Solved

Network Access to Shares is Too Persistent

Posted on 2000-02-22
Last Modified: 2013-12-28
Using Windows NT Explorer to ramble through Network Neighborhood I can access shares created on various systems. For some shares I need to go through the Enter Network Password dialog. If I gain access this way there does not appear to be a way to terminate the access, i.e. subsequent times that I log on to the local machine I will have access to the shares that I logged in to previously. (This is different from mapping a drive letter where I can use Disconnect Network Drive... to sever the connection.) How can I break this connection so that another network logon is required?
Question by:unlikelyloginname
7 Comments
 
LVL 2

Accepted Solution

by:
shibu020500 earned 200 total points
ID: 2547096
Hi Unlikely,
If you do not want to get the shares of a PC which you got after going through this "Enter Network Password" dialog box, you can go to the command prompt and type in
NET USE
You would see a list of shares and the drive letters mapped to them.
Out of that you can see a \\machine_name\IPC$ entry, which is enabling this access to the shared resource of the PC to which you haven't mapped any drive letter.
You can delete this by using this command:
NET USE \\mach_name\IPC$ /delete
which would end the session and prompt you for a username and password next time you try to access the share.
If you want to remove all the shares you can use
NET USE * /delete
You could probably put it in a batch file to ease the job :-)
These connections are for a short period and are called deviceless connections.

             Good Luck
             SHIBU
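An added example, not part of the original answer: a small Python parser that reads NET USE output, picks out the deviceless connections described above (rows with no local drive letter or printer port), and builds the matching NET USE ... /delete lines. The sample listing and its host and share names are constructed, and the parser assumes share names contain no spaces.

```python
import re

# Constructed sample of `net use` output; host and share names are made up.
SAMPLE = r"""New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           H:        \\FILESRV\home            Microsoft Windows Network
OK                     \\FILESRV\IPC$            Microsoft Windows Network
Disconnected           \\LABPC\IPC$              Microsoft Windows Network
             LPT1      \\PRINTSRV\laser          Microsoft Windows Network
The command completed successfully.
"""

# Local device names that can be redirected: drive letters and printer ports.
DEVICE = re.compile(r"^([A-Z]:|LPT\d)$", re.IGNORECASE)


def parse_net_use(text):
    """Return one dict per connection row: status, local device or None, remote."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # A connection row is any line carrying a UNC name (\\server\share).
        unc = next((t for t in tokens if t.startswith("\\\\")), None)
        if unc is None:
            continue
        before = tokens[:tokens.index(unc)]
        local = next((t for t in before if DEVICE.match(t)), None)
        status = next((t for t in before if not DEVICE.match(t)), "")
        rows.append({"status": status, "local": local, "remote": unc})
    return rows


def deviceless(text):
    """Connections with no local device: Disconnect Network Drive never lists these."""
    return [r for r in parse_net_use(text) if r["local"] is None]


def delete_commands(text):
    """Build the NET USE ... /delete line for each deviceless connection."""
    return ["net use {} /delete".format(r["remote"]) for r in deviceless(text)]


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE):
        print(cmd)
```
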
 
LVL 63

Expert Comment

by:SysExpert
ID: 2547230
Once you have accessed a share, the password is stored locally. So the next time you access it, you may not be required to enter a password. You could delete the *.pwl file if you want. Normally in the Windows dir.
I hope this helps.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2549943
Windows NT Explorer will map shares persistently.
The only way to change this is to unmap the shares (net use /d) or remove the persistent status of the share via the registry.
Why do you want to 'break' the connection?
Are you using the same username and password to log on?
This all sounds like default behaviour to me.

Author Comment

by:unlikelyloginname
ID: 2551071
Curiouser and curiouser.

The client side shows a connection to \\MyMachine\IPC$ when the share is in use. It reconnects automatically after being broken with NET USE \\MyMachine\IPC$ /d. (Or after being disconnected by the server side using Server Administrator.) I want to prevent automatic reconnection without forcing another network login.

There are several reasons that I'm mucking with this:

Curiosity.  Who is keeping track of the access that was granted long ago?  Is it hiding in the registry by SID?

A concern about security.  I deleted a share to which the client machine had access and later created a new share with the same name.  The client had access to the new share without performing a network login.  As an old (Eh?) system manager I would like to be able to look at the list of things that are "preauthorized", whether or not they currently exist, so that I can avoid creating something that I think is protected only to find that some old certificate somewhere is still valid.

The ability to tidy up loose ends.  I have made the mistake of using the browser, and a network login, rather than mapping a drive in order to help someone get a file.  Disconnecting a mapped drive is easy, but I can't seem to disable access that was obtained while browsing.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2551193
IPC$ connections are normal - they represent accesses to files that don't have a drive mapped to them.
So - if you're browsing through Explorer, you'll get IPC connections for each separate server you browse.
Even if you've already got a drive mapped to that server.

What's happening here should not affect security.

That boils down to NTFS permissions - if they're secure and in place, nothing can get past them (at least from a user's point of view :) ).

An IPC connection will be made to ALL servers the workstation accesses (including the PDC or BDC whenever they log on).

It seems a little mysterious that deleting a shared directory and recreating it retains NTFS permissions, as they're attached to the directory itself.

Are you sure this is the case?

If you just delete the SHARE, then this would happen. If you delete the SHARE+DIRECTORY, it shouldn't!

You have to make sure you apply NTFS permissions BEFORE you share the directory.

Hope this helps.

 
LVL 2

Expert Comment

by:shibu020500
ID: 2554401
Hi,
It seems to me my answer didn't satisfy you :-). Anyway, that was the answer to your query. Once you disconnect a share using net use, when you attempt to reconnect it would definitely ask for a username and password (only if the SID which you have used to log in to the client PC is not present in the server).

You can check the status of your shares (all shares to which you are connected) using the NET USE command. For a disconnected share it would be DISCONNECTED, else OK.

Now coming to the shares: when you share anything, the Computer Browser service just broadcasts the information throughout the network. This is why you can see your server shares from a client PC.
When a user logs in, the NETLOGON service and Local Security Authority of the server would verify the user's info in the Security Accounts Manager database. If his info is present he would be allowed to log in.

Coming to accessing resources, the user would be given KEYS to the SHARES to which he is permitted access. This you configure in the shares.
Ex: the DATA folder is shared (remember, in NT by default it is Everyone Full Control). Since it is shared, its info would be broadcast on the network, and users like you and me see it from Network Neighborhood. When you double-click or try to access the share, your SID is passed on to the server to check whether (1) your account is present in the SAM database and (2) you have been permitted to access it (default --> Full Control); if yes, you can see the contents and perform other operations.
Now if I stop the sharing and delete the folder and create another folder with a different name but SHARE it with the SAME name, naturally it would appear in Network Neighborhood, and when you access it, your username would be checked as mentioned before and, if accepted, you would be allowed to access it.

To avoid such things, share a folder only for those users who are meant to access it and remove the default (Everyone -- Full Control). Also, as Tim Holman mentioned, you can use NTFS permissions, which again, by default, allow everyone.

In brief, there is nothing in share names; it is the access list associated with a share that is more important.

  I believe this might have clarified most of your doubts
                  Good Luck
                    Shibu
 

Author Comment

by:unlikelyloginname
ID: 2554926
It seems that I missed a fundamental feature of "security" in Windows NT.  Share permissions don't apply if the client user's username and password happen to match an account on the system offering the share.

When setting file protections there is always the feature of having to remember to include access for Me and Domain\Me. I assumed that being schizophrenic, or at least plural, would extend to shares. If the share permission allows access to anyone authenticated as Svengali on the serving machine then they must explicitly ask the server to authenticate them. In fact, if the client happens to be Svengali on their machine, and the passwords match, then access is granted implicitly.

Sorry that it took so long for this to sink in.