Cannot access local shares via the Network window

Hello,

I am logged in as a sub-administrator (not as the "super" administrator)
into Vista Biz. I've created a folder, "Test" and shared it only with the
Administrators group (of which my login account is a member -- it is NOT a
member of the Users group). (I've turned off the Sharing Wizard and set up
the shares via the Advanced Sharing button).

I can access the folder in by it's path in Explorer, i.e., D:\Test. I have
full NTFS permissions as a member of the Administrators group.

If I open another Explorer window on this computer and navigate to this
computer under the Network item in the folder tree and try to access the
folder via it's share, I receive a "Permission Denied" error.

However, if I go to another machine on this peer-to-peer network and log in
with the same credentials, I can access the share as I expect.

I am confused by this. Is this a bug or another "feature".

--
David Dickinson
eveningstar at die-spammer-die dash mvps dot org
Please reply only to the newsgroup, not by email.

David Dickinson wrote:
> Hello,
>
> I am logged in as a sub-administrator (not as the "super" administrator)
> into Vista Biz. I've created a folder, "Test" and shared it only with
> the Administrators group (of which my login account is a member -- it is
> NOT a member of the Users group). (I've turned off the Sharing Wizard
> and set up the shares via the Advanced Sharing button).
>
> I can access the folder in by it's path in Explorer, i.e., D:\Test. I
> have full NTFS permissions as a member of the Administrators group.
>
> If I open another Explorer window on this computer and navigate to this
> computer under the Network item in the folder tree and try to access the
> folder via it's share, I receive a "Permission Denied" error.
>
> However, if I go to another machine on this peer-to-peer network and log
> in with the same credentials, I can access the share as I expect.
>
> I am confused by this. Is this a bug or another "feature".
>
> --
> David Dickinson
> eveningstar at die-spammer-die dash mvps dot org
> Please reply only to the newsgroup, not by email.
>

That's strange.

Do non-admins have read access to the folder?

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

"Jimmy Brush" <jb@mvps.org> wrote in message
news:%23vOQEGBrHHA.500@TK2MSFTNGP02.phx.gbl...
> That's strange.
>
> Do non-admins have read access to the folder?

Hi, Jimmy,

No. I removed the Everyone group from the share permissions because I want
ONLY the Administrators group to be able to access the folder over the
network. However, the NTFS permissions are the "standard" inherited ones
from the root of the drive, i.e., Authenticated Users, Administrators,
SYSTEM, and Users all have their usual NTFS permissions.

--
David Dickinson
eveningstar at die-spammer-die dash mvps dot org
Please reply only to the newsgroup, not by email.

David Dickinson wrote:
> "Jimmy Brush" <jb@mvps.org> wrote in message
> news:%23vOQEGBrHHA.500@TK2MSFTNGP02.phx.gbl...
>> That's strange.
>>
>> Do non-admins have read access to the folder?
>
> Hi, Jimmy,
>
> No. I removed the Everyone group from the share permissions because I
> want ONLY the Administrators group to be able to access the folder over
> the network. However, the NTFS permissions are the "standard" inherited
> ones from the root of the drive, i.e., Authenticated Users,
> Administrators, SYSTEM, and Users all have their usual NTFS permissions.
>
> --
> David Dickinson
> eveningstar at die-spammer-die dash mvps dot org
> Please reply only to the newsgroup, not by email.
>

I have verified this behavior.

This seems to be some sort of security protection feature, most likely
to prevent unelevated programs from bypassing UAC restrictions by
accessing administrative shares/named pipes meant for remote
administration from the local machine.

I am not aware of how Windows is accomplishing this or any way to
disable this, but if I find out anything else I will let you know.

I can say that if you access the share from an elevated app, then the
restrictions disappear.

Unfortunately, you cannot easily (or safely) elevate an explorer window.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

"Jimmy Brush" <jb@mvps.org> wrote:
> This seems to be some sort of security protection feature, most likely to
> prevent unelevated programs from bypassing UAC restrictions by accessing
> administrative shares/named pipes meant for remote administration from the
> local machine.

Yeah. It's not a big deal (I just got used to being lazy in every older
version of Windows), and may even be a good idea.

> I can say that if you access the share from an elevated app, then the
> restrictions disappear.

Hmm... sort of defeats the purpose, if it is a security protection feature.

David

David Dickinson wrote:
>> I can say that if you access the share from an elevated app, then the
>> restrictions disappear.
>
> Hmm... sort of defeats the purpose, if it is a security protection feature.
>

Well, if the app is already elevated, it can already do anything it
wants, so there's no point in blocking access at that point.


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/