disable passing local credentials to SMB servers

Archived from groups: microsoft.public.windowsxp.help_and_support

I am having an issue, but then again, aren't we all?


QUESTION 1:
Our environment is a large organization in a workgroup setting (no
domain/AD).

All computers are running Windows XP Pro (SP2)

We have a generic local user account set up for each conference room
computer in our organization, let's say...

username: confroom
password: confroom

This enables any user to log in and get basic access to a computer, i.e.
web browsing/email.

The confroom account is also a valid account for email and file services.

We are using UNC paths to access network shares. Apparently mapping a
drive using different user credentials is too complicated for our users.

When users try to access an SMB network share, the local user info is
passed to, and accepted by the remote server.

The problem is that this generic user has no rights to any network shares.

I want to prevent this auto-login process from happening.

I would like the user to be presented with a login box.

EXAMPLE:

1. Dilbert walks into a conference room and wants to use the computer.
2. Dilbert logs in locally to the computer using the confroom account.
3. Dilbert attempts to use Start-Run to access \\server1\share
4. Dilbert hits enter and the computer uses the confroom account to authenticate.
5. Dilbert gets back an error message that "\\server1\share is not
accessible...Network access is denied."

I just love Dilbert


EXTRA CREDIT QUESTION 2:
When a user connects to a server via UNC paths from the run line, is
there any way to disconnect/logout from the server without restarting or
logging off the machine?
  1. Archived from groups: microsoft.public.windowsxp.help_and_support

    On the sharing computer:

    Go to Control Panel

    Click users

    Add the user name(s) that you want to DENY access. Make sure to give them
    "Guest" privileges AND disable the account.

    Close the Control Panel and the user manager.

    On the share:
    Go into the security settings of the share by right-clicking on it and
    selecting "Sharing and Security" (from the computer you are sharing the
    file.)

    On the Sharing tab click "Permissions"

    Add the username you want to disable

    Select the "Deny" checkboxes for that user. (Make sure you select only the
    user you wish to deny, and not "everyone")

    Click "OK" repeatedly to exit.

    This should deny only that username.

    -David Rios
  2. Archived from groups: microsoft.public.windowsxp.help_and_support

    Thanks for the suggestion, but I am already getting an access denied
    situation.

    I need a login box to allow me to log in with a different username and
    password.

    Also, while we are connecting to an SMB server, it is a Mac OS X Server.

    I need a client-only solution, i.e. no server changes are allowed.

    I just don't want the machine to pass the local username and password
    when attempting to connect to \\server1\share.

    We have tried setting the following local security policy to disabled:

    1. Network Access: Do not allow storage of credentials or .NET passports
    for network authentication.

    2. Microsoft Network Client: Send unencrypted password to third-party
    SMB servers.


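
A client-only way to get the behaviour asked for in this thread, as an added example that does not come from any of the posters: a batch wrapper around `net use` that asks for a user name and password instead of letting Windows send the logged-on account, and that can drop the connection again without logging off. The script name `connect-share.cmd` and its `/d` switch are made up for this example.

```batch
@echo off
rem Added example; connect-share.cmd and its /d switch are hypothetical names.
rem   connect-share.cmd \\server1\share       prompt for credentials and connect
rem   connect-share.cmd \\server1\share /d    disconnect without logging off
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 \\server\share [/d]
    exit /b 1
)
set "SHARE=%~1"

rem Drop any existing connection to this share (for example one made with the
rem logged-on confroom account). /y answers the open-files prompt; errors are
rem ignored when there is no connection to remove.
net use "%SHARE%" /delete /y >nul 2>&1
if /i "%~2"=="/d" (
    echo Disconnected from %SHARE%.
    exit /b 0
)

rem Ask who is connecting instead of letting Windows send the local account.
set "SMBUSER="
set /p "SMBUSER=User name for %SHARE%: "
if not defined SMBUSER (
    echo No user name entered.
    exit /b 1
)

rem "*" makes net use prompt for the password without echoing it.
net use "%SHARE%" * /user:"%SMBUSER%"
if errorlevel 1 (
    echo Could not connect to %SHARE% as %SMBUSER%.
    exit /b 1
)

rem Open the share in Explorer using the connection just made.
start "" "%SHARE%"
```

Windows accepts only one set of credentials per server in a logon session, so if another share on the same server is still connected under a different name, `net use` fails with system error 1219 until that connection is deleted as well. Running `net use` with no arguments lists the current connections.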