Re: Default Shares on Member Servers



Are you by chance using an account (i.e. logging into the test-from
standalone machine with an account) that matches in name and
password an admin account on the target member to which you
are allowed non-promted access ?
And, if the above is not the case, I just want to confirm that you
see this if the test to the member is the first thing done after logging
into the test-from machine after it has been freshly rebooted (here
I am trying to rule out any persistence of other credentials).
If both yield no behavior explanation/differences then we may be
in a real mystery to explain.

Roger
"JB" <me@xxxxxx> wrote in message
news:%231GXkpS8GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
On the client, there are no persistent shares, and no stored credentials.

On the member servers, the local Administrators group contains
Domain\Domain Admins and the domain Administrator account.

I've checked the Domain Admins group, that contains only the Domain
Administrator account.

Thanks.

--
Gavin.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23vH13Hl7GHA.4708@xxxxxxxxxxxxxxxxxxxxxxx
Well, something is really toasty here.

If the C$, etc. are indeed the administrative shares, then the
access should be allowed for Administrators only.

A couple things to examine:
1. what is the membership in the Administrators group of the
member that does not require authN ?
2. when you try to look in through the Permissions button for
a drive root's share (in its properties, sharing tab) are you
shown "This has been shared for administrative ... "
(one can shut off admin shares, and then define a C$ that is
permissioned other than expected)

The Logon on over the network user right only determines
what accounts can try to access shares, but the permissions
on each share still determines which of those allowed to try
accounts will succeed.

Also, on the machine from which you are testing that allows
unauthenticated access, make sure that you try this after a
fresh login, that there are no persistent shares, and that running
control keymgr.dll
does not show that there are cached network credentials to use
when accessing the member.

Let's start there, and after the more simple possibilities are ruled
out, then post back.

Roger

"JB" <me@xxxxxx> wrote in message
news:eKyXg.23231$pa.20155@xxxxxxxxxxxxxxxxxxxxxxx
I'm trying to secure access to our servers. We have 2 domain
controllers, 1 windows 2000, the other windows 2003 and 3 member
servers, all running windows 2003.

From a computer that is not a member of the domain, attempting to access
an administrative share on a DC, we are presented with a prompt for a
username and password.

The same computer connecting to an administrative share on a member
server, there is no prompt and the access is allowed.

Our AV software uses administrative shares to update so I can't simply
disable them.

I assumed this had something to do with the 'Access this computer from
the network' policy but this appears not to be the case; The 'Everyone'
group is assigned this permission on the DC's and authentication is
required for those servers.

How can I prevent unauthenticated access to these member server shares,
or even better, only permit Administrators access to the shares?

Do i need to manually create the shares with custom security?

Thanks.

--
JB







.



Relevant Pages

  • Re: Error 4957 trying to install SMS_MP_Control_Manager
    ... Running in standard security and the smsservice account is a member of the ... which is of course a member of the Administrators ... Administrators group, I think because we modified the schema for the AD ... This is an SMS 2003 single ...
    (microsoft.public.sms.admin)
  • Re: Help with User Groups (XP Pro)
    ... the Administrators, Power Users, Users groups. ... likely see the account you changed in the groups you expect. ... Then Removed the Administrators. ... > Welcome sign on it shows that the User is a member of an unknown group. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Default Shares on Member Servers
    ... It turns out the password for the local admin account on the member server ... the local Administrators group contains ...
    (microsoft.public.windows.server.security)
  • Re: Administrators Account cannot install updates and programs (Administrator can)
    ... his account is member of Administrators (alsway been, ... his account is also member of groups with Deny settings. ... You can use Local Security Policy to see the user ...
    (microsoft.public.win2000.security)
  • Re: Default Shares on Member Servers
    ... On the client, there are no persistent shares, and no stored credentials. ... On the member servers, the local Administrators group contains Domain\Domain ...
    (microsoft.public.windows.server.security)