• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Workgroup user is able to access domain shared folder

I

It's Not Lupus

Senior member
I have this Windows Server (2012 R2 Essentials) where there's a domain and a shared folder. I created an account and gave it read permission to the folder. It's the only permission.

On a workgroup computer, there's an account with the same username and password that is able to access the shared folder. I didn't think this should happened. What's going on?
 
It's Not Lupus said:
On a workgroup computer, there's an account with the same username and password that is able to access the shared folder. I didn't think this should happened. What's going on?
Click to expand...

Well you learned something today. This is how windows behaves and it has done so since the beginning of the NT Domain. If the account attempts to connect to a domain it will attempt to use its current credentials and it they match a domain credential then they are in. I remember using this trick in windows NT 4.0 to get DMZ resources access to domain resources.
 
KB said:
Well you learned something today. This is how windows behaves and it has done so since the beginning of the NT Domain. If the account attempts to connect to a domain it will attempt to use its current credentials and it they match a domain credential then they are in. I remember using this trick in windows NT 4.0 to get DMZ resources access to domain resources.
Click to expand...
I see. It seems like a security issue, and to me, makes more sense for the computer to joined the domain first before accessing the share.
 
It's Not Lupus said:
I see. It seems like a security issue, and to me, makes more sense for the computer to joined the domain first before accessing the share.
Click to expand...

i disagree. it can be pretty useful to shared a folder from a domain machine and allow a non-domain device to access the data. maybe a nas, switch, router, *nix box, apple machine, etc has a need to read/write data to an SMB share but they cannot all necessarily be joined to your domain.

If you want good security, require complex passwords on domain accounts and carefully manage permissions on shared folders.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top