Guest Confusion
Tuesday 3rd April, 2007 00:15 Comments: 0
A friend raised an interesting point regarding Simple File Sharing on Windows. Personally, I keep my Guest account disabled and rely upon having the same local username and password (or mapping a different username and password) on two machines that are not part of a domain (things are obviously a lot simpler when both machines are on the same domain), as I don't like the idea of anyone connecting to my shares.
According to this article "By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2)" and this article also states that "When a Windows 2000 system is upgraded to Windows XP Professional, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions. However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows XP Professional computers, you can change the Network access: Let Everyone permissions apply to anonymous users security setting." (some of you may have already noticed that the first link specifically mentions the change in behaviour as of SP2, while the second link suggests it applies to all versions of XP).
And according to this MSDN article, Authenticated Users are "Any user recognized by the local machine or by a domain. Note that users logged in using the Builtin Guest account are not authenticated. However, members of the Guests group with individual accounts on the machine or the domain are authenticated." and an Anonymous Logged-on User is "Any user logged on without an identity, such as an anonymous network session. Note that users logging in using the Builtin Guest account are neither authenticated nor anonymous. This SID is only available on Windows XP and later."
So if the Guest account is "neither authenticated nor anonymous", why does enabling the Group Policy setting "Network access: Let Everyone permissions apply to anonymous users" apparently allow a Guest account to access a folder that is shared with default permissions of Everyone: Read only?
To help confuse things, according to the XP Professional Product Documentation (that I also linked to above), "The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests." Read literally, that sentence says Authenticated Users is Everyone minus anonymous users and guests, so Everyone does contain guests while Authenticated Users does not. Yet the MSDN article clearly says that "members of the Guests group with individual accounts on the machine or the domain are authenticated", so the two documents only agree if "guests" in the product documentation means logons via the Guest account rather than members of the Guests group (perhaps by "Guests" they meant "Guest"?).
My assumption is that enabling the group policy setting must also let Everyone permissions apply to the Guest account (as other members of Guests are apparently considered to be authenticated). I still think it's odd that the Guest account is not considered to be an Anonymous user (I shall have to see if adding Anonymous users will allow access with the Guest account), but at the same time apparently isn't included as Everyone. I wish Microsoft's documentation was clearer.
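As a practical check (this is an added example, not part of the original post), the following PowerShell reads the registry values behind the two policies discussed above, reports whether the Guest account is enabled, and lists which share-level ACEs on this machine are granted to Everyone, Anonymous Logon, Authenticated Users, the Guests group or the Guest account. The registry value names and well-known SIDs are Microsoft's; the function names and the summary field at the end of the policy object are this example's own assumptions and simplifications.

```powershell
# Added example (not from the original post). Reads the policy values that govern
# anonymous / Guest access to shares and lists the share-level ACEs granted to the
# principals discussed above. Run it in an elevated PowerShell session on the share host.
# Registry value names and well-known SIDs are Microsoft's; the summary field at the
# end of Get-AnonymousAccessPolicy is this example's own simplification.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Well-known principals relevant to the Everyone / Anonymous / Guest question.
$KnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-AnonymousAccessPolicy {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    $srv = Get-ItemProperty -Path $ServerKey -ErrorAction Stop

    # 'Network access: Let Everyone permissions apply to anonymous users' lives in
    # DWORD EveryoneIncludesAnonymous: 1 = enabled; 0 or absent = disabled (the XP SP2
    # default, under which the Everyone SID is not placed in anonymous tokens).
    $everyoneIncludesAnonymous = ($lsa.EveryoneIncludesAnonymous -eq 1)

    # 'Network access: Sharing and security model for local accounts' lives in DWORD
    # ForceGuest: 1 = 'Guest only' (what Simple File Sharing selects), 0 = 'Classic'.
    $forceGuest = ($lsa.ForceGuest -eq 1)

    # Null-session access to a share additionally depends on these two server values.
    $restrictNullSession = ($srv.RestrictNullSessAccess -ne 0)   # absent counts as restricted
    $nullSessionShares   = @($srv.NullSessionShares)               # MULTI_SZ, may be empty

    # Guest account state through the WinNT ADSI provider (works on XP through current Windows).
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $ADS_UF_ACCOUNTDISABLE = 0x2
    $guestDisabled = (([int]$guest.UserFlags.Value) -band $ADS_UF_ACCOUNTDISABLE) -ne 0

    [pscustomobject]@{
        EveryoneIncludesAnonymous = $everyoneIncludesAnonymous
        ForceGuest                = $forceGuest
        RestrictNullSessAccess    = $restrictNullSession
        NullSessionShares         = ($nullSessionShares -join ', ')
        GuestAccountDisabled      = $guestDisabled
        # Simplified summary (this example's assumption): an unauthenticated SMB client can
        # end up holding the Everyone SID either by being mapped to an enabled Guest account
        # under the 'Guest only' model, or via an anonymous token to which policy adds Everyone.
        UnauthenticatedCanMatchEveryone = ((-not $guestDisabled) -and $forceGuest) -or $everyoneIncludesAnonymous
    }
}

function Get-ShareAcesOfInterest {
    # Walks the share-level DACL of every share and returns the ACEs granted to Everyone,
    # ANONYMOUS LOGON, Authenticated Users, BUILTIN\Guests or the local Guest account (RID 501).
    foreach ($setting in Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting) {
        $result = Invoke-CimMethod -InputObject $setting -MethodName GetSecurityDescriptor
        if ($result.ReturnValue -ne 0) { continue }   # e.g. access denied on admin shares
        foreach ($ace in $result.Descriptor.DACL) {
            $sid = $ace.Trustee.SIDString
            $isGuestAccount = $sid -like 'S-1-5-21-*-501'
            if (-not ($KnownSids.ContainsKey($sid) -or $isGuestAccount)) { continue }
            [pscustomobject]@{
                Share      = $setting.Name
                Principal  = if ($isGuestAccount) { 'Guest (RID 501)' } else { $KnownSids[$sid] }
                Sid        = $sid
                Type       = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
                # Share permission masks: 0x1200A9 = Read, 0x1301BF = Change, 0x1F01FF = Full Control
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

Get-AnonymousAccessPolicy | Format-List
Get-ShareAcesOfInterest   | Format-Table -AutoSize
```

The second half of the question (whether a Guest logon holds the Everyone SID at all) can be settled on the client side without reading any documentation: run whoami /groups inside a session logged on as Guest and look for S-1-1-0 (Everyone) and the absence of S-1-5-11 (Authenticated Users) in the token's group list.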