Hi all
I have a problem. I am developing a service which needs to run as the Local
System Account, and which needs to access a directory on a remote computer, in
order to both read and write files. Both computers are running Windows 2000
and are in the same domain.

As the Local System Account does not have any network permissions as such, I have
tried some alternative approaches but none seem to work.

1) I have tried to share the directory on the remote machine as a so-called
null session share
(http://support.microsoft.com/default.aspx?scid=kb;en-us;289655), as that in
theory should allow access to everyone and everything. But when I tried to
write a file I got the "System error 5 has occurred. Access is denied." error.

2) Next I have tried to grant the computer account on which the service is
running full access to the share as this article describes
(http://forumz.tomshardware.com/software/Folder-Sharing-Computer-Accounts-ftopict225518.html). With the same result.

The way I tested both approaches is this:

In both methods I use UNC format and IP numbers to address the remote share,
like this: \\192.168.106.12\share\

1) Run some code in my service using the
OpenStreamOnFile(MAPIAllocateBuffer, MAPIFreeBuffer, ulFlags, file_name,
szFilePrefix, out_stream) function, and also fopen(
"\\\\192.168.106.12\\share\\data.dat", "w+" ). Both methods fail though.

2) Started a CMD prompt with Local System Account credentials (using the
method described here:
http://www.windowsitpro.com/Article/ArticleID/47673/47673.html and the
psexec.exe tool from Sysinternals - running psexec.exe -s cmd.exe). Then tried
to both copy a file manually using the copy command and to map a drive letter
using "net use". But all I got was a "System error 5 has occurred. Access is
denied."

I would appreciate any help I can get. Small things to try or even whole new
approaches, as I am really running out of ideas here. Also if you need
further information regarding my setup, please let me know.

Thanks, and a merry Christmas to all

Kind regards/ Venlig hilsen

Peter Langhoff Feddersen
System Engineer, MCSD

Systematic Software Engineering A/S
Web: www.systematic.dk

Re: Service running as Local system account Unable to map drive on by Joe

Joe
Fri Dec 23 11:33:59 CST 2005

Did you set the appropriate permissions on the file system too? Remote
permissions are a combination of the share and file permissions with the most
restrictive being in control. I.E. Set the files/folders with everyone write.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


systematic_peter wrote:
> Hi all
> I have a problem. I am developing a service which needs to run as the Local
> System Account, and which needs to access a directory on a remote computer, in
> order to both read and write files. Both computers are running Windows 2000
> and are in the same domain.
>
> As the Local System Account does not have any network permissions as such, I have
> tried some alternative approaches but none seem to work.
>
> 1) I have tried to share the directory on the remote machine as a so-called
> null session share
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;289655), as that in
> theory should allow access to everyone and everything. But when I tried to
> write a file I got the "System error 5 has occurred. Access is denied." error.
>
> 2) Next I have tried to grant the computer account on which the service is
> running full access to the share as this article describes
> (http://forumz.tomshardware.com/software/Folder-Sharing-Computer-Accounts-ftopict225518.html). With the same result.
>
> The way I tested both approaches is this:
>
> In both methods I use UNC format and IP numbers to address the remote share,
> like this: \\192.168.106.12\share\
>
> 1) Run some code in my service using the
> OpenStreamOnFile(MAPIAllocateBuffer, MAPIFreeBuffer, ulFlags, file_name,
> szFilePrefix, out_stream) function, and also fopen(
> "\\\\192.168.106.12\\share\\data.dat", "w+" ). Both methods fail though.
>
> 2) Started a CMD prompt with Local System Account credentials (using the
> method described here:
> http://www.windowsitpro.com/Article/ArticleID/47673/47673.html and the
> psexec.exe tool from Sysinternals - running psexec.exe -s cmd.exe). Then tried
> to both copy a file manually using the copy command and to map a drive letter
> using "net use". But all I got was a "System error 5 has occurred. Access is
> denied."
>
> I would appreciate any help I can get. Small things to try or even whole new
> approaches, as I am really running out of ideas here. Also if you need
> further information regarding my setup, please let me know.
>
> Thanks, and a merry Christmas to all
>
> Kind regards/ Venlig hilsen
>
> Peter Langhoff Feddersen
> System Engineer, MCSD
>
> Systematic Software Engineering A/S
> Web: www.systematic.dk

Re: Service running as Local system account Unable to map drive on ano by Phillip

Phillip
Tue Dec 27 10:08:21 CST 2005

You can't use the Local System Account. You will have to use a different
Account even if you have to create one for the purpose.

One other "maybe" would be to design the Application to be able to
"present" credentials to make the connection. The "Scheduled Tasks" in
Windows works this way in that the service runs under the Local System
Account, yet within the config of the "Task" you can give it credentials to
use when the task is "executed".

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------


"systematic_peter" <systematic_peter@discussions.microsoft.com> wrote in
message news:0E36DE3F-6A2C-4231-AC35-F0DED2E15FB2@microsoft.com...
> Hi all
> I have a problem. I am developing a service which needs to run as the Local
> System Account, and which needs to access a directory on a remote computer, in
> order to both read and write files. Both computers are running Windows 2000
> and are in the same domain.
>
> As the Local System Account does not have any network permissions as such, I have
> tried some alternative approaches but none seem to work.
>
> 1) I have tried to share the directory on the remote machine as a so-called
> null session share
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;289655), as that in
> theory should allow access to everyone and everything. But when I tried to
> write a file I got the "System error 5 has occurred. Access is denied." error.
>
> 2) Next I have tried to grant the computer account on which the service is
> running full access to the share as this article describes
> (http://forumz.tomshardware.com/software/Folder-Sharing-Computer-Accounts-ftopict225518.html). With the same result.
>
> The way I tested both approaches is this:
>
> In both methods I use UNC format and IP numbers to address the remote share,
> like this: \\192.168.106.12\share\
>
> 1) Run some code in my service using the
> OpenStreamOnFile(MAPIAllocateBuffer, MAPIFreeBuffer, ulFlags, file_name,
> szFilePrefix, out_stream) function, and also fopen(
> "\\\\192.168.106.12\\share\\data.dat", "w+" ). Both methods fail though.
>
> 2) Started a CMD prompt with Local System Account credentials (using the
> method described here:
> http://www.windowsitpro.com/Article/ArticleID/47673/47673.html and the
> psexec.exe tool from Sysinternals - running psexec.exe -s cmd.exe). Then tried
> to both copy a file manually using the copy command and to map a drive letter
> using "net use". But all I got was a "System error 5 has occurred. Access is
> denied."
>
> I would appreciate any help I can get. Small things to try or even whole new
> approaches, as I am really running out of ideas here. Also if you need
> further information regarding my setup, please let me know.
>
> Thanks, and a merry Christmas to all
>
> Kind regards/ Venlig hilsen
>
> Peter Langhoff Feddersen
> System Engineer, MCSD
>
> Systematic Software Engineering A/S
> Web: www.systematic.dk



Re: Service running as Local system account Unable to map drive on by Joe

Joe
Tue Dec 27 14:03:13 CST 2005

That is incorrect, this can be made to work. Localsystem will either connect
anonymously or as the computer account depending on whether or not Kerberos auth
was used. Both can be used though there could be security implications depending
on the data involved.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Phillip Windell wrote:
> You can't use the Local System Account. You will have to use a different
> Account even if you have to create one for the purpose.
>
> One other "maybe" would be the design the Application to be able to
> "present" credentials to make the connection. The "Scheduled Tasks" in
> Windows works this way in that the service runs under the Local System
> Account, yet within the config of the "Task" you can give it credentials to
> use when the task is "executed".
>

Re: Service running as Local system account Unable to map drive on ano by Phillip

Phillip
Tue Dec 27 14:23:27 CST 2005

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:%23cEgSCyCGHA.2920@tk2msftngp13.phx.gbl...
> That is incorrect, this can be made to work. Localsystem will either connect
> anonymously or as the computer account depending on whether or not Kerberos auth
> was used. Both can be used though there could be security implications depending
> on the data involved.

How do you go about doing that?

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



Re: Service running as Local system account Unable to map drive on by Joe

Joe
Tue Dec 27 19:51:47 CST 2005

If Kerberos auth is being used, you simply grant rights for the computer account
from AD on the share and the file system. The security concern is that ANYTHING
running as localsystem on the specific computer will have access to the share.
For anonymous access you enable the null session share and set the ACL on the
file system to everyone read or write depending on the access you want. The
security concern here is anyone that knows to connect as anonymous will have
that access.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Phillip Windell wrote:
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:%23cEgSCyCGHA.2920@tk2msftngp13.phx.gbl...
>> That is incorrect, this can be made to work. Localsystem will either connect
>> anonymously or as the computer account depending on whether or not Kerberos auth
>> was used. Both can be used though there could be security implications depending
>> on the data involved.
>
> How do you go about doing that?
>
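Joe's two-layer rule above (share permissions and NTFS permissions combine, most restrictive wins) is easy to get half right. The following PowerShell audit script is an added example by the editor, not code from the thread or from any of its posters. It assumes a file server running Windows 8 / Server 2012 or later for the SmbShare cmdlets (the Windows 2000 hosts in the thread predate them), is run as an administrator on that server, and uses placeholder values for the share name and the client's computer account.

```powershell
# Added example, not from the thread: verify that a computer account has write access on BOTH
# layers Joe describes (share ACL and NTFS ACL), since the more restrictive layer wins remotely.
# Run as an administrator on the file server. Assumes Windows 8 / Server 2012 or later for the
# SmbShare cmdlets; share and account names below are placeholders.
param(
    [string]$ShareName = 'share',                # placeholder: the share the service writes to
    [string]$Account   = 'CONTOSO\APPSRV01$'     # placeholder: the client's computer account (trailing $)
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: share-level permissions (Full / Change / Read, Allow or Deny).
$shareEntries = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -ieq $Account }

# Layer 2: NTFS permissions on the folder behind the share.
$ntfsEntries = (Get-Acl -Path $share.Path).Access |
    Where-Object { $_.IdentityReference.Value -ieq $Account }

# "Write" on NTFS is a composite right; any of its bits counts here.
$writeMask  = [int][System.Security.AccessControl.FileSystemRights]::Write
$shareWrite = $shareEntries | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full', 'Change' }
$ntfsWrite  = $ntfsEntries | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeMask) -ne 0) }

"Share   : \\$env:COMPUTERNAME\$ShareName  ->  $($share.Path)"
"Account : $Account"
'Share ACL entries for the account:'
if ($shareEntries) {
    ($shareEntries | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-String).Trim()
} else {
    '  none (access would have to come through a group such as Domain Computers or Everyone)'
}
'NTFS ACL entries for the account:'
if ($ntfsEntries) {
    ($ntfsEntries | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize | Out-String).Trim()
} else {
    '  none'
}

# Remote access needs an Allow for write on both layers; a Deny on either layer overrides.
$denied = @($shareEntries) + @($ntfsEntries) | Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denied)                          { 'RESULT: an explicit Deny entry is present; it overrides any Allow.' }
elseif ($shareWrite -and $ntfsWrite)  { "RESULT: $Account has write on both layers." }
elseif ($shareWrite -or $ntfsWrite)   { 'RESULT: write is granted on only one layer; the other layer will deny it.' }
else                                  { 'RESULT: no direct write entry on either layer.' }
```

The script only looks at entries naming the account directly; rights inherited through group membership (Domain Computers, Authenticated Users, Everyone) are not resolved, so treat "none" as "not granted directly" rather than "not granted". One further check worth making, given Joe's point that the outcome depends on whether Kerberos was used: a Kerberos ticket is issued for a name-based service principal (cifs/hostname), and on Windows of the thread's era a UNC path that addresses the server by IP address, as in the original post, cannot obtain one, so the connection falls back to NTLM and LocalSystem arrives anonymously. Addressing the server by its DNS name is therefore the first thing to try before touching the ACLs.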

Re: Service running as Local system account Unable to map drive on ano by Phillip

Phillip
Wed Dec 28 13:28:15 CST 2005

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:uK8aEF1CGHA.2644@TK2MSFTNGP09.phx.gbl...
> If Kerberos auth is being used, you simply grant rights for the computer account
> from AD on the share and the file system. The security concern is that ANYTHING
> running as localsystem on the specific computer will have access to the share.

Ok, that makes sense.

> For anonymous access you enable the null session share and set the ACL on the

This is the first time I have seen the term "null session share"... I've
never heard of it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------




Re: Service running as Local system account Unable to map drive on by Joe

Joe
Thu Dec 29 15:35:31 CST 2005

Null session shares used to be quite prevalent, MS has slowly been weaning its
products off their use. I think anymore there are only like 2-3 null session
shares MS uses within their own products. You can get the list of null session
shares for a given machine by looking at
hklm\system\currentcontrolset\services\lanmanserver\parameters. There will be
two null session keys, one for pipes and one for shares.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Phillip Windell wrote:
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:uK8aEF1CGHA.2644@TK2MSFTNGP09.phx.gbl...
>> If Kerberos auth is being used, you simply grant rights for the computer account
>> from AD on the share and the file system. The security concern is that ANYTHING
>> running as localsystem on the specific computer will have access to the share.
>
> Ok, that makes sense.
>
>> For anonymous access you enable the null session share and set the ACL on the
>
> This is the first time I have seen the term "null session share"... I've
> never heard of it.
>
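Joe points at the LanmanServer parameters key for the list of null session shares and pipes. The following read-only PowerShell script is an added example by the editor, not from the thread or its posters; it reads those two values plus the LSA settings that govern anonymous access, including the "Additional restrictions for anonymous connections" setting Peter mentions later, which Windows 2000 stores as RestrictAnonymous. It assumes it is run as an administrator and, for the final share lookup, a Windows 8 / Server 2012 or later host with the SmbShare cmdlets.

```powershell
# Added example, not from the thread: list what this host exposes to null (anonymous) sessions
# and the registry settings that govern anonymous access. Read-only; run as an administrator.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# The two keys Joe refers to: REG_MULTI_SZ lists, one share or pipe name per element.
$nullShares = Get-RegValue $lanman 'NullSessionShares'
$nullPipes  = Get-RegValue $lanman 'NullSessionPipes'
# 1 (the default) limits anonymous sessions to the shares and pipes listed above.
$restrictNullSess = Get-RegValue $lanman 'RestrictNullSessAccess'

# Windows 2000's "Additional restrictions for anonymous connections" is RestrictAnonymous
# (0 = "None, rely on default permissions"); later versions split the policy into
# RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous.
$restrictAnon    = Get-RegValue $lsa 'RestrictAnonymous'
$restrictAnonSam = Get-RegValue $lsa 'RestrictAnonymousSAM'
$everyoneAnon    = Get-RegValue $lsa 'EveryoneIncludesAnonymous'

"Null session shares      : $(if ($nullShares) { $nullShares -join ', ' } else { '(none)' })"
"Null session pipes       : $(if ($nullPipes)  { $nullPipes  -join ', ' } else { '(none)' })"
"RestrictNullSessAccess   : $restrictNullSess"
"RestrictAnonymous        : $restrictAnon"
"RestrictAnonymousSAM     : $restrictAnonSam"
"EveryoneIncludesAnonymous: $everyoneAnon   (1 = 'Everyone' ACEs also apply to ANONYMOUS LOGON)"

# Every share listed in NullSessionShares is reachable without credentials, so show where it
# points; cross-check its share and NTFS ACLs grant nothing beyond what you mean to publish.
foreach ($s in @($nullShares)) {
    $def = Get-SmbShare -Name $s -ErrorAction SilentlyContinue   # SmbShare module (Win8/2012+)
    if ($def) { "  $s -> $($def.Path)" } else { "  $s -> (share not currently defined)" }
}
```

Two things this makes visible for Joe's second option: whether a share is actually in the null session list (the KB article in the original post only works if it is), and whether "Everyone" on the NTFS ACL even reaches anonymous callers, which on Windows XP and later requires EveryoneIncludesAnonymous to be set, whereas Windows 2000 includes Anonymous in Everyone by default.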

Re: Service running as Local system account Unable to map drive on by Joe

Joe
Thu Dec 29 15:36:19 CST 2005

The most common use I have deployed them for in companies is for software
installation shares for apps that aren't security critical and it doesn't matter
who sees the installation packages.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Phillip Windell wrote:
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:uK8aEF1CGHA.2644@TK2MSFTNGP09.phx.gbl...
>> If Kerberos auth is being used, you simply grant rights for the computer account
>> from AD on the share and the file system. The security concern is that ANYTHING
>> running as localsystem on the specific computer will have access to the share.
>
> Ok, that makes sense.
>
>> For anonymous access you enable the null session share and set the ACL on the
>
> This is the first time I have seen the term "null session share"... I've
> never heard of it.
>

Re: Service running as Local system account Unable to map drive on by systematicpeter

systematicpeter
Fri Dec 30 07:32:02 CST 2005


Hi Joe and Phillip

Thanks for the information and input.

To answer your initial question Joe: Yes, I have made sure that the computer
account has full permissions on both the share and the file system itself.
But to no avail, as I still have not been able to access the share.

You mention that Kerberos auth is used when computer accounts are used to
grant permissions. Can it be some setting in there that I need to tweak or
something (I have left the settings at their default values)?

Another thing which puzzles me is that I have noticed the following in the
Security Eventlog:

There are no errors in the Eventlog (on neither of the machines), but the
failed attempt to access the share results in an entry saying that the User
Anonymous Logon has been granted "SeChangeNotifyPrivilege" (and only that
privilege).

I have made sure that the security setting "Additional restrictions for
anonymous connections" is set to "None, rely on default", but was wondering
whether there could be other settings which need to be changed?

By the way, I have modified the code in my app to use the LogonUser() and
ImpersonateLoggedOnUser() functions to run as another user with success (been
able to create files in the share), so the error is not in some other parts
of the code. But this solution is not my first choice so I would prefer to
get the other method working.

Thanks for all your help, and have a happy New Year all

Kind regards/ Venlig hilsen

Peter Langhoff Feddersen
System Engineer, MCSD

Systematic Software Engineering A/S
Web: www.systematic.dk





"Joe Richards [MVP]" wrote:

> The most common use I have deployed them for in companies is for software
> installation shares for apps that aren't security critical and it doesn't matter
> who sees the installation packages.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Phillip Windell wrote:
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:uK8aEF1CGHA.2644@TK2MSFTNGP09.phx.gbl...
> >> If Kerberos auth is being used, you simply grant rights for the computer account
> >> from AD on the share and the file system. The security concern is that ANYTHING
> >> running as localsystem on the specific computer will have access to the share.
> >
> > Ok, that makes sense.
> >
> >> For anonymous access you enable the null session share and set the ACL on the
> >
> > This is the first time I have seen the term "null session share"... I've
> > never heard of it.
> >
>
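Peter's fallback, LogonUser() followed by ImpersonateLoggedOnUser(), is the "present credentials" design Phillip described earlier. The script below is an added example by the editor, not Peter's code and not from the thread; it drives the same two Win32 calls from PowerShell through P/Invoke and uses the LOGON32_LOGON_NEW_CREDENTIALS logon type, which keeps the caller's local identity (LocalSystem, in Peter's case) and presents the supplied credentials only for outbound network connections. The server, share and account are placeholders, and the credential is prompted for rather than embedded.

```powershell
# Added example, not from the thread: LogonUser() + ImpersonateLoggedOnUser() from PowerShell.
# NEW_CREDENTIALS (9) keeps the local token and uses the given account only on the network,
# the same effect as "runas /netonly". Names and paths below are placeholders.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NEW_CREDENTIALS = 9   # network-only credentials
$LOGON32_PROVIDER_WINNT50      = 3   # the provider NEW_CREDENTIALS requires

function Write-FileAsUser {
    param(
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory)][string]$UncPath,   # placeholder, e.g. \\fileserver01\share\data.dat
        [Parameter(Mandatory)][string]$Content
    )
    $net    = $Credential.GetNetworkCredential()
    $domain = if ($net.Domain) { $net.Domain } else { $null }   # $null lets a UPN pass through
    $token  = [IntPtr]::Zero

    # NEW_CREDENTIALS does not validate the password locally: a wrong password only shows up
    # as an access-denied error on the first network use, not here.
    $ok = [Win32.Advapi]::LogonUser($net.UserName, $domain, $net.Password,
                                    $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed: $((New-Object System.ComponentModel.Win32Exception $code).Message)"
    }
    try {
        if (-not [Win32.Advapi]::ImpersonateLoggedOnUser($token)) { throw 'ImpersonateLoggedOnUser failed' }
        try {
            # Same thread as the impersonation call, so the SMB session is set up with the new credentials.
            [System.IO.File]::WriteAllText($UncPath, $Content)
        } finally {
            [void][Win32.Advapi]::RevertToSelf()   # always drop the impersonation, even on error
        }
    } finally {
        [void][Win32.Advapi]::CloseHandle($token)  # the token is no longer needed once reverted
    }
}

# Usage (prompts for DOMAIN\user and password):
# Write-FileAsUser -Credential (Get-Credential) -UncPath '\\fileserver01\share\data.dat' -Content 'hello'
```

The trade-off Peter hints at is where the service gets the credential from: a password the service can read at start-up is readable by anything else running as LocalSystem on that box, which is the same exposure Joe described for the computer-account route. Running the service under a dedicated account, as Phillip first suggested, avoids handling the password in code at all.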