Requiring Authentication to Network Shares [message #160267] Mon, 24 August 2009 08:26
Bart Perrier
We have a group of workstations configured as shared workstations with
managed AD accounts logging them into the network. Our desktop team has
historically allowed access to network shares for the shared accounts and
this has created an issue with our security team.

I am looking for a way, on a pretty large scale, to force authentication to
network shares/resources (not IE) either from the computer or user
perspective. Our target workstation is XP SP2. Is anyone aware of a GPO or
registry setting that can accomplish this?

Thanks,
Bart Perrier
Re: Requiring Authentication to Network Shares [message #160268 is a reply to message #160267] Mon, 24 August 2009 08:37
aceman
"Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
news:1ACD58BB-8C83-4ED9-9516-1162FF4B3D0B@microsoft.com...
> We have a group of workstations configured as shared workstations with
> managed AD accounts logging them into the network. Our desktop team has
> historically allowed access to network shares for the shared accounts and
> this has created an issue with our security team.
>
> I am looking for a way, on a pretty large scale, to force authentication
> to network shares/resources (not IE) either from the computer or user
> perspective. Our target workstation is XP SP2. Is anyone aware of a GPO or
> registry setting that can accomplish this?
>
> Thanks,
> Bart Perrier


I'm having a bit of difficulty understanding the current scenario. Are you
saying there are shares on the workstations that others are accessing and
mapping drives to?

Or are you saying the workstations are being used by different users to
logon with their own user account or password, meaning one would use the
workstation, logoff, then someone else would logon, then logoff, etc?

Or are you saying one workstation is constantly logged on with a common user
account that multiple people are using? (I think this is what you mean?)


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Requiring Authentication to Network Shares [message #160270 is a reply to message #160267] Mon, 24 August 2009 08:56
meiweb(nospam)
Hello Bart,

If you need separate access permissions on the shares, reconfigure your shares
with new security groups, the correct members added to them and do NOT use
shared accounts.

If the domain accounts are authenticated they can access any location where
they are allowed to with share permissions/NTFS permissions. You cannot
require a second authentication for another account through the already authenticated
account.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We have a group of workstations configured as shared workstations with
> managed AD accounts logging them into the network. Our desktop team
> has historically allowed access to network shares for the shared
> accounts and this has created an issue with our security team.
>
> I am looking for a way, on a pretty large scale, to force
> authentication to network shares/resources (not IE) either from the
> computer or user perspective. Our target workstation is XP SP2. Is
> anyone aware of a GPO or registry setting that can accomplish this?
>
> Thanks,
> Bart Perrier
Re: Requiring Authentication to Network Shares [message #160271 is a reply to message #160268] Mon, 24 August 2009 10:06
Bart Perrier
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:O59DphMJKHA.3928@TK2MSFTNGP04.phx.gbl...
> "Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
> news:1ACD58BB-8C83-4ED9-9516-1162FF4B3D0B@microsoft.com...
>> We have a group of workstations configured as shared workstations with
>> managed AD accounts logging them into the network. Our desktop team has
>> historically allowed access to network shares for the shared accounts and
>> this has created an issue with our security team.
>>
>> I am looking for a way, on a pretty large scale, to force authentication
>> to network shares/resources (not IE) either from the computer or user
>> perspective. Our target workstation is XP SP2. Is anyone aware of a GPO
>> or registry setting that can accomplish this?
>>
>> Thanks,
>> Bart Perrier
>
>
> I'm having a bit of difficulty understanding the current scenario. Are you
> saying there are shares on the workstations that others are accessing and
> mapping drives to?
>
> Or are you saying the workstations are being used by different users to
> logon with their own user account or password, meaning one would use the
> workstation, logoff, then someone else would logon, then logoff, etc?
>
> Or are you saying one workstation is constantly logged on with a common
> user account that multiple people are using? (I think this is what you
> mean?)
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.

Yes, Ace, the third option. The workstations are configured to automatically
login (with the exception of the message at startup) with a preconfigured
account, using TweakUI. The shares are server side and we discourage mapped
drives due to the functional limitation of available drive letters and
excessive number of applications (too many drive letter conflicts). To take
it a step further, I hope to be able to disallow the actual saving of any
credentials provided, but I will address that in my testing, etc.

Thanks, Ace.

Bart
Re: Requiring Authentication to Network Shares [message #160272 is a reply to message #160270] Mon, 24 August 2009 10:13
Bart Perrier
Thanks for the reply, Meinolf.

Unfortunately, the results of requiring the users to uniquely log in creates
a separate issue that will greatly hinder the user workflow -- in short,
locked screensavers = helpdesk calls.

I am hoping for a setting that will prevent the passing of the token, or
keys, when the resource is requested (double-clicked). If I can find this
configuration, without using a local account, then I can take it to the test
lab.

Thanks again.

Bart


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662ddee8cbf2f304381557@msnews.microsoft.com...
> Hello Bart,
>
> If you need separate access permissions on the shares, reconfigure your
> shares with new security groups, the correct members added to them and do
> NOT use shared accounts.
>
> If the domain accounts are authenticated they can access any location where
> they are allowed to with share permissions/NTFS permissions. You can not
> require a second authentication for another account through the already
> authenticated account.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> We have a group of workstations configured as shared workstations with
>> managed AD accounts logging them into the network. Our desktop team
>> has historically allowed access to network shares for the shared
>> accounts and this has created an issue with our security team.
>>
>> I am looking for a way, on a pretty large scale, to force
>> authentication to network shares/resources (not IE) either from the
>> computer or user perspective. Our target workstation is XP SP2. Is
>> anyone aware of a GPO or registry setting that can accomplish this?
>>
>> Thanks,
>> Bart Perrier
>
>
Re: Requiring Authentication to Network Shares [message #160274 is a reply to message #160272] Mon, 24 August 2009 10:26
aceman
"Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
news:E4F11FF0-AC1E-4696-9596-806656F7FA87@microsoft.com...
> Thanks for the reply, Meinolf.
>
> Unfortunately, the results of requiring the users to uniquely log in
> creates a separate issue that will greatly hinder the user workflow -- in
> short, locked screensavers = helpdesk calls.
>
> I am hoping for a setting that will prevent the passing of the token, or
> keys, when the resource is requested (double-clicked). If I can find this
> configuration, without using a local account, then I can take it to the
> test lab.
>


When the share is first accessed, the Share permissions govern whether they
can get into the folder by parsing the token, then when they try to access
the actual folder(s), the token once again is parsed and the system will
compare the SIDs in the token to the entries in the ACL.

Are you trying to prevent that from occurring?

If you don't want them to access the share, don't include that specific user
account that everyone is using on that specific workstation, in the Security
permissions on the folder.

Ace
Re: Requiring Authentication to Network Shares [message #160275 is a reply to message #160271] Mon, 24 August 2009 10:46
aceman
"Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
news:2169B7E7-570E-4D6F-8B1D-1EFAFFA90DE6@microsoft.com...
>
>
> Yes, Ace, the third option. The workstations are configured to
> automatically login (with the exception of the message at startup) with a
> preconfigured account, using TweakUI. The shares are server side and we
> discourage mapped drives due to the functional limitation of available
> drive letters and excessive number of applications (too many drive letter
> conflicts). To take it a step further, I hope to be able to disallow the
> actual saving of any credentials provided, but I will address that in my
> testing, etc.
>
> Thanks, Ace.
>
> Bart


Bart,

I replied to your response to Meinolf. So let me get this straight, you want
to allow that user account that you've set the registry to autologon with
(using TweakUI) to access a share and the folders within the share, but you
don't want it to save the credentials? You mean you don't want it to cache
the credentials on the local machine? Once the resource is accessed, the
server side (IIRC) caches the credentials for the IPC$ that was established
at connection time. That's why, if you've ever noticed, you can't
connect to another share on the same machine using the Administrator account
once the domain user account has already accessed the resource. You would
have to restart the machine to reset it.

You may also want to take a look at the local machine to delete the cached
credentials it's using for the resource. Delete everything in the following:
%USERPROFILE%\Application Data\Microsoft\Credentials\
%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials\

You can also try the following:
net sessions command.
net use * /delete

Or have the machine logoff/logon again.

Ace
Re: Requiring Authentication to Network Shares [message #160276 is a reply to message #160274] Mon, 24 August 2009 10:50
meiweb(nospam)
Hello Ace Fekay [MCT],

This will not open a username/password window to enter an additional account
name, just access denied will pop up as far as I know and also realized when
working with NTFS permissions.

As long as the logon account is authenticated and has the share mapped, which
must be done with that account, or all users have to learn mapping, no additional
logon will come up.

Also, if I am not wrong, if a user was able to logon with his permissions
and he just closes Explorer and another user will use it, this one is able
to see the previous user's folder and cannot change to his own because of
cached credentials.

Best regards

Meinolf Weber


> "Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
> news:E4F11FF0-AC1E-4696-9596-806656F7FA87@microsoft.com...
>
>> Thanks for the reply, Meinolf.
>>
>> Unfortunately, the results of requiring the users to uniquely log in
>> creates a separate issue that will greatly hinder the user workflow
>> -- in short, locked screensavers = helpdesk calls.
>>
>> I am hoping for a setting that will prevent the passing of the token,
>> or keys, when the resource is requested (double-clicked). If I can
>> find this configuration, without using a local account, then I can
>> take it to the test lab.
>>
> When the share is first accessed, the Share permissions govern whether
> they can get into the folder by parsing the token, then when they try
> to access the actual folder(s), the token once again is parsed and the
> system will compare the SIDs in the token to the entries in the ACL.
>
> Are you trying to prevent that from occurring?
>
> If you don't want them to access the share, don't include that
> specific user account that everyone is using on that specific
> workstation, in the Security permissions on the folder.
>
> Ace
>
Re: Requiring Authentication to Network Shares [message #160279 is a reply to message #160274] Mon, 24 August 2009 11:09
Bart Perrier
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23OsLkeNJKHA.1248@TK2MSFTNGP04.phx.gbl...
> "Bart Perrier" <bart_perrierNOT@HOMEhotmail.com> wrote in message
> news:E4F11FF0-AC1E-4696-9596-806656F7FA87@microsoft.com...
>> Thanks for the reply, Meinolf.
>>
>> Unfortunately, the results of requiring the users to uniquely log in
>> creates a separate issue that will greatly hinder the user workflow -- in
>> short, locked screensavers = helpdesk calls.
>>
>> I am hoping for a setting that will prevent the passing of the token, or
>> keys, when the resource is requested (double-clicked). If I can find this
>> configuration, without using a local account, then I can take it to the
>> test lab.
>>
>
>
> When the share is first accessed, the Share permissions govern whether
> they can get into the folder by parsing the token, then when they try to
> access the actual folder(s), the token once again is parsed and the system
> will compare the SIDs in the token to the entries in the ACL.
>
> Are you trying to prevent that from occurring?
>
> If you don't want them to access the share, don't include that specific
> user account that everyone is using on that specific workstation, in the
> Security permissions on the folder.
>
> Ace

Sorry I am not being very clear. The picture in my head is much more clear
than the one passing through my keyboard.

The workstation is powered on by the user and is automatically logged in
using TweakUI and a managed account for that workstation. The workstation is
shared between 5 - 15 users over the course of a shift. Each user needs
access to one or many UNC paths. I can take the managed account out of a
group, preventing access to the resource but the 5 - 15 users still need
access to various shares. I'd like to put a shortcut on the desktop to
various locations and when they click it, they are prompted to enter
credentials. That is the first thing I am trying to accomplish. Then, the
second part of this, when credentials are provided, disallow the user from
saving the credentials.

Does that make more sense?
Re: Requiring Authentication to Network Shares [message #160282 is a reply to message #160279] Mon, 24 August 2009 11:39
florian
Howdie!

Bart Perrier schrieb:
> The workstation is powered on by the user and is automatically logged in
> using TweakUI and a managed account for that workstation. The
> workstation is shared between 5 - 15 users over the course of a shift.
> Each user needs access to one or many UNC paths. I can take the
> managed account out of a group, preventing access to the resource but
> the 5 - 15 users still need access to various shares. I'd like to put a
> shortcut on the desktop to various locations and when they click it,
> they are prompted to enter credentials. That is the first thing I am
> trying to accomplish. Then, the second part of this, when credentials
> are provided, disallow the user from saving the credentials.

Remove the server from the domain or use an auto logon user that is not
a domain user (local user) with TweakUI. Windows will first try to use
the credentials provided and it won't ask for credentials if it succeeds
with the connection. If the user and the resource (the file server) are
in different domains, Windows will ask for credentials.

As for your second wish, preventing users from saving the passwords, I'm
pretty much out of ideas. I'm not sure if you can prevent them entirely.
One idea might be clearing the credentials cache on logoff/logon. The
command "rundll32.exe keymgr.dll, KRShowKeyMgr" shows them so you could
delete them manually.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Requiring Authentication to Network Shares [message #160287 is a reply to message #160282] Mon, 24 August 2009 12:06
Bart Perrier
"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:ODS7sIOJKHA.4168@TK2MSFTNGP05.phx.gbl...
> Howdie!
>
> Bart Perrier schrieb:
>> The workstation is powered on by the user and is automatically logged in
>> using TweakUI and a managed account for that workstation. The workstation
>> is shared between 5 - 15 users over the course of a shift. Each user
>> needs access to one or many UNC paths. I can take the managed account
>> out of a group, preventing access to the resource but the 5 - 15 users
>> still need access to various shares. I'd like to put a shortcut on the
>> desktop to various locations and when they click it, they are prompted to
>> enter credentials. That is the first thing I am trying to accomplish.
>> Then, the second part of this, when credentials are provided, disallow
>> the user from saving the credentials.
>
> Remove the server from the domain or use an auto logon user that is not a
> domain user (local user) with TweakUI. Windows will first try to use the
> credentials provided and it won't ask for credentials if it succeeds with
> the connection. If the user and the resource (the file server) are in
> different domains, Windows will ask for credentials.
>
> As for your second wish, preventing users from saving the passwords, I'm
> pretty much out of ideas. I'm not sure if you can prevent them entirely.
> One idea might be clearing the credentials cache on logoff/logon. The command
> "rundll32.exe keymgr.dll, KRShowKeyMgr" shows them so you could delete
> them manually.
>
> Cheers,
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste


I like the "out of the box" thinking -- I'm open to new ways of looking at
it. Unfortunately, it would require an additional login for the user to
remember (or forget).

We have considered the following options:

1) SharePoint based community (a new concept for our below average users)
2) Login to a Citrix web site and publish each share using IEXPLORE (this
has worked in an isolated environment)
3) An FTP site using AD authentication

The only one that works well is option two and it will be a monster to
maintain...

Again, thanks for the suggestion -- I will share that with other folks on my
team.

Bart
Re: Requiring Authentication to Network Shares [message #160358 is a reply to message #160287] Tue, 25 August 2009 14:35
MrChris
I believe what you need to do is create a DNS alias to the resource(server):
http://support.microsoft.com/kb/938120

"After you use one of these methods, you can use different user credentials
to connect to the network share. In this situation, the computer behaves as
if it is connecting to a different server."

or
http://support.microsoft.com/kb/173199/

"Bart Perrier" wrote:

>
> "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
> message news:ODS7sIOJKHA.4168@TK2MSFTNGP05.phx.gbl...
> > Howdie!
> >
> > Bart Perrier schrieb:
> >> The workstation is powered on by the user and is automatically logged in
> >> using TweakUI and a managed account for that workstation. The workstation
> >> is shared between 5 - 15 users over the course of a shift. Each user
> >> needs access to one or many UNC paths. I can take the managed account
> >> out of a group, preventing access to the resource but the 5 - 15 users
> >> still need access to various shares. I'd like to put a shortcut on the
> >> desktop to various locations and when they click it, they are prompted to
> >> enter credentials. That is the first thing I am trying to accomplish.
> >> Then, the second part of this, when credentials are provided, disallow
> >> the user from saving the credentials.
> >
> > Remove the server from the domain or use an auto logon user that is not a
> > domain user (local user) with TweakUI. Windows will first try to use the
> > credentials provided and it won't ask for credentials if it succeeds with
> > the connection. If the user and the resource (the file server) are in
> > different domains, Windows will ask for credentials.
> >
> > As for your second wish, preventing users from saving the passwords, I'm
> > pretty much out of ideas. I'm not sure if you can prevent them entirely.
> > One idea might be clearing the credentials cache on logoff/logon. The command
> > "rundll32.exe keymgr.dll, KRShowKeyMgr" shows them so you could delete
> > them manually.
> >
> > Cheers,
> > Florian
> > --
> > Microsoft MVP - Group Policy
> > eMail: prename [at] frickelsoft [dot] net.
> > blog: http://www.frickelsoft.net/blog.
> > Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
>
>
> I like the "out of the box" thinking -- I'm open to new ways of looking at
> it. Unfortunately, it would require an additional login for the user to
> remember (or forget).
>
> We have considered the following options:
>
> 1) SharePoint based community (a new concept for our below average users)
> 2) Login to a Citrix web site and publish each share using IEXPLORE (this
> has worked in an isolated environment)
> 3) An FTP site using AD authentication
>
> The only one that works well is option two and it will be a monster to
> maintain...
>
> Again, thanks for the suggestion -- I will share that with other folks on my
> team.
>
> Bart
>
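As an added illustration (not code from any poster in this thread), the following Python toy models the two mechanisms the replies turn on: Ace's server-side check of the caller's token against the share permissions and then the NTFS ACL, which yields access denied rather than a credential prompt when the shared account is dropped from the ACL, and the workstation's one-session-per-server-name rule that is behind both Ace's Administrator example and the DNS alias approach from KB 938120. All SIDs, account names, server names and ACLs are constructed for the example.

```python
"""Constructed model (not real Windows code) of two things said in this thread:
the server-side token-vs-ACL check Ace describes, and the client's one-session-
per-server-name rule that makes a DNS alias accept different credentials."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

READ, WRITE = 0x1, 0x2
DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed domain SID prefix
EVERYONE = "S-1-1-0"
DOMAIN_USERS = DOMAIN + "-513"
FINANCE = DOMAIN + "-3001"           # constructed group SID

@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool    # False = explicit deny entry
    mask: int

@dataclass(frozen=True)
class Token:
    user: str
    sids: Tuple[str, ...]   # user SID plus group SIDs, as in a logon token

def effective_mask(token: Token, acl: List[Ace]) -> int:
    """Union of allow ACEs whose SID is in the token, minus explicit denies."""
    allowed = denied = 0
    for ace in acl:
        if ace.sid in token.sids:
            if ace.allow:
                allowed |= ace.mask
            else:
                denied |= ace.mask
    return allowed & ~denied

def check_access(token: Token, share_acl: List[Ace],
                 ntfs_acl: List[Ace], desired: int) -> str:
    """Share permissions first, then the folder's NTFS ACL; every desired bit
    must be granted at both stages. There is no 'prompt' outcome: a token
    that is not on the ACL simply gets access denied."""
    for acl in (share_acl, ntfs_acl):
        if effective_mask(token, acl) & desired != desired:
            return "access denied"
    return "granted"

class SmbClient:
    """Session table keyed by server name, as the workstation keeps it."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def connect(self, server_name: str, token: Token) -> str:
        key = server_name.lower()
        current = self.sessions.get(key)
        if current is None:
            self.sessions[key] = token.user     # first session to this name
            return "new session as " + token.user
        if current == token.user:
            return "reused session as " + token.user
        # Windows reports ERROR_SESSION_CREDENTIAL_CONFLICT (1219) here; an
        # alias for the same host is a different key and so gets its own session.
        return "error 1219: already connected to %s as %s" % (server_name, current)

# Constructed accounts: the TweakUI auto-logon account and one real user.
SHARED_ACCT = Token("CORP\\ws-shared", (DOMAIN + "-1105", DOMAIN_USERS, EVERYONE))
ALICE = Token("CORP\\alice", (DOMAIN + "-2201", DOMAIN_USERS, FINANCE, EVERYONE))
SHARE_ACL = [Ace(EVERYONE, True, READ | WRITE)]
NTFS_BEFORE = [Ace(DOMAIN_USERS, True, READ | WRITE)]   # shared account gets in
NTFS_AFTER = [Ace(FINANCE, True, READ | WRITE)]         # shared account dropped

def walkthrough() -> Dict[str, str]:
    """Runs the scenario from the thread and returns each step's result."""
    client = SmbClient()
    return {
        "shared_before": check_access(SHARED_ACCT, SHARE_ACL, NTFS_BEFORE, READ),
        "shared_after": check_access(SHARED_ACCT, SHARE_ACL, NTFS_AFTER, READ),
        "alice_after": check_access(ALICE, SHARE_ACL, NTFS_AFTER, READ | WRITE),
        "first_connect": client.connect("FILESERVER", SHARED_ACCT),
        "same_name_other_user": client.connect("fileserver", ALICE),
        "alias_other_user": client.connect("FS-FINANCE", ALICE),
    }
```

Calling `walkthrough()` shows the shared account losing access once it is off the NTFS ACL with no prompt involved, and a second user being refused on the same server name but accepted through the alias.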