ITKE member BillBald posed this question:
I need to reorganize a network that uses
Windows Server 2003 and Windows XP Pro. While it's possible to log into the domain that resides on the server, users typically don't log into the domain. Instead, they log into the local machine, with usernames that are NOT known on the server. By using the server's IP address in shortcuts and scripts, unauthorized users can access files stored on the server. I believe that the server's security must have been partly disabled to allow this unauthorized access. I'm not sure if this matters, but I recently discovered that the router is being used as the Dynamic Host Configuration Protocol (DHCP) Server, instead of the Win2003 box. Can anyone suggest a mehod that forces users to log into the domain, to prevent this unauthorized behavior?
ITKE member lerandell replied:
It sounds like all of the systems have been created with the same username and password. I tend to believe that they are using the "administrator" username. And, if the "administrator" account is on both computers, and the account's password is "p@ssw0rd," each client has access to the other network accounts. To stop this, change the local administrator's account name to something users will not know. It's easy to do, simply go through Group Policies. I would also change the domain controller and workstation accounts. This will force everyone to use their assigned domain user accounts. And, if you want to follow up to see who attempts to access the account, create a fake, disabled administrator account and use it for security logging purposes.
ITKE member Guardian replied:
I would check the domain security policy and the local security policy. Make sure everyone has been joined into the domain and your permissions are not restrictive. Users must be authenticated to access the domain and resources. Most of these you can find in the Administrative Tools. Remove work grouped PCs like in XP home (type your Domain Name System (DNS) Suffix and select "change DNS suffix").
ITKE member dwiebesick replied:
To restrict local logon, you can use Group Policy. There is a security setting that can be set under a group policy, Computer Configwindows settingssecurity settingslocal policiesuser rights assignmentlogon locally, which you can learn about by reading Microsoft's Knowledge Base article number 823659.
You can also change the New Technology File System (NTFS) security setting to control what files/folders the end users access. Set it so only authorized domain authenticated users™ can access what you deem is appropriate.
IF you know what username and password users are using, change it. If it is the local computer administrator account, there are scripts available to easily change them.
ITKE member astronomer replied:
It seems that you have a domain working like a workgroup. If you have the authority, create domain accounts that have different names than the local accounts. Then, disable any domain accounts, (or at least change passwords), that are being used to get around the domain security, and force the users to use their domain accounts. You need to make sure the users have to use their own domain accounts to reach the resources they need on the server.
Keep in mind, however, I am assuming that the workstations are domain members. Once the users begin to log in with domain accounts, start managing them with Groups and Policies.
And, for the record, it doesn't matter what device is the DHCP server as long as it provides the proper addresses and options for your environment. The router should be a reasonable choice for a single subnet. Since it doesn't have a hard drive it is likely to be more reliable than a server.
ITKE member DaJackal replied:
Here's what I would do. First, go to: Start > Programs > Administrator Tools > Domain Controller Security Policy. Then, drill down to Security options.
Next, verify that the two entries below are as follows:
Selecting these two options should correct the anonymous access problem.
Finally, I would verify that the local accounts that the users are logging into are different than the ones on your domain, or local to your domain controller. The usernames can be the same if you want them to be, but you must make sure the passwords are different and that the users don't know what they are. Therefore, if the usernames are the same, the domain will prompt them for a password. Unfortunately, Windows only confirms the username; it does not verify the security identifier (SID). Following these steps should solve your server unauthorized access dilemma.
This was first published in June 2006