Peer windows sharing password issues.

Metanis

Changed non-Domain Microsoft Account passwords on all my accounts a couple of weeks ago due to all the recent data breaches!

But, just today I realized that my batch files using net use commands with embedded usernames and passwords continued to work just fine with the OLD passwords.

Of course anything Internet facing required the NEW password.

Turns out that all the machines utilizing the Windows Hello PIN never actually used the new passwords... so the cached credentials never updated and they happily authenticated remote connections using the old passwords.

Once I disabled Windows Hello and forced a login using the new Microsoft Account password then the cached stuff finally went away.

Windows Hello is just plain evil.
 
No, you just don't understand it.

Windows Hello is passwordless, the password is only used to set a relationship, and a pin. The relationship is based on the TPM module's crypto keys. THAT is what authenticates your access and is vastly stronger than any password will ever be.

Also, you can create local accounts with set passwords to do this sort of thing in a peer-to-peer configuration, which for sanity's sake is what you're going to want to do. But also... access on this level is to be avoided for other reasons, but again for the cases you suggest use a local account.
 
Also, you can create local accounts with set passwords to do this sort of thing in a peer-to-peer configuration

Yes, this works fine except for when you want access to a specific user's files, like when I want to place a file on my wife's desktop to make it easy for her to find. I know, I'm talking about an edge case, but I found it disconcerting that once created, the Windows Hello PIN is completely decoupled from the original underlying account authentication. No wonder so many residential customers have no clue about their original Microsoft Account password that they only used once to create their PIN.
 
Yes, this works fine except for when you want access to a specific user's files, like when I want to place a file on my wife's desktop to make it easy for her to find. I know, I'm talking about an edge case, but I found it disconcerting that once created, the Windows Hello PIN is completely decoupled from the original underlying account authentication. No wonder so many residential customers have no clue about their original Microsoft Account password that they only used once to create their PIN.
The entire direct access model is on the way out. Each machine is an island, cloud software or a server handle file transfer between users.

That way there is no direct access pathway between workstations, and all transactions like this one can be protected in depth.

Endpoint -> Endpoint's Firewall -> Endpoint's EDR -> Server's Firewall -> Server's EDR -> Datastore is a vastly better connection chain than:

Endpoint -> Endpoint's Firewall -> Endpoint's EDR -> Another Endpoint's Firewall -> Another Endpoint's EDR running the same rule set -> Datastore

The reason the "cloud" is more secure is because it enforces Zero Trust methodology; endpoints directly accessing other endpoints are almost never Zero Trust, they are instead walled garden approaches, and need to be eliminated. Honestly, I'm somewhat shocked that Windows 11 once joined to a personal account even allows for this functionality anymore.

If you're using a proper Entra ID (Free by the way), you can join both machines to Entra ID, and configure permissions on local shares just like you would with Active Directory. The problem is, you can't do it via the GUI. You have to use the command line. It's much easier if you use groups for all permissions (better practice anyway), because then it's just net localgroup groupname /add AzureAD\user@domain.com and BOOM they're in the group.

You're right that users forget their passwords, that too is by design! It causes issues because they aren't appropriately documented, but a forgotten password cannot be stolen and should be reset-able in all circumstances. If the user didn't configure proper password recovery options on their account, THAT is an issue that needs to be addressed.

Zero Trust > Traditional Architecture (Walled Garden, Trust but verify)
For more, review the SC-900 certification training.
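The command-line share setup the post above describes, written out as an added PowerShell example (this is not code from the thread); the group name, share path and the `AzureAD\` user principal are placeholders, and it assumes the machine is already Entra ID joined.

```powershell
# Added example (not from the thread): give an Entra ID user access to a local
# share on an Entra-joined Windows 11 machine by way of a local group, so that
# permissions are granted to the group rather than to individual accounts.
# Placeholders: group name, share path/name and the user principal below.
$Group     = "ShareUsers"
$SharePath = "C:\Shared\Drop"
$ShareName = "Drop"
$EntraUser = "AzureAD\user@example.com"   # placeholder UPN of the Entra ID user

# 1. Check the join state first: AzureAD\ principals only resolve on a joined device.
$status = dsregcmd /status
if (-not ($status -match "AzureAdJoined\s*:\s*YES")) {
    throw "This device is not Entra ID joined; AzureAD\ principals will not resolve."
}

# 2. Create the local group if it is missing, then add the Entra ID user to it.
#    (net localgroup lists group names prefixed with '*'.)
if (-not (net localgroup | Select-String -SimpleMatch "*$Group")) {
    net localgroup $Group /add | Out-Null
}
net localgroup $Group $EntraUser /add

# 3. Create the folder and the SMB share, granting Change access to the group only.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Group | Out-Null
}

# 4. NTFS ACL: Modify rights for the group, inherited by subfolders and files.
icacls $SharePath /grant "${Group}:(OI)(CI)M" | Out-Null

# 5. Show the resulting membership and share permissions for review.
net localgroup $Group
Get-SmbShareAccess -Name $ShareName
```

Because access is granted through the group, the other machine's user connects with their own Entra ID identity and there is no password embedded in a batch file to go stale after a change.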
 