Posted by Roger Abell [MVP] on October 17, 2006, 3:51 am
Are you by chance using an account (i.e. logging into the test-from
standalone machine with an account) that matches in name and
password an admin account on the target member to which you
are allowed non-prompted access?
And, if the above is not the case, I just want to confirm that you
see this if the test to the member is the first thing done after logging
into the test-from machine after it has been freshly rebooted (here
I am trying to rule out any persistence of other credentials).
If both yield no behavior explanation/differences then we may be
in a real mystery to explain.
Roger
> On the client, there are no persistent shares, and no stored credentials.
>
> On the member servers, the local Administrators group contains
> Domain\Domain Admins and the domain Administrator account.
>
> I've checked the Domain Admins group, that contains only the Domain
> Administrator account.
>
> Thanks.
>
> --
> Gavin.
>
>> Well, something is really toasty here.
>>
>> If the C$, etc. are indeed the administrative shares, then the
>> access should be allowed for Administrators only.
>>
>> A couple things to examine:
>> 1. what is the membership in the Administrators group of the
>> member that does not require authN ?
>> 2. when you try to look in through the Permissions button for
>> a drive root's share (in its properties, sharing tab) are you
>> shown "This has been shared for administrative ... "
>> (one can shut off admin shares, and then define a C$ that is
>> permissioned other than expected)
>>
>> The Log on over the network user right only determines
>> what accounts can try to access shares, but the permissions
>> on each share still determine which of those allowed to try
>> accounts will succeed.
>>
>> Also, on the machine from which you are testing that allows
>> unauthenticated access, make sure that you try this after a
>> fresh login, that there are no persistent shares, and that running
>> control keymgr.dll
>> does not show that there are cached network credentials to use
>> when accessing the member.
>>
>> Let's start there, and after the more simple possibilities are ruled
>> out, then post back.
>>
>> Roger
>>
>>> I'm trying to secure access to our servers. We have 2 domain
>>> controllers, 1 Windows 2000, the other Windows 2003 and 3 member
>>> servers, all running Windows 2003.
>>>
>>> From a computer that is not a member of the domain, attempting to access
>>> an administrative share on a DC, we are presented with a prompt for a
>>> username and password.
>>>
>>> The same computer connecting to an administrative share on a member
>>> server, there is no prompt and the access is allowed.
>>>
>>> Our AV software uses administrative shares to update so I can't simply
>>> disable them.
>>>
>>> I assumed this had something to do with the 'Access this computer from
>>> the network' policy but this appears not to be the case; the 'Everyone'
>>> group is assigned this permission on the DCs and authentication is
>>> required for those servers.
>>>
>>> How can I prevent unauthenticated access to these member server shares,
>>> or even better, only permit Administrators access to the shares?
>>>
>>> Do I need to manually create the shares with custom security?
>>>
>>> Thanks.
>>>
>>> --
>>> JB
>>>
>>
>>
>
>
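
The checks asked for in this thread, gathered into one script. This is an added example, not part of the original posts; the script's parameters and the server name MEMBER01 are placeholders made up for it, and it assumes PowerShell with the built-in net.exe and cmdkey.exe tools available.

```powershell
# Added example: collects the evidence requested in the thread.
# Run with -Role Client on the test-from machine (right after a fresh logon),
# and with -Role Member on the member server that does not prompt.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Client', 'Member')]
    [string]$Role,
    [string]$Server = 'MEMBER01'    # placeholder name, constructed for this example
)

if ($Role -eq 'Client') {
    # A local account whose name and password match an admin account on the
    # member connects without a prompt, so record who is logged on.
    "Logged on as: $env:USERDOMAIN\$env:USERNAME"

    # Existing or persistent connections to the member ('net use' lists both).
    $sessions = net use | Select-String -SimpleMatch "\\$Server"
    if ($sessions) { "Connections to ${Server}:"; $sessions }
    else           { "No existing connections to $Server." }

    # Stored credentials: cmdkey reads the same store that
    # 'control keymgr.dll' displays. Fall back to the GUI if it is missing.
    if (Get-Command cmdkey.exe -ErrorAction SilentlyContinue) {
        $stored = cmdkey /list | Select-String -SimpleMatch $Server
        if ($stored) { "Stored credentials mentioning ${Server}:"; $stored }
        else         { "No stored credentials mention $Server." }
    }
    else {
        "cmdkey.exe not found; check with: control keymgr.dll"
    }
}
else {
    # Item 1 from the thread: who is in the local Administrators group.
    "Members of the local Administrators group:"
    net localgroup Administrators

    # Item 2: how C$ is defined. An automatically created administrative
    # share normally carries the remark 'Default share'; a share that was
    # re-created by hand under the same name can have other permissions.
    "Definition of C$:"
    net share 'C$'
}
```

Compare the logged-on account name from the client run against the Administrators membership from the member run; a name that appears in both is the matching-account case raised at the top of this post.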