Windows XP Simple Sharing, Security and ForceGuest


by Johannes Helmig [Published on 3 June 2002 / Last Updated on 3 June 2002]

The "Microsoft Windows XP Professional: Resource Kit Documentation (/j_helmig/wxpreskt.htm)" shows in Part II, chapter 6:

Simple Sharing and ForceGuest

When a Windows XP Professional-based computer is not joined to a domain, the simple sharing model is fundamentally different than the model used in previous versions of Windows. By default, all users logging on to such computers over the network are forced to use the Guest account; this is called ForceGuest.

How ForceGuest Works

On computers running Windows 95 and Windows 98 you can specify read-only and full-control share passwords: any user connecting to a share can enter the appropriate password and get the specified level of access. However, this share-level password model is insecure, because share passwords are passed in plaintext and can be intercepted by someone with physical access to the network.

On computers running Windows 2000 and not joined to a domain, identical user accounts with matching passwords must be created on two computers (to enable transparent sharing) or the user must type a user name and password when connecting. Windows 2000 also requires that you grant permissions to the user account on the computer hosting a share to the share and to the files and directories being shared or that you enable the Guest account. However, using the Guest account can cause broader than intended access to the share, because the Everyone group (which allows Guest access) is widely used in the default system permissions.

By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000-based computers.

ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professional-based computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professional-based computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.

Sharing Files and Folders Using the Simple Sharing User Interface

To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.

On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.

By using the simple sharing UI you can create or remove a share and set permissions on the share. When simple sharing is in effect, appropriate permissions are automatically set on shared files and folders. The following permissions (share permissions and file permissions) are added when you use the simple sharing UI:
- Allow others to change my files
- Don't allow others to change my files

When the Guest-only security model is used, the Sharing tab has only three options:
- Share this folder on the network. Grants the Everyone group Read permissions on the folder and its contents.
- Share name. The name of the share on the network.
- Allow other users to change my files. Grants the Everyone group Full Control permissions on folders and Change permissions on files.

Sharing the Root Directory of a Drive

You can create a share at the root of the system drive, but simple sharing does not adjust the file permissions on such shares. On a share created at the root, the simple sharing UI is displayed in the property sheet, and Sharing is added to the shortcut menu on the system drive icon in Windows Explorer. There are two important reasons why it is recommended that you not share the root directory of the system drive:
- By default the Everyone group is granted only Read permissions on the root of the system drive, so sharing the root of the system drive is not sufficient for most remote administration tasks.
- Sharing the root of the system drive is not secure; it essentially grants anyone who can connect to the computer access to system configuration information. For maximum security, it is recommended that you only share folders within your user profile, and only share information that you specifically want others to access.

Let's have a closer look at this.

I have created a folder "JHTEST" on my C: drive. To be able to view the tab "Security" in the properties of this folder, I have to reboot and press the F8 key (before getting to the Windows XP startup screen) to get to the "Windows Advanced Options Menu", where you select to boot in "Safe Mode":

When displaying the "Properties" of a disk or folder (in this example of C:\JHTEST) in "Safe Mode", Windows XP Home (and Windows XP Professional with "Simple File Sharing" switched ON) will display the tab "Security", allowing you to view / change the security settings on a disk formatted with NTFS.
By default, the group "Administrators" has "Full Control" (see Security information via "cacls (/j_helmig/wxpsimsh.htm#cacls)").

"Limited Users" (members of the user group "Users") have only Read permission (as is now the default on Windows XP (/j_helmig/wxpdeflt.htm)) (see Security information via "cacls (/j_helmig/wxpsimsh.htm#cacls)").

When this folder is now "Shared" (not possible in Safe Mode) using "Simple File Sharing" (tab: Sharing, section "Network Sharing and Security"), the Security Settings of such a folder are modified as well. In this example other users are allowed to change the files.

The process to "share" the folder has also added the user group "Everyone" to the permission list, granting permission to read/write/modify (which includes Delete) (see Security information via "cacls (/j_helmig/wxpsimsh.htm#cacls)").

Since using "Simple File Sharing" forces the activation of the "Guest" account, and since "Guest" is by default a member of the user group "Everyone", shared folders can be accessed from the network by everyone, regardless of the username and password used on the remote system.
Checking Security via "cacls":

If you do not want to boot in "Safe Mode", you can check the Security Settings using the command-prompt program "cacls":

Security of folder C:\JHTEST, not yet shared, displayed via the command window: "cacls C:\jhtest":
C:\jhtest BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

Security of folder C:\JHTEST, shared without permission to change files, displayed via the command window: "cacls C:\jhtest", giving "Read" (R) permission to the user group "Everyone":
C:\jhtest Everyone:(OI)(CI)R
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

Security of folder C:\JHTEST, shared with permission to change files, displayed via the command window: "cacls C:\jhtest", giving "Full Control" (C) permission to the user group "Everyone":
C:\jhtest Everyone:(OI)(CI)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

For more information on "cacls", please use the online help ("cacls /?"):
Displays or modifies access control lists (ACLs) of files
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
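The three listings above show how Simple File Sharing changes what a ForceGuest network logon can do: the Guest account is a member of Everyone, so the Everyone entries decide the outcome. As an added example (not part of the article), the following Python parses cacls output in the format shown and classifies that access; the sample listings are constructed from the article's three outputs, and the parser assumes the path printed by cacls contains no spaces.

```python
import re
# cacls prints the path once, then one ACE per line as trustee:(inherit flags)permission;
# a "(special access:)" entry lists its individual rights on the following lines.
ACE_RE = re.compile(r"^([^:]+):((?:\((?:OI|CI|IO)\))*)([NRWCF]|\(special access:\))$")
# Constructed sample output, copied from the article's three listings (path has no spaces).
COMMON_ACES = """\
BUILTIN\\Administrators:F
BUILTIN\\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\\SYSTEM:F
NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)F
P733XPH\\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\\Users:R
BUILTIN\\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\\Users:(CI)(special access:)
FILE_WRITE_DATA
"""
UNSHARED = "C:\\jhtest " + COMMON_ACES                           # before sharing
SHARED_READ = "C:\\jhtest Everyone:(OI)(CI)R\n" + COMMON_ACES    # "Share this folder"
SHARED_CHANGE = "C:\\jhtest Everyone:(OI)(CI)C\n" + COMMON_ACES  # "...change my files"

def parse_cacls(text):
    """Return (path, aces); each ACE is (trustee, inherit flags, set of rights)."""
    path, aces = None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if path is None:                     # first line: "<path> <first ACE>"
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m:                                # new ACE; "(special access:)" has no letter
            aces.append((m[1], m[2], set() if m[3].startswith("(") else {m[3]}))
        elif aces:                           # right listed under "(special access:)"
            aces[-1][2].add(line)
    return path, aces

# Permission letters and specific rights that let a principal modify or delete content.
CHANGE = {"W", "C", "F", "GENERIC_WRITE", "GENERIC_ALL", "FILE_WRITE_DATA",
          "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def guest_network_access(aces):
    """Access a ForceGuest network logon gets (Guest is in Everyone): 'none', 'read' or 'change'."""
    level = "none"
    for trustee, _inherit, rights in aces:
        if trustee == "Everyone" and rights != {"N"}:
            if rights & CHANGE:
                return "change"
            level = "read"
    return level
```

Run `cacls` on the folder, feed its output to `parse_cacls`, and a result of "change" means anyone who can reach the share over the network can modify or delete its files.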

Copyright 2014, TechGenix Ltd (http://www.techgenix.com/). All rights reserved.