Re: How to deny access to domain shares from a workgroup computer



I'm afraid I don't know which authentication protocol it is using, nor do I
know much about how to find out. Besides, it would be the historical
information you need, which is even harder to get. Unless I repeat the
tests, which I do not have time to do.

A couple of things I do *not* recall clearly are:
- Whether the behaviour really was any different depending on whether or not
the "synchronized" account was added. Maybe it allows it even without that
account. But then there is some kind of trust between the domain and a
non-joined computer, which seems wrong.
- Whether it makes a difference using the DOMAIN\ prefix when attempting to
gain access and prompted in Windows Explorer. It was Windows XP I used, so
it doesn't have the nice helpful text Vista has explaining what domain it
will be using. It is possible I was really using the domain account but then
again, the domain is trusting a non-joined computer.

So, yes, I think it best that an expert such as yourself repeat some tests
with the knowledge that you have, and that I do not, to guide you.

Paul

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662b3cf8cbde000b3e0611@xxxxxxxxxxxxxxxxxxxxxxx
Hello Paul Baker [MVP, Windows Desktop Experience],

I have never seen this before. Will do some tests when I am back in my
office next week. Which kind of authentication format is used in the
domain, Kerberos, or is Kerberos completely disabled and NTLM is used? If
NTLM, which version?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

I have not seen any documentation of this, but what I have observed is
that if I create a local account on a machine not connected to the
domain but on the same LAN and I synchronize the user name and
password with a domain account, I am granted the same access as that
domain account.

On Windows XP, it is not automatic. The way this manifests itself in
Windows Explorer, for example, is that there is an authentication
prompt the first time you connect to the share, even if you are logged
in with the synchronized credentials. You simply provide the same
credentials again to proceed.

On Windows 98, it seems to be automatic. You log on to Windows with
synchronized credentials (of course Windows 9x will let you log on
with whatever credentials you wish) and you can proceed without any
further prompts.

It would seem to be some sort of backwards compatibility hack that I
would think is thrown into question in the current security landscape.

I asked the same thing in a slightly different way a while ago and
no one was able to answer my question. If you doubt this, we could try
to reproduce it with current OSes under controlled conditions. I
suppose it's always possible that swb, myself and our IT manager are
having a mass hallucination. Or that it was fixed relatively recently.
It would be nice to see Microsoft documentation of this.

Paul

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662b34f8cbddc281f6f986@xxxxxxxxxxxxxxxxxxxxxxx

Hello swb,

A local user account on a workgroup computer not belonging to a
domain can have access to a domain share when the share/NTFS
permissions on the domain will allow this, for example both are set
to Everyone Full control. The Everyone group doesn't need a
domain SID; it's really everyone.

A locally configured username on the workgroup computer will not sync its
password with a domain user account even if it has the same name; there
is no sync running. I don't know where you read/found this explanation,
or maybe I understand you wrong.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

(I posted a version of the question in the Small Business Server
newsgroup - no response - I hope that doesn't violate a posting rule.)

Can anyone explain why a local account on a workgroup computer has
access to domain shares (sbs2008) if the local username and password
are synchronized with a domain username and password?

The local workgroup account is allowed the same access as specified
by NTFS file permissions assigned to the domain account of the same
username/password.

I thought the ACL on NTFS file shares on a Domain Controller required
the user's access token to include a domain SID for the user.

This seems to be true on all Microsoft networks... I audit
banks. They give me a domain admin account for my visit. When I
create a matching account username/password on my notebook, I have
access to all shares on the Microsoft network, only using the domain
account they created for me for terminal service logins.

Is there a Security Option to disable access to domain shares
using a synchronized local account on a workgroup computer?

Bigger Picture: What is all the Kerberos Trust path stuff about, if
access to shares only requires a synched username/password from any
workgroup?
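One way a defender can look for the pattern swb describes on the domain controller side, as an added example that is not from this thread, from Microsoft, or from any of the posters: a small Python script that scans records shaped like Windows Security event 4624 and flags NTLM network logons to a domain account that come from a workstation not in the domain's computer inventory. The field names (LogonType, AuthenticationPackageName, WorkstationName, TargetDomainName, TargetUserName) are the real 4624 fields; the domain name, the computer inventory and the log lines themselves are constructed for the example.

```python
"""Flag NTLM network logons to domain accounts from non-domain workstations.

Added example for the newsgroup thread; not code from Microsoft or the
posters. Records imitate the fields of Windows Security event 4624 as
one-line 'key=value' pairs. The domain name, the computer inventory and
the sample lines are constructed, not taken from a real log.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

DOMAIN_NAME = "CORP"  # assumption: the domain's NetBIOS name
# Assumption: computer account names exported from Active Directory.
DOMAIN_COMPUTERS: Set[str] = {"SBS-DC01", "WS-FINANCE1", "WS-FINANCE2"}

# Constructed sample log, one 4624-style record per line.
SAMPLE_LOG: List[str] = [
    # Kerberos logon from a domain member: normal.
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos "
    "WorkstationName=WS-FINANCE1 TargetDomainName=CORP TargetUserName=alice",
    # NTLM logon from a known domain member (e.g. share opened by IP): normal.
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM "
    "WorkstationName=WS-FINANCE2 TargetDomainName=CORP TargetUserName=bob",
    # The case the thread describes: a workgroup notebook with a matching
    # local username/password reaches a domain share, and the DC records an
    # NTLM network logon for the *domain* account from an unknown workstation.
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM "
    "WorkstationName=AUDIT-NOTEBOOK TargetDomainName=CORP TargetUserName=auditadmin",
    # Interactive logon to the notebook's own local account: not a domain logon.
    "EventID=4624 LogonType=2 AuthenticationPackageName=NTLM "
    "WorkstationName=AUDIT-NOTEBOOK TargetDomainName=AUDIT-NOTEBOOK TargetUserName=auditadmin",
    # A logoff record (4634) carries no authentication package; ignored.
    "EventID=4634 LogonType=3 "
    "WorkstationName=WS-FINANCE1 TargetDomainName=CORP TargetUserName=alice",
]


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str
    workstation: str
    target_domain: str
    target_user: str


def parse_event(line: str) -> LogonEvent:
    """Parse one 'key=value ...' record; missing fields default to '-'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        event_id=int(fields.get("EventID", "0")),
        logon_type=int(fields.get("LogonType", "0")),
        auth_package=fields.get("AuthenticationPackageName", "-"),
        workstation=fields.get("WorkstationName", "-"),
        target_domain=fields.get("TargetDomainName", "-"),
        target_user=fields.get("TargetUserName", "-"),
    )


def is_suspicious(ev: LogonEvent, domain_computers: Set[str], domain_name: str) -> bool:
    """Network logon (type 3) to a domain account via NTLM from a workstation
    that is not a known domain member. WorkstationName is supplied by the
    client during the NTLM exchange, so treat a hit as a lead, not proof."""
    known = {c.upper() for c in domain_computers}
    return (
        ev.event_id == 4624
        and ev.logon_type == 3
        and ev.auth_package.upper() == "NTLM"
        and ev.target_domain.upper() == domain_name.upper()
        and ev.workstation.upper() not in known
    )


def find_suspicious(lines: Iterable[str],
                    domain_computers: Set[str] = DOMAIN_COMPUTERS,
                    domain_name: str = DOMAIN_NAME) -> List[LogonEvent]:
    """Return the records that match the workgroup-to-domain-share pattern."""
    return [ev for ev in map(parse_event, lines)
            if is_suspicious(ev, domain_computers, domain_name)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"NTLM logon to {hit.target_domain}\\{hit.target_user} "
              f"from non-domain workstation {hit.workstation}")
```

The comparison against the computer inventory is what does the work: NTLM network logons from domain members are routine (for example when a share is opened by IP address), so the authentication package alone is not a signal. Only the combination of NTLM, a domain target account and an unknown client name singles out the behaviour the thread is asking about.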
