Accessing another computer's administrative shares

[Birthday]

Hi, I try to make an ASP application that can access to other computer's
administrative shares like (c$, d$) in the network. There are computers that
have XP Professional or 2000 installed in the network. All the computers
have "administrator" account and password for this account. I try to make an
application that I can administrate all the files in the network computers
(in my network from my ISS based web page.

Can this type of application can be done by using ASP? If yes, how? Please
tell me the details about it, because of being new in ASP, please make it
easy to understand for me.

Thank you.

 

[Lance Wynn]

You just need to give permission to the administrative shares on the
computers to the user that is running the ASP application (A good way would
be to make the ASP App use NT Authentication vs. anonymous)

That should work


Hi, I try to make an ASP application that can access to other computer's
administrative shares like (c$, d$) in the network. There are computers that
have XP Professional or 2000 installed in the network. All the computers
have "administrator" account and password for this account. I try to make an
application that I can administrate all the files in the network computers
(in my network from my ISS based web page.

Can this type of application can be done by using ASP? If yes, how? Please
tell me the details about it, because of being new in ASP, please make it
easy to understand for me.

Thank you.

 

[Birthday]

How can I use NT Authentication in ASP? I do not know much about it. Could
you give an example?

 

[Lance Wynn]

It's not an ASP setting, it's a setting in your IIS Admin console. Right
Click on the web in the IIS Admin Console, and click the Security Tab.
There you can find instructions, and if you click F1, it will give you
detailed help on it.



How can I use NT Authentication in ASP? I do not know much about it. Could
you give an example?

 

[Birthday]

Thank you for your reply and explanation. But is there any other way to
introduce my computer as the administrator (with the administrator password
of the computer which I want to connect in my network) with ASP. Because
periodically harddisks of the all computers in my network is formatted and a
new Xp or 2000 system installed but administrator accounts and passwords
remain same for the newly installed operating system.

Thank you.

 

[Lance Wynn]

If the Admin password is the same on all the computers, you can use that
password to login to your ASP App, and it should work. A domain, or AD user
would probably be preferred though


Thank you for your reply and explanation. But is there any other way to
introduce my computer as the administrator (with the administrator password
of the computer which I want to connect in my network) with ASP. Because
periodically harddisks of the all computers in my network is formatted and a
new Xp or 2000 system installed but administrator accounts and passwords
remain same for the newly installed operating system.

Thank you.

 

[Chris Barber]

In real terms there are two (see later for a third) possible means of making
an ASP site run under a specific user account (eg. a domain administrator
account) to allow access administrative shares.

1. In IIS settings for the website, remove anonymous login and enable basic
or integrated authentication. Basic will pass passwords across the net (or
LAN) in clear whilst integrated will use the local client account if
applicable or prompt for a full login using NT challenge and response
(passwords are never sent in clear with this method and as such is the
preferred - won;t work though most proxy servers though).

2. Set the user account that the ASP website runs under for the anonymous
login to be a domain administrator account (not good because anyone visiting
the site will then be running under the domain administrative account so
it's only really useful for internal LAN and even then you have to be
careful).

A third option is available. You can use scripts that explicitly set the
user account that they will run under using VBS. However, you have to allow
shell scripts to run from the site by changing an IIS metabase setting (it's
turned off by default because of the security reasons - eg. you could
instantiate Word, Excel, run your own uploaded executables etc.).

Hope this helps.

Chris.

Thank you for your reply and explanation. But is there any other way to
introduce my computer as the administrator (with the administrator password
of the computer which I want to connect in my network) with ASP. Because
periodically harddisks of the all computers in my network is formatted and a
new Xp or 2000 system installed but administrator accounts and passwords
remain same for the newly installed operating system.

Thank you.

 

[Roland Hall]

: In real terms there are two (see later for a third) possible means of
making
: an ASP site run under a specific user account (eg. a domain administrator
: account) to allow access administrative shares.
:
: 1. In IIS settings for the website, remove anonymous login and enable
basic
: or integrated authentication. Basic will pass passwords across the net (or
: LAN) in clear whilst integrated will use the local client account if
: applicable or prompt for a full login using NT challenge and response
: (passwords are never sent in clear with this method and as such is the
: preferred - won;t work though most proxy servers though).

Using integrated authentication, the password is never sent, plain or
otherwise. A prompt is offered only after authentication fails because the
server assumes the user might know an account, with credentials, that will
authenticate properly. The credentials are not sent over the site. The
server actually sends an encrypted message the user could decrypt if they
had the right credentials and respond successfully.

http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Birthday]

Thank you for giving useful informations but probably I explain the problem
wrongly. My English is not so good so I'll write the problem a basic way. We
can think about a network which have only two computers. One of them is mine
(which is administrator computer) and the other is user computer. In my
computer, I run ISS but the user computer does not. So ASP application is
located in the my computer which has to connect the user's computer's
administrative shares with a password and list the files in c$. Changing any
setttings of user computer is not useful for me because it will be formatted
and installed new windows 2000 or xp periodically.

How can I connect in the explained way with ASP. Is there any connection
object that can handle the connection to a computer through network, for
example. If the information in your replies can solve the problem, I am
totally sorry but cannot understand. Please make the answer easy for me.

 

[Roland Hall]

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP application is
: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual directory to
their computer using the their administrative share, would you then have the
access you need?

However, it begs the question of why would a user need to connect to an ASP
page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Birthday]

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP application is
: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual directory to
their computer using the their administrative share, would you then have the
access you need?

However, it begs the question of why would a user need to connect to an ASP
page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Chris Barber]

UNC pathname are as follows for a computer with an administrative share for
the C drive:

\\MACHINENAME\C$\FOLDERSANDFILES

In order for any remote machine to connect to and be able to use this
filepath the remote machine must be able to authenticate as either a local
administrative account or a domain administrative account (if the target
machine has been added to the domain).

Administrative shares can ONLY be accessed by a remote client authenticating
in this manner.

What you have asked for is that an ASP site on a remote machine be able to
use this UNC path to be able to access files and folders on a target
machine. For this to be able to happen, the IIS page MUST run under the same
restraints but in this case it is further restricted - it can only (in
practice) run under a domain administrative account (eg.
DOMAIN\Administrator).

Now ... for this to happen you have tow choices (as already outlined in my
previous post):

1. Enable Integrated Authentication and disable Anonymous Login for the
website so that a visiting user is prompted for their account (eg.
DOMAIN\Administrator). Once this is entered then the ASP site will run as if
that user is logged in and any ASP scripts such as FSO will be able to
access the UNC filepath for the administrative share.
2. Use the Anonymous Login but set the account used (instead of
IUSR_MACHINE) to be DOMAIN\Administrator.

The funny thing is that you are aware of administrative shares but seem to
have no concept of domain or groups security principals which leads me to
believe that you are trying to run before you can walk. A lot of damage can
be done to a networks security if you start throwing domain administrative
logins around and use them indiscriminately.

My suggestion is that you find an easier way to achieve what you want using
normal methods. You are aware that you can just access these files in
Windows Explorer if you are logged in with the relevant account from any
computer by just typing the UNC path into the 'Run As' box?

Hope this helps and please don't take my comments too personally. I
appreciate what you might be trying to achieve but think you may be going
down a route that will only lead to issues and dead-ends.

Chris.

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP application is
: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual directory to
their computer using the their administrative share, would you then have the
access you need?

However, it begs the question of why would a user need to connect to an ASP
page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Birthday]

Thank you for your detailed answer.

Okay for everything you explained. In the first place, I had focused on the
thought that we can use some objects in ASP like CDO for sending emails so
we can use some API that handle making connection between two computers in
the network in ASP as an object. Or I think that we can make a connection
through port 449, send username and password through this port or the proper
port. Or I think, I can learn how windows handles this and imitate the
windows by using proper objects (if any).

Any comments?

UNC pathname are as follows for a computer with an administrative share for
the C drive:

\\MACHINENAME\C$\FOLDERSANDFILES

In order for any remote machine to connect to and be able to use this
filepath the remote machine must be able to authenticate as either a local
administrative account or a domain administrative account (if the target
machine has been added to the domain).

Administrative shares can ONLY be accessed by a remote client authenticating
in this manner.

What you have asked for is that an ASP site on a remote machine be able to
use this UNC path to be able to access files and folders on a target
machine. For this to be able to happen, the IIS page MUST run under the same
restraints but in this case it is further restricted - it can only (in
practice) run under a domain administrative account (eg.
DOMAIN\Administrator).

Now ... for this to happen you have tow choices (as already outlined in my
previous post):

1. Enable Integrated Authentication and disable Anonymous Login for the
website so that a visiting user is prompted for their account (eg.
DOMAIN\Administrator). Once this is entered then the ASP site will run as if
that user is logged in and any ASP scripts such as FSO will be able to
access the UNC filepath for the administrative share.
2. Use the Anonymous Login but set the account used (instead of
IUSR_MACHINE) to be DOMAIN\Administrator.

The funny thing is that you are aware of administrative shares but seem to
have no concept of domain or groups security principals which leads me to
believe that you are trying to run before you can walk. A lot of damage can
be done to a networks security if you start throwing domain administrative
logins around and use them indiscriminately.

My suggestion is that you find an easier way to achieve what you want using
normal methods. You are aware that you can just access these files in
Windows Explorer if you are logged in with the relevant account from any
computer by just typing the UNC path into the 'Run As' box?

Hope this helps and please don't take my comments too personally. I
appreciate what you might be trying to achieve but think you may be going
down a route that will only lead to issues and dead-ends.

Chris.

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP application is
: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual

directory

to
their computer using the their administrative share, would you then have the
access you need?

However, it begs the question of why would a user need to connect to an ASP
page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Chris Barber]

What *exactly* do you need to achieve?

So far it's been discussion on accessing and using the administrative file
shares C$, D$ etc. which requires passing NT challenge response
authentication to access - now your talking about CDO, emails etc?

Chris.

Thank you for your detailed answer.

Okay for everything you explained. In the first place, I had focused on the
thought that we can use some objects in ASP like CDO for sending emails so
we can use some API that handle making connection between two computers in
the network in ASP as an object. Or I think that we can make a connection
through port 449, send username and password through this port or the proper
port. Or I think, I can learn how windows handles this and imitate the
windows by using proper objects (if any).

Any comments?

UNC pathname are as follows for a computer with an administrative share for
the C drive:

\\MACHINENAME\C$\FOLDERSANDFILES

In order for any remote machine to connect to and be able to use this
filepath the remote machine must be able to authenticate as either a local
administrative account or a domain administrative account (if the target
machine has been added to the domain).

Administrative shares can ONLY be accessed by a remote client authenticating
in this manner.

What you have asked for is that an ASP site on a remote machine be able to
use this UNC path to be able to access files and folders on a target
machine. For this to be able to happen, the IIS page MUST run under the same
restraints but in this case it is further restricted - it can only (in
practice) run under a domain administrative account (eg.
DOMAIN\Administrator).

Now ... for this to happen you have tow choices (as already outlined in my
previous post):

1. Enable Integrated Authentication and disable Anonymous Login for the
website so that a visiting user is prompted for their account (eg.
DOMAIN\Administrator). Once this is entered then the ASP site will run as if
that user is logged in and any ASP scripts such as FSO will be able to
access the UNC filepath for the administrative share.
2. Use the Anonymous Login but set the account used (instead of
IUSR_MACHINE) to be DOMAIN\Administrator.

The funny thing is that you are aware of administrative shares but seem to
have no concept of domain or groups security principals which leads me to
believe that you are trying to run before you can walk. A lot of damage can
be done to a networks security if you start throwing domain administrative
logins around and use them indiscriminately.

My suggestion is that you find an easier way to achieve what you want using
normal methods. You are aware that you can just access these files in
Windows Explorer if you are logged in with the relevant account from any
computer by just typing the UNC path into the 'Run As' box?

Hope this helps and please don't take my comments too personally. I
appreciate what you might be trying to achieve but think you may be going
down a route that will only lead to issues and dead-ends.

Chris.

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP application is
: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual

directory

to
their computer using the their administrative share, would you then have the
access you need?

However, it begs the question of why would a user need to connect to an ASP
page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Birthday]

I meant "I think we can use some objects (to be able handle with accessing a
local machine's administrative shares) like cdonts, adodb.connection, etc."
Those were only examples, not the things I want to use to achieve my goal.
As I said the messages above, my english may be not very good to explain my
"wish to do" and I also thank your patience to my english and expression but
please do try to understand me. In my last message, I tried to explain the
way I thought before posting here. And I still wonder, whether or not the
way I approach the problem that I have (accessing another computer's
administrative shares), is valuable or not. If it is valuable, I will try to
develope it. If not and anybody explains me why it is not, I try to follow
your suggestions and quit.

So I would like to hear any comments about this questions:

1. And as far as I know, some API can be used as an object in ASP. So I
thought that if windows handle my request of writing \\computer_ip\C$ , by
using some API maybe I can use them in ASP as an object to create a
connection between my machine and the other machine. Is it possible?

2. Also, I controlled that when I open \\computer_ip\c$ by writing this into
windows explorer, port 449 is opened which is named as "microsoft-ds". So I
speculate if there is a way to connect to port 449 via using ASP by using
any technique, object or method of ASP. Is it possible?

Thank you very much for your patience replies until now. Learning is a slow
process for me. I should know every point of the topic to be understand it.
Please if you know or think any think about my speculations above, please
write in detail and please share with me.

What *exactly* do you need to achieve?

So far it's been discussion on accessing and using the administrative file
shares C$, D$ etc. which requires passing NT challenge response
authentication to access - now your talking about CDO, emails etc?

Chris.

Thank you for your detailed answer.

Okay for everything you explained. In the first place, I had focused on the
thought that we can use some objects in ASP like CDO for sending emails so
we can use some API that handle making connection between two computers in
the network in ASP as an object. Or I think that we can make a connection
through port 449, send username and password through this port or the proper
port. Or I think, I can learn how windows handles this and imitate the
windows by using proper objects (if any).

Any comments?

UNC pathname are as follows for a computer with an administrative share for
the C drive:

\\MACHINENAME\C$\FOLDERSANDFILES

In order for any remote machine to connect to and be able to use this
filepath the remote machine must be able to authenticate as either a local
administrative account or a domain administrative account (if the target
machine has been added to the domain).

Administrative shares can ONLY be accessed by a remote client authenticating
in this manner.

What you have asked for is that an ASP site on a remote machine be able to
use this UNC path to be able to access files and folders on a target
machine. For this to be able to happen, the IIS page MUST run under the same
restraints but in this case it is further restricted - it can only (in
practice) run under a domain administrative account (eg.
DOMAIN\Administrator).

Now ... for this to happen you have tow choices (as already outlined in my
previous post):

1. Enable Integrated Authentication and disable Anonymous Login for the
website so that a visiting user is prompted for their account (eg.
DOMAIN\Administrator). Once this is entered then the ASP site will run

as

if
that user is logged in and any ASP scripts such as FSO will be able to
access the UNC filepath for the administrative share.
2. Use the Anonymous Login but set the account used (instead of
IUSR_MACHINE) to be DOMAIN\Administrator.

The funny thing is that you are aware of administrative shares but seem to
have no concept of domain or groups security principals which leads me to
believe that you are trying to run before you can walk. A lot of damage can
be done to a networks security if you start throwing domain administrative
logins around and use them indiscriminately.

My suggestion is that you find an easier way to achieve what you want using
normal methods. You are aware that you can just access these files in
Windows Explorer if you are logged in with the relevant account from any
computer by just typing the UNC path into the 'Run As' box?

Hope this helps and please don't take my comments too personally. I
appreciate what you might be trying to achieve but think you may be going
down a route that will only lead to issues and dead-ends.

Chris.

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP

application
is

: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual

directory

to
their computer using the their administrative share, would you then

have
the

access you need?

However, it begs the question of why would a user need to connect to

an
ASP

page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Chris Barber]

\\COMPUTER\C$ is *just* a hidden UNC filepath and in essence is identical to
\\COMPUTER\C if the C drive where to be set as a share for that machine. The
*only* difference is that the administrative shares can *only* be accessed
by an authenticated administrator for the computer (eg a local admin or a
domain admin account).
There is nothing else to consider. No API's, no third party objects,
*nothing*. You can (once you have managed to get yourself executing under a
relevant account) use FSO (FileSystemObject) to access the files and folders
exactly the same as if you were doing so on the local machine.

There are other hidden shares. See:.
http://www.comptechdoc.org/os/windows/win2k/win2kshares.html

FSO:
http://msdn.microsoft.com/library/d...en-us/vbenlr98/html/vaobjfilesystemobject.asp

Port 449 is used by Windows and is often referred to as 'Server Mapper' - I
doubt you would be able to use it for anything specific.

Please forgive the excessive usage of '*' - I get carried away sometimes.

Chris.


I meant "I think we can use some objects (to be able handle with accessing a
local machine's administrative shares) like cdonts, adodb.connection, etc."
Those were only examples, not the things I want to use to achieve my goal.
As I said the messages above, my english may be not very good to explain my
"wish to do" and I also thank your patience to my english and expression but
please do try to understand me. In my last message, I tried to explain the
way I thought before posting here. And I still wonder, whether or not the
way I approach the problem that I have (accessing another computer's
administrative shares), is valuable or not. If it is valuable, I will try to
develope it. If not and anybody explains me why it is not, I try to follow
your suggestions and quit.

So I would like to hear any comments about this questions:

1. And as far as I know, some API can be used as an object in ASP. So I
thought that if windows handle my request of writing \\computer_ip\C$ , by
using some API maybe I can use them in ASP as an object to create a
connection between my machine and the other machine. Is it possible?

2. Also, I controlled that when I open \\computer_ip\c$ by writing this into
windows explorer, port 449 is opened which is named as "microsoft-ds". So I
speculate if there is a way to connect to port 449 via using ASP by using
any technique, object or method of ASP. Is it possible?

Thank you very much for your patience replies until now. Learning is a slow
process for me. I should know every point of the topic to be understand it.
Please if you know or think any think about my speculations above, please
write in detail and please share with me.

What *exactly* do you need to achieve?

So far it's been discussion on accessing and using the administrative file
shares C$, D$ etc. which requires passing NT challenge response
authentication to access - now your talking about CDO, emails etc?

Chris.

Thank you for your detailed answer.

Okay for everything you explained. In the first place, I had focused on the
thought that we can use some objects in ASP like CDO for sending emails so
we can use some API that handle making connection between two computers in
the network in ASP as an object. Or I think that we can make a connection
through port 449, send username and password through this port or the proper
port. Or I think, I can learn how windows handles this and imitate the
windows by using proper objects (if any).

Any comments?

UNC pathname are as follows for a computer with an administrative share for
the C drive:

\\MACHINENAME\C$\FOLDERSANDFILES

In order for any remote machine to connect to and be able to use this
filepath the remote machine must be able to authenticate as either a local
administrative account or a domain administrative account (if the target
machine has been added to the domain).

Administrative shares can ONLY be accessed by a remote client authenticating
in this manner.

What you have asked for is that an ASP site on a remote machine be able to
use this UNC path to be able to access files and folders on a target
machine. For this to be able to happen, the IIS page MUST run under the same
restraints but in this case it is further restricted - it can only (in
practice) run under a domain administrative account (eg.
DOMAIN\Administrator).

Now ... for this to happen you have tow choices (as already outlined in my
previous post):

1. Enable Integrated Authentication and disable Anonymous Login for the
website so that a visiting user is prompted for their account (eg.
DOMAIN\Administrator). Once this is entered then the ASP site will run

as

if
that user is logged in and any ASP scripts such as FSO will be able to
access the UNC filepath for the administrative share.
2. Use the Anonymous Login but set the account used (instead of
IUSR_MACHINE) to be DOMAIN\Administrator.

The funny thing is that you are aware of administrative shares but seem to
have no concept of domain or groups security principals which leads me to
believe that you are trying to run before you can walk. A lot of damage can
be done to a networks security if you start throwing domain administrative
logins around and use them indiscriminately.

My suggestion is that you find an easier way to achieve what you want using
normal methods. You are aware that you can just access these files in
Windows Explorer if you are logged in with the relevant account from any
computer by just typing the UNC path into the 'Run As' box?

Hope this helps and please don't take my comments too personally. I
appreciate what you might be trying to achieve but think you may be going
down a route that will only lead to issues and dead-ends.

Chris.

Users certainly does not need to connect to an ASP page to access something
on their local drive where they had administrative access. Actually in my
explaination user has nothing to do with this ASP page, even they do not
know about it. This ASP page is for the Administrators who want to control
the all the coming and going files on the users' computers. I can do it by
mapping the administrative shares of the all user computers in the
administrator's computer but I want to control the users' computers' files
by pressing a button in my ASP generated page, and all the controls will be
done by ASP then I will see the results on the screen.

By the way, if I can set the security settings of my IIS in a proper way
that makes me Administrator on the all local computers, how can I handle to
list the files on the local computer computer by using ASP. How should I
connect?

in message : Thank you for giving useful informations but probably I explain the
problem
: wrongly. My English is not so good so I'll write the problem a basic way.
We
: can think about a network which have only two computers. One of them is
mine
: (which is administrator computer) and the other is user computer. In my
: computer, I run ISS but the user computer does not. So ASP

application
is

: located in the my computer which has to connect the user's computer's
: administrative shares with a password and list the files in c$. Changing
any
: setttings of user computer is not useful for me because it will be
formatted
: and installed new windows 2000 or xp periodically.
:
: How can I connect in the explained way with ASP. Is there any connection
: object that can handle the connection to a computer through network, for
: example. If the information in your replies can solve the problem, I am
: totally sorry but cannot understand. Please make the answer easy for me.

Only Administrators can connect to administrative shares.

Untested, if you set your 'IIS' [not ISS] security settings to Integrated
and the user was logged on with their domain account and their domain user
account had Admin rights to their system, AND you had a virtual

directory

to
their computer using the their administrative share, would you then

have
the

access you need?

However, it begs the question of why would a user need to connect to

an
ASP

page to access something on their local drive where they had administrative
access?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp