I have just built a new machine that is going to live on my network. Part of its job is going to be to serve files to clients running various OS:
1) XP Pro
2) XP Home
3) Linux (embedded into media devices)
At present these files are on an XP Pro machine but as I don't have the lolley to buy another Pro license, I thought that XP Home should do fine.
The problem I have, apparently, is that XP Home only supports "Simple File Sharing" and I want to make my shares more secure than just giving the "Everyone" group access.
To do this I have taken the following steps:
1) Changed the "Guest" account password.
2) Created a common user on both the Home and Pro machines, with the same password.
3) Shared a Folder
Now at this point I would expect to be able to browse the share on the Home machine from the Pro machine using the shared user account details. This does not work ! Instead I am presented with a Guest login box ?
I thought that perhaps the permissions were wrong on the Home machine, so I have used CACLS to change the "Users" and "Everyone" group to read only and force the shared account to have Full privileges. Even so I am still presented with the Guest Login !
As soon as I put the correct "Guest" account password in, I am allowed to browse the share but only with Guest privileges (ReadOnly) and not with Full rights as defined for the shared account through CACLS.
Does anyone have any ideas or am I expecting too much from XP Home ?
Make sure "allow network users to change my files" is ticked. XP Pro allows you to set specific accounts to have access, Home only allows all or nothing. You may have to reboot as well. I've got my XP Home box set for sharing common files, and network drives mapped up to it.
I have some software from Intel that provides all the permissions etc. on the XP Home machine. Not sure if it will help in this instance but I'll dig it out.
Will boot XP in a bit and have a look
Beaker: That's what I really want to avoid.
I didn't realise that you couldn't use duplicate accounts to specify additional permissions. It seems really crap that there is no way to say "Share Folder to User Bob Only" in XP Home.
brummie, if you do have some software that'd be great :)
PM'd ya
It was worth a go but it does not solve the problem :(
It looks like all File/Folder sharing on XP Home is done using the "Everyone" group :s
If I change the permissions for the "Everyone" group then the network access is changed accordingly.
If I remove the "Everyone" group then I can no longer access the share even though I am using the same username/password on the remote machine.
XP Home is a bunch of bobbins.
hide the share$ ?
That doesn't solve the problem though.
Don't get me wrong, it's not like I have loads of random people who can access my network (or machine). I am just a seriously paranoid (and anal) individual who likes everything locked down as it should be.
I just cannot believe that MS would leave an XP Home machine this vulnerable by default. It seems crazy to me :/
The clue's in the name I think unfortunately :(
I think you're right :(
I am currently doing some manual Policy editing (through the registry) but I get the feeling that the actual services are missing :/
What else is the box to be used for ooi? If it's just file-serving some flavour of Linux would do the job I guess.
It's going to become my main rig, eventually.
So Linux is a big fat no-no :)
I made the fatal mistake of sticking my Pro License on my Shuttle and cannot remove it without ripping/destroying it :/
The more I play with Home the more I think I am going to have to go out and buy Pro though :(
I mean it seems totally daft that they allow Home to be a VPN server (same as Pro) but that you cannot use Terminal Services, Remote Desktop or adjust file sharing permissions !!
Frankly, MS are odd !
Oh well, don't be so tight next time ;)
Can't you hang on 5 months for their next offering?
Home connects to terminal services no problems here. Though this machine is outside the domain.
Just remember to put "DOMAIN\USERNAME" into the login box as you'll be outside the domain.
http://www.zombiechorus.com/rick/desktop.jpg
You can get VPN to work from HOME?! Blimey! I've never got that working.
And beaker, you can connect to terminal services, but you can't use terminal services on the home machine.
I.e. you can't access home remotely. It also won't work on domains :)
Quote from: M3ta7h3ad
You can get VPN to work from HOME?! Blimey! I've never got that working.
And beaker, you can connect to terminal services, but you can't use terminal services on the home machine.
I.e. you can't access home remotely. It also won't work on domains :)
That is semi-true. I've seen the hack involving the 2k3 disk and XP Home. Just trying to remember where I've seen it. Still not fully functioning, but should work ok.
Yeah sorry, I mustn't have worded that very well.
I am trying to connect to TS/RD over VPN.
I am about 95% convinced that I am going to have to buy Pro.
http://ultravnc.sourceforge.net/
Tried that? Supposed to be ok, though I've never used it myself.
Yeah, I've got TightVNC on there for now but it means installing the client on the machines I want to remote from.
The biggest drawback is the lack of proper security on file shares and there appears to be nothing I can do about that :(
There's always an FTP server if you want proper control over the access rights.
Not ideal, but tolerable if you get one that allows access through a nice web interface or similar.
That's not a bad idea but somewhat limiting in the way I would like to share the files. It would mean that anything I want to share with permissions above "read-only" would have to go through the FTP server. Which really means that just my MP3 and TV stuff would be available on Windows shares :s
I cannot express in words how much I am ranting about the sh*tness of XP Home ! *rar*
What was I thinking ? And why oh why didn't I do some research first ?
And WHY OH WHY DID I STICK THE DAMN LICENSE STICKER ON THE PC !!!
£90 freaking quid ffs :s
http://www.ebuyer.com/UK/product/97544/rb/20863226916
Hmmm, I am looking at Windows Media Center 2005 now...
I have just stuck it on a VM and it appears to have all the features of XP Pro except the domain stuff; gpedit and the like.
It's £20 cheaper than Pro and more suited to one of the reasons for my new machine; delivering content to my 360 !
http://www.ebuyer.com/UK/product/114051
The "Everyone" group does NOT include the Guest account.
Something you should be aware of
You're quite right but on XP Home it makes little difference as it appears that in order to share a folder in XP Home either the Guest Account or the Everyone group must have at least read permission on the folder being shared.
The most annoying thing is that the ForceGuest policy setting is ignored, so all network connections are always authenticated as a Guest user. Therefore to access a network resource the Guest (or Everyone Group) account must have access to the shared resource.
You cannot even use specific NTFS File Permissions to override the Share Level permissions. As soon as you remove "Everyone"'s permissions from an object you can no longer access it over the network. Regardless of whether you have 2 identical User/Password accounts set up between the 2 PCs.
This carries even when the item is within a shared folder. i.e.
PC1 has a user account of "Dave", password "bob".
PC2 has a user account of "Dave", password "bob".
On PC1 a Folder "A" is Shared as "Read-only" on the network tab. By default the "Everyone" group is granted NTFS Read permissions. In addition I grant "Dave" read permissions.
I create a subfolder within "A", folder "B" and by default it inherits its permissions from folder "A".
I then access both folder "A" and folder "B" from the "Dave" account on PC2.
As expected everything is fine and I can browse both directories and their contents...
I then decide that I don't want "Everyone" having access to subfolder "B", so I revoke the NTFS read rights of "Everyone" on "B". So in theory, "B" will still be visible to "Everyone" as a folder within "A" but only the "Dave" account has access to read folder "B". Folder "B" should no longer be accessible to Joe Bloggs on PCWhatever.
Guess what? Not only can Joe Bloggs no longer access folder "B" but neither can the "Dave" account on "PC2". That's the "Dave" account who has been given explicit read permission to the folder !
And so that is why, on XP Home, the Everyone and Guest account are one and the same.
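Added example, not part of the original thread: a simplified Python model of the access check behind the folder "A" / "B" walk-through above, comparing guest-only network logons with the classic per-user model. It assumes, from the behaviour observed in the thread, that a guest-mapped session matches only the Guest and Everyone entries; all names and ACLs are constructed, and deny entries are not modelled.

```python
# Added illustration: simplified model of the access decision described in the
# thread. Not Windows code; names and ACL layout are constructed for the example.

READ, WRITE = "read", "write"

def network_token(user, force_guest):
    """Identities the server attaches to an incoming network session."""
    if force_guest:
        # Assumption from the thread's observations: the supplied username is
        # ignored and the session runs as Guest, which also matches Everyone.
        return {"Guest", "Everyone"}
    return {user, "Everyone"}          # classic model: the real account is used

def granted(acl, token):
    """Union of rights from every ACL entry whose trustee is in the token."""
    rights = set()
    for trustee, perms in acl.items():
        if trustee in token:
            rights |= perms
    return rights

def effective(user, share_acl, ntfs_acl, force_guest):
    """Access over the network = share permissions AND NTFS permissions."""
    token = network_token(user, force_guest)
    return granted(share_acl, token) & granted(ntfs_acl, token)

# Constructed sample data mirroring the folder "A" / "B" walk-through.
SHARE_A = {"Everyone": {READ}}                    # shared read-only
NTFS_A = {"Everyone": {READ}, "Dave": {READ}}
NTFS_B = {"Dave": {READ}}                         # "Everyone" revoked on B

def scenario(force_guest):
    """Dave's effective rights on A and B for the given logon model."""
    return {
        "A": effective("Dave", SHARE_A, NTFS_A, force_guest),
        "B": effective("Dave", SHARE_A, NTFS_B, force_guest),
    }

if __name__ == "__main__":
    print("Guest-only logons:", scenario(True))
    print("Classic model    :", scenario(False))
```

In the guest-only case the entry for "Dave" never matches, so removing "Everyone" from "B" removes the only entry the session could use.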
Oh...
I have just finished trying to use the NTRights.exe app that is part of the Win2k3 Resource Kit to see if I could force the Network Logon rights under the bonnet. But alas, between me not really knowing what the hell goes on under the bonnet and the help file not really helping, it didn't happen :(
http://www.ss64.com/nt/ntrights.html
It's worth noting that on XP Home the ntrights.exe commands fail if "ForceGuest" has been disabled in the registry !
I should add, just for anyone who was reading this in the hope of finding a solution that there is really only one thing you can do to secure shares within XP Home and that is to change the Guest account password.
To change the Guest account password do the following:
Open a command prompt (Start->Run->cmd)
type: net user Guest <password>
Once you have done that, anyone trying to access a share will be prompted to enter the Guest account password. If they know it they'll have access to all of your shares, if they don't know it then they cannot get in.
This is useless to me as I have devices on the network that need to access the share and they do not allow me to specify a password.
To set the password back to blank, do the same but use "" for the password. That's a set of empty double quotes.