  DSmithLady Premium,MVM join:2002-04-23 Deep South clubs: 
| reply to psloss Re: TIP: Add Folder Security tab to XP Home
I can tell you that I am now able to share "my documents" folder on my HOME machine that I was not able to do before...without using the safe mode and accessing the security tab. -- It's really easy to join one of our Cancer fighting teams. JOIN TEAM HELIX! JOIN TEAM DISCOVERY UD/TSC! |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by DSmithLady : I can tell you that I am now able to share "my documents" folder on my HOME machine that I was not able to do before...without using the safe mode and accessing the security tab.
That's odd...I've shared out folders and even drives on XP Home before using Simple File Sharing...what was the problem before installing the NT4 SCE GUI?
Or are you talking about something a little different? The sharing interface (and sharing permissions) are much simpler than file system permissions and are probably less prone to problems.
Thanks,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
 Shootist Premium join:2003-02-10 Decatur, GA
| I haven't dug into it but this must turn off Simple file sharing. Even in XP Pro if you have SFS enabled you don't get the security tab. Does anyone know if you can uninstall it to enable SFS?
I have DLed it and installed it and it seems to be running fine. This is a real bonus because the security tab is the only thing I need from Pro. As far as connecting to a Domain at this time I could care less about it but I was considering upgrading my Dell laptop to Pro once the warranty was off, now I don't have to.
Thanks for the TIP. -- Are You Ready--Stand By BEEP ******** |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by Shootist : I haven't dug into it but this must turn off Simple file sharing. Even in XP Pro if you have SFS enabled you don't get the security tab. Does anyone know if you can uninstall it to enable SFS?
I just installed this on a "fresh" XP Home install (no SP1 yet) and it doesn't appear to have changed one of the basics of SFS -- all logins are still authenticated as Guest, rather than the provided credentials. I can connect with a bogus user and password, or rather, with any user and password.
There's less of a chance for conflict because some of the core libraries that come in the package -- aclui.dll and esent.dll -- are a part of the XP Home setup and the old versions of the files are restored by System File Protection.
One of the major missing pieces is the wsecedit.dll file, which seems to provide the Security tab interface itself. Those of you who have XP Professional will find an XP version of this file in their System32 directory, but it's not in a default XP Home install and this library remains from the SCESP4I.EXE "package," along with the scedll.dll and rshx32_5.dll libraries.
(Of course, a big difference is that the SCESP4I.EXE package appears to be legally available, while the XP Pro files are not redistributable without purchase of XP Pro.)
I haven't had a chance to do much testing of this yet; the first thing was to look at contents of the package and how they install on XP Home. Next thing to test is whether one can unregister the libraries that the package installs to "uninstall" the Security tab.
Rather than adding much underlying functionality, I think this package mostly provides a way to access the Security GUI without having to run in Safe Mode. The CACLS.EXE program uses the same underlying functionality and is available, Safe Mode or no, but is a command-line program.
I'm still nervous about the difference in implementations -- both in terms of the 2-3 year difference and the difference in "size" (the old wsecedit.dll is 376 KB, the XP one is 533 KB)...
...but it's definitely interesting and I don't want to discourage anyone who wants to take a look at it. I'm more curious now than anything.
If I find anything of note, I'll post more.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Texas | Does this compromise security by using 5 year old code?
I just want to be able to use the Security tab, and it wasn't very nice of MS to leave it out.. I guess I could use Server 2003 Standard's files.. |
|
  Kramer Premium,Mod join:2000-08-03 Richmond, VA clubs:
| reply to psloss said by psloss : I just installed this on a "fresh" XP Home install (no SP1 yet) and it doesn't appear to have changed one of the basics of SFS -- all logins are still authenticated as Guest, rather than the provided credentials. I can connect with a bogus user and password, or rather, with any user and password.
Exactly. I don't understand what value this would have unless that behavior (all users authenticated as guest) is corrected. Isn't there a "sometimes works" registry value that turns this behavior off? |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to redxii said by redxii : Does this compromise security by using 5 year old code?
I just want to be able to use the Security tab, and it wasn't very nice of MS to leave it out.. I guess I could use Server 2003 Standard's files..
I hear you -- it would have been nice if they had at least provided a way to enable the functionality for power users.
My concern isn't about a security compromise so much as data corruption -- and it's still unsubstantiated. I just found it odd that this package would "work" given that it predates XP. There has to be a reason why it works and short of that (or several reasons), it may only partially work (or worse).
I just tried breaking the Security tab or making it go away and I found that two of the DLLs I referred to earlier -- the wsecedit.dll file and the scedll.dll file both do NOT work on the system. They fail to load, even manually, so that can't be providing the functionality.
What I found is that the rshx32_5.dll file seems to be providing it. If I move that file to the Recycle Bin and bring up a Properties dialog, the tab isn't there.
And it doesn't make sense anyway, since the tab is available without this package in Safe Mode. There has to be something like a dynamic Registry setting or something like that, so I'm looking for references there. So far, what I've found is that there's a file named rshx32.dll in XP Pro that is registered similarly to what I found in XP Home.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| Security tab Registry entries
OK, I believe this boils down to a series of Registry keys and entries. I need to take a break so for now, I'll just post the details and come back later. Thanks to the restore point functionality, I was able to restore the config back to the "fresh" XP Home and then install InCtrl5 to do a before and after snapshot; here are the Registry changes that I believe to be relevant:
Keys added...
HKEY_CLASSES_ROOT\*\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
"(Default)" Type: REG_SZ Data:
HKEY_CLASSES_ROOT\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
"(Default)" Type: REG_SZ Data:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
"(Default)" Type: REG_SZ Data:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
"(Default)" Type: REG_SZ Data:
Values changed...
HKEY_CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}\InProcServer32
"(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: rshx32.dll
New data: rshx32_5.dll
This last entry -- the change -- could be bad, since it substitutes the XP version of the functionality (rshx32.dll) with the 1998 version of the functionality (rshx32_5.dll).
Anyway, the common link is the GUID "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" and scanning through the setup files from the SCESP4I.EXE package, I found this in the [Strings] section of the setup.inf file:
CLSID_RSHX_NTFS={1f2e5c40-9550-11ce-99d2-00aa006e086c}
Then looking for "CLSID_RSHX_NTFS" in the file, I found this in the [MMCPostSetupCmdSection] section (with a couple of entries snipped):
[MMCreg]
HKCR,Clsid\%CLSID_RSHX_NTFS%,,,%DESCRIPTION%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,,,%MODULENAME%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,"ThreadingModel",,Apartment
HKCR,*\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Drive\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Directory\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Clsid\%CLSID_BRIEFCASE%\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
The first three entries here cover the "Values changed" part of the InCtrl5 report and could probably be skipped, which leaves these entries (I'm repeating them):
HKCR,*\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Drive\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Directory\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Clsid\%CLSID_BRIEFCASE%\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
SHEXPS is from the Strings section:
SHEXPS=shellex\PropertySheetHandlers
So the Security tab is registered in Property Sheets for three areas: * or all, Drive, and Directory.
All very interesting, but now my brain hurts (my brain in my head). So I'm not dead sure, but right now I think the bottom line is that people who install this should fix their Registry so that Explorer uses the XP version of the rshx32.dll.
People who want to add the functionality may be able to cobble together a Registry script instead of running this install package. At some point, I'll try to test that.
I still have to do an InCtrl5 compare of the Registry between "normal" mode and Safe Mode, but that's where I am right now.
Hope that helps somebody,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
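The INF-to-Registry mapping worked out in the post above, as an added example that is not part of the original post or of the SCESP4I.EXE package: it expands the quoted [MMCreg] lines with the [Strings] values and checks the result against the InCtrl5 report. The MODULENAME and CLSID_BRIEFCASE values are assumptions inferred from that report, and DESCRIPTION is not quoted on the page, so it is left unexpanded.

```python
import re

# Constructed input: the [MMCreg] lines exactly as quoted in the post.
MMCREG = r'''
HKCR,Clsid\%CLSID_RSHX_NTFS%,,,%DESCRIPTION%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,,,%MODULENAME%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,"ThreadingModel",,Apartment
HKCR,*\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Drive\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Directory\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Clsid\%CLSID_BRIEFCASE%\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
'''.strip().splitlines()

STRINGS = {
    "CLSID_RSHX_NTFS": "{1f2e5c40-9550-11ce-99d2-00aa006e086c}",  # quoted from setup.inf
    "SHEXPS": r"shellex\PropertySheetHandlers",                   # quoted from setup.inf
    "MODULENAME": "rshx32_5.dll",  # assumption: the "New data" in the InCtrl5 report
    "CLSID_BRIEFCASE": "{85BBD920-42A0-1069-A2E4-08002B30309D}",  # assumption: from "Keys added"
}  # DESCRIPTION is not quoted on the page, so it is deliberately absent

# The four "Keys added" from the InCtrl5 report, lower-cased (Registry keys are case-insensitive).
PSH = r"\shellex\PropertySheetHandlers" + "\\" + "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"
REPORT_KEYS_ADDED = {("HKEY_CLASSES_ROOT" + p + PSH).lower() for p in (
    r"\*", r"\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}", r"\Directory", r"\Drive")}

def expand(text):
    """Replace %NAME% tokens from [Strings]; unknown tokens stay visible."""
    return re.sub(r"%(\w+)%", lambda m: STRINGS.get(m.group(1), m.group(0)), text)

def parse_addreg(lines):
    """AddReg line 'root,subkey,value-name,flags,value' -> (key, name, data)."""
    out = []
    for line in lines:
        root, subkey, name, _flags, data = (f.strip() for f in line.split(",", 4))
        key = {"HKCR": "HKEY_CLASSES_ROOT"}[root] + "\\" + expand(subkey)
        out.append((key, name.strip('"') or "(Default)", expand(data)))
    return out

def audit(entries, shipped="rshx32.dll"):
    """Return (property-sheet handler keys, InProcServer32 defaults that replace the XP DLL)."""
    handlers = {k.lower() for k, _, _ in entries if "\\propertysheethandlers\\" in k.lower()}
    replaced = [(k, d) for k, n, d in entries
                if k.lower().endswith("\\inprocserver32") and n == "(Default)"
                and d.lower() != shipped]
    return handlers, replaced

if __name__ == "__main__":
    handlers, replaced = audit(parse_addreg(MMCREG))
    print("matches InCtrl5 'Keys added':", handlers == REPORT_KEYS_ADDED)
    print("InProcServer32 no longer points at the XP DLL:", replaced)
```

The `replaced` list is the entry the post flags as the risky one: the handler registrations alone match the "Keys added" list, while the InProcServer32 line is what swaps rshx32.dll for rshx32_5.dll.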
  Kramer Premium,Mod join:2000-08-03 Richmond, VA clubs:
| Nice work Philip! I just hope everyone understands that this GUI will allow one to set permissions for local access, but because XP Home authenticates all network users as guests, things could get very confusing for network access.
For instance, let's say I give Bill, Mary and Spot full control to folder x and all its subfolders. That's fine as long as they are working on that computer, but regardless of what the share permissions are set for, those people are not going to access those files unless the guest account or everyone is also included in the permissions (Share permissions too!). With XP Home, all network users either have access to a file or don't have access to a file, there is no in-between. You can't be selective among users. Now, I'm ready for Dave to pounce upon me with a silver hammer. |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by Kramer : Now, I'm ready for Dave to pounce upon me with a silver hammer.
Me, too. Hopefully he can straighten us out. 
Actually, I'm still looking at this and it's looking like I've got something wrong and am about to come full circle on this.
More in a bit,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
  Hall Premium,MVM join:2000-04-28 Dayton, OH
| reply to redxii Re: TIP: Add Folder Security tab to XP Home
said by redxii : Does this compromise security by using 5 year old code?
Any more so than using "new" code ?? 
This should be safe, I think. The kernel in XP is simply an updated Win2K kernel, which is supposedly a complete re-write from the NT4 days. This is called a "back port" from Win2K, meaning they took this good feature from Win2K and applied it back to NT4. -- -= Mindspring MaxDSL via Covad 1536/384 TeleSurfer Pro =- |
|
  DSmithLady Premium,MVM join:2002-04-23 Deep South clubs: 
| reply to psloss said by psloss : said by DSmithLady : I can tell you that I am now able to share "my documents" folder on my HOME machine that I was not able to do before...without using the safe mode and accessing the security tab.
That's odd...I've shared out folders and even drives on XP Home before using Simple File Sharing...what was the problem before installing the NT4 SCE GUI?
Or are you talking about something a little different? The sharing interface (and sharing permissions) are much simpler than file system permissions and are probably less prone to problems.
Thanks,
Philip Sloss
With simple file sharing, you are unable to share program files or documents and settings files. -- It's really easy to join one of our Cancer fighting teams. JOIN TEAM HELIX! JOIN TEAM DISCOVERY UD/TSC! |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by DSmithLady : With simple file sharing, you are unable to share program files or documents and settings files.
I can share both folders, but you have to consider that you're using Windows file sharing and it goes back many years; so sharing the "Documents and Settings" folder with the defaults generated by the GUI (the same name with spaces) gives a warning dialog. The GUI does "prevent" sharing the "Program Files" folder, but there are at least two ways around that. The first is to share the whole drive. The second is to use the net.exe command line utility, viz.:
net share Goo="C:\Program Files"
The same applies to NTFS security settings. The Security tab provides a "point and click" interface to the security functions, but those functions are there on XP Home regardless of whether the tab is. For example, the CACLS.EXE command line utility provides a good "scripting" interface and it doesn't have the operational restrictions the GUI interface does on XP Home. Another example is that Registry keys are also securable and those can be administered in RegEdit on XP Home using the same underlying functionality.
Edit: yet another example is a nice utility recently released from SysInternals called AccessEnum (»www.sysinternals.com/ntw2k/source.shtml)
(Sharing any of those three points on the drive the O/S is installed probably isn't a good idea from a security standpoint, though.)
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
[text was edited by author 2003-10-20 11:44:47] |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
| The Windows 2000 DLL worked, whereas the Windows 2003 did not. So I guess your hypothesis proves right that DLLs from XP and higher use the checking, whilst any predating DLLs work. I also believe that you can hex edit to disable this check just as you can for the uxtheme.dll to be able to use non-MS themes.
Xteq X-Setup also can supposedly enable/disable SFS as there is an option for it regardless of Home or Pro. System > Advanced System Settings > Windows XP Simple Shares. [text was edited by author 2003-10-20 18:09:47] |
|