Windows 7 Permission Based Networking for small business

Customer has a small permission-based XP workgroup consisting of 4 PCs, NASs & NAPs. They have upgraded to Windows 7 & want as much security as reasonable/possible. In XP, we disabled the switch user option, enabled the ctrl+alt+del logon sequence, lockout policies, enforced complex passwords, etc. We have figured out how to do this in Windows 7 w/o being connected to a domain but want experts to advise how to set up the network, since Windows 7 has created different networking arrangements. In addition, I have *not* located how to remove the auto username population (e.g. I need the username/password to be manually filled in by the user as I did in XP). I am pretty sure that out of the 3 Windows 7 sharing options (Public folder sharing, individual folder sharing, and homegroups) the most secure would be individual folder sharing. How do you recommend using Encrypting File System (EFS)? Lastly, I cannot find out where to turn off simple file sharing, if that is even an option, & if it's recommended. In XP it obviously was.
Asked by Blue Street Tech (Last Knight)
John (Business Consultant, Owner) commented:
"I need the username/password to be manually filled in by the user as I did in XP). "

Try: Start -> Run control userpasswords2   Then in Advanced Tab, check Require users to press Ctrl Alt Del to login. Once done, the userid field must be manually filled in (along with password).

For networking, I use Home and Work and not Public. In Home and Work, at the bottom, you want to check the setting that requires userid and password authentication.
... Thinkpads_User
centerv commented:
There is no simple file sharing in Win 7; the best you can do is turn off the Sharing Wizard under Folder Options / View and set the network to Work. You may want to assign IPs.
You can leave public sharing on and drag any folder you want to share to it.

I don't think there's a Ctrl Alt Del to logon in Win 7, but give it a try.
Should you not be successful, the GPO has an option to set to classic logon,
but I know this reg key works:
DWORD HideFastUserSwitching set to 1
Hope this helps you.
John (Business Consultant, Owner) commented:
@centerv - The steps I outline give a Ctrl Alt Del logon in Windows 7 (Win 7 Pro at least). I use it every day. And it performs (leaves fields blank) just as the asker requested. No registry entries required at all.
... Thinkpads_User
centerv commented:
Hi thinkpads_user,
I stand partially corrected. Start -> Run control userpasswords2 does not work, which started me on the quest of the regfix. The command should be Start -> Run netplwiz in Win 7.
I should also add that with the regfix the welcome screen hides all users in multi-user accounts, leaving the welcome screen ready to log on. Matter of preference.

The GPO setting is as follows:
Computer Config\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name = Enabled

Sorry for the confusion.

John (Business Consultant, Owner) commented:
Interesting. Start -> Run netplwiz brings up exactly the same screen as control userpasswords2 on my Windows 7 machine. So the end result using this screen should then be the same. And I do not see the username either.

I wonder if that is a Pro thing or if it is a User Account Control (UAC) thing. I run Pro and normally keep UAC disabled (not a good thing for everyday users). ... Thinkpads_User
centerv commented:
I'm using Pro, clean install, UAC on. Maybe a Vista upgrade or you're in a domain setting?
Looking at this link I found the winkey option goes nowhere for me.
John (Business Consultant, Owner) commented:
Seems it must be UAC then. We both are using Pro. I did a clean install, not upgrade (new hard drive) and I am not on a domain. Both the command from your post and the one from my post work on my machine and produce the same result. The only difference I can see is UAC. ... Thinkpads_User
John (Business Consultant, Owner) commented:
Hmm. I load the Admin Tools for Windows 7 from Microsoft (RSAT). I wonder if that is a difference?
... Thinkpads_User
centerv commented:
Nope. Just tried. Don't want to beat it to death, but no idea other than when I searched there was a lot on it, certainly not unique. Guess we'll find out in time.
Always great to have these new OSs :-)
> Admin Tools for Windows 7 from Microsoft (RSAT).
I would bet on that, as that option is not an issue in domains.
Blue Street Tech (Last Knight), author, commented:
@IanTh: thank you but this does not answer my question - it shows how to setup permission-less, unsecure network.

@thinkpads_user: thank you for your comments! I already established the CTRL+ALT+DEL logon sequence as stated in the intro; however, the problem I am facing is that it still provides me with all the available users rather than just displaying a user box with a password box below it. Any ideas?
 @centerv: thank you for your comments! I did assign dedicated IPs to all devices. RE: GPO mod – “Do not display last user name: enabled”…I tried that & it did provide a dialog box for the username as I desired however, I wanted this to function the way it did in XP where it provides both username & password w/dialogue boxes but does remember the last user name. Any ideas?
It seems there are two ways to enable CTRL+ALT+DEL:
1.     Start >> Run netplwiz. Advanced tab >> check “require users to press CTRL+ALT+DEL”; and
2.     GPO >> computer configuration >> windows settings >> security settings >> local policies >> security options >> interactive logon: Do not require CTRL+ALT+DEL disabled.
They seem to work independently of each other and I do not understand why, nor the difference between them. By working independently, I mean that using method #1 does not disable method #2, which would be the correct assumption if they were a connected service.
Blue Street Tech (Last Knight), author, commented:
FYI: (3) Win 7 Pro; (1) Win 7 Ultimate.
RE: permission-based sharing. There are specific shared resources (directories) that certain people should not have access to but need other sharing privileges & vice versa. In XP we used a workaround to fool the OS into achieving this by placing every user on each machine. This way when we setup sharing permissions we could grant only specific user & define privileges accordingly. Can this be done in the same fashion in Win7?
RE: EFS - Do you recommend using Encrypting File System (EFS)?  
Are there any other recommendations you have to creating a more secure environment?
John (Business Consultant, Owner) commented:
@diverseit - I tested the command I supplied (control userpasswords2) and the one centerv supplied (netplwiz) and they both led to the same screen. When I logon, I must press Ctrl Alt Del and I get logon entry boxes with no users listed. I added some other users to test this. I use the Classic Windows appearance, and that may well play into this. Try the Windows Classic appearance. I do know I am not seeing any list of users.

With respect to file sharing and your first post, go to Folder Options (Control Panel or Windows Explorer) and turn off (uncheck) Use Sharing Wizard.

Combine the above with ensuring that userid and password authentication be required (my first post) and file sharing should have the same security properties as any other NTFS system. You would have to provide a user on each system (otherwise they have to log on as the user owner (administrator), but then they would only be able to access the folders they were authorized to. I would use the Map Network Drive function in Explorer to access folders as browsing may be less effective. Securing folders works best with full mapped drives (\\pcname\foldername) in my opinion.

I never fooled around with XP Pro, so I don't know what you mean there, but I would observe that Windows 7 is entirely different than XP and does not emulate it.

I have a hard drive with built-in encryption and do not use it, and I don't use encrypting file systems. The risk of losing data (forgotten credentials) outweighs any benefit in my opinion.

... Thinkpads_User
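The workgroup sharing pattern John describes above (an account for every user on the machine that hosts the share, password-protected sharing kept on, the Sharing Wizard turned off, and per-user control done with NTFS permissions behind the share), written out as a PowerShell script. This is an added example, not code from the thread; the account names, placeholder passwords, share name and folder path are invented for illustration. It targets Windows 7, where the SmbShare cmdlets do not exist, so it drives net.exe and icacls.exe directly and must run from an elevated prompt.

```powershell
# Added example (not from the thread): per-user share permissions in a Windows 7 workgroup.
# Assumptions: names/passwords/paths below are placeholders; the same user names with the
# same passwords are created on the client PCs so pass-through authentication works without a domain.

$shareName = 'Accounting'
$folder    = 'D:\Shares\Accounting'
$readers   = @('alice')       # may read only
$editors   = @('bob')         # may read and write

# 1. Local accounts for everyone who must reach this share. A user who never logs on at this
#    PC still needs an account here, otherwise there is nothing to grant permissions to.
net user alice 'Replace-Me-alice-1!' /add /expires:never
net user bob   'Replace-Me-bob-1!'   /add /expires:never

# 2. Keep "password protected sharing" on: it is the Guest account that turns it off.
net user Guest /active:no

# 3. Turn off the Sharing Wizard (Folder Options > View) so Explorer shows the full
#    Share Permissions and Security tabs instead of the simplified picker. Per-user setting.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name 'SharingWizardOn' -Value 0 -Type DWord

# 4. Create the folder and share it. The share-level permission is deliberately broad
#    (local Users, which contains Authenticated Users by default, gets Change); the real
#    per-user decision is made by the NTFS ACL, and the effective access is the more restrictive of the two.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
net share "$shareName=$folder" /grant:Users,CHANGE

# 5. Replace the inherited NTFS ACL with explicit entries only: administrators and SYSTEM keep
#    full control, readers get Read+Execute, editors get Modify, nobody else is listed.
icacls $folder /inheritance:r
icacls $folder /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $folder /grant:r 'SYSTEM:(OI)(CI)F'
foreach ($u in $readers) { icacls $folder /grant:r "${u}:(OI)(CI)RX" }
foreach ($u in $editors) { icacls $folder /grant:r "${u}:(OI)(CI)M" }

# 6. Verify: print the resulting ACL and the share definition.
icacls $folder
net share $shareName
```

On each client PC, map the share explicitly (\\pcname\Accounting) as John suggests; because the client user name and password match an account on the host, Windows authenticates silently and the NTFS entries decide what that user can do. Granting at the share with a group and restricting with the NTFS ACL keeps one place to audit.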
John (Business Consultant, Owner) commented:
More on user logons.

I found a document I created when I did this some months ago.

To review, in netplwiz, Advanced Tab, check Require Users to press Ctrl Alt Del.

Now (new) in Admin Tools -> Local Security Policy -> Local Policies -> Security Options and then in Interactive logon -> Do Not Display Last User Name.

I should have seen this earlier. ... Thinkpads_User
Blue Street Tech (Last Knight), author, commented:
Well, I'm stuck. I did try Windows Classic... nothing changed at logon. The GPO option to set to always use classic logon did nothing either.
Am I missing something?
In order to specify user access to a share, I will need to include that user on the machine even if the user will never actually log on, correct?
Blue Street Tech (Last Knight), author, commented:
RE: More on user logons.
They (GPO & netplwiz methods) seem to work independently of each other and I do not understand why, nor the difference between them. By working independently, I mean that using the netplwiz method does not disable the GPO method, which would be the correct assumption if they were a connected service.
John (Business Consultant, Owner) commented:
" i will need to include that user on the machine even if the user will never actually logon correct?"

Yes, as has been the case for me in prior operating systems. Without this, you cannot really do granular folder-based permissions over a small workgroup (at least so far as I know).

"More on user logons"

I think the policy to enforce Ctrl Alt Del is independent of the logins. At least that is the way I see it and use Windows 7.

I have the following variables in Interactive Logon (Security Policy):
Display user information when session is locked: Not defined. Not set by me
Do not display last user name: Enabled. Set by me
Do not require Ctrl Alt Del: Not defined. Not set by me, but seem to relate to the first part (netplwiz)

All the remaining Interactive Logon variables are Windows 7 default and I am not on a domain.

I don't think Windows Classic affects this. This was an unfortunate red herring on my part. I do think the two specific things I pointed to result in no userids in a Ctrl Alt Del logon. Why? I set this machine up twice: once to test and generally hammer away at; and once for live production. This particular method worked in both builds.

... Thinkpads_User
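The logon hardening discussed across this thread (Ctrl+Alt+Del required, last user name not displayed, Switch User hidden) plus the lockout and password-complexity settings from the question, as one PowerShell script that writes the settings and reads them back. This is an added example, not from the thread. The registry values DisableCAD and DontDisplayLastUserName are the ones that back the two Local Security Policy options named above; HideFastUserSwitching is centerv's regfix, and since the post does not give its path, the location under Policies\System is my assumption (it is the same key as the other two). To my knowledge the netplwiz checkbox writes the same DisableCAD value, which is why both methods in the thread produce the same screen. Run from an elevated PowerShell 2.0 prompt and log off afterwards.

```powershell
# Added example (not from the thread): interactive-logon and account-policy hardening for a
# Windows 7 workgroup PC. Assumption: the value names/path below back the policies named in the thread.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$wanted = @{
    'DisableCAD'              = 0   # 0 -> "Do not require CTRL+ALT+DEL" = Disabled (users must press it)
    'DontDisplayLastUserName' = 1   # 1 -> "Do not display last user name" = Enabled (blank user name box)
    'HideFastUserSwitching'   = 1   # 1 -> no Switch User entry (centerv's regfix)
}

foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord -Value $wanted[$name] -Force | Out-Null
}

# Lockout after 5 bad passwords, 30-minute lockout, 12-character minimum (values are a starting point).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:12

# Password complexity has no net.exe switch; apply it through a security template with secedit.
$inf = Join-Path $env:TEMP 'complexity.inf'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'complexity.sdb') /cfg $inf /areas SECURITYPOLICY | Out-Null

# Verify the registry half: read each value back and flag any mismatch.
$current = Get-ItemProperty -Path $policyKey
$allOk = $true
foreach ($name in $wanted.Keys) {
    $actual = $current.$name
    if ($actual -ne $wanted[$name]) {
        Write-Warning "$name is '$actual', expected $($wanted[$name])"
        $allOk = $false
    } else {
        Write-Host "$name = $actual (ok)"
    }
}
# Verify the account-policy half (lockout threshold, minimum length, complexity all print here).
net accounts
if ($allOk) { Write-Host 'Logon settings applied; log off to see the Ctrl+Alt+Del prompt with blank fields.' }
```

After a logoff, Local Security Policy should show "Do not require CTRL+ALT+DEL: Disabled" and "Do not display last user name: Enabled", matching John's list above. As John and centerv found, Windows 7 offers either the user tiles or completely blank fields; there is no setting that keeps the XP behaviour of pre-filling the last user name in a text box.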
centerv commented:
> Any ideas?

Yes, use the regfix I outlined for you if this is what you want for a screen logon regardless of the number of users.
John (Business Consultant, Owner) commented:
@diverseit - See what happens with centerv's idea. I never had to make a registry fix on my system, and my login screen looks exactly like the above post. ... Thinkpads_User
centerv commented:
BTW, there's enough difference between Win 7 and XP that you may want to clear your head of Win XP.
> RE: EFS - Do you recommend using Encrypting File System (EFS)?
I don't think it matters much overall IMO if you have limited accounts, but it depends on what the company needs are.
I'm in the process of setting up a 3-user workgroup for a small business, much as you have outlined.
All run on a limited account. I have my own user Admin account with my password so I don't need to enable the system Admin when I need to use it, as well as having diagnostic tools etc. not available to others.
When required in a limited account, the UAC asks for the admin account password. The owner needs to make changes he sees fit on his machine, but I did not want him to have my password, so therefore on his PC I created an admin account for him just for the sake of giving him his own password.
He never needs to get into his admin account.
With that logon screen hiding the users, all's well for everyone.
PS: There are no Power Users in Win 7, although you can give permission to limited users with the GPO.
Also, one needs to address the customer's needs and computer proficiency.
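Both replies above decline to recommend EFS because of the "forgotten credentials" risk. If the customer uses it anyway, the mitigation is to back up the user's EFS certificate and private key before the first file is encrypted, because an administrator resetting a local account's password (as opposed to the user changing it), a reinstall, or a failed disk otherwise leaves the files permanently unreadable. The following PowerShell is an added example, not from the thread; the folder, backup path and test file are invented, and it runs as the user who will own the files (no elevation needed).

```powershell
# Added example (not from the thread): EFS on a folder with the key backup that addresses
# the data-loss concern raised above. Paths and the test file are placeholders.

$target = Join-Path $env:USERPROFILE 'Documents\Confidential'
$backup = "E:\efs-keys\$env:USERNAME-efs"   # cipher appends .pfx; keep this media off the PC

New-Item -ItemType Directory -Path $target -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
'constructed test content' | Set-Content -Path (Join-Path $target 'note.txt')

# Mark the folder as encrypted and encrypt what is already in it (/s recurses into subfolders).
# New files created in the folder from now on are encrypted automatically.
cipher /e /s:$target

# Export this user's EFS certificate and private key to a password-protected PFX.
# cipher prompts for the password interactively; store the PFX and password separately.
cipher /x $backup

# Check the result: entries flagged E are encrypted, and /c lists the certificate
# thumbprint(s) able to decrypt the file, which should be this user's only.
cipher $target
cipher /c (Join-Path $target 'note.txt')
```

If the customer wants a recovery path that does not depend on each user, `cipher /r:<basename>` generates a data recovery agent certificate that can then be designated in Local Security Policy under Public Key Policies; the generated private key needs the same offline handling as the per-user backup.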
Blue Street Tech (Last Knight), author, commented:
Maybe what I want cannot happen.
I want that screenshot above in thread http://32088268, except I want the last user name to display (as XP did or as it does in a domain environment); however, the only way I have seen to do this is by enabling the Do Not Display Last User Name configuration.
The fact that I can get it to at least provide a username dialogue box is great. I am just wondering if there is a way to achieve my goal or not. If not I will call it a day.
John (Business Consultant, Owner) commented:
@diverseit - As you note, XP would leave the last user name to display. I did not always like that because users did not always remember to put their own userid back after I had serviced their computer.

So (certainly not because of me) starting with Vista, you have either the Switch type of menu listing all users, or no last name at all. This continues with Windows 7 and so the picture above (no userid) is definitely how Windows 7 works. It is not XP as I noted earlier.

The rest of the folder permission stuff, you can make that work similar to XP and any other NTFS windows system and it will be quite secure. .... Thinkpads_User
centerv commented:
> the last user name to display
The only way you get that is if 1) there's only one user account, Guest off, and Administrator off; 2) if there is more than one user, hide the accounts, but that makes them inactive and unable to log on.
I've looked high and low to find an option as you describe but no joy.
At least on my machine :-)
Blue Street Tech (Last Knight), author, commented:
Thank you both. Solution worked as suggested! Thank you again for all the follow through.
John (Business Consultant, Owner) commented:
Thank you, and you are most welcome. Good luck proceeding with Windows 7. ... Thinkpads_User
centerv commented:
Glad to help and best of luck. Pleasure collaborating with you.