Server 2008R2 NAS - MAKE ALL SECURITY 100% ANONYMOUS

[hydroeon]

Greetings fellow MSFN-ers!

I seek to find the knowledge of how one could COMPLETELY eliminate folder sharing/network security features.

What I need to do is to have one 08R2 server let ANYONE access its shared folders with FULL control WITHOUT entering ANY passwords at ANY stage.

Now, the reason I can't be flexible on the above is because some applications I use are refused write access even when all security settings are properly configured. This is probably due to the software not being able to handle/pass down appropriate details but it's currently irrelevant as I just want to strip the server of ALL security to see if it's even possible.

By the way when I first learnt to configure the server to share securely I had to deal with something like 6 bugs in windows 7/08R2 SP1 so I'm not sure if the above is even possible in reality. For example, if the group policy is stripped of all security and everyone permissions are applied to shared folders then although anyone could fully access the folders PROVIDED they enter a fake i.e. ANY logon details at the prompt that pops up! NO this is not a 'feature', it's a bug because I've turned off all of the password prompt things anyway; they just keep doing it. A password prompt is enough to stop an app writing some files.

Current settings:

Firewall disabled

Anonymous settings sorted (enabled in several places)

Turned off various authentication processes in group policy

UAC disabled everywhere

Using native Administrator account on all machines

Password prompt off (still does it though

Any ideas?

[Tripredacus]

In Local Security Policy, Security Options, try playing with the Network Access objects.

Honestly, I would not have disabled any of those features, and instead created an account to map network drives with the appropriate permissions required for your tasks.

[hydroeon]

In Local Security Policy, Security Options, try playing with the Network Access objects.

Honestly, I would not have disabled any of those features, and instead created an account to map network drives with the appropriate permissions required for your tasks.

That's the problem I'm on about. It's easy to beef up the security and sort out the credentials so that network shares are easily accessible YES....BUT something in windows prevents software packages receiving the same authority as a user clicking in explorer. I'm just under the impression now that it's a bug in windows and there is also a lot of inconsistencies in security features.

None of these machines have people using them (they are render servers) and I'm just at a stage where I don't care who's bug it is..I just want it to work...like it would work by using linux for example.

Incidentally, software can access all resources if I set up an AD with a domain...which is a PITA for render servers with no users as they often have to be reconfigured.

The only workaround so far is to automout network shares with a batch file; this works (at a high security level) but there are too many drives to mount and I shouldn't have to think of so many workarounds.

AHA! I can even say this: NO software would be able to write to any of those shares when the software does not call windows explorer for its file copying! i.e. if you click save as etc. it would work...if the app tries to run in the background it wouldn't... it's either some settings or a bug

[Tripredacus]

It may be what accounts those programs are running under. Are they running on one of the local machine accounts?

[hydroeon]

After a couple of very late nights I have tracked down the following bug (which I hope isn't really a bug):

On a default Win7x64SP1 MSDN install with all relevant credentials permanently installed for the \\fileserver-name-and-IP, all shares are accessible with full control in EXPLORER.

However, all applications that don't use explorer are not able to write any files to any share **UNTIL** that share is open in explorer i.e. open that share in explorer, leave the window open, and NOW all programs can access it!

YES I thought it was just some parameter in Win7 security policy but after hours of trying nothing so far has worked

To replicate this bug you just need some software that doesn't utilise explorer for file copying.

If this can't be corrected by some setting on the win7 machine (don't see how the server could have anything to do with this since this behaviour is observed on 2003R2SP2 also!) then it's a bug and surely I'm not the only one who's come across it.

I really hope that somebody here knows how to fix this

[Tripredacus]

Well I don't think any program actually would use Explorer to copy files. It would either be done via the API or Comspec call. Why opening the file in Explorer first would make a difference, I do not know.

[hydroeon]

For example when using Adobe software and clicking "save as" explorer pops up for the location and it saves normally.

Other software does not do this; you choose where to save the files within the applications own interface and it doesn't work.

Advanced installer for example saves the file ok (again using the explorer-type-method) but when running the compiler it gets no write permissions unless the share is open in explorer

[jaclaz]

If I may, (in an attempt to clear what the problem is) most programs use for the "Save as" a Windows API or dll.

Some don't, an example is (if I remember correctly) - and BTW somewhat surprisingly - some versions of MS Office.

This is often evident when using localized versions of the software but English MS OS, or viceversa.

jaclaz

[Tripredacus]

For example when using Adobe software and clicking "save as" explorer pops up for the location and it saves normally.

Ok, for some reason I was thinking that the programs having this problem were using a non Save As type method to write files.