|Home||Download | Exchange Server | Feedback | Index | ISA-Server | Jokes | Terms of Service/Usage Policy | Windows Security | What's New | White Papers|
Windows XP Simple Sharing and ForceGuest
The "Microsoft Windows XP
Professional : Resource Kit Documentation" shows in
When a Windows XP Professionalbased computer is not joined to a domain, the simple sharing model is fundamentally different than the model used in previous versions of Windows. By default, all users logging on to such computers over the network are forced to use the Guest account; this is called ForceGuest.
How ForceGuest Works
On computers running Windows 95 and Windows 98 you can specify read-only and full-control share passwords: any user connecting to a share can enter the appropriate password and get the specified level of access. However, this share-level password model is insecure, because share passwords are passed in plaintext and can be intercepted by someone with physical access to the network.
On computers running Windows 2000 and not joined to a domain, identical user accounts with matching passwords must be created on two computers (to enable transparent sharing) or the user must type a user name and password when connecting. Windows 2000 also requires that you grant permissions to the user account on the computer hosting a share to the share and to the files and directories being shared or that you enable the Guest account. However, using the Guest account can cause broader than intended access to the share, because the Everyone group (which allows Guest access) is widely used in the default system permissions.
By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000based computers.
ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professionalbased computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professionalbased computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.
Sharing Files and Folders Using the Simple Sharing User Interface
To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.
On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.
By using the simple sharing UI you can create or remove a share and set permissions on the share. When simple sharing is in effect, appropriate permissions are automatically set on shared files and folders. The following permissions are added when you use the simple sharing UI:
When the Guest-only security model is used, the Sharing tab has only three options:
Sharing the Root Directory of a Drive
You can create a share at the root of the system drive, but simple sharing does not adjust the file permissions on such shares. On a share created at the root, the simple sharing UI is displayed in the property sheet, and Sharing is added to the shortcut menu on the system drive icon in Windows Explorer. There are two important reasons why it is recommended that you not share the root directory of the system drive: