Re: Default Shares on Member Servers

It turns out the password for the local admin account on the member server
and the client were, incorrectly, the same. Auditing showed the local admin
account being used for access.

Many thanks for all you help.

--

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23pqhAZe8GHA.1496@xxxxxxxxxxxxxxxxxxxxxxx
Onr motr thing.
You should check that login success/failure event logging is enabled
on the member and then check to see what credentials are being used
when you connect (without prompting) to admin share on it.

Roger

"JB" <me@xxxxxx> wrote in message
news:%231GXkpS8GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
On the client, there are no persistent shares, and no stored credentials.

On the member servers, the local Administrators group contains
Domain\Domain Admins and the domain Administrator account.

I've checked the Domain Admins group, that contains only the Domain
Administrator account.

Thanks.

--
Gavin.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23vH13Hl7GHA.4708@xxxxxxxxxxxxxxxxxxxxxxx
Well, something is really toasty here.

If the C$, etc. are indeed the administrative shares, then the
access should be allowed for Administrators only.

A couple things to examine:
1. what is the membership in the Administrators group of the
member that does not require authN ?
2. when you try to look in through the Permissions button for
a drive root's share (in its properties, sharing tab) are you
shown "This has been shared for administrative ... "
(one can shut off admin shares, and then define a C$ that is
permissioned other than expected)

The Logon on over the network user right only determines
what accounts can try to access shares, but the permissions
on each share still determines which of those allowed to try
accounts will succeed.

Also, on the machine from which you are testing that allows
unauthenticated access, make sure that you try this after a
fresh login, that there are no persistent shares, and that running
control keymgr.dll
does not show that there are cached network credentials to use
when accessing the member.

Let's start there, and after the more simple possibilities are ruled
out, then post back.

Roger

"JB" <me@xxxxxx> wrote in message
news:eKyXg.23231$pa.20155@xxxxxxxxxxxxxxxxxxxxxxx
I'm trying to secure access to our servers. We have 2 domain
controllers, 1 windows 2000, the other windows 2003 and 3 member
servers, all running windows 2003.

From a computer that is not a member of the domain, attempting to
access an administrative share on a DC, we are presented with a prompt
for a username and password.

The same computer connecting to an administrative share on a member
server, there is no prompt and the access is allowed.

Our AV software uses administrative shares to update so I can't simply
disable them.

I assumed this had something to do with the 'Access this computer from
the network' policy but this appears not to be the case; The 'Everyone'
group is assigned this permission on the DC's and authentication is
required for those servers.

How can I prevent unauthenticated access to these member server shares,
or even better, only permit Administrators access to the shares?

Do i need to manually create the shares with custom security?

Thanks.

--
JB









.