Panos
Hello, I would appreciate any help on the following very weird issue:
- I have 2 computers (one desktop and one laptop) in my home network which
are named “desktop” and “laptop”, and belong to the same workgroup MSHOME.
- The Desktop is running Windows MCE SP 2 and the laptop Windows XP Pro SP 2.
- I have activated file and printer sharing on the laptop and try to access
a share from the desktop. I don’t use “simple” file sharing but have
configured the share permissions to allow full access to the share by a user
with administrator rights that exists in the laptop, let’s say “userA”
- I have also activated NetBios on both PCs
- I open a window on the desktop and type \\laptop
- I get the network authentication dialog of Windows XP and put the username
and password of the user on the laptop to whom I have allowed access. The
system doesn’t let me in, and instead the authentication dialog appears
again, with the username filled with laptop\userA and the password filled
with bullets.
- The weirdest thing is that this used to work perfectly some time ago. It
stopped working when, after 5 unsuccessful logon attempts, the account was
locked according to the security policies on the laptop.
I have tried various things to solve this problem but nothing works. I have
managed to disable the network authentication in total and directly access
the shares on the laptop, but this is not what I want. I don’t want anyone in
my local network accessing my laptop.
I am attaching below the exported values from the “user rights assignment”
and “security options” sections of the local security policies management
console.
Thank you very much in advance
user rights assignment
---------------------------
Policy Security Setting
Access this computer from the network Users,Administrators
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process LOCAL SERVICE,NETWORK
SERVICE,Administrators
Allow logon through Terminal Services Administrators,Remote Desktop Users
Back up files and directories Administrators,Backup Operators
Bypass traverse checking Administrators,Users,Power Users,Backup Operators
Change the system time Administrators,Power Users
Create a pagefile Administrators
Create a token object
Create global objects Administrators,INTERACTIVE,SERVICE
Create permanent shared objects
Debug programs Administrators
Deny access to this computer from the network SUPPORT_388945a0
Deny logon as a batch job
Deny logon as a service
Deny logon locally
Deny logon through Terminal Services ASPNET
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system Administrators
Generate security audits LOCAL SERVICE,NETWORK SERVICE
Impersonate a client after authentication Users,SERVICE,ASPNET,Administrators
Increase scheduling priority Administrators
Load and unload device drivers Administrators
Lock pages in memory
Log on as a batch job SUPPORT_388945a0,ASPNET
Log on as a service NETWORK SERVICE,ASPNET
Log on locally Backup,Administrators,Users,Power Users,Backup Operators
Manage auditing and security log Administrators
Modify firmware environment values Administrators
Perform volume maintenance tasks Administrators
Profile single process Administrators,Power Users
Profile system performance Administrators
Remove computer from docking station Administrators,Users,Power Users
Replace a process level token LOCAL SERVICE,NETWORK SERVICE
Restore files and directories Administrators,Backup Operators
Shut down the system Administrators,Users,Power Users,Backup Operators
Synchronize directory service data
Take ownership of files or other objects Administrators
security options
-------------------
Policy Security Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Enabled
Accounts: Limit local account use of blank passwords to console logon
only Enabled
Accounts: Rename administrator account ACAdmin
Accounts: Rename guest account Backup
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Shut down system immediately if unable to log security audits Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language
(SDDL) syntax Not defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language
(SDDL) syntax Not defined
Devices: Allow undock without having to log on Enabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Disabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Devices: Restrict floppy access to locally logged-on user only Disabled
Devices: Unsigned driver installation behavior Warn but allow installation
Domain controller: Allow server operators to schedule tasks Not defined
Domain controller: LDAP server signing requirements Not defined
Domain controller: Refuse machine account password changes Not defined
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Disabled
Interactive logon: Do not display last user name Disabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on Not defined
Interactive logon: Number of previous logons to cache (in case domain
controller is not available) 10 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock
workstation Disabled
Interactive logon: Require smart card Not defined
Interactive logon: Smart card removal behavior No Action
Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network client: Digitally sign communications (if server
agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB
servers Disabled
Microsoft network server: Amount of idle time required before suspending
session 15 minutes
Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client
agrees) Disabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and
shares Disabled
Network access: Do not allow storage of credentials or .NET Passports for
network authentication Disabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed
anonymously COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser
Network access: Remotely accessible registry
paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server
Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP
Server,Software\Microsoft\Windows
NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal
Server,System\CurrentControlSet\Control\Terminal
Server\UserConfig,System\CurrentControlSet\Control\Terminal
Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously COMCFG,DFS$
Network access: Sharing and security model for local accounts Classic -
local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password
change Enabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Send NTLMv2 response
only\refuse LM & NTLM
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including
secure RPC) clients Require NTLMv2 session security
Network security: Minimum session security for NTLM SSP based (including
secure RPC) servers Require NTLMv2 session security
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all
folders Enabled
Shutdown: Allow system to be shut down without having to log on Enabled
Shutdown: Clear virtual memory pagefile Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing,
and signing Disabled
System objects: Default owner for objects created by members of the
Administrators group Object creator
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects
(e.g. Symbolic Links) Enabled
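The export pasted above has no delimiter between a policy name and its value, and long entries wrap onto a second line, which makes it awkward to read off the handful of settings that decide whether a workgroup peer's network logon can succeed at all. The script below is an added example, not part of the original post and not a Microsoft tool: it re-joins the wrapped lines of such an export, pulls out the policies that govern network logon (the allow/deny network-access rights, Guest status, the blank-password rule, the sharing model, the LAN Manager authentication level and the NTLM SSP server minimum) and prints the values together with interoperability notes. The category list, the policy-name table and the "capital letter followed by lowercase starts a new user-rights entry" rule are assumptions made for this export's layout, and `SAMPLE_EXPORT` is a constructed excerpt.

```python
"""Parse a Windows XP Local Security Policy export (secpol.msc, exported as text) and
report the settings that govern network logon by a workgroup peer.
Added example; the sample text is a constructed excerpt in the pasted export's layout."""
import re

# Constructed excerpt: same layout as the export above, including wrapped values.
SAMPLE_EXPORT = """\
user rights assignment
---------------------------
Policy Security Setting
Access this computer from the network Users,Administrators
Deny access to this computer from the network SUPPORT_388945a0
security options
-------------------
Policy Security Setting
Accounts: Guest account status Enabled
Accounts: Limit local account use of blank passwords to console logon
only Enabled
Network access: Sharing and security model for local accounts Classic -
local users authenticate as themselves
Network security: LAN Manager authentication level Send NTLMv2 response
only\\refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including
secure RPC) servers Require NTLMv2 session security
"""

# Every "security options" entry starts with one of these category prefixes (assumed list).
CATEGORIES = ("Accounts", "Audit", "DCOM", "Devices", "Domain controller", "Domain member",
              "Interactive logon", "Microsoft network client", "Microsoft network server",
              "Network access", "Network security", "Recovery console", "Shutdown",
              "System cryptography", "System objects")
_CATEGORY_PREFIX = re.compile(r"(?:%s): " % "|".join(map(re.escape, CATEGORIES)))
_DASHES = re.compile(r"-{3,}")

# Policies whose value decides whether a peer's network logon is accepted (name -> why it matters).
NETWORK_LOGON_POLICIES = {
    "Access this computer from the network": "the account or one of its groups must be listed",
    "Deny access to this computer from the network": "a deny entry overrides any allow entry",
    "Accounts: Guest account status": "Enabled widens who can connect without a matching account",
    "Accounts: Limit local account use of blank passwords to console logon only":
        "Enabled means a blank password is never accepted over the network",
    "Network access: Sharing and security model for local accounts":
        "Classic authenticates remote users as themselves; Guest only maps everyone to Guest",
    "Network security: LAN Manager authentication level":
        "the connecting machine must send a response type this level accepts",
    "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers":
        "the connecting machine must negotiate the listed session security",
}


def split_sections(text):
    """Return {section title: [lines]} for an export laid out as 'title / dashes / Policy Security Setting'."""
    lines = [l.rstrip() for l in text.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        if not line.strip() or _DASHES.fullmatch(line) or line.strip() == "Policy Security Setting":
            continue
        if i + 1 < len(lines) and _DASHES.fullmatch(lines[i + 1]):
            current = line.strip().lower()        # a title is the line just above a dashed rule
            sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def join_entries(lines, starts_entry):
    """Re-join wrapped lines: a line for which starts_entry() is true opens a new entry, any other line continues the previous one."""
    entries = []
    for line in lines:
        if starts_entry(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def policy_values(text):
    """Map each NETWORK_LOGON_POLICIES name present in the export to its setting string."""
    sections = split_sections(text)
    # User rights: assumed rule for this layout, a new entry begins with a capital followed by a lowercase letter.
    entries = join_entries(sections.get("user rights assignment", []),
                           lambda l: re.match(r"[A-Z][a-z]", l) is not None)
    entries += join_entries(sections.get("security options", []),
                            lambda l: _CATEGORY_PREFIX.match(l) is not None)
    found = {}
    for entry in entries:
        for name in NETWORK_LOGON_POLICIES:
            if entry.startswith(name):
                found[name] = entry[len(name):].strip() or "(blank)"
    return found


def ntlm_level_requires_v2(value):
    """True when the LAN Manager authentication level refuses both LM and NTLM, so peers must send NTLMv2."""
    return "refuse LM & NTLM" in value


def account_network_access(values, account, groups=("Users",)):
    """Return (allowed, reason) for a local account whose group membership is given by `groups`
    (constructed input; a real check would read the account's groups from the machine)."""
    allow = set(values.get("Access this computer from the network", "").split(","))
    deny = set(values.get("Deny access to this computer from the network", "").split(","))
    names = {account, *groups}
    if names & deny:
        return False, "listed in 'Deny access to this computer from the network'"
    if names & allow:
        return True, "granted via " + ", ".join(sorted(names & allow))
    return False, "neither the account nor its groups appear in 'Access this computer from the network'"


def interop_notes(values):
    """Plain-language notes on values that commonly block a workgroup peer; empty when nothing stood out."""
    notes = []
    if ntlm_level_requires_v2(values.get("Network security: LAN Manager authentication level", "")):
        notes.append("LM and NTLM responses are refused: the connecting machine must be set to send NTLMv2")
    if values.get("Accounts: Guest account status") == "Enabled":
        notes.append("Guest is enabled: a name unknown to this machine can still connect as Guest")
    return notes


if __name__ == "__main__":
    vals = policy_values(SAMPLE_EXPORT)
    for name, why in NETWORK_LOGON_POLICIES.items():
        print("%s = %s\n    (%s)" % (name, vals.get(name, "(not in export)"), why))
    print("userA:", account_network_access(vals, "userA", ("Users", "Administrators")))
    for note in interop_notes(vals):
        print("note:", note)
```

Run it against the full export text to get the same report for the laptop's settings. Two caveats a practitioner would want: the settings only describe the laptop side, and the LAN Manager level must be compared with the desktop's own setting for the report to mean anything; and the export contains no Account Lockout Policy section, so the lockout threshold and whether the account is currently locked are not visible here and must be checked separately on the laptop.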