Windows 10 network file sharing / permissions changing "features"?

I have a peer-to-peer Windows 10 Pro network with various file shares using password protected sharing.
Each client user has file share credentials set when needed.
The client users may be Administrators or Local/standard users - it doesn't seem to matter.

If an administrator user with credentials accesses a file share, all is fine.
If an administrator user with credentials elevates a program instantiation with run "as administrator", the program can access the file share.
If a local user with credentials accesses a file share, all is fine.
If a local user with credentials elevates a program instantiation with run "as administrator", all USED TO BE fine.
If a local user with credentials elevates a program instantiation with run "as administrator", all is NOT fine UNLESS the administrator username/password that's used to instantiate the program ALSO has credentials set for the file share.

This seems to be a new "feature" in Windows which has appeared in the last few weeks.

If you think you know something about this then:
Do you agree?
Is it documented somewhere?
etc.
Fred Marshall (Principal) asked:
Cliff Galiher commented:
Microsoft announced some time back that SMB 1 was going to be disabled by default. And SMBv2/3 has mitigation to prevent MitM attacks. I doubt it is a coincidence that 1709 went broad a couple weeks ago.

Short answer: workgroups/peer to peer don't scale. That's what domains are for.
0
McKnife commented:
There is a setting of UAC that might be responsible: https://technet.microsoft.com/de-de/library/ee844140(v=ws.10).aspx
Don't forget to restart after setting it to 1 at the computer that is accessing the share.
0
Fred Marshall (Principal, Author) commented:
McKnife:  Thanks.  That's certainly pertinent to this question.  I'm just not sure how pertinent yet.  :-)
When network shares are mapped, they are linked to the current logon session for the current process access token.
Here's how I interpret that:
When a network share is accessed, the access is linked to the current logon session for the current process access token.
Or,
When a network share is accessed, the access is linked to the User associated with the current program instantiation??
It's not very clear really so to translate it one more time:
If a local user with credentials elevates a program instantiation with run "as administrator", then it is the administrator username/password AND stored credentials that are used to instantiate the program AND to access the file share.

Now, my experience with this is that it wasn't working this way in the recent past.  Only very recently did this start to happen.

Cliff Galiher:  I've read enough for this morning on SMB 1 and about turning it off.  I used PS to turn it off on this computer and I've unchecked it in Windows Features.  Reboot next and we'll see what happens to the "clients".  Still, I'm not sure how it applies to this question so far.
0
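To look at both things discussed above on one client, here is an added PowerShell snippet (mine, not code from Fred or McKnife): it reads the UAC "linked connections" value that McKnife's TechNet link covers, reports whether the SMB1 feature and server support are still present, and lists the account, stored credential and SMB dialect behind each current share connection. The registry path and value name are my identification of the setting in that article; running the script once from a normal prompt and once "as administrator" shows which credentials each token actually presents to the share.

```powershell
# Added example, not code from the thread. Read-only unless -Apply is given.
# Checks the two things discussed: the UAC "linked connections" value behind
# McKnife's TechNet link, and whether SMB1 is still present on this machine.
# Run it from a normal prompt and again "as administrator" to compare what
# each token sees; the feature and server queries need the elevated run.
param([switch]$Apply)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'EnableLinkedConnections'   # my identification of the setting in the article

# 1. UAC: may the filtered and the elevated token share network connections?
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }  # value absent = default = not linked
Write-Output "EnableLinkedConnections = $current (1 = linked, 0/absent = separate per token)"

if ($Apply -and $current -ne 1) {
    # Caveat: linking the tokens removes part of the separation UAC keeps between
    # the standard and the elevated context. Change it deliberately, then reboot.
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Set to 1; reboot this client before re-testing the share access.'
}

# 2. SMB1: still installed, and still accepted by this machine's own shares?
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    Write-Output "SMB1Protocol feature: $($feature.State)"
    $srv = Get-SmbServerConfiguration -ErrorAction Stop
    Write-Output "Server accepts SMB1: $($srv.EnableSMB1Protocol)"
} catch {
    Write-Output 'SMB1 feature/server state needs an elevated prompt to read.'
}

# 3. Which account and dialect each current share connection uses. Under the
# elevated token the Credential column shows whose stored credentials were used;
# a Dialect of 2.x/3.x shows SMB1 is not needed for that connection.
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Credential, Dialect |
    Format-Table -AutoSize
```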
McKnife commented:
Simply try it, it does not hurt.
0
Fred Marshall (Principal, Author) commented:
McKnife:  Yes indeed.  I tried it and it seems to not change anything on *this* network - although I can't yet test the situation I described.  It does hurt if tried in production systems.  I need to check if our arcane software uses SMB 1 at all.
0
McKnife commented:
I see not the slightest connection to smbv1, yet. Your symptoms point to that article.
I could try to reproduce - no time at the moment.
And no worries, it does not hurt on production systems.
0
Cliff Galiher commented:
I think my comment got misunderstood.  I don't think disabling SMBv1 will fix the problem.

Starting with v1709, Microsoft is disabling SMBv1 by default on new installs, and is disabling SMBv1 on upgrades if it goes unused for a period of time (two weeks as I recall.)  That means that if you usually connect as non-admin and it is using SMBv2 properly, SMBv1 could have gone unused, gotten disabled, and that could break certain share connections under certain conditions.  I was saying that the *absence* of SMBv1 could be the problem.  

And I have to reiterate that realistically at the scale you are talking about, a workgroup becomes more labor to manage than a domain. When the system can connect to shares with a Kerberos ticket, a lot of the authentication issues go away, and it is easier to add and revoke permissions from a single source of trust.  I think you would save yourself a lot of hassle by considering this change.
0
Fred Marshall (Principal, Author) commented:
Cliff Galiher:  Yes, I am considering such a change.  In the meantime, I have to ask questions about what *is* in production.

McKnife:  "no worries"?  If I break file access in production that uses some legacy and arcane software in the middle then how can I be so sure?   I'm not unwilling to try but it would be a careful experiment at the beginning.

The issue was not that standard users couldn't access shares.  
It was not that standard users running THE app couldn't access shares via the app.
The issue was that standard users running THE app "as administrator" could not access shares via the app.
That is, unless the particular administrator was given the necessary credentials for the shares.
I had not experienced this before.

When I read about tokens, etc. that seems understandable enough.  What's not at all clear is that the use of a token will carry with it a particular user's Windows Credentials.  That seems to be the core of this question.
0
McKnife commented:
This is right, it uninstalls after 15 days - see https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709 - but only if not in use. So if Fred is talking about a win10 peer that has a share, that would mean, for 15 days, that share wasn't touched (excluding days where the machine was off). Else, SMBv1 might still be there. But well, why would SMBv1 even be used? Any client win7 or higher will use at least SMBv2. Your application will not decide "hey, let's use smbv1".
0
McKnife commented:
Fred, if you don't feel like testing, abandon the thought. It's not dangerous, but well, if you don't feel like it, leave it.
I understood your situation, you carefully described it and that is what it points to. If you don't know what that setting does and you don't know about tokens, please read the documentation and don't rely on me - it's best to trust one's own knowledge.
0
Fred Marshall (Principal, Author) commented:
McKnife:  I agree and I have been reading.  I've also tested removing SMB 1 and, as you predicted, it doesn't hurt.  
Thanks for the encouragement and the kick-start!
0
McKnife commented:
I did not recommend to remove smbv1, but to set that registry key at the client side and reboot and test.
0
Fred Marshall (Principal, Author) commented:
Thanks!
0
McKnife commented:
Could you explain what exactly helped you?
0