Re: Allowing file share browsing for un-authenticated users

On May 26, 11:30 pm, "jameshanle...@xxxxxxxxxxx"
<jameshanle...@xxxxxxxxxxx> wrote:
On 27 May, 04:04, Nonapept...@xxxxxxxxx wrote:



Thanks for the prompt reply, James!

Your pointer to the Local Policies >> Security Settings node in local
security policy opened up some new possibilities for me.

Let me restate my goal. What I really need is to create a public
folder or two on the file server (much like the public folder on XP or
Vista). That way anyone can access files in those folders without
being prompted for username and password. Other shares can, and
probably should stay access restricted.

At first I thought "Network access: Named pipes that can be accessed
anonymously" and "Network access: Shares that can be accessed
anonymously" would be the way to go, but after messing with it I now
think otherwise. When a Windows client tries to access shares on
another computer in a workgroup, it seems to send the credentials of
the local machine and user, so in effect it's not try to access it
anonymously. Unless I'm missing something anonymous shares are not the
way to go. Neither is allowing the ANONYMOUS_LOGON access to the share
because again the logon attempt isn't really anonymous. Argh.

What befuddles me is that this behaviour is default in XP and Vista.
If you share something, everyone can access it on the network without
username and password. I've just taken that behaviour for granted. I
can't help but thinking to myself that this should be alot simpler
than I'm making it.

I know I'm missing something obvious. Back to Googling...

I have had this with windows xp.. Being prompted for a user/pass..

I have found it just to be whether you choose AFS or SFS..
Either can prompt you, in a different way.

if you don't like the prompt, them either way you can get rid of it.
Slightly more easily with SFS.  If SFS is prompting you then it's not
set up right e.g. Guest account is disabled perhaps. With AFS, if you
have identical accounts it will prob not prompt you.

And that setting I mentioned switches between AFS and SFS.

And I mentioned how not to get the prompts with them.

I only know Win XP though for file sharing.

Okay. It seems that if I simply enable the guest account on my Server
2003 machine I am then able to list file shares using an account on a
workgroup computer that does not have an identical counterpart on the
server. That's a step in the right direction, but not quite what I had
in mind.

When I look through the server's event logs, it looks like the first
access attempt is using the workstation's local username and password.
When that is unsuccessful, it immediately retries using "Guest" (this
is behaviour that I was heretofore unaware of). That access request is
successful when the guest account is enabled.

There are a number of things that puzzle me about this whole thing
though. The "Network Access: sharing and security model for local
accounts" seems to be irrelevant in this scenario. That policy simply
states that in Classic mode if you access the server using a local
account then your permissions will be granular; allowing one account
the ability to have different permissions than another account. In
Guest Only mode, no matter what account you put in, it will map your
account to whatever permissions the Guest account has been given. That
may or may not included anonymous logins. I haven't figured that out
yet. Either way, I have the server in Client mode and enabling the
Guest account still allows me to enumerate file shares so that Network
Access policy can't be the solution.

So now I can allow any workgroup machine\user the ability to use the
server's shares, but I have yet to track down the specific policy that
grants this to the guest account. I also have yet to figure out if I
can select individual folders that the guest account can see and use.
That's my ultimate goal.



On a related note:

I've mentioned several times that I wondered how client OSs like XP
and Vista share their folders with anyone on the local network by
default. That's still unanswered. It doesn't seem to be through the
guest account, as its disabled and the user rights assignment "Deny
access to this computer from the network" includes the Guest account.
Yet, anonymous access seems to be unlikely as well since several of
the Network Access policies dealing with Anonymous accounts look like
they stymie anon access.

What a can of worms.

I'll get to the bottom of this someday... :-|
.

Relevant Pages

  • Re: Networking XP
    ... > I am helping a small company add new pc's to a new network. ... NO wins server involved. ... > Guest account is enabled on this box. ... > check from the pc serving the printer and printing goes as expected. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Networking XP
    ... > I am helping a small company add new pc's to a new network. ... NO wins server involved. ... > Guest account is enabled on this box. ... > check from the pc serving the printer and printing goes as expected. ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Networking XP
    ... > I am helping a small company add new pc's to a new network. ... NO wins server involved. ... > Guest account is enabled on this box. ... > check from the pc serving the printer and printing goes as expected. ...
    (microsoft.public.windowsxp.general)
  • Re: Used to network properly but now Guest account is interfering.
    ... Ethernet adapter Wireless Network Connection: ... Server Comment ... did the guest account become flavour of the month?- it's disabled on both ...
    (microsoft.public.windowsxp.network_web)
  • Re: Anonymous folder access
    ... server to run a computer inventory/help desk solution called Track-It. ... but to do that each user would have to have access to the shares on ... for disaster as anyone that can reach the machine on the network ... One is to enable the Guest account ...
    (microsoft.public.windows.server.security)
Loading