Dec 4th OneCare Update Locks Down LAN File & Print Sharing Permanently . . .

  • Question

  • Hi,

     

    I'd be grateful for advice on how to get OneCare on XP Pro SP2 to re-enable File & Printer Sharing on my LAN.

     

    SETUP:  Working LAN, 5 PCs, (XP Pro and XP Home), one hub PC has two NICs, two LANs and ICS, going to router and modem and cloud.  Users share various files (e.g. Outlook) from hub server to their own machine.  Works very well.

     

    CHANGE:  Auto-update of OneCare today turned OFF File and Printer Sharing.  Users can no longer see files on shared hub server.  HOWEVER, internet browsing and email (not file-sharing clients) still work.

     

    INVESTIGATION:  Although OneCare Firewall says that File and Printer Sharing for Subnet is permitted (and File and Printer Sharing for Internet is disabled), in the advanced settings dialogue, File and Printer Sharing is greyed out and disabled.   AND THE REASON IS GIVEN that you are in a public space and file and printer sharing is not in a public space.  Drive mapping also does not work any more from any other machine on the LAN, to the hub server.

     

    ANALYSIS:  OneCare security is not properly distinguishing between the local private LAN and the public LAN which goes to the router and modem.   THIS IS EVEN TRUE in the face of the fact that in the OneCare Firewall Dialogue, the two LANs are properly identified.

     

    HOW TO FIX?  This is now a serious problem and is preventing us from using any of our shared files.

     

    Thank you for explaining how to fix this serious problem.

     

    I have to say that it is a little disappointing to have to spend two hours to figure out why all of a sudden our email doesn't work.

     

    John-in-Toronto

     

    Wednesday, December 5, 2007 3:39 AM

Answers

  • Hi,

    I am Program Manager for this feature.

     

    Currently if any of the networks you are connected to is marked "public place" the public place policy is applied. In the current version OneCare can't apply two different policies on two different networks at the same time.

     

    Given this limitation your options that I can think of are:

    a) Change network topology: Instead of using ICS, is it possible for you to connect all the PCs to the router? This way all the PCs will have only a single network and since it will be behind a router, you can mark that network private.

    b) Evaluate whether the network you have currently marked as public can be marked private: If both LANs of the hub PC are behind the router you can do that.

    c) Turn off automatic blocking in public place: You can do that via a checkbox in firewall settings. If you do that, please do turn off any of the rules under "Configure Firewall" that you do not really need. This will definitely increase the security risk, but will allow you to open any rule on any network.

     

    Thanks

    Neeraj

     

     

    Wednesday, December 5, 2007 4:24 AM

All replies

  • Neeraj,

     

    Thank you for your speedy reply.  I have to say that if I understand what you are saying correctly, I am flabbergasted.  And as we say in Toronto, "shocked and appalled".

     

    Here are my comments:

     

    1) SUPPORT NEEDED FOR GOOD DESIGN:  I am running a reasonably sophisticated home network with one PC as a file server and ICS gateway.  That is not an unusual thing to do.  And before I got rid of ZoneAlarm Pro, it was easy enough to apply a different policy to two different LAN segments.  And in fact it was easy to do this with OneCare.

     

    2) MS DOESN'T SUPPORT ICS????  The advantage of this setup is that we are more secure.  I do NOT want to all connect to a router or hub, which means I dumb down the management capabilities of my LAN.  I would rather use ICS...

     

    3) NO MORE LOCAL SUBNET RESTRICTIONS????  And to mark the public network as private means I lose some of the security on it.  Why even bother with OneCare then?  There is the dumb firewall in the router, then another OneCare software firewall behind that.  But OneCare is also locking down all the applications I have said "local subnet only".

     

    4) RESOLUTION FOR NOW:  As you suggest, I will take Option No. 3, "turn off automatic blocking".  On my file server, there are only a limited number of applications running.  I believe they are all configured individually now anyway.

     

    5) SUGGESTION FOR PRODUCT NO. 1:  Microsoft OneCare should support its own ICS capability.  It's a scandal that apparently it doesn't.  Seriously, ICS isn't bad for a simple situation and lots of people use it?  I guess this means "different policies" to "different LANs" on the same machine.

     

    6) SUGGESTION FOR PRODUCT NO. 2:  In the firewall "list of software products", in order to configure, or later to double-check, whether or not a product is restricted to a local subnet, you have to click on each one.  It would be much better to have a column in the dialogue which gives the "local or public access" shown -- and the ability to change without drilling in.  "Table-based user interfaces" I believe can really help with managing large numbers of related elements.  This would be both a convenience -- and a security enhancement.  Programs that were incorrectly configured would be easily apparent.

     

    7) SUGGESTION FOR PRODUCT NO. 3: The product currently does NOT clearly communicate what you communicated, either in help or in dialogues.  In fact, it erroneously leads one to believe that it should be able to support different rules.  So, in lieu of fixing the product, at least communicate that the product doesn't do what it doesn't do.

     

    8) HOW MUCH OF A PRIORITY?  Let's see, people use ICS.  Everyone who uses ICS cannot use OneCare.  Is this correct?  Do the ICS people know this?  Is Microsoft abandoning ICS?  Should I go back to ZoneAlarm, which is more complicated and more expensive and actually doesn't always work?

     

    I'm trying to be positive here and I'm trying to discipline myself.  But the fact is that this "automatic update" has broken a well-designed system that is relied upon by a number of people.  The problem has cost me considerable time.  And the fix will cost me even more time.  And the problem is a deliberate, but I believe incorrect design decision.  May I encourage your team to consider the points made here?

     

    Thank you for your speedy reply.  I will say that your reply was very helpful, even if I didn't like the news.  We appreciate the messenger!

     

    John

    Wednesday, December 5, 2007 10:05 AM
  • John, forgive me for perhaps overlooking something, but is OneCare running on your hub PC in the environment? If so, then Neeraj's advice applies since that machine has two network interfaces which apparently can't be dealt with properly by the firewall at this time. There have been other posts from users having this problem running VMware virtual machines. I don't have this issue with Virtual PC, but it may identify the network differently.

     

    If the hub PC is not running OneCare, then the issue would seem to me to be much simpler, having just witnessed my wife's PC take the 2.0 update last night. When it updated, she had to follow some initial install prompts/dialogs to configure the system and one of those prompts asked her to identify if the network was Public or Private. Had I not been watching, she may have selected public, in which case file and printer sharing would have been disallowed as you describe.

    So, if you are not running OneCare on the hub machine, on all clients, go to the Firewall tab and make sure that they are all set to be connected to a Private network (since they are on your LAN) and file and printer sharing will become available once more.

     

    -steve

    Wednesday, December 5, 2007 6:01 PM
    Moderator
  • Stephen,

     

    Hi.  Good question.  However, we have OneCare on the server hub machine as well.  I have now turned OFF the checkbox labeled "automatically suspend all Home or work locations when you are connected to any network in a public place".  This checkbox is found very easily under the Firewall Tab on the new OneCare Settings dialogue.

     

    When I unchecked this box, then the rest of the new features started to work; in the new dialogues, they weren't greyed out anymore.  And the two NIC cards now are associated with the appropriate private and public subnets.

     

    Couple of points:

     

    1. I think the way this is implemented is a design flaw, or at very least, very poor documentation.

     

    2. I have what I believe is a reasonably well-configured home LAN setup, simple and easy to maintain and extend.  However, it seems most people just hook up a LAN via a router and don't use ICS.

     

    3. The point I made earlier above about "table based editing" I think is an important security concern -- you want to be sure that many apps are only permitted for the subnet, but it's hard to keep track because of the visibility and hassle.

     

    4. Right now I'm back in working order -- and I THINK I'm still secure . . . but by unchecking the box, am I missing something?

     

    5. So, is this new OneCare only designed for laptops?  Do the designers think that nobody uses them for a static machine?  That there never will be a firewall on a static machine?  Or that static machine servers are only run by people who would never think of using OneCare?  Depressingly probably the last item...

     

    Thanks all for good help.

     

    John

    Thursday, December 6, 2007 1:19 AM
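A small model, added here and not part of the thread or of OneCare itself, of the firewall behaviour Neeraj and John describe: each NIC has a location, each rule has a scope, and the "automatically suspend all Home or work locations" option downgrades every NIC to the public policy as soon as any one NIC is public. The interface names, subnets and the port 445 rule are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model (not OneCare code) of the policy described in the thread:
# a per-interface location, a per-rule scope, and the global option that
# suspends every home/work location as soon as any network is public.

@dataclass
class Interface:
    name: str
    subnet: str           # CIDR of the LAN segment on this NIC (constructed)
    location: str         # "home_work" or "public"

@dataclass
class Rule:
    name: str
    port: int
    scope: str            # "subnet": local subnet only; "internet": any source
    locations: frozenset  # locations in which the rule is active at all

def inbound_allowed(interfaces, rules, auto_suspend, iface_name, src_ip, port):
    """Return (allowed, reason) for one inbound connection on a multi-homed host."""
    iface = next(i for i in interfaces if i.name == iface_name)
    # The behaviour that broke John's LAN: one public NIC downgrades every NIC.
    any_public = any(i.location == "public" for i in interfaces)
    location = "public" if (auto_suspend and any_public) else iface.location
    rule = next((r for r in rules if r.port == port and location in r.locations), None)
    if rule is None:
        return False, f"no rule for port {port} in location '{location}'"
    # A subnet-scoped rule still keeps the public-facing side out even when
    # the auto-suspend option is turned off, which is why John stays covered.
    if rule.scope == "subnet" and ip_address(src_ip) not in ip_network(iface.subnet):
        return False, f"{rule.name}: {src_ip} is outside {iface.subnet}"
    return True, f"{rule.name}: allowed on {iface.name} ({location})"

# Constructed hub PC: private LAN NIC plus the ICS/upstream NIC marked public.
HUB = [Interface("lan0", "192.168.0.0/24", "home_work"),
       Interface("wan0", "10.0.0.0/24", "public")]
RULES = [Rule("File and Printer Sharing", 445, "subnet", frozenset({"home_work"}))]

if __name__ == "__main__":
    for auto_suspend in (True, False):
        print("auto_suspend =", auto_suspend,
              inbound_allowed(HUB, RULES, auto_suspend, "lan0", "192.168.0.20", 445))
```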
  • I believe that the main reason for that detection is indeed for laptops which are very common these days and people regularly roam to unsecure networks. In your case, I'm sure all is well and thanks for the feedback.

    -steve

     

    Thursday, December 6, 2007 2:52 AM
    Moderator
  • Steve,

     

    I hope the fine folk at Microsoft realize just how common a configuration is being described above. I used hardware routers for years, until broadband instability in multiple locations across multiple broadband suppliers was traced to poor quality firmware code in Linksys routers. I moved from hardware routers to XP machines running Internet Connection Sharing (ICS) for me and residential clients, and the stability of ICS on XP is unsurpassed in my experience, with uptime measured in months.

     

    Earlier this week I was attempting to replace an XP ICS machine with a Vista ICS machine, and I needed to disable OneCare on the Vista ICS machine because of the apparent inability of Vista to handle what XP handled without issue; namely, the internal-facing (private) and external-facing (public) network cards.

     

    If you or perhaps Neeraj could please clarify that Vista, ICS, and OneCare are not compatible to the extent that XP, ICS, and OneCare are compatible, I could cancel the appropriate OneCare subscriptions as people upgrade their ICS machines to Vista.

     

    Thanks,

     

    Don

    Friday, December 7, 2007 6:00 PM
  • Don, I'll defer to Neeraj on this as I don't have direct experience with this functionality and Neeraj is the firewall Program Manager.

    -steve

     

    Friday, December 7, 2007 7:12 PM
    Moderator
  • Hi Don

     

    First of all, thanks for being a OneCare customer and thanks for bringing this issue to our attention. I will attempt to clarify some things.

    a) OneCare 2.0 is not less capable than 1.5 in any fashion. The new feature in the firewall in 2.0 is that by marking certain networks as public, certain risky ports will automatically be blocked.  Differences from the previous release are as follows:

      1. Previous release only had this feature for Vista. XP did not have any concept of public vs. home/work location networks. Now it does.

      2. We blocked ALL incoming connections in public places. Now we only block risky ones.

      3. At the same time we have opened a few more ports by default in the home/work zone.

     

    I am sorry that the new defaults do not work for you. If you were happy with the 1.5 version, you can achieve that by doing the following:

        1. Mark any network you want to have more access as home/work

        2. Open Firewall Configuration Tool, turn off all the rules, turn on any specific things you care about.

    This will basically provide you with exactly the same behavior as 1.5.

     

    I will ensure that your suggestions are considered seriously for our next release.

     

    Thanks

     

    Monday, December 31, 2007 8:06 PM
  • Neeraj,

     

    I appreciate the guidance. In future, I'll RTFM.

     

    Thanks,

     

    Don

    Monday, December 31, 2007 8:58 PM