
Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
1,481 Posts
Discussion Starter #1
For those of you that tried to help me with my unknown 31 error when my 98 laptop tried to see my XP machine, this article explains it....

This week we continue the discussion on how connection credentials are used with Windows 2000 and Windows XP. Last week we looked at the steps or rules that are used when you connect to a Windows 2000 computer. This week I will expand on that by examining the additional rules that Windows XP uses when dealing with connection credentials. This is when a connection is made to a Windows XP computer. There are also several enhancements when you create a connection from Windows XP to another computer, such as the use of the Credentials Manager in Windows XP, but that is not discussed in this week's feature.

The additional steps for Windows XP are step 4 and step 5c.

Just to recap: for a connection to a Windows 2000 computer, I listed several steps to determine which set of credentials will actually be used on Windows 2000. Steps 1 through 3 are processed on the client side of the connection, while steps 4-6 are processed on the server side. Step 2 or 3 is: use <domain>\<user name> and <password>, or use just <user name> and <password> without the domain indication to set up the connection. Windows 2000 continues with step 5a (Does the user name exist?), but there is a step 4 that I skipped last week.

Step 4 is the first thing a Windows XP computer will do for an incoming connection:

4) Is ForceGuest enabled? Yes: Success, create access token using the Guest account and we are done. No: go to 5.

ForceGuest is a new feature of Windows XP that ensures that all file and print connections to the Windows XP computer, either using an existing user name or a non-existing user name, will use the Guest account, instead of the true credentials of the user. You may know it under the more familiar name: Simple File Sharing.

Effectively, this means that no one can create a remote administrative connection to the Windows XP computer. And this includes the local administrator of Windows XP! This is a great plus for home users. Even if somebody on the Internet were to know a user name and password combination for administrative access to the Windows XP computer, that combination cannot be used to remotely connect to the computer with higher privileges. The attacker would always just be Guest.

This option is always on for Windows XP Home, but does not apply to Windows XP Professional computers in a domain. For stand-alone Windows XP Professional computers, you can disable the option.

The registry value ForceGuest at HKLM\System\CurrentControlSet\Control\LSA determines whether this option is on or off. In the Windows XP user interface, you can change this through Explorer/Tools/Folder Options/View/Use simple file sharing or set a security option in group policies: 'Network access: Sharing and security model for local accounts'.

The other additional step for Windows XP is step 5c. After steps 5a (Does the user name exist?: yes), and step 5b (Does the password match?: yes), Windows XP does not yet create an access token for the account represented by this matching user name and password combination.

5c) Is the password blank? Yes: Success, create access token using the Guest account. No: Success, create access token for the actual user name.

You can change this special behavior for blank passwords with a security option in group policies: 'Accounts: Limit local account use of blank password to local console logon only'.

Notice that we now found three ways that a connecting user will automatically use the Guest account on Windows XP: when ForceGuest/Simple File Sharing (step 4) is enabled, when an existing user name has a blank password (step 5c), or when a non-existing user name (step 6) is used. You can see that this automatic Guest usage took place by checking the Guest column under Shared Folder/Sessions in Computer Management. Right-click on My Computer and select Manage to open Computer Management.

Of course, this automatic Guest usage does not happen when you disable the Guest account. But watch out here! A stand-alone Windows XP computer has two different ways of 'disabling' the Guest account. In Control Panel/User Accounts, you can 'turn off' the Guest account. This is not the same as disabling the Guest account in Computer Management! When you turn off the Guest account, it will no longer be listed on the Welcome Screen, and it will have the 'Deny log on locally' right. However, a Guest account that is turned off will still be used for network connections! Very surprising that 'turn off' is not the same as 'disable'.

Before I finish this article on the use of connection credentials, here's a nice tip that several readers sent me:

When you create a connection to a computer, using "net use \\<server> /user:<user name> <password>", you can specify the server name by name (\\ServerA), or by IP address (\\10.64.1.7). It so happens that both representations can use their own set of credentials, without causing the error message "The credentials supplied conflict with an existing set of credentials." to appear. That is a great way to connect to the same computer with an alternate set of credentials, without having to delete the first connection.
:clap: :clap: :cheers: :jump2: :wave:
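
The server-side steps quoted in the post above (4, 5a-5c and 6), written out as a small decision model. This is an added example, not part of the post or the quoted article, and it is not Windows code: the class, field and function names are hypothetical, and the outcomes for a wrong password and for a disabled Guest account (no token) are assumptions, since the article does not spell them out.

```python
from dataclasses import dataclass, field

GUEST = "Guest"
DENIED = None  # no access token is created


@dataclass
class XPServer:
    """Constructed model of the settings the article names."""
    accounts: dict = field(default_factory=dict)  # user name -> password
    force_guest: bool = True        # step 4: ForceGuest / Simple File Sharing
    blank_rule: bool = True         # step 5c: blank-password rule in effect
    guest_disabled: bool = False    # disabled in Computer Management
    guest_turned_off: bool = False  # 'turned off' in Control Panel/User Accounts

    def _guest(self):
        # Per the article, only a *disabled* Guest stops the fallback.
        # guest_turned_off is deliberately ignored: a 'turned off' Guest
        # is still used for network connections.
        return DENIED if self.guest_disabled else GUEST

    def token_for(self, user, password):
        """Return the account whose access token the connection receives."""
        if self.force_guest:                    # step 4
            return self._guest()
        if user not in self.accounts:           # step 5a fails -> step 6
            return self._guest()
        if self.accounts[user] != password:     # step 5b fails
            return DENIED                       # assumption: connection refused
        if password == "" and self.blank_rule:  # step 5c
            return self._guest()
        return user


def guest_routes(server):
    """List which of the article's three automatic-Guest routes are reachable."""
    if server.guest_disabled:
        return []
    if server.force_guest:
        return ["step 4: ForceGuest"]  # later steps are never reached
    routes = []
    if server.blank_rule and "" in server.accounts.values():
        routes.append("step 5c: blank password")
    routes.append("step 6: unknown user name")
    return routes
```

With `force_guest=True` even a correct administrator password yields the Guest token, which is the behavior the article describes for Windows XP Home.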
 

·
Registered
Joined
·
1,691 Posts
Thanks for the info :D

But most likely the only people that are gonna understand that ... are the ones that don't really need the help anyway.;)

But I guess it will give the support guys a couple new cards to play.
 

·
Registered
Joined
·
1,481 Posts
Discussion Starter #3 (Edited)
If you are an expert in EVERYTHING...then my hat's off to you sir...:winkgrin: :winkgrin: :winkgrin:

where were you when I first asked it:confused:



hehehehe - I do this for a living and work with a talented bunch and we were all stumped:laugh1: :laugh3: :crackup:
 

·
Registered
Joined
·
1,691 Posts
:no: I had no clue either, it was the explanation I was talking about, it was also difficult to understand.

I meant that anyone who could figure it out (the explanation of the problem) reading it probably wouldn't be having computer problems anyway. :D

I read it a couple times and I think I'm still a little fuzzy..
 

·
Registered
Joined
·
1,481 Posts
Discussion Starter #5
I agree...but in plain English....if you're having networking problems in a non-domain setting....make sure simplified sharing is enabled...:|
 