Re: help understanding authentication on workgroups
- From: Chuck <none@xxxxxxxxxxx>
- Date: Mon, 03 Apr 2006 19:15:45 -0700
On Mon, 3 Apr 2006 18:03:01 -0700, Greg Nash
<GregNash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
"Chuck" wrote:
On Sun, 2 Apr 2006 16:44:01 -0700, Greg Nash
<GregNash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I've spent a lot of time trying to understand the concept of simple
workgroups (all PCs with XP Pro Service Pack 2, simple file sharing on,
network client services on and print/file sharing on), but none of the
networking internet help sites appear to address some of the issues:
1. Does the computer browser service (administrative tools/services) have to
be started on all but one ("host") of the PCs in the workgroup (I've seen
conflicting recommendations; it doesn't seem to make much difference anyway).
If so are there any other special settings required for this "host"? In any
case should the computer browser be set to "manual" or "automatic"?
2. From reading MS documentation, workgroup authentication is said to be
"local". I understood this to mean that if you can log onto any PC in the
network then you can see all other PCs in the workgroup, plus any files that
they share. However, I generally get a login window with username
"computername\guest" when I try to access PC "computername". When I supply
the password for that guest account on that computer, I get access to that PC
in the workgroup. At the same time one PC on the workgroup has no guest
account (only administrator account) and the other PCs can see it and its
shared files without being forced to go through the login process.
What is going on here with respect to authentication?
Thanks
Greg Nash
Greg,
The browser provides visibility.
The rule of the browser is simple. If you're going to use browser services,
there must be a browser on the network for each computer to get the browse list
from. If there is just one computer running the browser, then that computer
will be the master browser. If there are two or more computers running the
browser, then those computers have to decide which one will be the master
browser.
If the master browser computer stays online constantly, there will be no
problem. If the master browser ever drops offline, you have the possibility for
problems. If you have more questions after reading my article, I'd appreciate
the feedback.
<http://nitecruzr.blogspot.com/2005/04/nt-browser-or-why-cant-i-always-see.html>
Authentication provides access.
By local authentication, the meaning is for network access by non-Guest
accounts, you have to use an identical non-Guest account on both the client (the
computer that you're logged in to), and any server (the remote computer that you
need to access). Authentication is required, whether or not you use the browser
(Network Neighborhood), or just do an ad hoc mapping by name or even by IP
address.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html>
Now things get complicated when you set up accounts with or without passwords.
It is possible to set up network access on any account with no password required
(ie a blank password). If you're going to use blank passwords, you should do
so consistently, or you may run into problems. Maybe this is part of your problem.
When you refer to the computer that "has no guest account", what specifically do
you mean? Was Guest deleted? Or was Guest disabled for local access? Remember
local and remote access is potentially different for any account.
Do my questions raise any more questions from you? Ask away. Windows browsing
and authentication has many possible problems, and I don't think it's possible
to document all of them.
<http://nitecruzr.blogspot.com/2005/07/windows-networking.html>
Your web site links were great. I'd suggest (if it's not available in a way I
didn't see) that all the forum moderator's links be grouped in a way that
they could be separately searched for info before a question is submitted.
In all my searching I didn't end up seeing the links you provided. Instead,
searching Google, Google groups and the MS Knowledge base provided either
related but not directly useful material, or info that was too detailed to
understand. And a big waste of time.
Based on info in the links you provided on computer browsers, I now have
turned off the computer browser on my laptop (wireless connection), but left
it on on the two desktops (wired connection). I'm surprised that MS can't
figure out a way to make the whole browser process deterministic and stable.
My problem with workgroup authentication is that I'm using a router on my
vacation that has one ethernet port going to a PC in another condo. So I can
see another workgroup (not mine) on the network. I don't want that person to
be able to access any shared folders on my 3 PCs on my workgroup (desktop1,
desktop2, and laptop).
I have all my 3 PCs set up with guest accounts, all with the same password.
This morning I restarted all PCs (all with simple file sharing on) and found
that for any of the PCs to access the other on my workgroup, I had to supply
a password at a login window that had "computername/guest" user ID; however,
there was one exception: desktop1 was able to see laptop's shared folders
without having to go through a login window. I don't understand this. This
makes me wonder if my (unknown) neighbor could actually see any of my 3 PC's
shared folders w/o going through the login process. That's why I want to
understand how the authentication process works.
I know I can probably use "hidden" folders or get rid of simple file
sharing, but I want to keep things as simple as possible to avoid maintenance
hassles.
Thanks for your feedback, Greg. I don't think a FAQ for this forum is a real
possibility though. Help here is interactive, and each helper has his / her own
style.
The browser subsystem is deterministic, but more so for domains. Workgroups,
which are peer-peer networks, have to use a self electing process for choosing a
master browser. The election process matrix, shown in the Microsoft article,
link provided, is pretty complex. Unfortunately, with a workgroup, it's still
peer-peer. Vista will be better, but until networks are 100% Vista and up,
there will always be some backwardly compatible mechanism.
So we're stuck with the Windows NT browser for some time.
Now then, on your choice for network security. You state that you have a
network, which you share with another individual, and you don't want that other
person to be able to access your computer. Then you state your intention to
keep Simple File Sharing. These two goals are not compatible.
If you don't trust your neighbor, and you need to share an Internet connection,
you need to buy 2 more routers. Connect 2 new routers to the existing router,
and connect your computers to the LAN on one, and your neighbor's computers to
the LAN on the other.
Greg, if you spent good money for Windows XP Pro, and you persist in using SFS
simply to avoid maintenance hassles, you're throwing your money away. Send it
to me instead. ;)
SFS was designed for networks where everybody trusts everybody else equally.
Instead of putting a password on Guest, disable SFS and set up a non-Guest
account with a password. You'll simply have a non-Guest account on each
computer. Then disable Guest.
The maintenance hassles will be less than what you are likely going thru right
now. Bite the bullet, and secure your network. Disable SFS, and Guest. Use a
non-Guest account between all of your computers.
--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
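
The steps recommended in the reply above (disable Simple File Sharing, set up a matching non-Guest account, disable Guest), as an added example that is not part of the original message. It assumes an administrator command prompt on each XP Pro PC, English-language `net user` output, and a hypothetical account name `shareuser`.

```bat
@echo off
rem Added example, not part of the original message.
rem Run from an administrator command prompt on each XP Pro PC in the workgroup.
rem "shareuser" is a hypothetical account name: use the same name and the
rem same password on every PC so client and server credentials match.
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa

echo --- Before ---
rem forceguest=1: every network logon is mapped to Guest (Simple File Sharing on).
reg query "%LSA%" /v forceguest
rem The "Account active" label assumes English-language output.
net user Guest | find /i "Account active"

rem 1. Disable Simple File Sharing: network logons authenticate as themselves.
reg add "%LSA%" /v forceguest /t REG_DWORD /d 0 /f
if errorlevel 1 goto :failed

rem 2. Create the non-Guest account if missing; "*" prompts for the password
rem    so it never appears on the command line.
net user shareuser >nul 2>&1
if errorlevel 1 net user shareuser * /add
if errorlevel 1 goto :failed

rem 3. Disable Guest.
net user Guest /active:no
if errorlevel 1 goto :failed

echo --- After ---
reg query "%LSA%" /v forceguest
net user Guest | find /i "Account active"
goto :eof

:failed
echo A step failed; re-run from an administrator command prompt.
exit /b 1
```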