Re: Local System Account & Network Access



When you see a $ after the username, that means it is a computer account, so
apparently the computer account was able to authenticate and have access to
the share. You said that the share has only read for the domain users group,
which I believe would not normally contain domain computer accounts. I would
double check the membership of the domain users group, check the membership
of the computer account, which you can do with the support tool gpresult, and
double check the share permissions to make sure it does not include users,
everyone, authenticated users, or any other group the computer is a member
of. As a test I would also try changing the share permissions to be a
specific domain user account or change the permissions to deny for domain
users to see what happens. --- Steve


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:794D0F1E-0713-4317-9820-B4797C0043AD@xxxxxxxxxxxxxxxx
Thanks Steve, I enabled detailed logging on the server and redid the
exercise; these are the only two entries from the event log:

User Logoff:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3

and


Successful Network Logon:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Looks like it's connecting with some kind of 'system' computer account?

Just some background - I'm developing the service and the GUI that sends the
commands to it. This seems to be more of a security issue than a development
issue which is why I posted it here.
It's a real worry when programs work better than they are not supposed to :-)


"Steven L Umbach" wrote:

Offhand I don't know exactly what is going on, but what I would do is to
check the security log on the server that has the administrator share to see
the type 3 logon event generated when access is allowed to the share and the
user name. The events in the log are time stamped so it should be easy to
find. The info in the link below may also be helpful if you have not seen it
yet on planning security for service accounts. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/sspgch03.mspx
-- The Services and Service Accounts Security Planning Guide


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:578755CB-FC31-4512-91D7-B8379710C22E@xxxxxxxxxxxxxxxx
Hi,

I have a custom-developed Windows service running on XP - very simple, it
accepts commands via TCP/IP and executes them on the PC on which it is
installed.

The service gets installed with 'Local System' account credentials, which by
all accounts does not have access to network resources. I am, however, able
to send commands to the service instructing it to install software packages
which reside on a network share (shared read-only for domain users) and it
works just fine.

I am concerned because all the documentation I have read indicates that this
should not be possible. Are there any special circumstances where the System
account can access UNC share paths?
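
An added example, not part of the original thread: a Python sketch of the log check described in the replies above. It parses security-log entries in the text layout quoted in the thread and picks out network logons (Logon Type 3) whose user name ends in `$`, i.e. computer accounts. The sample records are constructed (two follow the thread's entries, the `jsmith` record is invented for contrast), and the function names are assumptions.

```python
import re

# Constructed sample: the PCNAME$ records follow the layout quoted in the
# thread; the jsmith record is invented so the filter has something to skip.
SAMPLE_LOG = """\
Successful Network Logon:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Successful Network Logon:
User Name: jsmith
Domain: MYDOMAIN
Logon ID: (0x0,0xBB102)
Logon Type: 3

User Logoff:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3
"""

def parse_events(text):
    """Split blank-line-separated records into dicts; line one is the title."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        event = {"Event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # split on the first colon only
            event[key.strip()] = value.strip()
        events.append(event)
    return events

def machine_network_logons(events):
    """Network logons (type 3) made by computer accounts (name ends in $)."""
    return [e for e in events
            if e["Event"] == "Successful Network Logon"
            and e.get("Logon Type") == "3"
            and e.get("User Name", "").endswith("$")]

if __name__ == "__main__":
    for e in machine_network_logons(parse_events(SAMPLE_LOG)):
        print(f'{e["Domain"]}\\{e["User Name"]} logon id {e["Logon ID"]}')
```

A hit for `PCNAME$` is the cue to review which groups on the share's permissions include the computer account, as suggested in the reply at the top of the thread.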




