Saturday, November 17, 2007
Introducing Windows XP Security
The Windows XP approach to security is discretionary. That is, each securable system resource (each file or printer, for example) has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file's owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn't create.)
To determine which users have access to a resource, Windows assigns a security ID (SID) to each user account. Your SID (a long identifier that is unique to your account) follows you around wherever you go in Windows. When you log on, the operating system first validates your user name and password. Then it creates a security access token (usually just called the access token). You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus the SIDs of any security groups to which your account belongs. (Security groups are described later in this chapter.) Any program you start inherits a copy of your access token, which is why a program runs with exactly the privileges of the user who started it, no more and no less.
Whenever you attempt to walk through a controlled "door" in Windows (for example, when you connect to a shared printer), or any time a program attempts to do that on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you see an unavailable menu or dialog box control or, in some cases, you get to hear a beep and read a refusal message.
In determining whom to pass and whom to block, Windows consults the resource's access control list (ACL). This is an ordered list of access control entries (ACEs), each of which pairs a SID with a set of access rights that are either allowed or denied to that SID. (Strictly speaking, the list that governs access is the discretionary ACL, or DACL; a resource can also carry a system ACL, or SACL, which controls what is audited rather than who gets in.) Only entries whose SID appears in your access token are considered, so your effective access is decided by your own SID together with the SIDs of your groups.
Every resource subject to access control has an ACL.
Permissions and Rights
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner (for example, to write to an NTFS file or to modify a printer queue). A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.
The owner of a resource (or an administrator) assigns permissions to the resource via its properties dialog box. For example, if you are the printer owner or have administrative privileges, you can restrict someone from using a particular printer by visiting the properties dialog box for that printer. Administrators set rights via the Local Security Policy console in the Administrative Tools folder. If you have an administrative account, you can use Local Security Policy to grant someone the right to load a device driver.
In Depth: Security Identifiers
Windows XP security relies on the use of a security identifier (SID) to identify a user. When you create a user account, Windows assigns a unique SID to that account. The SID remains uniquely associated with that user account until the account is deleted, whereupon the SID is never used again-for that user or any other user. Even if you re-create an account with identical information, a new SID is created.
A SID is a variable-length value that contains a revision level, a 48-bit Identifier Authority value, and a number of 32-bit subauthority values. The SID takes the form S-1-x-y1-y2-... S-1 identifies it as a revision 1 SID; x is the value for the Identifier Authority; and y1, y2, and so on are values for subauthorities. For accounts on a Windows XP computer, x is 5 (the NT Authority), the first subauthority is 21, the next three together identify the computer (or the domain), and the final subauthority is the relative identifier (RID) of the account within it; the built-in Administrator and Guest accounts always have the RIDs 500 and 501, while accounts you create are numbered from 1000 upward.
You'll sometimes see the SID in a security dialog box (for example, on the Security tab of a file's properties dialog box while Simple File Sharing is not enabled) before Windows has had time to look up the user account name. If a SID on a Security tab never changes to a name, it's usually because it's a SID for an account that has been deleted; you can safely delete it from the permissions list because it'll never be used again. (The exception is a SID from a domain or another computer that simply can't be reached at the moment; such a SID will resolve again once the connection is restored, so don't remove it unless you are sure the account is gone.) You'll also see SIDs in the hidden \Recycler folder (each SID you see in this folder represents the Recycle Bin for a particular user), in the registry (the HKEY_USERS hive contains a key, identified by SID, for each user account on the computer), and deep in the %UserProfile%\Application Data\Microsoft folder structure, among other places.
Not all SIDs are unique. A number of commonly used SIDs are constant among all Windows XP installations. For example, S-1-5-18 is the SID for the built-in System account, which is used by the operating system and by services that log on using the System account; its access token carries the Administrators group SID, so it is effectively a hidden member of that group. Others you will meet are S-1-1-0 (Everyone), S-1-5-32-544 (the Administrators group), and S-1-5-32-545 (the Users group). Microsoft Windows XP Professional Resource Kit Documentation (Microsoft Press, 2001) contains a complete list of such SIDs, called well-known SIDs.
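As an added example (not part of the original chapter), the following Python converts a SID between its binary form and the S-1-x-y string form described above, and names a handful of well-known SIDs and RIDs. The binary layout (revision byte, subauthority count byte, 48-bit big-endian identifier authority, little-endian 32-bit subauthorities) and the listed well-known values are the documented Windows ones; the machine SID S-1-5-21-1234567890-987654321-1122334455 used in the demonstration is constructed.

```python
"""Parse and format Windows security identifiers (SIDs).

Added example, not from the original chapter. The binary layout and the
well-known SIDs and RIDs below are the documented Windows values; the
sample machine SID in __main__ is constructed for the demonstration.
"""
import struct

# Well-known SIDs that are identical on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# RIDs of the built-in accounts under any machine or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def sid_to_string(blob: bytes) -> str:
    """Binary SID -> 'S-1-<authority>-<sub1>-...' with length checks."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match subauthority count")
    authority = int.from_bytes(blob[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", blob, 8)   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    """'S-1-<authority>-<sub1>-...' -> binary SID, rejecting malformed input."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2**48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many subauthorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe(sid: str) -> str:
    """Name a SID: a well-known constant, a built-in RID under a machine SID, or unknown."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    # S-1-5-21-a-b-c-RID: three subauthorities identify the machine, the last is the RID.
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        return WELL_KNOWN_RIDS.get(rid, f"local account with RID {rid}")
    return "unknown (possibly a deleted account)"


if __name__ == "__main__":
    machine = "S-1-5-21-1234567890-987654321-1122334455"  # constructed machine SID
    for s in ("S-1-5-18", "S-1-5-32-544", f"{machine}-500", f"{machine}-1003"):
        blob = string_to_sid(s)
        print(f"{s:48} {blob.hex():40} {describe(sid_to_string(blob))}")
```

The round trip through string_to_sid and sid_to_string is what the Security tab is doing for you when it shows a raw S-1-5-21-... entry; describe shows why a RID of 500 names the Administrator account no matter what the account has been renamed to.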
User Accounts
The backbone of Windows XP security is the ability to uniquely identify each user. During setup, or at any time later, a computer administrator creates a user account for each user. The user account is identified by a user name and (optionally) a password, which the user provides when logging on to the system. Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.
In addition to such "normal" user accounts, Windows provides two special accounts that have predefined sets of permissions and rights associated with them: the Administrator account and the Guest account.
Administrator account.
Every computer running Windows XP has a special account named Administrator. This account has full rights over the entire computer. It can create other user accounts and is generally responsible for managing the computer. Many system features and rights are off limits to accounts other than Administrator (or another account that belongs to the Administrators group).
Guest account.
The Guest account resides at the other end of the privilege spectrum. It is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. (By default, the Guest account is disabled on a clean install of Windows XP; no one can use an account that's disabled.) The Guest account is also used for access to shared network resources on your computer when Simple File Sharing is enabled.
Account Types
Account type is a simplified way, new in Windows XP, of describing membership in a security group, a collection of user accounts. Groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can be made a member of one group, more than one group, or no group at all. (Even an account with no explicit memberships still carries implicit group SIDs in its access token, such as Everyone and Authenticated Users, which is why permissions granted to Everyone apply to it.)
Groups are a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. Although you can grant privileges to each user account individually, doing so is tedious and prone to errors, and usually considered poor practice. You're better off assigning permissions and rights to groups, and then adding user accounts to the group with the appropriate privileges.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all the privileges accorded to all groups of which the user account is a member. The one thing that does not accumulate in the user's favor is an explicit Deny permission: Windows evaluates Deny entries before Allow entries, so a Deny placed on any one of the user's groups blocks that access even though another group allows it.
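To make the access check described earlier concrete, here is an added Python model (not code from the chapter) of an access token carrying a user SID plus group SIDs being checked against an ACL. It follows the Windows evaluation order, which the text only summarizes: entries are walked in ACL order, only entries naming a SID present in the token count, a Deny entry that overlaps a still-ungranted right fails the check at once, and Allow entries accumulate until every requested right is granted. The right bits, the account and group SIDs and the ACL on the Payables folder are constructed for the demonstration; only S-1-1-0 (Everyone) is a real well-known SID.

```python
"""Model of the Windows access check: a token's SIDs against an object's ACL.

Added example, not from the original chapter. The right bits, the account
and group SIDs and the sample Payables ACL are constructed; the evaluation
order (ordered walk, only SIDs in the token count, Deny on a still-ungranted
right fails, Allow accumulates) is the documented Windows behaviour.
"""
from dataclasses import dataclass

READ, WRITE, DELETE = 1, 2, 4  # constructed right bits, not the real NTFS access mask

EVERYONE = "S-1-1-0"  # real well-known SID, implicitly in every logged-on user's token
# Constructed machine SID with RIDs appended: 1001-1003 are users, 1101-1102 are groups.
_MACHINE = "S-1-5-21-1234567890-987654321-1122334455"
ALICE, BOB, CAROL = (f"{_MACHINE}-{rid}" for rid in (1001, 1002, 1003))
ACCOUNTING, INTERNS = (f"{_MACHINE}-{rid}" for rid in (1101, 1102))


@dataclass(frozen=True)
class Ace:
    """One access control entry: a SID and the rights allowed or denied to it."""
    sid: str
    mask: int
    allow: bool = True


@dataclass(frozen=True)
class Token:
    """The part of an access token the check needs: the user SID and the group SIDs."""
    user_sid: str
    group_sids: frozenset

    def sids(self) -> set:
        return {self.user_sid, *self.group_sids}


def access_check(token: Token, acl: list, requested: int) -> bool:
    """Return True if the token is granted every right in `requested`.

    Entries are examined in ACL order and only those whose SID appears in the
    token count. A Deny entry that overlaps a right not yet granted fails the
    check immediately; Allow entries accumulate. This is why a user in several
    groups gets the union of their permissions, and why an explicit Deny on any
    one of those groups still wins.
    """
    remaining = requested
    held = token.sids()
    for ace in acl:
        if ace.sid not in held:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed ACL on the Payables folder. A canonical Windows ACL places explicit
# Deny entries before Allow entries, so the Deny comes first here as well.
PAYABLES_ACL = [
    Ace(INTERNS, WRITE, allow=False),
    Ace(ACCOUNTING, READ | WRITE),
    Ace(EVERYONE, READ),
]

# Group membership is what logon puts into the token; Everyone is always there.
TOKENS = {
    "alice": Token(ALICE, frozenset({ACCOUNTING, EVERYONE})),
    "bob": Token(BOB, frozenset({ACCOUNTING, INTERNS, EVERYONE})),
    "carol": Token(CAROL, frozenset({EVERYONE})),
}


def payables_report() -> dict:
    """Which of read, write and delete each constructed user gets on Payables."""
    names = {READ: "read", WRITE: "write", DELETE: "delete"}
    return {
        user: [name for right, name in names.items() if access_check(tok, PAYABLES_ACL, right)]
        for user, tok in TOKENS.items()
    }


if __name__ == "__main__":
    for user, rights in payables_report().items():
        print(f"{user}: {', '.join(rights) or 'no access'}")
```

Alice gets read and write through Accounting; Bob is also in Accounting but the Deny on Interns removes write while leaving read; Carol, with no explicit group at all, still reads through Everyone. Real Windows additionally grants an object's owner the rights to read and change its permissions regardless of the ACL, which this model leaves out.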
Windows XP classifies each user account as one of four account types:
Computer administrator. Members of the Administrators group are classified as computer administrator accounts. The Administrators group, which by default includes the Administrator account and all accounts you create during Windows XP setup, has more control over the system than any other group. Computer administrators can
Create, change, and delete user accounts and groups
Install programs
Share folders
Set permissions
Access all files
Take ownership of files
Grant rights to other user accounts and to themselves
Install or remove hardware devices
Log on in Safe Mode
Limited. Members of the Users group are classified as limited accounts. By default, limited accounts can
Change the password, picture, and associated .NET Passport for their own user account
Use programs that have been installed on the computer
View permissions (if Simple File Sharing is disabled)
Create, change, and delete files in their document folders
View files in shared document folders
Guest.
Members of the Guests group are shown as guest accounts. Guest accounts have privileges similar to limited accounts. A user logged on with the Guest account (but not any other account that is a member of the Guests group) cannot create a password for the account.
Unknown.
The account type for a user account that is not a member of the Administrators, Users, or Guests group is shown as Unknown. Because accounts you create with User Accounts in Control Panel are automatically assigned to the Administrators group or the Users group, you'll see the Unknown account type only if you upgraded your computer from an earlier version of Windows (for example, new users in Windows 2000 are assigned by default to the Power Users group) or if you use the Local Users And Groups console or the Net Localgroup command to manage group membership.
Backup Operators.
Members of the Backup Operators group have the right to back up and restore folders and files, even ones that they don't otherwise have permission to access. Backup operators also have access to the Backup Utility program.
HelpServicesGroup.
This group is used by Microsoft and computer manufacturers for Remote Assistance, enabling technical support personnel to connect to your computer.
Network Configuration Operators.
Members of this group have administrative privileges in areas that relate to setting up and configuring networking components.
Power Users.
The Power Users group is intended for those who need many, but not all, of the privileges of the Administrators group. Power Users can't take ownership of files, back up or restore files, load or unload device drivers, or manage the security and auditing logs. Unlike ordinary users, however, Power Users can share folders; create, manage, delete, and share local printers; create local users and groups; and install most programs. Because a Power User can install software and write to many system locations, treat the group as an administrative convenience rather than as a security boundary between that user and the Administrators.
Remote Desktop Users.
Users in this group can connect to the computer via the Remote Desktop feature, if it is enabled.
Replicator.
Members of the Replicator group can manage the replication of files on the domain, workstation, or server. (File replication, a feature of Windows .NET Server (released as Windows Server 2003) and its predecessors, Windows 2000 Server and Windows NT Server, is beyond the scope of this book.)