Authentication Question

Thread starter: Ken

I have several servers on the network and they are visible through Network
Neighborhood because NetBIOS is still running. We have found that if you
take a laptop or pc that has never been added to the network or does not
have a network user logged on, the user can access different server shares
without authenticating to the server. Many of the servers do not show the
shares and will bring up a logon box to sign in. What is running on these
few servers? Is it the way the shares are setup? Permissions problem? A
service that is running?
 
Permissions problem. Have you looked to see how the share and NTFS
permissions differ? You've pretty much answered your own question. You
just need to look...
 
Ok let me expand on this a bit more. When looking at the list of servers in
Network Neighborhood when I click on the server I do not want the server to
open up unless the person signs onto the network. Some of the servers open
up and display the shares on the server. The few that do not open instantly
have an Enter Network Password box appear requesting authentication. Any
ideas?
 
Ken,

If the user is logged into his or her local workstation
with the same user name and password as a valid Domain
account, then they will be able to access the server
shares in the manner you describe. Or if a user executes a
logon to his or her workstation using a "cached" domain
account, then they will also be able to access the server
shares in the manner you describe.

This is because whenever a user tries to access a share,
the server will request authentication and by default the
first credentials tried will be the credentials the user
is already logged in under. This type of authentication
uses NTLM or NTLM v2, so perhaps disabling these may solve
your problem..? But be aware that disabling NTLM / NTLMv2
may cause complications with Win9x clients and intra-domain
trust relationships. I am 99% sure that this is
what is happening - local user accounts with the same
username / password as a valid Domain account. Please post
back and let me know.

Opti_mystic
 
What do you mean by access?? Any computer on the network running Client for
Microsoft Networks and has netbios over tcp/ip enabled could be able to see
the shares. To actually open them would require user authentication, guest
access, or null access. Null access is certainly not the norm and requires
a registry mod while guest access can occur if the guest account is enabled
on the server and everyone has permissions to ntfs, share permissions, and
access this computer from the network user right. A user does not need to
logon to the domain at the time they log on to their computer to get access to
domain resources if their local account has a matching account
[logon/password] in the AD domain OR they are using XP Pro with stored user
credentials as passthrough authentication will occur. If you see a computer
name but no user name in sessions or open files, that would indicate null
access. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;289655 --- shows
what registry key to check for null shares.

You can further track down how users are getting access by enabling auditing
of logon events on those servers where users are getting access with no
apparent credentials and also by looking in Computer Manager/shared
folder/sessions to see how the user from a particular computer is being
authenticated - as the user or guest.
 
So if anyone walks in off the street and is not a user on the network,
connects their laptop to the network they will see these non-hidden shares.
What can we do without losing access to all shares to prevent someone like
this from deleting critical files? If group Everyone is on the share with
full control this would cause the problem as this group includes everyone
including non-authenticated users. Does the null session fall into this
category?
From what everyone has said, sounds like I am on the right track. Need to
start on the Shares themselves and verify that Everyone is not being used.
Secondly I would like to find a way to have the "Enter Network Password"
sign on box appear for every server.

I still have a few of these ideas to check out further but I do appreciate
all the input.
 
Yes. If someone can plug into your network, assuming no mac filtering or 802.1x
switch control, they will be able to see shares on your network. That is why a
firewall is so important because if you have file and print sharing enabled on your
external adapter without one, people can view and potentially access your computer by
entering \\xxx.xxx.xxx.xxx your public IP address in their run box - assuming the ISP
is not filtering netbios ports as many now do.

However in a default installation of W2K neither null share access [except IPC$] nor
the guest account are enabled, preventing anyone from gaining access to your shared
folders unless they have credentials to a user account on your computer - logon
name/password even if both share and ntfs permissions include the everyone group. Do
NOT use blank passwords. Share permissions are your first line of defense followed by
ntfs permissions. W2K gives everyone full control access to a newly created share,
which you would want to change to suit your needs. To prevent an unauthorized
computer from gaining network access would require mac filtering or 802.1x switches
while ipsec can be used to secure network resources from computers outside of the
domain, though it will not prevent network browsing. See the links below on
configuring folder access for the network. --- Steve

http://support.microsoft.com/default.aspx?kbid=300691
http://www.microsoft.com/technet/Se...win2khg/05sconfg.mspx#XSLTsection129121120120
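The checks Steve lists across his two replies (Everyone on the share ACL, the null-session registry values, the guest account, the sessions view, and logon auditing) gathered into one script. This is an added example, not something posted in the thread; it assumes an elevated PowerShell session on a current Windows file server with the SmbShare module (Windows 8 / Server 2012 or later, so not the W2K box discussed here, where the same data lives in Computer Management and the registry).

```powershell
# Added example, not from the thread. Assumes elevated PowerShell on a
# Windows 8 / Server 2012 or later file server with the SmbShare module.

# 1. Share permissions: flag non-administrative shares where Everyone is
#    granted Full Control, the default ACL on a newly created W2K share.
function Get-WideOpenShare {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full'
        }
    } | Select-Object Name, AccountName, AccessRight
}

# 2. Null (anonymous) session settings. On Windows 2000 the Everyone group
#    included anonymous logons; from XP/2003 on it does so only when
#    EveryoneIncludesAnonymous is 1, which answers Ken's null-session question.
function Get-NullSessionSetting {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        RestrictNullSessAccess    = $srv.RestrictNullSessAccess
        NullSessionShares         = ($srv.NullSessionShares -join ', ')
    }
}

# 3. Guest account state: guest access to shares only works when it is enabled.
function Get-GuestState {
    Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled
}

# 4. Who is connected and as whom: a session showing a computer name but no
#    user name is the null-access sign Steve describes.
function Get-ShareSession {
    Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens
}

Get-WideOpenShare
Get-NullSessionSetting
Get-GuestState
Get-ShareSession

# 5. Turn on logon auditing so the Security log records how each network
#    access was authenticated (Event ID 4624, Logon Type 3, with the account used).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

On the W2K servers in the thread, the same questions are answered in Computer Management under Shared Folders (share ACLs and Sessions), in regedit at the two keys above, and in Local Security Policy under Audit Policy.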
 
Thanks for the information, extremely helpful and I should be able to put
together a good explanation for someone who knows very little about
networks.
 