Cannot access local shares via the Network window

  • Thread starter: David Dickinson

David Dickinson

Hello,

I am logged in as a sub-administrator (not as the "super" administrator)
into Vista Biz. I've created a folder, "Test" and shared it only with the
Administrators group (of which my login account is a member -- it is NOT a
member of the Users group). (I've turned off the Sharing Wizard and set up
the shares via the Advanced Sharing button).

I can access the folder by its path in Explorer, i.e., D:\Test. I have
full NTFS permissions as a member of the Administrators group.

If I open another Explorer window on this computer and navigate to this
computer under the Network item in the folder tree and try to access the
folder via its share, I receive a "Permission Denied" error.

However, if I go to another machine on this peer-to-peer network and log in
with the same credentials, I can access the share as I expect.

I am confused by this. Is this a bug or another "feature"?
 
David said:
Hello,

I am logged in as a sub-administrator (not as the "super" administrator)
into Vista Biz. I've created a folder, "Test" and shared it only with
the Administrators group (of which my login account is a member -- it is
NOT a member of the Users group). (I've turned off the Sharing Wizard
and set up the shares via the Advanced Sharing button).

I can access the folder by its path in Explorer, i.e., D:\Test. I
have full NTFS permissions as a member of the Administrators group.

If I open another Explorer window on this computer and navigate to this
computer under the Network item in the folder tree and try to access the
folder via its share, I receive a "Permission Denied" error.

However, if I go to another machine on this peer-to-peer network and log
in with the same credentials, I can access the share as I expect.

I am confused by this. Is this a bug or another "feature"?

That's strange.

Do non-admins have read access to the folder?
 
Jimmy Brush said:
That's strange.

Do non-admins have read access to the folder?

Hi, Jimmy,

No. I removed the Everyone group from the share permissions because I want
ONLY the Administrators group to be able to access the folder over the
network. However, the NTFS permissions are the "standard" inherited ones
from the root of the drive, i.e., Authenticated Users, Administrators,
SYSTEM, and Users all have their usual NTFS permissions.
 
David said:
Hi, Jimmy,

No. I removed the Everyone group from the share permissions because I
want ONLY the Administrators group to be able to access the folder over
the network. However, the NTFS permissions are the "standard" inherited
ones from the root of the drive, i.e., Authenticated Users,
Administrators, SYSTEM, and Users all have their usual NTFS permissions.

I have verified this behavior.

This seems to be some sort of security protection feature, most likely
to prevent unelevated programs from bypassing UAC restrictions by
accessing administrative shares/named pipes meant for remote
administration from the local machine.

I am not aware of how Windows is accomplishing this or any way to
disable this, but if I find out anything else I will let you know.

I can say that if you access the share from an elevated app, then the
restrictions disappear.

Unfortunately, you cannot easily (or safely) elevate an explorer window.
 
Jimmy Brush said:
This seems to be some sort of security protection feature, most likely to
prevent unelevated programs from bypassing UAC restrictions by accessing
administrative shares/named pipes meant for remote administration from the
local machine.

Yeah. It's not a big deal (I just got used to being lazy in every older
version of Windows), and may even be a good idea.

I can say that if you access the share from an elevated app, then the
restrictions disappear.

Hmm... sort of defeats the purpose, if it is a security protection feature.

David
 
David said:
Hmm... sort of defeats the purpose, if it is a security protection feature.

Well, if the app is already elevated, it can already do anything it
wants, so there's no point in blocking access at that point.
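
Editor's added example, not part of any post in this thread: under UAC, an unelevated process started by an administrator account carries the BUILTIN\Administrators SID in its token as deny-only, so that SID cannot satisfy an allow entry granted only to Administrators. The PowerShell function below (its name, Get-AdminSidState, is made up for this example) reports which state the current process is in, so the elevated and unelevated cases discussed above can be compared.

```powershell
# Added example, not from the thread. Get-AdminSidState is a hypothetical name.
# Reports how the BUILTIN\Administrators SID (S-1-5-32-544) appears in the
# access token of the process that runs this function.
function Get-AdminSidState {
    $adminSid = 'S-1-5-32-544'
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()

    # WindowsIdentity.Groups returns only enabled group SIDs; a SID that the
    # token marks as "use for deny only" is left out of this collection.
    $enabled = @($identity.Groups |
        Where-Object { $_.Value -eq $adminSid }).Count -gt 0

    # whoami /groups lists every group SID in the token, deny-only ones
    # included. Matching on the quoted SID avoids localized column text.
    $present = @(whoami /groups /fo csv /nh |
        Where-Object { $_ -match ('"' + $adminSid + '"') }).Count -gt 0

    if ($enabled) {
        # Full (elevated) token: the SID can match allow entries.
        'Enabled'
    }
    elseif ($present) {
        # Filtered (unelevated) token: the SID is only honored by deny entries.
        'DenyOnly'
    }
    else {
        # The account is not a member of Administrators at all.
        'NotMember'
    }
}

$state = Get-AdminSidState
"{0}: Administrators SID state is {1}" -f `
    [Security.Principal.WindowsIdentity]::GetCurrent().Name, $state
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" to see the two states for the same account.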
 