barthollis
asked on
Rights using RAS
Can someone explain to me how the accounts and user rights work when using RAS?
I have an NT 4 Server running RAS. I want to be able to have a client call this computer and be able to log on and gain access to only a single directory on the server. No other services should be available to this client form my server unless I specifically grant them.
I would create that directory on my server in advance and give it a share name. I would create a user on my server and would assign a user name and password.
The usual client would be a Win 95 machine and would probably be part of another workgroup or domain. I won't have access to the client username or password that was used to gain access to his workgroup or domain. The client should use the user name and password I have created on my server.
I would guess there are different ways to accomplish this, so I'd like to know all the ramifications of the various options.
I have an NT 4 Server running RAS. I want to be able to have a client call this computer and be able to log on and gain access to only a single directory on the server. No other services should be available to this client form my server unless I specifically grant them.
I would create that directory on my server in advance and give it a share name. I would create a user on my server and would assign a user name and password.
The usual client would be a Win 95 machine and would probably be part of another workgroup or domain. I won't have access to the client username or password that was used to gain access to his workgroup or domain. The client should use the user name and password I have created on my server.
I would guess there are different ways to accomplish this, so I'd like to know all the ramifications of the various options.
ASKER
I'm sorry, perhaps I wasn't clear enough with my request.
I already have RAS running on my server, The clients already have Win95 and Dialup Networking on their machines.
When they log on to their domain or workgroup, they use a name and password that is unknown to me. In fact, I don't even know the name of the domain or work group.
I have created a domain user, with dial in permission on my server. Of course that name/password is different than the one they used on their machine.
When they dial in to my server, they fill in the name and password I gave them when they dial. Upon connection, they are presented with a log on dialog box asking for a password. No matter what they enter, they do not gain access to my system.
The only way I have found to make it work is to have them log on to their workstation using the name/password I have given them. This, of course creates security problems at their end as I now have access to their system.
What I really want to know is how to get them to be able to log on to my system regardless of the user name/password they used to get onto theirs.
Then, I would like to know how to restrict them to just certain services. Best bet would be they couldn't even see anything else. Kinda like Netware <g>.
I want to thank you for the effort you have put into this request so far. Although I think reject is a slightly strong word, and I certainly appreciate your efforts to this point, I am going to reject this answer to allow others access.
I already have RAS running on my server, The clients already have Win95 and Dialup Networking on their machines.
When they log on to their domain or workgroup, they use a name and password that is unknown to me. In fact, I don't even know the name of the domain or work group.
I have created a domain user, with dial in permission on my server. Of course that name/password is different than the one they used on their machine.
When they dial in to my server, they fill in the name and password I gave them when they dial. Upon connection, they are presented with a log on dialog box asking for a password. No matter what they enter, they do not gain access to my system.
The only way I have found to make it work is to have them log on to their workstation using the name/password I have given them. This, of course creates security problems at their end as I now have access to their system.
What I really want to know is how to get them to be able to log on to my system regardless of the user name/password they used to get onto theirs.
Then, I would like to know how to restrict them to just certain services. Best bet would be they couldn't even see anything else. Kinda like Netware <g>.
I want to thank you for the effort you have put into this request so far. Although I think reject is a slightly strong word, and I certainly appreciate your efforts to this point, I am going to reject this answer to allow others access.
ASKER
Adjusted points to 150
ASKER
Adjusted points to 200
ASKER
Adjusted points to 400
I can think of a couple more things you can look at. On the client end (win 95) check the security settings on dial up network. There are 3 levels of security - if you choose the NT authentication, I believe it will expect that workstation to be either a member of your domain or of a trusted domain. Since it is not, choose one of the other options.
On your server, did you use the Remote Access Administrator to give the dial-up user access to the machine? If so, then you can setup shares that will allow the user to see and access only what you want them to see. Hope this helps more than my first try.
On your server, did you use the Remote Access Administrator to give the dial-up user access to the machine? If so, then you can setup shares that will allow the user to see and access only what you want them to see. Hope this helps more than my first try.
ASKER
Thanks for your response.
I'll have to check the Win boxes security settings. I don't know what they are.
On the server: I did give the user dial in rights.
I pulled the cable from one of my Win boxes, hooked it to the phone line and tried some things. Seems like if I give the user admin rights, it works as expected. He can get everything. If I create a group called RASUser for instance, When I dial in, the server says I have Guest permissions. I THOUGHT I disabled the guest account! I can see everything although I can't do everything. I'd like the RASUser to be able to see only the shares I have specifically allowed.
The thing that is most important to me right now is this: I want to have a user (BOB) be able to dial up my server and have full access to G:\BOB (a subdirectory on G: of my server.) I create a subdirectory call BOB. I create a share called BOBDIR, give full permissions to BOB and take out the Everyone permissions. I create a user called BOB, and grant Dial in rights. BOB also has to see the root of G:, right? BOB should not be able to see anything else, right?
I'll have to check the Win boxes security settings. I don't know what they are.
On the server: I did give the user dial in rights.
I pulled the cable from one of my Win boxes, hooked it to the phone line and tried some things. Seems like if I give the user admin rights, it works as expected. He can get everything. If I create a group called RASUser for instance, When I dial in, the server says I have Guest permissions. I THOUGHT I disabled the guest account! I can see everything although I can't do everything. I'd like the RASUser to be able to see only the shares I have specifically allowed.
The thing that is most important to me right now is this: I want to have a user (BOB) be able to dial up my server and have full access to G:\BOB (a subdirectory on G: of my server.) I create a subdirectory call BOB. I create a share called BOBDIR, give full permissions to BOB and take out the Everyone permissions. I create a user called BOB, and grant Dial in rights. BOB also has to see the root of G:, right? BOB should not be able to see anything else, right?
So far it sounds good. When your user(Bob) dials into your machine, he should use the ID/password (bob/whatever) as is defined on your machine. Make sure that the domain name on his machine is set for your server. Once Bob successfully logs on, he will need to create a map to the share you defined (BOBDIR). Once the user is logged on, have them right click on My Computer and select "Map Network Drive". The drive letter should not matter. In the path have them type: \\Your-Server\BOBDIR then click ok. If you get an error, try the same thing, but in the Connect As box add the following: Your-Server\BOB
Hope this helps
Hope this helps
ASKER
So far so good. What if BOBs computer is part of a domain already. I mean what if he's calling from work and already part of a domain there?
And how come he gets to use the guest account on my server when I have it disabled?
And how come he gets to use the guest account on my server when I have it disabled?
It doesn't matter if BOBs computer is part of another domain or a standalone. When he uses RAS to login to your server he is basically just creating a map to another machine using a connect as. Basically the workstation will be logged into BOBs domain (his normal work domain) and will have a drive mapped to your share (BOBDIR) connected as BOB (a member of your domain).
If you've disabled the guest account using User Manager for Domains on your server, I'm at a loss as to how BOB can connect to it using that ID. Try and verify that he is using the guest account as defined in your domain by either renaming the guest id or giving it a password only you know - then try loging on with that ID again.
If you've disabled the guest account using User Manager for Domains on your server, I'm at a loss as to how BOB can connect to it using that ID. Try and verify that he is using the guest account as defined in your domain by either renaming the guest id or giving it a password only you know - then try loging on with that ID again.
The guest account does not ordinarily have a password, you should avoid giving this account dial-in permissions (which wil be given if you select to give all users dial-in permissions - a pain in NT as you can choose all, none or manually go through and select individual users). If you intend to grant guest dial-in access, either strictly restrict permissions assigned to this account ir asign a password. But again, you should not give it dial-in permissions.
UNLESS - You want to do what you have stated. Give the guest account access to the directory(ies) which you wish. You can do this with the User Manager for Domains and revoke all permissions from the guest and then add only the permisions necessary to gain access to that directory - which is pretty easy, create the directory and assign it rights to the guest and yourself or the group which you wish to access internally.
Here is a supporting word from Microsoft:
Windows NT Remote Access Service (RAS) does not permit unknown user accounts to access a RAS server remotely. On many local area networks (LANs), an anonymous guest account is established to enable some access to the LAN even if you are not an offical member. However, you will be unsuccessful if you try to connect to a LAN via Windows NT RAS from a non-recognized account, even if a default guest account has been established. However, if you use the guest account directly by actually specifying "guest" as your logon name, you will be able to connect to the LAN.
To restrict guest or unknown user access to your network from RAS, you need to disable the guest account, restrict the guest account's dial-in permissions, or assign a password to the guest account.
Example
NOTE: This example assumes there are no trust relationships between the RAS server and other domains, a guest account is enabled, and RAS Administrator has given dial-in permissions to the guest account.
•A Windows NT RAS client dials into a Windows NT Advanced Server RAS server. •The client supplies "Joe" for the account and "MS" for the password. •RAS Server does not have an account for "Joe." •The client fails authentication and is prompted for a new account and password.
MORE INFORMATION
RAS user authentication is similar to network access authentication. The server logs the user on via LsaLogonUser and then logs him off with NtClose. RAS logs the user on to find out if guest credentials were used or not. RAS then logs the user off; RAS only uses this logon session for checking credentials and does not enable the user any acces to the nextwork. The logon session of interest to the user is the one created when logged onto the system interactively. If the user has guest credentials then RAS rejects his authentication.
A result of this is an interesting security audit trail. In User Manager, choose Auditing from the Policies menu. Choose Audit Logon and Logoff. When a remote client dials in, as in the example above, you will see "Joe" successfully logged in as Guest and then logged off. It looks like a successful guest access. However, RAS detects the guest permissions and rejects the authentication.
UNLESS - You want to do what you have stated. Give the guest account access to the directory(ies) which you wish. You can do this with the User Manager for Domains and revoke all permissions from the guest and then add only the permisions necessary to gain access to that directory - which is pretty easy, create the directory and assign it rights to the guest and yourself or the group which you wish to access internally.
Here is a supporting word from Microsoft:
Windows NT Remote Access Service (RAS) does not permit unknown user accounts to access a RAS server remotely. On many local area networks (LANs), an anonymous guest account is established to enable some access to the LAN even if you are not an offical member. However, you will be unsuccessful if you try to connect to a LAN via Windows NT RAS from a non-recognized account, even if a default guest account has been established. However, if you use the guest account directly by actually specifying "guest" as your logon name, you will be able to connect to the LAN.
To restrict guest or unknown user access to your network from RAS, you need to disable the guest account, restrict the guest account's dial-in permissions, or assign a password to the guest account.
Example
NOTE: This example assumes there are no trust relationships between the RAS server and other domains, a guest account is enabled, and RAS Administrator has given dial-in permissions to the guest account.
•A Windows NT RAS client dials into a Windows NT Advanced Server RAS server. •The client supplies "Joe" for the account and "MS" for the password. •RAS Server does not have an account for "Joe." •The client fails authentication and is prompted for a new account and password.
MORE INFORMATION
RAS user authentication is similar to network access authentication. The server logs the user on via LsaLogonUser and then logs him off with NtClose. RAS logs the user on to find out if guest credentials were used or not. RAS then logs the user off; RAS only uses this logon session for checking credentials and does not enable the user any acces to the nextwork. The logon session of interest to the user is the one created when logged onto the system interactively. If the user has guest credentials then RAS rejects his authentication.
A result of this is an interesting security audit trail. In User Manager, choose Auditing from the Policies menu. Choose Audit Logon and Logoff. When a remote client dials in, as in the example above, you will see "Joe" successfully logged in as Guest and then logged off. It looks like a successful guest access. However, RAS detects the guest permissions and rejects the authentication.
ASKER
I have received partial answers to my questions. That's why I haven't accepted an answer yet. I have also spent about 7 hours trying different things. I have narrowed my question down to just one thing now.
Is there a way to force my server to recognize the user/password combination used in DUN if it is different from the logon user/password?
Here's the scene.
A user logs into his computer running Win 95, using a user name of "George" and a password of "Password". He is allowed access to his domain of "Whatever" and can operate normally.
He calls up DUN on his machine, enters a user name of "Bob" with a password of "Secret" and the domain of "Remote" (which is my domain name).
I have created a user of "Bob", assinged a password of "Secret", granted dialin rights, and have set permissions on the shares I want him to be able to access.
When the connection is made, my server verifys and accepts "Bob" as a user and logs him onto the system.
However, when the user attempts to use any services, such as mapping a drive, he is unable to do so and is presented with a dialog box asking for a password.
It seems that his machine is presenting his original user name, "George" and the password, "Password" at this time.
If I ask for his original user name so I can set up a user on my machine for him, we have commited a 50% security breach of his system.
Do I have to live with this? Or, is there a way to have his machine send the DUN user/password to my machine during a request?
Is there a way to force my server to recognize the user/password combination used in DUN if it is different from the logon user/password?
Here's the scene.
A user logs into his computer running Win 95, using a user name of "George" and a password of "Password". He is allowed access to his domain of "Whatever" and can operate normally.
He calls up DUN on his machine, enters a user name of "Bob" with a password of "Secret" and the domain of "Remote" (which is my domain name).
I have created a user of "Bob", assinged a password of "Secret", granted dialin rights, and have set permissions on the shares I want him to be able to access.
When the connection is made, my server verifys and accepts "Bob" as a user and logs him onto the system.
However, when the user attempts to use any services, such as mapping a drive, he is unable to do so and is presented with a dialog box asking for a password.
It seems that his machine is presenting his original user name, "George" and the password, "Password" at this time.
If I ask for his original user name so I can set up a user on my machine for him, we have commited a 50% security breach of his system.
Do I have to live with this? Or, is there a way to have his machine send the DUN user/password to my machine during a request?
ASKER
mearly,
I still don't understand this situation. Are there two login names being used?
I still don't understand this situation. Are there two login names being used?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
skyman,
Not the answer I was hoping for, but plain, simple and accurate non-the-less.
One final point. You say: "and will automatically try to mount shares based on the users WINDOWS username and password. If they are not the correct password for your server the user will then be prompted for an alternative password."
Why does a valid user/password not allow access at that time. I mean if the user enters a user name and password other than that used to log onto his computer, why won't my server use the information he enters at this prompt?
The idea of restricting the log in computer will certainly help.
Thank you all for your efforts with my problem.
I am accepting skymans answer as if fits my needs within the limits of the operating system.
Not the answer I was hoping for, but plain, simple and accurate non-the-less.
One final point. You say: "and will automatically try to mount shares based on the users WINDOWS username and password. If they are not the correct password for your server the user will then be prompted for an alternative password."
Why does a valid user/password not allow access at that time. I mean if the user enters a user name and password other than that used to log onto his computer, why won't my server use the information he enters at this prompt?
The idea of restricting the log in computer will certainly help.
Thank you all for your efforts with my problem.
I am accepting skymans answer as if fits my needs within the limits of the operating system.
On the Client side (win95) Dial-up Networking will need to be installed. The Dial-up server type should be set for PPP Windows NT, Windows 95.
Some additional notes that may help with problems you may encounter: There is a registry setting you can change on the server that will enable the server to broadcast NetBIOS names to IPX dial-in clients. At the server update HKEY_LOCAL_MACHINE System - CurrentControlSet - Services - NwlnkIpx - Parameters
Value: DisableDialinNetBIOS Change from 1 to 0
Also, watch for the ability to enable dial-in NetBIOS durning the Wizard-based installation of RAS - answer YES
Finally, you could setup a Policy for the RAS Server:
CLASS MACHINE
CATEGORY "Remote Access Service"
POLICY "Allow NWLink dial-in connections by
broadcasting NetBIOS names"; (type on 1 line)
KEYNAME System\CurrentControlSet\S
NwlnkIpx\Parameters; (all on 1 line & note nw-L-nk-I-px)
VALUENAME DisableDialinNetbios
VALUEON NUMERIC 0 VALUEOFF NUMERIC 1
END POLICY
END CATEGORY