Re: default for requiring authentication 2003



Don't forget about the "Allow anonymous enumeration of SAM Accounts and Shares" under the security -> Network Access setting. If this is disabled (or not allowed) then the "everyone" permissions only apply to authenticated users. I have scripts that prep a machine post-image (ghosting) and in doing so must connect to server shares. At my company we have the setting above disabled via GPO on all servers and I must use an encoded vbs to do:
objShell.Run "net use \\server\share password /user:domain\user"
before I can access the share... However, like everyone has said before, by default this setting is not configured so everyone (including non-authenticated users) can access the data. But I must wonder why in the world you'd fire up a server without having this in a default server GPO. Tsk tsk.

P.S.
I encode the vbs files since a password and user are stored in it.

Murda Mcloud wrote:
Thanks to all for the clarification and the links. He sounded so convinced
that I doubted myself.

Kurt wrote:
Your nemesis is thinking of older versions of Windows.

Bwahaha! Moriarty is foiled again...through the deductive powers of the
security focus list...

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Kurt Dillard
Sent: Friday, June 13, 2008 2:39 AM
To: 'Murda Mcloud'; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: default for requiring authentication 2003

Murda,
You are correct, in Windows XP, 2003, and later the Everyone group only
includes Authenticated Users, it no longer includes Anonymous Users. You can
change this but Microsoft strongly recommends against doing so. Your nemesis
is thinking of older versions of Windows.

Kurt

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Murda Mcloud
Sent: Wednesday, June 11, 2008 11:45 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: default for requiring authentication 2003


I'm having a debate with someone over whether a 2003 server by default
(OOB) forces someone to authenticate (whether to a DC or to the server
itself if standalone) before allowing access to files.



He seems to think that the default is that no authentication is required
and consequently anyone could rock up and connect a laptop to a network with
that server on it and get access to files on it, as the EVERYONE group is
given read permissions to new folders etc.



I say he is wrong but am looking hard to find something to back me up.

I understand that the guest account could access files as it is part of
the EVERYONE group but it's disabled by default. But still, there is an
authentication process for guest to login.
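
Added example, not part of the original thread: a PowerShell audit of the registry values behind the "Network access" anonymous policies discussed above, which shows whether a given server is in the state each poster describes. The value names under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the expected values do not appear in the thread and are supplied here; the function name is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): report the LSA registry values that
# back the "Network access" anonymous-access security options.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Expected = value written when the policy is in its restrictive state.
$Checks = @(
    @{ Name     = 'EveryoneIncludesAnonymous'
       Policy   = 'Let Everyone permissions apply to anonymous users'
       Expected = 0 },   # 0 = policy Disabled (Everyone excludes Anonymous)
    @{ Name     = 'RestrictAnonymous'
       Policy   = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Expected = 1 },   # 1 = policy Enabled
    @{ Name     = 'RestrictAnonymousSAM'
       Policy   = 'Do not allow anonymous enumeration of SAM accounts'
       Expected = 1 }    # 1 = policy Enabled
)

# Hypothetical helper name. An absent value is reported as 'NotSet' instead
# of being interpreted, so the reviewer decides what the OS default means.
function Test-AnonymousAccessPolicy {
    param([string]$Path = $LsaPath)

    $lsa = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($c in $Checks) {
        $prop = $lsa.PSObject.Properties[$c.Name]
        if ($prop) {
            $actual = [int]$prop.Value
            $state  = if ($actual -eq $c.Expected) { 'Restrictive' } else { 'Permissive' }
        } else {
            $actual = $null
            $state  = 'NotSet'
        }
        [pscustomobject]@{
            Policy        = "Network access: $($c.Policy)"
            RegistryValue = $c.Name
            Actual        = $actual
            Expected      = $c.Expected
            State         = $state
        }
    }
}

Test-AnonymousAccessPolicy | Format-Table -AutoSize -Wrap
```

Run it locally on the server from an elevated prompt; any row marked Permissive or NotSet is one to compare against the GPO that is supposed to apply.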







