Windows XP Simple Sharing, Security and ForceGuest

by Johannes Helmig [Published on 3 June 2002 / Last Updated on 3 June 2002]

The "Microsoft Windows XP Professional : Resource Kit Documentation" shows in
Part II, chapter 6 :

Simple Sharing and ForceGuest

When a Windows XP Professional–based computer is not joined to a domain, the simple sharing model is fundamentally different than the model used in previous versions of Windows. By default, all users logging on to such computers over the network are forced to use the Guest account; this is called ForceGuest.

How ForceGuest Works

On computers running Windows 95 and Windows 98 you can specify read-only and full-control share passwords: any user connecting to a share can enter the appropriate password and get the specified level of access. However, this share-level password model is insecure, because share passwords are passed in plaintext and can be intercepted by someone with physical access to the network.

On computers running Windows 2000 and not joined to a domain, identical user accounts with matching passwords must be created on two computers (to enable transparent sharing) or the user must type a user name and password when connecting. Windows 2000 also requires that you grant permissions to the user account on the computer hosting a share to the share and to the files and directories being shared or that you enable the Guest account. However, using the Guest account can cause broader than intended access to the share, because the Everyone group (which allows Guest access) is widely used in the default system permissions.

By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000–based computers.

ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professional–based computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professional–based computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.

Sharing Files and Folders Using the Simple Sharing User Interface

To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.

On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.

By using the simple sharing UI you can create or remove a share and set permissions on the share. When simple sharing is in effect, appropriate permissions are automatically set on shared files and folders. The following permissions are added when you use the simple sharing UI:

  • Share permissions
  • File permissions
  • Allow others to change my files
  • Don’t allow others to change my files

When the Guest-only security model is used, the Sharing tab has only three options:

  • Share this folder on the network. Grants the Everyone group Read permissions on the folder and its contents.
  • Share name. The name of the share on the network.
  • Allow other users to change my files. Grants the Everyone group Full Control permissions on folders and Change permissions on files.

Sharing the Root Directory of a Drive

You can create a share at the root of the system drive, but simple sharing does not adjust the file permissions on such shares. On a share created at the root, the simple sharing UI is displayed in the property sheet, and Sharing is added to the shortcut menu on the system drive icon in Windows Explorer. There are two important reasons why it is recommended that you not share the root directory of the system drive:

  • By default the Everyone group is granted only Read permissions on the root of the system drive, so sharing the root of the system drive is not sufficient for most remote administration tasks.
  • Sharing the root of the system drive is not secure — it essentially grants anyone who can connect to the computer access to system configuration information. For maximum security, it is recommended that you only share folders within your user profile, and only share information that you specifically want others to access.

Let's have a closer look to this.

I have created on my C:-drive a folder "JHTEST". To be able to view in the properties of this
folder the tab "Security", I have to reboot and press the F8-hey (before before getting the
Windows XP startup screen) to get to the "Windows Advanced Options Menu" ,
where you select to boot in "Safe Mode" :

When displaying the "Properties" of a
disk or folder (in this example of C:\JHTEST)
in "Safe Mode", then Windows XP Home
(and Windows XP Professional with
"Simple File Sharing" switched ON)
will display the tab "Security", allowing to
view / change the security settings on a disk
formatted in NTFS.

By default, the group "Administrators"
has "Full Control"
(see Security information via "cacls")
"Limited Users" (members of the UserGroup
"Users") have only Read permission.
(as it is now the default on Windows XP )
(see Security information via "cacls")
When this folder is now "Shared" (not possible
in Safe Mode) using the "Simple File Sharing"
(tab : Sharing, Section "Network Sharing and Security")
then also the Security Settings of such a folder
are modified.
In this example other users are allowed to change
the files.
The process to "share" the folder has also
added the usergroup "Everyone" to the
permission list, giving the permission to
read/write/modify (which includes Delete).
(see Security information via "cacls")

Since using "Simple FileSharing" forces the activation of the "Guest" account and since
"Guest" is by default member of the usergroup "Everyone", shared folders can be accessed
from the network by everyone, regardless of the username and password used on the remote
system.


Checking Security via "cacls":
If you do not want to boot in "Safe Mode", you can check the Security Settings using
the Command-prompt program "cacls" :

Security of folder C:\JHTEST,not yet shared,
displayed via command-window : "cacls C:\jhtest" :

C:\jhtestBUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)


BUILTIN\Users:(CI)(special access:)


BUILTIN\Users:(CI)(special access:)








GENERIC_READ
GENERIC_EXECUTE

FILE_APPEND_DATA


FILE_WRITE_DATA

Security of folder C:\JHTEST, shared without permisison to change files,
displayed via command-window : "cacls C:\jhtest" , giving "Read" (R) permission
to the usergroup "Everyone" :

C:\jhtestEveryone:(OI)(CI)R
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)


BUILTIN\Users:(CI)(special access:)


BUILTIN\Users:(CI)(special access:)









GENERIC_READ
GENERIC_EXECUTE

FILE_APPEND_DATA


FILE_WRITE_DATA



Security of folder C:\JHTEST, shared with permisison to change files,
displayed via command-window : "cacls C:\jhtest" , giving "Full Control" (C) permission
to the usergroup "Everyone" :

C:\jhtestEveryone:(OI)(CI)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
P733XPH\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)


BUILTIN\Users:(CI)(special access:)


BUILTIN\Users:(CI)(special access:)









GENERIC_READ
GENERIC_EXECUTE

FILE_APPEND_DATA


FILE_WRITE_DATA

For more information on "cacls", please use the Online-Help information ("cacls /?")
Displays or modifies access control lines (ACLs) of files

CACLS filename [/T] [/E/ [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

Featured Links