Re: SBS shares. Theres is security. GOT IT!!!

Yeah because you gave it credentials to have permission to access it.

When you get ready to migrate ... let me know if you still don't think that it's not a real domain.



Jonathan Davey wrote:
GOT IT!!!!

Aus was right, I checked Ctrl panel/users on the Rogue PC and there WAS the Network Logins. Including 1 to the SBS server.

Removal of said "Stored network password" and wham, no more access to SBS

BUT

Guess what........ Outlook then prompted me for a username and password to access my SBS Exchange folder. (well of course it would)

Then I checked the SBS network shares and yep access granted without any credentials (save from, credentials supplied to and for use only to Outllook to access Exchange).

So this proves that SBS doesnt operate a real domain enviroment. A real domain enviroment does not allow unathenticated devices or users access to the network. SBS however allows a simple Exchange login to propogate across the entire local/remote profiles and give full access to the domain! It is therefore not a domain.

Anyone?

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> wrote in message news:eRq36SWRGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
CO-DBA-SC-EL wrote:

There is something odd going on though. On our SBS, on which I have *never* set shares manually, except on data folders on drive d:
- Guest is disabled.
- On a machine not joined to the domain, logged in with a name/password that is not on the SBS, I cannot get access to any of the shares on the server without being challenged for a name and password. Note that the challenge does not request or even have a prompt for a domain. I.
- On a machine not joined to the domain I can get read/execute access to all the shares on the server if the user has a matching name/password, also without requiring domain logon. This includes C$ on the SBS, even if the user is only a restricted user in the domain.
This is expected because you are using Pass through Authentication.

This isn't odd at all. You 'have' authenticated on that system. You've given it an appropriate username/password.

- By default, the security for C$ is set to allow read/execute to Everyone (you need to click Advanced to see that, because it appears unchecked in the basic rights dialog box).

How do we restrict shares to allow only domain users? (without having to do it manually for each share). And what happens if we remove C$ access for Everyone on the SBS?

Don't. Messing with those admin shares can mess majorly with administration and patching.
Choose good passphrases.

Both you and Jonathan are still not seeing that these 'are' domain users as they 'have' provided the proper authentication to that box.

http://blogs.brnets.com/michael/archive/2004/05/26/146.aspx

You start drilling down into AD and you have to consider that you need some of this stuff for LOB and backwards compatibility.

You don't want to mess with AD unless you know what you are doing. BTW Everyone in 2k3 is the equivalent of Authenticated users anyway...it's not like the 2k era where it included anon.

There is proper authentication going on for both of you ..you have 'rights' to that system.

C_O


.

Relevant Pages

  • Re: SBS shares. Theres is security. GOT IT!!! (repost)
    ... He can login to the ... SBS market I doubt you have either. ... Then I checked the SBS network shares and yep access granted ... This is expected because you are using Pass through Authentication. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS shares. Theres is security. GOT IT!!!
    ... on ANY device using his user credentials simply through network passwords, ... without having to formally login at BOOT on the client. ... Removal of said "Stored network password" and wham, no more access to SBS ... Then I checked the SBS network shares and yep access granted without any ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS shares. Theres no security. GOT IT!!!
    ... But its perfectly possible to restrict user logins to, say, specific *Domain* PCs, etc. so that you need more than just the Username/Password for access. ... Removal of said "Stored network password" and wham, no more access to SBS ... Then I checked the SBS network shares and yep access granted without any credentials. ... Both you and Jonathan are still not seeing that these 'are' domain users as they 'have' provided the proper authentication to that box. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS shares. Theres no security. GOT IT!!!
    ... always been largely available by simply using a valid Username/Password. ... Removal of said "Stored network password" and wham, no more access to SBS ... Then I checked the SBS network shares and yep access granted without any ... This is expected because you are using Pass through Authentication. ...
    (microsoft.public.windows.server.sbs)
  • Re: Active Directory and Network Shares
    ... if the shares that are allowing transparent access ... request for authentication because of two reasons. ... > with shared printers and files scattered around several computers. ... The Win2000 box requires credentials from the local ...
    (microsoft.public.win2000.security)