Solved

Network Access to Shares is Too Persistent

Posted on 2000-02-22
Last Modified: 2013-12-28
Using Windows NT Explorer to ramble through Network Neighborhood I can access shares created on various systems. For some shares I need to go through the Enter Network Password dialog. If I gain access this way there does not appear to be a way to terminate the access, i.e. subsequent times that I logon to the local machine I will have access to the shares that I logged in to previously. (This is different from mapping a drive letter where I can use Disconnect Network Drive... to sever the connection.) How can I break this connection so that another network logon is required?
0
Question by:unlikelyloginname
7 Comments
 
LVL 2

Accepted Solution

by:
shibu020500 earned 200 total points
ID: 2547096
Hi Unlikely,
If you do not want to get the shares of a PC which you got after going through this "Enter Network Password" dialog box, you can go to the command prompt and type in
NET USE
You would see a list of shares and the drive letters mapped to them.
Out of that you can see the \\machine_name\IPC$ entry, which is enabling this access to the shared resource of the PC to which you haven't mapped any drive letter.
You can delete this by using this command:
NET USE \\mach_name\IPC$ /delete
which would end the session and prompt you for a username and password next time you try to access the share.
If you want to remove all the shares you can use
NET USE * /delete
You could probably put it in a batch file to ease the job :-)
These connections are for a short period and are called deviceless connections.

             Good Luck
             SHIBU
0
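The check described in the accepted answer, as an added example that is not part of the original post: it parses `net use` output, picks out the deviceless connections (rows with no local device, such as `\\machine_name\IPC$`) and builds the per-connection delete command. The sample output, host names and function names are constructed for illustration, and the column layout is assumed from typical `net use` output.

```python
import re

# Constructed sample of `net use` output (not captured from a real host).
SAMPLE_NET_USE = r"""New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           H:        \\FILESRV1\home           Microsoft Windows Network
OK                     \\FILESRV1\IPC$           Microsoft Windows Network
Disconnected           \\LABPC7\DATA             Microsoft Windows Network
OK           LPT1      \\PRINTSRV\laser          Microsoft Windows Network
The command completed successfully.
"""

# Local device column: a drive letter or a printer port.
DEVICE = re.compile(r"^(?:[A-Za-z]:|LPT\d+:?)$")
# \\server\share (assumption: share names containing spaces are not handled).
UNC = re.compile(r"\\\\[^\\\s]+\\\S+")

def parse_net_use(text):
    """Return one dict per connection row: status, local device (or None), remote."""
    rows = []
    for line in text.splitlines():
        m = UNC.search(line)
        if not m:
            continue  # banner, header, separator or trailer line
        before = line[:m.start()].split()
        local = next((t for t in before if DEVICE.match(t)), None)
        status = next((t for t in before if not DEVICE.match(t)), "")
        rows.append({"status": status, "local": local, "remote": m.group(0)})
    return rows

def deviceless(rows):
    """Connections with no local device; Disconnect Network Drive never lists these."""
    return [r for r in rows if r["local"] is None]

def delete_commands(rows):
    """Build the command from the answer for each deviceless connection."""
    return [f"NET USE {r['remote']} /delete" for r in deviceless(rows)]

if __name__ == "__main__":
    for cmd in delete_commands(parse_net_use(SAMPLE_NET_USE)):
        print(cmd)
```

On a real machine the input would be the text printed by `NET USE`; the script only prints the commands and does not run them.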
 
LVL 63

Expert Comment

by:SysExpert
ID: 2547230
Once you have accessed a share, the password is stored locally. So the next time you access it, you may not be required to enter a password. You could delete the *.pwl file if you want. Normally in the Windows dir.
I hope this helps.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2549943
Windows NT Explorer will map shares persistently.
The only way to change this is to unmap the shares (net use /d) or remove the persistent status of the share via the registry.
Why do you want to 'break' the connection?
Are you using the same username and password to log on?
This all sounds like default behaviour to me.
0

Author Comment

by:unlikelyloginname
ID: 2551071
Curiouser and curiouser.

The client side shows a connection to \\MyMachine\IPC$ when the share is in use. It reconnects automatically after being broken with NET USE \\MyMachine\IPC$ /d. (Or after being disconnected by the server side using Server Administrator.) I want to prevent automatic reconnection without forcing another network login.

There are several reasons that I'm mucking with this:

Curiosity.  Who is keeping track of the access that was granted long ago?  Is it hiding in the registry by SID?

A concern about security.  I deleted a share to which the client machine had access and later created a new share with the same name.  The client had access to the new share without performing a network login.  As an old (Eh?) system manager I would like to be able to look at the list of things that are "preauthorized", whether or not they currently exist, so that I can avoid creating something that I think is protected only to find that some old certificate somewhere is still valid.

The ability to tidy up loose ends.  I have made the mistake of using the browser, and a network login, rather than mapping a drive in order to help someone get a file.  Disconnecting a mapped drive is easy, but I can't seem to disable access that was obtained while browsing.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2551193
IPC$ connections are normal - they represent accesses to files that don't have a drive mapped to them.
So - if you're browsing through explorer, you'll get IPC connections for each separate server you browse.
Even if you've already got a drive mapped to that server.

What's happening here should not affect security.

That boils down to NTFS permissions - if they're secure and in place, nothing can get past them (at least from a user's point of view :) ).

An IPC connection will be made to ALL servers the workstation accesses (including the PDC or BDC whenever they log on).

It seems a little mysterious that deleting a shared directory and recreating it retains NTFS permissions, as they're attached to the directory itself.

Are you sure this is the case?

If you just delete the SHARE, then this would happen. If you delete the SHARE+DIRECTORY, it shouldn't!

You have to make sure you apply NTFS permissions BEFORE you share the directory.

Hope this helps.

0
 
LVL 2

Expert Comment

by:shibu020500
ID: 2554401
Hi,
It seems to me my answer didn't satisfy you :-). Anyway, that was the answer to your query. Once you are disconnecting a share using net use, when you attempt to reconnect it would definitely ask for a username and password (only if the SID which you have used to log in to the client PC is not present in the server).

You can check the status of your shares (all shares to which you are connected) using the NET USE command. For a disconnected share it would be DISCONNECTED, else OK.

Now coming to the shares: when you share anything, the Computer Browser Service just broadcasts the information throughout the network. This is why you can see your server shares from a client PC.
When a user logs in, the NETLOGON service and Local Security Authority of the server would verify the user's info in the Security Accounts Manager database. If his info is present he would be allowed to log in.

Coming to accessing resources, the user would be given KEYS to the SHARES which he is permitted to access. This you configure in the shares.
Ex: the DATA folder is shared (remember, in NT by default it is Everyone Full Control). Since it is shared, its info would be broadcast on the network, and users like you and me see it from Network Neighborhood. When you double-click or try to access the share, your SID is passed on to the server to check whether (1) your account is present in the SAM database and (2) you have been permitted to access (default --> Full Control); if yes, you can see the contents and perform other operations.
Now if I stop the sharing and delete the folder and create another folder with a different name but SHARE it with the SAME name, naturally it would appear in Network Neighborhood, and when you access it, your username would be checked as mentioned before and, if accepted, you would be allowed to access.

To avoid such things, share a folder only for those users who are meant to access it and remove the default (Everyone -- Full Control). Also, as Tim Holman mentioned, you can use NTFS permissions, which again, by default, allow everyone.

In brief, there is nothing in share names; it is the access list associated with a share that is more important.

  I believe this might have clarified most of your doubts
                  Good Luck
                    Shibu
0
 

Author Comment

by:unlikelyloginname
ID: 2554926
It seems that I missed a fundamental feature of "security" in Windows NT.  Share permissions don't apply if the client user's username and password happen to match an account on the system offering the share.

When setting file protections there is always the feature of having to remember to include access for Me and Domain\Me. I assumed that being schizophrenic, or at least plural, would extend to shares. If the share permission allows access to anyone authenticated as Svengali on the serving machine then they must explicitly ask the server to authenticate them. In fact, if the client happens to be Svengali on their machine, and the passwords match, then access is granted implicitly.

Sorry that it took so long for this to sink in.
0
