NTService can't access a share (set to everyone)

Anonymous
April 27, 2005 1:22:27 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

We have the following config:
- 2 PCs are on the same domain. They are both XP pro. On PC1, a share is
created with everyone full access control. On PC2, an NT service is
running as LocalSystem.

In this service I try to open a file in PC1 that is under the share. I
get an ACCESS_DENIED. I can't understand why. If the share is placed on
a W2K machine, this is the same access denied.

If the service is set to run as a specific user, it can access the
share.
If the service (as localsystem) is moved to PC1, it can access the
share on its same machine.

Thanks for your help.

Nicolas
Anonymous
April 28, 2005 12:04:10 AM

<cadilhac@gmail.com> wrote in message
news:1114618947.435214.172680@l41g2000cwc.googlegroups.com...
> Hi,
>
> We have the following config:
> - 2 PCs are on the same domain. They are both XP pro. On PC1, a share is
> created with everyone full access control. On PC2, an NT service is
> running as LocalSystem.
>
> In this service I try to open a file in PC1 that is under the share. I
> get an ACCESS_DENIED. I can't understand why. If the share is placed on
> a W2K machine, this is the same access denied.
>
> If the service is set to run as a specific user, it can access the
> share.
> If the service (as localsystem) is moved to PC1, it can access the
> share on its same machine.
>
> Thanks for your help.
>
> Nicolas
>

Regardless of permissions, there are restrictions against connecting to
shares without providing any credentials. (The credentials of one machine's
SYSTEM account are meaningless to other machines on the network.)

Run SECPOL.MSC from Start--> Run
Under Local Policies, go to Security Options and add the name of your share
to "Network access: Shares that can be accessed anonymously"

Give it a reboot to make sure the policy takes effect (you should be able to
force it by running GPUPDATE on XP.)


Also have a look here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;289655 (I believe
setting the policy as above should accomplish the same thing)


--
Colin Nash
Microsoft MVP
Windows Shell/User
Anonymous
April 28, 2005 10:22:38 AM

Dear Colin,

Thank you for your answer.
Adding my share in the list of anonymously accessible shares actually
fixes my problem. But I have some concerns:

- Is it the only solution?
- If I don't do it, but I add ANONYMOUS LOGON user in the share
permissions, it doesn't work anymore. What is the difference between
the 2 approaches?
- What about "let everyone permissions apply to anonymous users"
setting? In your solution, do I have to use it? If I don't, does the
anonymous user have full access to the share?

Thank you

Nicolas

Colin Nash [MVP] wrote:
> <cadilhac@gmail.com> wrote in message
> news:1114618947.435214.172680@l41g2000cwc.googlegroups.com...
> > Hi,
> >
> > We have the following config:
> > - 2 PCs are on the same domain. They are both XP pro. On PC1, a share is
> > created with everyone full access control. On PC2, an NT service is
> > running as LocalSystem.
> >
> > In this service I try to open a file in PC1 that is under the share. I
> > get an ACCESS_DENIED. I can't understand why. If the share is placed on
> > a W2K machine, this is the same access denied.
> >
> > If the service is set to run as a specific user, it can access the
> > share.
> > If the service (as localsystem) is moved to PC1, it can access the
> > share on its same machine.
> >
> > Thanks for your help.
> >
> > Nicolas
> >
>
> Regardless of permissions, there are restrictions against connecting to
> shares without providing any credentials. (The credentials of one machine's
> SYSTEM account are meaningless to other machines on the network.)
>
> Run SECPOL.MSC from Start--> Run
> Under Local Policies, go to Security Options and add the name of your share
> to "Network access: Shares that can be accessed anonymously"
>
> Give it a reboot to make sure the policy takes effect (you should be able to
> force it by running GPUPDATE on XP.)
>
>
> Also have a look here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;289655 (I believe
> setting the policy as above should accomplish the same thing)
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
Anonymous
April 29, 2005 3:52:07 AM

<cadilhac@gmail.com> wrote in message
news:1114694558.563554.75430@o13g2000cwo.googlegroups.com...
> Dear Colin,
>
> Thank you for your answer.
> Adding my share in the list of anonymously accessible shares actually
> fixes my problem. But I have some concerns:
>
> - Is it the only solution?
> - If I don't do it, but I add ANONYMOUS LOGON user in the share
> permissions, it doesn't work anymore. What is the difference between
> the 2 approaches?
> - What about "let everyone permissions apply to anonymous users"
> setting? In your solution, do I have to use it? If I don't, does the
> anonymous user have full access to the share?
>
> Thank you
>
> Nicolas
>


No, you shouldn't need to set the "let everyone permissions..." for this to
work. Doing so would decrease security.

Windows 2000 and XP have different names for some of the security
policies that affect behaviour of anonymous connections. See
http://www.windowsitpro.com/Windows/Article/ArticleID/4...

If you don't specify that anonymous connections are allowed for your share,
it won't matter if you put ANONYMOUS LOGON on the access control list for
the share. The anonymous connection will be blocked by the policy.

Is it the only solution? Well you could have your service use a valid
domain account... this would allow some level of authentication. As stated
in the article, creating shares that can be accessed anonymously is not
secure. That's OK as long as you don't put anything there that you don't
mind anyone else on your network having access to.


--
Colin Nash
Microsoft MVP
Windows Shell/User
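
A read-only check of the settings discussed in the replies above, as an added example that is not part of the original thread. It assumes the registry values that back the named policies (`NullSessionShares` and `RestrictNullSessAccess` under `LanmanServer\Parameters`, `EveryoneIncludesAnonymous` under `Lsa`) and is run on the machine hosting the share; the function names are hypothetical.

```powershell
# Added example: read-only audit, run on the machine hosting the share (PC1 in the thread).
# Assumption: these registry values are the ones behind the policies named in the thread.
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the value, or nothing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
}

function Get-AnonymousShareFindings {
    $findings = @()

    # "Network access: Shares that can be accessed anonymously" (REG_MULTI_SZ)
    $shares = @(Get-RegValue $srvKey 'NullSessionShares' | Where-Object { $_ })
    foreach ($s in $shares) {
        $findings += "Share '$s' accepts connections that present no credentials."
    }

    # "Network access: Restrict anonymous access to Named Pipes and Shares"
    if ((Get-RegValue $srvKey 'RestrictNullSessAccess') -eq 0) {
        $findings += 'RestrictNullSessAccess=0: anonymous access is not limited to the listed shares and pipes.'
    }

    # "Network access: Let Everyone permissions apply to anonymous users"
    if ((Get-RegValue $lsaKey 'EveryoneIncludesAnonymous') -eq 1) {
        $findings += 'EveryoneIncludesAnonymous=1: ACL entries for Everyone also apply to anonymous sessions.'
    }

    return $findings
}

$result = @(Get-AnonymousShareFindings)
if ($result.Count -eq 0) {
    'No anonymous share exposure found in these settings.'
} else {
    $result
}
```

Each share the script reports is readable by any host that can reach the server, which is the trade-off the reply describes; running the service under a domain account avoids listing the share at all.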
Anonymous
May 6, 2005 7:33:14 PM

I am having the same problem. The service I'm running is a VB app. I tried
the solution but it did not work. The only difference is the 2 PCs
belong to the same workgroup, "not" a domain. I'm still getting
ACCESS_DENIED on Windows NT Authority.

Any help would be appreciated.



Thanks...

Joey


--
diamond