Monday, September 10, 2007

Accessing Windows XP Machines

Have you noted that when you try to access a Windows XP machine, in the Connect To window (Login screen) the User name field is disabled?
Earlier versions of Windows did not had this disabled so we were able to logon as any valid user by typing the account name and the password. But in Wondows XP this was disabled by a security policy.

This policy will also restrict the machine's ability of sharing files, per user sharing will not be possible.
Want to change it? Ok proceed by openning the Local Security Policy Settings window through Start -> Control Panel -> Administrative Tools -> Local Security Policy.
Now go to Network Access section and find out Net access : Sharing and security model for local accounts.
Then open the properties page of that by double clicking or right clicking and clicking on properties.

Did you note that the default is, Guest only - local users authenticate as Guest change this to Classic - local users authenticate as themselves.
Then press Ok to apply the setting and close all the opened windows.

Now from some other machine try to access your machine. See the difference. Now you can type any user name and the appropriate password and log in.

Also if you now go to folder properties you will see that the Sharing tab is having different content than earlier and also you will see a new tab named Security. You can use these tabs to set per user security and access rights.

For people who would like to know more, following is the explanation for the setting Net access : Sharing and security model for local accounts given by Microsoft.



Network access: Sharing and security model for local accounts
This security setting determines how network logons using local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account.

The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. By using the Guest only model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read Only or Modify.

There are two models available:

  • Classic: Local users authenticate as themselves.
  • Guest only: Local users authenticate as Guest.

Default:Guest only on Windows XP Professional. Classic on the Windows Server 2003 family and Windows XP Professional computers joined to a domain.

Important:With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Internet Connection Firewall (ICF) or other similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.
This setting only affects computers running Windows XP Professional which are not joined to a domain.This policy will have no impact on computers running Windows 2000.

Notes:This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Terminal Services.When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in the Windows Explorer to correspond to the sharing and security model that is being used.

2 comments:

Fkitten said...

Thanks for the article, I'm having a problem with windows 2000PCs that are not allowed to authenticate (gain access to a share on a XP machine) unless I change the Local Security Settings to Classic from Guest. These machines have the same accounts and same password on both machines. The user accounts are both in the administrators group. It would seem that these accounts should receive guest access but instead I received an error stating either userid or password is wrong.
I believe the issue is tied the user accounts/passwords are the same (on both machines) or the fact they are in the administrator group.

Arjuna said...

Hi Fkitten,
I am not 100% clear of your problem, but note that if you change the Windows XP machine security settings to Classic mode then you should be able to authenticate properly. I don't suspect that there is any problem with your Windows 2000 machines nor they need any changes.

Also note that having same user name in different machines is not a problem.
To properly authenticate prefix the machine name that you are going to connect before the user name.
For example if I am to connect to a machine named ‘DellServer’ having IP address 192.168.5.12 which having a user name ‘Adam’, I can type the user name as
DellServer\Adam
or
192.168.5.12\Adam

If you need more support please write back, I will try helping you.