Solved

Sharing a Win7 folder for use from XP

Posted on 2014-03-13
12
1,706 Views
Last Modified: 2014-03-14
I'm trying to share a folder on a Win7 machine which can be accessed by an XP machines. It's connected across a WAN through a VPN.  When I try and connect I get a message saying

"\\IPaddress\foldername is not accessible. You might not have permissions to use this network resource. Access denied."


On Win7 I have enabled sharing settings as per:
http://cdn.howtogeek.com/wp-content/uploads/2009/05/homeorworksettings.png

I have shared the folder with permissions set to full access for everyone. Neither machine is part of a domain.
0
Comment
Question by:fred2k3
  • 4
  • 2
  • 2
  • +2
12 Comments
 
LVL 19

Expert Comment

by:helpfinder
ID: 39926520
are you able to ping that IP you have typed in the UNC path?
      if not, then try to turn off the firewalls running on both machines if it helps, if yes try to access shared folder again
0
 

Author Comment

by:fred2k3
ID: 39926605
Yes I can ping the IP. I have tried disabling the endpoint firewalls in any case, doesn't make any difference.
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 39926664
and are you able access at least \\IPaddress?
0
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 100 total points
ID: 39926676
You're getting an access denied error. That means you DID successfully connect to the Windows 7 machine, you just didn't have permission to access it's resources.

You need a user account on the Windows XP machine with a password, and you need to have an identical user on the Windows 7 machine (same username, same password), before it will let you connect. By default, Windows XP will send the credentials of the currently logged in user to the Windows 7 machine. Those credentials must be listed in the share's permissions AND in the Security tab of the folder (if you're using Win7 Professional). The "Everyone" account is a special account that lets you reference all user accounts on the Windows 7 machine so that will do nicely.

If your user account does not have a password,  it will be treated as a guest account and access will be denied.
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 39926698
Some other things you can do to relax the security requirements on the Windows 7 machine:

1) Make sure your network is listed as a Home or Work network, not a public network
http://windows.microsoft.com/en-ca/windows/choosing-network-location#1TC=windows-7

Go into Network and Sharing Center->Advanced Sharing Settings, and for all of the applicable networks (e.g. Private Networks):

- Turn on "Network Discovery"
- Turn on "File and Printer sharing"
- Turn on "Enable file sharing for devices that use 40- or 56-bit encryption
- Turn off "Password Protected Sharing"
- Turn on "Use user accounts and passwords to connect to other computers"
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39928229
What version of Win7 is it, by the way?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 41

Accepted Solution

by:
Jackie Man earned 300 total points
ID: 39928618
Actually, share the folder with permissions set to full access for everyone does not mean that every user in Windows XP can access the Windows 7's Shared folder. Only the user name which exists in both the user lists of Windows 7 and Windows XP can access the shared folder.

Say, in Windows 7, you have two users who is called A and B and you have shared the folder to everyone which means that if in Windows XP, there is also a user called A or B can access the shared folder. If there is a user called C, the user is denied access to the shared folder.

Besides, you need to make the following changes to the authenication of Windows 7 so as to make it backward compatabile to Windows XP.

First, disable Simple File Sharing in your windows XP

In Windows 7, open Local Security Policy with elevated administrator privilege. Under Local Policies, goto Security Options and look for "Network security: LAN Manager authentication level" and change the Security Setting to "Send LM & NTLM responses".

Description of this local policy is as follows:-

Network security: LAN Manager authentication level

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

Important

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.

Default:

Windows 2000 and windows XP: send LM & NTLM responses

Windows Server 2003: Send NTLM response only

Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only

If your system is Windows 7 Home Premium, you may change it from Registry.

1. Launch regedit from Start Search box.
2. Find the following branch.
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Create a DWORD key under Lsa and set:

Name: LmCompatibilityLevel
Value: 1

4. Restart."

Source: http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/91fe4e10-a0d4-45db-94df-fad885d8f64f

If still no go, you need to disable the local policy of ""Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" policy on the client computer are not the same as the settings in the "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" policy on this server."

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Security Options
0
 

Author Comment

by:fred2k3
ID: 39928834
Darr247 - It's Win 7 Pro SP1
0
 

Author Comment

by:fred2k3
ID: 39928989
Many thanks for all the helpful suggestions so far.

Jackie - I have disabled simple file sharing on XP and set Win 7 policy to Send LM & NTLM responses but still no joy. I didn't understand your last paragraph on Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - this is on XP right? There was no disable option, but it's on no minimum i.e. none of the 4 options within the policy are checked.

Regarding adding the XP user to the security tab in the Win 7 share folder - this isn't so straight forward as on XP they just log in with the administrator user with no password. When I try and access the Win 7 share folder from XP it doesn't give me the option to enter a username & password (which it does if I log in from another Win 7 machine).
0
 
LVL 41

Expert Comment

by:Jackie Man
ID: 39929157
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients <- it is a setting on windows 7

http://technet.microsoft.com/en-us/library/jj852194.aspx

Besides, every user must have a password for accessing a file share.

Actually, we seldom share files from a more secure OS (say windows 7 as a server) to a less secure OS (say windows xp as a client) as it will create network vulnerability to the server. Normally, the best practice is to share files from a server which is having at least the same level of security as the client OS.
0
 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 100 total points
ID: 39929245
On all the non-domain LAN machines where I want to share resources, I make a user-level account named Browser, with the same password on each machine.

Then, instead of allowing Everyone full access, I Add that user (Browser) on the Sharing tab with Full Control to the shared folder, and on the Security tab, click Advanced, select the user (Browser) click Change Permissions, then I give Browser Full Control in the Allow column, but scroll down and check Deny for Take Ownership and Change Permissions. You'll get a warning likeSecurity Permissions - Deny Warningso be careful not to restrict your admin account[s] out of being able change permissions.
A post-it note with the Browser name and its password makes local users aware of the credentials to enter when prompted. You can, of course, restrict that user more, like denying them the ability to create folders, et cetera.

If you want more accountability for who does what in/with the shared resource, then you have to make more accounts so everyone's not using that common account for access.
0
 

Author Closing Comment

by:fred2k3
ID: 39929544
Many thanks everyone, got there in the end with a combined effort of your suggestions. Can't believe how much faffing around that took!
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Suggested Solutions

Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now