Re: Tweaking security on XP Pro machine

Wowbagger wrote:
My XP Pro sp2 machine is doing double duty as a file server for a
small workgroup. No domains are involved. I have created a local
user that is used when I map the shared drive from the other machines
but have two questions:

1. How can I prevent anybody from using this username/password to log
on locally

2. From time to time I'd like to be able to change/reset the
password. When I try to do so I get the message indicating that if I
change the password all of the EFS files will forever be locked, etc
- how can I relax the security settings to allow the admin (me) to
reset/change the password at will and not create any of those issues?

Thanks

1) You would be better security wise to have a different user account for
each user with a strong password. Using XP for a "server" you would then
need to create the same accounts and passwords on the server. Next create a
security group on the server (e.g. Network Users) then add all the accounts
to the group. Then only allow the "Network Users" group to access the
shares. Do not add individual user accounts to the share permissions or NTFS
permissions. This allows you to add/remove users easily from accessing the
share by adding/removing them from the group. You can then setup groups for
special access (e.g Accounting, Temp Users, etc.) It is more administrative
overhead but this is one of the pitfalls of peer to peer networking. To
prevent users from logging on to the server, the server should have
restricted physical access. If this can't be done you can edit the local
policy to deny logon for the Network Users group. Be careful not to include
the administrator account in the group denied local logon.

2) EFS is almost impossible to administer in a workgroup. I recommend you
use the local policy on each computer to disable it. Then if a particular
user wants to use it they will have to ask about it and can be warned about
the possibilities of data loss etc.

--
Kerry
MS-MVP Windows - Shell/User
www.VistaHelp.ca


.

Relevant Pages

  • Re: Win2k8 in a workgroup - share permissions
    ... A friend bought a Windows 2008 server to start a small business. ... It is the only server and it is in a Workgroup. ... I put all 3 user accounts in this group called Financial Admins ...
    (microsoft.public.windows.server.security)
  • Re: Win2k8 in a workgroup - share permissions
    ... A friend bought a Windows 2008 server to start a small business. ... It is the only server and it is in a Workgroup. ... I put all 3 user accounts in this group called Financial Admins ...
    (microsoft.public.windows.server.security)
  • Re: Can user change their password with remote login?
    ... you have created 30 local user accounts on your workgroup, ... Accounts in workgroup are machine specific, ... use them to physically login to particular machine. ... Given that you are using Windows 2003 Server, why not using its full power, ...
    (microsoft.public.windows.server.general)
  • Re: Using a Group Policy in an XP Workgroup
    ... >I have a small office network all on XP Pro and all in the same Workgroup. ... > do not run Active Server Directory and do not operate a Domain. ... > whomever is logged on to the PC will have access to the folders. ... you will need matching accounts on all PCs for all users ...
    (microsoft.public.windowsxp.security_admin)
  • Re: copying *LOCAL* accounts from/to different PCs running Win2000 ser
    ... What I usually did is I used tools such as LC to crack user's ... We are upgrading our office's local server with a brand new ... network users to access/share documents. ... Is there any chance to COPY accounts from OLD machine to the NEW (without ...
    (microsoft.public.windows.server.setup)
Loading