Windows XP Pro SP2 User's Guide 3.0


  • 7/27/2019 Windows XP Pro SP2 User's Guide 3.0


    Windows XP Professional

    with SP2

    Evaluated Configuration

    User's Guide

    Version 3.0

    July 11, 2007

    Prepared For:

    Microsoft Corporation

    Corporate Headquarters

    One Microsoft Way

    Redmond, WA 98052-6399

    Prepared By:

    Science Applications International Corporation

    Common Criteria Testing Laboratory

    7125 Columbia Gateway Drive, Suite 300

    Columbia, MD 21046


    Windows XP Professional SP2 Evaluated Configuration Users Guide Version 3.0, 07/11/2007

    This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

    Copyright 2008 Microsoft Corporation. All rights reserved.

    Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


    Windows XP Professional with SP2 Evaluated Configuration User's Guide Version 3.0, 07/11/2007

    1. INTRODUCTION
      AUDIENCE ASSUMPTIONS
      DOCUMENT OVERVIEW
      CONVENTIONS
    2. WINDOWS XP PROFESSIONAL EVALUATED CONFIGURATION
      SYSTEM REQUIREMENTS
        Hardware
        Software
    3. USING WINDOWS XP PROFESSIONAL IN A SECURE MANNER
      OPERATING ENVIRONMENT
        Organizational Security Policies
        Secure Usage Assumptions
        Connectivity Assumptions
        Personnel Assumptions
        Physical Assumptions
      SECURITY OVERVIEW
      USER AND GROUP ACCOUNTS
      SECURITY FUNCTIONS
        Passwords
          Creating Strong Passwords
          Changing a Password
          Mandatory Password Changes
          Password Reset
          User Initiated Password Change
        Computer Access
          Logging on with a User Account Name and Password
          User Account Locked due to Invalid Password Attempts
          Logging on to a Computer with a Smart Card
          Changing the Smart Card PIN
          Logging Off
          Shutdown Computer
          Restart Computer


        Disk Quotas
          Exceeding Disk Quota Limits
        Data Protection
          Password Protected Screen Locks
          Implementing a Password Protected Screen Saver
          Initiating a Screen Lock
          Unlocking the Computer Screen
          Setting Access Controls on Files, Folders, and Other System Objects
          Copying vs. Moving
          File Permissions
          Folder Permissions
          Selecting Where to Apply Permissions
          Setting or Modifying Permissions
          How Inheritance affects File and Folder Permissions
          Shared Folder Permissions
          Default Share Permissions
          How Shared Folder Permissions are Applied
          Sharing Folders
          Mapping a Network Share
        Encrypting File System in Windows XP Professional
          EFS Enhancements in Windows XP Professional
          Components of EFS
          Maintaining File Confidentiality
          Encrypting a File or Folder
          Obtaining EFS Certificates
          Import EFS Certificates
          Request an EFS Certificate from a CA within a Domain
          Granting Local Users Authorization to Open Encrypted Files
          Granting Domain Users Authorization to Open Encrypted Files
          Revocation Checking
          Removing a User's Authorization to Open an Encrypted File
          Decrypting Files and Folders
          Copying an Encrypted Folder or File
          Moving or Renaming an Encrypted Folder or File
          Deleting an Encrypted Folder or File
          System Folders and Files
          Encryption and Local Password Resets on Windows XP


          Restoring Files to a Different Computer
          Folder and File Encryption on a Remote Server
          Web Distributed Authoring and Versioning (WebDAV)
          WebDAV Clients
          Connecting to a WebDAV Directory
          Remote EFS Operations on File Shares and Web Folders (WebDAV folders)
          Remote EFS Operations in a Web Folder Environment
          Remote Encryption of Files on Web Folders
          Remote Decryption of Files on Web Folders
          File Copy from a Web Folder
        Certificates and Certification Authorities
          Certificate Uses
          Certificate Stores
          CA Trust
        Requesting Certificates from a Windows Server 2003 Certificate Server
          Requesting Certificates
          Processing of Certificate Requests
        ADFS Enabled Web Applications
        Configuring the Web Browser for Accessing ADFS-enabled Web Applications
        Using Federated Web Applications
        Configuring the Web Browser for Accessing ADFS-enabled Web Applications
        Using Federated Web Applications
        Types of ADFS-aware Web applications
          Accessing ADFS-enabled Sample Web Applications from the Account Realm: Federated Web SSO Scenario
          Accessing ADFS-enabled Web Applications from within the Resource Realm: Federated Web SSO Scenario
          Accessing ADFS-enabled Web Applications: Web SSO Scenario
        Troubleshooting ADFS-enabled Application Failures
    4. ACRONYMS
    5. REFERENCES


    1. Introduction

    Welcome to the Windows XP Professional with SP2 Evaluated Configuration User's Guide, Version 3.0. The Microsoft Windows 2003, XP Professional and XP Embedded Security Target, defines the requirements for the Windows Server 2003 and XP Professional Common Criteria Evaluation (Version 3.0) and is henceforth referred to in this document as the Windows 2003/XP V3 ST. Windows XP Professional was evaluated against the Windows 2003/XP V3 ST and found to satisfy the ST requirements.

    This document provides sufficient guidance for Windows XP Professional users to securely use the product in accordance with the requirements stated in the Windows 2003/XP V3 ST. This document is specifically targeted at the non-administrative (e.g. non-privileged) user of Windows XP Professional.

    Audience Assumptions

    This document assumes the audience is generally familiar with Windows XP Professional with Service Pack 2.

    Document Overview

    This document has the following chapters:

    Chapter 1, Introduction, introduces the purpose and structure of the document and the assumptions of the audience.

    Chapter 2, Windows XP Professional Evaluation Configuration, describes the evaluated configuration.

    Chapter 3, Using Windows XP Professional in a Secure Manner, describes the environment of the evaluation configuration, an overview of the security functions, an overview of user and group accounts, and a description of how to use the security functions of Windows XP Professional. It also provides users with a brief description of digital certificates and provides procedures for making certificate requests and verifying the certificates.

    Chapter 4, Acronyms

    Chapter 5, References

    Conventions

    Throughout the document, the following conventions are followed:

    Warnings: Actions that have critical security ramifications. Warnings are identified with the bolded word Warning (e.g. Warning).

    Evaluation Note: Conditions that are specific to the Evaluated Configuration that the user should be aware of. Evaluation Notes are identified with the bolded words Evaluation Note (e.g. Evaluation Note).

    Note: Text that is important for the user to take notice of is identified with the bolded word Note (e.g. Note).


    2. Windows XP Professional Evaluated Configuration

    The primary focus of this section is to describe the concept of an Evaluated Configuration. This section does NOT give instruction of how to install and configure the Windows XP Professional to be in the evaluated configuration. Such instruction is provided in the Windows XP Professional Security Configuration Guide. This section introduces the notion of an Evaluated Configuration so the administrator is aware of potential consequences if the system is not in the proper configuration, and specifies the hardware and software requirements.

    The Target of Evaluation (TOE) includes a homogenous set of Windows XP Professional systems that can be connected via their network interfaces and may be organized as domain or workgroup members. Within the TOE, a domain is a logical collection of Windows XP Professional and Windows Server 2003 systems that allows the administration and application of a common security policy and the use of a common accounts database. Domains use established trust relationships to share account information and validate the rights and permissions of users. A user with one account in one domain can be granted access to resources on any server or workstation on the network. Each domain must include at least one designated server known as a Domain Controller (DC) to manage the domain.

    A workgroup is a logical grouping of networked computers that share resources, such as files and printers. A workgroup is sometimes referred to as a peer-to-peer network because all computers in the workgroup can share resources as equals, without a dedicated server. Each Windows XP Professional computer in a workgroup maintains its own local security database, which contains a list of user accounts and resource security information specific to that computer.

    Each Windows XP Professional system, whether it is a domain member, workgroup member, or a standalone computer, is part of the TOE and provides a subset of the TOE Security Functions (TSFs). The TSF for Windows XP Professional can consist of the security functions from a single system (in the case of a stand-alone system) or the collection of security functions from an entire network of systems (in the case of domain or workgroup configurations).

    System Requirements

    This section describes the minimum system requirements for the evaluated configuration.

    Hardware

    Physically, each Windows XP Professional system in the Evaluated Configuration consists of a computer with a 32-bit (x86) or 64-bit (x64) processor (including Intel Pentium and Xeon, as well as AMD Opteron families). A set of devices may be attached and they are listed as follows:

    Display Monitor,

    Keyboard,

    Mouse,

    Floppy Disk Drive,

    Compact Disk Read Only Memory (CD-ROM) Drive,

    Fixed Disk Drives,

    Printer,

    USB Smart Card Reader,


    Audio Adaptor, and

    Network Adaptor.

    The TOE does not include any physical network components between network adaptors of a connection. The ST assumes that any network connections, equipment, and cables are appropriately protected in the TOE security environment.

    Software

    Windows XP Professional is a workstation operating system. Windows XP Professional is suited for business desktops and notebook computers. The security features addressed by the ST are those provided by Windows XP Professional as an operating system.


    3. Using Windows XP Professional in a Secure Manner

    This section describes the security environment of Windows XP Professional in the evaluated configuration and how to use the Windows XP Professional security functions.

    Evaluation Note: Users should ensure that they each uphold the Secure Usage Assumptions related to users.

    Operating Environment

    The security environment of the Evaluated Configuration of Windows XP Professional is described in the Windows 2003/XP V3 ST and identifies the threats to be countered by Windows XP Professional, the organizational security policies, and the usage assumptions as they relate to Windows XP Professional. The assumptions and policies are primarily derived from the Controlled Access Protection Profile (CAPP), while the threats were introduced in the Windows 2003/XP V3 ST to better represent specific threats addressed by Windows XP Professional. The administrator should ensure that the environment meets the organizational policies and assumptions. They are repeated below from the ST.

    Organizational Security Policies

    Table 3-1 describes organizational security policies that are addressed by Windows XP Professional.


    Table 3-1 Organizational Security Policies

    | Security Policy | Description | PP Source |
    |---|---|---|
    | P.ACCOUNTABILITY | The users of the system shall be held accountable for their actions within the system. | CAPP |
    | P.AUTHORIZED_USERS | Only those users who have been authorized access to information within the system may access the system. | CAPP |
    | P.NEED_TO_KNOW | The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users which have a "need to know" for that information. | CAPP |
    | P.AUTHORIZATION | The system must have the ability to limit the extent of each user's authorizations. | |
    | P-ADD-IPSEC | The system must have the ability to protect system data in transmission between distributed parts of the protected system. | |
    | P.WARN | The system must have the ability to warn users regarding the unauthorized use of the system. | |

    Secure Usage Assumptions

    This section describes the security aspects of the environment in which Windows XP Professional is intended to be used. This includes assumptions about the connectivity, personnel, and physical aspects of the environment.

    Windows XP Professional is assured to provide effective security measures in the defined environment only if it is installed, managed, and used correctly. The operational environment must be managed in accordance with the user and administrator guidance.

    Connectivity Assumptions

    Windows XP Professional is a distributed system connected via network media. It is assumed that the following connectivity conditions will exist.


    Table 3-2 Connectivity Assumptions

    | Assumption | Description | PP Source |
    |---|---|---|
    | A.CONNECT | All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected. | CAPP |
    | A.PEER | Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems. | CAPP |

    Personnel Assumptions

    It is assumed that the following personnel conditions will exist.

    Table 3-3 Personnel Assumptions

    | Assumption | Description | PP Source |
    |---|---|---|
    | A.COOP | Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment. | CAPP |
    | A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. | CAPP |
    | A.NO_EVIL_ADM | The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation. | CAPP |

    Evaluation Note: The user must adhere to A.COOP as described in the above table.


    Physical Assumptions

    Windows XP Professional is intended for application in user areas that have physical control and monitoring. It is assumed that the following physical conditions will exist.

    Table 3-4 Physical Assumptions

    | Assumption | Description | PP Source |
    |---|---|---|
    | A.LOCATE | The processing resources of the TOE will be located within controlled access facilities that will prevent unauthorized physical access. | CAPP |
    | A.PROTECT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. | CAPP |

    Security overview

    It is important to keep a computer system secure, not only to protect data on the computer itself, but on the network as well. A good security system confirms the identity of the people who are attempting to access the resources on a computer, protects specific resources from inappropriate access by users, and provides a simple, efficient way to set up and maintain security on the computer.

    To help accomplish these goals, Windows XP Professional offers these security features:

    User Accounts: To use a computer that is running Windows XP Professional, users must have a valid account, established by an authorized administrator, which consists of a unique user name and a password. Windows XP Professional verifies the user name and password when the user presses CTRL+ALT+DEL and then types his/her user name and password. If the user account has been disabled or deleted, Windows XP Professional prevents the user from accessing the computer, ensuring that only valid users have access to the computer.

    Group Accounts: Users must have certain user rights and permissions to perform tasks on a computer running Windows XP Professional. Group accounts help to efficiently assign those user rights and permissions to users. Windows XP Professional comes with many built-in groups based on the tasks users commonly perform, such as the Administrators, Backup Operators, or Users groups. Assigning users to one or more of the built-in groups gives most users all of the user rights and permissions they need to perform their jobs. Only authorized domain administrators can add members to Domain groups. Only members of the local Administrators group can add and modify group membership on the local workstation. Members of the Power Users group can create users and groups, but can only modify accounts that were created by the specific member of the Power Users group.

    Encryption (New Technology File System (NTFS) drives only): Encrypting files and folders makes them unreadable to unauthorized users. If a user attempting to access an encrypted file has the private key to that file (that is, if the user either encrypted the file personally, has been granted access to the file by the owner, or is a registered recovery agent), the user will be able to open the file and work with it transparently as a normal document. A user without the private key to the file is denied access. Encryption is available only on NTFS formatted drives.

    File and Folder Permissions (NTFS drives only): When permissions are set on a file or folder, the owner specifies the groups and users whose access is to be restricted or allowed, and then selects the type of access. It is more efficient to specify group accounts when assigning permissions to objects, so that users can simply be added to the appropriate group to allow or restrict access for those users. For example, managers can be given Full Control of a folder that contains electronic timesheets, and employees can be given Write access so that they can copy timesheets to that folder, but not read the contents of the folder. File and folder permissions can be set only on NTFS drives.


    Share Folder Permissions: Members of the Administrators or Power Users group can share folders on a local computer so that users on other computers can access those folders. By assigning shared folder permissions to any NTFS, File Allocation Table (FAT), or FAT32 shared folder, authorized administrators can restrict or allow access to those folders over the network. In addition to share permissions, NTFS folder permissions can be used if the shared folder is located on an NTFS drive. NTFS permissions are effective on the local computer and over the network.

    Printer Permissions: Because shared printers are available to all users on the network, administrators might want to limit access for some users by assigning printer permissions. For example, all non-administrative users in a department could be given Print permission and all managers the Print and Manage Documents permissions. By doing this, all users and managers can print documents, but managers can change the status of any print job submitted by any user.

    Auditing: Authorized administrators can use auditing to track which user account was used to access files or other objects, as well as logon attempts, system shutdowns or restarts, and similar events. Before any auditing takes place, the administrator must use Group Policy to specify the types of events that are to be audited. For example, to audit a folder, Audit Object Access must first be enabled in the Auditing policy in Group Policy. Next, the administrator sets up auditing in the same fashion as permissions for files and folders.

    User Rights: User rights are rules that determine the actions a user can perform on a computer. In addition, user rights control whether a user can log on to a computer directly (locally) or over the network, add users to local groups, delete users, and so on. Built-in groups have sets of user rights already assigned. Authorized administrators usually assign user rights by adding a user account to one of the built-in groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group are automatically granted all user rights assigned to the group account. User rights are managed using a Group Policy.

    Group Policy: Group Policies are used to set a variety of software, computer, and user policies. For example, an authorized administrator can define the various components of the user's desktop environment, such as the programs that are available to users, the icons that appear on the user's desktop, the Start menu options, which users can modify their desktops and which cannot, and so on. Group Policy is also used to set user rights. A subcomponent of Group Policy in Windows XP Professional is Security Settings, which provides options for configuring system security and is also directly accessible via the Local Security Policy interface.

    User and Group Accounts

    The default security settings for Windows XP Professional can be described by summarizing the permissions granted to default user and group accounts as well as special groups.

    Administrator: The default Administrator account has full control over the computer's software, contents, and settings. Only authorized administrators should log on as Administrator. The account can be used to perform tasks such as creating user accounts, installing software, or making any changes that need to be available to all users.

    Note: As a best security practice, the default Administrator account should not be used for day-to-day administration and should only be used in the event of an emergency. Instead, authorized administrators should log on with a user account that has been added to the Administrators group. The use of individual user accounts by administrators supports requirements for accountability.

    Guest: Default user account available to allow anonymous access to the computer and resources. It is disabled by default.


    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to disable the guest account in the Evaluated Configuration.

    Help Assistant (identified as HelpAssistant): Account used by remote help desk personnel to log on to a computer during the Remote Assistance session. It is disabled by default.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to keep the Help Assistant account disabled in the Evaluated Configuration.

    SUPPORT_388945a0: Account used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate to an ordinary user, who does not have administrative access over a computer, the ability to run signed scripts from links embedded within Help and Support Services. It is disabled by default.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to keep the SUPPORT_388945a0 account disabled in the Evaluated Configuration.

    Administrators: Members of the Administrators group can perform all functions supported by the operating system. Administrators are able to grant themselves any rights that they do not have by default. Ideally, administrative access should only be used to:

    Install the operating system and components (such as hardware drivers, system services, and so on).

    Install Service Packs and Patches.

    Upgrade the operating system.

    Repair the operating system.

    Configure critical operating system parameters (such as password policy, access control, audit policy, kernel mode driver configuration, and so on).

    Take ownership of files that have become inaccessible.

    Manage the security and auditing logs.

    Back up and restore the system.

    Manage user and group accounts.

    Backup Operators: Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Backup Operators group.

    Guests: The Guests group offers limited access to resources on the system. By default, members of the Guests group are denied access to the application and system event logs. They also cannot make permanent changes to their desktop environment. Otherwise, members of the Guests group have the same access rights as members of the Users group. This allows occasional or one-time users to log on to a workstation's built-in Guest account and be granted limited abilities. The Guest user account is disabled by default.


    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add any accounts to the Guests group.

    Help Services Group (identified as HelpServicesGroup): Members of this group can use helper applications to diagnose system problems. This group, in conjunction with the SUPPORT_388945a0 and Help Assistant accounts, can be used by members of Microsoft Help and Support Center to access the computer from the network and to log on locally.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add any accounts to Help Services Group.

    Network Configuration Operators: Members of this group have limited administrative privileges that allow them to configure networking features, such as Internet Protocol (IP) address assignment.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Network Configuration Operators group.

    Power Users: Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. Power Users can:

    Run legacy applications in addition to Windows XP Professional certified applications.

    Install programs that do not modify operating system files or install system services.

    Customize system-wide resources including Printers, Date/Time, Power Options, and other Control Panel resources.

    Create and manage local user accounts and groups.

    Stop and start system services that are not started by default.

    Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Power Users group.

    Remote Desktop Users: Members of this group have the right to log on remotely.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add any accounts to the Remote Desktop Users group.

    Replicator: Members can support file replication services in a domain. The replicator service is used to automatically copy files, such as user logon scripts.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 (Appendix D: User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Replicator group.

    Users: The Users group provides the most secure environment in which to run programs. On a volume formatted with NTFS, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. They can run certified Windows XP Professional programs that have been installed or deployed by administrators. Users have full control over all of their own data files.

    Users cannot install programs that can be run by other Users (this prevents introduction of Trojan horse programs). They also cannot access other Users' private data or desktop settings.

    Special Groups: Several additional groups are automatically created by Windows XP Professional:

    Interactive: This group contains the user who is currently logged on to the computer.

    Network: This group contains all users who are currently accessing the system over the network.

    Terminal Server User: When Terminal Servers are installed in application serving mode, this group contains any users who are currently logged on to the system using Terminal Server.

    Evaluation Note: The Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 instructs the administrator to not grant resource permissions or user rights to this account.
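    The Evaluation Notes in this section amount to a checklist for local accounts and groups. The following added example (not part of the original guide and not Microsoft code) parses `net localgroup <group>` output and reports deviations; the sample output, the account names in it, the default-member table, and the rule that "administrative" means membership in Administrators are assumptions made for illustration.

```python
# Groups the Evaluation Notes say must receive no added accounts.
NO_ADDED_MEMBERS = {"Guests", "HelpServicesGroup", "Remote Desktop Users"}
# Groups the Evaluation Notes restrict to administrative accounts.
ADMIN_ONLY = {"Backup Operators", "Network Configuration Operators",
              "Power Users", "Replicator"}
# Accounts the Evaluation Notes say must be disabled or stay disabled.
MUST_BE_DISABLED = {"Guest", "HelpAssistant", "SUPPORT_388945a0"}
# Assumption: members present on a default install, so not "added" accounts.
DEFAULT_MEMBERS = {"Guests": {"Guest"}, "HelpServicesGroup": {"SUPPORT_388945a0"}}


def parse_net_localgroup(output):
    """Return (group name, member list) from `net localgroup <group>` output."""
    name, members, in_members = None, [], False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("Alias name"):
            name = line[len("Alias name"):].strip()
        elif line and set(line) == {"-"}:        # dashed rule precedes members
            in_members = True
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line.strip())
    return name, members


def audit(groups, account_active):
    """groups: name -> members; account_active: account name -> enabled flag."""
    # Assumption: an account is "administrative" if it is in Administrators.
    admins = {m.lower() for m in groups.get("Administrators", [])}
    findings = []
    for group, members in sorted(groups.items()):
        defaults = {d.lower() for d in DEFAULT_MEMBERS.get(group, ())}
        for member in members:
            if group in NO_ADDED_MEMBERS and member.lower() not in defaults:
                findings.append(f"{group}: remove added account {member}")
            elif group in ADMIN_ONLY and member.lower() not in admins:
                findings.append(f"{group}: {member} is not in Administrators")
    for account in sorted(MUST_BE_DISABLED):
        if account_active.get(account, False):
            findings.append(f"{account}: account must be disabled")
    return findings


# Constructed sample output; alice.admin, bob, temp1 and carol are made up.
RULE = "-" * 79
SAMPLE_OUTPUTS = [
    f"Alias name     Administrators\nComment        (constructed)\n\nMembers\n\n"
    f"{RULE}\nAdministrator\nalice.admin\nThe command completed successfully.\n",
    f"Alias name     Backup Operators\nComment        (constructed)\n\nMembers\n\n"
    f"{RULE}\nalice.admin\nbob\nThe command completed successfully.\n",
    f"Alias name     Guests\nComment        (constructed)\n\nMembers\n\n"
    f"{RULE}\nGuest\ntemp1\nThe command completed successfully.\n",
    f"Alias name     Remote Desktop Users\nComment        (constructed)\n\nMembers\n\n"
    f"{RULE}\ncarol\nThe command completed successfully.\n",
]
# Constructed account state, for example as read from `net user <name>`.
SAMPLE_ACTIVE = {"Guest": True, "HelpAssistant": False, "SUPPORT_388945a0": False}


def run_sample():
    groups = dict(parse_net_localgroup(text) for text in SAMPLE_OUTPUTS)
    return audit(groups, SAMPLE_ACTIVE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```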

    Security Functions

    This section describes how to use the security functions of Windows XP Professional.

    Passwords

    The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. To ensure security, passwords must be used carefully. These recommendations will help protect passwords:

    Never write down passwords.

    Never share passwords with anyone.

    Never use a network logon password for another purpose.

    Use different passwords for network logon and the Administrator account on a computer.

    Change the network password every 60 to 90 days or as dictated by local security policies. Administrators may force periodic password changes through group/domain policies.

    Change the password immediately if it is believed to have been compromised.

    Note: Windows XP Professional includes a Forgotten Password Wizard that may be used to create a Password Reset Disk. The evaluated configuration currently does not include the use of the Forgotten Password Wizard and the Password Reset Disk.

    Be careful about where a password is saved on the computer. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember passwords. Do not select that option.


    Creating Strong Passwords

    Good computer security includes the use of strong passwords for network or local logons. For a password to be strong and hard to break, it should:

    Be at least eight characters long,

    Contain characters from each of the following three groups,

    Description                                                    Examples
    Letters (uppercase and lowercase)                              A, B, C,...; a, b, c,...
    Numerals                                                       0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Symbols (all characters not defined as letters or numerals)    ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

    Have at least one symbol character in the second through sixth positions,

    Be significantly different from prior passwords,

    Not contain the user's actual name or user account name, and

    Not be a common word or name.
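    The rules listed above can be expressed as a single check. The following is an added example, not part of the original guide and not how Windows enforces its password policy; the function names, the constructed word list, the treatment of any letter as satisfying the letters group, and the 0.6 similarity threshold used for "significantly different" are assumptions.

```python
import difflib

# Constructed sample word list; a real check would use a much larger dictionary.
COMMON_WORDS = {"password", "welcome", "sunshine", "letmein", "qwerty"}


def is_symbol(ch):
    """The guide defines a symbol as any character that is not a letter or numeral."""
    return not (ch.isalpha() or ch.isdigit())


def check_password(password, account_name, full_name="", previous=(),
                   common_words=COMMON_WORDS, max_similarity=0.6):
    """Return the list of guide rules that `password` fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # At least one character from each of the three groups in the table.
    groups = {
        "letter": any(c.isalpha() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(is_symbol(c) for c in password),
    }
    problems += [f"no {name}" for name, present in groups.items() if not present]

    # Positions two through six are string indexes 1..5.
    if not any(is_symbol(c) for c in password[1:6]):
        problems.append("no symbol in positions 2-6")

    lowered = password.lower()
    # Assumption: name parts shorter than three characters are ignored.
    for token in [account_name, *full_name.split()]:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains name '{token}'")

    # Assumption: a word is still "common" after digits and symbols are stripped.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in common_words or letters_only in common_words:
        problems.append("common word or name")

    # Assumption: "significantly different" means a similarity ratio below
    # max_similarity. Prior passwords are only known in clear text at change
    # time (the old password the user has just typed).
    for old in previous:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio >= max_similarity:
            problems.append("too similar to a prior password")
            break
    return problems


if __name__ == "__main__":
    # Constructed test inputs.
    for candidate in ["Password1", "Harbor42Ql!", "gr8!Lamp-Post"]:
        print(candidate, check_password(candidate, "jsmith", "John Smith"))
```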

    Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password-cracking tools continue to improve and the computers used to crack passwords are more powerful. Network passwords that once took weeks to break can now be broken in hours.

    Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password.

    Evaluation Note: The Windows XP Professional Evaluated Configuration Administrator's Guide document and Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 both instruct the administrator to set the minimum password length to be at least eight (8) characters in the evaluation configuration.

    Changing a Password

    Several methods can be used to initiate password changes:

    Policies may dictate periodic mandatory password changes,

    Account passwords may need to be reset by an authorized administrator, and

    Users may choose to initiate a password change.


    Mandatory Password Changes

    The Windows domain password policy, or the Local Security Policy on a standalone computer, may dictate a maximum password age. A maximum password age determines how long users can keep a password before they have to change it. The aim is to periodically force users to change their passwords. Once a password has expired due to this policy, the user will receive the following message after initiating a login attempt:

    The password will need to be changed as follows:

    1. Click OK.

    2. The Change Password interface will appear with the old password already filled in.

    3. Enter a new password and confirm it by entering it a second time.

    If the new password does not match the one entered in the Confirm New Password block, a warning message will appear stating that the passwords typed do not match.

    If the domain policy or Local Security Policy requires the use of strong passwords and has defined password policies addressing issues such as length and history, and a non-conforming password is entered, the following warning message will appear:


    For either of the two cases above, reenter and confirm the new password in the proper format needed to conform to policy requirements.

    4. A successful password change is verified with the following message:

    Password Reset

    Occasionally, a user may forget a password. If the user is locked out of the computer due to not remembering a password, the only way to recover is to have an authorized administrator reset the user account password. The typical practice when resetting an account password is to immediately expire the new password that is provided by the administrator, and require users to enter a new password upon their first logon attempt. This practice helps maintain the secrecy of the user account password by forcing users to create a password that is not known by the administrator. The procedures that must be followed by the user to enter a new password are identical to those described above for mandatory password changes. The message users receive when required to change their passwords at first logon is shown below.


    User Initiated Password Change

    To initiate a password change:

    1. Press CTRL+ALT+DELETE to access the Windows Security interface.

    2. Click Change Password. A Change Password interface will appear (old password dialog box is blank).

    3. Enter the old password, then enter a new password and confirm it by entering it a second time.

    4. A successful password change is verified with the following message:


    Computer Access

    Logging on with a User Account Name and Password

    To log on to the computer:

    1. Initiate a trusted path for login by pressing CTRL+ALT+DELETE.

    2. If the administrator has implemented a log on banner, a message banner will appear on the screen. Read the message and click OK, or hit to continue with the logon process.

    3. At the Log On to Windows interface, enter a user name and password.

    4. Click on the Options >> button. In the Log on to: drop down box select to either log on to a network Domain Controller or directly to the local computer.

    5. Click OK.


    User Account Locked due to Invalid Password Attempts

    If the domain policy or Local Security Policy includes an account lockout threshold, user accounts will be locked immediately after executing the specified number of invalid login attempts. Initial invalid login attempts will be presented to the user in a Logon Message as shown below. By design, the message does not specifically indicate whether it is the password or the user login Identification (ID) that is incorrect.

    The final invalid login attempt will inform the user that the account has been locked by presenting the Logon Message shown below. By design, the message does not state whether the account is disabled due to a bad password or a bad login ID.

    Account lockouts may be set by policy to remain locked for a set period of time or may be locked indefinitely until an authorized administrator unlocks the account. An authorized administrator must be contacted to unlock user accounts that have been locked indefinitely or that require immediate access.

    Logging on to a Computer with a Smart Card

    To log on to a computer with a smart card, users do not need to type CTRL+ALT+DEL. They simply insert the smart card into the smart card reader and the computer prompts them for their Personal Identification Number (PIN) instead of their user name and password.


    Note: Users will need to obtain a smart card from an authorized Smart Card Enrollment Agent, who is responsible for adding user certificates to smart cards on behalf of the users.

    1. If the computer is configured to use a smart card, the Welcome to Windows logon interface will show a smart card icon. Insert the smart card into the smart card reader.

    2. Type the PIN for the smart card when prompted by the computer. Click OK.

    Note: The Smart Card Enrollment Agent will provide users with a PIN that can be used for the initial logon. Users should change their PINs immediately after their initial logon with the smart card.


    Notes:

    The Smart Card must be prepared by creating the appropriate credentials before using it to log on to the computer.

    If the PIN entered is recognized as legitimate, this logs the user on to the computer and to the Windows Server 2003 family domain, based on the permissions assigned to the user account by the domain administrator.

    If the incorrect PIN is entered for a Smart Card several times in a row, the user will be unable to log on to the computer using that Smart Card. The number of allowable invalid logon attempts before lockout occurs varies according to the Smart Card manufacturer. By default, the Infineon Sicrypt Smart Cards become locked if an incorrect PIN is entered three times in a row. A locked card can only be unlocked by an authorized administrator using the Infineon Sicrypt Cryptographic Service Provider (CSP) Tools and an administrator PIN.

    If the Smart Card is inserted backwards or upside down, the Smart Card will not work; however, the user may be prompted for a PIN which will not work.

    Smart Card logons only work for computers that are joined to a domain.

    If a Domain Controller is not available, the Smart Card logon fails even if the user has previously logged onto the computer using the Smart Card. If the Domain Controller is available but does not have a valid Certificate Revocation List (CRL) for the issuing Certification Authority (CA), then the logon fails.

    Changing the Smart Card PIN

    All users must be required by policy to change the default Smart Card PIN as soon as they receive their Smart Card. Procedures for changing the Smart Card PIN are dependent on Smart Card vendor applications which are outside the TOE. For the Evaluated Configuration, the Sicrypt Smart Card from Infineon Technologies is used. To allow users the capability to change their Smart Card PINs, the Infineon Sicrypt CSP Tools must first be installed on the user's computer by an authorized administrator.

    To change a Smart Card PIN:

    1. The Smart Card user logs on to the computer using a regular domain account and password (alternatively, the user may log on using the issued Smart Card with the default PIN).

    2. Click Start, point to Infineon SICRYPT CSP Tools, and select SICRYPT Smart Card Admin Tool.

    3. The SICRYPT Smart Card Admin Tool interface will appear. Insert the Smart Card into the smart card reader.


    4. Click the PIN button. Enter the current PIN number in the PIN entry box, then enter the new PIN in the new PIN box and confirm it by entering it again in the Confirm PIN box. Guidelines for selecting a PIN are as follows:

    The SICRYPT Smart Card Admin Tool allows the PIN to be set to a minimum of four (4) characters and a maximum of eight (8). For the Evaluated Configuration, PINs must be comprised of eight (8) characters.

    For strong security, create the PIN by using a mixture of alphabet characters, numbers, and other special characters such as #, @, or $.

    5. Click the Change PIN button. A message will appear indicating that the PIN of the signature card has been changed successfully. Click OK.


    6. Close the SICRYPT Smart Card Admin Tool interface.

    Logging Off

    To log off from the computer so that someone else can use it:

    1. Click Start, and then click Log Off.

    2. In the Log Off Windows interface, click the Log off button. This closes all programs, disconnects the computer from the network, and prepares the computer to be used by someone else.

    3. Alternatively, users can log off by pressing CTRL+ALT+DELETE, and then clicking the Log Off button on the Windows Security interface.

    Shutdown Computer

    To shut down the computer:

    1. Click Start, and then click Shut Down.

    2. In the Shut Down Windows interface, select Shut down from the drop-down menu and click OK.


    3. After the data is saved, Windows XP Professional notifies the user that it is okay to turn off the computer. Some computers have configurable Basic Input-Output System (BIOS) settings that allow the computer hardware to turn itself off automatically once the operating system shutdown process is completed.

    4. The computer can also be shut down by pressing CTRL+ALT+DELETE and clicking the Shut Down button on the Windows Security interface and then selecting Shut down from the drop-down menu of the Shut Down Windows interface.

    Restart Computer

    To restart the computer:

    1. Click Start, and then click Shut Down.

    2. In the Shut Down Windows interface, select Restart from the drop-down menu and click OK.

    3. The computer can also be restarted by pressing CTRL+ALT+DELETE, clicking the Shut Down button on the Windows Security interface and then selecting Restart from the drop-down menu of the Shut Down Windows interface.

    Disk Quotas

    Windows XP Professional disk quotas track and control disk storage usage on a per-user, per-volume basis. Windows XP Professional tracks disk quotas for each volume, even if the volumes are on the same hard disk. Because quotas are tracked on a per-user basis, every user's disk space is tracked regardless of the folders in which the user stores files.

    The following list describes several important characteristics of Windows XP Professional disk quotas.


    Windows XP Professional calculates disk space usage for users based on the files and folders they own. When a user copies or saves a file to an NTFS volume or takes ownership of a file on an NTFS volume, Windows XP Professional charges the disk space for the file against the user's quota limit.

    Windows XP Professional ignores compression when it calculates hard disk space usage. Users are charged for each uncompressed byte, regardless of how much hard disk space is actually used. In part, this charge is made because file compression produces different degrees of compression for different types of files. Different file types that are the same size when uncompressed might end up to be very different sizes when they are compressed.

    When disk quotas are enabled, the free disk space Windows XP Professional reports to applications for the volume is the amount of space remaining within the user's disk quota limit. For example, a user whose files occupy 50 MegaBytes (MB) of an assigned disk quota limit of 100MB will show 50MB of free space even if the volume contains several gigabytes of free space.

    Authorized administrators can use disk quotas to monitor and control hard disk space usage. Administrators can perform the following tasks:

    Set a disk quota limit to specify the amount of disk space for each user.

    Set a disk quota warning to specify when Windows XP Professional should log an event, indicating that the user is nearing his or her limit.

    Enforce disk quota limits and either deny users access if they exceed their limit or allow them to continue access.

    Log an event when a user exceeds a specific disk space threshold. For example, a threshold might be when users exceed their quota limit or when they exceed their warning level.

    Once disk quotas are enabled for a volume, Windows XP Professional collects disk usage data for all users who own files and folders on the volume. This allows the monitoring of volume usage on a per-user basis. By default, only members of the Administrators group can view and change the quota settings. However, an authorized administrator can allow users to view quota settings.

    Exceeding Disk Quota Limits

    When the administrator selects the Deny disk space to users exceeding quota limit option, users who exceed their quota limit receive an "insufficient disk space" error from Windows XP Professional and cannot write additional data to the volume without first deleting or moving some existing files from it.

    Individual programs determine their own error handling for this condition. To the program, it appears that the volume is full. Enabling quotas and not limiting disk space use is useful when administrators do not want to deny users access to a volume, but want to track disk space use on a per-user basis. The administrator can also specify whether or not to log an event when users exceed either their quota warning level or their quota limit.

    When the administrator selects the Log event when a user exceeds their quota limit option, an event is written to the Windows system log on the computer running disk quotas whenever users exceed their quota limit. Administrators can view these events with Event Viewer, filtering for disk event types.

    When the administrator selects the Log event when a user exceeds their warning level option, an event is written to the Windows system log on the computer running disk quotas whenever users exceed their quota warning level. Administrators can view these events with Event Viewer, filtering for disk event types. Unless a trigger is set to do so, users are not warned of this event.

    Users who receive indications that they may have exceeded their disk quota should try removing any unnecessary files. Otherwise they should contact the system administrator for assistance.
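    The accounting rules in the Disk Quotas section (charging by ownership, ignoring compression, reporting free space within the quota, and denying or only tracking writes over the limit) can be followed in a small model. This is an added example, not part of the original guide and not Windows code; the class, its method names, the file names and the sizes are hypothetical, and events are logged at the moment a threshold is crossed.

```python
MB = 1024 * 1024


class QuotaVolume:
    """Simplified model of per-user, per-volume quota accounting."""

    def __init__(self, capacity, limit, warning, deny_over_limit):
        self.capacity = capacity              # physical size of the volume
        self.limit = limit                    # quota limit for each user
        self.warning = warning                # quota warning level
        self.deny_over_limit = deny_over_limit
        self.files = {}                       # path -> [owner, size, size on disk]
        self.events = []                      # stand-in for the system log

    def charged(self, user):
        # Users are charged for each uncompressed byte of the files they own.
        return sum(f[1] for f in self.files.values() if f[0] == user)

    def physical_free(self):
        return self.capacity - sum(f[2] for f in self.files.values())

    def reported_free(self, user):
        # Applications see the space left within the quota limit, not the
        # free space of the whole volume.
        return max(0, min(self.limit - self.charged(user), self.physical_free()))

    def _log_crossings(self, user, before):
        after = self.charged(user)
        if before <= self.warning < after:
            self.events.append((user, "warning level exceeded"))
        if before <= self.limit < after:
            self.events.append((user, "quota limit exceeded"))

    def write(self, user, path, size, size_on_disk=None):
        before = self.charged(user)
        if self.deny_over_limit and before + size > self.limit:
            raise OSError("insufficient disk space")
        on_disk = size if size_on_disk is None else size_on_disk
        self.files[path] = [user, size, on_disk]
        self._log_crossings(user, before)

    def take_ownership(self, user, path):
        # Taking ownership moves the charge for the file to the new owner.
        before = self.charged(user)
        self.files[path][0] = user
        self._log_crossings(user, before)


def demo():
    """Constructed scenario: 100 MB limit, 80 MB warning level, deny enabled."""
    vol = QuotaVolume(4096 * MB, 100 * MB, 80 * MB, deny_over_limit=True)
    vol.write("alice", "report.doc", 50 * MB, size_on_disk=20 * MB)  # compressed
    free_seen = vol.reported_free("alice") // MB
    vol.write("bob", "video.avi", 40 * MB)
    vol.take_ownership("alice", "video.avi")
    try:
        vol.write("alice", "big.iso", 20 * MB)
        denied = False
    except OSError:
        denied = True
    return free_seen, vol.charged("alice") // MB, denied, vol.events


if __name__ == "__main__":
    print(demo())
```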

    Data Protection

    Information security strategies protect data on servers and client computers, and also conceal and protect packets traversing insecure networks. The organization's distributed security plan needs to identify which information must be protected in the event computer equipment is lost or stolen. Also, types of network traffic that are sensitive or private and need to be protected from network sniffers must be included in the plan.

    In terms of users on your enterprise network, access control is the primary mechanism to protect sensitive files from unauthorized access. However, the computers themselves might be portable and subject to physical theft. Therefore, access control is not sufficient to protect the data stored on these computers. This is a special problem with laptop computers that can be easily stolen while traveling. Windows XP Professional provides the Encrypting File System (EFS) to address this problem.

    To protect data on their computers, users should secure individual files and folders and take steps to secure the physical computer itself. If the computer contains sensitive information, it should be kept in a safe location.

    Password Protected Screen Locks

    Users can secure their computers by locking them whenever they are away from their desk and setting up a password-protected screen saver. By pressing CTRL+ALT+DEL and clicking Lock Computer, users can prevent unauthorized access to their computers. Once the computer screen is locked, only the user and members of the Administrators group on the computer can unlock it (it is unlocked by pressing CTRL+ALT+DEL, typing the user password, and then clicking OK). Users can also set up a screen saver so that whenever the computer is idle for more than a specified length of time, the screen saver starts and the computer automatically locks.

    Implementing a Password Protected Screen Saver

    Users may set an automatic screen lock on a workstation by configuring a screen saver-based screen lock as follows:

    1. Right-click on the user desktop and select Properties. The Display Properties window will appear.

    2. Click on the Screen Saver tab.

    3. Select a screen saver from the Screen Saver drop-down menu.

    4. Enter the number of minutes of inactivity that the system must wait before initiating the screen saver in the Wait: dialog box. The default setting is ten (10) minutes.

    5. Select the Password Protected box.

    6. Click OK to set the password protected screen saver.

    Warning: Users must ensure there is no unintentional pressure (e.g. a book pressing on a key) on the keyboard to allow the screen lock function to work properly. Any pressure on the keyboard will prevent the screen lock from being invoked.

    Initiating a Screen Lock

    A user may manually initiate a screen lock as follows:

    1. Simultaneously press the Ctrl-Alt-Del buttons. This will invoke the trusted path function and present the Windows Security interface.

    2. Click on the Lock Computer button.

    3. This will lock the user's desktop, as indicated by the Computer Locked interface.

    Unlocking the Computer Screen

    A user can unlock the screen as follows:

    1. Simultaneously press the Ctrl-Alt-Del buttons. This will invoke the trusted path function and present a login interface to unlock the computer.

    2. Enter the account name of the currently logged on user and the associated password.

    3. Click OK to unlock the computer screen.

    In the event emergency access is required to a user desktop that has been locked by either a screen saver-based password lock or through a user-initiated action, an authorized administrator may unlock the computer.

    Setting Access Controls on Files, Folders, and Other System Objects

    Access control is the process of authorizing users and groups to access objects on the network. Key concepts that make up access control are described below.

    Least Privilege Principle: A key component of authorization is the least privilege principle, which states that all users should have the least possible amount of systems access or system authorization that still allows them to perform their job functions. Thus, if a user only needs to be able to view a particular file, that user should have read-only access to the file; the user should not be able to write to that file.

    Ownership of Objects: Windows XP Professional assigns an owner to an object when the object is created. By default, the owner is the creator of the object.

    Permissions Attached to Objects: The primary means for access control is permissions, or access rights. In Windows systems, permissions can be set on files, folders, and other objects within the system. Permissions allow or deny users and groups particular actions on folder, file, or other system objects. Permissions are implemented primarily by way of security descriptors, which also define auditing and ownership.

    Inheritance of Permissions: Windows XP Professional provides a feature for administrators to easily assign and propagate permissions. Known as inheritance, this feature automatically causes objects within a container to inherit the permissions of that container. For example, the files within a folder, when created, inherit the permissions of the folder.

    Object Managers: If a user needs to change the permissions on an individual object, the user can simply start the appropriate tool and change the properties for that object. For example, to change the permissions on a file, users can start Windows Explorer, browse to find the desired object, right-click on the file name, and click Properties. Then, through the Security tab of the Properties interface, the object owner can change permissions as needed.

    Object Auditing: Windows XP Professional allows authorized administrators to audit users' access to objects. Authorized administrators can then view these security-related events in the Security log with the Event Viewer.

    Copying vs. Moving

    When using NTFS permissions to secure access to specific files or folders, it is very important to pay close attention to what happens to those permissions whenever the object is moved or copied to another location on the system.

    When an object is copied into another folder it inherits the access permissions in place at the destination folder.

    When a file or folder object is moved from one folder to another folder the NTFS permissions that have been applied to the object move with it.

    File Permissions

    File permissions include Full Control, Modify, Read & Execute, Read, and Write. Each of these permissions consists of a logical group of special permissions. The following table lists NTFS file permissions and specifies which special permissions are associated with that permission.

    NTFS File Permissions

    Columns: Special Permissions | Full Control | Modify | Read & Execute | Read | Write

    Rows (special permissions):
    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Create Files/Write Data
    Create Folders/Append Data
    Write Attributes
    Write Extended Attributes
    Delete
    Read Permissions
    Change Permissions
    Take Ownership

    Warning: Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file.

    Folder Permissions

    Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions consists of a logical group of special permissions. The following table lists NTFS folder permissions and specifies which special permissions are associated with that permission.

    Folder Permissions

    Columns: Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write

    Rows (special permissions):
    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Create Files/Write Data
    Create Folders/Append Data
    Write Attributes
    Write Extended Attributes
    Delete Subfolders and Files
    Delete
    Read Permissions
    Change Permissions
    Take Ownership

    Although List Folder Contents and Read & Execute appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it should only appear when viewing folder permissions. Read & Execute is inherited by both files and folders and is always present when viewing file or folder permissions.

    Selecting Where to Apply Permissions

    The Permission Entry dialog box appears when setting permissions on files and folders through the Advanced Security Settings interface. In this dialog box, Apply onto lists the locations where permissions can be applied. How these permissions are applied depends on whether the Apply these permissions to objects and/or containers within this container only check box is selected. By default, this check box is clear.

    When the Apply these permissions... check box is clear, permissions are applied as shown below:

    Columns: Apply onto | Applies permissions to current folder | Applies permissions to subfolders in current folder | Applies permissions to files in current folder | Applies permissions to all subsequent subfolders | Applies permissions to files in all subsequent subfolders

    Rows (Apply onto):
    This folder only
    The folder, subfolders and files
    This folder and subfolders
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only

    When the Apply these permissions... check box is selected, permissions are applied as shown below:

    Columns: Apply onto | Applies permissions to current folder | Applies permissions to subfolders in current folder | Applies permissions to files in current folder | Applies permissions to all subsequent subfolders | Applies permissions to files in all subsequent subfolders

    Rows (Apply onto):
    This folder only
    The folder, subfolders and files
    This folder and subfolders
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only

    Setting or Modifying Permissions

    To set, view, change, or remove special permissions for files and folders:

    1. Open Windows Explorer; click Start, point to All Programs, point to Accessories, and then select Windows Explorer.

    2. Navigate Windows Explorer and locate the file or folder for which special permissions are to be set.

    3. Right-click the file or folder, click Properties, and then click the Security tab.

    4. Click Advanced.

    Perform any of the following:

    To set special permissions for a new group or user, click Add to open the Select User, Computer, or Group interface. Enter the name of the user or group using the format domainname\name or click the Advanced button, then the Find Now button to select an account name from a list. To access account names from a domain, click the Locations button. There should now be a list that shows the current machine, the local domain, trusted domains, and other resources that can be accessed. Select the local domain to view all the account names in the domain.

    Select an account and click OK on the Select User, Computer, or Group interface. If the Advanced feature was used, click OK again in the next Select User, Computer, or Group interface. The Permission Entry dialog box for the selected account will appear.

    Set permissions by checking the desired permission check boxes under the Allow column. To explicitly deny an access permission to the account, check the appropriate check box under the Deny column.

    Note: Permissions that are explicitly denied will take precedence over all others. Therefore, if the account is a member of a group that is allowed the permission as well as another group that is denied the permission on the same object, the effective setting will be to Deny the permission.

    To view or change special permissions for an existing group or user, select the name of the account and then click Edit. If the permission settings are not selectable (grayed out), it is because the permissions are inherited from a parent folder. See How inheritance affects file and folder permissions for details.

    To remove a group or user and its special permissions, select the name of the account and then click Remove. If the Remove button is unavailable, it is because the permissions are inherited from a parent folder. See How inheritance affects file and folder permissions for details on how to make changes to inherited permissions.

    In the Permission Entry for dialog box, select where the permissions are to be applied, if necessary, by using the Apply onto drop-down menu. Apply onto is available only for folders.

    To prevent subfolders and files within the tree from inheriting these permissions, click to select the Apply these permissions to objects and/or containers within this container only check box.

    Note: To change permissions, a user must be the owner or have been granted permission to do so by the owner.

    Warning: Groups or users granted Full Control for a folder can delete files and subfolders within that folder regardless of the permissions protecting the files and subfolders.

    How Inheritance affects File and Folder Permissions

    After setting permissions on a parent folder, new files and subfolders created in the folder inherit these permissions. If propagation of inherited permissions is not desired, select This folder only in Apply onto when special permissions are set for the parent folder.

    To prevent only certain files or subfolders from inheriting permissions from a parent folder:

    1. Right-click the file or subfolder, click Properties, click the Security tab. If the permission check boxes for an account appear shaded, the file or folder has inherited permissions from the parent folder.

    2. There are three ways to make changes to inherited permissions:

    Make the changes to the parent folder, and then the file or folder will inherit these permissions.

    Select the opposite permission (Deny) to override the inherited permission.

    Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box. This will allow changes to the permissions or removal of the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder.

    3. To clear the inheritance of permissions from a parent folder, click the Advanced tab on the account Properties interface and uncheck the Inherit from parent the permission entries that apply to child objects check box.

    4. A Security window, shown below, will appear asking whether to copy inherited permissions or remove them. If the Copy button is clicked, inheritance is removed and the permissions previously inherited are copied to the object. The copied permissions can then be modified. If the Remove button is clicked, all inherited permissions are removed and new permissions must be added. Click on the Remove button.

    5. All permissions previously inherited are removed from the file or subfolder.

    6. Click the Add button to add and modify permissions as described above in Setting or Modifying Permissions.

    Shared Folder Permissions

    Shared folders are used to provide network users with access to files and application resources on the network. When a folder is shared, users can connect to the folder over the network and gain access to the files that it contains. However, to gain access to the files, users must have permissions to access the shared folder.

    A shared folder can contain applications, data, or a user's personal data, called a home folder. Each type of data requires different shared folder permissions. The following are characteristics of shared folder permissions:

    Shared folder permissions apply to folders, not individual files. Since shared folder permissions can be applied only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.

    Shared folder permissions do not restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.

    Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions are not available on FAT volumes.

    On an NTFS volume, share permissions control access to the location of resource objects and NTFS permissions provide additional access restrictions to the objects within the share.

    A shared folder appears in Windows Explorer as an icon of a hand holding the shared folder as shown below.

    To control how users gain access to a shared folder, assign shared folder permissions. The following table shows shared folder permissions and the actions on shared folders allowed to users by the share permission.

    Shared Folder Permission

    Columns: Actions Allowed by Share Permissions | Full Control | Change | Read

    Rows (actions):
    Viewing file names and subfolder names
    Traversing to subfolders
    Viewing data in files and running programs
    Adding files and subfolders to the shared folder
    Changing data in files
    Deleting subfolders and files
    Changing permissions (NTFS only)
    Taking ownership (NTFS only)

    Shared folder permissions can be set to allow or deny. Generally, it is best to allow permissions and to assign those permissions to a group rather than to individual users. Deny permissions should only be used when it is necessary to override permissions that are otherwise applied. In most cases, deny permissions should only be applied when it is necessary to deny permission to a specific user who belongs to a group to which the permission has been given. If a shared folder is set with deny permission to a user, the user will not have that permission. For example, to deny all access to a shared folder, deny the Full Control permission.

    Default Share Permissions

    Prior to the introduction of Service Pack (SP) one (1) for Windows XP, all newly created share folders were automatically assigned the Full Control permissions for the group Everyone by default. This permission setting allowed Full Control share access to anyone that could reach the share on the network. To provide stronger security of shared resources and ensure that administrators take the time to implement proper share permissions, the addition of SP1 or higher changes the default share permissions to grant only the Read permission to the Everyone group.

    The default permissions must be modified to Full Control or to add the Change permission if users will be required to add, delete, or modify objects in the share. Additionally, it is best to remove share permissions for the group Everyone and set permissions for explicit user or group accounts instead.

    How Shared Folder Permissions are Applied

    Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that are allowed. The following list describes the effects of applying permissions.

    Multiple Permissions Combine: A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When permission is assigned to a user for a shared folder, and that user is a member of a group that is assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.

    Denying Permissions Overrides other Permissions: Denied permissions take precedence over any permissions that are otherwise allowed for user accounts and groups. If a user is denied permission to a shared folder, the user will not have that permission, even if allowed the permission for a group of which the user is a member.

    NTFS Permissions are Required on NTFS Volumes: Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.

    Copied or Moved Shared Folders are No Longer Shared: When a shared folder is copied, the original shared folder is still shared, but the copy is not shared. When a shared folder is moved, it is no longer shared.
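
The rules in the list above (permissions combine, deny overrides, NTFS permissions are additionally required on NTFS volumes, share permissions apply only over the network) can be checked with a small Python model. This is an added example, not part of the original guide: the account and group names, the ACL tuples and the three-bit rights mask are assumptions made for illustration, and NTFS permissions are coarsened to the same three levels as share permissions.

```python
# Added example: simplified model of the share-permission rules listed above.
# Rights mask (assumed three-bit abstraction, not the real Windows access mask):
READ = 1   # view names, traverse subfolders, view data, run programs
WRITE = 2  # add files and subfolders, change data, delete
ADMIN = 4  # change permissions, take ownership (NTFS only)

LEVELS = {
    "Read": READ,
    "Change": READ | WRITE,                # Change includes Read
    "Full Control": READ | WRITE | ADMIN,
}


def evaluate(acl, principals):
    """Union of matching allow entries minus the union of matching deny entries."""
    allowed = denied = 0
    for trustee, kind, level in acl:
        if trustee not in principals:
            continue
        if kind == "deny":
            denied |= LEVELS[level]
        elif kind == "allow":
            allowed |= LEVELS[level]
        else:
            raise ValueError(f"unknown entry type: {kind!r}")
    return allowed & ~denied  # deny takes precedence over any allow


def effective_access(user, groups, share_acl, ntfs_acl, filesystem, via_network=True):
    """Rights a user ends up with on a shared folder, per the rules above."""
    if filesystem not in ("NTFS", "FAT"):
        raise ValueError(f"unsupported file system: {filesystem!r}")
    principals = {user, *groups}
    if filesystem == "FAT":
        # No NTFS permissions exist on FAT: the share ACL is the only control,
        # and it applies only to network connections.
        fat_max = READ | WRITE
        return evaluate(share_acl, principals) & fat_max if via_network else fat_max
    ntfs = evaluate(ntfs_acl, principals)
    if not via_network:
        return ntfs  # share permissions do not restrict local access
    return evaluate(share_acl, principals) & ntfs  # both must grant the right


def describe(mask):
    """Name the highest level fully contained in the mask."""
    for name in ("Full Control", "Change", "Read"):
        if mask & LEVELS[name] == LEVELS[name]:
            return name
    return "No access" if mask == 0 else "Partial"


# Constructed sample data: hypothetical accounts, groups and ACL entries.
SHARE_ACL = [
    ("alice", "allow", "Read"),
    ("Staff", "allow", "Change"),
    ("Contractors", "deny", "Full Control"),
]
NTFS_ACL = [
    ("Staff", "allow", "Read"),
    ("Contractors", "allow", "Read"),
]

if __name__ == "__main__":
    cases = [
        ("alice", ["Staff"], "FAT", True),
        ("alice", ["Staff"], "NTFS", True),
        ("bob", ["Staff", "Contractors"], "FAT", True),
        ("bob", ["Contractors"], "NTFS", False),
    ]
    for user, groups, fs, net in cases:
        mask = effective_access(user, groups, SHARE_ACL, NTFS_ACL, fs, net)
        where = "network" if net else "local"
        print(f"{user:6} {fs:4} {where:7} -> {describe(mask)}")
```

The last case shows why share permissions alone do not protect data from a user logged on at the computer itself: the share-level deny has no effect on local access, so only the NTFS entries decide the result.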
