Default security settings for groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before modifying any security settings, it is important to take into consideration the default settings.

There are three fundamental levels of security that are granted to users. These are granted to end users through membership in the Administrators, Power Users, or Users groups.

Administrators

The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allow complete control over the entire system. As a result, only trusted personnel should be members of this group.

Power Users

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default permissions that are allotted to the Power Users group allow members of the Power Users group to modify computerwide settings.

When you upgrade from Windows NT 4.0, members of the Restricted Users group are automatically placed in the Power Users group to prevent backward compatibility issues with the applications that your organization used before the upgrade. Many applications used on Windows NT 4.0 required elevated permissions to run correctly. The default Windows 2000, Windows XP Professional, and Windows Server 2003 family security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000, Windows XP Professional or Windows Server 2003 family.

If you do not want end users to have the elevated permissions of the Power Users group, you can make them members of the Users group and only run applications that belong to the Windows Logo program for Software. If applications that do not belong to the Windows Logo program for Software must be supported, then end users will need to be part of the Power Users group. For information about the Windows Logo program for Software, see the Windows Logo program for Software on the Microsoft Web site.

Power Users can:

  • Run legacy applications, in addition to applications for Windows 2000, Windows XP Professional, or the Windows Server 2003 family that belong to the Windows Logo program for Software.

  • Install programs that do not modify operating system files or install system services.

  • Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.

  • Create and manage local user accounts and groups.

  • Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

Caution

  • Running legacy programs on Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy applications belonging to the Windows Logo program for Software in order to achieve maximum security without sacrificing program functionality. These programs can run successfully under the Secure configuration that is provided by the Users group.

  • Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.

Users

The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data.

The Users group provides the most secure environment in which to run programs. On a volume formatted with the NTFS file system, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations but not servers. Users can create local groups, but can manage only the local groups that they created. They can run programs for Windows 2000, Windows XP Professional, or the Windows Server 2003 family that belong to the Windows Logo program for Software and that have been installed or deployed by administrators. Users have full control over all of their own data files (stored at %userprofile%) and their own portion of the registry (located in HKEY_CURRENT_USER).

Note that user-level permissions often do not allow the user to successfully run legacy applications. To run these legacy applications, you must either loosen security to allow members of the Users group to run the applications or you must promote members of the Users group to the Power Users group. Both options decrease the security of your organization. Since members of the Users group are guaranteed to be able to run applications belonging to the Windows Logo program for Software, it is a best practice to only use applications that belong to the Windows Logo program for Software. For more information, see the Windows Logo program for Software on the Microsoft Web site.

To secure a system running Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family, an administrator should:

  • Make sure that end users are members of the Users group only.

  • Deploy programs that members of the Users group can run successfully, such as programs that belong to the Windows Logo program for Software.
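To check the first point on a given machine, the following added example (not part of the original page) lists the members of the elevated local groups described here, including Backup Operators from the "Other groups" section, and flags the Interactive group inside Power Users, which an upgrade adds. It assumes English group names and uses the ADSI WinNT provider so that it also runs on PowerShell versions without `Get-LocalGroupMember`.

```powershell
# Added example: report who holds the elevated local groups on this computer.
# Assumption: default English group names; adjust $groups on localized systems.
$computer = $env:COMPUTERNAME
$groups   = 'Administrators', 'Power Users', 'Backup Operators'

function Get-ComProperty($obj, [string]$name) {
    # Group members come back as raw COM objects; read properties via reflection.
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $null)
}

$report = foreach ($groupName in $groups) {
    try {
        $group   = [ADSI]"WinNT://$computer/$groupName,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        Write-Warning "Could not read group '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        $path = Get-ComProperty $member 'ADsPath'   # e.g. WinNT://DOMAIN/name
        $note = ''
        if ($groupName -eq 'Power Users' -and $path -like '*/INTERACTIVE') {
            # Added during an upgrade: every interactively logged-on user is a Power User.
            $note = 'Interactive group is a member (upgraded system)'
        }
        New-Object PSObject -Property @{
            Group  = $groupName
            Member = $path
            Class  = Get-ComProperty $member 'Class'   # User or Group
            Note   = $note
        } | Select-Object Group, Member, Class, Note
    }
}

# Anything listed here has more than Users-level permissions and needs a reason to.
$report | Sort-Object Group, Member | Format-Table -AutoSize
```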

Users will not be able to run most programs written for versions of Windows prior to Windows 2000, because those versions either did not support file system and registry security (Windows 95 and Windows 98) or shipped with other default security settings (Windows NT). If you have problems running legacy applications on newly installed NTFS systems, then do one of the following:

  1. Install new versions of the applications that belong to the Windows Logo program for Software.

  2. Move end users from the Users group into the Power Users group.

  3. Decrease the default security permissions for the Users group. This can be accomplished by using the Compatible security template.

The Anonymous group is no longer a member of the Everyone group

For Windows XP Professional and the Windows Server 2003 family, the Anonymous group is no longer a member of the Everyone group.

When a Windows 2000 system is upgraded to Windows XP Professional or the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly for the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous Logon group, you should explicitly add the Anonymous Logon security group and its permissions.

However, in some situations where it might be difficult to determine and modify the permission entries on resources, you can change the "Network access: Let Everyone permissions apply to anonymous users" security setting.
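Added example, not from the original page: a read-only PowerShell check that lists files and folders under a root where Everyone has an Allow entry but Anonymous Logon does not, which are the resources that stop being reachable anonymously after the upgrade. The root path `C:\Shares` is a hypothetical placeholder; `EveryoneIncludesAnonymous` under the Lsa registry key is the value behind the security setting named above.

```powershell
# Added example. $Root is a hypothetical path; point it at the tree to review.
param([string]$Root = 'C:\Shares')

$everyone  = 'S-1-1-0'   # well-known SID of Everyone
$anonymous = 'S-1-5-7'   # well-known SID of Anonymous Logon
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Registry value behind "Network access: Let Everyone permissions apply to
# anonymous users". 1 means Everyone entries also apply to anonymous users.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.EveryoneIncludesAnonymous -eq 1) {
    Write-Warning 'Everyone permissions currently apply to anonymous users.'
}

$items = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -ErrorAction SilentlyContinue)
foreach ($item in $items) {
    try {
        # Ask for SIDs instead of names so the check is not language dependent.
        $rules = $item.GetAccessControl().GetAccessRules($true, $true, $sidType)
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        continue
    }
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $sids  = @($allow | ForEach-Object { $_.IdentityReference.Value })

    # Everyone is allowed, Anonymous Logon is not named: anonymous access is
    # lost here unless the security setting above is enabled.
    if (($sids -contains $everyone) -and ($sids -notcontains $anonymous)) {
        $rights = ($allow | Where-Object { $_.IdentityReference.Value -eq $everyone } |
                   ForEach-Object { $_.FileSystemRights }) -join '; '
        New-Object PSObject -Property @{ Path = $item.FullName; EveryoneRights = "$rights" } |
            Select-Object Path, EveryoneRights
    }
}
```

Reviewing this list and adding Anonymous Logon explicitly only where an application requires it keeps the restriction in place everywhere else.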

Other groups

  • Interactive. This group contains the user who is currently logged on to the computer. During an upgrade to Windows 2000, Windows XP Professional, or the Windows Server 2003 family, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade.

  • Network. This group contains all users who are currently accessing the system over the network.

  • Backup Operators

    Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Caution

    • Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Group Policy settings can be used to create an environment in which Backup Operators only can run a backup program. For more information, see the Microsoft Security page on the Microsoft Web site.

For more information, see Default groups, Default settings for services, Differences in default security settings, and the Security page on the Microsoft Web site.