Allowing file share browsing for un-authenticated users


Guest Nonapeptide@gmail.com
Posted

I have a Windows Server 2003 file server in a workgroup environment

that needs to allow anyone who plugs into the network to browse its

file shares without being prompted for a username and password.

Ideally it would behave just like a Windows XP machine that has a file

share. A simple UNC path like this: \\ServerName\ should reply with

the available file shares to anyone who asks.

 

What is the option to get this behaviour? I can't seem to find the

local policy to get this to work.

 

Thanks bunches,

Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On 27 May, 00:25, Nonapept...@gmail.com wrote:

> I have a Windows Server 2003 file server in a workgroup environment

> that needs to allow anyone who plugs into the network to browse its

> file shares without being prompted for a username and password.

> Ideally it would behave just like a Windows XP machine that has a file

> share. A simple UNC path like this: \\ServerName\ should reply with

> the available file shares to anyone who asks.

>

> What is the option to get this behaviour? I can't seem to find the

> local policy to get this to work.

>

> Thanks bunches,

 

In Win XP, there are 3 crucial options with file sharing.

Within ctrl panel..administrative tools....Local Security

Settings...Local policies

2 interesting options are in one subcategory, 1 is in the other.

 

 

Whether you check or uncheck SFS.. i.e. choose SFS or AFS.

It changes an option here.. And vice versa.

The place where the option is is

Local Security Settings...local policies...Security Options

Now see there are a bunch of items called "Network Access........."

The last one is "Sharing and security model for local accounts"

 

If you change that to Guest. then it does SFS.

If you change it to Authenticate as themselves, then it does AFS.

 

And vice versa.

 

Now.. regarding SFS

It does require the Guest account to be enabled,

And the other 2 interesting options are very important

"User rights assignments"

Allow - Everyone

Deny - <-- remove Guest from that list if it is there.

 

If you do those things, then any user can access. Because they

authenticate as Guest, and Guest can access.

 

I haven't used AFS as much, but

 

In Win XP..

if using AFS

and I mentioned how to set that option.. Your post suggests that

perhaps that classic tools..folder options..view..SFS/AFS option is

hard to find. So you can set AFS with that other option too. From

Local Security Settings.

Maybe it is in windows server too.

 

I think with AFS, users authenticate as themselves, and if that fails,

then it prompts them for a username/password. The username/password on

the remote machine.. (perhaps any user/pass on the remote machine)

 

So, if the account you are currently logged on as, exists on the

remote machine, then it will log in without a prompt.. i.e. identical

user account.

I don't know if it requires identical username, full name, and

password. Or just identical username and password.

Guest Nonapeptide@gmail.com
Posted

Re: Allowing file share browsing for un-authenticated users

 

Thanks for the prompt reply, James!

 

Your pointer to the Local Policies >> Security Settings node in local

security policy opened up some new possibilities for me.

 

Let me restate my goal. What I really need is to create a public

folder or two on the file server (much like the public folder on XP or

Vista). That way anyone can access files in those folders without

being prompted for username and password. Other shares can, and

probably should stay access restricted.

 

At first I thought "Network access: Named pipes that can be accessed

anonymously" and "Network access: Shares that can be accessed

anonymously" would be the way to go, but after messing with it I now

think otherwise. When a Windows client tries to access shares on

another computer in a workgroup, it seems to send the credentials of

the local machine and user, so in effect it's not trying to access it

anonymously. Unless I'm missing something, anonymous shares are not the

way to go. Neither is allowing the ANONYMOUS_LOGON access to the share

because again the logon attempt isn't really anonymous. Argh.

 

What befuddles me is that this behaviour is default in XP and Vista.

If you share something, everyone can access it on the network without

username and password. I've just taken that behaviour for granted. I

can't help but thinking to myself that this should be a lot simpler

than I'm making it.

 

I know I'm missing something obvious. Back to Googling...

 

jameshanley39@yahoo.co.uk wrote:

> On 27 May, 00:25, Nonapept...@gmail.com wrote:

> > I have a Windows Server 2003 file server in a workgroup environment

> > that needs to allow anyone who plugs into the network to browse its

> > file shares without being prompted for a username and password.

> > Ideally it would behave just like a Windows XP machine that has a file

> > share. A simple UNC path like this: \\ServerName\ should reply with

> > the available file shares to anyone who asks.

> >

> > What is the option to get this behaviour? I can't seem to find the

> > local policy to get this to work.

> >

> > Thanks bunches,

>

> In Win XP, there are 3 crucial options with file sharing.

> Within ctrl panel..administrative tools....Local Security

> Settings...Local policies

> 2 interesting options are in one subcategory, 1 is in the other.

>

>

> Whether you check or uncheck SFS.. i.e. choose SFS or AFS.

> It changes an option here.. And vice versa.

> The place where the option is is

> Local Security Settings...local policies...Security Options

> Now see there are a bunch of items called "Network Access........."

> The last one is "Sharing and security model for local accounts"

>

> If you change that to Guest. then it does SFS.

> If you change it to Authenticate as themselves, then it does AFS.

>

> And vice versa.

>

> Now.. regarding SFS

> It does require the Guest account to be enabled,

> And the other 2 interesting options are very important

> "User rights assignments"

> Allow - Everyone

> Deny - <-- remove Guest from that list if it is there.

>

> If you do those things, then any user can access. Because they

> authenticate as Guest, and Guest can access.

>

> I haven't used AFS as much, but

>

> In Win XP..

> if using AFS

> and I mentioned how to set that option.. Your post suggests that

> perhaps that classic tools..folder options..view..SFS/AFS option is

> hard to find. So you can set AFS with that other option too. From

> Local Security Settings.

> Maybe it is in windows server too.

>

> I think with AFS, users authenticate as themselves, and if that fails,

> then it prompts them for a username/password. The username/password on

> the remote machine.. (perhaps any user/pass on the remote machine)

>

> So, if the account you are currently logged on as, exists on the

> remote machine, then it will log in without a prompt.. i.e. identical

> user account.

> I don't know if it requires identical username, full name, and

> password. Or just identical username and password.

Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On 27 May, 04:04, Nonapept...@gmail.com wrote:

> Thanks for the prompt reply, James!

>

> Your pointer to the Local Policies >> Security Settings node in local

> security policy opened up some new possibilities for me.

>

> Let me restate my goal. What I really need is to create a public

> folder or two on the file server (much like the public folder on XP or

> Vista). That way anyone can access files in those folders without

> being prompted for username and password. Other shares can, and

> probably should stay access restricted.

>

> At first I thought "Network access: Named pipes that can be accessed

> anonymously" and "Network access: Shares that can be accessed

> anonymously" would be the way to go, but after messing with it I now

> think otherwise. When a Windows client tries to access shares on

> another computer in a workgroup, it seems to send the credentials of

> the local machine and user, so in effect it's not trying to access it

> anonymously. Unless I'm missing something, anonymous shares are not the

> way to go. Neither is allowing the ANONYMOUS_LOGON access to the share

> because again the logon attempt isn't really anonymous. Argh.

>

> What befuddles me is that this behaviour is default in XP and Vista.

> If you share something, everyone can access it on the network without

> username and password. I've just taken that behaviour for granted. I

> can't help but thinking to myself that this should be a lot simpler

> than I'm making it.

>

> I know I'm missing something obvious. Back to Googling...

 

 

I have had this with windows xp.. Being prompted for a user/pass..

 

I have found it just to be whether you choose AFS or SFS..

Either can prompt you, in a different way.

 

if you don't like the prompt, then either way you can get rid of it.

Slightly more easily with SFS. If SFS is prompting you then it's not

set up right e.g. Guest account is disabled perhaps. With AFS, if you

have identical accounts it will prob not prompt you.

 

And that setting I mentioned switches between AFS and SFS.

 

And I mentioned how not to get the prompts with them.

 

I only know Win XP though for file sharing.

Guest Nonapeptide@gmail.com
Posted

Re: Allowing file share browsing for un-authenticated users

 

On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"

<jameshanle...@yahoo.co.uk> wrote:

> On 27 May, 04:04, Nonapept...@gmail.com wrote:

>

>

>

> > Thanks for the prompt reply, James!

>

> > Your pointer to the Local Policies >> Security Settings node in local

> > security policy opened up some new possibilities for me.

>

> > Let me restate my goal. What I really need is to create a public

> > folder or two on the file server (much like the public folder on XP or

> > Vista). That way anyone can access files in those folders without

> > being prompted for username and password. Other shares can, and

> > probably should stay access restricted.

>

> > At first I thought "Network access: Named pipes that can be accessed

> > anonymously" and "Network access: Shares that can be accessed

> > anonymously" would be the way to go, but after messing with it I now

> > think otherwise. When a Windows client tries to access shares on

> > another computer in a workgroup, it seems to send the credentials of

> > the local machine and user, so in effect it's not trying to access it

> > anonymously. Unless I'm missing something, anonymous shares are not the

> > way to go. Neither is allowing the ANONYMOUS_LOGON access to the share

> > because again the logon attempt isn't really anonymous. Argh.

>

> > What befuddles me is that this behaviour is default in XP and Vista.

> > If you share something, everyone can access it on the network without

> > username and password. I've just taken that behaviour for granted. I

> > can't help but thinking to myself that this should be a lot simpler

> > than I'm making it.

>

> > I know I'm missing something obvious. Back to Googling...

>

> I have had this with windows xp.. Being prompted for a user/pass..

>

> I have found it just to be whether you choose AFS or SFS..

> Either can prompt you, in a different way.

>

> if you don't like the prompt, then either way you can get rid of it.

> Slightly more easily with SFS.  If SFS is prompting you then it's not

> set up right e.g. Guest account is disabled perhaps. With AFS, if you

> have identical accounts it will prob not prompt you.

>

> And that setting I mentioned switches between AFS and SFS.

>

> And I mentioned how not to get the prompts with them.

>

> I only know Win XP though for file sharing.

 

Okay. It seems that if I simply enable the guest account on my Server

2003 machine I am then able to list file shares using an account on a

workgroup computer that does not have an identical counterpart on the

server. That's a step in the right direction, but not quite what I had

in mind.

 

When I look through the server's event logs, it looks like the first

access attempt is using the workstation's local username and password.

When that is unsuccessful, it immediately retries using "Guest" (this

is behaviour that I was heretofore unaware of). That access request is

successful when the guest account is enabled.

 

There are a number of things that puzzle me about this whole thing

though. The "Network Access: sharing and security model for local

accounts" seems to be irrelevant in this scenario. That policy simply

states that in Classic mode if you access the server using a local

account then your permissions will be granular; allowing one account

the ability to have different permissions than another account. In

Guest Only mode, no matter what account you put in, it will map your

account to whatever permissions the Guest account has been given. That

may or may not include anonymous logins. I haven't figured that out

yet. Either way, I have the server in Client mode and enabling the

Guest account still allows me to enumerate file shares so that Network

Access policy can't be the solution.

 

So now I can allow any workgroup machine\user the ability to use the

server's shares, but I have yet to track down the specific policy that

grants this to the guest account. I also have yet to figure out if I

can select individual folders that the guest account can see and use.

That's my ultimate goal.

 

 

 

On a related note:

 

I've mentioned several times that I wondered how client OSs like XP

and Vista share their folders with anyone on the local network by

default. That's still unanswered. It doesn't seem to be through the

guest account, as it's disabled and the user rights assignment "Deny

access to this computer from the network" includes the Guest account.

Yet, anonymous access seems to be unlikely as well since several of

the Network Access policies dealing with Anonymous accounts look like

they stymie anon access.

 

What a can of worms.

 

I'll get to the bottom of this someday... :-|

Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On 27 May, 06:00, Nonapept...@gmail.com wrote:

> On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"

<snip>

> > I only know Win XP though for file sharing.

>

> Okay. It seems that if I simply enable the guest account on my Server

> 2003 machine I am then able to list file shares using an account on a

> workgroup computer that does not have an identical counterpart on the

> server. That's a step in the right direction, but not quite what I had

> in mind.

>

 

In Win XP, I would say it sounds like you are set to SFS

> When I look through the server's event logs, it looks like the first

> access attempt is using the workstation's local username and password.

> When that is unsuccessful, it immediately retries using "Guest" (this

> is behaviour that I was heretofore unaware of). That access request is

> successful when the guest account is enabled.

>

 

 

Where are these logs.. Do they exist in Windows XP?

 

I have never seen that behaviour. From my Win XP use, it sounds like a

mixture of AFS and SFS. I think that's impossible.. I have never

heard of that. Are you sure?

Is this retry a second later?

 

I haven't seen the logs though.. would be interested to know where

they are accessible.

 

 

> There are a number of things that puzzle me about this whole thing

> though. The "Network Access: sharing and security model for local

> accounts" seems to be irrelevant in this scenario. That policy simply

> states that in Classic mode if you access the server using a local

> account then your permissions will be granular; allowing one account

> the ability to have different permissions than another account. In

> Guest Only mode, no matter what account you put in, it will map your

> account to whatever permissions the Guest account has been given. That

> may or may not include anonymous logins. I haven't figured that out

> yet. Either way, I have the server in Client mode and enabling the

> Guest account still allows me to enumerate file shares so that Network

> Access policy can't be the solution.

>

 

you say you "have the server in client mode"? That is absolute

nonsense. Like saying you have the dart board acting as an arrow.

 

I think you mean Classic.. As in users authenticate as themselves.

 

I don't know much about NT file permissions. (they are for multi-user

environment of potentially malicious users. I don't need to really for

my own computers at home)

> So now I can allow any workgroup machine\user the ability to use the

> server's shares, but I have yet to track down the specific policy that

> grants this to the guest account. I also have yet to figure out if I

> can select individual folders that the guest account can see and use.

> That's my ultimate goal.

>

 

I mentioned 3 interesting options.

2 of them were "Allow...." and "Deny......"

 

The default is to Allow everyone, and Deny Guest.

(deny wins..I guess it is processed after)

 

(so another way of looking at it, is that if you don't deny guest,

then Guest is allowed. So there is no policy that allows Guest, it's

allowed if it is not denied. So in a sense, that is a default setting

- an unchangeable one. Stupid way of looking at it though. Or maybe

it's the Allowing everyone, that allows Guest.)

Default is Deny Guest.

 

Although I mentioned that in the context of being relevant to SFS. I

suppose it is relevant to AFS too.

 

In fact, windows xp machines are set to AFS by default. Guest Account

disabled. Guest Denied. (judging by my win xp installation from the

win xp sp2 cd I burned anyway)

> On a related note:

>

> I've mentioned several times that I wondered how client OSs like XP

> and Vista share their folders with anyone on the local network by

> default. That's still unanswered.

 

Out of interest.. Where did you see the terminology of calling XP a

client OS?

 

I know.. I have seen it too.. and it's common. But just wondering

where you saw it..

I actually saw that kind of terminology in a book called Networking

Complete, described windows 98 as a client OS.. Because relative to

Windows NT(the Network OS), its network features were limited.. e.g.

just basic password access to network directories. .

 

I think the default is AFS.

 

I think

Win XP only has 2 options . SFS or AFS, and no way of opting out.

But you can choose not to share any folders.

 

Certainly, I remember that Guest is disabled and Denied. I guess

Network Access is - Classic - users authenticate as themselves.

 

People who want SFS will have a problem if they just check the box.

They should either run the "Network Setup Wizard". Or after setting

SFS..

Check that it does Allow Everyone (it probably is)

-remove Guest from the deny list -

 

And check that authentication is as Guest - though it would be if it

is set to SFS.

As explained.

> It doesn't seem to be through the

> guest account, as it's disabled and the user rights assignment "Deny

> access to this computer from the network" includes the Guest account.

> Yet, anonymous access seems to be unlikely as well since several of

> the Network Access policies dealing with Anonymous accounts look like

> they stymie anon access.

>

 

What is an anonymous account?

 

BTW, I think with SFS users ONLY authenticate as Guest.

So whoever they are. I don't think it's like, they try to

authenticate as themselves and if it fails they do so as Guest. They

just do so as Guest.

 

Your logs claim otherwise.. be interesting to know where these logs

are..

 

and if they are in Win XP. 'cos I have win xp.

Guest Nonapeptide@gmail.com
Posted

Re: Allowing file share browsing for un-authenticated users

 

On May 27, 12:35 pm, "jameshanle...@yahoo.co.uk"

<jameshanle...@yahoo.co.uk> wrote:

> On 27 May, 06:00, Nonapept...@gmail.com wrote:

>

> > On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"

> <snip>

> > > I only know Win XP though for file sharing.

>

> > Okay. It seems that if I simply enable the guest account on my Server

> > 2003 machine I am then able to list file shares using an account on a

> > workgroup computer that does not have an identical counterpart on the

> > server. That's a step in the right direction, but not quite what I had

> > in mind.

>

> In Win XP, I would say it sounds like you are set to SFS

>

> > When I look through the server's event logs, it looks like the first

> > access attempt is using the workstation's local username and password.

> > When that is unsuccessful, it immediately retries using "Guest" (this

> > is behaviour that I was heretofore unaware of). That access request is

> > successful when the guest account is enabled.

>

> Where are these logs.. Do they exist in Windows XP?

>

> I have never seen that behaviour. From my Win XP use, it sounds like a

> mixture of AFS and SFS. I think that's impossible..  I have never

> heard of that. Are you sure?

> Is this retry a second later?

>

> I haven't seen the logs though.. would be interested to know where

> they are accessible.

>

> > There are a number of things that puzzle me about this whole thing

> > though. The "Network Access: sharing and security model for local

> > accounts" seems to be irrelevant in this scenario. That policy simply

> > states that in Classic mode if you access the server using a local

> > account then your permissions will be granular; allowing one account

> > the ability to have different permissions than another account. In

> > Guest Only mode, no matter what account you put in, it will map your

> > account to whatever permissions the Guest account has been given. That

> > may or may not include anonymous logins. I haven't figured that out

> > yet. Either way, I have the server in Client mode and enabling the

> > Guest account still allows me to enumerate file shares so that Network

> > Access policy can't be the solution.

>

> you say you "have the server in client mode"? That is absolute

> nonsense. Like saying you have the dart board acting as an arrow.

>

> I think you mean Classic.. As in users authenticate as themselves.

>

> I don't know much about NT file permissions. (they are for multi-user

> environment of potentially malicious users. I don't need to really for

> my own computers at home)

>

> > So now I can allow any workgroup machine\user the ability to use the

> > server's shares, but I have yet to track down the specific policy that

> > grants this to the guest account. I also have yet to figure out if I

> > can select individual folders that the guest account can see and use.

> > That's my ultimate goal.

>

> I mentioned  3 interesting options.

> 2 of them were "Allow...." and "Deny......"

>

> The default is to Allow everyone, and Deny Guest.

> (deny wins..I guess it is processed after)

>

>  (so another way of looking at it, is that if you don't deny guest,

> then Guest is allowed. So there is no policy that allows Guest, it's

> allowed if it is not denied. So in a sense, that is a default setting

> - an unchangeable one. Stupid way of looking at it though.  Or maybe

> it's the Allowing everyone, that allows Guest.)

> Default is Deny Guest.

>

> Although I mentioned that in the context of being relevant to SFS. I

> suppose it is relevant to AFS too.

>

> In fact, windows xp machines are set to AFS by default.  Guest Account

> disabled. Guest Denied. (judging by my win xp installation from the

> win xp sp2 cd I burned anyway)

>

> > On a related note:

>

> > I've mentioned several times that I wondered how client OSs like XP

> > and Vista share their folders with anyone on the local network by

> > default. That's still unanswered.

>

> Out of interest.. Where did you see the terminology of calling XP a

> client OS?

>

> I know.. I have seen it too.. and it's common. But just wondering

> where you saw it..

> I actually saw that kind of terminology in a book called Networking

> Complete, described windows 98 as a client OS..  Because relative to

> Windows NT(the Network OS), its network features were limited.. e.g.

> just basic password access to network directories. .

>

> I think the default is AFS.

>

> I think

> Win XP only has 2 options .  SFS or AFS, and no way of opting out.

> But you can choose not to share any folders.

>

> Certainly, I remember that Guest is disabled and Denied.  I guess

> Network Access is  - Classic  - users authenticate as themselves.

>

> People who want SFS will have a problem if they just check the box.

> They should either run the "Network Setup Wizard". Or  after setting

> SFS..

> Check that it does Allow Everyone (it probably is)

> -remove Guest from the deny list -

>

> And check that authentication is as Guest - though it would be if it

> is set to SFS.

> As explained.

>

> > It doesn't seem to be through the

> > guest account, as it's disabled and the user rights assignment "Deny

> > access to this computer from the network" includes the Guest account.

> > Yet, anonymous access seems to be unlikely as well since several of

> > the Network Access policies dealing with Anonymous accounts look like

> > they stymie anon access.

>

> What is an anonymous account?

>

> BTW, I think with SFS users ONLY authenticate as Guest.

> So whoever they are.  I don't think it's like, they try to

> authenticate as themselves and if it fails they do so as Guest.  They

> just do so as Guest.

>

> Your logs claim otherwise.. be interesting to know where these logs

> are..

>

> and if they are in Win XP. 'cos I have win xp.

>> In Win XP, I would say it sounds like you are set to SFS <<

 

I think essentially it is. This post explains it rather cogently:

http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/957006982831

 

Look for the last message on the list from a user called Bluenote.

It's basically what you told me to do.

 

>> Where are these logs.. Do they exist in Windows XP? <<

 

It's just standard event viewer. You can navigate to it in the Admin

Tools folder or open up the run box and type 'eventvwr'. You must

first turn on both "audit account logon events" and "audit logon

events" from the following local policy: Local Computer Policy >>

Computer Configuration >> Windows Settings >> Security Settings >>

Local Policies >> Audit Policy.

 

Then access network resources on your machine from another machine.

You should see logon/logoff events in the Security log in event

viewer.

 

>> I have never heard of that. Are you sure? <<

 

Pretty sure I'm sure.

 

 

>> Is this retry a second later? <<

 

It's not even a second later. It's so quick that it shows both logon

events at the exact same second.

 

>> you say you "have the server in client mode"? That is absolute

nonsense. Like saying you have the dart board acting as an arrow.

 

I think you mean Classic.. As in users authenticate as themselves. <<

 

Yep. Just a typo.

 

 

>> Out of interest.. Where did you see the terminology of calling XP a

client OS? <<

 

It's just a common way of talking about OSs that are not explicitly

designed to handle being dedicated servers. Of course, client machines

can serve things and have software installed on it that in effect

makes the client os a server (IIS on XP comes to mind). It's just a

matter of semantics.

 

 

>> What is an anonymous account? <<

 

An anonymous user or an anonymous access attempt is also known as a

"null session". Googling should bring back ample results. It is an

attempt at accessing a computer or resource with a null username and

no password. As I ponder this situation further, Anonymous access

doesn't seem to be relevant to my situation.

 

 

 

So here's what I think I'll do. If I enable the guest account, I can

enumerate all shares on the server (side note: that baffles me how I

can enumerate file shares on XP or Vista even though the guest account

is disabled... %-| ). However, for the guest account to actually

access anything it needs to be explicitly allowed, so I'll set NTFS

permissions appropriately on the shares that all folks need to get to.

 

I'd prefer to restrict even the listing of shares to only the ones

that guests can access, but that might be too much to ask.

 

 

>> BTW, I think with SFS users ONLY authenticate as Guest.

So whoever they are. I don't think it's like, they try to

authenticate as themselves and if it fails they do so as Guest. They

just do so as Guest. <<

 

My understanding of the difference between SFS and AFS is that it

merely obscures or reveals the guts of file sharing to the user who is

attempting to share something. With SFS you only have two options: To

share or not to share, and whether or not to allow people to modify

resources. AFS exposes the three levels of share permissions, all of

the NTFS permission scheme, as well as the ability to apply different

levels of permission to different users and groups. It has nothing to

do with whether or not another user on the network accesses your share

first with a local account and then with a guest account or only with

a guest account. In fact, it couldn't have any effect on that since

the option is only modifying your computer's behaviour and not other

computers'.

 

This looks like a good article on the topic:

http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_august13.mspx

 

 

Thanks for your input. Does anyone else out there have anything to

contribute concerning this whole file sharing thing? I'd love to grasp

Windows' concept of permissions and network access better, but fear

I'd lose my mind if I try to trace every loose end back to its

origin. :-/

 

Thanks
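The event-log pattern discussed in the posts above (a failed logon with the workstation's own account, then a successful Guest logon in the same second) can be checked mechanically once logon auditing is on. This is an added example, not code from any poster: it assumes the Security log has been exported to CSV with the hypothetical columns shown, uses event IDs 529 (logon failure) and 540 (successful network logon) as logged by Server 2003, and runs on constructed sample rows.

```python
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs.
FAILED_LOGON = 529    # logon failure: unknown user name or bad password
NETWORK_LOGON = 540   # successful network logon

Event = namedtuple("Event", "time event_id account workstation")

# Constructed sample export. The column names are an assumption of this
# example, not a format produced by Event Viewer itself.
SAMPLE_EXPORT = """\
timestamp,event_id,result,account,workstation
2008-05-27 05:41:07,529,Failure,alice,WKSTN-07
2008-05-27 05:41:07,540,Success,Guest,WKSTN-07
2008-05-27 05:44:30,540,Success,fileadmin,WKSTN-02
2008-05-27 05:52:11,529,Failure,bob,wkstn-11
2008-05-27 05:52:12,540,Success,guest,WKSTN-11
2008-05-27 06:03:45,529,Failure,carol,WKSTN-09
2008-05-27 06:10:02,540,Success,Guest,WKSTN-15
not-a-date,540,Success,Guest,WKSTN-01
"""


def parse_events(text):
    """Parse the CSV export, skipping rows that are truncated or malformed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            events.append(Event(
                datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                int(row["event_id"]),
                row["account"].strip(),
                row["workstation"].strip().upper(),
            ))
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
    return sorted(events, key=lambda e: e.time)


def classify_guest_logons(events, window=timedelta(seconds=2)):
    """Split successful Guest network logons into two groups.

    fallbacks: Guest logons preceded, within `window`, by a failed logon
               from the same workstation (the retry seen in the logs).
    direct:    Guest logons with no such preceding failure.

    Matching is done on timestamps rather than on row order, because both
    events can carry the same one-second timestamp and exports may list
    the newest event first.
    """
    failures = {}
    for e in events:
        if e.event_id == FAILED_LOGON:
            failures.setdefault(e.workstation, []).append(e)

    fallbacks, direct = [], []
    for e in events:
        if e.event_id != NETWORK_LOGON or e.account.lower() != "guest":
            continue
        pending = failures.get(e.workstation, [])
        match = next((f for f in pending
                      if timedelta(0) <= e.time - f.time <= window), None)
        if match is not None:
            pending.remove(match)  # one failure explains one Guest logon
            fallbacks.append((match.account, e.workstation, e.time))
        else:
            direct.append((e.workstation, e.time))
    return fallbacks, direct


def accounts_mapped_to_guest(fallbacks):
    """Per workstation, the account names that failed and ended up as Guest."""
    result = {}
    for account, workstation, _ in fallbacks:
        result.setdefault(workstation, set()).add(account)
    return {ws: sorted(names) for ws, names in result.items()}


if __name__ == "__main__":
    fallbacks, direct = classify_guest_logons(parse_events(SAMPLE_EXPORT))
    for account, workstation, when in fallbacks:
        print(f"{when}  {workstation}: '{account}' failed, then logged on as Guest")
    for workstation, when in direct:
        print(f"{when}  {workstation}: Guest logon with no preceding failure")
```

The two lists separate the fallback case described in the thread from Guest logons that had no preceding failure, and the per-workstation summary shows which client accounts have no counterpart on the server.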

Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On May 28, 3:11 am, Nonapept...@gmail.com wrote:

<snip>

> > and if they are in Win XP. 'cos I have win xp.

> >> In Win XP, I would say it sounds like you are set to SFS <<

>

> I think essentially it is. This post explains it rather cogently: http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/9570069...

>

 

interesting.. Good forum, I hadn't thought of that forum for windows /

non-hardware, but good to know.

> Look for the last message on the list from a user called Bluenote.

> It's basically what you told me to do.

>

 

he mentions another option which is potentially interesting..

Accounts: Guest Account Status <-- enabled

 

 

 

> >> Where are these logs.. Do they exist in Windows XP? <<

>

> It's just standard event viewer. You can navigate to it in the Admin

> Tools folder or open up the run box and type 'eventvwr'. You must

> first turn on both "audit account logon events" and "audit logon

> events" from the following local policy: Local Computer Policy >>

> Computer Configuration >> Windows Settings >> Security Settings >>

> Local Policies >> Audit Policy.

>

 

fantastic.. I will turn these on now and analyse what I see - when I

can!

 

in win xp..

ctrl panel..administrative tools..local security settings..local

policies..audit policies

 

 

> Then access network resources on your machine from another machine.

> You should see logon/logoff events in the Security log in event

> viewer.

>

 

thanks

> >>  I have never heard of that. Are you sure? <<

>

> Pretty sure I'm sure.

>

> >> Is this retry a second later? <<

>

> It's not even a second later. It's so quick that it shows both logon

> events at the exact same second.

>

> >> you say you "have the server in client mode"? That is absolute

>

> nonsense. Like saying you have the dart board acting as an arrow.

>

> I think you mean Classic.. As in users authenticate as themselves. <<

>

> Yep. Just a typo.

>

> >> Out of interest.. Where did you see the terminology of calling XP a

>

> client OS? <<

>

> It's just a common way of talking about OSs that are not explicitly

> designed to handle being dedicated servers. Of course, client machines

> can serve things and have software installed on it that in effect

> makes the client os a server (IIS on XP comes to mind). It's just a

> matter of semantics.

>

> >> What is an anonymous account? <<

>

> An anonymous user or an anonymous access attempt is also known as a

> "null session". Googling should bring back ample results. It is an

> attempt at accessing a computer or resource with a null username and

> no password. As I ponder this situation further, Anonymous access

> doesn't seem to be relevant to my situation.

>

> So here's what I think I'll do. If I enable the guest account, I can

> enumerate all shares on the server (side note: that baffles me how I

> can enumerate file shares on XP or Vista even though the guest account

> is disabled... %-| ). However, for the guest account to actually

> access anything it needs to be explicitly allowed, so I'll set NTFS

> permissions appropriately on the shares that all folks need to get to.

>

 

Here's a stab in the dark, maybe part of the answer is there's a

difference between the Guest account being disabled, and that option

of

Account: Guest Account Status

Though I suppose that just complicates things further and doesn't

answer your question.

> I'd prefer to restrict even the listing of shares to only the ones

> that guests can access, but that might be too much to ask.

>

 

anyone?

 

<snip>

> My understanding of the difference between SFS and AFS is that it

> merely obscures or reveals the guts of file sharing to the user who is

> attempting to share something. With SFS you only have two options: To

> share or not to share, and whether or not to allow people to modify

> resources. AFS exposes the three levels of share permissions, all of

> the NTFS permission scheme, as well as the ability to apply different

> levels of permission to different users and groups. It has nothing to

> do with whether or not another user on the network accesses your share

> first with a local account and then with a guest account or only with

> a guest account. In fact, it couldn't have any effect on that since

> the option is only modifying your computer's behaviour and not other

> computers'.

>

> This looks like a good article on the

> topic: http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_august13.mspx

 

No.. My test is conclusive..

 

Change the network access setting, between Guest and Classic. And it

changes file sharing mode between AFS and SFS. And Vice Versa.

 

 

I am using Win XP and If you have a Win XP machine, you can see for

yourself..

Tools...Folder Options...View...

scroll down to the bottom

Now look if SFS is checked or not

Checked is SFS. Unchecked is AFS.

 

Note down. in your short term memory, or notepad.

Let's say it is SFS.

 

Now. Look at that setting about

Network Access:

about how users authenticate.

 

You will see it is set to Guest.

 

Now do tools..folder options..view... Uncheck it. So it is set to AFS

 

Now go back to look at that setting about Network Access

 

You will see it has changed from Guest to Classic.

 

Now change it from Classic to Guest, and then go to tools..folder

options..view.

You will see that that setting has now changed to AFS.

 

I actually said this in probably my first reply to you.. I guess you

overlooked it!

 

That only covers a bit of what you mentioned about the access though.

I look forward to checking the logs.

 

I don't know about the file permissions..

<snip>
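Added example, not part of any post in this thread: a read-only check of the three settings discussed above (Guest account status, the sharing and security model, and the two logon audit policies). It assumes the policy was exported with `secedit /export /cfg policy.inf` and that the section and key names match that export layout; the sample text is constructed.

```python
import configparser

# Constructed sample in the layout of `secedit /export /cfg policy.inf`.
# A real export is UTF-16 text; decode it before passing it in.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
EnableGuestAccount = 1
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
"""

# Registry value behind "Network access: Sharing and security model for local accounts"
FORCE_GUEST = r"MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest"
AUDIT = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def review_policy(inf_text):
    """Summarise the sharing-related settings found in a secedit export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)

    def get(section, key):
        return cp.get(section, key, fallback=None)

    guest = get("System Access", "EnableGuestAccount")
    fg = get("Registry Values", FORCE_GUEST)  # stored as "<type>,<data>", 4 = REG_DWORD
    model = None
    if fg is not None:
        model = "Guest only" if fg.split(",", 1)[1].strip() == "1" else "Classic"

    def audit(key):
        raw = get("Event Audit", key)
        return None if raw is None else AUDIT.get(int(raw), "unknown")

    report = {
        "guest_account_enabled": None if guest is None else guest == "1",
        "sharing_model": model,
        "audit_logon_events": audit("AuditLogonEvents"),
        "audit_account_logon": audit("AuditAccountLogon"),
    }
    notes = []
    if report["guest_account_enabled"] and model == "Guest only":
        notes.append("network logons with local accounts are mapped to Guest")
    for key in ("audit_logon_events", "audit_account_logon"):
        if report[key] in (None, "none"):
            notes.append(key + " is off; these logons will not reach the Security log")
    report["notes"] = notes
    return report
```

Running `review_policy` on exports taken before and after a policy change shows which of the three settings moved.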

  • 3 weeks later...
Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On May 27, 12:25 am, Nonapept...@gmail.com wrote:

> I have a Windows Server 2003 file server in a workgroup environment

> that needs to allow anyone who plugs into the network to browse its

> file shares without being prompted for a username and password.

> Ideally it would behave just like a Windows XP machine that has a file

> share. A simple UNC path like this: \\ServerName\ should reply with

> the available file shares to anyone who asks.

>

> What is the option to get this behaviour? I can't seem to find the

> local policy to get this to work.

>

> Thanks bunches,

 

You mentioned that you are puzzled as to how win xp enumerates shares

with Guest disabled.

I had found that it doesn't.. - BUT

 

I know that with advanced file sharing, with an account on the remote

machine the same as the currently logged in account on the local

machine. Then it will go in automatically.

So in that instance , it will

 

Maybe the situation you ran into with xp, was that one.

 

I haven't tested this, but maybe that happens if you are logged on as

Administrator on the local machine.?

I guess you'd need a non blank password on it.. (otherwise windows

might not let you do it)

 

And since you're not logging in as Guest. Then that may help you with

your permissions goal.

 

You can always check your win xp machines for this duplicate account

thing. And the logs must give it away.

It should show it logging in as e.g. user1 , and you know user1

exists on the remote machine. I can't imagine it logging in as user1

and user1 not existing.

 

I know that above probably won't help, or you tried it 'cos I kind of

half mentioned.. But I thought I'd have another look at your post

'cos I tried the log thing you mentioned.. and made a small finding I

posted on arstechnica

http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/282004192931?r=880000292931#880000292931

, which corrects or updates some of the things I said here not

directly related to your problem.

My findings did correlate quite nicely with what you wrote. (though

not related to solving your prob!). But I thought maybe the duplicate

account thing had been overlooked..

I cannot see any other way that your win xp machines could see each

others' shares when the Guest account is disabled.

 

did you come any closer to solving it?

Guest jameshanley39@yahoo.co.uk
Posted

Re: Allowing file share browsing for un-authenticated users

 

On Jun 19, 6:21 am, "jameshanle...@yahoo.co.uk"

<jameshanle...@yahoo.co.uk> wrote:

<snip>

 

and I meant to mention...

another promising option was mentioned in that arstechnica thread -

the one I just mentioned..

 

http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/282004192931?r=880000292931#880000292931

 

one a reply to the question I asked, somebody posted a response..

 

it wasn't the solution but it is relevant to your problem

 

Control Panel > User Accounts > Advanced > Manage Passwords

 

(or in win xp - ctrl panel..user accounts..[click whichever user

account]..manage my network passwords)

 

Then you can add usernames and passwords, and a server to connect to..

I haven't tested it but it looks like this would give you some good

control over how you log in. (prob wouldn't even need "duplicate

accounts")
