Re: Service running as Local system account Unable to map drive on
- From: "systematic_peter" <systematicpeter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Dec 2005 05:32:02 -0800
Hi Joe and Phillip

Thanks for the information and input.

To answer your initial question Joe: Yes, I have made sure that the computer
account has full permissions on both the share and the file system itself.
But to no avail, as I still have not been able to access the share.

You mention that Kerberos auth is used when computer accounts are used to
grant permissions. Can it be some setting in there that I need to tweak or
something (I have left the settings at their default values)?

Another thing which puzzles me is that I have noticed the following in the
Security Eventlog:
There are no errors in the Eventlog (on either of the machines), but the
failed attempt to access the share results in an entry saying that the User
Anonymous Logon has been granted "SeChangeNotifyPrivilege" (and only that
privilege).

I have made sure that the security setting "Additional restrictions for
anonymous connections" is set to "None, rely on default", but was wondering
whether there could be other settings which need to be changed?

By the way, I have modified the code in my app to use the LogonUser() and
ImpersonateLoggedOnUser() functions to run as another user with success (been
able to create files in the share), so the error is not in some other part
of the code. But this solution is not my first choice, so I would prefer to
get the other method working.

Thanks for all your help, and have a happy New Year all.

Kind regards/ Venlig hilsen
Peter Langhoff Feddersen
System Engineer, MCSD
Systematic Software Engineering A/S
Web: www.systematic.dk
"Joe Richards [MVP]" wrote:
> The most common use I have deployed them for in companies is for software
> installation shares for apps that aren't security critical and it doesn't matter
> who sees the installation packages.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Phillip Windell wrote:
> > "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
> > news:uK8aEF1CGHA.2644@xxxxxxxxxxxxxxxxxxxxxxx
> >> If Kerberos auth is being used, you simply grant rights for the computer account
> >> from AD on the share and the file system. The security concern is that ANYTHING
> >> running as localsystem on the specific computer will have access to the share.
> >
> > Ok, that makes sense.
> >
> >> For anonymous access you enable the null session share and set the ACL on the
> >
> > This is the first time I have seen the term "null session share",...I've
> > never heard of it.
> >
>