Re: SBS shares. Theres is security. GOT IT!!!
- From: "Jonathan Davey" <me@xxxxxxxxxxx>
- Date: Mon, 13 Mar 2006 15:18:45 -0000
You guys!
So I have an employee who is an AD profile user. He can log in to the domain
on ANY device using his user credentials simply through network passwords,
Outlook etc, without having to formally log in at BOOT on the client.
He's at home and decides to use his wife's laptop to check his emails. He
adds the exchange account to Outlook and uses his credentials to sync his
emails.
Unfortunately his wife is having an affair and they split up. His wife now
has a laptop with full domain access to the server. Not just his emails!!
No wonder MS have disabled RemoteSync on PPC..... shame the same rule doesn't
apply to Laptops!!!
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:%23o0t5ekRGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
Yeah because you gave it credentials to have permission to access it.
When you get ready to migrate ... let me know if you still don't think
that it's not a real domain.
Jonathan Davey wrote:
GOT IT!!!!
Aus was right, I checked Ctrl panel/users on the Rogue PC and there WAS
the Network Logins. Including 1 to the SBS server.
Removal of said "Stored network password" and wham, no more access to SBS
BUT
Guess what........ Outlook then prompted me for a username and password
to access my SBS Exchange folder. (well of course it would)
Then I checked the SBS network shares and yep access granted without any
credentials (save from, credentials supplied to and for use only to
Outlook to access Exchange).
So this proves that SBS doesn't operate a real domain environment. A real
domain environment does not allow unauthenticated devices or users access
to the network. SBS however allows a simple Exchange login to propagate
across the entire local/remote profiles and give full access to the
domain! It is therefore not a domain.
Anyone?
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:eRq36SWRGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
CO-DBA-SC-EL wrote:
There is something odd going on though. On our SBS, on which I have
*never* set shares manually, except on data folders on drive d:
- Guest is disabled.
- On a machine not joined to the domain, logged in with a name/password
that is not on the SBS, I cannot get access to any of the shares on the
server without being challenged for a name and password. Note that the
challenge does not request or even have a prompt for a domain. I.
- On a machine not joined to the domain I can get read/execute access
to all the shares on the server if the user has a matching
name/password, also without requiring domain logon. This includes C$ on
the SBS, even if the user is only a restricted user in the domain.
This is expected because you are using Pass through Authentication.
This isn't odd at all. You 'have' authenticated on that system. You've
given it an appropriate username/password.
- By default, the security for C$ is set to allow read/execute to
Everyone (you need to click Advanced to see that, because it appears
unchecked in the basic rights dialog box).
How do we restrict shares to allow only domain users? (without having
to do it manually for each share). And what happens if we remove C$
access for Everyone on the SBS?
Don't. Messing with those admin shares can mess majorly with
administration and patching.
Choose good passphrases.
Both you and Jonathan are still not seeing that these 'are' domain users
as they 'have' provided the proper authentication to that box.
http://blogs.brnets.com/michael/archive/2004/05/26/146.aspx
You start drilling down into AD and you have to consider that you need
some of this stuff for LOB and backwards compatibility.
You don't want to mess with AD unless you know what you are doing. BTW
Everyone in 2k3 is the equivalent of Authenticated users anyway...it's
not like the 2k era where it included anon.
There is proper authentication going on for both of you ..you have
'rights' to that system.
C_O
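
Added example, not part of the original thread: the behaviour discussed above (valid domain credentials accepted from a machine that was never joined to the domain) can be surfaced from the server's logon audit records. The Python below assumes records shaped like Windows Security event 4624 (the logon event on Windows Server 2008 and later) and a hypothetical inventory of domain-joined computer names; all sample data is constructed.

```python
# Constructed records using field names from the Windows Security 4624 event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "OFFICE-PC01", "IpAddress": "192.168.16.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "HOME-LAPTOP", "IpAddress": "192.168.16.87"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "OFFICE-PC02$", "WorkstationName": "-", "IpAddress": "192.168.16.22"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "admin", "WorkstationName": "SBS01", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "HOME-LAPTOP", "IpAddress": "192.168.16.87"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "mjones", "WorkstationName": "home-laptop", "IpAddress": "192.168.16.87"},
]

# Hypothetical inventory of computer accounts joined to the domain.
DOMAIN_COMPUTERS = {"SBS01", "OFFICE-PC01", "OFFICE-PC02"}


def non_domain_network_logons(events, domain_computers):
    """Return {workstation: sorted users} for successful NTLM network logons
    (type 3) whose workstation name is not in the domain inventory."""
    known = {name.upper() for name in domain_computers}
    hits = {}
    for ev in events:
        # Only successful logons over the network (share access, Outlook, etc.).
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        # NTLM logons carry a workstation name; Kerberos ones usually do not.
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        # Skip machine accounts and anonymous sessions: no user credential involved.
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue
        # The name is supplied by the client, so a hit is a lead, not proof.
        ws = ev.get("WorkstationName", "").strip().upper()
        if not ws or ws == "-" or ws in known:
            continue
        hits.setdefault(ws, set()).add(user.lower())
    return {ws: sorted(users) for ws, users in hits.items()}


if __name__ == "__main__":
    for ws, users in non_domain_network_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS).items():
        print(f"{ws}: domain credentials used by {', '.join(users)}")
```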