How to protect shared folders

Status
Not open for further replies.
You can try using Windows Firewall to do this. Just block sharing on the three comps, then make exceptions for the IPs. :D
 
I'm testing this thing at home, and I'm reading this
http://www.practicallynetworked.com/sharing/xp_filesharing/whole.htm

It's not a long read, but it gives you a good idea of why it doesn't work for you.

You can't password protect an individual folder or file with ACL, or at the local level with NTFS permissions.

To be able to get the result you need but differently, you must be able to make the user authenticate before being able to view the shares! You still protect the individual folder using ACL (share tab) and NTFS (security tab).

Ok, here's an example:

ComputerA---wants to connect to ComputerB---->ComputerB
ComputerA is logged in locally as Tom.
When ComputerA goes to My Network Places, browses the entire network and sees ComputerB, double-clicking on ComputerB prompts for a login before it even shows the shares.

Now on the ComputerB side, let's say there are user accounts called Private and Public. 2 folders are shared (public and private). Everyone can browse public, but only the account Private was set up in the ACL (sharing tab) and NTFS (security tab) to be able to browse the folder private.

Now back on ComputerA, it's still at the prompt. ComputerA logs in with the ComputerB\Public account. He can see both folders (public & private) but he can only access public, because the account he is logged in as (ComputerB\Public) doesn't have permission for the folder Private.

Now if ComputerA were to log in as ComputerB\Private, then he will still see both folders but he will have access to the Private folder because of his credentials.

This is how it works in a workgroup environment. And this is how you need to do it.
 
Well, I tried this at home and it works flawlessly. The only problem is getting the prompt back: since the remote XP Pro machine stores the previous login, you have to restart. This is the default behavior with XP and 2000.

Because of this method, I think it's the reason why you are running into issues.

Not sure if there's a fix for this in the registry but I will look it up.

Just remember that if you have an identical account with an identical password on each computer, it will skip the login prompt. The same goes if you have the Guest account enabled, since XP Home and XP Pro (if using simple file sharing) are forced to authenticate with this account by default.
 
You know it works very well on Linux, you actually get a login prompt before connecting to the computer, then if your login doesn't have permission for a specific folder it also gives you a login prompt for that folder.

Yeah, the only problem is getting it to work like Linux on Windows XP. That I don't know; I am pretty sure this will require a registry tweak somewhere. :(
 
thanks for your advice mate.. especially on this one:

Well, I tried this at home and it works flawlessly. The only problem is getting the prompt back: since the remote XP Pro machine stores the previous login, you have to restart. This is the default behavior with XP and 2000.

Because of this method, I think it's the reason why you are running into issues.

Not sure if there's a fix for this in the registry but I will look it up.

Just remember that if you have an identical account with an identical password on each computer, it will skip the login prompt. The same goes if you have the Guest account enabled, since XP Home and XP Pro (if using simple file sharing) are forced to authenticate with this account by default.

.. it answers lots of my "what gives?" questions lol

yes i do have identical accounts on all the computers and they are used as the default login (most of the computers here are imaged/cloned)..

regarding the way to FORCE PROMPT it, there is a command line to do it:

Net use IP /u:username or something like that.. i've used it before and it seems to work ok.. but i don't want my users to have to do this..

so what i really need is for XP to somehow let users log in (and not store it), or at least find a way to clear that login cache.. i thought it was the "Disconnect mapped drive" option in explorer but tried it and it didn't work..

hmm
 
Just remember that if you have an identical account with an identical password on each computer, it will skip the login prompt. The same goes if you have the Guest account enabled, since XP Home and XP Pro (if using simple file sharing) are forced to authenticate with this account by default.

hmm about this.. all my computers have the same accounts on them, as per your examples, PRIVATE and PUBLIC.. the connecting computers are logged in as PUBLIC, the folders are protected on the host computer and have privileges for the PRIVATE account..

i usually don't go through network neighborhood anymore, i just run "\\computername" in the run dialogue.

on some connecting computers i get the prompt and on some they seem to want to log in automatically as PUBLIC (since it's the logged in user)..

i tried rebooting, still the same results.. will play around some more. keep posting tips. it's GREATLY appreciated..
 
hmm.. that article (http://www.techist.com/showthread.php?s=&postid=1037593#post1037593) is confusing me. at one part, it says:
If Windows XP Professional doesn't recognize the user name and password presented by a Windows 2000 or XP computer which wants to access a share, you can enter different credentials. Here, we're logged on to another Windows XP computer as a user which doesn't have an account on the computer named RONS-PC. Entering a valid user name and password grants access.

basically it says here that if the client computer doesn't have an account similar to one on the host computer, the client PC gets prompted for a username and pass so it can log on using a permitted account on the host pc.. this is what i would expect...

then at the bottom part it says:
The basic answer is YES. You need to create identical user accounts on all machines which a user needs to access. It's best if the user name and password are the same on all of them. Then, the user name and password offered by that machine will be accepted by all of the other computers.

what is it really then? i've tried both ways and am still getting irregular results.. some prompts, some just completely denied...with no way to get the prompts..
 
If Windows XP Professional doesn't recognize the user name and password presented by a Windows 2000 or XP computer which wants to access a share, you can enter different credentials. Here, we're logged on to another Windows XP computer as a user which doesn't have an account on the computer named RONS-PC. Entering a valid user name and password grants access.

Yes, you are right: ComputerA wants to connect to ComputerB, so ComputerA has to log in with an account on ComputerB. That's basically how a workgroup works on Windows. If you had the same account and that account had the same password, it would use this identical account and skip the prompt. Take the Guest account for example: this Guest account has no password and it's on every Windows XP and 2000 machine. This is the account that XP and 2000 use by default for network file sharing. This is the only account that doesn't need a password. All other created accounts must be password protected in order to be used over the network.


The basic answer is YES. You need to create identical user accounts on all machines which a user needs to access. It's best if the user name and password are the same on all of them. Then, the user name and password offered by that machine will be accepted by all of the other computers.

This is the transparent way: identical account with identical password. No login prompt is presented. ComputerA has an account called Tom with a password of "password" and so does ComputerB. While the Guest account is disabled, ComputerA will use Tom on ComputerB to log in without prompting you. The same is true if ComputerB wants to access ComputerA. ComputerB will use the account Tom on ComputerA without prompting you.

The stupid thing is the local computer caches the previous login, and I don't know how to clear it or get the login prompt back with a command.

The solution I found is to delete the account that it's using on the remote computer and create another one. Then it will prompt again. Check Computer Management > Shared Folders > Sessions on the remote computer to see what the other computer is logged in as.
 
Yes, you are right: ComputerA wants to connect to ComputerB, so ComputerA has to log in with an account on ComputerB. That's basically how a workgroup works on Windows. If you had the same account and that account had the same password, it would use this identical account and skip the prompt. Take the Guest account for example: this Guest account has no password and it's on every Windows XP and 2000 machine. This is the account that XP and 2000 use by default for network file sharing. This is the only account that doesn't need a password. All other created accounts must be password protected in order to be used over the network.

yes.. so it is then possible to log in to a remote computer and see the private shares, without any identical account on both connecting and host computers, so long as i log in using an account (with access rights) on the host when prompted for a username and password..

this is how i thought it was really...but if only i can get that prompt..

This is the transparent way: identical account with identical password. No login prompt is presented. ComputerA has an account called Tom with a password of "password" and so does ComputerB. While the Guest account is disabled, ComputerA will use Tom on ComputerB to log in without prompting you. The same is true if ComputerB wants to access ComputerA. ComputerB will use the account Tom on ComputerA without prompting you.

ok, so both computers (Com A and Com B) have identical accounts called "Tom" on them.. transparent sharing of a secured shared resource.. fine.. but, will it work when:

1) Com A is not logged in as Tom
2) Com B is not logged in as Tom
3) Both aren't logged in as Tom

The solution I found is to delete the account that it's using on the remote computer and create another one. Then it will prompt again. Check Computer Management > Shared Folders > Sessions on the remote computer to see what the other computer is logged in as.
this could prove useful, thanks. will try it.
 
ok, so both computers (Com A and Com B) have identical accounts called "Tom" on them.. transparent sharing of a secured shared resource.. fine.. but, will it work when:

1) Com A is not logged in as Tom
2) Com B is not logged in as Tom
3) Both aren't logged in as Tom

Yes, as long as the account is enabled on both computers, they don't need to be logged in locally. You can even disable the Tom account from logging in locally, which would still preserve it for logging in through the network.
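
Added example, not part of any post in this thread: a batch script for the connecting PC that drops existing connections to the host and reconnects to the protected share under an explicit account, which is the `net use` approach mentioned above written out in full. The names ComputerB, public, private and Private are the thread's example names; the script itself is an illustration, not something the posters ran.

```bat
@echo off
rem Added example: reconnect to a workgroup share under a different account.
rem HOST, the share names and ACCOUNT are the thread's example names
rem (assumptions); substitute your own.
setlocal
set HOST=ComputerB
set ACCOUNT=%HOST%\Private

rem 1. Drop every existing connection to the host. Windows accepts only one
rem    set of credentials per server at a time, so a leftover connection made
rem    as the logged-in user makes the reconnect fail with system error 1219.
rem    IPC$ is included because browsing to \\%HOST% creates it.
for %%s in (public private IPC$) do (
    net use \\%HOST%\%%s /delete /yes >nul 2>&1
)

rem 2. List what is still connected; nothing pointing at \\%HOST% should remain.
net use

rem 3. Reconnect with explicit credentials. The * makes net use prompt for
rem    the password instead of taking it on the command line, and
rem    /persistent:no keeps the connection from being restored at next logon.
net use \\%HOST%\private * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Could not connect to \\%HOST%\private as %ACCOUNT%.
    exit /b 1
)
echo Connected to \\%HOST%\private as %ACCOUNT%.

rem On the host itself, the command-line view of
rem Computer Management - Shared Folders - Sessions is:
rem     net session
rem which lists each connected computer and the account it authenticated as.
rem     net session \\ComputerA /delete
rem ends the session from that client.
endlocal
```

The explicit `/user:` value is what the host checks against the share and NTFS permissions, regardless of which account is logged in locally on the connecting PC.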
 