ChiroGeek
asked on
Secure XP WorkGroup NOT so Secure! Little Help Please.
Hi Gang: Sorry for the long post.
The XP workgroup I recently put together for my friend has a hole in it.
After the great and all powerful 'Relder' pushed me in the right direction I got the trouble network running perfectly or so I thought.
The problem now is security. He wanted a work group that would simply stop his mischievous employees from having the power to delete files over the network, but still have the power completely manipulate the files across the network. He also did not want the girls to be able to create user account, or do anything in the device manager.
So, I thought it would be easy. Here’s what I did in the 'Security Tabs' of the folders that needed to be shared, after removing 'Simple file Sharing' and Setting 'Permissions' on the Sharing tab to full:
1) On the C:\ Drive of each workstation (Which I did not share)I first manipulated the security Tab(Under 'groups or user name') by creating/leaving the following groups: Administrators, System, Creator Owner, Power User (which I created with an extra permission (Write). I removed the rest. (He does not want any other form of user.)
2) Next I went to the 'Advanced section', hi-lighted Power Users and ticked the "Replace permission entries on all child objects..." and clicked apply. (I watched as all the files underneath were reset.)
3) Next I made identical 'User' accounts on all three workstations (including identical passwords) and made them all 'Power Users'.
4) I finally set the proper shares on each workstation.
The Problem:
Everything seemed to work perfect until my buddy showed me today how he could get into and 'Delete' all Gina’s files! He simply logged onto his or any workstation and log on as 'Gina'. He then navigated his way over the network, enter her folder and delete away!!! Only her folder was vulnerable. All other file on that computer were safe from his prodding.
All I could say was that the girls can NOT give away their passwords???
I sure must have screwed up somewhere.
Please, what did I do wrong??? I've got the perfect restriction level for the employees (Read & Execute, List Folder Contents, Read, Write) but I guess I don't know how to properly impose it.
Also, are the 'System' and 'Creator Owner' groups absolutely necessary or should they be deleted out of the C:\ “Group or user names” list???
Thanks and sorry Rob to be such a pain!!!!!
I really tried hard to solve this on my own. I've got two great books ("Mastering Windows XP Pro 2nd ed & Windows XP Networking Inside Out") but both could not seem to answer my questions.
The XP workgroup I recently put together for my friend has a hole in it.
After the great and all powerful 'Relder' pushed me in the right direction I got the trouble network running perfectly or so I thought.
The problem now is security. He wanted a work group that would simply stop his mischievous employees from having the power to delete files over the network, but still have the power completely manipulate the files across the network. He also did not want the girls to be able to create user account, or do anything in the device manager.
So, I thought it would be easy. Here’s what I did in the 'Security Tabs' of the folders that needed to be shared, after removing 'Simple file Sharing' and Setting 'Permissions' on the Sharing tab to full:
1) On the C:\ Drive of each workstation (Which I did not share)I first manipulated the security Tab(Under 'groups or user name') by creating/leaving the following groups: Administrators, System, Creator Owner, Power User (which I created with an extra permission (Write). I removed the rest. (He does not want any other form of user.)
2) Next I went to the 'Advanced section', hi-lighted Power Users and ticked the "Replace permission entries on all child objects..." and clicked apply. (I watched as all the files underneath were reset.)
3) Next I made identical 'User' accounts on all three workstations (including identical passwords) and made them all 'Power Users'.
4) I finally set the proper shares on each workstation.
The Problem:
Everything seemed to work perfect until my buddy showed me today how he could get into and 'Delete' all Gina’s files! He simply logged onto his or any workstation and log on as 'Gina'. He then navigated his way over the network, enter her folder and delete away!!! Only her folder was vulnerable. All other file on that computer were safe from his prodding.
All I could say was that the girls can NOT give away their passwords???
I sure must have screwed up somewhere.
Please, what did I do wrong??? I've got the perfect restriction level for the employees (Read & Execute, List Folder Contents, Read, Write) but I guess I don't know how to properly impose it.
Also, are the 'System' and 'Creator Owner' groups absolutely necessary or should they be deleted out of the C:\ “Group or user names” list???
Thanks and sorry Rob to be such a pain!!!!!
I really tried hard to solve this on my own. I've got two great books ("Mastering Windows XP Pro 2nd ed & Windows XP Networking Inside Out") but both could not seem to answer my questions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I agree totaly with redmdcn.... just change the option under each users profile to change password @ next login...Educate them about not giving out thier passwords... I assume you also enabled auditing ?
ChiroGeek:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: redmdcn {http:#8150690}
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
Julian Crawford
EE Cleanup Volunteer
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: redmdcn {http:#8150690}
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
Julian Crawford
EE Cleanup Volunteer