Home Network PC/Mac folder sharing?
March 27, 2008 9:21 PM Subscribe
How can I securely access my PC files using my wireless iBook on my home network?
I have a Comcast cable modem for internet access. The ethernet cable goes from the modem to my Belkin 4 port wireless router.
The Win XP PC is connected to the router by CAT5, 192.168.2.2.
The iBook is wireless, talks to the router as 192.168.2.3. Uses WEP, etc.
All my cool content is on the PC, but I want to sit on the sofa and browse my PC photos, call it G:\photos on the PC, using my Mac iBook. Mess around with them in iPhoto.
Is there some obvious way to set up a little tunnel in the respective operating systems, sharing through the router or something, without letting all my neighbors see G:\photos\FurryPr0n ? Letting me read/write files on the PC using the iBook?
I have a Comcast cable modem for internet access. The ethernet cable goes from the modem to my Belkin 4 port wireless router.
The Win XP PC is connected to the router by CAT5, 192.168.2.2.
The iBook is wireless, talks to the router as 192.168.2.3. Uses WEP, etc.
All my cool content is on the PC, but I want to sit on the sofa and browse my PC photos, call it G:\photos on the PC, using my Mac iBook. Mess around with them in iPhoto.
Is there some obvious way to set up a little tunnel in the respective operating systems, sharing through the router or something, without letting all my neighbors see G:\photos\FurryPr0n ? Letting me read/write files on the PC using the iBook?
If your wireless router is using WEP, then there is no way to make your wireless connections secure. On the other hand, the only way currently known to crack WPA or WPA2 is using dictionary attacks to discover the password that the pre-shared key is derived from. If you use a long (20 character) randomly generated password, WPA/WPA2 is secure.
If you then simply tell Windows to share your photos folder, you should be able to see and use that share from the Mac, and none of your neighbors will see squat; you don't need a tunnel.
The only way you'd need anything like a tunnel is if you've given your neighbors your wireless network key because that's the kind of generous soul you are, but you don't want them to be able to use a packet sniffer to look at your furry pr0n traffic in transit. In that case, using SFTP is indeed likely to be less error-prone than using Windows file sharing via a tunnel.
posted by flabdablet at 10:14 PM on March 27, 2008
If you then simply tell Windows to share your photos folder, you should be able to see and use that share from the Mac, and none of your neighbors will see squat; you don't need a tunnel.
The only way you'd need anything like a tunnel is if you've given your neighbors your wireless network key because that's the kind of generous soul you are, but you don't want them to be able to use a packet sniffer to look at your furry pr0n traffic in transit. In that case, using SFTP is indeed likely to be less error-prone than using Windows file sharing via a tunnel.
posted by flabdablet at 10:14 PM on March 27, 2008
In addition to using WPA, check to see if your router has MAC address filtering. Add your iBook's wireless MAC address (found under /Applications/Utilities/Network Utility - look for Hardware Address under the Info tab) and set the router to reject other network devices.
posted by phrayzee at 10:43 PM on March 27, 2008
posted by phrayzee at 10:43 PM on March 27, 2008
Automated cracking tools can instantly spoof the attacker's MAC address to match one they see in use on your network, once they've cracked the WPA password. This means MAC address filtering is fairly pointless. Don't do it - it will only cause you grief when you forget you've done it. Same goes for turning off SSID broadcasting.
Your wireless network's security is only as good as your WPA key, so just pick an excellent key and be done with it.
posted by flabdablet at 10:59 PM on March 27, 2008
Your wireless network's security is only as good as your WPA key, so just pick an excellent key and be done with it.
posted by flabdablet at 10:59 PM on March 27, 2008
Response by poster: I'm using WPA Personal auth - I apologize for the typo. I didn't know if it was important.
On other networks, I get on machine FOO and open a window to address \\BAR\C$ to read BAR's C: drive. That's the sort of thing I want to do. I want to see my PC files, using the iBook.
The PC has FTP and SFTP, and that is how I transfer files between them. But I'm looking for something more like a shared drive, and not actually copying the files over to the iBook permanently.
posted by sidereal at 4:49 AM on March 28, 2008
On other networks, I get on machine FOO and open a window to address \\BAR\C$ to read BAR's C: drive. That's the sort of thing I want to do. I want to see my PC files, using the iBook.
The PC has FTP and SFTP, and that is how I transfer files between them. But I'm looking for something more like a shared drive, and not actually copying the files over to the iBook permanently.
posted by sidereal at 4:49 AM on March 28, 2008
Use Windows built-in sharing. Password protect your system (of course) and turn off "Simple File Sharing". Share only specific folders, not the entire drive. In the Sharing tab, open Permissions. Allow access to these folders for one specific user account, best bet is to set access to read-only unless you really need read-write or full-control. In both Permissions and in the Security tab, don't specifically Deny access for other accounts or groups, just uncheck all the Allow boxes (this will remove access without actively denying anything, which can cause problems if you've denied Admin access but one of the allowed users is part of the Admin group, etc.).
Change your PC's default Workgroup as well (don't use MSHOME or WORKGROUP). Amazing to me how many people leave it as the default. This won't make anything more secure, but it does slightly complicate the ease of seeing your systems on the network if someone does manage to connect.
I've been sharing files this way for years at home. No issues and no known security breaches. This isn't a tunnel though, it's just straight sharing plus whatever security measures are built in to the systems you are using.
posted by caution live frogs at 5:22 AM on March 28, 2008
Change your PC's default Workgroup as well (don't use MSHOME or WORKGROUP). Amazing to me how many people leave it as the default. This won't make anything more secure, but it does slightly complicate the ease of seeing your systems on the network if someone does manage to connect.
I've been sharing files this way for years at home. No issues and no known security breaches. This isn't a tunnel though, it's just straight sharing plus whatever security measures are built in to the systems you are using.
posted by caution live frogs at 5:22 AM on March 28, 2008
Response by poster: CLF - once I do that, can I then create a folder or drive alias on the Mac that is actually a link to the shared PC folder? I understand what you're saying about setting up the share on the PC, thank you. I'm not sure how I would then access it from the iBook.
posted by sidereal at 6:49 AM on March 28, 2008
posted by sidereal at 6:49 AM on March 28, 2008
Windows shares should show up in Network. Browse the machine name in Network using the Finder (shift-cmd-K to open Network when Finder has focus). You should see the workgroup name; opening that should show you the computer name. Click it to connect. It will ask for your credentials (or click the "Connect as..." button in Leopard); feed it the Windows user name and password. If you have multiple shares it should ask which you want to open. After you've done it once, if you told it to remember the password you should be able to quickly connect at any time by looking in Recent Items from the apple menu.
The share will show up as a mounted network drive on your desktop. (Incidentally you can share printers the same way, but I've had haphazard results with printing from a Mac to a shared printer on a Windows box. Sometimes it works, sometimes it doesn't, depends on the printer and what drivers you choose.)
posted by caution live frogs at 8:14 AM on March 28, 2008
The share will show up as a mounted network drive on your desktop. (Incidentally you can share printers the same way, but I've had haphazard results with printing from a Mac to a shared printer on a Windows box. Sometimes it works, sometimes it doesn't, depends on the printer and what drivers you choose.)
posted by caution live frogs at 8:14 AM on March 28, 2008
Response by poster: I'm afraid the Properties -> Sharing tab does not have a "Permissions" button, nor is there a "Permissions" tab in the Properties box.
(I'm thinking this may be a little too tech-support for AskMe)
posted by sidereal at 9:45 AM on March 28, 2008
(I'm thinking this may be a little too tech-support for AskMe)
posted by sidereal at 9:45 AM on March 28, 2008
flabdablet: I totally agree with you here, but I think that MAC filtering could/would add another stumbling block for anybody trying to get access.
sidereal: To disable Simple File Sharing in Windows, open up a My Computer window. Go to Tools -> Folder Options -> View tab. Scroll down to the bottom of Advanced Settings and uncheck "Use simple file sharing". This should enable the advanced features when you go to the Sharing tab under a drive/folder's Properties window.
Another thing that comes to mind is if your router has a web admin front end that requires a log-in, give it a strong password that is different than your WEP/WPA password. That way if someone were to crack your WPA password and gain access to your network, they would then have to crack the password for the web front end if they wanted to make changes there.
posted by phrayzee at 10:46 AM on March 28, 2008
sidereal: To disable Simple File Sharing in Windows, open up a My Computer window. Go to Tools -> Folder Options -> View tab. Scroll down to the bottom of Advanced Settings and uncheck "Use simple file sharing". This should enable the advanced features when you go to the Sharing tab under a drive/folder's Properties window.
Another thing that comes to mind is if your router has a web admin front end that requires a log-in, give it a strong password that is different than your WEP/WPA password. That way if someone were to crack your WPA password and gain access to your network, they would then have to crack the password for the web front end if they wanted to make changes there.
posted by phrayzee at 10:46 AM on March 28, 2008
My point is that running dictionary attacks against WPA passwords is a job generally done using automated tools, and that those same tools will easily and automatically spoof MAC addresses as needed. There is really no point creating stumbling blocks when the only person who will actually stumble over them is the creator.
Also, it's only XP Professional that gives you the choice of turning Simple File Sharing off - it's baked into XP Home. Which means that (a) using the shared folder from the Mac will probably Just Work, and (b) there is no meaningful way to enforce per-user access restrictions on folders shared over the network (with SFS turned on, from the server's point of view all network users are actually Guest). Using Windows XP Home's inbuilt file sharing on a folder containing your furry pr0n will make it generally available to any user on any computer on your LAN.
I'm looking for something more like a shared drive, and not actually copying the files over to the iBook permanently
OK, then you probably want an ssh server on the Windows box, and MacFUSE and sshfs on your Mac.
posted by flabdablet at 5:19 PM on March 28, 2008
Also, it's only XP Professional that gives you the choice of turning Simple File Sharing off - it's baked into XP Home. Which means that (a) using the shared folder from the Mac will probably Just Work, and (b) there is no meaningful way to enforce per-user access restrictions on folders shared over the network (with SFS turned on, from the server's point of view all network users are actually Guest). Using Windows XP Home's inbuilt file sharing on a folder containing your furry pr0n will make it generally available to any user on any computer on your LAN.
I'm looking for something more like a shared drive, and not actually copying the files over to the iBook permanently
OK, then you probably want an ssh server on the Windows box, and MacFUSE and sshfs on your Mac.
posted by flabdablet at 5:19 PM on March 28, 2008
Also: the point I keep trying to make about picking a WPA password is that you can, and should, make it uncrackable. I have never heard of any way to crack WPA except using a dictionary attack against the password. Do not use a WPA password designed to be memorable, or even easy to type. If you generate a long (20 characters or more) password using a random number generator, save it in a text file on a USB memory stick you keep on your keychain, and use copy/paste to put it into all the boxes where it has to go, you can consider your WPA wireless network secure against outside attack. There is then no point in using false-sense-of security measures additional to this.
None of the above applies to WEP, which is just fundamentally broken. WPA good; WEP bad!
I agree that using different passwords for router admin and WPA is a good idea, but not because of any fear of drive-by router tampering via wireless. Rather, there is no particular reason to use a super-strong password for your router's web interface, unless you also need it protected against skilled attackers inside your LAN.
Most routers can be told not to allow access to the admin interface via their wireless ports at all. If you're paranoid, do that, and do all your router admin via a wired connection.
posted by flabdablet at 5:43 PM on March 28, 2008
None of the above applies to WEP, which is just fundamentally broken. WPA good; WEP bad!
I agree that using different passwords for router admin and WPA is a good idea, but not because of any fear of drive-by router tampering via wireless. Rather, there is no particular reason to use a super-strong password for your router's web interface, unless you also need it protected against skilled attackers inside your LAN.
Most routers can be told not to allow access to the admin interface via their wireless ports at all. If you're paranoid, do that, and do all your router admin via a wired connection.
posted by flabdablet at 5:43 PM on March 28, 2008
Response by poster: I have XP Home, so that explains why this isn't working. I'll try the ssh/MacFUSE thingy, thanks!
posted by sidereal at 6:39 AM on March 29, 2008
posted by sidereal at 6:39 AM on March 29, 2008
This thread is closed to new comments.
The 192 network your PC is getting via DHCP is a NAT firewall so theoretically it's protected behind that from being scanned by Internet script kiddies but you should still use the full array of anti-virus, anti-exploit and firewall tools. It's more likely you'll be exploited by downloading some free pr0n with a trojan in it than via your wireless network.
There's probably some secure protocol for doing transmissions between your PC and your Mac that would fairly easy to set up but nothing comes to my mind at the moment...SFTP maybe. I use FTP between my Mac and PC because the protocol is easy to run. I don't bother using further encrypting because the wireless signal is encrypted via WPA and that's secure.
My two cents worth...your mileage may vary.
posted by diode at 9:29 PM on March 27, 2008