Re: Anonymous (NULL user) access to a Share
From: Paul (anonymous_at_discussions.microsoft.com)
Date: 02/19/04
- In reply to: Steven Umbach: "Re: Anonymous (NULL user) access to a Share"
- Next in thread: Steven L Umbach: "Re: Anonymous (NULL user) access to a Share"
- Reply: Steven L Umbach: "Re: Anonymous (NULL user) access to a Share"
Date: Thu, 19 Feb 2004 11:46:07 -0800
>That seems very odd that you have guest enabled on the W2003 server and now XP can access it but W2K can not.
You call it odd, I call it broken, pOtato, potAto.
I do have another data point, I've tried it (dir \\<windows2003_IPaddress>\Myfolder) from
three different W2K machines, all of them can ping <windows2003_IPaddress>,
all of them are on the same subnet:
Host1 = W2K, build 5.00.2195 SP 3 => WORKS!
Host2 = W2K, build 5.00.2195 SP 4 => WORKS!
Host3 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!
Host4 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!
So it looks like a specific problem with specific W2K machines.
DAMN!
Regardless, my goal is to get it to work with the Guest Account disabled,
and that doesn't work from any machine (W2K or XP).
>Make sure that you logoff of W2K before trying again.
I logged off/on and tried it again, but I got the same result:
Logon failure: unknown user name or bad password.
By the way, that's the error I get from all machines if I disable the Guest Account.
I want to do this without enabling the Guest Account (for security reasons).
So how do you want to attack this?
Do you want to get the W2K machines to work with the Guest Account Enabled first?
Or do you want to skip ahead and try to get all of them to work with the Guest Account Disabled?
Anyway, here is what I see as being the relevant settings in the Group Policy snap-in:
Default Settings:
Accounts: Guest account status - Disabled
Accounts: Limit local account use of blank passwords to console logon only - Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts - Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
Network Access: Let Everyone permissions apply to anonymous user - Disabled
Network Access: Restrict anonymous access to Named Pipes and Shares - Enabled
Network Access: Shares that can be accessed anonymously - COMCFG, DFS$
Network Access: Sharing and security model for local accounts - Classic - local users authenticate as themselves
And here are some of their corresponding registry settings:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1 (DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymoussam=1 (DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous=1 (DWORD)
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\RestrictNullSessAccess=1 (DWORD)
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares=DFS$,etc.
I've tried all sorts of combinations and can't seem to get access to a share without supplying a username and password.
Steve, did you get this to work?
Boy this is frustrating!
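
An added example (not part of the original post and not Microsoft's code): a read-only PowerShell check that reads the registry values named in the message, plus the Guest account state, and flags anything looser than the restrictive defaults the post lists. Assumptions: Windows PowerShell 5.1 or later run on the file server itself, a machine with local accounts (not a domain controller), and `EveryoneIncludesAnonymous = 0` as the registry form of the "Let Everyone permissions apply to anonymous user - Disabled" policy.

```powershell
# Added example: audit the anonymous (null session) access settings from the post.
# Read-only: nothing is written to the registry or to any account.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Expected = the restrictive value matching the default policy list in the post.
$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Expected = 1 }
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }  # assumption, see lead-in
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Expected = 1 }
)

$report = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        # A missing value is reported for review rather than assumed safe.
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize

# NullSessionShares is a multi-string value: every entry is a share that
# accepts a null session even when RestrictNullSessAccess is 1.
$item   = Get-ItemProperty -Path $srv -Name 'NullSessionShares' -ErrorAction SilentlyContinue
$shares = @($item.NullSessionShares | Where-Object { $_ })
if ($shares.Count -eq 0) {
    'NullSessionShares: none listed'
} else {
    "NullSessionShares ($($shares.Count)): $($shares -join ', ')"
}

# The built-in Guest account is matched by its RID (501) so a renamed
# account is still found.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($null -eq $guest) {
    'Guest account: not found'
} elseif ($guest.Enabled) {
    "Guest account '$($guest.Name)': ENABLED (REVIEW)"
} else {
    "Guest account '$($guest.Name)': disabled (OK)"
}
```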