How to Protect WoW from Devious HomeGroup Users

HomeGroups in Windows 7 are awesome. Its an easy way to share content on your computer with other users on your network. There is a rather large issue with it though. Its not an issue with HomeGroups specifically but more with how modern games get around needing Administrative Privileges to run updates. Games like World of Warcraft install on Vista and 7 to C:\Users\Public\Games\. The problem is that by default when you join a HomeGroup this directory gets shared out with full read/write access to everyone in your HomeGroup. To prevent a malicious user from destroying your WoW install, you just need to change your NTFS permissions on that folder.

Start by opening Computer and browsing to C:\Users\Public. Right-click on the Games folder and go to Properties. In the Games Properties window click on the Security tab and then Advanced.

Our goal is going to be to remove the Everyone entry from the permissions list which currently has Full Control. Click on Change Permissions. Before you can remove Everyone from the list, you'll need to turn off inheritable permissions (currently Everyone can access C:\Users\Public\Games because they can also access C:\Users\Public) by unchecking the Include inheritable permissions box. It will ask you if you want to Add the current permissions to the new list you'll be making or remove them and start with a clean list, click Add.

Now scroll to the Everyone entry in the list and click Remove. To be safe, make sure that Administrators is in the list with Full control and/or your user account. If it isn't click add type in either Administrators or the user name you use to log into windows and in the window that follows click Full control and OK.

That's it! Go ahead and OK out of all the windows that are still left open. Now only administrators and people you added to the list will be able to access that folder. When someone accesses it from a HomeGroup they are using the HomeGroupUser$ account which is not an administrator and was being caught in the Everyone permissions before. With that gone your WoW install is now safe from being randomly deleted by bored network neighbors! If these directions weren't clear enough, or there's anyone questions, speak up in the comments.

My ISP Sucks

Being on an island in the middle of nowhere doesn't give you many choices for internet providers. Here in Hawaii we have two choices for broadband access; the local cable company, Oceanic Cable (Time Warner/Road Runner) and the local telephone company, Hawaiian Telcom. I've been with Road Runner since I got here over 10 years ago. While I still think they provide the best service on the island, it still sucks.


Unreliable connection
Earlier this week there was a statewide outage from 12:00am til about 7:30am. The issue turned out to be caused by an undersea cable being severed. I don't blame them for this since its a rare occurrence and something they couldn't have easily prevented. What I do take issue with is me periodically losing connection to the mainland and essentially the rest of the internet in the process. I can run a ping on one of the routers on island and have no breaks in the connection, but if I run a ping on the first router outside Hawaii it goes in and out throughout the day. This means unless I'm just connecting to sites in Hawaii, I can't access anything. It usually happens every few hours and will last anywhere from 20 seconds to 10 minutes.

On the left is a local router (oahuhimili-rtr1.hawaii.rr.com) on the right is a router in california (tustca1-rtr1.socal.rr.com).


Unsecure Email
I did a post on this a while ago, but Road Runner has no authentication on their SMTP servers (the ones used to send email). They don't require a user name or password, and the connection between you and their servers is not encrypted. While their POP servers (where your email is stored online) do require a user name and password, there's still no encryption. All communication with these servers are sent in plain text, so anyone eavesdropping on the connection would now have the username and password for your email account.
Packet captured while checking email.


Poor User Privacy
I've had to call Road Runner a few times because I've gotten locked out of the account I use to pay my bill to them. This is usually because I have multiple passwords for different Oceanic sites, and I sometimes forget which one is to pay my bill. After a few incorrect attempts I get locked out. Calling up support they are helpful and are able to unlock my account without much work. The problem is that after they unlock my account, they read off my password to me. They don't reset my password to something new and give me that, they give me my current password which means its something they can pull up. I've also had the same issue with my email account where the help desk person was able to pull up my password. The amount of verification done before we get to this point is information you could get off of any copy of my monthly bill. Working at a support desk, or even an administrator, you should never be able to access a user's password. The only thing you should be able to do is reset it to a new random password and give that to them.