EJC said:
Steve,
This is great stuff and I have reviewed a great deal of sharing and
file/folder security information. I'm gradually getting it! Your article you
referred to is very useful.
Thanks. You're asking very good questions about a very confusing
subject, and I'll answer them as best I can. If I get something
wrong, I hope that Ron Lowe (or anyone else who understands this
better than I do) will jump in and correct it.
I still have a couple of questions lurking in the back of my mind. I have
been trying various sharing and security settings. As I learn about this, it
seems that the Guest account and Everyone group have essentially the same
function.
They have similar functions, but in mutually exclusive circumstances.
The Guest account is only relevant if simple file sharing is enabled.
The Everyone group is only relevant if simple file sharing is
disabled.
Regarding the Guest account:
1. Enabling or disabling the Guest account in Control Panel | User
Accounts has nothing to do with networking. It controls whether
someone can log on to a computer as Guest at the local keyboard.
2. With simple file sharing enabled, a Windows XP Pro server forces
all users on all computers to access its shared disks and folders
through the Guest account, regardless of the actual account being
used. You can control Guest access to shares with these commands:
net user guest /active:no ; disables Guest, blocks access to all
net user guest /active:yes ; enables Guest, allows access to all
3. With simple file sharing disabled on a Windows XP server, the Guest
account has no role in share access.
The rest of my answers apply to a server computer running Windows XP
Professional with simple file sharing disabled. I'm not addressing
servers with simple file sharing enabled.
With one exception that I note below, it makes no difference what
operating system a client computer is running.
Is the Everyone group for anyone without an explicit account on the
XP server machine?
No, just the opposite. The Everyone group includes everyone who has
an explicit account.
The Everyone group is simply a convenience. It's easier to give
permission to the Everyone group than to give individual permission to
each user account.
So that if I remove it, as I have, only people with
accounts can access my XP Pro server system?
Only people with accounts on an XP Pro server can access shares on
that server. It makes no difference whether the Everyone group has
permission.
Or, without any Everyone share
permission, an unknown user will be prompted for another user and password?
Everyone permission is irrelevant to an unknown user, because the
Everyone group only contains known users.
When an unknown user requests share access, an XP Pro server replies
with a request to log on with different credentials. The result
depends on the client computer's operating system:
1. Windows 2000 and XP display a logon prompt, allowing the user to
enter a different user name and/or password.
2. Windows 95/98/Me display a prompt for the IPC$ (Interprocess
Communication) password. There's no correct reply to this prompt, and
access to the server isn't possible.
BTW, a user will be unknown if the user name doesn't exist on the
server, or if the user name is the same on the client and server but
the password for that user is different between them.
So, if you keep the Everyone group, does this mean that an unknown user can
access the share without being prompted for a userid and password?
No. Unknown users can't access XP Pro shares.
BTW, I have disabled the Guest account under Computer Administration.
I'm sorry, but I don't know what you mean by "Computer
Administration". What exactly did you do?
I also need to understand the interaction of share permissions (first gate)
and then file permissions (second gate). I have set up share permissions by
group to allow specific permissions. Let's say one group only has Read
permission under sharing permissions. Let's say then under the Security tab
for file/folder permissions, the Users group is present with Read, Write, and
Execute permission. Does this mean that a remote user with only Read share
permission could then modify files because once connected, via the Users
group, they now have Write permission? Or does the share permission control
whatever is shown under the file/folder Security settings?
To have a particular type of access, a user needs permission on both
the share and the file. In Boolean algebra terms:
network access permission = share permission AND file permission
So, a user connecting through a read-only share can only have read
access to a file, and then only if the file permissions allow it.
I'm sorry, but I've run out of time for now. I'll be glad to answer
the rest of your questions later.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.
Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
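The rules in the reply above (simple file sharing disabled), worked through as an added example that is not part of the original post: an unknown user is turned away before any permission is looked at, Everyone holds only known accounts, and network access is share permission AND file permission. The account names, passwords, the Readers group and both permission lists are constructed for illustration, and only allow-type permissions are modelled.

```python
# Simplified model of the post's rules for an XP Pro server with simple
# file sharing disabled. Allow-only; every account, group and ACL below
# is constructed sample data, not taken from the thread.
READ, WRITE, EXECUTE = 1, 2, 4

ACCOUNTS = {"alice": "pw-a", "bob": "pw-b"}        # accounts on the server
GROUPS = {"Readers": {"alice"}, "Users": {"alice", "bob"}}
SHARE_ACL = {"Readers": READ}                      # first gate (share)
FILE_ACL = {"Users": READ | WRITE | EXECUTE}       # second gate (file/folder)


def is_known(user, password):
    """Known = the name exists on the server and the password matches."""
    return user in ACCOUNTS and ACCOUNTS[user] == password


def members(group):
    """Everyone is every known account; other groups are listed explicitly."""
    return set(ACCOUNTS) if group == "Everyone" else GROUPS.get(group, set())


def granted(acl, user):
    """OR together the masks of every entry whose group contains the user."""
    mask = 0
    for group, perms in acl.items():
        if user in members(group):
            mask |= perms
    return mask


def network_access(user, password, share_acl=SHARE_ACL, file_acl=FILE_ACL):
    """Effective mask, or None when the server asks for other credentials."""
    if not is_known(user, password):
        return None                    # unknown user: no ACL is consulted
    return granted(share_acl, user) & granted(file_acl, user)


def names(mask):
    """Human-readable list of the permission bits set in mask."""
    table = (("Read", READ), ("Write", WRITE), ("Execute", EXECUTE))
    return [name for name, bit in table if mask & bit]


if __name__ == "__main__":
    print("alice:", names(network_access("alice", "pw-a")))
    print("bob:", names(network_access("bob", "pw-b")))
    print("stranger:", network_access("stranger", "x", {"Everyone": READ}))
```

The alice case is the scenario asked about in the thread: Read on the share and Read/Write/Execute on the file leave her with Read only.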