XPost: comp.mobile.android, alt.comp.os.windows-10   
   From: java@evij.com.invalid   
      
   On 17/01/2024 20:51, Bill Powell wrote:   
   >   
   > On Wed, 17 Jan 2024 20:30:50 +0000, Java Jive wrote:   
   >>   
   >>> Press the down arrow and select the people allowed to access it.   
   >>> "Everyone" | Add | Read/Write | Share | Done   
   >>   
   >> That's a significant security hole.  Ideally, you want to restrict it   
   >> to known users of your LAN regardless of device, and the best way to   
   >> do that is to password-protect the share in some way.   
   >   
   > Why do I need a password? If I can't trust my wife, then who can I trust?   
      
   Because anyone hacking into your local network can access the share,   
   this may include:   
      Legitimate visitors to your home whom you allow to access the LAN   
   temporarily;   
      WiFi warriors who attempt to hack & surf other people's networks;   
      Troublesome neighbourhood youths;   
      Anyone that manages to hack your router from the WAN side.   
      
   This may not worry you if you don't intend to put anything private on   
   the share, which is fine as long as your never forget that rule, but in   
   general it wouldn't be considered good security practice, because for   
   example, someone gaining access to your LAN as above might put on the   
   share something to infect you machine with malware, and, if you clicked   
   on it, you'd then be in trouble.   
      
   >> For Windows, the way I usually do this is to ensure that my Windows   
   >> PCs all have the same user accounts with the same Username/Password   
   >> combinations, and only allow those accounts access permissions on the   
   >> shares.  This means I can simply open shares in File Explorer without   
   >> being prompted for usernames & passwords.   
   >   
   > If I have to have an account password on Windows, can I use "guest/guest"?   
   > What's the Windows default "guest" or "everyone" account password anyway?   
      
   On a locked down PC, the Administrator account and the Guest account are   
   usually disabled, and it's probably best to leave them so unless you are   
   at least moderately well up on security  -  I used to create standard   
   workstation builds for thousands of PCs used in the UK offices of a   
   multi-national financial firm, so I had to take at least a basic   
   interest in this stuff, though I wouldn't have classed myself as an   
   expert even then, and especially not now as recent versions of Windows   
   have changed so much, particularly emasculating the Administrator &   
   Administrators accounts, since I retired.  If you want to use either   
   account, the next best thing to having them disabled is to set a policy   
   to rename them to be something different that cannot easily be guessed,   
   but this may only be possible on Pro versions of Windows, I'm not sure   
   about Home versions.  Alternatively, you could create a special guest   
   account on the Windows PC(s) to use on the share(s), and give it a   
   limited set of permissions to suit your purposes.   
      
   >> This used to work also via Samba on Linux, as long as the passwords   
   >> were the same all round, using an smbusers file to convert between   
   >> Linux & Windows versions of usernames (many Linux distros won't allow   
   >> uppercase in usernames), but this no longer seems to work, and now to   
   >> access a Windows share from a Linux PC I have to put in a Windows   
   >> account's username & password TWICE  -  an absurd & maddening   
   >> fiddle-faddle!   
   >   
   > What I don't get is why does Windows have an "everyone" or "guest" account?   
   > What good are those two Windows accounts if they /require/ a password.   
      
   In the eyes of someone like myself who takes security moderately   
   seriously, they are an anachronism which should not be used, but,   
   despite Microsoft's oft repeated mantra with each new version of Windows   
   that "good security is built-in from the ground up"  -  or whatever the   
   latest version of the claim is  -  AFAIAA unfortunately the *DEFAULT*   
   permissions on Windows shares is still Everyone :-(   
      
   >> Android, being based on Linux, is likely to do something similar.  If   
   >> you can find out what is your Android username, you could try creating   
   >> an account of that name on your Windows PC and assigning a password to   
   >> it, then, if you're lucky, to connect you will only be prompted for   
   >> the password.   
   >   
   > I don't even know if Android has a username. Being Linux, it probably does.   
   >   
   > I went into Termux. Then I typed "whoami" and it said "u0_a331" and when I   
   > typed "id" it said "uid=10331(u0_a331)" and a whole bunch of other stuff.   
      
   So it would be interesting to add a new account of that name on your   
   Windows PC, give it a suitable password, and give that account Change   
   access to the share, *AND* your usual logon account Full Control access   
   to it, add Admins & System as below, and remove all 'Everyone'   
   permissions to it.  Hopefully then you could connect to it from your   
   phone by giving just the password.  If this works, repeat for your   
   wife's phone user account and her Windows user account if different from   
   yours.   
      
   If it's any help, the default permissions I put on a data share on a   
   Windows PC are as follows ...   
   	Authenticated Users    Change   
   	Administrators         Full Control   
            System                 Full Control   
   ... but if the situation could be covered by a single user account   
   rather than the more general Authenticated Users, then you could specify   
   that account to have Change permissions instead of AU.   
      
   BTW, don't forget that you need to replicate the above permissions, or   
   whatever you have chosen as your own version of them, on the underlying   
   directory structure of the share as well, so not just on the share under   
   the Sharing tab, but also on the directory under the Security tab, and,   
   if there is already a directory heirarchy there, replicate down through   
   it.  However, DON'T do that, in fact don't even share, any of the   
   standard Windows folders, including that for your User Profile ...   
   	C:\Users\%USERNAME%   
   ... it didn't used to matter if you did that, but increasingly since   
   Vista+ or 7+ things break if you do that, and, with each new version of   
   Windows, the breakage seems to be more severe than with the previous   
   version.   
      
   --   
      
   Fake news kills!   
      
   I may be contacted via the contact address given on my website:   
   www.macfh.co.uk   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)