COMMAND

    share

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Brian Steele reminded us all of the following feature.  Take an
    NT4.0/SP4 Server used as a file server with personal shares for
    users.  Each personal share is configured so that only one
    connection is allowed at a time, and share permissions are set so
    that only the user of the share can access the files in the share.

    User A tries to  map user B's share  to a drive letter  on his PC.
    While  he  can't  access  the  files  on the share, THE MAPPING IS
    STILL MADE, and thus bars User B from being able to access his own
    share!  Bug, or  feature?  Feature!   Before it can be  determined
    that a user doesn't have access  to a share, a connection must  be
    made to  check the  ACL for  that share.   Then, even  though  the
    request for the  share is denied  and the connection  is idle, the
    connection will remain for the default duration of 15 minutes.

    The problem is that a 'net use' doesn't make a 'real' access to the
    share.  Here is what happens with a 'net use':

        - TCP/IP connection setup
        - NBT session setup
        - SMB Dialect negotiation
        - SMB command 'Tree Connect and X' to 'connect' to the share
          and to create a TID in the server session table for future
          access

    So, up to this point, there is no file access, no permission
    check, and no refused connection, by design.  Look at what happens
    during any access on the share:

        - SMB 'Create file & X' to access the file (for read or write,
          the command is always 'create file')
        - Access allowed or denied according to SHARE/NTFS permissions

    Only in this phase does the system check permissions, so if a user
    is already connected, the new user can't connect.

SOLUTION

    The duration before an idle connection is disconnected can be
    changed in the registry by modifying the value of autodisconnect
    under the key:

        HKLM\System\CCS\Services\LanmanServer\Parameters

    (value is hex, representing minutes).  Setting autodisconnect to
    -1 disables autodisconnect (not what you're looking for).  Setting
    it to 0 will cause idle connections to disconnect after a few
    seconds, although this may affect performance of other aspects of
    your server.  Setting it to several minutes would be adequate for
    most situations.  Setting this value to any "low" number opens the
    possibility of DoS attacks.  Assuming you have the security set
    correctly, there is little need to limit the number of connections.
    A careful balance must be made between:

        HKLM\System\Current\Services\LanmanServer\Parameters\Autodisconnect

    (which is the timeout (in minutes - guess) before the server axes
    NetBIOS connections) and the sharepoint maximum connections.  If
    you limit connections to the sharepoint, make sure autodisconnect
    is enabled and that it is a relatively "small" value so as to avoid
    the potential DoS situation you're experiencing.  Be aware that
    setting autodisconnect too low will reduce performance.
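
    An audit for the combination described above (connection-limited
    shares plus the autodisconnect setting), as an added example that is
    not part of the original advisory.  It assumes a current Windows
    Server with the SmbShare module (which NT 4.0 does not have), an
    elevated session, and that "CCS" in the key above abbreviates
    CurrentControlSet; the function name is hypothetical.

```powershell
# Added example: report shares with a connection limit next to the server's
# autodisconnect setting. Assumes the SmbShare module and an elevated prompt.
function Get-ShareLimitAudit {
    # Assumption: the page's "CCS" stands for CurrentControlSet.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction Stop

    # Normalise the DWORD to an unsigned value so that -1 and 0xffffffff
    # (autodisconnect disabled) compare the same way.
    $minutes = $null
    if ($null -ne $params.autodisconnect) {
        $minutes = [int64]$params.autodisconnect -band 4294967295
    }
    $disabled = ($minutes -eq 4294967295)

    # Shares with a finite connection limit (0 means unlimited); skip
    # administrative shares such as C$ and IPC$.
    $limited = Get-SmbShare |
        Where-Object { -not $_.Special -and $_.ConcurrentUserLimit -gt 0 }

    foreach ($s in $limited) {
        [pscustomobject]@{
            Share              = $s.Name
            Limit              = $s.ConcurrentUserLimit
            CurrentUsers       = $s.CurrentUsers
            AtLimit            = ($s.CurrentUsers -ge $s.ConcurrentUserLimit)
            AutodisconnectMin  = $minutes      # $null = value not set
            AutodisconnectOff  = $disabled     # limit + no timeout = lockout risk
        }
    }
}

# Sessions holding a connection with no files open: the state a denied
# mapping is left in until autodisconnect reaps it. Sessions are per client,
# not per share, so correlate with the AtLimit rows above.
function Get-IdleNoOpenSession {
    Get-SmbSession |
        Where-Object { $_.NumOpens -eq 0 } |
        Sort-Object SecondsIdle -Descending |
        Select-Object ClientComputerName, ClientUserName, SecondsIdle
}

Get-ShareLimitAudit   | Format-Table -AutoSize
Get-IdleNoOpenSession | Format-Table -AutoSize
```

    Rows with AtLimit true and AutodisconnectOff true are the shares
    where a connection that never opens a file can keep the owner out
    indefinitely.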