disabling password request when connecting from the LAN

Guest

Hi. One of the machines on my LAN is running Win2k Pro. Whenever I need to
access its files, etc, from any of the other machines (running an assortment
of other OSes) it always asks me for a username and password before allowing
the connection - I want to set it to accept any connection from the LAN
without asking for identification.

The win2k machine is already set not to ask for a username or password for
local login (it automatically logs in to the 'Administrator' account by
default), but this has made no difference to the identification request it
seeks every time I want to connect to it remotely - and I can't find anything
anywhere to tell me how to fix it. Any suggestions gratefully received!
Thanks.
 
Tx2

(e-mail address removed), a.k.a NGShake
says...
Hi. One of the machines on my LAN is running Win2k Pro. Whenever I need to
access its files, etc, from any of the other machines (running an assortment
of other OSes) it always asks me for a username and password before allowing
the connection - I want to set it to accept any connection from the LAN
without asking for identification.

The win2k machine is already set not to ask for a username or password for
local login (it automatically logs in to the 'Administrator' account by
default), but this has made no difference to the identification request it
seeks every time I want to connect to it remotely - and I can't find anything
anywhere to tell me how to fix it. Any suggestions gratefully received!
Thanks.


Have you set up user accounts for the other machines on the LAN on the
Win2k box?
 
Richard G. Harper

There is no "fix" - this is Windows security working as it is supposed to.
In the absence of a domain controller to provide access control lists to
shared resources, you must create an account on the host PC (the one with
the resources you want to share) with the same username (and password, if
one is used) that is used to log onto the client PC (the one you want to use
to access the shared resources on the host).

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Herb Martin

NGShake said:
Hi. One of the machines on my LAN is running Win2k Pro. Whenever I need to
access its files, etc, from any of the other machines (running an assortment
of other OSes) it always asks me for a username and password before allowing
the connection - I want to set it to accept any connection from the LAN
without asking for identification.

The win2k machine is already set not to ask for a username or password for
local login (it automatically logs in to the 'Administrator' account by
default), but this has made no difference to the identification request it
seeks every time I want to connect to it remotely - and I can't find anything
anywhere to tell me how to fix it. Any suggestions gratefully received!
Thanks.

If it were in a domain, this would be trivial so
we must assume you have only a workgroup.

The following should work: Make the Workgroup
name the same as all other machines on the network
(this may not be a requirement, but it helps with
visibility anyway), and then for each user who will
access the machine, create an account with the same
name and password that user employs to login
locally on the user's own machine.

When connecting if the same user name and password
is present it should auto-log you onto the target
(resource) machine.

You will of course have to create a group and provide
permissions for that/those user(s).

When changing the password, the user will need to
manually synchronize all such accounts -- with a
domain there would only be a SINGLE account
for all machines in the domain+.
 
Steve Riley [MSFT]

The win2k machine is already set not to ask for a username or password
for local login (it automatically logs in to the 'Administrator'
account by default)

This is unwise because anyone using this machine can do anything they want,
including drop malicious code on the computer accidentally or maliciously.
Why have you configured administrator auto-logon?

Steve Riley
(e-mail address removed)
 
Guest

Thank you everyone for your information and advice. Windows networking is a
fairly new thing to me, but now I know what I'm meant to do, I'm sure there
won't be any complications.

Steve Riley: The machine in question is a private home computer, so I'm
more concerned about convenience than security (i.e. everyone who uses this
computer is perfectly allowed to do anything they want to it, and obviously I
want to be free to do anything without having to bother switching accounts).
The only way I'd have to worry about the implications of this would be if
someone broke in and stole the machine...in which case obviously they'd gain
access to everything anyway in moments, no matter how securely I set the
system up!

Thank you again for your advice,
Nic Shakeshaft
 
Steve Riley [MSFT]

Good point.

I let my XP home machine, the game/photo editing computer, log in without
a password. It's connected to the Internet, but one thing that's cool about
XP is that the passwordless administrator account can't be accessed remotely.

Steve Riley
(e-mail address removed)
 
Herb Martin

NGShake said:
Thank you everyone for your information and advice. Windows networking is a
fairly new thing to me, but now I know what I'm meant to do, I'm sure there
won't be any complications.

Steve Riley: The machine in question is a private home computer, so I'm
more concerned about convenience than security (i.e. everyone who uses this
computer is perfectly allowed to do anything they want to it, and obviously I
want to be free to do anything without having to bother switching accounts).
The only way I'd have to worry about the implications of this would be if
someone broke in and stole the machine...in which case obviously they'd gain
access to everything anyway in moments, no matter how securely I set the
system up!

If the machine ever connects to the Internet, then
you must treat it as if any hacker in the world is
free to take a crack at it.

If that doesn't bother you, e.g., you don't mind the
data there becoming public nor would you mind
if it were eradicated or polluted, then you don't
have to worry about the security issues.

If you use the SameUser/SamePassword method
I described elsewhere in this thread, then you
will have (almost) precisely the same security as
you enjoy on the logon machine (the one where the
user physically sits.)

Consider that even a 14 character password with
partial complexity is not difficult to break (about
10-20 seconds with current technology) though.
 
Steve Riley [MSFT]

Consider that even a 14 character password with partial complexity is
not difficult to break (about 10-20 seconds with current technology)
though.

Herb -- this is a little alarmist since complexity can vary wildly. What
kind of "partial complexity" do you have in mind that would fall so rapidly?
And what do you mean by "break"? Be more precise: you can guess passwords,
you can crack hashes.

Passwords that fall in 10 to 20 seconds are usually extremely weak passwords
that cracking programs have either already generated the hashes for or can
generate the hash instantly -- meaning dictionary words, words with numbers
appended at the end, obvious substitutions (like zero for O, 4 for A, and
so on).

Steve Riley
(e-mail address removed)
 
Herb Martin

Steve Riley said:
Herb -- this is a little alarmist since complexity can vary wildly.

Yes, it certainly alarmed me when I saw it done that easily.

What kind of "partial complexity" do you have in mind that would fall so
rapidly?

14-characters, upper/lower case, and numbers was the actual case.

The password was otherwise highly random.

And what do you mean by "break"? Be more precise: you can guess passwords,
you can crack hashes.

It was cracked (I believe) -- 20 seconds but it was
a BIG computer.

On the other hand it was only ONE computer. With
distributed attacks, you can figure it gets worse.

Passwords that fall in 10 to 20 seconds are usually extremely weak passwords
that cracking programs have either already generated the hashes for or can
generate the hash instantly -- meaning dictionary words, words with numbers
appended at the end, obvious substitutions (like zero for O, 4 for A, and
so on).

Not in this case -- it was highly random.
 
Steve Riley [MSFT]

Do you remember exactly what it was you witnessed? Your mention of a "BIG
computer" leads me to believe you might have seen someone demonstrate rainbow
tables or something similar--software that precomputes all possible hashes.
There's really very little defense against something like that. Yes, the
use of only a password as an authenticator is rapidly reaching the end of
its useful life.

Steve Riley
(e-mail address removed)
 
Herb Martin

Steve Riley said:
Do you remember exactly what it was you witnessed? Your mention of a "BIG
computer" leads me to believe you might have seen someone demonstrate rainbow
tables or something similar--software that precomputes all possible hashes.
There's really very little defense against something like that. Yes, the
use of only a password as an authenticator is rapidly reaching the end of
its useful life.

No, not off the top of my head -- I might think of enough
to get a Google search to track it down and if I do then
I will let you know but (you know me pretty well) I was
completely convinced on using at least 15 characters
for all secure systems and have done so ever since.

This has the added advantage of disabling the LANMAN
hash for THAT user even if the domain in question does
not turn it off for everyone.

There are also (very good) arguments that 7 is more
secure than 8, 9, 10 unless you go all the way to 14
but this 'feature' may have changed in recent OS versions.

Seems the hashing is actually applied to each 7-byte
half individually.
 
Steve Riley [MSFT]

Seems the hashing is actually applied to each 7-byte half
individually.

That's true only for LM "hashes" (I put that in quotes because it really
isn't a hash in the true definition of the term). And in networks that still
use LM "hashes," it's true that 7 characters is better than 8 because of
the way the cracking programs divide the hash in two.

NTLM and NTLMv2 create true hashes of the entire password at once, not two
7-byte halves.

I'm now using a 25-character passphrase on all my accounts. It would take
more storage than exists on the planet to store rainbow tables for 25-character
phrases; brute-force attacks would take approximately 500,000 centuries even
accommodating for Moore's law. :)

Steve Riley
(e-mail address removed)
 
Herb Martin

I'm now using a 25-character passphrase on all my accounts. It would take
more storage than exists on the planet to store rainbow tables for 25-character
phrases; brute-force attacks would take approximately 500,000 centuries even
accommodating for Moore's law. :)

I won't tell you (or anyone else) how many characters
we use <grin>, but since you use 25 characters it
won't matter whether you tell or not.

The fact that 15+ effectively turns off the LanMan
support is a big feature as far as I am concerned.
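
Added example, not part of any post in this thread: a short Python sketch of the LM preprocessing discussed above (upper-casing, padding to 14, two independent 7-byte halves) and the resulting search space next to a whole-password NT hash. The function names, the sample passwords and the letters-plus-digits alphabet (chosen to match the "upper/lower case, and numbers" case mentioned in the thread) are assumptions for illustration; no hashing is performed.

```python
import math

LM_ALPHABET = 36   # A-Z + 0-9: LM upper-cases input, so lower case adds nothing
NT_ALPHABET = 62   # a-z + A-Z + 0-9: the NT hash covers the password as typed

def lm_halves(password):
    """Split a password the way LM does before hashing.

    Returns two 7-byte blocks, or None when the password exceeds 14
    characters and therefore has no usable LM hash.
    """
    if len(password) > 14:
        return None
    # Assumes an ASCII password; real systems use the OEM code page.
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def lm_search_space(password):
    """Candidates to exhaust when each half is attacked on its own."""
    halves = lm_halves(password)
    if halves is None:
        return None
    lengths = [len(h.rstrip(b"\x00")) for h in halves]
    return sum(LM_ALPHABET ** n for n in lengths if n > 0)

def nt_search_space(password):
    """Candidates to exhaust when the whole password is hashed at once."""
    return NT_ALPHABET ** len(password)

def bits(n):
    """Search space expressed in bits, rounded to one decimal."""
    return round(math.log2(n), 1)

if __name__ == "__main__":
    # Constructed sample passwords of 7, 8, 14 and 15 characters.
    for pw in ["k3Rw9Qz", "k3Rw9QzT", "k3Rw9QzTm4Lp2X", "k3Rw9QzTm4Lp2Xv"]:
        lm = lm_search_space(pw)
        lm_txt = "no LM hash" if lm is None else f"{bits(lm)} bits"
        nt_txt = f"{bits(nt_search_space(pw))} bits"
        print(f"{len(pw):2d} chars  LM: {lm_txt:12s} NT: {nt_txt}")
```

Under these assumptions an eighth character adds only 36 candidates to the LM search, a 14-character password is still just two 7-character problems, and at 15 characters there is no LM half left to attack.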
 