NTService can't access a share (set to everyone)

Archived from groups: microsoft.public.windowsxp.security_admin

Hi,

We have the following config:
- 2 PCs are on the same domain. They are both XP Pro. On PC1, a share is
created with Everyone full access control. On PC2, an NT service is
running as LocalSystem.

In this service I try to open a file on PC1 that is under the share. I
get an ACCESS_DENIED. I can't understand why. If the share is placed on
a W2K machine, this is the same access denied.

If the service is set to run as a specific user, it can access the
share.
If the service (as localsystem) is moved to PC1, it can access the
share on its same machine.

Thanks for your help.

Nicolas
  1.

    <cadilhac@gmail.com> wrote in message
    news:1114618947.435214.172680@l41g2000cwc.googlegroups.com...
    > Hi,
    >
    > We have the following config:
    > - 2 PCs are on the same domain. They are both XP Pro. On PC1, a share is
    > created with Everyone full access control. On PC2, an NT service is
    > running as LocalSystem.
    >
    > In this service I try to open a file on PC1 that is under the share. I
    > get an ACCESS_DENIED. I can't understand why. If the share is placed on
    > a W2K machine, this is the same access denied.
    >
    > If the service is set to run as a specific user, it can access the
    > share.
    > If the service (as localsystem) is moved to PC1, it can access the
    > share on its same machine.
    >
    > Thanks for your help.
    >
    > Nicolas
    >

    Regardless of permissions, there are restrictions against connecting to
    shares without providing any credentials. (The credentials of one machine's
    SYSTEM account are meaningless to other machines on the network.)

    Run SECPOL.MSC from Start --> Run.
    Under Local Policies, go to Security Options and add the name of your share
    to "Network access: Shares that can be accessed anonymously".

    Give it a reboot to make sure the policy takes effect (you should be able to
    force it by running GPUPDATE on XP.)


    Also have a look here:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;289655 (I believe
    setting the policy as above should accomplish the same thing)


    --
    Colin Nash
    Microsoft MVP
    Windows Shell/User
  2.

    Dear Colin,

    Thank you for your answer.
    Adding my share to the list of anonymously accessible shares actually
    fixes my problem. But I have some concerns:

    - Is it the only solution?
    - If I don't do it, but I add the ANONYMOUS LOGON user in the share
    permissions, it doesn't work anymore. What is the difference between
    the 2 approaches?
    - What about the "let everyone permissions apply to anonymous users"
    setting? In your solution, do I have to use it? If I don't, does the
    anonymous user have full access to the share?

    Thank you

    Nicolas

  3.

    <cadilhac@gmail.com> wrote in message
    news:1114694558.563554.75430@o13g2000cwo.googlegroups.com...
    > Dear Colin,
    >
    > Thank you for your answer.
    > Adding my share to the list of anonymously accessible shares actually
    > fixes my problem. But I have some concerns:
    >
    > - Is it the only solution?
    > - If I don't do it, but I add the ANONYMOUS LOGON user in the share
    > permissions, it doesn't work anymore. What is the difference between
    > the 2 approaches?
    > - What about the "let everyone permissions apply to anonymous users"
    > setting? In your solution, do I have to use it? If I don't, does the
    > anonymous user have full access to the share?
    >
    > Thank you
    >
    > Nicolas
    >


    No, you shouldn't need to set the "let everyone permissions..." for this to
    work. Doing so would decrease security.

    Windows 2000 and XP have different names for some of the security
    policies that affect the behaviour of anonymous connections. See
    http://www.windowsitpro.com/Windows/Article/ArticleID/44415/44415.html

    If you don't specify that anonymous connections are allowed for your share,
    it won't matter if you put ANONYMOUS LOGON on the access control list for
    the share. The anonymous connection will be blocked by the policy.

    Is it the only solution? Well, you could have your service use a valid
    domain account... this would allow some level of authentication. As stated
    in the article, creating shares that can be accessed anonymously is not
    secure. That's OK as long as you don't put anything there that you don't
    mind anyone else on your network having access to.


    --
    Colin Nash
    Microsoft MVP
    Windows Shell/User
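
Added example (not part of the original posts): a read-only PowerShell audit of the server-side settings behind the two policies discussed above, plus the related "Network access: Restrict anonymous access to Named Pipes and Shares" policy. The registry locations are the standard ones backing those policies; PowerShell 3.0 or later is assumed for `Get-CimInstance`.

```powershell
# Added example: read-only audit, changes nothing.
# Run in an elevated PowerShell on the machine that hosts the share.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing (instead of throwing) when the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# "Network access: Shares that can be accessed anonymously" (REG_MULTI_SZ)
$nullShares = @(Get-RegValue $lanman 'NullSessionShares' | Where-Object { $_ })
# "Network access: Restrict anonymous access to Named Pipes and Shares"
$restrict = Get-RegValue $lanman 'RestrictNullSessAccess'
# "Network access: Let Everyone permissions apply to anonymous users"
$everyoneAnon = Get-RegValue $lsa 'EveryoneIncludesAnonymous'

# Shares that actually exist here, to spot stale entries in the policy list.
$existing = @(Get-CimInstance -ClassName Win32_Share |
              Select-Object -ExpandProperty Name)

$findings = foreach ($share in $nullShares) {
    $exists = $existing -contains $share   # -contains is case-insensitive
    $note = 'Listed in policy but no such share exists (stale entry)'
    if ($exists) { $note = 'Anonymous connections permitted by policy' }
    [pscustomobject]@{ Share = $share; Exists = $exists; Note = $note }
}

"RestrictNullSessAccess    : $(if ($null -eq $restrict) { 'not set' } else { $restrict })"
"EveryoneIncludesAnonymous : $(if ($null -eq $everyoneAnon) { 'not set' } else { $everyoneAnon })"

if ($everyoneAnon -eq 1) {
    Write-Warning 'Everyone permissions also apply to anonymous connections.'
}
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No shares are listed for anonymous access.'
}
```
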
  4.

    I am having the same problem. The service I'm running is a VB app. I tried
    the solution but it did not work. The only difference is that the 2 PCs
    belong to the same workgroup, "not" a domain. I'm still getting
    ACCESS_DENIED on Windows NT Authority.

    Any help would be appreciated.


    Thanks...

    Joey


    --
    diamond