Windows XP Simple Sharing and ForceGuest

The "Microsoft Windows XP Professional: Resource Kit Documentation" covers this topic in Part II, Chapter 6:

Simple Sharing and ForceGuest

When a Windows XP Professional–based computer is not joined to a domain, the simple sharing model is fundamentally different than the model used in previous versions of Windows. By default, all users logging on to such computers over the network are forced to use the Guest account; this is called ForceGuest.

How ForceGuest Works

On computers running Windows 95 and Windows 98 you can specify read-only and full-control share passwords: any user connecting to a share can enter the appropriate password and get the specified level of access. However, this share-level password model is insecure, because share passwords are passed in plaintext and can be intercepted by someone with physical access to the network.

On computers running Windows 2000 and not joined to a domain, identical user accounts with matching passwords must be created on two computers (to enable transparent sharing) or the user must type a user name and password when connecting. Windows 2000 also requires that you grant permissions to the user account on the computer hosting a share to the share and to the files and directories being shared or that you enable the Guest account. However, using the Guest account can cause broader than intended access to the share, because the Everyone group (which allows Guest access) is widely used in the default system permissions.

By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000–based computers.

ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professional–based computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professional–based computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.

Sharing Files and Folders Using the Simple Sharing User Interface

To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.

On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.

By using the simple sharing UI you can create or remove a share and set permissions on the share. When simple sharing is in effect, appropriate permissions are automatically set on shared files and folders. The following permissions are added when you use the simple sharing UI:

  • Share permissions
  • File permissions
  • Allow others to change my files
  • Don’t allow others to change my files

When the Guest-only security model is used, the Sharing tab has only three options:

  • Share this folder on the network. Grants the Everyone group Read permissions on the folder and its contents.
  • Share name. The name of the share on the network.
  • Allow other users to change my files. Grants the Everyone group Full Control permissions on folders and Change permissions on files.

Sharing the Root Directory of a Drive

You can create a share at the root of the system drive, but simple sharing does not adjust the file permissions on such shares. On a share created at the root, the simple sharing UI is displayed in the property sheet, and Sharing is added to the shortcut menu on the system drive icon in Windows Explorer. There are two important reasons why it is recommended that you not share the root directory of the system drive:

  • By default the Everyone group is granted only Read permissions on the root of the system drive, so sharing the root of the system drive is not sufficient for most remote administration tasks.
  • Sharing the root of the system drive is not secure — it essentially grants anyone who can connect to the computer access to system configuration information. For maximum security, it is recommended that you only share folders within your user profile, and only share information that you specifically want others to access.
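
The ForceGuest setting and the root-share recommendation above can both be checked on a computer with a short script. This is an added example, not part of the Resource Kit text; it assumes PowerShell 2.0 or later is installed, and the registry value name forceguest (the stored form of the policy named above) is not stated in the excerpt.

```powershell
# Added example, not Resource Kit code. Assumes PowerShell 2.0 or later and
# an administrative session on the computer being checked.

# 1. Sharing model. The ForceGuest policy is stored as the forceguest DWORD
#    under the Lsa key: 1 = Guest only, 0 = classic (Windows 2000 behaviour).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa      = Get-ItemProperty -Path $lsaKey -Name forceguest -ErrorAction SilentlyContinue
$inDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

if ($lsa -eq $null) {
    $model = 'forceguest value not set'
} elseif ($lsa.forceguest -eq 1) {
    $model = 'ForceGuest on (Guest only)'
} else {
    $model = 'ForceGuest off (classic)'
}
"Domain member: $inDomain; sharing model: $model"

# 2. Ordinary disk shares (Type 0). Administrative shares such as C$ and
#    IPC$ report other Type values and are skipped.
$everyone = 'S-1-1-0'   # well-known SID of the Everyone group
$sidType  = [System.Security.Principal.SecurityIdentifier]

Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
    $share = $_
    # File permissions allowed to Everyone on the shared folder,
    # explicit and inherited, matched by SID so localized names work.
    $rights = @((Get-Acl -Path $share.Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $everyone -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights.ToString() })

    New-Object PSObject -Property @{
        Share          = $share.Name
        Path           = $share.Path
        DriveRoot      = ($share.Path -match '^[A-Za-z]:\\?$')
        OnSystemDrive  = ($share.Path -like "$env:SystemDrive*")
        EveryoneRights = ($rights -join '; ')
    }
} | Format-Table Share, Path, DriveRoot, OnSystemDrive, EveryoneRights -AutoSize
```

A row where DriveRoot and OnSystemDrive are both True is a share of the system drive root, the configuration the text recommends against.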


WindowsNetworking.com is in no way affiliated with Microsoft Corp.
Copyright © 2014, TechGenix Ltd. All rights reserved.