Unwanted share access despite security settings

  • Thread starter Thread starter Titus van Houwelingen
  • Start date Start date
T

Titus van Houwelingen

Hello,

I have a share on a W2K Advanced server with active directory.
Permissions on the share are for a group ABC (defined in Active Directory).
NTFS security is full acces for 'everyone'.

A user MrX belongs to group ABC.

Whe MrX log on LOCALLY on a NT4 machine and this local account has the same
username/password he can access the share. I think this shouldn't be
possibble because the group is a domain group. And no explicit access for
MrX has been defined on the share, only the ABC group. Nothing else.

It gets worse: when he uses WinXP professional, and he has a LOCAL account
with the same name but with an EMPTY password, he gets access to the share
when he logs on LOCALLY!

The guest account is disabled.

I must be doing something stupid. Can anyone please tell me what could be
the problem?

Thanks in advance,
Titus
 
Hi,

your first scenario can be explained like this.

User (MrX) has password (MrXpass) on domain. He has same username (MrX) and
password (MrXpass) on his local computer. When he tries to access resource
on domain from his PC, Windows will automatically send his username (MrX)
and password (MrXpass) to domain. Since such user exist and has correct
password, he is granted access. Well in company where I work I am the only
Mike and that is what my username is. If there was another one I guess his
username was Mike1, but I don't think there is much chance that we would
have exactly same password (unless password is password)... :-). If the case
is that two users have same password at the same time then these password
are note secure enough (e.g. not Pass Phrases). I recently did an audit of
450 user accounts for the customer and not 2 passwords were the same...

On XP was network share mapped manually?



Who are other users of group ABC?


I hope this helps,

Mike
 
User credentials do not have to be domain based for access to a domain resource.
Internet hackers are able to access domain resources all the time through no or
poorly configured firewalls without using a domain account and why - they first get a
username, maybe administrator, and then guess/obtain a weak or blank password. I use
my non domain laptop to access my domain shares.

The part about a user gaining access with the same local account name but one has a
password and one doesn't makes no sense. My guess is the share is mapped with
persistent credentials OR he is using XP stored credentials which can be deleted. I
suggest you enable minimum password lengths in your domain and also password
complexity. For the user in question, reset his password in AD Users and Computers
and logon as him on that XP computer with his local account that has a blank password
I would bet you can not access the share anymore - at least as him. I question giving
everyone full control to any folder, even though I don't think that is the issue. You
might consider giving administrators and system full control and your group modify
permissions. -- Steve

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdp_log_vkxx.asp
 
Permissions on the share are for a group ABC (defined in Active Directory).

What permissions?


I believe that if you have given the "Everyone" group full access, it means no user needs to have any connection what-so-ever with the domain or users or what ever. It allows everyone in the entire world to connect to this share and have full access. I also believe this allow 'anonymous' connections, too.

I have always deleted Everyone from almost every share or permissions because of this. Even Authorized Users is not good in some instances.

For shares try this:
Local Admins (which includes Domain Admins) Full
Domain groups - whatever they need

Does this help?


--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

Hello,

I have a share on a W2K Advanced server with active directory.
Permissions on the share are for a group ABC (defined in Active Directory).
NTFS security is full acces for 'everyone'.

A user MrX belongs to group ABC.

Whe MrX log on LOCALLY on a NT4 machine and this local account has the same
username/password he can access the share. I think this shouldn't be
possibble because the group is a domain group. And no explicit access for
MrX has been defined on the share, only the ABC group. Nothing else.

It gets worse: when he uses WinXP professional, and he has a LOCAL account
with the same name but with an EMPTY password, he gets access to the share
when he logs on LOCALLY!

The guest account is disabled.

I must be doing something stupid. Can anyone please tell me what could be
the problem?

Thanks in advance,
Titus
 
Back
Top