help understanding authentication on workgroups

Guest

I've spent a lot of time trying to understand the concept of simple
workgroups (all PCs with XP Pro Service Pack 2, simple file sharing on,
network client services on and print/file sharing on), but none of the
networking internet help sites appear to address some of the issues:

1. Does the computer browser service (administrative tools/services) have to
be started on all but one ("host") of the PCs in the workgroup (I've seen
conflicting recommendations; it doesn't seem to make much difference anyway)?
If so, are there any other special settings required for this "host"? In any
case, should the computer browser be set to "manual" or "automatic"?

2. From reading MS documentation, workgroup authentication is said to be
"local". I understood this to mean that if you can log onto any PC in the
network then you can see all other PCs in the workgroup, plus any files that
they share. However, I generally get a login window with username
"computername\guest" when I try to access PC "computername". When I supply
the password for that guest account on that computer, I get access to that PC
in the workgroup. At the same time one PC on the workgroup has no guest
account (only administrator account) and the other PCs can see it and its
shared files without being forced to go through the login process.

What is going on here with respect to authentication?

Thanks
Greg Nash
 
Chuck

Greg,

The browser provides visibility.

The rule of the browser is simple. If you're going to use browser services,
there must be a browser on the network for each computer to get the browse list
from. If there is just one computer running the browser, then that computer
will be the master browser. If there are two or more computers running the
browser, then those computers have to decide which one will be the master
browser.

If the master browser computer stays online constantly, there will be no
problem. If the master browser ever drops offline, you have the possibility for
problems. If you have more questions after reading my article, I'd appreciate
the feedback.
<http://nitecruzr.blogspot.com/2005/04/nt-browser-or-why-cant-i-always-see.html>

Authentication provides access.

By local authentication, the meaning is that for network access by non-Guest
accounts, you have to use an identical non-Guest account on both the client (the
computer that you're logged in to), and any server (the remote computer that you
need to access). Authentication is required, whether or not you use the browser
(Network Neighborhood), or just do an ad hoc mapping by name or even by IP
address.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html>

Now things get complicated when you set up accounts with or without passwords.
It is possible to set up network access on any account with no password required
(i.e. a blank password). If you're going to use blank passwords, you should do
so consistently, or you may run into problems. Maybe this is part of your problem.

When you refer to the computer that "has no guest account", what specifically do
you mean? Was Guest deleted? Or was Guest disabled for local access? Remember
local and remote access are potentially different for any account.

Do my questions raise any more questions from you? Ask away. Windows browsing
and authentication have many possible problems, and I don't think it's possible
to document all of them.
<http://nitecruzr.blogspot.com/2005/07/windows-networking.html>
 
Guest

Your web site links were great. I'd suggest (if it's not available in a way I
didn't see) that all the forum moderator's links be grouped in a way that
they could be separately searched for info before a question is submitted.
In all my searching I didn't end up seeing the links you provided. Instead,
searching Google, Google groups and the MS Knowledge base provided either
related but not directly useful material, or info that was too detailed to
understand. And a big waste of time.

Based on info in the links you provided on computer browsers, I now have
turned off the computer browser on my laptop (wireless connection), but left
it on on the two desktops (wired connection). I'm surprised that MS can't
figure out a way to make the whole browser process deterministic and stable.

My problem with workgroup authentication is that I'm using a router on my
vacation that has one ethernet port going to a PC in another condo. So I can
see another workgroup (not mine) on the network. I don't want that person to
be able to access any shared folders on my 3 PCs on my workgroup (desktop1,
desktop2, and laptop).

I have all my 3 PCs set up with guest accounts, all with the same password.
This morning I restarted all PCs (all with simple file sharing on) and found
that for any of the PCs to access the other on my workgroup, I had to supply
a password at a login window that had "computername/guest" user ID; however,
there was one exception: desktop1 was able to see laptop's shared folders
without having to go through a login window. I don't understand this. This
makes me wonder if my (unknown) neighbor could actually see any of my 3 PCs'
shared folders w/o going through the login process. That's why I want to
understand how the authentication process works.

I know I can probably use "hidden" folders or get rid of simple file
sharing, but I want to keep things as simple as possible to avoid maintenance
hassles.
 
Malke

Greg said:
Your web site links were great. I'd suggest (if it's not available in
a way I didn't see) that all the forum moderator's links be grouped in
a way that they could be separately searched for info before a
question is submitted.
In all my searching I didn't end up seeing the links you provided.
Instead, searching Google, Google groups and the MS Knowledge base
provided either related but not directly useful material, or info that
was too detailed to understand. And a big waste of time.

(snip)

I'll let the always-excellent Chuck address the other questions you
raised. I just wanted you to know that this isn't a "forum" and there
are no "forum moderators". This is Usenet. Here is an explanation and a
way for you to access these groups more efficiently:

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

About Usenet:
http://en.wikipedia.org/wiki/Usenet
http://groups.google.com/support/bin/static.py?page=basics.html - Basics of Usenet
http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief explanation of newsgroups

Using Outlook Express as Newsreader:
http://michaelstevenstech.com/outlookexpressnewreader.htm
http://rickrogers.org/setupoe.htm

How to Post:
http://www.dts-l.org/goodpost.htm

http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs. crossposting

Malke
 
Chuck

Thanks for your feedback, Greg. I don't think a FAQ for this forum is a real
possibility though. Help here is interactive, and each helper has his / her own
style.

The browser subsystem is deterministic, but more so for domains. Workgroups,
which are peer-peer networks, have to use a self electing process for choosing a
master browser. The election process matrix, shown in the Microsoft article,
link provided, is pretty complex. Unfortunately, with a workgroup, it's still
peer-peer. Vista will be better, but until networks are 100% Vista and up,
there will always be some backwardly compatible mechanism.

So we're stuck with the Windows NT browser for some time.

Now then, on your choice for network security. You state that you have a
network, which you share with another individual, and you don't want that other
person to be able to access your computer. Then you state your intention to
keep Simple File Sharing. These two goals are not compatible.

If you don't trust your neighbor, and you need to share an Internet connection,
you need to buy 2 more routers. Connect 2 new routers to the existing router,
and connect your computers to the LAN on one, and your neighbor's computers to
the LAN on the other.

Greg, if you spent good money for Windows XP Pro, and you persist in using SFS
simply to avoid maintenance hassles, you're throwing your money away. Send it
to me instead. ;)

SFS was designed for networks where everybody trusts everybody else equally.
Instead of putting a password on Guest, disable SFS and set up a non-Guest
account with a password. You'll simply have a non-Guest account on each
computer. Then disable Guest.

The maintenance hassles will be less than what you are likely going thru right
now. Bite the bullet, and secure your network. Disable SFS, and Guest. Use a
non-Guest account between all of your computers.
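
The steps Chuck describes (disable SFS, use a matching non-Guest account, disable Guest), written out as commands. This is an added example, not part of the original thread; it assumes an English-language XP Pro install and an administrator command prompt, and the account name `shareuser` is a placeholder.

```bat
@echo off
rem Added example (not from the thread). Run on EACH PC in the workgroup.
rem SHAREUSER is a placeholder name; use the same name and the same
rem password on every PC so client and server accounts are identical.
set SHAREUSER=shareuser

rem 1. Show the current sharing model.
rem    forceguest = 0x1 : Simple File Sharing, every network logon is
rem                       mapped to the Guest account.
rem    forceguest = 0x0 : classic model, network users authenticate as
rem                       themselves against a local account.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest

rem 2. Switch to the classic model (same effect as clearing
rem    "Use simple file sharing" in Folder Options on XP Pro).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest /t REG_DWORD /d 0 /f

rem 3. Create the non-Guest account. The * makes net.exe prompt for the
rem    password so it is not echoed or stored in this file.
net user %SHAREUSER% * /add

rem 4. Disable Guest so nobody can connect without a named account.
net user Guest /active:no

rem 5. Verify: Guest should report "Account active  No", the registry
rem    value should read 0x0, and "net share" lists what is still
rem    published.
net user Guest | find "Account active"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest
net share
```

After this, a machine on the same wire that does not hold the `shareuser` password gets no access to the shares, whereas under SFS anyone who learned the one Guest password was treated the same as the owner's own PCs.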
 
Guest

Newsgroups are sometimes referred to (loosely) as forums. "Moderator" was a
poor choice though-didn't know what to use I guess. I do use newsreaders for
groups I track closely, but for the many others I occasionally use, but don't
track closely, the internet is easier and works just fine.

Anyway, my point still stands. I wasted a lot of time searching for help;
alternatively, if I had been able to search a more select group of sites
(not a FAQ, but sites like those Chuck pointed me to) associated with this
newsgroup it would have been extremely helpful. I made this point thinking
such a thing might exist and someone could direct me there.

J. Greg Nash
 
Guest

Thanks for the prompt reply. I guess I should have provided more context to
my post, but I always try to avoid "wordy" questions.

My neighbor is just a vacationer like me, for whom the shared router
connection is used in all likelihood to check email etc. So I don't
"distrust" him, I would just prefer that he not be able to see my shared
files. (Even if he was a hacker type smart enough to get into any of the
shared files on the PCs in my workgroup, I don't have any shared files there
that would cause me any problems in this circumstance.) So if it's true that
my workgroup computers are all password protected by "guest authentication",
then this is all the security I need.

You might be right that it's "simple" to disable SFS and proceed as you
suggested. I would like to do all this; however, I'm hardly an advanced
user and I see all the problem posts on this newsgroup plus other similar
stuff on the internet, so I see it as a gamble I don't have to take right
now when I'm pressed for time to do other things. I also move/reconfigure
my PCs quite often, so there would have to be some sort of maintenance cost
there if I didn't use SFS. (I will need the security features of XP Pro in
the future, and then I should have more time to install/maintain them as
well.)


Thanks for your help.

Greg Nash
Centar
 
Chuck

Greg,

You should expect to see problems here. That's why people post here.

Lots of people don't post here. Of course, we don't know how many don't post
here, but it's probably a lot more than do.

And I would bet, judging from what you've written so far, that you're in the top
75% of advanced users here. With computers, the more you learn, the more you
see how much you have yet to learn. That's one of the best payoffs of the MVP
bit - new stuff to learn, constantly. :cool:

Seriously, if you plan your network properly, you should be able to get it set
up OK. I suspect that it will be simpler to disable SFS and set up non-Guest
authentication, than it will for us to figure out the inconsistency in your
current authentication.

But it's your choice, since it's your network. Do you want to spend time
figuring out your current problem? Or follow my advice, and set up your network
in a way that will serve you in the future? Or just leave it as is, and live
with the weirdness?

We'll be here when you decide.
 
Guest

Chuck,

The very fact that I haven't been able to understand or get answers to
questions about the simplest possible network configuration with the simplest
security arrangement possible makes my point. That's a lot of the reason why
I'm reluctant to proceed as you suggest.

Greg Nash
Centar
PS-I'm not alone ;-)

"...I wonder if all the "ease of use" Microsoft has thrown in really helps
networking neophytes get the job done? If I can't figure out how to share
Internet access between two PCs using Windows XP (and I have the resources of
PC Magazine), then how are the rest of the newbies out there faring? "
(http://www.findarticles.com/p/articles/mi_zdpcm/is_200204/ai_ziff26023)
 
Chuck

OK, Greg, let's start over. Maybe I overlooked your questions, in trying to
figure out how to advise you about the limitations of Simple File Sharing.

So ask your questions, and I'll do my best to answer them. Remember I'm not
looking at your network, when you ask.

And Greg, please type your answers after mine - it will benefit both of us.
Help us to help you.
<http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#TopPosting>
 
