Re: SBS shares. Theres no security. GOT IT!!!



Thank you kindly for all your help and input.

I'm now a little wiser but have somewhat more to learn.

Thanks Again.

Jonathan

"aus" <aus@xxxxxxx> wrote in message
news:%23vgoCowRGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
Hi, that bit is partially true in that resources in Windows Domains have
always been largely available by simply using a valid Username/Password.

Do note that some domain resource accesses will work and others fail
unless your PC is really a member of a domain (i.e. have logged on at a PC
that has been 'joined' to the domain by an Admin).

e.g. I was setting up an XP Home system that some user had brought in
temporarily and it can indeed read the user's Exchange email even though
it's not actually part of the domain, but things like shared calendars and
other functions will fail.

So it's a bit of a halfway house by default in that respect (and I think
'by default' is key here). But it's perfectly possible to restrict user
logins to, say, specific *Domain* PCs, etc. so that you need more than
just the Username/Password for access.

Once you have actively set up your domain security - and it's not too hard,
but there are various options - you will have what you are looking for I
think.





Jonathan Davey wrote:
GOT IT!!!!

Aus was right, I checked Ctrl panel/users on the Rogue PC and there WAS
the Network Logins. Including 1 to the SBS server.

Removal of said "Stored network password" and wham, no more access to SBS

BUT

Guess what........ Outlook then prompted me for a username and password
to access my SBS Exchange folder. (well of course it would)

Then I checked the SBS network shares and yep access granted without any
credentials (save from, credentials supplied to and for use only to
Outlook to access Exchange).

So this proves that SBS doesn't operate a real domain environment. A real
domain environment does not allow unauthenticated devices or users access
to the network. SBS however allows a simple Exchange login to propagate
across the entire local/remote profiles and give full access to the
domain! It is therefore not a domain.

Anyone?

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:eRq36SWRGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx


CO-DBA-SC-EL wrote:


There is something odd going on though. On our SBS, on which I have
*never* set shares manually, except on data folders on drive d:
- Guest is disabled.
- On a machine not joined to the domain, logged in with a name/password
that is not on the SBS, I cannot get access to any of the shares on the
server without being challenged for a name and password. Note that the
challenge does not request or even have a prompt for a domain. I.
- On a machine not joined to the domain I can get read/execute access to
all the shares on the server if the user has a matching name/password,
also without requiring domain logon. This includes C$ on the SBS, even
if the user is only a restricted user in the domain.


This is expected because you are using Pass through Authentication.

This isn't odd at all. You 'have' authenticated on that system. You've
given it an appropriate username/password.


- By default, the security for C$ is set to allow read/execute to
Everyone (you need to click Advanced to see that, because it appears
unchecked in the basic rights dialog box).

How do we restrict shares to allow only domain users? (without having to
do it manually for each share). And what happens if we remove C$ access
for Everyone on the SBS?


Don't. Messing with those admin shares can mess majorly with
administration and patching.
Choose good passphrases.

Both you and Jonathan are still not seeing that these 'are' domain users
as they 'have' provided the proper authentication to that box.

http://blogs.brnets.com/michael/archive/2004/05/26/146.aspx

You start drilling down into AD and you have to consider that you need
some of this stuff for LOB and backwards compatibility.

You don't want to mess with AD unless you know what you are doing. BTW
Everyone in 2k3 is the equivalent of Authenticated users anyway...it's
not like the 2k era where it included anon.

There is proper authentication going on for both of you ..you have
'rights' to that system.


C_O
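
A defender's check for the behaviour discussed in this thread (a PC that is not joined to the domain reaching server shares with a matching username/password), as an added example that is not part of the original posts: it scans network-logon records and flags those whose workstation is not in the list of domain-joined computers. The field names follow the logon event (ID 4624) of current Windows versions; the user names, host names, inventory and sample records are constructed.

```python
from collections import defaultdict

NETWORK_LOGON = 3  # logon type recorded for access to shares over the network

# Constructed inventory of domain-joined computers (assumption: exported from AD).
DOMAIN_COMPUTERS = {"SBS01", "ACCT-PC1", "ACCT-PC2"}

# Constructed sample records, one dict per logon event.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "WorkstationName": "ACCT-PC1", "LogonType": 3},
    {"TargetUserName": "alice", "WorkstationName": "xp-home", "LogonType": 3},
    {"TargetUserName": "Alice", "WorkstationName": "XP-HOME", "LogonType": 3},
    {"TargetUserName": "bob", "WorkstationName": "acct-pc2$", "LogonType": 3},
    {"TargetUserName": "admin", "WorkstationName": "LAPTOP9", "LogonType": 2},
    {"TargetUserName": "bob", "WorkstationName": "-", "LogonType": 3},
]


def normalize(name):
    """Upper-case a computer name and drop the '$' suffix of machine accounts."""
    return (name or "").strip().rstrip("$").upper()


def non_domain_network_logons(events, domain_computers):
    """Return {(user, workstation): count} for network logons from hosts
    that are not in the domain inventory."""
    known = {normalize(c) for c in domain_computers}
    hits = defaultdict(int)
    for ev in events:
        if int(ev.get("LogonType", 0)) != NETWORK_LOGON:
            continue  # interactive, service, etc. are out of scope here
        host = normalize(ev.get("WorkstationName"))
        if host in ("", "-"):
            continue  # workstation not recorded; cannot be judged here
        if host not in known:
            # The workstation name is reported by the client, so a hit is a
            # lead to follow up, not proof of which machine connected.
            hits[(ev["TargetUserName"].lower(), host)] += 1
    return dict(hits)


if __name__ == "__main__":
    found = non_domain_network_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS)
    for (user, host), count in sorted(found.items()):
        print(f"{user}: {count} network logon(s) from non-domain host {host}")
```
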


