5-Minute Security Advisor - Configuring Your Computer for Multiple Users

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : May 7, 2002

Is your home office computer starting to feel a little crowded? Are you afraid to use it to store sensitive documents like your budget because you are afraid that your kids will delete it to make room for their new game, or snoop around and ask why they can't have a slightly larger piece of the pie for their allowance? If so, you might be ready to set up your computer so that multiple users can share it without sharing their files in data.

Just like in a typical household, where everyone has their own private space (their bedrooms) and shared public spaces like the family room or kitchen, your computer can be configured to give each user their own private storage space and user privileges.

Windows XP Home Edition is the first operating system for home use that comes with an enhanced security system. It is based upon the same security system that is in the Windows 2000, Windows XP Professional, and Windows .NET operating systems. 8191981Such a security system offers a great deal of flexibility, as long as you know what you're doing. can be complex and confusing; 8191981Windows XP Home Edition simplifies the interface to make it easier for you to secure your machine without hiring a professional security administrator.

On This Page

Prerequisites
User Accounts
Recommendation
On Passwords
Resetting a Password
Securing Login

Prerequisites

In order to take advantage of the security offerings in Windows XP you must be using the NTFS file system. When you installed your operating system, you had a choice of formatting each disk partition as either FAT, FAT32 or NTFS.

To check the file system of each logical drive:

  1. Open My Computer

  2. Right click on each local drive letter and select properties.

    Cc722655.5m3m01(en-us,TechNet.10).gif

    Figure 1: The properties page for the C: drive. Notice that it is using the NTFS filesystem.

  3. At the top of the properties page for the drive, find the File system designation.

  4. Make note of any local drives that are not using the NTFS file system.

To convert a file system to NTFS:

  1. Click on Start and then Run

  2. Type cmd and then click OK

  3. In the command window, type convert C: /fs:ntfs where C: is the drive that you want to convert.

  4. You may have to reboot if you are converting a drive that Windows is currently using (such as the C: drive).

  5. Repeat for each drive that is not NTFS.

User Accounts

Windows XP Home edition allows you to create multiple user accounts for your computer. Each user can log on separately with a unique profile with their own desktop and My Documents folders. Furthermore, users can be configured as either Administrators or Limited Users. When you create an account, you will have to choose which from these two options:

  1. Administrator accounts. User accounts designated as Administrators have full control over the machine. They can install new hardware and software and can read system files and have full control over the system's settings. Administrators can create new user accounts and change other accounts information including passwords. If you gave Windows XP a list of users during install, these users were created as administrators.

  2. Limited Users. These users, on the other hand, have very limited control over the computer. Limited users cannot change system settings, and they can't install any new hardware or software. This includes most video games, media players and chat programs.

Recommendation

One benefit of using an account designated as a limited user is that if you accidentally launch a virus or Trojan horse, the damage will be mitigated by the fact that the program has very limited access to the computer. It is often recommended to have both an administrator and a limited user account. This way you can use the limited user account for your every day tasks, thus limiting your exposure to attacks and when necessary you can switch over to your administrator account when you need to install new hardware or update system settings.

On Passwords

By default, new users are created without passwords. This means, you simply have to know the username in order to logon to the computer as that person. If you are interested in a secure environment at home, you will probably want to add a password soon after you create a new account, especially if that account has administrative privileges. Without giving administrator accounts passwords, you are opening your computer up to attack. Try to create a password that is hard to guess. Using common names, dates and "password" reduces the effectiveness of your security.

To add passwords to existing user accounts:

  1. Open the Control Panel and click User Accounts.

  2. If you are using an administrator account, click your account name

  3. Click Change my password.

  4. In Type your current password, type your old password. In Type a new password and Type the new password again to confirm, type your new password.

    Note that you can add a reminder to help remind you of your password in Type a word or phrase to use as a password hint. Make sure that whatever you type will not tip anyone off to what your password is!

  5. Click Change Password.

One added benefit of giving your accounts passwords is that you also get the option of making their profile, including the "My Documents" folder, private from other users. More advanced users can also take advantage of the Encrypting File System to digitally scramble their data, so that even if someone does gain access to your data, it will be unreadable; however, this requires Windows XP Professional.

Resetting a Password

You might remember from the above description of administrators that any account with these privileges can reset passwords. Windows XP Home Edition mitigates this potential vulnerability by wiping out all other locally stored passwords for that account. For example, If Alice's Windows XP password is reset, all of her web site passwords, her .NET Passport password as well as any other passwords that Windows XP knows about would be erased. This is good if someone else resets her password for malicious purposes, but is not such a great thing to have happen if she needed to reset her password because she forgot it.

Fortunately, Windows XP allows you to create a Password reset disk. A password reset disk is like a hardware password. It is a floppy disk that allows you to reset your password on your computer without losing any of your account information. It is important to note that anyone who has this disk can reset your password and access all of your data, so you should treat this disk just like you treat your password. Keep it in a safe place!

Securing Login

Now that you have created users and accounts for everyone who uses the computer, you need to make sure that they can log on to the machine securely using their account information. Windows XP Home Edition has a feature called AutoLogon that can be configured to automatically log in a specified user when windows boots. If your computer does not prompt you to log in after you turn it on, you will have to disable Auto Logon.

To disable Auto Logon:

  1. Click Start and then click Run.

  2. In the Open box, type control userpasswords2 and then click OK.

  3. In the dialog box that appears, make sure that the Users must enter a user name and password to use this computer check box is checked and click OK.

If your computer is installed as a home computer and not part of a network domain, then setup configures Windows XP to use the friendly Welcome Logon screen. The more robust, business oriented operating systems such as Windows 2000, Windows XP Professional and Windows .NET Server all have a special logon screen that requires that you press Ctrl-Alt-Delete to log on. Ctrl-Alt-Delete is a special key sequence that breaks out of any application that might be running. This effectively prevents Trojan Horses from pretending to be the logon screen and secretly recording your password information. By default, this special logon screen is turned off in Windows XP Home Edition. To turn it on, you have to do some Registry editing. The registry is a database that Windows uses to store important information about the operating system, programs and the computer itself. Without the registry, Windows could not run. In fact, if the wrong things get changed in the registry, Windows will not run, so tread carefully!

To edit the Registry to enable the Ctrl-Alt-Delete Logon screen:

  1. Click Start and then click Run.

  2. In the Open box, type regedit and then click OK.

  3. Starting at HKEY_LOCAL_MACHINE, click down to the following location:

  4. HKEY_LOCAL_MACHINE \Software \Microsoft \WindowsNT \CurrentVersion \Winlogon

  5. Click Edit, click New and chose DWORD value.

  6. Change the name to DisableCAD and press Enter.

  7. Keep the data value set to 0 which is displayed as 0x00000000(0)

By adding multiple users to your computer and following the recommendations set forth in this paper, you are increasing the security of your computer while enhancing each user's experience. One person's cluttered desktop is replaced by another's clean view of the ocean upon logon. Although you will have to make some choices about which users need administrator privileges and which can get by with limited privileges, in the long run, either option you chose will make your computing experience a better one.