It was a terrible design decision back in NT & Windows 2000, one amongst many that Microsoft has been addressing them with each new version of the OS and with service packs.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James D. Stallard Sent: Friday, June 13, 2008 5:44 AM To: 'Kurt Dillard'; 'Murda Mcloud'; [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: default for requiring authentication 2003 Murda Oops, it seems my info was out of date. The behaviour was changed in XP and 2003, and the correct answer is therefore no access with Windows Server 2003 or 2008, regardless of domain membership. Windows 2000 and earlier would allow access as I described and I guess that's what your buddy was familiar with. Thanks to Kurt, Dave, Michael and Matt for the correction. Cheers James -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Dillard Sent: 12 June 2008 20:33 To: 'James D. Stallard'; 'Murda Mcloud'; [email protected] Subject: RE: default for requiring authentication 2003 James; You are incorrect. This behavior was changed starting with XP, look at the default value of this group policy setting: Network access: Let Everyone permissions apply to anonymous users. Unauthenticated users cannot access resources that have permissions for Everyone unless you enable this setting. Regards, Kurt -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James D. Stallard Sent: Thursday, June 12, 2008 1:28 PM To: 'Murda Mcloud'; [email protected] Subject: RE: default for requiring authentication 2003 Murda "Everyone" means everyone, including unauthenticated users. A SHARE secured with the "everyone" permission will allow a non-authenticated user to connect to it, but the default NTFS permissions on windows folders (notably not default non-windows NAS installations) includes "Users" in the ACL. "Users" by default only includes "domain users" (on a domain member), which would require authentication regardless of domain membership. So, the chap with the laptop could connect to the share, but would not be able to access files, unless EITHER the folder being shared included the "everyone" permission in the ACL or as a member of another group in the ACL, OR by slim chance the local user he was logging on with happened to have the same username and password as a user on the domain or on the local server. Changing the share permission to "Authenticated Users" will give you almost the same flexibility as "everyone", but force every connection to be authenticated before presenting the content of the share. There's much more to share and NTFS permissions, but this is probably enough to answer your question. Cheers James James D. Stallard MBCS CITP MIoD Chief Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murda Mcloud Sent: 12 June 2008 03:45 To: [email protected] Subject: default for requiring authentication 2003 I'm having a debate with someone over whether a 2003 server by default (OOB)forces someone to authenticate(whether to a DC or to the server itself if standalone) before allowing access to files. He seems to think that the default is that no authentication is required and consequently anyone could rock up and connect a laptop to a network with that server on it and get access to files on it-as the EVERYONE group is given read permissions to new folders etc. I say he is wrong but am looking hard to find something to back me up. I understand that the guest account could access files as it is part of the EVERYONE group but it's disabled by default-but still, there is an authentication process for guest to login
