User and Group Security in Windows XP
by Mike E.
June 16, 2006
It was recommended in the forums that someone write an article explaining how the computer “sees” you as an Administrator or User, and how those identities influence computer access, privacy, security, personal settings, and scheduled tasks. This article will hopefully shed some more light on those questions (in small detail): how a user or a group on a Windows XP Pro machine is able (or unable) to access certain things and do certain things, along with some tips and information on how to secure your system. Although this article applies to all Windows NT based machines (NT, 2000, XP, 2003), I chose the XP Pro version of the MS operating system because XP is widely used now; according to w3schools.com, about 75% of web browsers were running on XP. I picked one version because, although the security model of the NT based operating systems is practically the same, the way in which you deny or grant access differs between them. Also please note that XP Home is somewhat crippled in your ability to change a user's or group's access. Let's get on with the article.

The File System

The first thing I feel is necessary to discuss is the Windows XP filesystem(s) (or file system(s)). The Wikipedia definition of a filesystem is: “a file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, or they may be virtual and exist only as an access method for virtual data or for data over a network (e.g. NFS).” To make it a little easier to understand, here's a good analogy. You work for a company (your company is the operating system, in our case Windows XP), and this company hired you and another person as filing room clerks.
The company gave you free rein on how you want to store files/folders, as long as you know how to retrieve them in a timely manner later on. The way in which you and your filing clerk co-worker file your items is your filing system. Although the two systems are different, the company knows how to work with both. There are 2 filesystems that Windows XP can use, FAT and NTFS. For the purposes of this article, the only difference that matters to you is that NTFS is better because it allows you to set folder/file level access and restrictions (and also encryption). With the FAT filesystem you are unable to grant per user/group access to things such as folders/files without 3rd party software. Don't worry: if you already installed XP and used the FAT filesystem, there is a very easy way to convert to NTFS without having to format and reinstall. Go to a command prompt by clicking the “Start” menu, then click “Run”. When the Run box opens, type in “cmd” (no quotes) and then press the “OK” button. A black window will open with white text and a white blinking cursor. That is the command prompt. The “down and dirty” command to convert your drive goes like this:

Convert C: /FS:NTFS [press enter]

Please note the spacing between Convert and C:, and also between C: and /FS. You may change the “C:” parameter to any drive letter that exists on your computer, as long as it's writable by Windows and is not a CD-ROM. There are other options available with the convert command, but they go beyond the scope of this article. You may look at those options by typing “convert /?” (no quotes, and mind the spacing) and then pressing enter. You'll see a list of other optional parameters. It's advised not to change anything unless you know what you're doing. Going back to our analogy above, you are NTFS and your co-worker is FAT. When someone comes to the filing room and asks you (NTFS) to file something for them, first you ask them to put their fingerprint on the document.
You also ask them what department within the company they belong to. Afterwards, you ask them to sign a log sheet. The log sheet asks for the name of the file they are filing, who else is able to retrieve that file, and, if they are able to retrieve it, what they can do with it. When someone hands your co-worker (FAT) something to file, all they do is say “Thank You” and put it in the filing cabinet or wherever it needs to be stored. In the NTFS security model, the fingerprint and department name you asked them for is what's called an SID. SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group. The SID contains information that defines who you are, what group (department) you work for, and what you're able to access on the computer. Remember that log sheet you had them fill out? That also exists on XP with NTFS: the log sheet would be called the ACL (Access Control List). The ACL is a list of entries associated with a file or folder that specifies which users and groups have access to that folder or file. There are different levels of access that can be given to a user, such as “Read, Read/Write, Modify, and Execute”, etc. To go deeper, each entry on your log sheet is called an Access Control Entry (ACE). Each entry contains the SID of a user or group, a mask specifying access rights, and a flag stating whether or not other objects are able to inherit the ACE from the parent object. Example: for C:\folder1\folder2, the flag says yes or no to the question “can folder2 inherit the ACE from folder1?”

Groups

Groups are containers for users. In our analogy a group would be the department that our user works for. Windows has built-in groups. There are a few of them, but the ones we are worried about are as listed:
Administrators: A member of the administrators group is able to do whatever they want to the computer or to files/folders on the computer, and has the fewest default restrictions on the computer.

Power Users: The power users group is a slimmed-down version of the administrators group. Members are able to do a lot of things, like create/manage users and groups and change system settings such as the date and time. They are unable to add themselves to the administrators group, nor are they able to access other users' files/folders without explicit permission to do so.

Users: A member of the users group is unable to do a lot of things, like change system-wide settings, operating system files, or program files. They do have full control over all of their own data files (C:\documents and settings\username\) and their own portion of the registry (HKEY_CURRENT_USER).

To view what rights a member of a certain group has, open the Group Policy Editor by:

You can create/modify groups by going to the Local Users and Groups snap-in by:
How Users and Groups Influence Access on the Computer

As mentioned above, the group you belong to determines what access levels you have. For the most part, every user, whatever group they belong to, can READ a directory. The reason for this is the way Windows works: there are things that users NEED access to, and if you block access to that folder/file/object they won't be able to use the computer. Case in point: say you install some program. Everyone is able to use it the way it is supposed to work. Then you go and change access to that program's folder (say C:\program files\my cool program\). You change it so that members of the users group can READ and EXECUTE in that directory but are unable to write to it. What if that program stored temp files in that directory? Better yet, what if that program stored and wrote its configuration settings in that folder? A member of the users group trying to use that program would now be unable to change its configuration settings (which can be good or bad, depending on the situation), and they may now be unable to use the program at all, because the program writes its temp files to that folder and users are no longer able to write to that directory. When a user runs a program, it “impersonates” the user that ran it. So if that user is unable to access certain things that the program needs access to, the program will not work, because it's running under that user's credentials.

Privacy Influences

Privacy is a hard one to determine. If you're worried about applications giving up personal information, then of course you are able to grant a person user status and not admin status, thereby preventing them from installing an application (like spyware or malware) that will reveal personal information to 3rd parties.
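To make the SID/ACL/ACE model from the file system section and the “my cool program” scenario above concrete, here is a small Python model of how Windows walks an ACL. It is an added example, not Windows code and not part of the original article: the mask bits, folder names and the three user SIDs are constructed for illustration (only the two group SIDs are the real well-known values for BUILTIN\Administrators and BUILTIN\Users), and the real check also consults the object's owner and the caller's privileges, which this model leaves out.

```python
"""Toy model of the NTFS access check: SIDs, ACLs, ACEs and inheritance.
Added example; mask values, paths and user SIDs are constructed."""
from dataclasses import dataclass, field

# Access mask bits (constructed stand-ins for the real FILE_* rights).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
MODIFY = READ | WRITE | EXECUTE

# Well-known SIDs of the built-in groups; the user SIDs below are made up.
ADMINS = "S-1-5-32-544"        # BUILTIN\Administrators
USERS = "S-1-5-32-545"         # BUILTIN\Users
ALICE = "S-1-5-21-0-0-0-1001"  # constructed: a member of Users
BOB = "S-1-5-21-0-0-0-500"     # constructed: the one Administrator account
CAROL = "S-1-5-21-0-0-0-1002"  # constructed: another member of Users


@dataclass(frozen=True)
class ACE:
    """One line on the filing clerk's log sheet: who, which rights, allow or
    deny, and whether objects underneath inherit this entry."""
    sid: str
    mask: int
    allow: bool = True
    inherit: bool = True


@dataclass
class Folder:
    """A folder or file with its own explicit ACEs and a link to its parent."""
    name: str
    parent: "Folder | None" = None
    explicit: list = field(default_factory=list)

    def acl(self) -> list:
        """Effective ACL: explicit entries first, then entries inherited down
        the parent chain, which is the order Windows evaluates them in."""
        inherited = []
        if self.parent is not None:
            inherited = [ace for ace in self.parent.acl() if ace.inherit]
        return self.explicit + inherited


@dataclass(frozen=True)
class Token:
    """What a logged-on user carries, and what a program started by that user
    impersonates: the user's own SID plus the SIDs of their groups."""
    user_sid: str
    group_sids: frozenset

    def matches(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, obj: Folder, requested: int) -> bool:
    """Walk the ACL in order. A deny entry covering any still-wanted right
    fails the request on the spot; allow entries accumulate rights until every
    requested bit is granted. No matching entry at all means no access."""
    remaining = requested
    for ace in obj.acl():
        if not token.matches(ace.sid):
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def build_example() -> dict:
    """Constructed folder tree mirroring the article's 'my cool program' case."""
    program_files = Folder("C:\\Program Files", explicit=[
        ACE(ADMINS, MODIFY),          # admins can do anything below here
        ACE(USERS, READ | EXECUTE),   # users can run programs but not write
    ])
    # The program folder sets nothing itself, so it inherits both entries.
    my_cool = Folder("C:\\Program Files\\My Cool Program", parent=program_files)
    # Fix for a program that writes temp files: grant WRITE on that one
    # sub-folder instead of opening up the whole program folder.
    temp = Folder("C:\\Program Files\\My Cool Program\\temp", parent=my_cool,
                  explicit=[ACE(USERS, WRITE)])
    # An explicit deny sits before any allow, so it wins even for a user who
    # is also granted MODIFY on the same file.
    settings = Folder("C:\\Program Files\\My Cool Program\\settings.ini",
                      parent=my_cool,
                      explicit=[ACE(USERS, WRITE, allow=False), ACE(ALICE, MODIFY)])
    # Profile folders do not take the Users entry from their parent (constructed
    # simplification), so only the owner and the administrators can get in.
    docs = Folder("C:\\Documents and Settings", explicit=[
        ACE(ADMINS, MODIFY),
        ACE(USERS, READ | EXECUTE, inherit=False),
    ])
    alice_profile = Folder("C:\\Documents and Settings\\alice", parent=docs,
                           explicit=[ACE(ALICE, MODIFY)])
    return {"my_cool": my_cool, "temp": temp, "settings": settings,
            "alice_profile": alice_profile}


EXAMPLE = build_example()
ALICE_TOKEN = Token(ALICE, frozenset({USERS}))
BOB_TOKEN = Token(BOB, frozenset({ADMINS}))    # Administrators only, not Users
CAROL_TOKEN = Token(CAROL, frozenset({USERS}))

if __name__ == "__main__":
    for who, token in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN), ("carol", CAROL_TOKEN)):
        for name, obj in EXAMPLE.items():
            print(f"{who:5} write {name:14}: {access_check(token, obj, WRITE)}")
```

Running it shows the article's point: a program started by alice carries her token, so it can read and execute in the program folder but cannot write there, while the temp sub-folder with its own Users WRITE entry works, the explicit deny on settings.ini beats her later allow, and carol gets nothing in alice's profile because no entry there names her or her group. On a real XP machine the same entries are what you see on the Security tab described in the Summary.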
There are other means, however, of releasing private information to certain parties, social engineering being one of them and cookie tracking being another. Cookies are used by a lot of websites, especially sites that you need to log on to. You can prevent users from receiving cookies, but that would greatly hinder their web experience. Privacy Tips/Information:
Security Influences

There are a lot of different ways a user or group can influence security. Once again, by giving someone Administrator access you are basically giving them the go-ahead to do anything they want to your computer. It's not even advisable for YOU, as the owner of the computer, to use it on a day to day basis as a member of the administrators group. It sounds tedious, but think of how tedious it is to repair a malware/spyware infection, or worse yet a virus that can delete documents and files. It's a good idea to create ONE administrator account to install/upgrade software, install Windows service packs or hotfixes, and create/delete/manage users. When using the computer as a member of the users group you remove a lot of security risks: software cannot be installed (including viruses, spyware, malware and basic trash), and access to other users' files/folders is denied. Security Tips:
Personal Settings Influences

After a user is created and they first log on, they have their own personal folder. It's located at C:\documents and settings\username\ . That folder contains a lot of user settings, like their Desktop settings (background image and such), settings for applications that are able to save settings on a per user basis, their My Documents folder, and their Desktop folder (the files that appear on the desktop are actually displayed from this folder). Although a user in the USERS group cannot change system settings, they are able to change their own user settings, like folder view options, their desktop settings (like the wallpaper image) and a few select things. If you really wanted to be mean, you can log on to their account and go into their user profile folder (C:\documents and settings\username\). There, you'll find a hidden file called NTUSER.DAT. That file contains all of their desktop configuration settings. You can make any changes you want under their name, set up the desktop configuration as you like, then rename that file NTUSER.MAN and give that user read-only access to it. Although that is mostly used in corporate settings, you can use it at home. By doing that, you take away their ability to keep changes to their desktop settings: they can still change settings while logged on, but after they log out and log on again those changes will be lost. Personal Settings Tips:
Scheduling Tasks

Any user can schedule a task on Windows XP. The only catch is that whatever task they schedule, they must have access to it. If they do not have access to the file or folder the scheduled task works on, it will not run. Also, if you as an administrator set up a scheduled task to run on a day to day basis at a certain time, and a normal user is logged in at that time, the scheduled task will not run. Luckily for you, the Scheduled Task Wizard has an option to assign a username/password to the task. There you would assign a username to that task and it would run with that user's abilities. Please note, though, that if you leave the password field blank, the scheduled task will not run.

Summary

To summarize, everything on an NT based system requires some level of access, and you as an administrator are able to allow or deny access to objects. Although there are default levels of access for the built-in groups, you can change those defaults if you so please. On XP, to deny access to a file/folder, right click that object, select “Properties” and then click the “Security” tab. Note: on XP Home you can only see the Security tab while in Safe Mode. It is not advisable to start messing with security policies and templates unless you know what they restrict or provide access to. If you add someone to the wrong group, or give a group the wrong access or restriction, you can render your computer useless. There are a lot of things to remember when setting up restrictions for a user or group, and it is sometimes hard to understand, but a good place to start is the MSDN website. There, you can find out how to set up user/group policies and how they affect everyone. Also, if you have any questions regarding security policies on your PC, please don't hesitate to ask in the Help Forums.