Secure XP WorkGroup NOT so Secure!  Little Help Please.

Posted on 2003-03-16
Medium Priority
Last Modified: 2007-12-19
Hi Gang: Sorry for the long post.

The XP workgroup I recently put together for my friend has a hole in it.  

After the great and all powerful 'Relder' pushed me in the right direction I got the trouble network running perfectly, or so I thought.

The problem now is security.  He wanted a work group that would simply stop his mischievous employees from having the power to delete files over the network, but still have the power to completely manipulate the files across the network.  He also did not want the girls to be able to create user accounts, or do anything in the device manager.

So, I thought it would be easy.  Here’s what I did in the 'Security Tabs' of the folders that needed to be shared, after removing 'Simple file Sharing' and Setting 'Permissions' on the Sharing tab to full:

1) On the C:\ Drive of each workstation (which I did not share) I first manipulated the Security tab (under 'groups or user name') by creating/leaving the following groups: Administrators, System, Creator Owner, Power User (which I created with an extra permission (Write)). I removed the rest. (He does not want any other form of user.)

2) Next I went to the 'Advanced section', highlighted Power Users and ticked the "Replace permission entries on all child objects..." and clicked apply. (I watched as all the files underneath were reset.)

3) Next I made identical 'User' accounts on all three workstations (including identical passwords) and made them all 'Power Users'.

4) I finally set the proper shares on each workstation.

The Problem:

Everything seemed to work perfectly until my buddy showed me today how he could get into and 'Delete' all Gina’s files!  He simply logged onto his or any workstation and logged on as 'Gina'.  He then navigated his way over the network, entered her folder and deleted away!!!  Only her folder was vulnerable.  All other files on that computer were safe from his prodding.

All I could say was that the girls can NOT give away their passwords???

I sure must have screwed up somewhere.  

Please, what did I do wrong???  I've got the perfect restriction level for the employees (Read & Execute, List Folder Contents, Read, Write) but I guess I don't know how to properly impose it.

Also, are the 'System' and 'Creator Owner' groups absolutely necessary or should they be deleted out of the C:\  “Group or user names” list???

Thanks and sorry Rob to be such a pain!!!!!
I really tried hard to solve this on my own. I've got two great books ("Mastering Windows XP Pro 2nd ed & Windows XP Networking Inside Out") but both could not seem to answer my questions.
Question by:ChiroGeek

Accepted Solution

redmdcn earned 740 total points
ID: 8150690
Your security hole will be filled by educating your users about keeping their passwords private.  I would advise having your users choose a new password, maybe something fairly complex (i.e. 8 or more characters, combination of numbers and letters, etc.) and teach them not to share it with each other.  I'm assuming you want your users to be able to add/change/delete the files they create.

On the configuration end it looks like everything is pretty tight.  The System and Creator/Owner users are built-in accounts and cannot be deleted (and are quite necessary for Windows to even function).

Getting users to understand why security is needed is sometimes very hard.  I wish you luck.
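
The question asks that the employee accounts be unable to delete files and whether the Creator Owner entry is needed. As an added example (not part of the thread), this PowerShell function lists which Allow entries on a folder actually carry delete rights. It assumes PowerShell is installed on the workstation; the path `C:\Shared` and the function name `Get-DeleteCapableAce` are hypothetical.

```powershell
# Added example (not from the thread): list the Allow entries on a folder
# that permit deletion. 'C:\Shared' below is a hypothetical path.

# Rights that let a principal delete: Delete on the object itself, or
# DeleteSubdirectoriesAndFiles ("delete child") on the containing folder.
# Modify and FullControl include these bits, so they match as well.
$DeleteBits = [int]([System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

# Inherit-only entries (typical for CREATOR OWNER) can be stored as the raw
# GENERIC_ALL access mask, which the FileSystemRights enum has no name for.
$GenericAll = 0x10000000

function Get-DeleteCapableAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.FileSystemRights
        if (($mask -band $DeleteBits) -or ($mask -band $GenericAll)) {
            # InheritOnly entries do not apply to the folder itself, only to
            # the files and subfolders created beneath it.
            $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
            New-Object PSObject -Property @{
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                AppliesTo   = $ace.InheritanceFlags
                InheritOnly = (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0)
            }
        }
    }
}

Get-DeleteCapableAce -Path 'C:\Shared' | Format-Table -AutoSize
```

An Allow entry for CREATOR OWNER in the output applies to whichever account created a given file, so it is worth reading alongside the Power Users entry when checking who can delete what.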

Expert Comment

ID: 8154420
I agree totally with redmdcn.... just change the option under each user's profile to change password @ next login... Educate them about not giving out their passwords... I assume you also enabled auditing?

Expert Comment

ID: 9153067
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Expert Comment

ID: 10085093
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: redmdcn {http:#8150690}

Please leave any comments here within the next seven days.

Julian Crawford
EE Cleanup Volunteer
