Solved

Local vs. domain login and file sharing security

Posted on 2004-04-04
14
1,117 Views
Last Modified: 2010-04-12
Old mainframe guy getting up to speed on Win 2K and domains, and a new person to this site.

I have a Win 2000 domain controller with shared resources.  User A is setup with password B.  A Win XP client has the same user with the same password.  Now it would seem that the client computer and user shouldn't have access to the domain resources.  I mean, why allow access just because the password is the same (it could be null or something real smart like 'password').  

What is the point of having a domain and all those policies if a client computer can breeze right past?

I can't find any MS info on this issue to explain why this is allowed.  I know there must be a simple explanation.  Is there an equally simple fix to keep non-domain accounts from getting to resources?

Also, the client computer isn't found in Active Driectory Users and Computers>Computers.  If you try to logon as a domain user, you're blocked.  But, again, local logins breeze right in.  Same basic question of How & Why?
0
Comment
Question by:twgonder
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 3
  • 2
  • +1
14 Comments
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10753676
Not quite sure about this question..  If your user (client) is a member of the domain, then they must authenticate to the domain controller..  At this point, they should be able to access whatever resources that you give them permission to access, via NTFS permissions..  

Or am I reading this wrong..??  

Also, these clients should be showing up in ADUC..  And DNS..  if they are not, then you probably have a DNS issue..  Ck your DNS and make sure that the resource records are getting populated correctly..

FE
0
 

Author Comment

by:twgonder
ID: 10753738
The user logs on to the local workstation (not the domain) and has the password scenario described above.   They can get to network resources (shared files on domain controller).  Using the Active Directory Users and Computers (ADUC), the client computer isn't listed (because they never joined the domain).  No basic DNS problem as the client pings the server just fine.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10753755
Ahh..  yes, this is by default..  It is a feature that enables a Peer to Peer network to share resources...   This is the way it is supposed to work..   :)
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:twgonder
ID: 10753791
I can accept that for a PTP, but not for a domain!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10753828
I have workgroup computers, using Windows XP Home Edition, which by default, cannot join a domain..  the way we get around this is to use this P2P quirk to access these resources...   Although this is not the best way, it is a workaround...   and in some of my client's situations, because they bought the wrong OS, it is one way to get it to work...

0
 

Author Comment

by:twgonder
ID: 10753848
I'm not trying to get it to work, I'm trying to get it to not work.  Could there be some group policy setting for the domain that would lock out rouge computers from accessing the files?
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 300 total points
ID: 10753870
I guess I am just trying to explain that this is how MS set this up...  and why it is intentional..

You can create password security policies via GPO's that enforce such things as a 15 character password..  This nullifies the LM Hash crack that hackers use to force their way into a domain controller..  (this can also be disabled via a GPO too)..  

Here is a very good security guide for configuring a W2K domain..  I used it as a template when configuring a DC..

http://labmice.techtarget.com/articles/securingwin2000.htm
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10753882
Another idea to secure this from a workstation...  Edit the Host file of the client..  make it point to itself when trying to access the DC or any other server on your network..

EX:

127.0.0.1  abc.local
0
 
LVL 2

Expert Comment

by:ryangclear
ID: 10754056
for the shared folder remove the "everyone" group and add "domian users"
0
 
LVL 6

Expert Comment

by:DanniF
ID: 10755397
I dont think the problem is that the user has same password as a domain user, I think the problem is that this user has the rights necessary to access the share.

I think ryangclear is on to it.

Remove Everyone from the security tab and add Authenticated Users.

That should do the trick.

Hope this helps,

Daniel F.
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 300 total points
ID: 10756416
Yes, in the list of security lockdowns I posted above, one of the first things to do is to replace the Everyone's Group...    

Quote:

Replace the "Everyone" Group with "Authenticated Users" on file shares
"Everyone" in the context of Windows 2000 security, means anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network, use "Authenticated Users" instead. This is especially important for printers, who have the "Everyone" Group assigned by default.

FE
0
 
LVL 2

Assisted Solution

by:ryangclear
ryangclear earned 200 total points
ID: 10758338
hehe. Authenticated Users, thats what i meant
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10758644
*grin*

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11006212
Thanks..

FE
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question