Secure XP WorkGroup NOT so Secure! Little Help Please.
Posted on 2003-03-16
Hi Gang: Sorry for the long post.
The XP workgroup I recently put together for my friend has a hole in it.
After the great and all powerful 'Relder' pushed me in the right direction I got the trouble network running perfectly, or so I thought.
The problem now is security. He wanted a workgroup that would simply stop his mischievous employees from having the power to delete files over the network, but still have the power to completely manipulate the files across the network. He also did not want the girls to be able to create user accounts, or do anything in the Device Manager.
So, I thought it would be easy. Here's what I did in the 'Security' tabs of the folders that needed to be shared, after removing 'Simple File Sharing' and setting 'Permissions' on the Sharing tab to full:
1) On the C:\ drive of each workstation (which I did not share) I first manipulated the Security tab (under 'Group or user names') by creating/leaving the following groups: Administrators, System, Creator Owner, Power User (which I created with an extra permission (Write)). I removed the rest. (He does not want any other form of user.)
2) Next I went to the 'Advanced' section, highlighted Power Users and ticked the "Replace permission entries on all child objects..." and clicked Apply. (I watched as all the files underneath were reset.)
3) Next I made identical 'User' accounts on all three workstations (including identical passwords) and made them all 'Power Users'.
4) I finally set the proper shares on each workstation.
Everything seemed to work perfectly until my buddy showed me today how he could get into and 'Delete' all Gina's files! He simply logged onto his or any workstation and logged on as 'Gina'. He then navigated his way over the network, entered her folder and deleted away!!! Only her folder was vulnerable. All other files on that computer were safe from his prodding.
All I could say was that the girls can NOT give away their passwords???
I sure must have screwed up somewhere.
Please, what did I do wrong??? I've got the perfect restriction level for the employees (Read & Execute, List Folder Contents, Read, Write) but I guess I don't know how to properly impose it.
Also, are the 'System' and 'Creator Owner' groups absolutely necessary or should they be deleted out of the C:\ "Group or user names" list???
Thanks and sorry Rob to be such a pain!!!!!
I really tried hard to solve this on my own. I've got two great books ("Mastering Windows XP Pro 2nd ed" & "Windows XP Networking Inside Out") but both could not seem to answer my questions.