Allowing file share browsing for un-authenticated users

[Nonapeptide@gmail.com]

I have a Windows Server 2003 file server in a workgroup environment
that needs to allow anyone who plugs into the network to browse its
file shares without being prompted for a username and password.
Ideally it would behave just like a Windows XP machine that has a file
share. A simple UNC path like this: \\ServerName\ should reply with
the available file shares to anyone who asks.

What is the option to get this behaviour? I can't seem to find the
local policy to get this to work.

Thanks bunches,

[jameshanley39@yahoo.co.uk]

On 27 May, 00:25, Nonapept...@gmail.com wrote:
> I have a Windows Server 2003 file server in a workgroup environment
> that needs to allow anyone who plugs into the network to browse its
> file shares without being prompted for a username and password.
> Ideally it would behave just like a Windows XP machine that has a file
> share. A simple UNC path like this: \\ServerName\ should reply with
> the available file shares to anyone who asks.
>
> What is the option to get this behaviour? I can't seem to find the
> local policy to get this to work.
>
> Thanks bunches,

In Win XP, there are 3 crucial options with file sharing.
Within ctrl panel..administrative tools....Local Security
Settings...Local policies
2 interesting options are in one subcategory, 1 is in the other.


Whether you check or uncheck SFS.. i.e. choose SFS or AFS.
It changes an option here.. And vice versa.
The place where the option is is
Local Security Settings...local policies...Security Options
Now see there are a bunch of items called "Network Access........."
The last one is "Sharing and security model for local accounts"

If you change that to Guest. then it does SFS.
If you change it to Authenticate as themselves, then it does AFS.

And vice versa.

Now.. regarding SFS
It does require the Guest account to be enabled,
And the other 2 interesting options are very important
"User rights assignments"
Allow - Everyone
Deny - <-- remove Guest from that list if it is there.

If you do those things, then any user can access. Because they
authenticate as Guest, and Guest can access.

I haven't used AFS as much, but

In Win XP..
if using AFS
and I mentioned how to set that option.. Your post suggests that
perhaps that classic tools..folder options..view..SFS/AFS option is
hard to find. So you can set AFS with that other option too. From
Local Security Settings.
Maybe it is in windows server too.

I think with AFS, users authenticate as themselves, and if that fails,
then it prompts them for a username/password. The username/password on
the remote machine.. (perhaps any user/pass on the remote machine)

So, if the account you are currently logged on as, exists on the
remote machine, then it will log in without a prompt.. i.e. identical
user account .
I don't know if it requires identical username, full name, and
password. Or just identical username and password.

[Nonapeptide@gmail.com]

Thanks for the prompt reply, James!

Your pointer to the Local Policies >> Security Settings node in local
security policy opened up some new possibilities for me.

Let me restate my goal. What I really need is to create a public
folder or two on the file server (much like the public folder on XP or
Vista). That way anyone can access files in those folders without
being prompted for username and password. Other shares can, and
probably should stay access restricted.

At first I thought "Network access: Named pipes that can be accessed
anonymously" and "Network access: Shares that can be accessed
anonymously" would be the way to go, but after messing with it I now
think otherwise. When a Windows client tries to access shares on
another computer in a workgroup, it seems to send the credentials of
the local machine and user, so in effect it's not try to access it
anonymously. Unless I'm missing something anonymous shares are not the
way to go. Neither is allowing the ANONYMOUS_LOGON access to the share
because again the logon attempt isn't really anonymous. Argh.

What befuddles me is that this behaviour is default in XP and Vista.
If you share something, everyone can access it on the network without
username and password. I've just taken that behaviour for granted. I
can't help but thinking to myself that this should be alot simpler
than I'm making it.

[jameshanley39@yahoo.co.uk]

I have had this with windows xp.. Being prompted for a user/pass..

I have found it just to be whether you choose AFS or SFS..
Either can prompt you, in a different way.

if you don't like the prompt, them either way you can get rid of it.
Slightly more easily with SFS. If SFS is prompting you then it's not
set up right e.g. Guest account is disabled perhaps. With AFS, if you
have identical accounts it will prob not prompt you.

And that setting I mentioned switches between AFS and SFS.

And I mentioned how not to get the prompts with them.

I only know Win XP though for file sharing.

[Nonapeptide@gmail.com]

On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"
<jameshanle...@yahoo.co.uk> wrote:
> On 27 May, 04:04, Nonapept...@gmail.com wrote:
>
>
>
> > Thanks for the prompt reply, James!
>
> > Your pointer to the Local Policies >> Security Settings node in local
> > security policy opened up some new possibilities for me.
>
> > Let me restate my goal. What I really need is to create a public
> > folder or two on the file server (much like the public folder on XP or
> > Vista). That way anyone can access files in those folders without
> > being prompted for username and password. Other shares can, and
> > probably should stay access restricted.
>
> > At first I thought "Network access: Named pipes that can be accessed
> > anonymously" and "Network access: Shares that can be accessed
> > anonymously" would be the way to go, but after messing with it I now
> > think otherwise. When a Windows client tries to access shares on
> > another computer in a workgroup, it seems to send the credentials of
> > the local machine and user, so in effect it's not try to access it
> > anonymously. Unless I'm missing something anonymous shares are not the
> > way to go. Neither is allowing the ANONYMOUS_LOGON access to the share
> > because again the logon attempt isn't really anonymous. Argh.
>
> > What befuddles me is that this behaviour is default in XP and Vista.
> > If you share something, everyone can access it on the network without
> > username and password. I've just taken that behaviour for granted. I
> > can't help but thinking to myself that this should be alot simpler
> > than I'm making it.
>
> > I know I'm missing something obvious. Back to Googling...
>
> I have had this with windows xp.. Being prompted for a user/pass..
>
> I have found it just to be whether you choose AFS or SFS..
> Either can prompt you, in a different way.
>
> if you don't like the prompt, them either way you can get rid of it.
> Slightly more easily with SFS. If SFS is prompting you then it's not
> set up right e.g. Guest account is disabled perhaps. With AFS, if you
> have identical accounts it will prob not prompt you.
>
> And that setting I mentioned switches between AFS and SFS.
>
> And I mentioned how not to get the prompts with them.
>
> I only know Win XP though for file sharing.

Okay. It seems that if I simply enable the guest account on my Server
2003 machine I am then able to list file shares using an account on a
workgroup computer that does not have an identical counterpart on the
server. That's a step in the right direction, but not quite what I had
in mind.

When I look through the server's event logs, it looks like the first
access attempt is using the workstation's local username and password.
When that is unsuccessful, it immediately retries using "Guest" (this
is behaviour that I was heretofore unaware of). That access request is
successful when the guest account is enabled.

There are a number of things that puzzle me about this whole thing
though. The "Network Access: sharing and security model for local
accounts" seems to be irrelevant in this scenario. That policy simply
states that in Classic mode if you access the server using a local
account then your permissions will be granular; allowing one account
the ability to have different permissions than another account. In
Guest Only mode, no matter what account you put in, it will map your
account to whatever permissions the Guest account has been given. That
may or may not included anonymous logins. I haven't figured that out
yet. Either way, I have the server in Client mode and enabling the
Guest account still allows me to enumerate file shares so that Network
Access policy can't be the solution.

So now I can allow any workgroup machine\user the ability to use the
server's shares, but I have yet to track down the specific policy that
grants this to the guest account. I also have yet to figure out if I
can select individual folders that the guest account can see and use.
That's my ultimate goal.



On a related note:

I've mentioned several times that I wondered how client OSs like XP
and Vista share their folders with anyone on the local network by
default. That's still unanswered. It doesn't seem to be through the
guest account, as its disabled and the user rights assignment "Deny
access to this computer from the network" includes the Guest account.
Yet, anonymous access seems to be unlikely as well since several of
the Network Access policies dealing with Anonymous accounts look like
they stymie anon access.

What a can of worms.

I'll get to the bottom of this someday... :-|

[jameshanley39@yahoo.co.uk]

On 27 May, 06:00, Nonapept...@gmail.com wrote:
> On May 26, 11:30 pm, "jameshanle...@yahoo.co.uk"
<snip>
> > I only know Win XP though for file sharing.
>
> Okay. It seems that if I simply enable the guest account on my Server
> 2003 machine I am then able to list file shares using an account on a
> workgroup computer that does not have an identical counterpart on the
> server. That's a step in the right direction, but not quite what I had
> in mind.
>

In Win XP, I would say it sounds like you are set to SFS

> When I look through the server's event logs, it looks like the first
> access attempt is using the workstation's local username and password.
> When that is unsuccessful, it immediately retries using "Guest" (this
> is behaviour that I was heretofore unaware of). That access request is
> successful when the guest account is enabled.
>


Where are these logs.. Do they exist in Windows XP?

I have never seen that behaviour. From my Win XP use, it sounds like a
mixture of AFS and SFS. I think that's impossible.. I have never
heard of that. Are you sure?
Is this retry a second later?

I haven't seen the logs though.. would be interested to know where
they are accessible.



> There are a number of things that puzzle me about this whole thing
> though. The "Network Access: sharing and security model for local
> accounts" seems to be irrelevant in this scenario. That policy simply
> states that in Classic mode if you access the server using a local
> account then your permissions will be granular; allowing one account
> the ability to have different permissions than another account. In
> Guest Only mode, no matter what account you put in, it will map your
> account to whatever permissions the Guest account has been given. That
> may or may not included anonymous logins. I haven't figured that out
> yet. Either way, I have the server in Client mode and enabling the
> Guest account still allows me to enumerate file shares so that Network
> Access policy can't be the solution.
>

you say you "have the server in client mode"? That is absolute
nonsense. Like saying you have the dart board acting as an arrow.

I think you mean Classic.. As in users authenticate as themselves.

I don't know much about NT file permissions. (they are for multi-user
environment of potentially malicious users. I don't need to really for
my own computers at home)

> So now I can allow any workgroup machine\user the ability to use the
> server's shares, but I have yet to track down the specific policy that
> grants this to the guest account. I also have yet to figure out if I
> can select individual folders that the guest account can see and use.
> That's my ultimate goal.
>

I mentioned 3 interesting options.
2 of them were "Allow...." and "Deny......"

The default is to Allow everyone, and Deny Guest.
(deny wins..I guess it is processed after)

(so another way of looking at it, is that if you don't deny guest,
ten Guest is allowed. So there is no policy that allows Guest, it's
allowed if it is not denied. So in a sense, that is a default setting
- an unchangeable one. Stupid way of looking at it though. Or maybe
it's the Allowing everyone, that allows Guest.)
Default is Deny Guest.

Although I mentioned that in the context of being relevant to SFS. I
suppose it is relevant to AFS too.

Infact, windows xp machines are set to AFS by default. Guest Account
disabled. Guest Denied. (judging by my win xp installation from the
win xp sp2 cd I burned anyway)

> On a related note:
>
> I've mentioned several times that I wondered how client OSs like XP
> and Vista share their folders with anyone on the local network by
> default. That's still unanswered.

Out of interest.. Where did you see the terminology of calling XP a
client OS?

I know.. I have seen it too.. and it's common. But just wondering
where you saw it..
I actually saw that kind of terminology in a book called Networking
Complete, described windows 98 as a client OS.. Because relative to
Windows NT(the Network OS), its network features were limited.. e.g.
just basic password access to network directories. .

I think the default is AFS.

I think
Win XP only has 2 options . SFS or AFS, and no way of opting out.
But you can choose not to share any folders.

Certainly, I remember that Guest is disabled and Denied. I guess
Network Access is - Classic - users authenticate as themselves.

People who want SFS will have a problem if they just check the box.
They should either run the "Network Setup Wizard". Or after setting
SFS..
Check that it does Allow Everyone (it probably is)
-remove Guest from the deny list -

And check that authentication is as Guest - though it would be if it
is set to SFS.
As explained.

> It doesn't seem to be through the
> guest account, as its disabled and the user rights assignment "Deny
> access to this computer from the network" includes the Guest account.
> Yet, anonymous access seems to be unlikely as well since several of
> the Network Access policies dealing with Anonymous accounts look like
> they stymie anon access.
>

What is an anonymous account?

BTW, I think with SFS users ONLY authenticate as Guest.
So whoever they are. I don't hink it's like , they try to
authenticate as themselves and if it fails they do so as Guest. They
just do so as Guest.

Your logs claim otherwise.. be interesting to know where these logs
are..

and if they are in Win XP. 'cos I have win xp.

[Nonapeptide@gmail.com]

I think essentially it is. This post explains it rather cogently:
http://episteme.arstechnica.com/eve/...m/957006982831

Look for the last message on the list from a user called Bluenote.
It's basiclaly what you told me to do.


>> Where are these logs.. Do they exist in Windows XP? <<

It's just standard event viewer. You can navigate to it in the Admin
Tools folder or open up the run box and type 'eventvwr'. You must
first turn on both "audit account logon events" and "audit logon
events" from the following local policy: Local Computer Policy >>
Computer Configuration >> Windows Settings >> Security Settings >>
Local Policies >> Audit Policy.

Then access network resources on your machine from another machine.
You should see logon/logoff events in the Security log in event
viewer.


>> I have never heard of that. Are you sure? <<

Pretty sure I'm sure.



>> Is this retry a second later? <<

It's not even a second later. It's so quick that it shows both logon
events at the exact same second.


>> you say you "have the server in client mode"? That is absolute
nonsense. Like saying you have the dart board acting as an arrow.

I think you mean Classic.. As in users authenticate as themselves. <<

Yep. Just a typo.



>> Out of interest.. Where did you see the terminology of calling XP a
client OS? <<

It's just a common way of talking about OSs that are not explicitly
designed to handle being dedicated servers. Of course, client machines
can serve things and have software installed on it that in effect
makes the client os a server (IIS on XP comes to mind). It's just a
matter of semantics.



>> What is an anonymous account? <<

An anonymous user or an anonymous access attempt is also known as a
"null session". Googling should bring back ample results. It is an
attempt at accessing a computer or resource with a null username and
no password. As I ponder this situation further, Anonymous access
doesn't seem to be relevant to my situation.



So here's what I think I'll do. If I enable the guest account, I can
enumerate all shares on the server (side note: that baffles me how I
can enumerate file shares on XP of Vista even though the guest account
is disabled... %-| ). However, for the guest account to actually
access anything it needs to be explicitly allowed, so I'll set NTFS
permissions appropriately on the shares that all folks need to get to.

I'd prefer to restrict even the listing of shares to only the ones
that guests can access, but that might be too much to ask.



>> BTW, I think with SFS users ONLY authenticate as Guest.
So whoever they are. I don't hink it's like , they try to
authenticate as themselves and if it fails they do so as Guest. They
just do so as Guest. <<

My understanding of the difference between SFS and AFS is that it
merely obscures or reveals the guts of file sharing to the user who is
attempting to share something. With SFS you only have two options: To
share or not to share, and wether or not to allow people to modify
resources. AFS exposes the three levels of share permissions, all of
the NTFS permission scheme, as well as the ability to apply different
levels of permission to different users and groups. It has nothing to
do with wether or not another user on the network accesses your share
first with a local account and then with a guest account or only with
a guest account. In fact, it couldn't have any effect on that since
the option is only modifying your computer's behaviour and not other
computer's.

This looks like a good article on the topic:
http://www.microsoft.com/windowsxp/u..._august13.mspx


Thanks for your input. Does anyone else out there have anything to
contribute concerning this whole file sharing thing? I'd love to grasp
Window's concept of permissions and network access better, but fear
I'd lose my mind if I try to trace every loose end back to its
origin. :-/

Thanks

[jameshanley39@yahoo.co.uk]

On May 28, 3:11 am, Nonapept...@gmail.com wrote:
<snip>
> > and if they are in Win XP. 'cos I have win xp.
> >> In Win XP, I would say it sounds like you are set to SFS <<
>
> I think essentially it is. This post explains it rather cogently:http://episteme.arstechnica.com/eve/...9443/m/9570069...
>

interesting.. Good forum, I hadn't thought of that forum for windows /
non-hardware, but good to know.

> Look for the last message on the list from a user called Bluenote.
> It's basiclaly what you told me to do.
>

he mentions another option which is potentially interesting..
Accounts: Guest Account Status <-- enabled




> >> Where are these logs.. Do they exist inWindowsXP? <<
>
> It's just standard event viewer. You can navigate to it in the Admin
> Tools folder or open up the run box and type 'eventvwr'. You must
> first turn on both "audit account logon events" and "audit logon
> events" from the following local policy: Local Computer Policy >>
> Computer Configuration >>WindowsSettings >> Security Settings >>
> Local Policies >> Audit Policy.
>

fantastic.. I will turn these on now and analyse what I see - when I
can!

in win xp..
ctrl panel..administrative tools..local security settings..local
policies..audit policies



> Then access network resources on your machine from another machine.
> You should see logon/logoff events in the Security log in event
> viewer.
>

thanks

> >> I have never heard of that. Are you sure? <<
>
> Pretty sure I'm sure.
>
> >> Is this retry a second later? <<
>
> It's not even a second later. It's so quick that it shows both logon
> events at the exact same second.
>
> >> you say you "have theserverin client mode"? That is absolute
>
> nonsense. Like saying you have the dart board acting as an arrow.
>
> I think you mean Classic.. As in users authenticate as themselves. <<
>
> Yep. Just a typo.
>
> >> Out of interest.. Where did you see the terminology of calling XP a
>
> client OS? <<
>
> It's just a common way of talking about OSs that are not explicitly
> designed to handle being dedicated servers. Of course, client machines
> can serve things and have software installed on it that in effect
> makes the client os aserver(IIS on XP comes to mind). It's just a
> matter of semantics.
>
> >> What is an anonymous account? <<
>
> An anonymous user or an anonymous access attempt is also known as a
> "null session". Googling should bring back ample results. It is an
> attempt at accessing a computer or resource with a null username and
> no password. As I ponder this situation further, Anonymous access
> doesn't seem to be relevant to my situation.
>
> So here's what I think I'll do. If I enable the guest account, I can
> enumerate all shares on theserver(side note: that baffles me how I
> can enumeratefileshares on XP of Vista even though the guest account
> is disabled... %-| ). However, for the guest account to actually
> access anything it needs to be explicitly allowed, so I'll set NTFS
> permissions appropriately on the shares that all folks need to get to.
>

Here's a stab in the dark, maybe part of the answer is there's a
difference between the Guest account being disabled, and that option
of
Account: Guest Account Status
Though I suppose that just complicates things further and doesn't
answer your question.

> I'd prefer to restrict even the listing of shares to only the ones
> that guests can access, but that might be too much to ask.
>

anyone?

<snip>
> My understanding of the difference between SFS and AFS is that it
> merely obscures or reveals the guts offilesharingto the user who is
> attempting to share something. With SFS you only have two options: To
> share or not to share, and wether or not to allow people to modify
> resources. AFS exposes the three levels of share permissions, all of
> the NTFS permission scheme, as well as the ability to apply different
> levels of permission to different users and groups. It has nothing to
> do with wether or not another user on the network accesses your share
> first with a local account and then with a guest account or only with
> a guest account. In fact, it couldn't have any effect on that since
> the option is only modifying your computer's behaviour and not other
> computer's.
>
> This looks like a good article on the
> topic: >http://www.microsoft.com/windowsxp/u..._august13.mspx

No.. My test is conclusive..

Change the network access setting, between Guest and Classic. And it
changes file sharing mode between AFS and SFS. And Vice Versa.


I am using Win XP and If you have a Win XP machine, you can see for
yourself..
Tools...Folder Options...View...
scroll down to the bottom
Now look if SFS is checked or not
Checked is SFS. Unchecked is AFS.

Note down. in your short term memory, or notepad.
Let's say it is SFS.

Now. Look at that setting about
Network Access:
about how users authenticate.

You will see it is set to Guest.

Now do tools..folder options..view... Uncheck it. So it is set to AFS

Now go back to look at that setting about Network Access

You will see it has changed from Guest to Classic.

Now change it from Classic to Guest, and then go to tools..folder
options..view.
You will see that that setting has now changed to AFS.

I actually said this in probably my first reply to you.. I guess you
overlooked it!

That only covers a bit of what you mentioned about the access though.
I look forward to checking the logs.

I don't know about the file permissions..
<snip>

[jameshanley39@yahoo.co.uk]

On May 27, 12:25 am, Nonapept...@gmail.com wrote:
> I have a Windows Server 2003 file server in a workgroup environment
> that needs to allow anyone who plugs into the network to browse its
> file shares without being prompted for a username and password.
> Ideally it would behave just like a Windows XP machine that has a file
> share. A simple UNC path like this: \\ServerName\ should reply with
> the available file shares to anyone who asks.
>
> What is the option to get this behaviour? I can't seem to find the
> local policy to get this to work.
>
> Thanks bunches,

You mentioned that you are puzzled as to how win xp enumerates shares
with Guest disabled.
I had found that it doesn't.. - BUT

I know that with advanced file sharing, with an account on the remtoe
machine the same as the currently logged in account on the local
machine. Then it will go in automatically.
So in that instance , it will

Maybe the situation you ran into with xp, was that one.

I haven't tested this, but maybe that happens if you are logged on as
Administrator on the local machine.?
I guess you'd need a non blank password on it.. (otherwise windows
might not let you do it)

And since you're not logging in as Guest. Then that may help you with
your permissions goal.

You can always check your win xp machines for this duplicate account
thing. And the logs must give it away.
It should show it logging in as e.g. user1 , and you know user1
exists on the remote machine. I can't imagine it logging in as user1
and user1 not existing.

I know that above probably won't help, or you tried it 'cos I kind of
half mentioned.. But I thought i'd have another look at your post
'cos I tried the log thing you mentioned.. and made a small finding I
posted on arstechnica
http://episteme.arstechnica.com/eve/...1#880000292931
, which corrects or updates some of the things I said here not
directly related to your problem.
My findings did correlate quite nicely with what you wrote. (though
not related to solving your prob!). But I thought maybe the duplicate
account thing had been overlooked..
I cannot see any other way that your win xp machines could see each
others' shares when the Guest account is disabled.

did you come any closer to solving it?

[jameshanley39@yahoo.co.uk]

On Jun 19, 6:21 am, "jameshanle...@yahoo.co.uk"
<jameshanle...@yahoo.co.uk> wrote:
<snip>

and I meant to mention...
another promising option was mentioned in that arstechnica thread -
the one i just mentioned..

http://episteme.arstechnica.com/eve/...1#880000292931

one a reply to the question I asked, somebody posted a response..

it wasn't the solution but it is relevant to your problem

Control Panel > User Accounts > Advanced > Manage Passwords

(or in win xp - ctrl panel..user accounts..[click whichever user
account]..manage my network passwords)

Then you can add usernames and passwords, and a server to connect to..
I haven't tested it but it looks like this would give you some good
control over how you log in. (prob wouldn't even need "duplicate
accounts")