
Securing your home network for file sharing

Home Network setup

What's more secure - Ethernet cables or WiFi ?

A1. If you have physical security (i.e. no kids :-) ) the most secure way to set up your home network is to disable WiFi and build a fully wired Ethernet system. This is also the fastest, since even 'standard' Ethernet (100 Mb/s) is about twice as fast as the best WiFi of the period (802.11g, nominally 54 Mb/s and considerably less in practice).

A2. If you have kids (and thus their friends visiting), WiFi is the better choice for security. This is because it is hard to even 'connect' to your network over WiFi (with WPA2/PSK encryption and a strong passphrase; a non-broadcast SSID adds little, since the name is sent in the clear whenever a client probes for it), whilst an Ethernet cable can simply be unplugged from an existing computer and plugged into another.

A3. Most of us will have a mixed WiFi & wired system, with laptops on WiFi (for ease of use) and desktops, server & media devices on cable (for speed). Securing such a system is an interesting 'challenge', given that Windows was DESIGNED to let computers be discovered and managed, without anyone at the keyboard noticing, from a 'corporate' network.

What's the most secure way to setup network IP ?

Whilst the 'most secure' approach is to set up each computer individually, with its own IP address, subnet mask etc., Windows is designed to 'link computers together', keep each 'informed' about all the others and make it easy for them to be controlled 'automatically'. Whilst it is possible to set up TCP/IP so that computers are more restricted, this has to be done 'manually' and the administration overhead involved is beyond most home network users.

I thus suggest using DHCP for all your computers EXCEPT for your 'server', which you setup manually (and 'hide' from the rest of the network).

What IP address range should I use for DHCP ?

There are 3 'normal' IP address ranges reserved for private Local Area Networks (LANs), defined in RFC 1918. These addresses do not exist on the Internet, so the only way for a computer using one of these addresses to reach the Internet (or for someone on the Internet to reach one of these addresses) is via your Router, which translates them (NAT). This is why the Router firewall is so vital, and why only a complete moron turns off the Router firewall at the behest of some 'game'.

The well known private LAN address ranges are :-
10.x.x.x, Subnet Mask 255.0.0.0 (10.0.0.0/8, i.e. 10.0.0.0 to 10.255.255.255)
172.16.x.x to 172.31.x.x, Subnet Mask 255.240.0.0 (172.16.0.0/12, i.e. 172.16.0.0 to 172.31.255.255)
192.168.x.x, Subnet Mask 255.255.0.0 (192.168.0.0/16, i.e. 192.168.0.0 to 192.168.255.255)

Of these, the 192.168.x.x range is the 'default' for most home Routers, so should be avoided, whilst the 10.x.x.x range is what 'corporate level' equipment such as CISCO 'managed switches' is usually found on. I thus suggest the first step in confusing and misdirecting the 'wannabee hacker' is to choose from the 10.x.x.x range.

The goal is to 'fool' the wannabee hacker into thinking that any restrictions they run into are being imposed by an active CISCO switch / Firewall, rather than by some simple changes you have made to the 'normal' Windows settings. Bear in mind that this is misdirection only: anyone who can plug into the switch can read the real addresses off the wire, so it buys nothing against a competent attacker and is no substitute for accounts, share permissions and a firewall on the server itself.

What address should I use for my 'server' ?

In theory, 'anything outside the 10.x.x.x range'. However there is one lesser known range, 169.254.x.x, Subnet Mask 255.255.0.0 (169.254.0.0/16, i.e. 169.254.0.0 to 169.254.255.255), which is ideal. Strictly it is not a 'private' range at all: it is the IPv4 link-local block (RFC 3927), which no Router will ever forward.

The reason this set is not normally mentioned as a 'home address range' is that it is reserved for communication between computers on a single 'non-routed' link, where each computer generates its own address by 'auto-configuration', i.e. on a LAN with no DHCP server (or when one cannot be found; Windows calls this APIPA, 'Automatic Private IP Addressing'). Since this range is never routed, the Default Gateway is left blank (0.0.0.0).

You will not want your server to reach the Internet, so it must have no 'default gateway' and no DNS Server settings, and thus cannot be 'set up' by the Router's DHCP Server service.

In fact, to prevent 'obvious' errors of the sort that might give an unauthorised user a hint as to how to reach the Internet from the server, the Gateway & DNS settings will all be set to 127.0.0.1 (the local loop-back address), so that anything the server tries to send off its own link goes nowhere. To prevent the server ever using DHCP, its 'DHCP Client' service will be Disabled.

The 169.254.x.x set is thus ideal for private use outside the range of the Router .. and more or less guarantees that Windows won't complain about there being no DHCP Server or no Gateway. The drawback is that it is NOT easy to remember = so you will have to write it down (and not leave your notes anywhere the kids can find them :-) )

What other 'reserved' addresses exist ?

A1. The whole of 224.0.0.0 to 239.255.255.255 (224.0.0.0/4) is designated for "multicasting": 224.0.0.x is the link-local multicast block (routing protocols and the like), 239.0.0.0/8 is the 'administratively scoped' block for use inside a private LAN, and 239.255.255.250 in particular is the group that UPnP / DLNA discovery (SSDP) uses.

To avoid your Windows TCP/IP drivers becoming totally confused, ALL multicast address ranges should be avoided when assigning addresses to computers !

A2. Addresses in the range 240.0.0.0 to 255.255.255.254 (240.0.0.0/4, less 255.255.255.255 which is the 'limited broadcast' address) are "designated" for future use and research and development.

These should be avoided too: most TCP/IP stacks refuse to accept them at all, and anything that does accept them may have them 'hardwired' into some software / hardware for 'testing'.

How do my wired computers communicate with the server ?

A1. The wired computers and the Router will be connected to a common 'switch' (or hub). This will allow the Router to issue DHCP addresses (in the 10.x.x.x range) to each of the computers.

The server will also be wired to the switch, however it will not use DHCP and will have an address in the 169.254.x.x range.

The subnet masks of the computers (and of the server) will prevent the 10.x.x.x computers from reaching the server on 169.254.x.x (& vice versa): a computer only ARPs directly for addresses inside its own subnet and hands anything else to its Default Gateway, which has no route to a link-local address.

In order for the computers to reach the server, each therefore needs a 169.254.x.x address of its own. The method described here is to manually enter a 'User Configured' 169.254.x.x address in the 'Alternate Configuration' tab of the TCP/IP Properties of each computer. Be aware that Windows only applies the Alternate Configuration when no DHCP server answers, so while a computer holds a lease from the Router it will keep just its 10.x.x.x address. If that is what you find, the alternative is a persistent 'on-link' host route to the server's address (added with the ROUTE command, giving the computer's own 10.x.x.x address as the 'gateway', which Windows treats as a directly connected route) together with the matching route back to the 10.x.x.x computers on the server.

The subnet mask for the 'User Configured' address will be set so that the computer can ONLY 'see' the server (and not any other 169.254.x.x computer). With a 255.255.255.252 mask a block holds just two hosts, the computer and the server, but a second computer then needs a wider block, which will also contain the first. The subnet mask for the server will need to be set so that the server can 'see' all of the 169.254.x.x computers. Note that a subnet mask on a client is only a convenience: whoever sits at that computer can change it, so isolating clients from each other this way is not a security control. Use accounts, share and NTFS permissions and the server's own firewall for that.
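A worked example, added here and not part of the original page, which checks an address plan of this kind with Python's standard ipaddress module. The server address 169.254.231.190 is the page's own example; the client addresses and the DHCP pool are constructed for illustration. mask_to_reach() returns the narrowest prefix-aligned block containing both a client and the server, which is exactly the longest subnet mask that client can use and still ARP for the server; check_plan() then lists which OTHER clients each such block still contains; classify() names the reserved ranges discussed in the questions above.

```python
# Added example: check an address plan of the kind described above with the
# standard-library ipaddress module. All hosts below are constructed except
# the page's own server example, 169.254.231.190.
import ipaddress

# RFC 1918 blocks listed explicitly: ipaddress's is_private also counts
# loopback, link-local and 240/4 as 'private', which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Name the reserved block an IPv4 address falls in, most specific first."""
    a = ipaddress.ip_address(addr)
    if a.is_loopback:
        return "loopback (127.0.0.0/8)"
    if a.is_link_local:
        return "link-local (169.254.0.0/16, APIPA)"
    if a.is_multicast:
        return "multicast (224.0.0.0/4) - never assign to a host"
    if a.is_reserved:
        return "reserved (240.0.0.0/4) - never assign to a host"
    if any(a in n for n in RFC1918):
        return "private (RFC 1918)"
    return "public"


def mask_to_reach(client, server):
    """Smallest prefix-aligned block containing both addresses, i.e. the longest
    subnet mask the client can use and still ARP for the server directly."""
    c = int(ipaddress.ip_address(client))
    s = int(ipaddress.ip_address(server))
    prefix = 32
    while (c >> (32 - prefix)) != (s >> (32 - prefix)):
        prefix -= 1            # shorten the mask until the two share a prefix
    return ipaddress.ip_network("%s/%d" % (client, prefix), strict=False)


def check_plan(server, clients):
    """For each client: (its block, its netmask, the OTHER clients that block
    still contains). Prefix blocks around one address are nested, so only the
    client nearest the server can get a block holding nobody else."""
    plan = {}
    for c in clients:
        block = mask_to_reach(c, server)
        others = [o for o in clients if o != c and ipaddress.ip_address(o) in block]
        plan[c] = (str(block), str(block.netmask), others)
    return plan


def pool_clear_of(pool, server):
    """True if the Router's DHCP pool can never hand out the server's address."""
    return ipaddress.ip_address(server) not in ipaddress.ip_network(pool)


if __name__ == "__main__":
    SERVER = "169.254.231.190"                                          # page's example
    CLIENTS = ["169.254.231.189", "169.254.231.185", "169.254.200.1"]   # constructed
    for host in [SERVER, "10.0.0.5", "192.168.1.1", "239.255.255.250", "240.0.0.1"]:
        print("%-16s %s" % (host, classify(host)))
    for client, (block, mask, others) in check_plan(SERVER, CLIENTS).items():
        print("%s -> block %s mask %s, also contains %s" % (client, block, mask, others or "nobody"))
    print("DHCP pool 10.0.0.0/24 clear of server:", pool_clear_of("10.0.0.0/24", SERVER))
```

Running it shows the nesting problem in the "only see the server" idea: the client at .189 gets a /30 holding nobody else, the one at .185 needs a /29 that also contains .189, and the one at 169.254.200.1 needs a /18 that contains both. The masks decide who a well-behaved client will ARP for; they do not stop a client whose owner changes them.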

How do my WiFi connected computers reach the server ?

Those with 'real' Routers should have no problem. In most home Routers the wired ports and the WiFi radio are bridged into one Ethernet segment, so the Router simply 'passes on' 169.254.x.x frames between WiFi and cable exactly as it does 10.x.x.x ones: it only looks at the IP address of traffic addressed to itself (i.e. to the Default Gateway), and everything else goes straight to the switch / hub (& thence to the server).

A1. If your Router will only 'pass on' traffic within its 'own' LAN (i.e. in the local address & subnet range you specified in the Router DHCP settings, which happens when the Router puts WiFi on a separate subnet), I suggest dropping the 10.x.x.x zone and using a subset of 169.254.x.x as the Router's DHCP set.

A2. If your Router refuses to 'pass on' ANY traffic from the WiFi to the 'wired' zone (some call this 'wireless isolation'), you will have no choice but to add a WiFi USB 'dongle' to the server. The Router DHCP can be left on 10.x.x.x and the server's WiFi 'dongle' set manually (with an address that is 'inside' the WiFi zone subnet but outside the range of addresses issued by DHCP).

In all cases, the server should not be permitted to reach the Internet. Since its DHCP Client service will be disabled, the server's TCP/IP settings must be set manually, and this allows all Default Gateway & DNS Server addresses to be set to the 'local loop-back address' 127.0.0.1.

For some recommended address settings, see my Securing your network page

Will this prevent the server accessing the Internet ?

A1. 'Yes' - this will stop Windows itself (and Internet Explorer and any 'commercial' software trying to 'phone home'), and thus a logged-in user, from reaching the Internet from the server.

A2. 'No' - malware (virus / worm / key-logger / root kit) running with administrator rights can simply put a working gateway and DNS server back, or carry its own network code, and so bypass these settings. They only constrain well-behaved software.

You must still take precautions (anti-virus, Firewall etc.) to avoid being infected with software that can bypass your settings.

How do I hide my Server (& shares) from 'Network Neighbourhood' ?

The 'normal' way to prevent a computer being 'discovered' in Network Neighbourhood is to REMOVE 'File and Printer Sharing' from your Local Area Connection properties and DISABLE the 'Server' service. However, if you want to 'share' folders on this computer with others you have to run both 'File & Printer Sharing' and the Server service, so the hiding has to be done another way.

A1. First, the 'Server' service can be told not to 'announce' itself to the browse lists that Network Neighbourhood is built from. The quickest way is the command :-

NET CONFIG SERVER /HIDDEN:YES

Despite what some guides say, this command writes the Registry value below and so survives a reboot; a .CMD file in the server's Start / Programs / Startup folder containing the same command is harmless if you want to be sure. Either way the server takes a while to drop out of browse lists the other computers already hold, since entries age out rather than being withdrawn.

Alternatively, edit the Registry as follows :-

(START / RUN / cmd / REGEDIT & go to :-)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
(add a new value named) Hidden
(of Data Type) REG_DWORD (with data) 1
(OK & reboot)

(Registry value names are not case sensitive; the capital H is merely the conventional spelling.)

A2. To 'hide' a shared folder on the server, all you need to do is add a '$' sign to the end of its name (e.g. 'movie$'). To 'map' such a folder users will then have to enter the exact name. Note that the '$' only keeps the share out of browse lists; anyone who knows or guesses the name can still connect, so the share and NTFS permissions (and the accounts allowed in) are what actually protect it.

A3. The next trick is to give the server a computer 'name' that NetBIOS cannot use (My Computer, right-click Properties, Computer Name tab, 'Change' button). A NetBIOS name is at most 15 characters and allows only a limited set of characters, so a name that starts with a 'period' ('.'), includes a few 'special' characters (*&%$£"#~@) and is AT LEAST 16 characters long will not be announced correctly. The Computer Name dialog warns about, and may refuse, the more exotic characters, so expect to experiment.

In most Workgroups it is 'NetBIOS over TCP/IP' (NetBT) that resolves a computer name to an IP address, by broadcasting on the LAN, and NetBT can't cope with special characters or names over 15 characters. WINS ('Windows Internet Name Service') does the same job through a central server; it is 'intended' for use in a Domain, but if anything on your network is running one it will still happily betray you in a Workgroup.

A4. To get rid of WINS and NetBIOS name resolution altogether (which are only needed to support Windows 95/98 computers; Windows 2000 / XP and later talk SMB directly over TCP port 445), open the server's Local Area Network Connection, Properties, TCP/IP Properties, General, Advanced, WINS tab, and select "Disable NetBIOS over TCP/IP".

Note = you need to do this on every computer in your network. A single computer still running NetBT answers broadcast name queries and advertises its shares, which is exactly how worms that spread via file shares find their next victim, so one such machine puts all the others at risk.

All of the above should prevent any possibility of any computer 'mapping' to a shared folder by using the server's 'name'. Instead, to 'Map a Network drive', the user will have to specify the server's IP address (as well as the share name), e.g. \\169.254.231.190\share$

How does a Home Cinema Multimedia (DLNA) access 'shares' ?

Below relates to serving your own music / photo / movie 'archive' to your home cinema system. If you want to access Internet 'streaming video' (e.g. BBC iPlayer / 4OD), set up a SEPARATE DLNA Internet Server .. DO NOT risk your irreplaceable holiday photos / music collection by allowing your server to be 'seen' (& 'hacked') from the Internet.

In order to support connection to your home cinema / TV / DVD player you need to run the Serviio media server (or similar**) on your server. First make sure you have Java v6 (Start > Settings > Control Panel > Java) installed, then download and install Serviio.

**There are many DLNA / UPnP packages, HOWEVER some are more 'free' than others :-) Before downloading and installing anything, check EXACTLY what you are getting (for example, "tvmobili" claims in big headlines 'A FREE DLNA MEDIA SERVER' and 'Download for free' but at the bottom of the page the 'small print' states '30 day trial .....')

Remember, 'free trials' often leave all sorts of hidden, hard-to-uninstall 'anti-copying / anti-retrial' code embedded in your system. You should also steer well clear of anything from a well known large entertainment corporation that is well known for its highly aggressive 'DRM' stance.

Note that you need to open ports TCP 8895 (Serviio's HTTP streaming port) and UDP 1900 (SSDP, the UPnP discovery protocol) in the 'DLNA server' computer's Firewall for DLNA to work. Set the scope of both exceptions to your own LAN (in the Windows XP Firewall, 'Change scope' then 'My network (subnet) only') rather than 'Any computer'. You should also make sure you have selected the 'target' multimedia box in Serviio's 'profile' setting.

Serviio is capable of 'serving' media files to multiple consumer 'boxes' .. just make sure you have selected the correct profile for each.
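What UDP port 1900 is actually for, as an added example that is not part of this page and not Serviio's code: a DLNA renderer finds media servers by sending an SSDP M-SEARCH to the multicast group 239.255.255.250 port 1900, and every server on the segment replies directly to the sender with a LOCATION header giving the URL of its HTTP description, which is why anything that can reach that port learns where the media server lives. The sample reply below is constructed to look like such an answer (the SERVER string, the UUID and the description path are invented; 169.254.231.190:8895 is the page's own server and port); discover() performs the live search on your own LAN when the file is run as a script.

```python
# Added example: the SSDP discovery exchange that UDP 1900 exists for.
# Nothing here is Serviio's code; the sample reply is constructed.
import socket

SSDP_GROUP = ("239.255.255.250", 1900)          # UPnP/SSDP multicast group and port
MEDIA_SERVER = "urn:schemas-upnp-org:device:MediaServer:1"


def build_msearch(search_target=MEDIA_SERVER, mx=2):
    """M-SEARCH request as a renderer (or anyone on the LAN) sends it."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % SSDP_GROUP,
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,                          # seconds a server may delay its reply
        "ST: %s" % search_target,               # what we are searching for
        "", "",                                 # blank line terminates the request
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Headers of a unicast SSDP reply as a dict (upper-case names), or None if
    the datagram is not a '200 OK' search response (e.g. a NOTIFY announcement)."""
    text = raw.decode("iso-8859-1")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        if not line.strip():
            break                               # end of headers
        name, sep, value = line.partition(":")  # first colon only: URLs contain more
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Live search: returns {sender IP: headers} for every server that answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on this link
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:                             # collect replies until the timeout
            data, peer = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found[peer[0]] = headers
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply, shaped like a media server's answer. The LOCATION is
# the interesting part: it hands every LAN host the URL of the server's HTTP port.
SAMPLE_REPLY = "\r\n".join([
    "HTTP/1.1 200 OK",
    "CACHE-CONTROL: max-age=1800",
    "EXT:",
    "LOCATION: http://169.254.231.190:8895/description.xml",
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleMediaServer/1.0",
    "ST: " + MEDIA_SERVER,
    "USN: uuid:00000000-0000-0000-0000-000000000000::" + MEDIA_SERVER,
    "", "",
]).encode("ascii")


if __name__ == "__main__":
    print("Sample reply points at:", parse_ssdp_response(SAMPLE_REPLY)["LOCATION"])
    for ip, h in discover().items():
        print(ip, h.get("SERVER"), "->", h.get("LOCATION"))
```

Run as a script on a machine attached to the LAN it lists every UPnP media server that answers, which is a quick way to confirm that the firewall scope you set really limits who can see the server: a laptop on a different subnet (or behind a Router that does not forward multicast) should get nothing back.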

How do I control a DLNA system 'remotely' ?

By default, Serviio automatically checks for new files 'appearing' in the specified folder 'shares' every 5 minutes. If you wish to share new folders via DLNA, you will need to use the control 'console' tool on the server. However, if you have kids, it's quite likely your server is locked away without a keyboard / mouse / monitor attached.

Fortunately, Serviio can be controlled using its 'console' tool running on another computer. Just make sure you set a 'system variable' named "serviio.remoteHost" on your 'console' computer to the IP address of the server running Serviio (it will use TCP port 23423, so this must be 'open' on both server and console PC, and ideally open only to that console PC's address). When you run ServiioConsole on your computer it should automatically connect to the server (if not, set the serviio.remoteHost system variable on the server as well).

Are there any other ways to support DLNA ?

If your server is running XP, Windows Media Player (WMP) 11 (or later) can act as a DLNA server. No sensible person would really want this DRM-riddled bloatware to control access to their music & DVD collection, however if you really must use WMP see here for some help in getting it to work.

Be aware that to use WMP you are likely to find you have to re-enable many of those annoying MS Services that you disabled to reduce the risk of virus infection (and speed up your computer).

What commercial DLNA package do you recommend ?
None, however if you really want something that even your kids could use, I suggest Nero MediaHome 4.

Can you manually enter the IP settings on a DLNA device ?

Generally, yes, HOWEVER if the device is on the same physical LAN as a DHCP server, it will always try to obtain an address using DHCP. Further, most DLNA software will then immediately use the Default Gateway and DNS Servers to 'phone home' for updates etc. If you have secured your network against Root-Kits and Key-Loggers 'phoning home' etc. you should receive an 'alert' and be asked if you want to 'allow' the connection.

On first use, by all means 'allow' the DLNA software to check for an update = but don't set 'remember', and make sure you reboot and 'deny' + 'remember' after any update. First, some DLNA software is 'advertising' supported (so block its Internet access and you block the ads) and second, any sort of 'SERVER' software can act as a path for access to your archived photos / music / movies.

NB. To force manual entry of TCP/IP and prevent a consumer DHCP device (TV, Blu-Ray player, home cinema system etc.) from 'phoning home' as soon as you plug in an Ethernet cable (thus allowing it to 'query' the DHCP server), the MAC address of the device can be added to your Router's DHCP 'deny' list (if it has one - if not, then you will have to turn on 'MAC locking' and add all your other computers' MAC addresses to the 'permitted' list).

By now you should have realised that using DLNA opens your system to all sorts of security risks = especially as some DLNA software is DESIGNED to wander off onto the Internet and download music ('Internet radio') and movies from virus-infested 'torrents'.

Since DLNA 'technology' is still in its infancy, I have no doubt that the hardware and software is full of bugs that could be 'exploited' from the Internet if ever exposed to it.

I also find the 'pre-school kiddie friendly' interface with its limited 5-item keyhole GUI extremely frustrating - so until it 'matures' (and 5 items become 50 & I can select BOTH music and a photo slideshow to play at the same time) I recommend avoiding DLNA completely.

If you really want to 'serve' videos and music direct to your TV, I suggest connecting a laptop direct using a HDMI cable and wireless keyboard / mouse

For my experience with various DLNA / uPnP Server drivers, click "Next >>" in the navigation bar, left.


Next page :- DLNA Server - (options)
