Focus on Microsoft
RE: default for requiring authentication 2003 Jun 12 2008 06:46PM
Talkovic, Scott A. (satalkov uci edu)
Would the default "NullSessionShares" registry value in Server 2003 prevent unauthenticated network access to files as well?

Scott

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Kurt Dillard
Sent: Thursday, June 12, 2008 9:39 AM
To: 'Murda Mcloud'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: default for requiring authentication 2003

Murda,
You are correct, in Windows XP, 2003, and later the Everyone group only
includes Authenticated Users, it no longer includes Anonymous Users. You can
change this but Microsoft strongly recommends against doing so. Your nemesis
is thinking of older versions of Windows.

Kurt

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Murda Mcloud
Sent: Wednesday, June 11, 2008 11:45 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: default for requiring authentication 2003

I'm having a debate with someone over whether a 2003 server by default
(OOB)forces someone to authenticate(whether to a DC or to the server itself
if standalone) before allowing access to files.

He seems to think that the default is that no authentication is required and
consequently anyone could rock up and connect a laptop to a network with
that server on it and get access to files on it-as the EVERYONE group is
given read permissions to new folders etc.

I say he is wrong but am looking hard to find something to back me up.

I understand that the guest account could access files as it is part of the
EVERYONE group but it's disabled by default-but still, there is an
authentication process for guest to login

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus