BitBasher
02-04-07, 01:34 PM
After some experimentation, I've now got my MG350HD connecting to my WinXP Pro shares without enabling or using the dreaded Guest account.
I've attempted to make this as secure as possible, but the security still comes down to an account name of "media" with the password "gate", and a very limited account "mediagate" with no (blank) password.
Firstly, I've only tested this with WinXP PRO - I have no idea if this will work with WinXP HOME as I don't have it or use it, so these procedures may not work for WinXP HOME.
So here we go...
1. Create Two User Accounts
You need to go Start -> Run, and type in lusrmgr.msc to create two accounts. You need to create the account "mediagate" with NO password and set it to be a member of NO groups. You also need to create the account "media" with password "gate" and set it to be a member of the Guests group.
http://bitbasher.net/mg350hd/account1.jpg
and
http://bitbasher.net/mg350hd/account2.jpg
Make sure to check User cannot change password and Password never expires as shown in the above images. Also, don't forget to set up each account's password as indicated.
2. Messing with the Group Policy
Out of the box, WinXP PRO (and probably with the help of SP2) sets some account policies that will prevent this from working. You need to change a few policies to make this all happen.
Do another Start -> Run, and type in gpedit.msc to start the policy editor.
WARNING - EDITING GROUP POLICIES IS JUST AS DANGEROUS AS EDITING YOUR REGISTRY - YOU ARE DOING SO AT YOUR OWN RISK!
First, make sure your system allows zero-length passwords.
http://bitbasher.net/mg350hd/minpass.jpg
Next, set up your system to allow logon with blank passwords.
http://bitbasher.net/mg350hd/allowblankpw.jpg
Lastly, you don't want to allow the two new accounts to logon as users.
http://bitbasher.net/mg350hd/denylogon.jpg
In each of these cases, navigate to the appropriate policy key, and edit it as shown in the images. In the case of the last setting, make sure to ADD the accounts mediagate and media to the policy (keep any existing items like Support and Guest).
3. Adding a Share or Shares
Now you need to add a share or shares that your MG350HD can access. In my example below, I'm sharing the Junk folder and I'm naming the share "Junk". Make sure in the permissions tab you remove any users or groups that you do NOT want to access the share. Then add the "media" account as a permission, giving only Read access. Do NOT add the "mediagate" account to the share.
http://bitbasher.net/mg350hd/makeshare.jpg
This can be repeated for each share (folder) you wish to access from the MG350HD.
4. File Permissions in the Share Folder
Recall that we set the "media" account to be only a member of the Guest group - this is to give it as little permission as possible. If the files located in your sharepoint are hosted on an NTFS partition, you may need to change some file permissions as even the Guest group may not have read access to the files.
You can change your file permissions to one of:
a) Allow Guests to have read access
b) Grant the media account read access to the files
c) Simply grant the Everyone group with at least read access
d) Change the "media" account to use a group other than "Guests"
Remember that the media account has access to the share, but it may not have access to files if those files do not grant permission to either the account or to the group that the media account is a member of.
This you will have to set up yourself, but it may work just fine without any changes.
5. Notes
Because you set the policy, the accounts mediagate and media will NOT be able to logon to your system interactively.
The mediagate account is used by the MG350HD to enumerate shares only - it is not used to access the files or resources. Therefore, by ensuring that the mediagate account is NOT A MEMBER OF ANY GROUP, this account will only be able to VIEW shares, it will not have access to any files or even the directory contents.
The media account (with its lame password gate) is used to actually access the files within the share(s). This account needs to be able to read the files in the share so the file permissions must be set accordingly.
I'm using the MG350HD 1.1.0 firmware. I have no idea if this works with any previous version of the firmware.
If anyone at AITECH is reading this, PLEASE get rid of the mediagate account completely and only use the media account. BLANK PASSWORDS ARE EVIL! Also, change the password from "gate" to either something user-selectable, or perhaps the MAC address or serial number of the unit. This would help security even more.
Bit.
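The four steps above, scripted. This is an added example and not code from BitBasher's post or from AITECH: it targets a current Windows build rather than XP (it relies on the LocalAccounts and SmbShare modules, icacls and secedit, none of which the post uses), and it assumes the folder is C:\Junk, the share is named "Junk", and the account names and the "gate" password are the ones the post says the MG350HD expects. The function at the end is the part worth keeping: it reports anything that is wider than the post intends (an extra group membership, a share entry other than read for media, or either account still allowed to log on interactively).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post): the post's four GUI steps as a script for a
# current Windows build, plus a check that the result is as narrow as intended.
# Assumptions: folder C:\Junk, share "Junk", account names/password per the post.

$MediaGate = 'mediagate'
$Media     = 'media'
$Folder    = 'C:\Junk'
$ShareName = 'Junk'

# Step 1: two accounts. mediagate: blank password, no groups. media: password "gate",
# member of Guests only. (-PasswordNeverExpires is only valid together with -Password.)
New-LocalUser -Name $MediaGate -NoPassword -UserMayNotChangePassword `
    -Description 'MG350HD: share enumeration only' | Out-Null
$pw = ConvertTo-SecureString 'gate' -AsPlainText -Force
New-LocalUser -Name $Media -Password $pw -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'MG350HD: read-only file access' | Out-Null
Add-LocalGroupMember -Group 'Guests' -Member $Media
# New-LocalUser adds no group membership, but strip Users anyway in case another
# provisioning path (e.g. "net user /add") put the accounts there.
foreach ($u in $MediaGate, $Media) {
    Remove-LocalGroupMember -Group 'Users' -Member $u -ErrorAction SilentlyContinue
}

# Step 2: the three policies.
net accounts /minpwlen:0 | Out-Null                      # allow zero-length passwords
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'LimitBlankPasswordUse' -Value 0 -Type DWord   # blank-password logon over the network
# "Deny log on locally": export the current list, append both accounts, re-apply,
# so the existing entries (Guest, Support) are kept as the post requires.
$inf = Join-Path $env:TEMP 'deny-logon.inf'
$db  = Join-Path $env:TEMP 'deny-logon.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$existing = @()
foreach ($l in Get-Content -Path $inf) {
    if ($l -match '^SeDenyInteractiveLogonRight\s*=\s*(.*)$') {
        $existing = $Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}
$merged = ((@($existing) + $MediaGate + $Media) | Select-Object -Unique) -join ','
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = __DENY__
'@
$template.Replace('__DENY__', $merged) | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# Step 3: the share. Read for "media" only; mediagate is deliberately absent.
New-SmbShare -Name $ShareName -Path $Folder -ReadAccess $Media | Out-Null
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# Step 4: NTFS, option (b) from the post: read+execute for "media" on the folder tree.
icacls $Folder /grant "${Media}:(OI)(CI)RX" | Out-Null

# The check: returns an empty list when the setup matches the post's intent.
function Test-MediaGateSetup {
    $problems = @()
    # Group membership: mediagate in no group, media in Guests only.
    foreach ($g in Get-LocalGroup) {
        $members = (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name
        if ($members -contains "$env:COMPUTERNAME\$MediaGate") { $problems += "$MediaGate is in group $($g.Name)" }
        if ($members -contains "$env:COMPUTERNAME\$Media" -and $g.Name -ne 'Guests') { $problems += "$Media is in group $($g.Name)" }
    }
    # Share ACL: nothing but Read for media.
    foreach ($e in Get-SmbShareAccess -Name $ShareName) {
        if ($e.AccountName -notlike "*$Media" -or $e.AccessRight -ne 'Read') {
            $problems += "share $ShareName grants $($e.AccessRight) to $($e.AccountName)"
        }
    }
    # Both accounts denied interactive logon (the exported template lists SIDs, so compare SIDs).
    $exp = Join-Path $env:TEMP 'check-deny.inf'
    secedit /export /cfg $exp /areas USER_RIGHTS | Out-Null
    $deny = (Get-Content -Path $exp | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }) -join ''
    foreach ($u in $MediaGate, $Media) {
        $sid = (Get-LocalUser -Name $u).SID.Value
        if ($deny -notmatch [regex]::Escape($sid)) { $problems += "$u is not denied interactive logon" }
    }
    return ,$problems
}
Test-MediaGateSetup
```

Run it once elevated; an empty result from Test-MediaGateSetup means the setup is as tight as the post's procedure allows. Re-run only the function later to catch drift, for instance if someone adds Everyone back to the share or puts "media" into Users.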