Re: Allowing file share browsing for un-authenticated users
- From: Nonapeptide@xxxxxxxxx
- Date: Tue, 27 May 2008 19:11:29 -0700 (PDT)
On May 27, 12:35 pm, "jameshanle...@xxxxxxxxxxx"
<jameshanle...@xxxxxxxxxxx> wrote:
On 27 May, 06:00, Nonapept...@xxxxxxxxx wrote:
On May 26, 11:30 pm, "jameshanle...@xxxxxxxxxxx"<snip>
I only know Win XP though for file sharing.
Okay. It seems that if I simply enable the guest account on my Server
2003 machine I am then able to list file shares using an account on a
workgroup computer that does not have an identical counterpart on the
server. That's a step in the right direction, but not quite what I had
in mind.
In Win XP, I would say it sounds like you are set to SFS
When I look through the server's event logs, it looks like the first
access attempt is using the workstation's local username and password.
When that is unsuccessful, it immediately retries using "Guest" (this
is behaviour that I was heretofore unaware of). That access request is
successful when the guest account is enabled.
Where are these logs.. Do they exist in Windows XP?
I have never seen that behaviour. From my Win XP use, it sounds like a
mixture of AFS and SFS. I think that's impossible.. I have never
heard of that. Are you sure?
Is this retry a second later?
I haven't seen the logs though.. would be interested to know where
they are accessible.
There are a number of things that puzzle me about this whole thing
though. The "Network Access: sharing and security model for local
accounts" seems to be irrelevant in this scenario. That policy simply
states that in Classic mode if you access the server using a local
account then your permissions will be granular; allowing one account
the ability to have different permissions than another account. In
Guest Only mode, no matter what account you put in, it will map your
account to whatever permissions the Guest account has been given. That
may or may not include anonymous logins. I haven't figured that out
yet. Either way, I have the server in Client mode and enabling the
Guest account still allows me to enumerate file shares so that Network
Access policy can't be the solution.
you say you "have the server in client mode"? That is absolute
nonsense. Like saying you have the dart board acting as an arrow.
I think you mean Classic.. As in users authenticate as themselves.
I don't know much about NT file permissions. (they are for multi-user
environment of potentially malicious users. I don't need to really for
my own computers at home)
So now I can allow any workgroup machine\user the ability to use the
server's shares, but I have yet to track down the specific policy that
grants this to the guest account. I also have yet to figure out if I
can select individual folders that the guest account can see and use.
That's my ultimate goal.
I mentioned 3 interesting options.
2 of them were "Allow...." and "Deny......"
The default is to Allow everyone, and Deny Guest.
(deny wins..I guess it is processed after)
(so another way of looking at it, is that if you don't deny guest,
then Guest is allowed. So there is no policy that allows Guest, it's
allowed if it is not denied. So in a sense, that is a default setting
- an unchangeable one. Stupid way of looking at it though. Or maybe
it's the Allowing everyone, that allows Guest.)
Default is Deny Guest.
Although I mentioned that in the context of being relevant to SFS. I
suppose it is relevant to AFS too.
In fact, windows xp machines are set to AFS by default. Guest Account
disabled. Guest Denied. (judging by my win xp installation from the
win xp sp2 cd I burned anyway)
On a related note:
I've mentioned several times that I wondered how client OSs like XP
and Vista share their folders with anyone on the local network by
default. That's still unanswered.
Out of interest.. Where did you see the terminology of calling XP a
client OS?
I know.. I have seen it too.. and it's common. But just wondering
where you saw it..
I actually saw that kind of terminology in a book called Networking
Complete, described windows 98 as a client OS.. Because relative to
Windows NT(the Network OS), its network features were limited.. e.g.
just basic password access to network directories. .
I think the default is AFS.
I think
Win XP only has 2 options . SFS or AFS, and no way of opting out.
But you can choose not to share any folders.
Certainly, I remember that Guest is disabled and Denied. I guess
Network Access is - Classic - users authenticate as themselves.
People who want SFS will have a problem if they just check the box.
They should either run the "Network Setup Wizard". Or after setting
SFS..
Check that it does Allow Everyone (it probably is)
-remove Guest from the deny list -
And check that authentication is as Guest - though it would be if it
is set to SFS.
As explained.
It doesn't seem to be through the
guest account, as it's disabled and the user rights assignment "Deny
access to this computer from the network" includes the Guest account.
Yet, anonymous access seems to be unlikely as well since several of
the Network Access policies dealing with Anonymous accounts look like
they stymie anon access.
What is an anonymous account?
BTW, I think with SFS users ONLY authenticate as Guest.
So whoever they are. I don't think it's like, they try to
authenticate as themselves and if it fails they do so as Guest. They
just do so as Guest.
Your logs claim otherwise.. be interesting to know where these logs
are..
and if they are in Win XP. 'cos I have win xp.
In Win XP, I would say it sounds like you are set to SFS <<
I think essentially it is. This post explains it rather cogently:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/957006982831
Look for the last message on the list from a user called Bluenote.
It's basically what you told me to do.
Where are these logs.. Do they exist in Windows XP? <<
It's just standard event viewer. You can navigate to it in the Admin
Tools folder or open up the run box and type 'eventvwr'. You must
first turn on both "audit account logon events" and "audit logon
events" from the following local policy: Local Computer Policy >>
Computer Configuration >> Windows Settings >> Security Settings >>
Local Policies >> Audit Policy.
Then access network resources on your machine from another machine.
You should see logon/logoff events in the Security log in event
viewer.
I have never heard of that. Are you sure? <<
Pretty sure I'm sure.
Is this retry a second later? <<
It's not even a second later. It's so quick that it shows both logon
events at the exact same second.
you say you "have the server in client mode"? That is absolute
nonsense. Like saying you have the dart board acting as an arrow.
I think you mean Classic.. As in users authenticate as themselves. <<
Yep. Just a typo.
Out of interest.. Where did you see the terminology of calling XP a
client OS? <<
It's just a common way of talking about OSs that are not explicitly
designed to handle being dedicated servers. Of course, client machines
can serve things and have software installed on it that in effect
makes the client os a server (IIS on XP comes to mind). It's just a
matter of semantics.
What is an anonymous account? <<
An anonymous user or an anonymous access attempt is also known as a
"null session". Googling should bring back ample results. It is an
attempt at accessing a computer or resource with a null username and
no password. As I ponder this situation further, Anonymous access
doesn't seem to be relevant to my situation.
So here's what I think I'll do. If I enable the guest account, I can
enumerate all shares on the server (side note: that baffles me how I
can enumerate file shares on XP or Vista even though the guest account
is disabled... %-| ). However, for the guest account to actually
access anything it needs to be explicitly allowed, so I'll set NTFS
permissions appropriately on the shares that all folks need to get to.
I'd prefer to restrict even the listing of shares to only the ones
that guests can access, but that might be too much to ask.
BTW, I think with SFS users ONLY authenticate as Guest.
So whoever they are. I don't think it's like, they try to
authenticate as themselves and if it fails they do so as Guest. They
just do so as Guest. <<
My understanding of the difference between SFS and AFS is that it
merely obscures or reveals the guts of file sharing to the user who is
attempting to share something. With SFS you only have two options: To
share or not to share, and whether or not to allow people to modify
resources. AFS exposes the three levels of share permissions, all of
the NTFS permission scheme, as well as the ability to apply different
levels of permission to different users and groups. It has nothing to
do with whether or not another user on the network accesses your share
first with a local account and then with a guest account or only with
a guest account. In fact, it couldn't have any effect on that since
the option is only modifying your computer's behaviour and not other
computers'.
This looks like a good article on the topic:
http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_august13.mspx
Thanks for your input. Does anyone else out there have anything to
contribute concerning this whole file sharing thing? I'd love to grasp
Windows' concept of permissions and network access better, but fear
I'd lose my mind if I try to trace every loose end back to its
origin. :-/
Thanks
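
The logon pattern described in this post (a failed network logon under the workstation's local account, followed within the same second by a successful logon as Guest) can be picked out of an exported Security log. The following is an added example, not part of the original post: the record layout, host names and sample events are constructed, and the event IDs 529 and 540 (Server 2003/XP-era Security log IDs) are an assumption since the thread does not name them.

```python
from datetime import datetime, timedelta

FAILED_LOGON = 529    # Server 2003 / XP: logon failure, unknown user or bad password
NETWORK_LOGON = 540   # Server 2003 / XP: successful network logon
NETWORK_TYPE = 3      # logon type 3 = access over the network (e.g. a file share)

# Constructed sample records: a simplified export of Security log entries,
# not real log data and not the native Event Log format.
SAMPLE_EVENTS = [
    {"time": "2008-05-27 18:02:11", "id": 529, "user": "alice", "workstation": "WKSTN01", "logon_type": 3},
    {"time": "2008-05-27 18:02:11", "id": 540, "user": "Guest", "workstation": "WKSTN01", "logon_type": 3},
    {"time": "2008-05-27 18:05:40", "id": 540, "user": "svc_backup", "workstation": "WKSTN02", "logon_type": 3},
    {"time": "2008-05-27 18:09:03", "id": 529, "user": "bob", "workstation": "WKSTN03", "logon_type": 3},
    {"time": "2008-05-27 18:20:00", "id": 540, "user": "Guest", "workstation": "WKSTN04", "logon_type": 3},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def classify_guest_logons(events, window_seconds=2):
    """Report every successful network logon as Guest.

    kind == "fallback": the same workstation failed a logon under another
    account no more than window_seconds earlier (the retry seen in the log).
    kind == "direct": Guest was used with no preceding failure.
    """
    window = timedelta(seconds=window_seconds)
    net = sorted((e for e in events if e["logon_type"] == NETWORK_TYPE), key=_ts)
    findings = []
    for e in net:
        if e["id"] != NETWORK_LOGON or e["user"].lower() != "guest":
            continue
        failed = [f for f in net
                  if f["id"] == FAILED_LOGON
                  and f["workstation"] == e["workstation"]
                  and timedelta(0) <= _ts(e) - _ts(f) <= window]
        findings.append({
            "time": e["time"],
            "workstation": e["workstation"],
            "kind": "fallback" if failed else "direct",
            "tried_as": [f["user"] for f in failed],
        })
    return findings

if __name__ == "__main__":
    for finding in classify_guest_logons(SAMPLE_EVENTS):
        print(finding)
```

With the Guest account enabled, each "fallback" finding identifies a workstation account that has no counterpart on the server and is being served with Guest's permissions instead.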