Re: Allowing file share browsing for un-authenticated users
On May 27, 12:35 pm, "jameshanle...@yahoo.co.uk"
<jameshanle...@yahoo.co.uk> wrote:
> On 27 May, 06:00, Nonapept...@gmail.com wrote:
>
> > On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"
> <snip>
> > > I only know Win XP though for file sharing.
>
> > Okay. It seems that if I simply enable the guest account on my Server
> > 2003 machine I am then able to list file shares using an account on a
> > workgroup computer that does not have an identical counterpart on the
> > server. That's a step in the right direction, but not quite what I had
> > in mind.
>
> In Win XP, I would say it sounds like you are set to SFS
>
> > When I look through the server's event logs, it looks like the first
> > access attempt is using the workstation's local username and password.
> > When that is unsuccessful, it immediately retries using "Guest" (this
> > is behaviour that I was heretofore unaware of). That access request is
> > successful when the guest account is enabled.
>
> Where are these logs.. Do they exist in Windows XP?
>
> I have never seen that behaviour. From my Win XP use, it sounds like a
> mixture of AFS and SFS. I think that's impossible.. I have never
> heard of that. Are you sure?
> Is this retry a second later?
>
> I haven't seen the logs though.. would be interested to know where
> they are accessible.
>
> > There are a number of things that puzzle me about this whole thing
> > though. The "Network Access: sharing and security model for local
> > accounts" seems to be irrelevant in this scenario. That policy simply
> > states that in Classic mode if you access the server using a local
> > account then your permissions will be granular; allowing one account
> > the ability to have different permissions than another account. In
> > Guest Only mode, no matter what account you put in, it will map your
> > account to whatever permissions the Guest account has been given. That
> > may or may not included anonymous logins. I haven't figured that out
> > yet. Either way, I have the server in Client mode and enabling the
> > Guest account still allows me to enumerate file shares so that Network
> > Access policy can't be the solution.
>
> you say you "have the server in client mode"? That is absolute
> nonsense. Like saying you have the dart board acting as an arrow.
>
> I think you mean Classic.. As in users authenticate as themselves.
>
> I don't know much about NT file permissions. (they are for multi-user
> environment of potentially malicious users. I don't need to really for
> my own computers at home)
>
> > So now I can allow any workgroup machine\user the ability to use the
> > server's shares, but I have yet to track down the specific policy that
> > grants this to the guest account. I also have yet to figure out if I
> > can select individual folders that the guest account can see and use.
> > That's my ultimate goal.
>
> I mentioned 3 interesting options.
> 2 of them were "Allow...." and "Deny......"
>
> The default is to Allow everyone, and Deny Guest.
> (deny wins..I guess it is processed after)
>
> (so another way of looking at it, is that if you don't deny guest,
> ten Guest is allowed. So there is no policy that allows Guest, it's
> allowed if it is not denied. So in a sense, that is a default setting
> - an unchangeable one. Stupid way of looking at it though. Or maybe
> it's the Allowing everyone, that allows Guest.)
> Default is Deny Guest.
>
> Although I mentioned that in the context of being relevant to SFS. I
> suppose it is relevant to AFS too.
>
> Infact, windows xp machines are set to AFS by default. Guest Account
> disabled. Guest Denied. (judging by my win xp installation from the
> win xp sp2 cd I burned anyway)
>
> > On a related note:
>
> > I've mentioned several times that I wondered how client OSs like XP
> > and Vista share their folders with anyone on the local network by
> > default. That's still unanswered.
>
> Out of interest.. Where did you see the terminology of calling XP a
> client OS?
>
> I know.. I have seen it too.. and it's common. But just wondering
> where you saw it..
> I actually saw that kind of terminology in a book called Networking
> Complete, described windows 98 as a client OS.. Because relative to
> Windows NT(the Network OS), its network features were limited.. e.g.
> just basic password access to network directories. .
>
> I think the default is AFS.
>
> I think
> Win XP only has 2 options . SFS or AFS, and no way of opting out.
> But you can choose not to share any folders.
>
> Certainly, I remember that Guest is disabled and Denied. I guess
> Network Access is - Classic - users authenticate as themselves.
>
> People who want SFS will have a problem if they just check the box.
> They should either run the "Network Setup Wizard". Or after setting
> SFS..
> Check that it does Allow Everyone (it probably is)
> -remove Guest from the deny list -
>
> And check that authentication is as Guest - though it would be if it
> is set to SFS.
> As explained.
>
> > It doesn't seem to be through the
> > guest account, as its disabled and the user rights assignment "Deny
> > access to this computer from the network" includes the Guest account.
> > Yet, anonymous access seems to be unlikely as well since several of
> > the Network Access policies dealing with Anonymous accounts look like
> > they stymie anon access.
>
> What is an anonymous account?
>
> BTW, I think with SFS users ONLY authenticate as Guest.
> So whoever they are. I don't hink it's like , they try to
> authenticate as themselves and if it fails they do so as Guest. They
> just do so as Guest.
>
> Your logs claim otherwise.. be interesting to know where these logs
> are..
>
> and if they are in Win XP. 'cos I have win xp.
>> In Win XP, I would say it sounds like you are set to SFS <<
I think essentially it is. This post explains it rather cogently:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/957006982831
Look for the last message on the list from a user called Bluenote.
It's basiclaly what you told me to do.
>> Where are these logs.. Do they exist in Windows XP? <<
It's just standard event viewer. You can navigate to it in the Admin
Tools folder or open up the run box and type 'eventvwr'. You must
first turn on both "audit account logon events" and "audit logon
events" from the following local policy: Local Computer Policy >>
Computer Configuration >> Windows Settings >> Security Settings >>
Local Policies >> Audit Policy.
Then access network resources on your machine from another machine.
You should see logon/logoff events in the Security log in event
viewer.
>> I have never heard of that. Are you sure? <<
Pretty sure I'm sure.
>> Is this retry a second later? <<
It's not even a second later. It's so quick that it shows both logon
events at the exact same second.
>> you say you "have the server in client mode"? That is absolute
nonsense. Like saying you have the dart board acting as an arrow.
I think you mean Classic.. As in users authenticate as themselves. <<
Yep. Just a typo.
>> Out of interest.. Where did you see the terminology of calling XP a
client OS? <<
It's just a common way of talking about OSs that are not explicitly
designed to handle being dedicated servers. Of course, client machines
can serve things and have software installed on it that in effect
makes the client os a server (IIS on XP comes to mind). It's just a
matter of semantics.
>> What is an anonymous account? <<
An anonymous user or an anonymous access attempt is also known as a
"null session". Googling should bring back ample results. It is an
attempt at accessing a computer or resource with a null username and
no password. As I ponder this situation further, Anonymous access
doesn't seem to be relevant to my situation.
So here's what I think I'll do. If I enable the guest account, I can
enumerate all shares on the server (side note: that baffles me how I
can enumerate file shares on XP of Vista even though the guest account
is disabled... %-| ). However, for the guest account to actually
access anything it needs to be explicitly allowed, so I'll set NTFS
permissions appropriately on the shares that all folks need to get to.
I'd prefer to restrict even the listing of shares to only the ones
that guests can access, but that might be too much to ask.
>> BTW, I think with SFS users ONLY authenticate as Guest.
So whoever they are. I don't hink it's like , they try to
authenticate as themselves and if it fails they do so as Guest. They
just do so as Guest. <<
My understanding of the difference between SFS and AFS is that it
merely obscures or reveals the guts of file sharing to the user who is
attempting to share something. With SFS you only have two options: To
share or not to share, and wether or not to allow people to modify
resources. AFS exposes the three levels of share permissions, all of
the NTFS permission scheme, as well as the ability to apply different
levels of permission to different users and groups. It has nothing to
do with wether or not another user on the network accesses your share
first with a local account and then with a guest account or only with
a guest account. In fact, it couldn't have any effect on that since
the option is only modifying your computer's behaviour and not other
computer's.
This looks like a good article on the topic:
http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_august13.mspx
Thanks for your input. Does anyone else out there have anything to
contribute concerning this whole file sharing thing? I'd love to grasp
Window's concept of permissions and network access better, but fear
I'd lose my mind if I try to trace every loose end back to its
origin. :-/
Thanks