User Accounts Overview

Every user account on a Windows 2000 machine is part of a local user group on
that computer. A user group is a set of users who have a certain amount of
control over the Windows 2000 computer. The four primary user groups are
Administrators, Power Users, Users, and Guests. As tech support representative,
you will have Administrator rights to all computers in your unit. Faculty and staff
accounts are always set to Power Users.

Administrators

Members of the Administrator group have total control over the computer and
everything on it. The user named Administrator is the default account within this
group. The domain account of each faculty or staff member with a Windows 2000
computer is part of the Administrator group on his or her computer.

Administrators Can:

• Create, modify, and access local user accounts

• Install new hardware and software
• Upgrade the operating system
• Back up the system and files
• Claim ownership of files that have become damaged
• Do anything a Power User can

Power Users

The Power User class can perform any task except for those reserved for
Administrators. They are allowed to carry out functions that will not directly affect
the operating system or risk security. All domain accounts are part of the Power
Users group on public Windows 2000 computers.

Power Users Can:

• Create local user accounts

• Modify user accounts which they have created
• Change user permissions on users, power users, and guests
• Install and run applications that do not affect the operating system
• Customize settings and resources on the Control Panel, such as Printers,
Date/Time, and Power Options
• Do anything a User can
• Power Users Cannot:
• Access other users' data without permission
• Delete or modify user accounts they did not create

Users

Users can perform common tasks, but have little power to affect the computer
outside of their own account. The Users group is the most secure environment in
which to run programs, since a User cannot affect the operating system or
program files.

Users Can:

• Create, modify, and delete their own data files

 • Run system-wide or personally installed applications
• Change their personal settings
• Install programs for their own use only
• Access the network
• Print to local or networked printers
• Do anything a Guest can
• Users Cannot:
• Modify system-wide settings, operating system files, or program files
• Affect other users' data or desktop settings
• Install applications that can be run by other users
• Add printers
• Configure the system for file sharing

Guests

The Guests group grants limited access to occasional or one-time users. Once a
Guest logs out, all files created by the guest is deleted.

Guests Can:

• Log in and out

• Run installed applications
• Navigate through the file system
• Shut down the system

Guests Cannot:

• Do anything else.

How to Add Account

1. Right click My Computer

2. Select Manage
3. Expand Local Users and Groups
4. Right click Users
5. Select New User...
6. Type in required information
7. Click Create

To change membership of the user

1. Right click user name

2. Select Properties
3. Select Member Of
4. Add groups as desired
5. Click OK
How to Reset the Password

To reset password for your account

1. Log onto the system where you want to change the password.
2. Press Ctrl-Alt-Del to bring up the Windows Security dialogue box.
3. Click the "Change Password..." button (bottom left in that window).
4. Verify the correct Username in the first field.
5. Verify the account (whether a Domain account, or local computer account)
in the second field.
6. Enter the old (current) password for the account in the third field.
7. Enter in the new password (to use from now on) in the fourth field, and
again in the fifth to help rule out typing errors.
8. Click OK to finish and change the password.
9. Click OK to acknowledge the message that the password was changed.
10. Press the Esc button, or click Cancel to return to the Windows 2000
desktop.

To reset password for any account

1. Right click My Computer

2. Select Manage
3. Expand Local Users and Groups
4. Select Users
5. Right click user's account in the right pane.
6. Select set Password
7. Type in new password, confirm password
8. Click OK

Passwords

Passwords are used to protect computer systems and the data that they contain.
A computer user may use several passwords to protect several different aspects
of his or her computer. Access to a network, e-mail access, Internet access,
database access, and even access to the computer itself may be controlled by a
password. Therefore, it is not surprising that all of these passwords may cause
some confusion.

When a password fails to work, it is important to first be sure that the password
has been entered proper correctly. Passwords are usually, but not always entered
in all lower case letters, and may contain numbers as well. The two most common
causes for password failure are accidental activation of the keyboard’s Caps Lock
(Capital Lock) function and deactivation of the Num Lock (Number Lock) function
for the numeric keypad. Indicator lights on the keyboard, usually in the upper
right corner, indicate the status of these functions. When the light is on, the
function is active. Another common cause of password failure is the use of the
wrong password. More than one password may be used on a computer to protect
multiple applications. It is important to be sure that the password being used is
the right one for the application in question.

Passwords are intended to protect your information. Posting passwords in an

obvious place, such as on the computer’s monitor compromises the your
computer’s security. Passwords should be written down and kept hidden in a safe
place.

Good passwords contain both upper and lower case letters, as well as a special
character (such as # or ; or -), and numbers.

Some simple guidelines that will help you choose better passwords are:

• A password should be a minimum of eight characters long.

• Try to include some form of punctuation or digit.
• Use mixed case passwords if possible.
• Choose a phrase or a combination of words, that make the password
easier to remember.
• Do not use a word that can be found in any dictionary (including foreign
language dictionaries).
• Do not use a keyboard pattern such as qwertyui or oeuidhtn (look at a
Dvorak keyboard).
• Do not repeat any character more than once in a row like zzzzzzzz.
• Do not use all punctuation, all digit or all alphabetic.
• Do not use things that can be easily determined such as:
o Phone numbers.
o Car registration.
o Friends' or relatives' names.
o Your name or employment details.
o Any Date.
• Never use your account name as its password.
• Use different passwords for each machine.
• Change the password regularly and do not reuse passwords.
• Do not append or prepend a digit or punctuation mark to a word.
• Do not reverse words.
• Do not replace letters with similar looking numbers. For instance, all of the
letters i should not be blindly replaced replaced by the digit 1.

Under Windows 2000, multiple accounts may exist. Each account should have a
password that allows access to the Windows operating system in that account.
File Permission

Introduction

The concept of a network of computers is not new or revolutionary. Servers, typically kept in
locked rooms, store the company resources (folders, files, documents, spreadsheets, etc).
These servers are locked behind closed doors so that the only access that employees have to
the resources is over the network. So, one level of security for protecting the resource is the
physical security that is provided by not allowing employees direct access to the hardware upon
which the resource is located.

In order for employees to access the resources stored on the servers, the server must be
configured to allow the employees to access the resources over the network. For a Windows
environment, this is done through shared folders. When a folder is shared it becomes available
over the network so that all users on the network can see the shared folder name, as shown in
Figure 1.

Figure 1: Listing of shared folders available on a server over the network

In order to protect the resources that are made available through shared folders, administrators
must configure “permissions” for the folders and files that are made available over the network.
There are two types of permissions that can be configured on shared folders: share and NTFS.
We are going to focus on the share permissions, discussing some pitfalls that are exposed when
you use them, as well as some recommended methods to successfully configure permissions for
shared folders.

A Tale of Two Permissions

To make sure that I am clear about my description of the permissions available on a shared
folder, I wanted to start off by describing the two different permissions that can be configured
on each shared folder. The two permissions are: share and NTFS.
NTFS Permission

NTFS permissions are an attribute of the folder or file for which they are configured. The NTFS
permissions include both standard and special levels of settings. The standard settings are
combinations of the special permissions, making the configuration more efficient and easier to
establish. These permissions include the following, as shown in Figure 2:

§ Full Control
§ Modify
§ Read & Execute
§ List Folder Contents
§ Read
§ Write

Figure 2: NTFS standard permissions for a folder

There are 14 special permissions for folders, which include detailed control over creating,
modifying, reading, and deleting subfolders and files contained within the folder where the
permissions are established.

NTFS permissions are associated with the object, so the permissions are always connected with
the object during a rename, move, or archive of the object.

When you check the permissions on an NTFS folder, you see a double set of permissions. The
first set in parentheses refers to the directory itself and the second set of parentheses refer to
the contents of the directory (but not to contents in any subdirectories).

Permission Directory Directory Contents

(RX)
List (not specified)
Read and traverse directory

(RX)
(RX)
Read View data files and run applications
Read and traverse directory
in directory

(WX)
(not specified) cannot read or
Add Traverse directory, add files and
change contents
subdirectories to directory
 (RWX)
(RX)
Add & Read and traverse directory, add
View data files and run applications
Read files and subdirectories to
in directory
directory

(RWXD) (RWXD)
Change Add, read, execute, modify, and Add, read, execute, modify, and
delete directory delete directory contents

(RWXDPO)
(RWXDPO)
Take ownership, change
Full Take ownership, change
permissions, add, read, execute,
Control permissions, add, read, execute,
modify, and delete directory
modify, and delete directory
contents

() ()
No Access
No access to directory No access to directory conte nts

There is also Special Directory Access and Special File Access. Special Access allows you pick
which combination of Read, Write, Execute, Delete, Change Permission and Take Ownership

NTFS permissions for files include Read, Change, Full Control, Special Access and No Access.
Special access for files includes read, write, execute, delete, change permission and take
ownership.

Share permissions

Share permissions are only associated with the folder that is being shared. For example, if there
are 5 subfolders below the folder that is shared, only the initial shared folder can have share
permissions configured on it. NTFS permissions can be established on every file and folder
within the data storage structure, even if a folder is not shared.

Share permissions are configured on the Sharing tab of the shared folder. On this tab, you will
have a Permissions button, which exposes the share permissions when selected, as shown in
Figure 3.

Figure 3: Share permissions on a shared folder

As you can see, the share permissions standard list of options is not as robust as the NTFS
permissions. The share permissions only provide Full Control, Change, and Read. There are no
special permissions available for share permissions, so the standard permissions are as granular
as you can go for this set of access control.
The share permissions are not part of the folder or file, so when the share name is changed, the
folder is moved, or the folder is backed up, the share permissions are not included. This makes
for a fragile control of the share permissions if the folder is modified.

Historic Share Permissions

Microsoft has historically configured all new shared folders with very open share permissions.
The default share permissions for Windows NT, Windows 2000 (Server and Professional), and
Windows XP (pre Service Pack 1) is that the Everyone group has Full Control access.

This might seem insecure with Full Control access, but when the NTFS permissions are
combined with the share permissions, the most secure of the two permissions controls the
access to the resource.

In the past, when share permissions are altered from Everyone having Full Control, it can cause
more problems than it is worth. For example, when a company typically does not use share
permissions, it can take a longer cycle to fix access to resources when they are used. When
share permissions are configured incorrectly on a shared folder, the share permissions are not
the initial configuration to be checked. In most cases, I have found that it can take hours before
the share permissions are investigated. During the troubleshooting procedures, users can be
added to “admin” groups, given elevated user rights, and added directly to the ACL of the
resource. When the share permissions are finally investigated and fixed, it can be hard to
remember all of the other configurations that have been made in an attempt to fix the users
access to the resource. Of course, this leaves the resource and overall network in an insecure
state, all due to share permissions being configured incorrectly.

New Share Permissions

With all of the confusion that old share permissions could cause, Microsoft decided to change the
rules for default share permissions with the release of Windows XP Service Pack 1. With every
operating system after this service pack release (including Windows Server 2003), the new
default permissions for all new shared folders is Everyone having Read only access, as shown in
Figure 3.

This seems like a good security setting, until you consider how many resources on your network
can actually have “read-only” access for everyone. There are not many, due to the fact that
users need to modify and alter the contents of most resources to be productive.

In almost every instance the share permissions will need to be changed from Read access. This
sets up the administrator to configure detailed share permissions, which can cause the issues
that we discussed before with regard to troubleshooting resource access with the old share
permissions being modified. With the share permissions being changed by default, I have found
that many administrators don’t feel that they need to configure NTFS permissions anymore, as
they rely on the share permissions to protect the resource. This is a gross error and leaves the
network and resources in a very vulnerable state. Share permissions are only valid when the
resource is accessed over the network, but not when it is accessed locally, using Terminal
Services, etc. Also remember that share permissions are not backed up with resource, so all
backed up files are vulnerable as well, without any permissions protecting them.

Share Permissions Best Practice

As a best practice, it is most efficient to configure share permissions with Authenticated Users
having Full Control access. Then, the NTFS permissions should configure each group with
standard permissions. This provides excellent security for local and network access to the
resource. It also provides excellent protection of the resource for when it is backed up and
when the resource name is changed or relocated. As I said earlier, the NTFS permissions will
protect the resource even if the share permissions are set to Full Control access.