Securing XP Home Systems with XP Professional Permissions

If you’re running Windows XP Home, Simple File Sharing is enabled by default, and unlike in Windows XP Professional, there is no easy way to turn it off. While some users will find this version of file sharing simple to use, it does lack much of the granularity typically associated with assigning NTFS and shared folder permissions for individual users. For example, with each of the 5 configurable security levels outlined in this article, the permissions assigned to the owner or other users are basically of the “take it or leave it” variety – you cannot use this sharing facility to assign unique or different permissions to individual users.

Thankfully, if you want a more granular level of control over how NTFS and shared folder permissions are assigned on an XP Home system, all is not lost. The traditional NTFS and shared folder permissions available in Windows XP and Windows 2000 Professional can be accessed on a Windows XP Home system by booting into Safe Mode, where Simple File Sharing is disabled.

Once booted into Safe Mode on an XP Home system, you can right-click on a particular folder or file, click Properties, and the traditional Security tab is exposed, as shown at right. From this interface, you’re able to see not only the permissions that Windows XP Home applies for a given security level, but also customize the permissions for individual users. For example, let’s say that you have created an additional user account named Paul on your XP Home system. You could then use the security tab to add Paul’s user account and configure the exact permissions that should be applied to this user. Although these permissions will not be visible when you reboot the system normally, the unique permissions assigned to the Paul user account will still apply regardless. The Sharing tab allows you to configure traditional shared folder permissions in a similar manner.

Consider using this method to configure NTFS and shared folder permissions when none of the Simple File Sharing security levels works for you. The solution may not be perfect (why should we have to boot into Safe Mode to access these?) but it does provide a method to get at the NTFS security structure that Microsoft has in its “wisdom” decided to hide from XP Home users.

Combining Shared Folder and NTFS Permissions

If you choose to apply both shared folder and NTFS permissions to a folder, you need to consider which permissions will actually apply. For example, let’s say that you granted a user named Paul the shared folder permission Read, and the NTFS permission Full Control. When accessing this folder over the network, the more restrictive permission of the two always applies, in this case Read. However, if Paul were to log on to the system locally, only the NTFS permissions would apply, and he would be granted Full Control. Always keep this concept in mind when attempting to troubleshoot user access to shared folders.
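The rule above can be written as a small troubleshooting aid. This is an added example, not part of the original article; the breakdown of each permission level into individual rights is a simplification assumed here, and the function names are hypothetical.

```python
# Added illustration: how shared folder and NTFS permissions combine.
# Assumption: each level is reduced to a small set of rights for clarity.
READ = {"read"}
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL}
NTFS_LEVELS = {"Read": READ, "Modify": CHANGE, "Full Control": FULL}


def effective_rights(share_perm, ntfs_perm, over_network):
    """Rights a user actually gets on a folder.

    Locally only the NTFS permission counts; over the network the user
    gets only what BOTH layers allow (the more restrictive result).
    """
    ntfs = NTFS_LEVELS[ntfs_perm]
    if not over_network:
        return set(ntfs)
    return SHARE_LEVELS[share_perm] & ntfs


def level_name(rights):
    """Name the highest level fully covered by a set of rights."""
    for name in ("Full Control", "Change", "Read"):
        if SHARE_LEVELS[name] <= rights:
            return name
    return "No access"


def diagnose(share_perm, ntfs_perm, wanted, over_network=True):
    """Say which layer blocks the right `wanted`, or 'allowed'."""
    share_ok = (not over_network) or wanted in SHARE_LEVELS[share_perm]
    ntfs_ok = wanted in NTFS_LEVELS[ntfs_perm]
    if share_ok and ntfs_ok:
        return "allowed"
    blockers = []
    if not share_ok:
        blockers.append("shared folder permission " + share_perm)
    if not ntfs_ok:
        blockers.append("NTFS permission " + ntfs_perm)
    return "blocked by " + " and ".join(blockers)


if __name__ == "__main__":
    # Paul from the text: share Read, NTFS Full Control.
    print("network:", level_name(effective_rights("Read", "Full Control", True)))
    print("local:  ", level_name(effective_rights("Read", "Full Control", False)))
    print("write over network:", diagnose("Read", "Full Control", "write"))
    # Constructed reverse case: generous share, restrictive NTFS.
    print("write over network:", diagnose("Full Control", "Read", "write"))
```
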

File and Folder Security Using NTFS Permissions

Besides increased system stability, the best reason for choosing Windows XP or Windows 2000 as a desktop OS is the ability to take advantage of the NTFS file system. Unlike FAT and FAT32, NTFS provides the ability to configure file and folder security permissions that apply to both local and remote users. On a Windows XP Home system, NTFS permissions are configured as part of the Simple File Sharing feature looked at earlier, or “old style” as explained in the boxout. The obvious prerequisite to using NTFS permissions is that at least one partition is formatted with the NTFS file system.

Thankfully, a default installation of Windows XP Home or Professional on a new system will use the NTFS file system, but your system being configured with NTFS isn’t a given. The easiest way to tell is to access the properties of a drive (like C) and view the information on the General tab. If your XP or 2000 system is currently running a different file system (like FAT32), all is not lost. Windows includes a utility to convert FAT32 partitions to NTFS, without losing any existing data. The command to convert drive D from FAT32 to NTFS from the command prompt would be:

convert d: /fs:ntfs

Since Windows 9X/ME systems cannot access NTFS partitions, be very careful with this command if your system is set up in a dual-boot configuration.

As mentioned, NTFS permissions apply to users both locally and across the network, providing the highest degree of security. Subfolders and files inherit NTFS permissions, so this is also another key consideration. For example, if you were to create a new NTFS partition (say E), all new folders and files would inherit the permissions applied to drive E. Inherited permissions are indicated by the fact that they are “grayed out” and cannot be directly changed by default. Inherited permissions can be copied directly to a file or folder or removed, as explained in the NTFS permission stepped procedure.

The default permission applied to the root of a new drive may not meet your security needs, so be sure to change the default permissions at this level at a minimum. For example, consider granting yourself the Full Control permission to the root of the drive, and then granting individual users permissions to specific subfolders. Two locations that you should not tamper with are the root of drive C and the Windows folder. Changing the permissions on either of these resources might render your system unusable.

Administrative Shared Folders

For system administration purposes, both Windows XP and Windows 2000 Professional systems share the root of each drive. By default, this “folder” is shared using a name created by taking the drive letter (such as C) and appending a dollar sign ($) to the end of it. On a Windows XP/2000 Professional system, these administratively shared folders are only accessible to administrators.

The $ symbol following the drive letter hides the share, ensuring that it is not displayed in My Network Places, Network Neighborhood, or when the NET VIEW command is issued. In order to access hidden shares, an administrator would typically map a network drive or enter the path at the Run command – for example, \\192.168.1.100\C$. To that end, for a higher degree of privacy, consider hiding all shared folders on your network by appending the $ symbol to the end of their share name – such folders will still be accessible over the network, but only to users who know and can provide the correct path.

On Windows XP Home systems, the root of each drive is not shared automatically, but can be by accessing the properties of the drive if required. As a general rule, avoid sharing drives from the root, since the careless assignment of permissions potentially exposes the contents of the entire drive to anyone who can connect to it. This can lead to the malicious or accidental deletion of critical system or data files, something you’ll want to avoid at all costs.
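To check a PC against the advice in this section, the listing printed by the NET SHARE command can be reviewed with a short script. This is an added example, not part of the original article; the sample listing is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of NET SHARE output (not captured from a real PC).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Files        D:\Files
Backup$      E:\Backup
DriveD       D:\
The command completed successfully.
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_net_share(text):
    """Turn the NET SHARE table into a list of {'name', 'resource'} dicts."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True          # rows start after the dashed rule
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        # Columns are separated by runs of spaces; IPC$ has no resource,
        # so only accept a field that looks like a drive path.
        fields = re.split(r"\s{2,}", line.strip())
        resource = next((f for f in fields[1:] if DRIVE_PATH.match(f)), "")
        shares.append({"name": fields[0], "resource": resource})
    return shares


def audit_shares(shares):
    """Flag shares that go against the advice in this section."""
    findings = []
    for share in shares:
        name, resource = share["name"], share["resource"]
        hidden = name.endswith("$")
        is_root = re.fullmatch(r"[A-Za-z]:\\", resource) is not None
        # C$, D$ ... are the built-in administrative drive shares.
        admin_default = is_root and name.upper() == resource[0].upper() + "$"
        if is_root and not admin_default:
            findings.append((name, "drive root shared: exposes the whole drive"))
        elif resource and not hidden:
            findings.append((name, "visible in NET VIEW and My Network Places"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_shares(parse_net_share(SAMPLE_NET_SHARE)):
        print(name + ": " + problem)
```

On a real system, save the output of NET SHARE to a text file and pass its contents to parse_net_share in place of the sample.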

Configuring Security Permissions with Windows XP Simple File Sharing

If you’re running Windows XP Home (or Professional as part of a workgroup), Microsoft has introduced a new feature known as Simple File Sharing. This feature is meant to make the process of sharing files with other users both on the network and the same PC more intuitive. Unfortunately, this method strays from the standard method of assigning permissions that you are probably familiar with from previous OS versions, and can be confusing. While Windows XP Professional users have the option of turning Simple File Sharing off (as shown at right), no such option exists for Windows XP Home users. A simple (if annoying) workaround does exist for XP Home users, however, as outlined in another article that follows.

While Simple File Sharing makes sharing resources a little easier for users, it also hides what is going on behind the scenes in terms of the actual permissions assigned to a particular resource. Simple File Sharing consists of 5 security “levels”, each of which handles how folders are shared and secured differently. Making the entire situation even more cryptic, the methods used to obtain each level of security involve slightly different procedures, but each is outlined below.

Level 1 – configured by checking the Make this folder private checkbox on the Sharing tab of a user’s My Documents folder, this setting grants both the owner and system the Full Control permission, and the folder is not shared.

Level 2 – the default setting on a user’s My Documents folder grants the owner, system, and Administrators group Full Control, and the folder is not shared.

Level 3 – configured by moving or copying a file or folder to a user’s Shared Documents folder, this grants the owner, system, and Administrators group full control, and all other users the Read permission. On a Windows XP Professional system, the Power Users group is granted the Modify permission. This level allows local sharing only, with documents not shared with network users.

Level 4 – configured by accessing the Sharing tab for a folder and checking the Share this folder on the network checkbox. Grants the owner, system, and Administrators group Full Control locally, the Everyone group Read permission locally, and the Everyone group the Read shared folder permission.

Level 5 – configured by accessing the Sharing tab for a folder and checking both the Share this folder on the network and Allow network users to change my files checkboxes. Grants the owner, system, and Administrators group Full Control locally, the Everyone group Change permission locally, and the Everyone group the Full Control shared folder permission.

Securing Shared Files and Printers with Security Permissions

The primary purpose for implementing a network is to allow users to share resources. For example, users on one PC might want to access the contents of a folder or use a printer on another system. Although sharing a folder or printer on a system running any Windows version from 95 forward is a relatively simple proposition, ensuring that the resource is properly secured is a more critical consideration. In a nutshell, the default permissions assigned to shared resources on a Windows system are inherently insecure, and should almost always be changed.

Furthermore, it’s important to keep in mind that shared folder permissions only apply to users connecting to that resource over the network – these permissions do not apply to local users.

Sharing a folder on a Windows system provides a great example of what we mean here. If you were to share a folder named Files on a Windows 98 system, the default permission that is applied to the folder is “Read-Only” to a group known as “The World”. As this group name suggests, this permission will allow any and all users to access the shared folder with Read-Only access. This may not seem like a terrible situation, since Read-Only access would not allow connecting users to make changes to your files. However, it will allow them to open and read files, as well as copy those files to different locations, where they can ultimately do with them what they please. Because the possible shared folder permissions that can be configured on a Windows 98 system are limited, storing resources in a shared folder on a Windows 2000 or XP system is generally your best option, as you’ll learn shortly. Barring that, however, be sure to configure passwords for shared folders on Windows 9X/ME systems if the folder contains any data that you consider to be critical or private in nature.

If you’re sharing a folder from a Windows 2000 or Windows XP Professional system (with Simple File Sharing disabled), then you’ll also need to carefully consider the permissions you assign. When a folder is shared from a Windows 2000 system, the default permission grants a group known as “Everyone” full control over the contents of the folder. This permission would ultimately allow any user to do as they pleased with the contents of the folder. The default permission for a new shared folder in Windows XP Professional is a little more secure, granting the Everyone group Read access only, though this makes the folder subject to the same issues looked at in the Windows 98 section. For a higher degree of security, consider removing the Everyone group when configuring shared folder permissions on these operating systems, and grant permissions to an authenticated group (like Users) instead.

It may not seem necessary, but another area that you should also consider is the security of your printers. On a Windows XP or Windows 2000 Professional system, the properties of a printer include a Security tab, which by default allows the Everyone group the ability to Print documents. Unfortunately, this setting allows anyone to print to the printer. For a higher degree of security, you can use the Security tab to control which printers a user is allowed to print to, or whether they have the ability to change printer settings. This can be useful when you want to avoid having certain users misuse an expensive colour printer, for example.

Securing Your Home Network with Strong Passwords

While good internal security starts with user accounts, more important still is the strength of the passwords assigned to those accounts. Far too many users take the easy way out on this one, assigning very common or “guessable” words as their password. In the same way that it’s a bad idea to set your PIN number on your bankcard to 1111 or the combination of your month/year of birth, the same holds true for the password assigned to user accounts. Quite simply, too many utilities exist that can easily guess passwords based on common words, using what is known as a dictionary attack. If you’re serious about security, then be serious about your password – your last name, dog’s name, or “password” just won’t cut it.

Good password security exhibits two main features. The first is that the password should be hard to guess, including a combination of upper- and lower-case characters, numbers, and special characters (such as %@$^~ as examples). The second critical consideration with passwords is how often they are changed. As a general rule, get users on your network in the habit of changing their passwords at least once every 30-60 days, and be sure to assign a password to all user accounts. On a Windows XP or Windows 2000 Professional system, password changes can be made mandatory by configuring Password Policy settings in the Local Security Policy Administrative Tool.

Home Networks and User Account Security

Securing your internal network always starts with the same concept, namely authentication. In the same way that you need a unique card to access your bank account, all users of a network should have their own unique username for identification purposes. While having all users access a network using the same username is obviously simpler, it is also inherently insecure, and doesn’t allow you to take advantage of the benefits that security measures like permissions provide.

When users log on to a PC using a unique username, they are allocated a dedicated folder structure on the disk that stores their individual files, folders, and settings, which is obviously beneficial in a shared environment. On a Windows XP or 2000 system, this folder structure (which includes folders like My Documents) can be further secured to ensure privacy, as we’ll explore shortly.

More importantly, when users are assigned individual usernames, those users can be assigned unique permissions to network resources such as shared and local folders on a Windows XP or 2000 system. User accounts are created using the User Accounts applet in Control Panel, as shown below. The process for creating user accounts on a Windows XP Home system is relatively straightforward, and involves following the steps of a very basic wizard-type interface. On a Windows XP or Windows 2000 Professional system, use the Local Users and Groups tool available in the Computer Management administrative tool. Both Windows XP and 2000 systems include a built-in Guest account. This account is disabled by default, and should be left as such for security purposes. If you need to grant a new user access to your network, taking the 2 minutes to create a dedicated user account for them is always a better solution.

Introduction to Home Network Security

When it comes to securing a home network, most users fall into the trap of believing that a simple home firewall device will provide all the security they need. While some type of firewall device or firewall software package is imperative for any network, this is where properly securing a network begins, not where it ends. Regardless of whether your network is of the wired or wireless variety, you’ll want to take a good hard look at many of the other recommendations listed in this column to ensure that your network is properly secured.

When thinking about network security, one of the best analogies you can use is one that we’re all familiar with – securing your home. In the same way that you lock your door at night to keep the outside world at bay, firewall hardware and software is designed to keep the general public out of your network – in this case other Internet users.

While locking that door is critical, you probably go a little further when it comes to securing your belongings within your house. For example, it’s probably a safe bet to assume that you don’t leave big stacks of money sitting on the kitchen table, or jewelry boxes sitting open in windows. More likely, you take the extra step to make sure that these items are hidden and secured to at least some degree. In the same way that you secure those valuables already behind a locked door, you also need to seriously consider securing resources on your internal network.

Windows Networking Utilities

Once TCP/IP is installed and configured on the computers on your network, a variety of helpful and interesting diagnostic and troubleshooting utilities become available to you. Most of these utilities are meant to be run from the command line, so make sure that you have that command prompt icon nice and handy on your desktop. The list below outlines some of the common utilities that you’ll want to be familiar with, along with their primary functions, and examples of how they are used.

PING – The most basic and essential of the TCP/IP utilities, the PING command is used to test basic connectivity on a TCP/IP network. When you ping another host on your network, the machine from which the command is used sends out an “echo request” message, and then determines success by whether it receives back an “echo reply”. When echo reply messages are received, it means that the two computers are capable of communicating via TCP/IP. PING is the first utility that should always be used when attempting to troubleshoot a connectivity issue on a TCP/IP network. The ping command can be used with IP addresses or FQDNs. For example, to ping the PC Answers web server, you would type ping www.pcanwers.co.uk and press Enter. If you receive 4 echo reply messages, you’re likely up and running correctly.

IPCONFIG – The IPCONFIG command represents the easiest way to gather TCP/IP configuration information for your computer from the command line. Instead of accessing your network properties through the Windows interface, simply type ipconfig at the command prompt and press Enter. You will be provided with information on the IP address, subnet mask, and default gateway values configured on your PC. For more comprehensive information (including the IP addresses of DNS servers), type ipconfig /all and press Enter. If you’re running Windows 2000 or XP, try using the ipconfig /displaydns command to view the FQDNs that your system has resolved to IP addresses.

TRACERT – One exceptionally interesting TCP/IP command used to troubleshoot network connectivity issues is TRACERT. The purpose of the TRACERT command is to trace the route that a packet takes between a source and destination host. For example, when you cannot ping a host, it does not necessarily mean that the host is unavailable. Instead, it might mean that a problem exists somewhere on the path between the two hosts. When the TRACERT command is issued with an IP address or FQDN, it will report back with information on the entire path taken (namely the routers crossed) in trying to reach the destination network. For example, try typing tracert www.yahoo.com and press Enter. This command will display all of the routers crossed between your PC and the Yahoo web server, as shown above – probably more than you would have thought!

NETSTAT – The NETSTAT command is useful when attempting to determine the status of connections between your computer and other computers on your network or the Internet. From the command line, type netstat and press Enter. The results will show you the systems that this computer is connected to, along with the status of the connections.

Traceroute.bmp: Use the TRACERT utility to determine the path that a packet takes between a source and destination host.