Help2Go.com

User and Group Security in Windows XP

by Mike E.
June 16, 2006

It was suggested in the forums that someone write an article explaining how the computer “sees” you as an Administrator or a User, and how that identity affects what you can access, your privacy, security, personal settings and scheduled tasks.  This article tries to shed some light on those questions (in small detail): how a user or a group on a Windows XP Pro machine is (un)able to access certain things and (un)able to do certain things, with some tips on how to secure your system.

Although this article applies to all Windows NT based versions (NT, 2000, XP, 2003), I chose XP Pro because XP is the most widely used: according to w3schools.com, about 75% of web browsers were running on XP.  The security model is practically the same across the NT family, but the way you grant or deny access differs from version to version.  Also note that XP Home is somewhat crippled in your ability to change what a user or group can access: it has neither gpedit.msc nor lusrmgr.msc, and the Security tab on files and folders only appears in Safe Mode.  Let's get on with the article.


The File System

The first thing to discuss is the Windows XP filesystem (or file system).  Wikipedia defines a filesystem as follows: “a file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, or they may be virtual and exist only as an access method for virtual data or for data over a network (e.g. NFS).”

To make it a little easier to understand, here’s an analogy.  You work for a company (the company is the Operating System, in our case Windows XP) and this company hired you and another person as filing room clerks.  The company gave you free rein over how you store files and folders, as long as you can retrieve them in a timely manner later on.  The way you and your co-worker file your items is your filing system.  Although the two systems are different, the company knows how to work with both.

Windows XP can use two filesystems, FAT (FAT16/FAT32) and NTFS.  For the purposes of this article the only difference that matters is that NTFS is better because it lets you set access permissions on individual folders and files (and also supports encryption with EFS).  FAT has no concept of ownership or permissions at all: anyone who can get to the drive can read and change everything on it, and you cannot grant per user or per group access to folders and files without third-party software.  Don’t worry: if you already installed XP on a FAT volume there is a very easy way to convert it to NTFS without formatting and reinstalling.  Open a command prompt by clicking the “Start” menu, then “Run”.  When the Run box opens, type “cmd” (no quotes) and press the “OK” button.  A black window with white text and a blinking white cursor opens; that is the command prompt.  The “down and dirty” command to convert a drive goes like this:

Convert C: /FS:NTFS [press enter]

Note the spaces between Convert and C: and between C: and /FS.  You can replace “C:” with any drive letter that exists on your computer, as long as Windows can write to it and it is not a CD-ROM.  Two caveats: the conversion is one-way (getting back to FAT means reformatting), so back up first; and if the volume is in use (the system drive always is), convert cannot lock it and will offer to do the work at the next reboot.  The convert command has other options that are beyond the scope of this article.  You can see them by typing “convert /?” (no quotes, mind the spacing) and pressing Enter.  It’s advised not to change anything unless you know what you’re doing.

Going back to our analogy, you are NTFS and your co-worker is FAT.  When someone comes to the filing room and asks you (NTFS) to file something, you first ask them to put their fingerprint on the document.  You also ask them which departments within the company they belong to.  Then you ask them to sign a log sheet.  The log sheet records the name of the file they are filing, who else is allowed to retrieve that file, and, for each of those people, what they may do with it.  When someone hands your co-worker (FAT) something to file, all they do is say “thank you” and put it in the filing cabinet, or wherever it needs to be stored.

In the NTFS security model the fingerprint is what’s called a SID.  SID stands for Security Identifier, an internal value that uniquely identifies one user, group or computer.  It looks like S-1-5-21-<three numbers unique to this machine>-<relative ID>, and the relative ID (RID) at the end picks out the account.  The department list is not in the SID itself: when you log on, Windows builds an access token holding your own SID plus the SIDs of every group you belong to, and it is that list that decides what you can access on the computer.  Some SIDs are the same on every machine: the built-in Administrator account always ends in 500 and Guest in 501, and the Administrators, Users, Guests and Power Users groups are S-1-5-32-544, -545, -546 and -547.  This is also why renaming an account changes nothing about its rights: the SID stays the same.

Remember the log sheet you had them fill out?  That also exists on XP with NTFS; it is called the ACL (Access Control List).  The ACL is a list of entries attached to a file or folder that says which users and groups may access it and how (Read, Read & Execute, Write, Modify, Full Control and so on).  To go deeper, each entry on the log sheet is called an Access Control Entry (ACE).  Each ACE contains the SID of a user or group, a mask of access rights, whether the entry allows or denies those rights, and flags saying whether the objects underneath inherit the ACE from this one.  Example: for C:\folder1\folder2, the flags on folder1’s ACE decide whether folder2 (and the files inside it) inherit that ACE.  Windows checks the entries in order, and in the normal (canonical) order explicit Deny entries come first, then explicit Allow entries, then the inherited ones, so a Deny on a group you belong to generally beats an Allow.
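Here is an added example, not part of the original article, of looking at exactly these pieces from PowerShell.  It assumes PowerShell 2.0 or later, which Microsoft made available for XP SP3 as part of the Windows Management Framework; the folder path in the usage lines is a placeholder.  Get-SidInfo takes a SID string apart and names the well-known RIDs from the paragraph above; Get-DaclEntries lists a folder’s ACEs with the SID each one really stores, the rights mask, Allow/Deny, and the inheritance flags.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+.
# Well-known RIDs that follow the BUILTIN prefix S-1-5-32- and the
# machine/domain prefix S-1-5-21-<x>-<y>-<z>-.
$BuiltinAliasRids = @{ 544 = 'Administrators'; 545 = 'Users'; 546 = 'Guests'; 547 = 'Power Users' }
$DomainRids       = @{ 500 = 'built-in Administrator account'; 501 = 'built-in Guest account';
                       512 = 'Domain Admins'; 513 = 'Domain Users' }

function Get-SidInfo {
    param([Parameter(Mandatory=$true)][string]$Sid)
    $parts = $Sid -split '-'
    if ($parts.Count -lt 4 -or $parts[0] -ne 'S') { throw "Not a SID string: $Sid" }
    $rid = [int]$parts[-1]
    $wellKnown = $null
    if ($Sid -like 'S-1-5-32-*')     { $wellKnown = $BuiltinAliasRids[$rid] }
    elseif ($Sid -like 'S-1-5-21-*') { $wellKnown = $DomainRids[$rid] }   # RIDs >= 1000 are ordinary accounts

    # Ask the local machine (or its domain) which account name the SID maps to.
    $account = $null
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }   # SIDs of deleted accounts simply do not resolve

    New-Object PSObject -Property @{
        Sid       = $Sid
        Revision  = [int]$parts[1]       # always 1
        Authority = [int]$parts[2]       # 5 = NT AUTHORITY
        Rid       = $rid                 # relative identifier, the last field
        WellKnown = $wellKnown
        Account   = $account
    }
}

function Get-DaclEntries {
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Get-Acl shows account names, but the ACE on disk stores a SID; translate back.
        $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value
        New-Object PSObject -Property @{
            Account   = $id.Value
            Sid       = $sid
            Type      = $ace.AccessControlType    # Allow or Deny
            Rights    = $ace.FileSystemRights     # the access mask, shown as names (a raw number
                                                  # means a generic right on an inherit-only entry)
            Inherited = $ace.IsInherited          # came from the parent folder?
            AppliesTo = $ace.InheritanceFlags     # ContainerInherit = subfolders, ObjectInherit = files
            Propagate = $ace.PropagationFlags
        }
    }
}

# Usage (placeholder path):
Get-SidInfo 'S-1-5-32-545' | Format-List
Get-DaclEntries 'C:\Program Files' | Format-Table Account, Type, Rights, Inherited, AppliesTo -AutoSize
```

The Deny entries come out first in the listing because that is the order Windows stores and evaluates them; if you ever see an Allow above a Deny, the ACL is not in canonical order and the Security tab will offer to reorder it.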

Groups

Groups are containers for users.  In our analogy a group is a department that a user works for.  Windows has a number of built-in groups; the ones we are concerned with are:

  • Administrators
  • Power Users
  • Users
  • Guests

A member of the Administrators group can do whatever they want to the computer and to the files and folders on it; the group has the fewest default restrictions of any.  Everything started by an Administrator, including a program opened by mistake, runs with those same rights.

A member of the Power Users group has a slimmed down version of the Administrators’ rights.  Power Users can create local users and groups and manage the ones they created, change the membership of the Power Users, Users and Guests groups, change system settings like the date and time, and install many programs.  They cannot add themselves to the Administrators group, nor can they access other users’ files and folders without explicit permission to do so.  Be aware, though, that on a default XP install Power Users have write access to enough of the system (parts of Program Files and of the registry that Administrators and services rely on) that a determined Power User, or malware running as one, can usually make itself an Administrator; the group is a convenience, not a security boundary.

A member of the Users group cannot change system-wide settings, operating system files or program files.  They do have full control over their own data files (C:\Documents and Settings\username\) and their own part of the registry (HKEY_CURRENT_USER), and they can run the programs that are already installed.

To view what rights the members of each group have, open the Group Policy Editor:

  • Click the “Start” menu, then click “Run”.
  • Type “gpedit.msc” (no quotes) and press the “OK” button.
  • The Group Policy Editor opens.
  • Now DOUBLE click “Computer Configuration”.
  • Double click “Windows Settings”.
  • Double click “Security Settings”.
  • Double click “Local Policies”.
  • Double click “User Rights Assignment”.
After double clicking “User Rights Assignment”, the right pane lists each privilege (log on locally, shut down the system, change the system time, back up files and directories, and so on) and which groups hold it.  These are system-wide privileges, separate from the file and folder permissions kept in ACLs.  As you will see, the “Users” group doesn’t have much listed in there.

You can create or modify users and groups in the Local Users and Groups snap-in:

  • Click the “Start” menu.
  • Click “Run”.
  • Type “lusrmgr.msc” (no quotes).
  • Press the “OK” button.
When the Local Users and Groups window opens, the left pane shows two folders, “Users” and “Groups”.  Clicking the relevant folder lets you add or delete users or groups.  To add a user to (or remove one from) a group, open the group and use the Add or Remove buttons.
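The same two views, group membership (the lusrmgr.msc part) and the User Rights Assignment list (the gpedit.msc part), can be pulled out with a script.  This is an added example, not from the original article; it assumes PowerShell 2.0 or later run from an Administrator account on XP Pro (secedit refuses to export otherwise) and uses the ADSI WinNT provider, which reads the local account database.  The group names in the usage line are the four from the list above.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+
# run from an Administrator account.

function Get-LocalGroupMember {
    param([Parameter(Mandatory=$true)][string]$Group)
    # "." means this machine; the WinNT provider talks to the local SAM.
    $g = [ADSI]"WinNT://./$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; read Name and Class via reflection.
        $name  = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{ Group = $Group; Member = $name; Type = $class }
    }
}

function Get-UserRightsAssignment {
    # secedit dumps the local policy to an INI-style file. Its [Privilege Rights]
    # section is what gpedit shows under User Rights Assignment, with each holder
    # written as *SID; translate those back to account names.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; are you running as an Administrator?' }
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $privilege = $matches[1]          # saved before the inner -match overwrites $matches
        $holders = foreach ($h in ($matches[2] -split ',')) {
            $h = $h.Trim()
            if ($h -match '^\*(S-1-.+)$') {
                try { (New-Object System.Security.Principal.SecurityIdentifier($matches[1])).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $h }              # unresolvable SID: keep it as-is
            } else { $h }
        }
        New-Object PSObject -Property @{ Privilege = $privilege; Holders = ($holders -join ', ') }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# Usage:
'Administrators', 'Power Users', 'Users', 'Guests' | ForEach-Object { Get-LocalGroupMember $_ } |
    Format-Table Group, Member, Type -AutoSize
Get-UserRightsAssignment | Sort-Object Privilege | Format-Table -AutoSize
```

Running the membership check every so often is a cheap way to notice an account that has quietly ended up in Administrators or Power Users.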

How user and group membership influences access on the computer

As mentioned above, the group you belong to decides the level of access you have.  Even so, practically every user, whatever their group, can READ most of the folders on the system.  That is simply the way Windows is built: the default permissions give the Users group read and execute access to the Windows and Program Files folders, because a user has to be able to load the operating system’s files and run the installed programs.  Block access to those folders and files and they won’t be able to use the computer at all.

Case in point: say you install some program.  Everyone can use it the way it is supposed to work.  Then you change the permissions on that program’s folder (say C:\Program Files\My Cool Program\) so that members of the Users group can READ and EXECUTE in that directory but cannot write to it.  What if that program stores its temp files in that directory?  Better yet, what if it writes its configuration settings there?  A member of the Users group would now be unable to change the configuration (which can be good or bad, depending on the situation), and may be unable to use the program at all, because it writes its temp files to a folder they can no longer write to.  The fix is not to make them administrators: grant Users write access only to the one subfolder the program actually writes to, and leave the rest read-only.

When a user starts a program, it runs with a copy of that user’s access token, so it has exactly the rights the user has and no more (this is sometimes loosely called “impersonating” the user, although impersonation properly means a server acting on a client’s behalf).  If the user cannot access something the program needs, the program fails, because it is running under that user’s credentials.  The flip side is that a program started by an Administrator, including a piece of malware opened by mistake, runs with Administrator rights.
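The fix for the “my cool program” case above, as an added example that is not part of the original article: Users get read and execute on the program folder, and Modify (not Full Control, so they cannot change the permissions themselves) only on the subfolder the program writes to.  It assumes PowerShell 2.0 or later run as an Administrator so Set-Acl can rewrite the DACLs; the paths and the “Data” subfolder name are placeholders, and the well-known SIDs are the ones from the SID section.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+ and an
# Administrator account. Paths are placeholders.

function New-InheritedAllowRule {
    param([System.Security.Principal.SecurityIdentifier]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # ContainerInherit + ObjectInherit: the rule flows down to subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-AppFolderRights {
    param([Parameter(Mandatory=$true)][string]$AppPath,     # e.g. 'C:\Program Files\My Cool Program'
          [string]$DataSubfolder = 'Data')                   # the only place Users may write
    $users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

    # 1. Program folder: stop inheriting from C:\Program Files, drop any explicit
    #    entries, then allow exactly three things.
    $acl = Get-Acl -Path $AppPath
    $acl.SetAccessRuleProtection($true, $false)         # protected DACL; inherited ACEs are discarded
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
    $acl.AddAccessRule((New-InheritedAllowRule $admins 'FullControl'))
    $acl.AddAccessRule((New-InheritedAllowRule $system 'FullControl'))
    $acl.AddAccessRule((New-InheritedAllowRule $users  'ReadAndExecute'))   # run it, read it, no writes
    Set-Acl -Path $AppPath -AclObject $acl

    # 2. Data subfolder: it inherits the read-only rule above; add Modify for Users
    #    (explicit entries are evaluated before inherited ones, so this wins).
    $dataPath = Join-Path $AppPath $DataSubfolder
    if (-not (Test-Path $dataPath)) { New-Item -ItemType Directory -Path $dataPath | Out-Null }
    $dacl = Get-Acl -Path $dataPath
    $dacl.AddAccessRule((New-InheritedAllowRule $users 'Modify'))
    Set-Acl -Path $dataPath -AclObject $dacl
}

function Get-UsersRights {
    # What the Users group ends up with on a path, matched by SID rather than by
    # (possibly localized) name.
    param([Parameter(Mandatory=$true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}

# Usage (placeholder path):
Set-AppFolderRights -AppPath 'C:\Program Files\My Cool Program'
Get-UsersRights 'C:\Program Files\My Cool Program'
Get-UsersRights 'C:\Program Files\My Cool Program\Data'
```

After running it, log on as a member of Users and actually use the program; if it still fails, Get-DaclEntries style output on the folder it complains about will show you which other path it writes to.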


Privacy Influences

Privacy is a hard one to pin down.  If you are worried about applications giving up personal information, you can of course give a person User status rather than Administrator status, so they cannot install an application (spyware or other malware) that would reveal personal information to third parties.  There are other ways private information leaks out, though: social engineering is one and cookie tracking is another.  Cookies are used by a lot of websites, especially ones you need to log on to.  You can stop users from accepting cookies, but that would hinder their web experience greatly.

Privacy Tips/Information:

  • Use the hosts file (C:\windows\system32\drivers\etc\hosts).  Open it in Notepad, add the entries for the sites you want to block, save it, and make sure regular users (the Users group) only have read access to it, so that a program running as one of them cannot edit it.  (More info on the HOSTS file: http://www.mvps.org/winhelp2002/hosts.htm )
  • Put the people who surf the web in the Users group.  That stops them from installing applications.
  • Teach your users what is acceptable and not acceptable site browsing.
  • When creating a new user, make sure you select the option to make their personal folders private.  That way, when someone comes over to your house and wants to use your computer, you can create a separate account for them and they will be unable to view your personal files and folders.
  • More info on XP privacy and security -> http://www.microsoft.com/windowsxp/using/security/default.mspx


Security Influences

There are a lot of ways a user or group can influence security.  Once again, by giving someone Administrator access you are basically giving them the go-ahead to do anything they want to your computer.  It isn’t even advisable for YOU, the owner of the computer, to use it day to day as a member of the Administrators group.  It sounds tedious, but think of how tedious it is to clean up a malware or spyware infection, or worse, a virus that deletes documents and files.  It’s a good idea to keep ONE administrator account for installing and upgrading software, installing Windows service packs and hotfixes, and creating, deleting and managing users.

When you use the computer as a member of the Users group you remove a lot of risk: software (including viruses, spyware, malware and basic trash) cannot be installed system-wide, and other users’ files and folders are off limits.

Security Tips:

  • Do not use the computer on a day to day basis as a member of the Administrators group.
  • Do not let multiple people share one user account.  That way you can track who does what.
  • Install firewall and antivirus software (or hardware) to better protect your computer.  It’s better to have multiple lines of defense than just one.
  • Disable system services you are not using or don’t think you will ever use (look up what a service does before disabling it; some are needed by things you would not expect).
  • Disable the Guest account.  (On XP Home, where it cannot be disabled outright, simply password protect the Guest account.)
  • Rename the built-in Administrator account and set a password on it.  By default on XP Home the Administrator account is built in, hidden, and has no password.  You can rename it in the Group Policy Editor (gpedit.msc) under Local Policies, Security Options, “Accounts: Rename administrator account”.  Renaming only hides the name; the account’s SID (ending in 500) does not change, so the password is what actually protects it.
  • Keep up to date on service packs and hotfixes that patch security vulnerabilities.
  • Although a user in the USERS group has minimal access, make sure they set a password on their account.  That way you deny access to random people, and even a hacker has to find a password first.
  • Set up a password expiration policy (Security Settings, Account Policies, Password Policy in gpedit.msc).  Using the same password for a long time is a bad idea; change your password at least once every 2–3 months, if not sooner, and try to make each password unique.
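The account-related tips above can be checked, and the simple ones applied, from a script.  This is an added example, not from the original article; it assumes PowerShell 2.0 or later run as an Administrator on XP Pro, and reads the local accounts and the password policy through the ADSI WinNT provider (which reports MaxPasswordAge in seconds).  Note that it finds the built-in accounts by RID rather than by name, for the reason given in the tip about renaming.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+ on XP Pro,
# run as an Administrator.

function Get-LocalAccountAudit {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $findings = @()

    # Password policy: the WinNT provider gives the maximum age in seconds.
    $maxAgeSeconds = [int64]$computer.psbase.Properties['MaxPasswordAge'].Value
    if ($maxAgeSeconds -le 0 -or $maxAgeSeconds -ge 4294967295) {
        $findings += 'Passwords never expire (maximum password age is unlimited).'
    } elseif ($maxAgeSeconds -gt 90 * 86400) {
        $findings += "Maximum password age is $([int]($maxAgeSeconds / 86400)) days; 60-90 is the suggestion above."
    }

    foreach ($child in $computer.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'user') { continue }
        $name  = [string]$child.psbase.Name
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($child.psbase.Properties['objectSid'].Value, 0)).Value
        $rid   = [int]($sid -split '-')[-1]
        $flags = [int]$child.psbase.Properties['UserFlags'].Value
        $disabled   = [bool]($flags -band 0x0002)   # ADS_UF_ACCOUNTDISABLE
        $noPassword = [bool]($flags -band 0x0020)   # ADS_UF_PASSWD_NOTREQD

        # Built-in accounts are recognised by RID: renaming changes the label, never the SID.
        if ($rid -eq 501 -and -not $disabled) { $findings += "Guest account '$name' is enabled." }
        if ($rid -eq 500 -and $name -eq 'Administrator') { $findings += 'Built-in Administrator still has its default name.' }
        if (-not $disabled -and $noPassword) { $findings += "Account '$name' is allowed to have a blank password." }
    }
    $findings
}

function Invoke-BasicHardening {
    # The fixes for the findings that can be applied from the command line (XP Pro).
    & net user Guest /active:no | Out-Null                 # disable the Guest account
    & net accounts /maxpwage:90 /minpwlen:8 | Out-Null     # expire passwords; require 8+ characters
    # Renaming the built-in Administrator is done in gpedit.msc (Security Options,
    # "Accounts: Rename administrator account"); set its password interactively with:
    #   net user Administrator *
}

# Usage:
Get-LocalAccountAudit
```

Run the audit first, read the findings, and only then call Invoke-BasicHardening; on XP Home, disabling Guest breaks simple file sharing, which is why the tip above says to password protect it there instead.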

Personal Settings Influences

After a user is created and logs on for the first time, they get their own profile folder, located at C:\Documents and Settings\username\ .  That folder holds the user’s settings: desktop settings (background image and such), the settings of applications that save them per user, their My Documents folder, and their Desktop folder (the files shown on the desktop are actually stored there).

Although a user in the USERS group cannot change system settings, they can change their own settings: folder view options, desktop settings (like the wallpaper image) and a few select things.  If you really wanted to be mean, you could fix those settings for them.  Log on as that user and set the desktop up the way you want it, then log off.  In their profile folder (C:\Documents and Settings\username\) there is a hidden file called NTUSER.DAT.  That file is the registry hive Windows loads as HKEY_CURRENT_USER when they log on, so it holds all of their desktop configuration.  With the user logged off (the file is locked while they are logged on), rename it to NTUSER.MAN and give that user read-only access to it, so they cannot rename it back.

This is mostly used in corporate settings (it is called a mandatory profile), but you can use it at home.  It does not stop them from changing settings during a session; it stops the changes from being saved.  After they log off and log on again, those changes are gone.
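The rename itself is simple; the part people get wrong is doing it while the hive is still loaded.  This added example (not from the original article) finds the user’s profile folder through the registry and refuses to touch the hive while it is loaded under HKEY_USERS.  It assumes PowerShell 2.0 or later run as an Administrator, and the user name in the usage line is a placeholder.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+, run as an
# Administrator while the target user is logged off.

function Set-ProfileMandatory {
    param([Parameter(Mandatory=$true)][string]$UserName,
          [switch]$Revert)   # rename NTUSER.MAN back to NTUSER.DAT
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # While the user is logged on (or anything runs as them), their hive is loaded as
    # HKEY_USERS\<SID> and the file is locked, so the rename would fail. Refuse.
    if (Test-Path "Registry::HKEY_USERS\$sid") { throw "$UserName is logged on; log them off first." }

    # ProfileList records where each SID's profile folder lives (paths use %SystemDrive%).
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $key)) { throw "$UserName has never logged on, so there is no profile to change yet." }
    $profilePath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $key).ProfileImagePath)

    $dat = Join-Path $profilePath 'NTUSER.DAT'
    $man = Join-Path $profilePath 'NTUSER.MAN'
    if ($Revert) {
        Rename-Item -Path $man -NewName 'NTUSER.DAT' -Force   # -Force: the hive file is hidden
        return $dat
    }
    Rename-Item -Path $dat -NewName 'NTUSER.MAN' -Force
    return $man
}

# Usage (placeholder user):
Set-ProfileMandatory -UserName 'guestkid'
# Set-ProfileMandatory -UserName 'guestkid' -Revert    # to undo it later
```

The user still owns their profile folder, so unless you also take write access to NTUSER.MAN away from them, as the text above says, they can rename it back themselves.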

Personal Settings Tips:

  • The hidden C:\Documents and Settings\Default User folder is the template that is copied to make a new user’s profile the first time they log on, so anything you put there ends up in every new account.  C:\Documents and Settings\All Users is different: its Desktop and Start Menu items are shown to every user alongside their own, but it is not copied.
  • Make sure that either you as administrator set a password on the account and make the personal folders private when you create it, or that the user does.


Scheduling Tasks

Any user can schedule a task on Windows XP, but a task can only do what the account it runs under can do: if that account has no access to the file or folder the task works on, the task will not run.  A task does not run as whoever happens to be logged on at the time.  Each task is stored with the name (and password) of the account it runs as, and the Task Scheduler service starts it under that account whether a normal user, an administrator or nobody is logged on, so a task you set up as administrator to run every day at a certain time runs with your rights even while someone else is using the computer.  That cuts both ways: a user who knows an administrator’s password can use a scheduled task to run something with those rights, which is one more reason to keep that password to yourself.

This is why the Scheduled Task wizard asks for a username and password: the task runs with that user’s abilities.  Note that if you leave the password field blank the task is saved but will not run (XP’s scheduler needs the password to log the account on), and if that account’s password is changed later, the task fails until you update it in the task’s properties.
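The same thing from the command line, as an added example that is not part of the original article: schtasks (included with XP Pro) creates the task with an explicit run-as account, and the read-back shows whose identity it will use.  It assumes PowerShell 2.0 or later; the task name, command, account and start time are placeholders.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0+ on XP Pro.

function New-DailyTaskAs {
    param([Parameter(Mandatory=$true)][string]$TaskName,
          [Parameter(Mandatory=$true)][string]$Command,     # e.g. 'C:\Scripts\nightly-backup.cmd'
          [Parameter(Mandatory=$true)][string]$RunAsUser,   # e.g. "$env:COMPUTERNAME\backupuser"
          [Parameter(Mandatory=$true)][string]$StartTime)   # 24-hour 'HH:mm'
    # Ask for the password instead of hard-coding it in a script.
    $cred  = Get-Credential -Credential $RunAsUser
    $plain = $cred.GetNetworkCredential().Password
    if ([string]::IsNullOrEmpty($plain)) {
        throw 'Blank password: the Task Scheduler would store the task but never start it.'
    }
    # The password is stored with the task; the job then runs as $RunAsUser whether or
    # not anyone is logged on, with exactly that account's rights.
    & schtasks /create /tn $TaskName /tr $Command /sc daily /st $StartTime /ru $RunAsUser /rp $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }
    # Read the task back and show whose identity it will use and whether it has run.
    & schtasks /query /tn $TaskName /v /fo list | Where-Object { $_ -match '^(Run As User|Next Run Time|Last Result)' }
}

# Usage (placeholders):
New-DailyTaskAs -TaskName 'Nightly backup' -Command 'C:\Scripts\nightly-backup.cmd' `
    -RunAsUser "$env:COMPUTERNAME\backupuser" -StartTime '23:30'
```

Use a dedicated account with only the rights the job needs rather than your administrator account: the password is passed on the schtasks command line and kept by the scheduler, so the account it belongs to should not be one that can do everything.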


Summary 

To summarize, everything on an NT based system requires some level of access, and you as an administrator can allow or deny access to objects.  The built-in groups come with default levels of access, but you can change those defaults if you so please.

On XP, to change who can access a file or folder, right click the object, select “Properties” and then click the “Security” tab.  Note: on XP Pro the Security tab is hidden while Simple File Sharing is on (turn it off under Folder Options, View); on XP Home you can only see the Security tab while in Safe Mode.

It is not advisable to start messing with security policies and templates unless you know what they restrict or grant access to.  If you add someone to the wrong group, or give a group the wrong access or restriction, you can render your computer useless.

There are a lot of things to remember when setting up restrictions for a user or group, and it is sometimes hard to understand, but a good place to start is the MSDN website.  There you can find out how to set up user and group policies and how they affect everyone.

Also, if you have any questions regarding security policies on your PC please don’t hesitate to ask in the Help Forums.