Re: SBS shares. Theres is security. GOT IT!!! (repost)



<posted this yesterday, but it didn't show up>



In news:elltnFrRGHA.1204@xxxxxxxxxxxxxxxxxxxx,
Jonathan Davey <me@xxxxxxxxxxx> typed:
You guys!

So I have an employee who is an AD profile user. He can log in to the
domain on ANY device using his user credentials simply through
network passwords, Outlook, etc., without having to formally log in at
BOOT on the client.

He is authenticating to the domain. Not "logging into it" - a computer
does not have to belong to a domain in order for the user to access
resources on it. It's passing the authentication request along to the
server, and the server is saying OK. This is why you can use WinXP Home, or
WinME, even, to access resources on any network.

Note that all of this would apply to non-MS operating systems on either
side, too. Are there ways to prevent this? Sure, such as
smartcards/SecurID, etc. ... you can lock down a lot of things if you have
a) a real need and b) sufficient cash to throw at it. But if you're in the
SBS market I doubt you have either.

He's at home and decides to use his wife's laptop to check his emails.

Well, that's probably a pretty bad company policy...but OK....I'm with you
so far.

He adds the Exchange account to Outlook and uses his credentials to
sync his emails.

Unfortunately his wife is having an affair and they split up. His wife
now has a laptop with full domain access to the server. Not just his
emails!!

No, she doesn't.
RPC over HTTP grants access to the Exchange mailbox only - presuming you've
even opened up that access. Your firewall prevents access to your actual
data, doesn't it?
And sensible admins don't set up any sort of VPN access
for non-company laptops.
And you start by changing the user's password *immediately* when
something like this happens....or the user does.


No wonder MS have disabled RemoteSync on PPC..... shame the same rule
doesn't apply to laptops!!!

I still don't think you fully grasp the concepts here....


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa@xxxxxxxxxxx> wrote in message
news:%23o0t5ekRGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
Yeah because you gave it credentials to have permission to access it.

When you get ready to migrate ... let me know if you still don't
think that it's not a real domain.



Jonathan Davey wrote:
GOT IT!!!!

Aus was right. I checked Ctrl panel/users on the rogue PC and there
WERE the Network Logins, including 1 to the SBS server.

Removal of said "Stored network password" and wham, no more access
to SBS BUT

Guess what........ Outlook then prompted me for a username and
password to access my SBS Exchange folder. (well of course it would)

Then I checked the SBS network shares and yep, access granted
without any credentials (save for the credentials supplied to and for
use only by Outlook to access Exchange).

So this proves that SBS doesn't operate a real domain environment. A
real domain environment does not allow unauthenticated devices or
users access to the network. SBS however allows a simple Exchange
login to propagate across the entire local/remote profiles and give
full access to the domain! It is therefore not a domain.

Anyone?

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa@xxxxxxxxxxx> wrote in message
news:eRq36SWRGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
CO-DBA-SC-EL wrote:


There is something odd going on though. On our SBS, on which I
have never set shares manually, except on data folders on drive
d:
- Guest is disabled.
- On a machine not joined to the domain, logged in with a
name/password that is not on the SBS, I cannot get access to any
of the shares on the server without being challenged for a name
and password. Note that the challenge does not request or even
have a prompt for a domain.
- On a machine not joined to the domain I can get read/execute
access to all the shares on the server if the user has a matching
name/password, also without requiring domain logon. This includes
C$ on the SBS, even if the user is only a restricted user in the
domain.
This is expected because you are using Pass through Authentication.

This isn't odd at all. You 'have' authenticated on that system. You've
given it an appropriate username/password.


- By default, the security for C$ is set to allow read/execute to
Everyone (you need to click Advanced to see that, because it
appears unchecked in the basic rights dialog box).

How do we restrict shares to allow only domain users? (without
having to do it manually for each share). And what happens if we
remove C$ access for Everyone on the SBS?


Don't. Messing with those admin shares can mess majorly with
administration and patching.
Choose good passphrases.

Both you and Jonathan are still not seeing that these 'are' domain
users as they 'have' provided the proper authentication to that
box. http://blogs.brnets.com/michael/archive/2004/05/26/146.aspx

You start drilling down into AD and you have to consider that you
need some of this stuff for LOB and backwards compatibility.

You don't want to mess with AD unless you know what you are doing.
BTW Everyone in 2k3 is the equivalent of Authenticated users
anyway...it's not like the 2k era where it included anon.

There is proper authentication going on for both of you ..you have
'rights' to that system.


C_O


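The clean-up Jonathan did by hand (Control Panel / Users, remove the
"Stored network password" for the server) is the client-side half of the
fix; the server-side half is the password change Lanwench and Susan keep
coming back to, which no script on the laptop can do for you. Below is an
added example, not code from the thread, from Microsoft or from SBS, that
audits the current user's stored credentials with cmdkey.exe and, with
-Remove, deletes the ones that target a named server. It assumes cmdkey.exe
is present (Windows XP and later), that it runs in the session of the user
being audited (the credential store is per user), and the server name you
pass in is a placeholder for your own.

```powershell
<#
  Added example (not from the thread, from Microsoft, or from SBS): list the
  "Stored network passwords" of the current user, i.e. the Windows Credential
  Manager entries that cmdkey.exe shows, and with -Remove delete the ones
  that target the named server, so Outlook and mapped drives prompt again.
  Assumptions: cmdkey.exe is available; the script runs as the user whose
  store is being audited; $ServerName is a placeholder for your own server.
  This does NOT change the user's domain password; do that on the server.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName,   # NetBIOS name or FQDN of the server (placeholder)
    [switch]$Remove        # report only unless -Remove is given
)

function Get-StoredCredential {
    # Parse the text output of "cmdkey /list" into objects. Entries look like:
    #     Target: Domain:target=SBSSERVER
    #     Type: Domain Password
    #     User: CORP\jdavey
    $entries = @()
    $current = $null
    foreach ($line in (& cmdkey.exe /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($null -ne $current) { $entries += $current }
            $raw = $Matches[1]
            # Drop the "Domain:target=" / "LegacyGeneric:target=" prefix; what
            # remains is the name that "cmdkey /delete:<name>" expects.
            $name = $raw -replace '^[^=]*target=', ''
            $current = [pscustomobject]@{ RawTarget = $raw; Target = $name; Type = ''; User = '' }
        }
        elseif ($null -ne $current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
    }
    if ($null -ne $current) { $entries += $current }
    return $entries
}

function Test-TargetsServer {
    param([string]$Target, [string]$Server)
    # Reduce "SBSSERVER", "sbsserver.corp.local", "\\SBSSERVER\share",
    # "SBSSERVER/owa" or the RDP form "TERMSRV/SBSSERVER" to the host part and
    # compare it with the server name, short name or FQDN, case-insensitively.
    $t = ($Target -replace '^\\\\', '') -replace '^TERMSRV/', ''
    $hostPart = ($t -split '[\\/]')[0]
    return ($hostPart -ieq $Server) -or ($hostPart -ilike "$Server.*") -or ($Server -ilike "$hostPart.*")
}

$all = @(Get-StoredCredential)
Write-Host ("{0} stored credential(s) found for this user." -f $all.Count)

$hits = @($all | Where-Object { Test-TargetsServer -Target $_.Target -Server $ServerName })
if ($hits.Count -eq 0) {
    Write-Host "None of them target $ServerName."
    return
}
$hits | Format-Table Target, Type, User -AutoSize | Out-Host

if ($Remove) {
    foreach ($h in $hits) {
        # cmdkey takes the bare target name, without the "Domain:target=" prefix.
        & cmdkey.exe "/delete:$($h.Target)" | Out-Null
        Write-Host "Removed stored credential '$($h.Target)' (user $($h.User))."
    }
}
else {
    Write-Host "Re-run with -Remove to delete these entries."
}
```

Run it first without -Remove to see what the laptop has cached for the
server; a "Domain Password" entry with the employee's account is exactly the
"network login" Jonathan found. Removing it only stops the cached logon on
that machine; until the account's password is changed on the server the
same name/password still authenticates from anywhere, which is the point
Susan makes about pass-through authentication above.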