Differences in default security settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional and members of the Windows Server 2003 family.

Anyone who accesses a computer and its resources through the network without an account name, password, or domain is a member of the Anonymous Logon built-in security group. In previous versions of Windows, members of the Anonymous Logon security group had access to many resources because they were also members of the Everyone group. Because administrators often did not realize that anonymous users were members of the Everyone group, they might have inadvertently granted anonymous users access to resources intended only for authenticated users.

When a computer running Windows 2000 is upgraded to a member of the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly for the Anonymous Logon group) will no longer be available to anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. In some cases, however, you may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous Logon group, you should explicitly add the Anonymous Logon security group, with the required permissions, to the access control list of each such resource.

However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows Server 2003 family or Windows XP Professional computers, you can instead enable the security setting Network access: Let Everyone permissions apply to anonymous users (under Local Policies, Security Options; it is disabled by default). Be aware that enabling this setting restores the previous behavior for every resource on the computer, not just the ones the application needs, so it re-exposes anything that was only ever protected by the absence of anonymous users from Everyone. Adding explicit Anonymous Logon permission entries is the narrower, preferred change.
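The check and the explicit-permission fix described above, as an added PowerShell example that is not part of the original page: it reads the registry value behind the policy (EveryoneIncludesAnonymous under the Lsa key), lists the permission entries for Everyone on a folder that ANONYMOUS LOGON no longer inherits, and, when run with -Fix, mirrors the explicit Allow entries to the ANONYMOUS LOGON SID (S-1-5-7) rather than enabling the global policy. The folder path C:\Shares\Legacy is an assumed sample path; run the script as an administrator.

```powershell
# Added example (not part of the original page). Audits a folder for Everyone
# permission entries that anonymous network users lost after the upgrade and,
# with -Fix, mirrors them to ANONYMOUS LOGON explicitly.
param(
    [string]$Path = 'C:\Shares\Legacy',   # assumed sample path
    [switch]$Fix                           # add explicit ANONYMOUS LOGON entries when set
)

# The policy "Network access: Let Everyone permissions apply to anonymous users"
# is stored as the EveryoneIncludesAnonymous REG_DWORD under the Lsa key.
# 0 (or absent) = disabled, the Windows XP / Windows Server 2003 default; 1 = enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue
$everyoneIncludesAnonymous = ($lsa -ne $null) -and ($lsa.EveryoneIncludesAnonymous -eq 1)
Write-Output "EveryoneIncludesAnonymous enabled: $everyoneIncludesAnonymous"

# Well-known SIDs: S-1-1-0 is Everyone, S-1-5-7 is ANONYMOUS LOGON.
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$anonymousSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-7')

# Read the DACL and resolve each entry's identity to a SID so the comparison
# does not depend on localized account names.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$everyoneRules  = @($rules | Where-Object { $_.IdentityReference -eq $everyoneSid })
$anonymousRules = @($rules | Where-Object { $_.IdentityReference -eq $anonymousSid })

foreach ($r in $everyoneRules) {
    $origin = if ($r.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("Everyone: {0} {1} ({2})" -f $r.AccessControlType, $r.FileSystemRights, $origin)
}

if ($everyoneRules.Count -eq 0) {
    Write-Output "No Everyone entries on $Path; nothing for anonymous users to lose."
}
elseif ($anonymousRules.Count -gt 0 -or $everyoneIncludesAnonymous) {
    Write-Output "Anonymous users still reach $Path (explicit ANONYMOUS LOGON entry or policy enabled)."
}
else {
    Write-Output "Everyone is granted access but ANONYMOUS LOGON is not: anonymous network users are denied."
    if ($Fix) {
        foreach ($r in $everyoneRules) {
            # Only mirror explicit Allow entries; inherited ones must be fixed on the parent,
            # and Deny entries are left alone so the change can only widen access deliberately.
            if ($r.IsInherited -or $r.AccessControlType -ne 'Allow') { continue }
            $mirror = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $anonymousSid, $r.FileSystemRights, $r.InheritanceFlags,
                $r.PropagationFlags, $r.AccessControlType)
            $acl.AddAccessRule($mirror)
            Write-Output ("Added ANONYMOUS LOGON: Allow {0}" -f $r.FileSystemRights)
        }
        Set-Acl -Path $Path -AclObject $acl
    }
    else {
        Write-Output "Re-run with -Fix to add matching explicit ANONYMOUS LOGON entries."
    }
}
```

Run it once without -Fix to see what Everyone currently grants on the folder, and only then with -Fix on the specific resources a legacy application needs; the script deliberately never touches EveryoneIncludesAnonymous, because flipping that value would widen anonymous access on every resource on the computer at once.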

For more information, see Edit security settings on a Group Policy object or Edit local security settings.

Differences between Windows NT 4.0 and Windows Server 2003 family default security settings

Windows NT 4.0 provided two key groups whose membership could be controlled by the administrator: Administrators and Users. There was one group, Everyone, whose membership was controlled by the operating system or domain. Every user who was authenticated by the domain was a member of the Everyone group. If an administrator wanted stricter control of access to the computer's resources, the discretionary access control list (DACL) could be modified by removing the Everyone group.

The Windows Server 2003 family provides three groups whose membership is controlled by the administrator: Users, Power Users, and Administrators. The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests.

Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not used to assign permissions. Only groups controlled by the administrator, primarily Users, Power Users, and members of the Administrators group, are used to assign permissions. The default members of each group are listed below.

Local group       On Windows XP Professional, this group contains   On computers running the Windows Server 2003 family, this group contains
Administrators    Administrator                                      Administrator
Power Users       Authenticated Users                                none
Users             Authenticated Users                                Authenticated Users

By default, any authenticated user is a member of the Users group. Power Users have all the capabilities that Windows NT 4.0 Users had, which ensures backward compatibility with Windows NT 4.0. If an administrator wants to implement higher security on a computer, Authenticated Users should be a member of the Users group only, and should be removed from the Power Users group where it is present by default.

When a Windows XP Professional or Windows Server 2003 family computer joins a domain, the same domain groups are added to the computer that were added to a Windows NT 4.0 computer: Domain Admins is added to the local Administrators group, and Domain Users is added to the local Users group.

For information about changes to security settings on services, see Default settings for services.

For more information, see Default security settings for groups and Default groups.