How to Set Up Accounts for Secure Computer Sharing in Windows XP

Host Guide_KenM
Welcome to today's TechNet Chat. Our topic is How to set up accounts for secure computer sharing in Windows XP. Questions, comments, and suggestions are welcome.

Host Guest_SecDev_MS
Hello - we're the Microsoft Security Development and Program Management team.

Host Guest_SecDev_MS
In the next one hour, we'll try to answer your questions regarding Windows (XP Home, XP Professional, Server etc.) Security.

Host Guide_KenM
The Input Room (below) is where you can enter questions for our hosts today.

We will read them and select questions to answer.

The questions and answers will be posted in the Reading Room.

Host Guest_Tony_MS
Q:
dhopton_MVP : How does securing user's data on Home cope with the lack of user configurable permissions on NTFS in home?

Host Guest_EricF_MS
Our data says that most Home Users don't understand permissions and are more likely to leave themselves less secure if we exposed permissions. We try to set the permissions correctly and securely based on the location of the data and the user's expressed desire to either make the data read-only or writable.

Host Guest_Tony_MS
Q:
rhysian : Does Home have Local Security Policy console in the Administrative Tools available?

A: No, Home does not expose the local security policy console.

Host Guest_Tony_MS
Q:
Tim_Tanner : I have one question - why is the default user type administrator?

Host Guest_Kirk_MS
A:
Limited Users do not have sufficient privileges to run non-certified apps, games, etc., so the default is Admin (for application compatibility).

Host Guest_Tony_MS
Q:
dhopton_MVP : Internally Home sets the NTFS perms, but what if the user wants slightly more fine grained control?

Host Guest_Kirk_MS
A:
EricF mentioned previously that most home users don't understand perms so there is no ACL editor in Home edition by which users can define more granular permissions. If you really want to, there may be third party command line tools (like cacls)

Host Guest_Tony_MS
Q:
dhopton_MVP : Will there be any opportunity in the future for Home to support the "passwording" of shares? A lot of "home network" users like to password shares (under 9x) to protect some data over the network, and in Home this is no longer possible.

Host Guest_EricF_MS
No

Host Guest_Tony_MS
Q:
gc : You mentioned "read only" and "write". Does the automatic setting of permission bits support completely hiding data from another user?

Host Guest_EricF_MS
A:
Yes, with the 'make private' setting. This removes all SIDs from the ACL except for that user

However an administrator could still take ownership

Host Guest_Tony_MS
Q:
dhopton_MVP : It's annoying - I have a friend who wanted to stop his brother from messing with his documents, but let him play games. He came up against the same problem as you.

Host Guest_Jeffrey_MS
A:
The "make private" thing would help this as well. It prevents other admins from seeing documents (they can still take ownership)

Host Guest_Tony_MS
Q:
dhopton_MVP : Tim: Because the permissions required are the same as an administrator. For example certain registry keys have permissions that only allow the administrators to create/edit them, and games use these - there isn't really much of a way round

Host Guest_Kirk_MS
A:
Tim: We do have this concept in PRO (it's called the Power User) but our usability studies for Personal showed conclusively that Home users did not want to deal with more than two groups

Host Guest_Tony_MS
Q:
Rebecca : Are you saying that if I give my son administrator privileges that he could take ownership of my documents?

Host Guest_Kirk_MS
A:
Yes, if you know how. There are now no visible tools to do this out of the box other than safe mode boot

Host Guest_Tony_MS
Q:
Rebecca : Is this only in NTFS?

Host Guest_Kirk_MS
A:
FAT is even worse, it has no security

Host Guest_Tony_MS
Q:
Rebecca : So what do I do to keep all the important stuff private and still allow him to play games and things?

Host Guest_SecDev_MS
A:
Encrypted File System is available on XP Professional (not on Home).

Host Guest_Tony_MS
Q:
gc : I assume you could use a different BIOS password to protect against someone rebooting the machine to safe mode?

Host Guest_SecDev_MS
A:
Once someone has physical access to a machine, all bets are off (irrespective of BIOS passwords).

Host Guest_Tony_MS
Q:
Rebecca : So what do I do to keep all the important stuff private and still allow him to play games and things?

Host Guest_Kirk_MS
A:
The app compat vs. security issue is a difficult problem. The fact is that legacy apps built primarily for Win9x with no security in mind force you to be an admin on Home\Pro. If you run applications that are certified for Windows, they must run as user

Host Guest_Tony_MS
Q:
Chris : I have one computer connected to the Internet via a cable modem. How can I make sure that my computer is as safe as possible, using the tools and features in Windows XP Home Edition?

Host Guest_Kirk_MS
A:
Running the network setup wizard will connect you to the internet and instantiate the firewall such that any unsolicited input from the internet side is blocked.

Furthermore any network connections are forced to authenticate as Guest which only has access to stuff that you've shared.

Host Guest_Tony_MS
Q:
gc : When I'm looking at the configuration, I see a net firewall and ICF (hope I got the acronym right). What's the difference?

Host Guest_EricF_MS
A:
Actually there are two features: Internet connection firewall and internet connection sharing

Firewall= protect your machine from hackers

Sharing= allow multiple computers to share this computer's internet connection

Host Guest_Tony_MS
Q:
AustinMyers : XP pro can be set up as a VPN server. Can this be done with the home version?

Host Guest_EricF_MS
A:
According to the KB, yes, it can be set up for dial-in for one connection. I don't have one handy to repro.

Vishnu and I just checked and you can do this, using the "Add new connection" wizard in the Network Connections folder.

Host Guest_Tony_MS
Q:
Chris : Would you recommend XP Pro over home for security? Why?

Host Guest_Kirk_MS
A:
Home edition trades off granularity for simplicity. If you're an enthusiast and like to tweak things, then PRO is for you. If you're like my Mom and just want things to work without intervention, then Home is better.

Host Guest_Tony_MS
A:
(to Chris) dhopton_MVP : From an external perspective (e.g. remote "hackers"), both home and pro are equally secure. With pro, there are many chances to change a config and open up security holes

Host Guest_Tony_MS
Q:
AustinMyers : Are there special considerations when using wireless (802.11b) connections?

Host Guest_EricF_MS
A:
The best thing you can do when using 802.11 is to be sure to use a WEP key (and use a random one, not a predictable one). Also, if your vendor's implementation has 128-bit or other WEP enhancements, use them.

Host Guide_KenM
Thanks for joining us today and thanks for the questions. It's time for us to go now. Please see the chats schedule for upcoming topics.