Server 2008R2 NAS - MAKE ALL SECURITY 100% ANONYMOUS


8 replies to this topic

#1
hydroeon

    Newbie

  • Member
  • 13 posts
  • Joined 17-February 11
  • OS:Windows 7 x64
Greetings fellow MSFN-ers!

I seek to find the knowledge of how one could COMPLETELY eliminate folder sharing/network security features.
What I need to do is to have one 08R2 server let ANYONE access its shared folders with FULL control WITHOUT entering ANY passwords at ANY stage.

Now, the reason I can't be flexible on the above is because some applications I use are refused write access even when all security settings are properly configured. This is probably due to the software not being able to handle/pass down appropriate details but it's currently irrelevant as I just want to strip the server of ALL security to see if it's even possible.

By the way when I first learnt to configure the server to share securely I had to deal with something like 6 bugs in windows 7/08R2 SP1 so I'm not sure if the above is even possible in reality. For example, if the group policy is stripped of all security and everyone permissions are applied to shared folders then although anyone could fully access the folders PROVIDED they enter a fake i.e. ANY logon details at the prompt that pops up! NO this is not a 'feature', it's a bug because I've turned off all of the password prompt things anyway; they just keep doing it. A password prompt is enough to stop an app writing some files.


Current settings:
Firewall disabled
Anonymous settings sorted (enabled in several places)
Turned off various authentication processes in group policy
UAC disabled everywhere
Using native Administrator account on all machines
Password prompt off (still does it though :(

Any ideas? :unsure:



#2
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,909 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

In Local Security Policy, Security Options, try playing with the Network Access objects.

Honestly, I would not have disabled any of those features, and instead created an account to map network drives with the appropriate permissions required for your tasks.
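
Added example, not part of the original post or written by its author: one way to set up the dedicated share account suggested above, with Change rather than Full Control rights. The account name `rendersvc`, folder `D:\renders`, share name `renders`, server name `FILESERVER` and drive letter `R:` are assumptions for illustration.

```batch
@echo off
setlocal
rem Usage: share-account.cmd server   (elevated prompt on the file server)
rem        share-account.cmd client   (on each render node, as the user the
rem                                    render software runs under)
rem Assumed names (not from the thread): account rendersvc, folder D:\renders,
rem share "renders", server FILESERVER, drive letter R:.
set ACCT=rendersvc
set SRV=FILESERVER
set SHARE=renders
set FOLDER=D:\renders

if /i "%~1"=="server" goto server
if /i "%~1"=="client" goto client
echo Usage: %~nx0 server^|client
exit /b 1

:server
rem Create the local account; "*" prompts for the password so it never
rem appears on the command line or in this file.
net user %ACCT% * /add || exit /b 1
rem Share permission: Change (read/write/delete), not Full Control.
net share %SHARE%=%FOLDER% /grant:%ACCT%,CHANGE || exit /b 1
rem NTFS permission: Modify, inherited by files (OI) and subfolders (CI).
icacls %FOLDER% /grant %ACCT%:(OI)(CI)M || exit /b 1
exit /b 0

:client
rem Show which account this session runs as; stored credentials and drive
rem mappings belong to this user only.
whoami
rem Store the credential for the server; /pass with no value prompts for it.
cmdkey /add:%SRV% /user:%SRV%\%ACCT% /pass || exit /b 1
rem Map the share persistently, then list what is stored and connected.
net use R: \\%SRV%\%SHARE% /persistent:yes || exit /b 1
cmdkey /list
net use
exit /b 0
```

Credentials stored with `cmdkey` and mappings made with `net use` are visible only to the user that created them, so the client half has to be run under the same account as the application that writes to the share.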

#3
hydroeon

    Newbie

  • Member
  • 13 posts
  • Joined 17-February 11
  • OS:Windows 7 x64

> In Local Security Policy, Security Options, try playing with the Network Access objects.
>
> Honestly, I would not have disabled any of those features, and instead created an account to map network drives with the appropriate permissions required for your tasks.


That's the problem I'm on about. It's easy to beef up the security and sort out the credentials so that network shares are easily accessible YES....BUT something in Windows prevents software packages receiving the same authority as a user clicking in Explorer. I'm just under the impression now that it's a bug in Windows and there are also a lot of inconsistencies in security features.
None of these machines have people using them (they are render servers) and I'm just at a stage where I don't care whose bug it is... I just want it to work... like it would work by using Linux for example.
Incidentally, software can access all resources if I set up an AD with a domain...which is a PITA for render servers with no users as they often have to be reconfigured.

The only workaround so far is to automount network shares with a batch file; this works (at a high security level) but there are too many drives to mount and I shouldn't have to think of so many workarounds.
AHA! I can even say this: NO software would be able to write to any of those shares when the software does not call Windows Explorer for its file copying! i.e. if you click save as etc. it would work... if the app tries to run in the background it wouldn't... it's either some settings or a bug :unsure:

#4
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,909 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

It may be what accounts those programs are running under. Are they running on one of the local machine accounts?

#5
hydroeon

    Newbie

  • Member
  • 13 posts
  • Joined 17-February 11
  • OS:Windows 7 x64
After a couple of very late nights I have tracked down the following bug (which I hope isn't really a bug):

On a default Win7x64SP1 MSDN install with all relevant credentials permanently installed for the \\fileserver-name-and-IP, all shares are accessible with full control in EXPLORER.

However, all applications that don't use explorer are not able to write any files to any share **UNTIL** that share is open in explorer i.e. open that share in explorer, leave the window open, and NOW all programs can access it! :wacko:

YES I thought it was just some parameter in Win7 security policy but after hours of trying nothing so far has worked :(

To replicate this bug you just need some software that doesn't utilise explorer for file copying.

If this can't be corrected by some setting on the win7 machine (don't see how the server could have anything to do with this since this behaviour is observed on 2003R2SP2 also!) then it's a bug and surely I'm not the only one who's come across it.

I really hope that somebody here knows how to fix this :angel

#6
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,909 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

Well I don't think any program actually would use Explorer to copy files. It would either be done via the API or Comspec call. Why opening the file in Explorer first would make a difference, I do not know.

#7
hydroeon

    Newbie

  • Member
  • 13 posts
  • Joined 17-February 11
  • OS:Windows 7 x64
For example when using Adobe software and clicking "save as" explorer pops up for the location and it saves normally.

Other software does not do this; you choose where to save the files within the application's own interface and it doesn't work.

Advanced Installer for example saves the file ok (again using the explorer-type-method) but when running the compiler it gets no write permissions unless the share is open in explorer :wacko:

#8
jaclaz

    The Finder

  • Developer
  • 14,577 posts
  • Joined 23-July 04
  • OS:none specified
If I may (in an attempt to clear up what the problem is), most programs use a Windows API or dll for the "Save as".
Some don't; an example is (if I remember correctly) - and BTW somewhat surprisingly - some versions of MS Office.
This is often evident when using localized versions of the software but English MS OS, or vice versa.

jaclaz

#9
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,909 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

> For example when using Adobe software and clicking "save as" explorer pops up for the location and it saves normally.


Ok, for some reason I was thinking that the programs having this problem were using a non Save As type method to write files.



