
Secure XP WorkGroup NOT so Secure! Little Help Please.

Hi Gang: Sorry for the long post.

The XP workgroup I recently put together for my friend has a hole in it.  

After the great and all powerful 'Relder' pushed me in the right direction I got the trouble network running perfectly, or so I thought.

The problem now is security.  He wanted a work group that would simply stop his mischievous employees from having the power to delete files over the network, but still have the power to completely manipulate the files across the network.  He also did not want the girls to be able to create user accounts, or do anything in the device manager.

So, I thought it would be easy.  Here’s what I did in the 'Security Tabs' of the folders that needed to be shared, after removing 'Simple File Sharing' and setting 'Permissions' on the Sharing tab to full:

1) On the C:\ Drive of each workstation (which I did not share) I first manipulated the Security tab (under 'groups or user name') by creating/leaving the following groups: Administrators, System, Creator Owner, Power User (which I created with an extra permission (Write)). I removed the rest. (He does not want any other form of user.)

2) Next I went to the 'Advanced section', highlighted Power Users and ticked the "Replace permission entries on all child objects..." and clicked apply. (I watched as all the files underneath were reset.)

3) Next I made identical 'User' accounts on all three workstations (including identical passwords) and made them all 'Power Users'.

4) I finally set the proper shares on each workstation.

The Problem:

Everything seemed to work perfectly until my buddy showed me today how he could get into and 'Delete' all Gina’s files!  He simply logged onto his or any workstation and logged on as 'Gina'.  He then navigated his way over the network, entered her folder and deleted away!!!  Only her folder was vulnerable.  All other files on that computer were safe from his prodding.

All I could say was that the girls can NOT give away their passwords???

I sure must have screwed up somewhere.  

Please, what did I do wrong???  I've got the perfect restriction level for the employees (Read & Execute, List Folder Contents, Read, Write) but I guess I don't know how to properly impose it.

Also, are the 'System' and 'Creator Owner' groups absolutely necessary or should they be deleted out of the C:\  “Group or user names” list???

Thanks and sorry Rob to be such a pain!!!!!
I really tried hard to solve this on my own. I've got two great books ("Mastering Windows XP Pro 2nd ed & Windows XP Networking Inside Out") but both could not seem to answer my questions.
Asked: ChiroGeek

redmdcn Commented:
Your security hole will be filled by educating your users about keeping their passwords private.  I would advise having your users choose a new password, maybe something fairly complex (i.e. 8 or more characters, combination of numbers and letters, etc.) and teach them not to share it with each other.  I'm assuming you want your users to be able to add/change/delete the files they create.

On the configuration end it looks like everything is pretty tight.  The System and Creator/Owner users are built-in accounts and cannot be deleted (and are quite necessary for Windows to even function).

Getting users to understand why security is needed is sometimes very hard.  I wish you luck.

GrindCrusher Commented:
I agree totally with redmdcn.... just change the option under each user's profile to change password @ next login... Educate them about not giving out their passwords... I assume you also enabled auditing?

CleanupPing Commented:
ChiroGeek:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

juliancrawford Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: redmdcn {http:#8150690}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer