of the future. It's easy to understand the insecurities of it, and easy to control access using dedicated firewalls. If you have Internet access, you need TCP/IP.
As long as you are behind a firewall, using private IP addresses that can't be routed through the internet (see RFC 1918), provide some type of NAT (Network Address Translation) firewall, and have some means of monitoring and checking on the security (logging, intrusion detection, etc), then there is no logical reason to use any other protocols on the inside of your network just for "security" reasons.
Check out the TOP 20 security vulnerabilities, and you won't see the protocol itself under fire:
http://www.sans.org/top20.htm
However, you'll notice #W4 is NETBIOS - UNPROTECTED NetBios. Most routers/firewalls block netbios ports by default.
Another good primer:
http://rr.sans.org/firewall/bank.php
ASKER
OK, I switched "Enable NetBios over TCP/IP" on end everything
works fine now. So, points are definitely yours :) .
But I still don't get why it works now. Could you please
try offering one final explanation for this, so we can
wrap it up...
Just a few more comments to hopefully clear the picture:
> I'm sorry to say, that is the exact purpose of a firewall
Yes I know, but I also read about various other problems in
accessing Internet if you have firewall installed. I'm quite
sure I don't want a firewall, trust me. I just wanted something
less restricting, that would just *increase* degree of security
in terms of printer sharing (accepting that this is lower quality
solution then a firewall), compared to what I had so far.
> TCP/IP and IPX should not be mutually exclusive, and they should work just fine together
Maybe you misunderstood me - I *do* want TCP/IP, and using IPX/SPX
didn't exclude it; I was able to use Internet just fine. What I
wanted was to disable using TCP/IP *only* for file and print sharing.
I read somewhere that unbinding TCP/IP for file and print sharing
will kind of "isolate" your printer from Internet. That is what I'm after.
Binding to IPX/SPX is recommended instead. I followed steps
that Microsoft suggested using IPX/SPX for file and print sharing,
but that yielded mysterious results I described in my initial question.
Your suggestion of simply enabling NetBios solved it, but I wonder why,
and will it increase the vulnerability of the system if I keep this
setting on.
works fine now. So, points are definitely yours :) .
But I still don't get why it works now. Could you please
try offering one final explanation for this, so we can
wrap it up...
Just a few more comments to hopefully clear the picture:
> I'm sorry to say, that is the exact purpose of a firewall
Yes I know, but I also read about various other problems in
accessing Internet if you have firewall installed. I'm quite
sure I don't want a firewall, trust me. I just wanted something
less restricting, that would just *increase* degree of security
in terms of printer sharing (accepting that this is lower quality
solution then a firewall), compared to what I had so far.
> TCP/IP and IPX should not be mutually exclusive, and they should work just fine together
Maybe you misunderstood me - I *do* want TCP/IP, and using IPX/SPX
didn't exclude it; I was able to use Internet just fine. What I
wanted was to disable using TCP/IP *only* for file and print sharing.
I read somewhere that unbinding TCP/IP for file and print sharing
will kind of "isolate" your printer from Internet. That is what I'm after.
Binding to IPX/SPX is recommended instead. I followed steps
that Microsoft suggested using IPX/SPX for file and print sharing,
but that yielded mysterious results I described in my initial question.
Your suggestion of simply enabling NetBios solved it, but I wonder why,
and will it increase the vulnerability of the system if I keep this
setting on.
>Your suggestion of simply enabling NetBios solved it, but I wonder why,
Netbios is the underlying structure of Microsoft networking. If you have a WINS server, then it will perform the netbios to IP name resolution for you. Otherwise, XP relies on DNS for name resolution, but 98 relies much more heavily on WINS/Netbios. It is this mixture that makes everything work with Netbios turned on. You can't turn it off on 98.
>and will it increase the vulnerability of the system if I keep this setting on.
Yes. Trust ME. You NEED a firewall. It does not have to be fancy, it does not have to be complicated, and it does not have to restrict your Internet useage.
I did understand your original Q. TCP/IP for Internet, IPX/SPX for file/print sharing should work as described in the MS article. I'm not sure why it's not working that way, unless as steve suggested it could simply be a mismatch of frame type settings in your IPX config.
Netbios is the underlying structure of Microsoft networking. If you have a WINS server, then it will perform the netbios to IP name resolution for you. Otherwise, XP relies on DNS for name resolution, but 98 relies much more heavily on WINS/Netbios. It is this mixture that makes everything work with Netbios turned on. You can't turn it off on 98.
>and will it increase the vulnerability of the system if I keep this setting on.
Yes. Trust ME. You NEED a firewall. It does not have to be fancy, it does not have to be complicated, and it does not have to restrict your Internet useage.
I did understand your original Q. TCP/IP for Internet, IPX/SPX for file/print sharing should work as described in the MS article. I'm not sure why it's not working that way, unless as steve suggested it could simply be a mismatch of frame type settings in your IPX config.
ASKER
OK, thanks for the help!
Try enabling the guest account on the XP box, too.