Networking "Rules" 3

[zestril5]

Ihave seen checklists posted many time in response to neworking problems.
The most clear and consise list is from Bcastner and is as follows:

1. Same workgroup name (use all Capital letters for safety), unique Computer Name.
2. No firewall issues, including the native ICF XP firewall; third-party firewalls; and "hidden" firewalls in antivirus programs (PC-Illan for example);
3. All usernames and passwords synchronized at all machines: Username and passwords (exactly) on Computer A
made usernames with passwords (exactly) on Computer B, C , etc. Or, use the default "Simple File Sharing" and enable the Guest account on all machines;
4. Something: drive, Folder, printer, something shared on all machines. But something
5. For all machines, under TCP/IP Properties for the Network Connection, Advanced, WINS tab, disable 'use LMHOSTS' and check to 'enable Netbios over TCP/IP'

I have no questions about 1,2,4 and 5. If I do have problems with a network I install and use netbui which usually resolves the problem.
BUT.... what is 3 all about. I have many networks in businesses and homes running where simple files sharing is not enabled and user names and passwords are not the same on all computers, in fact on none of the computers, yet I'm able to share whatever files I want using permissions and security settings. So why this "rule" #3?

 

[satrow]

I think logging on WITH a password is the key - no password (blank) = no network.

Netbui is fine on small (up to @12 machines?) networks,but it's broadcasting can play havoc with larger.

Andy.

 

[bcastner]

If "Simple File Sharing", the default, is enabled (you have no choice with XP Home), then all remote access occurs under Guest priviliges. There is no security or permissions issues, and no password is required.

Except in the smallest of networks, some security and permissions control is usually desired.

The "normal" case is to disable Simple File Sharing. To use blank or empty passwords and create a "Mixed" setting under the case where you have disabled Simple File Sharing, it is decidedly not obvious the steps that are required (hence in small networks the comments you cite above are the easiest case to make).

The following "addendum" explains how to enable the use of blank or empty passwords in a "Mixed" security context:

1. Disable Simple Filesharing (Not possible in WinXP Home).
Start Button -> My Computer
In the menu of My Computer select "Tools" -> "Folder Options"
In "Folder Options" select the "View" fan
Uncheck the setting "Use Simple File Sharing (Recommended)"

This change should be reflected in this registry key:
[HKEY_LOCAK_MACHINE \SYSTEM \CurrentControlSet \Control \Lsa]
ForceGuest = 0

It is advised to create an account with a secure password for each user who should have access to a share. But some times it is just too cumbersome, even if one creates a group containing all the users which should have access.

2. Enable the guest account, so everyone will use that to access your shares:
Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Computer Management"
Expand "Local Users" -> "Users"
Right click the "Guest" account and select "Properties"
Uncheck "Account is disabled"

3. Enable listing of shares:
Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Local Security Policy"
Expand "Local Policies" -> "Security options"
Check that the setting "Network access: Do not allow anonymous enumeration of SAM accounts and shares " is set to disabled

4. Enable access of shares using empty password:
Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Local Security Policy"
Expand "Local Policies" -> "Security options"
Check that "Accounts: Limit local account use of blank passwords to console login only" is disabled

5. Make sure your security policy allows network access for everyone:
Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Local Security Policy"
Expand "Local Policies" -> "User Rights Assignment"
Check that "Access this computer from the network" has these groups included "Guests" and "Everyone"
Check that "Deny access to this computer from the network" doesn't contain the above groups

6. If wanting to give extra rights to some accounts, then disable that all network logins gets guest access when in a workgroup :
Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Local Security Policy"
Expand "Local Policies" -> "Security options"
Check that "Network access: Sharing and security model for local accounts" is set to "Classic: local users authenticate as themselves"

Remember to reboot to make sure settings are activated.

Note the above settings only opens the policies for allowing guests to access the computer. When making a share one has to allow guests to access the share, and if the folder being shared is placed on a NTFS drive, then the security setting for the folder must allow Guests.

Reference and some quoted sections:

http://snakefoot.fateback.com/tweak/winnt/sharing.html

 

[zestril5]

Thanks for the information. On larger networks that I have I use Windows 2000 Professional Server.
The smaller networks that I am referring to here all use XP Pro and are generally all peer to peer with no server.
Although I understand the addendum you have posted here and, have printed it for reference, I definitely don't do this.
I would like to persue this further, if you don't mind, but I have to go on the road for a few days. When I get back I'll post what it is I do to allow sharing with no same names and passwords. Maybe there is inherently something radically wrong with my approach but it does work. Perhaps it's just a matter of how secure the network is. In most of my cases security is not a big issue, the customers just want ot be able to share everything.

 

[bcastner]

The easiest thing would be to allow the default of Simple File Sharing enabled; or do Step #4 in my listing above.

 

[satrow]

Hey bcastner, that's a great blow by blow but how do I bookmark it ;-)

Andy.

 

[bcastner]

Thank you satrow,
It is part of my notes for a FAQ about a "Mixed" security model for XP Pro with Simple File Sharing disabled, but I could for one never figure out what to call it so that it could be found.

"Blank passwords under XP Pro"?
"A Mixed Security Implementation 0f XP Pro"?
"Simplifying Shares with Simple File Sharing Disabled"?

I also wanted to include notes I have made here in the past about simplifying the Security tab under XP Home; and simplifying the application of Policies under XP Workgroups.

Perhaps they should be seperate topics, and that will simplify things for me as a writer.

There have been so many wonderful guides to Simple and disabled-Simple File Sharing under Pro that I am slightly intimidated to add another. When I write the FAQ it will cover the issues discussed above as a "Mixed" security model for XP Pro with Simple File Sharing disabled.

 

[bcastner]

Satrow,

You are a welcome and wonderful addition to Tek-Tips, so let me send you a belated welcome.

Bill Castner

 

[satrow]

Thanks for that Bill,

I've got a long way to go before I get close to the shadow that you cast!

Cheers, I'm enjoying the challenge.

Andy.