Re: How to deny access to domain shares from a workgroup computer

Hello Paul Baker [MVP, Windows Desktop Experience],

I have never seen this before. Will do some tests when I am back in my office next week. Which kind of authentication format is used in the domain, Kerberos, or is Kerberos completely disabled and NTLM is used? If NTLM, which version?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


I have not seen any documentation of this, but what I have observed is
that if I create a local account on a machine not connected to the
domain but on the same LAN and I synchronize the user name and
password with a domain account, I am granted the same access as that
domain account.

On Windows XP, it is not automatic. The way this manifests itself in
Windows Explorer, for example, is that there is an authentication
prompt the first time you connect to the share, even if you are logged
in with the synchronized credentials. You simply provide the same
credentials again to proceed.

On Windows 98, it seems to be automatic. You log on to Windows with
synchronized credentials (of course Windows 9x will let you log on
with whatever credentials you wish) and you can proceed without any
further prompts.

It would seem to be some sort of backwards compatibility hack that I
would think is thrown into question in the current security landscape.

I asked the same thing in a slightly different way a while ago and
no one was able to answer my question. If you doubt this, we could try
to reproduce it with current OSes under controlled conditions. I
suppose it's always possible that swb, myself and our IT manager are
having a mass hallucination. Or that it was fixed relatively recently.
It would be nice to see Microsoft documentation of this.

Paul

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662b34f8cbddc281f6f986@xxxxxxxxxxxxxxxxxxxxxxx

Hello swb,

A local user account on a workgroup computer not belonging to a
domain can have access to a domain share when the share/NTFS
permissions on the domain will allow this, for example both are set
to Everyone Full control. Everyone group doesn't have the need for a
domain SID, it's really everyone.

A locally configured username on the workgroup computer will not sync a
password with a domain user account even if it has the same name; there
is no sync running. I don't know where you read/found this explanation,
or maybe I understand you wrong.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
(I posted a version of the question to the Small Business Server
newsgroup - no response - I hope that doesn't violate a posting rule.)

Can anyone explain why a local account on a workgroup computer has
access to domain shares (sbs2008) if the local username and password
are synchronized with a domain username and password ?

The local workgroup account is allowed the same access as specified
by NTFS file permissions assigned to the domain account of the same
username/password.

I thought the ACL on NTFS file shares on a Domain Controller required
the user's access token to include a domain SID for the user.

This seems to be true on all Microsoft networks . . . I audit
banks. They give me a domain admin account for my visit. When I
create a matching account username/password on my notebook, I have
access to all shares on the Microsoft network, only using the domain
account they created for me for terminal service logins.

Is there a Security Option to disable access to domain shares
using a synchronized local account on a workgroup computer?

Bigger Picture: What is all the Kerberos Trust path stuff about, if
access to shares only requires a synched username/password from any
workgroup ?
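The thread never settles which security option, if any, blocks this, but what a defender can do today is see it happening: a logon of this kind reaches the domain controller as a network logon authenticated with NTLM, and the workstation name the client supplies is not a domain member. The script below is an added example, not part of the thread and not Microsoft code. It mirrors the field names of Security event 4624 (EventID, LogonType, AuthenticationPackageName, LmPackageName, TargetUserName, WorkstationName, IpAddress), runs over a handful of constructed sample records, and assumes a list of domain-joined computer names is available from Active Directory (for instance the names returned by Get-ADComputer). The LmPackageName field also answers Meinolf's "which NTLM version" question per logon.

```python
"""Added example (not from the thread): flag NTLM network logons to a domain
controller that originate from hosts that are not domain members.

The record layout mirrors the fields of Windows Security event 4624. The
sample lines below are constructed for this example, not real log data, and
the domain-computer inventory is assumed to come from Active Directory
(e.g. the names returned by Get-ADComputer)."""

# Constructed sample: one event per line, key=value fields separated by '|'.
SAMPLE_LOG = """\
EventID=4624|LogonType=3|AuthenticationPackageName=Kerberos|TargetUserName=jsmith|TargetDomainName=CORP|WorkstationName=WS01|IpAddress=10.0.0.21
EventID=4624|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V2|TargetUserName=auditadmin|TargetDomainName=CORP|WorkstationName=AUDITOR-LAPTOP|IpAddress=10.0.0.150
EventID=4624|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V2|TargetUserName=svc_backup|TargetDomainName=CORP|WorkstationName=FS01|IpAddress=10.0.0.30
EventID=4624|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V1|TargetUserName=administrator|TargetDomainName=CORP|WorkstationName=|IpAddress=10.0.0.200
EventID=4624|LogonType=2|AuthenticationPackageName=NTLM|TargetUserName=localonly|TargetDomainName=DC01|WorkstationName=DC01|IpAddress=127.0.0.1
EventID=4625|LogonType=3|AuthenticationPackageName=NTLM|TargetUserName=guest|TargetDomainName=CORP|WorkstationName=ROGUE-PC|IpAddress=10.0.0.77
"""

# Assumed inventory of domain-joined computers (would come from AD in practice).
DOMAIN_COMPUTERS = {"WS01", "FS01", "DC01"}


def parse_events(text):
    """Parse key=value|key=value lines into dicts; EventID/LogonType become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        for key in ("EventID", "LogonType"):
            if key in fields:
                fields[key] = int(fields[key])
        events.append(fields)
    return events


def flag_ntlm_from_unjoined_hosts(events, domain_computers):
    """Return successful NTLM network logons (4624, LogonType 3) whose
    WorkstationName is blank or not a known domain member.

    WorkstationName is whatever the client put in its NTLM AUTHENTICATE
    message, so a blank or unknown value counts as a hit; IpAddress is
    kept on the record for correlation with DHCP or switch logs."""
    known = {name.upper() for name in domain_computers}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        workstation = ev.get("WorkstationName", "").strip().upper()
        if workstation == "" or workstation not in known:
            hits.append(ev)
    return hits


def summarize(hits):
    """Compact (user, workstation, ip, lm_package) tuples for a report."""
    return [(h["TargetUserName"], h.get("WorkstationName", ""),
             h.get("IpAddress", ""), h.get("LmPackageName", ""))
            for h in hits]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for row in summarize(flag_ntlm_from_unjoined_hosts(events, DOMAIN_COMPUTERS)):
        print("NTLM network logon from non-domain host:", row)
```

On the sample data the Kerberos logon, the NTLM logon from the domain member FS01, the interactive (type 2) logon and the failed 4625 are all left alone; the two hits are the NTLM V2 logon from AUDITOR-LAPTOP (the auditor's notebook scenario from the question) and an NTLM V1 logon with an empty workstation name. Exporting the real 4624 events from the domain controller into this layout is the only part left to the reader.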
