540 Chapter 11 • Understanding Windows XP Security
Figure 11.5); click Copy to copy the permissions that were inherited from the parent object, or click Remove to discard the inherited permissions and keep only the explicitly set permissions.
7. The second option is Replace permission entries on all child objects with entries shown here that apply to child objects. This option removes the permissions set on the subfolders and their contents and causes them to inherit the permissions you are setting. Select this option and click OK. As shown in Figure 11.6, a Security dialog box asks whether you wish to continue. Click Yes.
Auditing is an additional benefit of NTFS. Auditing is added per user or per group as an access control entry (in the object's system ACL) for NTFS files or folders. You may enable auditing of both successes and failures for each of the advanced NTFS permissions. Each time a user accesses a file using a type of permission that you are auditing, an entry is logged in the security log, which is accessible through Event Viewer. Nothing is logged, however, until object access auditing is turned on in the audit policy (see the sidebar "Enabling Auditing for File and Printer Access"). As with any type of auditing, less is often more. If you audit successful Read access, for example, your security log may grow very large, very quickly, and the log's maximum size and retention settings then decide which events are lost; you may be better off auditing only failed Read access. Additional overhead is associated with auditing, as each type of access that you are auditing must be individually logged. When considering implementing auditing, you may decide to audit only file deletion and changes to permissions, or possibly Write if you are concerned with monitoring who last modified a file. To add a user or group whose access to a file or folder you want to audit, go to the Auditing tab within the Advanced Security Settings, as shown in Figure 11.7.
www.syngress.com
Figure 11.5 Removing Inheritance
Figure 11.6 Resetting Permissions on Child Objects Inheritance
189_XP_11.qxd 11/12/01 10:40 AM Page 540
Click Add, type in the group name or username, and click OK. As you see in Figure 11.8, you may then select the types of access and whether to audit successes, failures, or both. Click OK when you're finished.
Each file or folder has an owner. Generally the owner of a file or folder is the user who created it; however, the Administrators group owns the files and folders created by the operating system. The owner of a file or folder may change its permissions even if no ACE grants the owner any access. Files may become orphaned when their owner's account is deleted, leaving no user with rights to access the files or folders. However, the Administrators group always has the ability to take ownership of a file or folder and then change the permissions. Additionally, users or groups may be granted the Take Ownership permission via NTFS permissions. Note that in Windows XP ownership is taken, not given: the Owner tab offers only your own account and the Administrators group as the new owner.
Figure 11.7 Auditing File System Access
Figure 11.8 Selecting the Types of Access to Audit
To take ownership of a file or folder, go to the Owner tab within the Advanced Security Settings, as shown in Figure 11.9. Select the user account or group under the Change Owner To section and click OK.
Windows XP includes a new tab within Advanced Security Settings called Effective Permissions (see Figure 11.10). By selecting this tab and choosing a group or user, you may see what permissions will be granted to that user or group based on all of the permissions that apply to it, including permissions inherited from parent folders and those obtained through group membership. This is a great tool for verifying that the access you think you are granting a user or group is really the effective access they will have. Keep in mind that the tab evaluates NTFS permissions only: share permissions are not taken into account, so the access a user gets over the network may be narrower than what the tab reports.
Generally, you should assign file and folder permissions to groups rather than to users. Although you may assign permissions for individual user accounts if you so desire, this is an inefficient manner of assigning permissions and an administrative burden. Assigning permissions to groups is much more efficient and requires less administrative effort. For each user or group to which you assign file and folder permissions, an access control entry (ACE) is created, so it is more efficient to have 2 ACEs for 2 groups rather than 15 ACEs for 15 individual users, and far easier to review later. You should assign permissions on a per-user basis as the exception rather than the norm.
Figure 11.10 Effective Permissions

Configuring & Implementing…
Enabling Auditing for File and Printer Access
Before you can audit file and printer access, you must first configure Windows XP to perform this kind of auditing. Specifically, you must configure the "Audit object access" setting, under Local Policies | Audit Policy in the Local Security Settings tool, to audit successes, failures, or both. Without this policy setting, the auditing entries you place on files and folders are silently ignored. You can find more information on audit policies later in this chapter.
Figure 11.9 Changing Ownership of a File or Folder
Configuring & Implementing…
Effect on Permissions of Moving or Copying Files
Whether you move or copy a file affects the permissions of the resulting file. If you move a file to a different folder on the same partition as the source folder, the file retains the permissions it had in the source folder. This is true regardless of whether the file's original permissions were explicit or inherited. As an example, assume that a group called "Editors" has inherited Read permission to a file. If you were to move this file to a folder on the same partition that had explicit Write permissions for the Editors group, you would find that the inherited permissions on the file in the target folder remain the same as they were in the source folder: Editors would have Read permission. If you were, however, to copy this file to the target folder, the file in the new folder would inherit the permissions of the parent folder. Furthermore, if you were to move the file to a different folder on a different partition, the file would inherit the permissions from the new parent folder.
The reason for this behavior is twofold. First, Windows 2000 and Windows XP do not calculate effective ACEs when you access a file. Rather, for reasons of efficiency and speed, inherited ACEs are actually copied to the file when you create the file. In other words, the inherited permissions are actual properties that belong to the file. Second, when you move a file from one folder to another on the same partition, you are only changing a pointer in the Master File Table (MFT). You are not changing anything in the file itself. You are not creating and then deleting the file. However, this is what happens if you move the file to a folder on a different partition. In this case, you are dealing with a separate MFT, so a new file is created (and inherits from its new parent) and the original is deleted.
When you are moving a file to a folder on the same partition, you will need to consider whether you want the file to retain its original permissions or inherit the permissions of the parent folder. If you want the file to retain its original permissions, you should make those permissions explicit. The reason is that the moved file's ACEs are still flagged as inherited, so if you were to change the permissions on the new parent folder, the file would at that point inherit the new permissions. If you want the file to inherit the permissions of the target folder, you should copy the file to the target folder and then delete it from the source folder. Either way, check the result with the Effective Permissions tab rather than assuming it.

You should set permissions to be inheritable to child objects whenever possible. Granting Full Control rarely saves ACEs: all the permissions you allow one user or group, with the same inheritance settings, are combined into the access mask of a single ACE, so grant Full Control only where the trustee genuinely needs to change permissions and take ownership. You should use Deny only in special cases. You may need Deny permissions in order to exclude part of a group that has Allow permissions. You may also use Deny to exclude a specific permission from a user or group that has Full Control.
The Access Control List (ACL) contains the individual ACEs. The ACL is evaluated from the top down, and Deny entries are evaluated first because the security editor orders ACEs canonically: explicit Deny, then explicit Allow, then the inherited entries in the same order. All Allow ACEs that apply are added together. The net effect is that a Deny permission overrides an Allow permission at the same level, and if a user has multiple Allow permissions (either expressly applied to her user account or from multiple group memberships), these are added together to give all of the permissions granted. One consequence of the canonical order is that an explicit Allow on a file is reached before a Deny inherited from its folder, so an inherited Deny is not an absolute barrier.
You can also use the command line utility cacls to set NTFS permissions. This utility is often helpful because you can incorporate it into a batch file to easily modify ACLs for files or folders. You may want to create a batch file to easily reapply a set of permissions or to add permissions for the user account that is passed to the batch file as a command-line argument. For example, the command cacls *.* /e /g Administrator:f /t would edit the existing ACL and add Full Control permission for the Administrator account to all files, subfolders, and folders. Note the /e switch: without it, cacls replaces the entire ACL with only the entries you specify, which is an easy way to lock everyone else out. Typing cacls at a command prompt will display the syntax for the command as shown here:
C:\>cacls
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
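The top-down ACL evaluation described above, and the cacls display format, as an added example that is not code from the book: a small Python model that parses cacls-style output into an ordered ACE list, runs the Deny-first, accumulate-Allow access check, reports effective permissions one right at a time (what the Effective Permissions tab does), and shows which ACEs a newly created file copies from its parent folder, including the substitution of Creator Owner by the creating user. The cacls output, the C:\Projects path, the CORP\ groups and the users alice and bob are constructed for the example; the five-bit access mask is a simplification of the real NTFS mask, and the model ignores the implicit rights an owner always has.

```python
import re
from collections import namedtuple

# Simplified access mask (assumption of the model): cacls' one-letter
# abbreviations are mapped onto these bits; real NTFS masks are finer-grained.
READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10
CHANGE = READ | WRITE | EXECUTE | DELETE        # cacls "C"
FULL = CHANGE | WRITE_DAC                       # cacls "F": Change plus changing permissions
ALL_BITS = (READ, WRITE, EXECUTE, DELETE, WRITE_DAC)
LETTER_TO_MASK = {"R": READ, "W": WRITE, "C": CHANGE, "F": FULL}

Ace = namedtuple("Ace", "trustee kind mask flags")   # kind is "allow" or "deny"

# One cacls display line once the leading path is stripped, for example
#   CORP\Editors:(OI)(CI)R     or     CORP\Temps:(DENY)(OI)(CI)W
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[RWCF])$")


def parse_cacls(output):
    """Turn the output of `cacls <path>` into an ordered ACE list.  Assumes the
    path has no spaces and only the plain R/W/C/F forms appear (no
    '(special access:)' blocks)."""
    aces = []
    for i, line in enumerate(output.strip("\n").splitlines()):
        if i == 0:                                   # first line is "<path> <ace>"
            line = line.split(None, 1)[1]
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised cacls line: %r" % line)
        flags = set(re.findall(r"\(([A-Z]+)\)", m["flags"]))
        kind = "deny" if "DENY" in flags else "allow"
        flags.discard("DENY")
        aces.append(Ace(m["trustee"], kind, LETTER_TO_MASK[m["perm"]], frozenset(flags)))
    return aces


def access_check(aces, token, requested):
    """Walk the DACL top-down as the text describes: a matching Deny that covers
    any still-ungranted requested bit ends the check; matching Allow ACEs
    accumulate until every requested bit has been granted."""
    granted = 0
    for ace in aces:
        if "IO" in ace.flags or ace.trustee not in token:
            continue                                 # inherit-only ACEs do not apply here
        if ace.kind == "deny":
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def effective_permissions(aces, token):
    """What the Effective Permissions tab reports: each right checked on its own."""
    return sum(bit for bit in ALL_BITS if access_check(aces, token, bit))


def inherited_for_new_file(parent_aces, owner):
    """ACEs a file created in the folder receives.  As the sidebar notes, inherited
    ACEs are copied onto the file at creation: only (OI) ACEs flow to files, the
    (IO) flag is cleared, and CREATOR OWNER is replaced by the creating user."""
    return [Ace(owner if a.trustee == "CREATOR OWNER" else a.trustee, a.kind, a.mask, frozenset())
            for a in parent_aces if "OI" in a.flags]


# Constructed cacls output for a hypothetical C:\Projects folder (not captured
# from a real system).  The explicit Deny is listed first, i.e. canonical order.
SAMPLE_CACLS = r"""
C:\Projects CORP\Contractors:(DENY)(OI)(CI)W
            BUILTIN\Administrators:(OI)(CI)F
            NT AUTHORITY\SYSTEM:(OI)(CI)F
            CREATOR OWNER:(OI)(CI)(IO)F
            CORP\Editors:(OI)(CI)R
            CORP\Writers:(OI)(CI)C
"""
FOLDER_ACL = parse_cacls(SAMPLE_CACLS)

# Hypothetical access tokens: the user's own account plus group memberships.
ALICE = {r"CORP\alice", r"CORP\Editors", r"CORP\Contractors"}
BOB = {r"CORP\bob", r"CORP\Editors", r"CORP\Writers"}

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB)):
        print(name, "on folder: effective mask %#04x" % effective_permissions(FOLDER_ACL, token))
    file_acl = inherited_for_new_file(FOLDER_ACL, r"CORP\bob")
    print("bob on a file he created: %#04x" % effective_permissions(file_acl, BOB))
```

alice is in Editors (Read) and in Contractors, which carries a Deny on Write, so she ends up with Read only; bob accumulates Read from Editors and Change from Writers but never Full Control, while a file he creates gives him Full Control through the Creator Owner entry copied from the folder.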
Encrypting File System
The Encrypting File System (EFS) of Windows XP allows you to store data securely within files and folders by encrypting the data in NTFS files and folders. The encrypted files are accessible only by the user who encrypted them (and, new in Windows XP, any additional users that user adds to the file) and may be recovered only by a designated recovery agent. Because EFS is integral to the file system, it is transparent to your users when accessing files and difficult to bypass. Your mobile computers are excellent candidates for EFS because laptops are often a target for theft, and your private data will remain secure and inaccessible to the thief, provided the thief cannot also recover the user's password: the EFS private key is protected with keys derived from the user's logon password, so a weak or blank password undoes the encryption.
Files and folders can be encrypted or decrypted only on NTFS volumes. EFS stores data securely on the local computer's volumes, but when copying a file over the network from an encrypted network folder to a local encrypted folder, it is decrypted on the server, transferred in the clear, and then encrypted again locally. This means that the contents of the file are transported over the wire and are susceptible to being sniffed by Network Monitor or another protocol analyzer and compromised. Because of this, if you are working in a highly secure environment, such as a military or governmental agency, or working remotely, you may want to consider combining Internet Protocol security (IPSec) with EFS to provide optimal security. (The WebDAV transport described later is the exception: the file crosses the network still encrypted.)
Although the encrypting and decrypting of files is mostly transparent to your users, it is a fairly complex process. Each file has a unique, randomly generated file encryption key (FEK), which is used to encrypt the file and is needed to decrypt the file's data later. The FEK is then encrypted with your user's public key and, separately, with the public key of each of your recovery agents, and each encrypted copy is stored with the file (the user's copy in the Data Decryption Field, the agents' copies in the Data Recovery Field). There are now at least two keys available to decrypt the file with. To decrypt a file, the FEK has to be decrypted first. Your user, whose public key encrypted one copy of the FEK, decrypts that copy with his private key, and the recovered FEK is then used to decrypt the file. Alternatively, the designated recovery agents can decrypt their own copy of the FEK with their private key and thereby recover the encrypted file. Note that the file data is never re-encrypted when a decryption key is added or removed; only the small encrypted copies of the FEK change.
The private keys and EFS certificates used by EFS can be issued by several sources, including automatically generated (self-signed) certificates, certificates issued by Microsoft's Certificate Services Certification Authority (CA), or third-party CAs. If no CA is available, Windows XP generates a self-signed certificate the first time a user encrypts a file. Private keys are not stored in the Security Accounts Manager (SAM) or in a separate directory, but rather in the user's profile, in a key store protected by keys derived from the user's logon credentials.
Users may access their certificates via the Certificates MMC snap-in. The file recovery agent should, at the least, export his certificate with its private key, store the copy on a floppy disk or CD kept in a physically secure place, and then remove the private key from the computer (the export wizard offers to delete it after a successful export), so that a compromise of the machine does not also yield the recovery key. Remember the following points about EFS:
• Users can use EFS remotely only when both computers are members of the same Active Directory forest.
• Encrypted files are not accessible from Macintosh clients.
• Storing EFS certificates and private keys on smart cards is not currently supported.
• Strong private key protection for EFS private keys is not currently supported.
Before users are able to encrypt remote files on a server, an administrator must designate the server's computer account as trusted for delegation. This permits all users to encrypt server-based files. When a user accesses a server-based file, the file is decrypted on the server and transferred over the network. Moving or copying an encrypted file to a non-NTFS volume (a FAT partition or a floppy disk, for example) results in the file being decrypted, silently, if you have access to it.
Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed. Files that have the System attribute cannot be encrypted. Files in the %systemroot% folder and its subfolders also cannot be encrypted.
When you encrypt a single file, you are asked if you want to encrypt the folder that contains it as well. If you choose to do so, all files and subfolders that are added to the folder in the future will be encrypted when they are added.
When you encrypt a folder, you are asked if you want all files and subfolders within the folder to be encrypted as well. If you choose to do so, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future. If you choose to encrypt the folder only, the files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.
If you want to prevent your users from utilizing EFS, note that on Windows 2000 deleting the EFS recovery agent policy disabled EFS, but Windows XP no longer requires a recovery agent, so that approach does not work; use the properties of the Encrypting File System policy under Public Key Policies to turn EFS off instead. If a system is reinstalled over an existing installation of Windows XP that was using local accounts and EFS, files will not be accessible to the previous user: the re-created account has a new SID and a new key pair. The original user's exported certificate or the original recovery agent's certificate will be needed to decrypt the files. It is always best to specify a domain account as the recovery agent, and to have users back up their own EFS certificates, to avoid issues such as this.
EFS may be used with Web Folders or servers supporting the WebDAV protocol. With WebDAV, the encrypted file remains encrypted while it is being transferred over the network, because the client encrypts and decrypts it locally and the server stores only the ciphertext.
Creating an Encrypted File or Folder
To encrypt a file or folder, follow these steps:
1. Browse to the file or folder that you want to encrypt.
2. Right-click the file or folder and select Properties.
3. On the General tab, click Advanced.
4. Click the check box, as shown in Figure 11.11, to select Encrypt contents to secure data. (Note: if Compress contents to save disk space is selected, it will be unchecked, because encryption and compression cannot both be used at the same time.)
5. Click OK in the Advanced Attributes window and then click OK in the file or folder properties window.
6. If you are encrypting a folder, you will be prompted in the Confirm Attribute Changes window to choose Apply changes to this folder only or Apply changes to this folder, subfolders and files, as shown in Figure 11.12. (Applying the changes to the folder only marks the folder so that every file added to it in the future is encrypted; applying the changes to the folder, subfolders, and files means that all future files are encrypted when added and all existing contents are encrypted now.)
7. If you are encrypting a file rather than a folder, and the folder that the file resides in is not encrypted, you will be prompted in the Encryption Warning window to choose Encrypt the file and the parent folder or Encrypt the file only, as shown in Figure 11.13. Additionally, there is a check box to select Always encrypt only the file to prevent this question in the future. (Encrypting the folder containing the encrypted file is recommended because many programs save changes by writing a new temporary file and renaming it over the original; in an unencrypted folder that new file is created in the clear, so the file might become unencrypted when it is modified.)
8. After you have encrypted the file or folder, you may click Details in the Advanced Attributes window to bring up the Encryption Details window shown in Figure 11.14. Here you see who may decrypt the file and who the designated recovery agents are. You may click Add to add users who may decrypt the file; this is a new feature in Windows XP, and the user you add must already have an EFS certificate that you can see (for example, because they have encrypted a file of their own).
Figure 11.11 Encrypting a File or Folder
Figure 11.12 Confirmation Dialog Box while Encrypting a Folder
Figure 11.13 Encryption Warning
Figure 11.14 Encryption Details Window
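The key handling described earlier in this section (a random FEK per file, wrapped once for the user and once for each recovery agent) and the Add button in step 8 above, as an added example that is not code from the book: a Python model of the EFS file layout. Everything cryptographic in it is a stand-in chosen so the example runs with the standard library alone: textbook RSA over products of known Mersenne primes in place of the real certificates and keys (no padding, moduli far too small for real use), and a SHA-256 counter keystream in place of the DESX cipher EFS used on XP. The users alice and bob, the recovery agent and the sample plaintext are constructed.

```python
import hashlib
import os

# --- Toy RSA (assumption of this example, not usable cryptography) ---------
def toy_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # modular inverse, Python 3.8+
    return (n, e), (n, d)

# Mersenne primes keep the moduli above 128 bits so a 16-byte FEK fits in one block.
ALICE_PUB, ALICE_PRIV = toy_keypair((1 << 89) - 1, (1 << 61) - 1)     # file owner
AGENT_PUB, AGENT_PRIV = toy_keypair((1 << 107) - 1, (1 << 31) - 1)    # recovery agent
BOB_PUB, BOB_PRIV = toy_keypair((1 << 127) - 1, (1 << 17) - 1)        # another user

FEK_BYTES = 16                                   # 128-bit per-file key

def wrap_fek(pub, fek):
    """Encrypt the FEK with a recipient's public key: one DDF/DRF entry."""
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap_fek(priv, wrapped):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(FEK_BYTES, "big")

def key_id(pub):
    """Stand-in for the certificate thumbprint EFS uses to label each entry."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()[:16]

# --- Symmetric part: the FEK encrypts the file contents ---------------------
def fek_xor(fek, data):
    """Encrypt or decrypt file data with the FEK (SHA-256 counter keystream
    standing in for DESX; XOR makes the operation its own inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(fek + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

# --- The per-file layout the text describes ---------------------------------
def encrypt_file(plaintext, owner_pub, recovery_pubs):
    fek = os.urandom(FEK_BYTES)                  # unique random FEK per file
    return {
        "data": fek_xor(fek, plaintext),
        "ddf": {key_id(owner_pub): wrap_fek(owner_pub, fek)},            # Data Decryption Field
        "drf": {key_id(p): wrap_fek(p, fek) for p in recovery_pubs},     # Data Recovery Field
    }

def recover_fek(blob, pub, priv):
    """A user (DDF) or a recovery agent (DRF) unwraps the copy made for their key."""
    kid = key_id(pub)
    for field in ("ddf", "drf"):
        if kid in blob[field]:
            return unwrap_fek(priv, blob[field][kid])
    raise PermissionError("no DDF/DRF entry for this key: access is denied")

def decrypt_file(blob, pub, priv):
    return fek_xor(recover_fek(blob, pub, priv), blob["data"])

def can_decrypt(blob, pub, priv):
    try:
        recover_fek(blob, pub, priv)
        return True
    except PermissionError:
        return False

def add_user(blob, holder_pub, holder_priv, new_pub):
    """Windows XP's Add button in Encryption Details: someone who already holds
    the FEK wraps it for one more public key.  The file data is not touched;
    only a new DDF entry is written."""
    fek = recover_fek(blob, holder_pub, holder_priv)
    blob["ddf"][key_id(new_pub)] = wrap_fek(new_pub, fek)
    return blob

if __name__ == "__main__":
    secret = b"constructed sample: Q3 payroll figures"
    f = encrypt_file(secret, ALICE_PUB, [AGENT_PUB])
    print("owner decrypts:", decrypt_file(f, ALICE_PUB, ALICE_PRIV) == secret)
    print("agent decrypts:", decrypt_file(f, AGENT_PUB, AGENT_PRIV) == secret)
    print("bob before Add:", can_decrypt(f, BOB_PUB, BOB_PRIV))
    add_user(f, ALICE_PUB, ALICE_PRIV, BOB_PUB)
    print("bob after Add: ", can_decrypt(f, BOB_PUB, BOB_PRIV))
```

The structure is what matters: the agent's key never touches the file data, losing the owner's private key (the reinstall scenario described earlier) leaves the DRF copy as the only way in, and adding a user costs one more wrapped FEK rather than a re-encryption of the file.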
Decrypting Files or Folders
To decrypt a file or folder, perform the following steps:
1. Browse to the file or folder that you want to decrypt.
2. Right-click the file or folder and select Properties.
3. On the General tab, click Advanced.
4. Click the check box to deselect Encrypt contents to secure data.
5. Click OK in the Advanced Attributes window and then click OK in the file or folder properties window.
6. If you are decrypting a folder, you will be prompted in the Confirm Attribute Changes window (see Figure 11.15) to choose Apply changes to this folder only or Apply changes to this folder, subfolders and files; make your choice and click OK. (Applying the changes to the folder only clears the attribute on the folder, so files added in the future are no longer encrypted, but the files and subfolders already inside remain encrypted; applying the changes to the folder, subfolders, and files decrypts all of the existing contents as well.)
Figure 11.15 Decrypting a Folder Confirmation Dialog Box
Account Security
Account security involves attributes of user accounts such as group membership and operating system behaviors that you may utilize to effect security within your Windows XP installation. Security Groups and Security Policies are the primary forms of enforcing and utilizing account security in Windows XP.
You can use Security Groups for grouping your users into logical entities that you may use to allow or deny certain types of access, including access to folders and files or access to modify systemwide settings, such as changing the system time or starting and stopping services. Groups are managed via Local Users and Groups in the Computer Management administrative tool, or separately through the Local Users and Groups MMC snap-in.
Security Policies define security settings for your computer, including such settings as password policies, audit policies, and IPSec policies. Security Policies are configured via Group Policy or Local Computer Policy, and you may also apply a Security Template via the Security Configuration and Analysis MMC snap-in.
Security Groups
You may utilize groups within Windows XP for many purposes. Not only does a domain have a security accounts database, which contains users and groups, but each workstation also has a local security accounts database (the SAM). Domain groups contain domain accounts, but the workstation's local groups may contain domain groups, domain users, or local users.
By default, several built-in groups exist within Windows XP that define your users' levels of access to the file system and system services. Three primary groups are intended to provide you with basic levels of predefined access for your users: Administrators, Power Users, and Users.
The Administrators group is used to grant full system control to the users and groups of users that you intend to manage a system. When you join a domain, the Domain Admins group is added to the local Administrators group. This group is allowed to modify operating system settings and other users' data. Ideally, members of the Administrators group should use normal user accounts for day-to-day activities and log on with administrative access (or use the runas command) only for activities that require this level of access; anything that runs while you browse or read mail runs with whatever rights you logged on with. Here are some examples of activities that require administrative access:
• Installing the operating system and add-on components (such as hardware drivers, system services, and so on).
• Installing Service Packs.
• Upgrading the operating system.
• Repairing the operating system.
• Volume maintenance (defrag or chkdsk).
• Configuring vital operating system parameters (such as password policy, access control, audit policy, driver configuration, and so on).
• Taking ownership of files that have become otherwise inaccessible.
• Managing the security and auditing logs.
• Backing up and restoring the system (members of the Backup Operators group may also do this).
• Sometimes Administrator accounts are required to install and possibly even run programs written for previous versions of Windows (noncertified applications).
Members of the Power Users group have a higher level of permissions than the members of your Users group, but not as high as members of the Administrators group. Power Users can perform many operating system tasks, except tasks reserved for the Administrators group. Running legacy programs (and many noncertified applications) on Windows XP may require users to be in the Power Users group. Because Power Users can install or modify programs, a Power User could install a Trojan or virus on the system, so membership poses a security risk; treat Power Users as a compatibility concession rather than a security boundary. Examples of tasks that Power Users can perform are as follows:
• Installing programs, provided that they do not modify critical operating system files or install system services.
• Running legacy or noncertified applications that require higher levels of access, as well as Windows XP certified applications.
• Customizing systemwide resources such as printers, power options, system date and time, and most Control Panel settings.
• Creating and managing local user accounts and groups.
• Stopping and starting system services that are not started by default.
Power Users have no permission to add themselves to the Administrators group, and they do not have access to the data of other users on an NTFS volume unless those users grant them permission.
The Users group is the most secure; the permissions of this group do not allow the group members to modify operating system settings or access other users' data. The Users group provides a secure environment for your users to run programs. On NTFS-formatted volumes, the default file and folder permissions of a freshly installed system are set to prevent members of this group from compromising the integrity of your installed programs and the operating system as a whole.
Users are prohibited from modifying systemwide Registry settings, Windows XP operating system files, and installed program files. Users, by default, are allowed to shut down and restart workstations, but not servers. Users are allowed to create local groups (for purposes of assigning file and folder permissions to a group), but members of the Users group can only modify the groups that they have created. They can run certified Windows XP programs but in many cases may not install those programs; your Administrators or Power Users may have to perform the installation. Users do have Full Control over all of their own data files stored in their profile directory, as well as Registry permissions for their user portion of the Registry (HKEY_CURRENT_USER). Users are allowed to add printers.
WARNING
Running legacy (noncertified) applications in Windows XP Professional requires permission to modify certain system settings. The same default permissions that allow a Terminal Server User to run legacy programs also make it possible for a Terminal Server User to gain additional privileges on the system, even complete administrative control. Applications that are certified for Windows 2000 or Windows XP Professional can run successfully under the secure configuration provided by the Users group. For more information, see the Microsoft Security page on the Microsoft Web site (www.microsoft.com).
Local accounts created through the User Accounts applet in Control Panel are created without passwords and with the Computer administrator account type, which places them in the Administrators group, by default; accounts created through Local Users and Groups go into the Users group instead. If this is a concern, Security Configuration Manager allows you to control membership of the Administrators (or any other) group with the Restricted Groups policy.
Table 11.2 shows some of the built-in security principal groups of Windows XP. These are well-known security identifiers (SIDs) and can be thought of as dynamic groups: you cannot manually assign members to them; a user becomes a member because of the type of access she is using. You can use these groups to assign permissions, however, and there are several occasions when you may want to. For example, assigning Full Control to Creator Owner on a folder results in the user who creates a file within the folder receiving Full Control; denying Full Control to Remote Interactive Logon denies access to a user accessing the workstation via Remote Desktop Connection. Because membership is decided by how a user connected rather than who she is, a Deny on Network or on Remote Interactive Logon is a convenient way to restrict a resource to local console use without touching individual accounts.
Table 11.2 Security Principal Groups
Security Principal Group   Description
Anonymous Logon            A network user connected to the system who has not supplied a username and password.
Authenticated Users        Includes all users and computers that have been authenticated. Authenticated Users never includes the Guest account.
Batch                      Includes all users who have logged on via a Task Scheduler job or other batch queue.
Creator Owner              A placeholder within an inheritable ACE. When an object inherits the ACE, the operating system replaces the Creator Owner SID with the SID of the object's current owner.
Creator Group              A placeholder within an inheritable ACE. When an object inherits the ACE, the operating system replaces the Creator Group SID with the primary group SID of the object's current owner.
Dialup                     Includes those users logged on to the system through a dial-up connection.
Everyone                   Includes Authenticated Users and Guest, but not Anonymous Logon (a change from Windows 2000, where Everyone included anonymous connections).
Interactive                Includes all users logging on locally or through a Remote Desktop connection.
Local System               A service account that is used by the operating system.
Network                    Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID.
Self (or Principal Self)   A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.
Service                    A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
Creating a new group is a relatively straightforward process; you create the group and add the users or groups that you want to be members. Each group that is created is assigned a SID, and it is actually the SID, not the group name, that Windows XP internally references when you assign permissions based on the group.
Creating Groups
To create a new group, perform the following steps:
1. Go to Start | All Programs | Administrative Tools | Computer
Management. See Figure 11.16.
2. Expand Local Users and Groups.
3. Right-click Groups and select New Group.
4. Type in a name for the group in the Group Name text box (see Figure 11.17).
5. Type in a description in the Group Description text box.
6. Click Add to add users to the group.
7. In the Select Users or Groups dialog box, you may type in the usernames (separated by semicolons) or click Advanced to search for a user.
8. If you manually type the names, you should use the Check Names button to verify that you have typed in the names correctly.
Figure 11.16 Computer Management—Groups
Figure 11.17 Creating a New Group
9. Click OK.You will see a dialog box like the one shown in Figure 11.18.
10. Click Create.
11. Click Close.
If you need to modify a group to add or remove members, you may do so at any time, and this will not affect any permissions that you have assigned to the group, because the group's SID does not change. Each member of a group inherits the permissions of the groups of which they are a member. When a user is removed from a group, they simply cease to inherit the permissions assigned to the group. Note that group membership is evaluated at logon, when the access token is built, so a user you remove from a group keeps that group's access until the next time they log on.
Adding or Removing Group Members
To add or remove group members, perform the following steps:
1. Go to Start | All Programs | Administrative Tools | Computer Management.
2. Expand Local Users and Groups.
3. Click Groups.
4. In the right-hand pane, right-click the group that you want to modify and select Add to Group.
5. To remove a member, select the name of the user or group that you want to remove and click Remove.
6. Click Add to add users to the group.
7. In the Select Users or Groups dialog box, you may type in the usernames (separated by semicolons) or click Advanced to search for a user.
8. If you manually type the names, you should use the Check Names button to verify that you have typed in the names correctly.
9. Click OK.
Figure 11.18 Adding Members to a Group
Deleting a group is an irreversible process. Each group is assigned a unique
SID, which is internally referenced when adding a group to an ACL entry. If you
accidentally delete a group and later re-create the group, it will be assigned a new
SID, and it will not maintain the permissions that the original group had.
Deleting Groups that Are No Longer Needed
To delete a group that is no longer needed, perform the following steps:
1. Go to Start | All Programs | Administrative Tools | Computer
Management.
2. Expand Local Users and Groups.
3. Click Groups.
4. Right-click the group to be deleted and select Delete.
5. Click Yes in the warning (see Figure 11.19).
You may also rename a group in Windows XP, which was not an option in
Windows NT. To do so, right-click the group and select Rename.
Figure 11.19 Delete Group
Security Policies
Local Security Policies allow you to define a set of permissions and behaviors of
the operating system. The Local Security Policy corresponds to Group Policy in a
domain environment, but the Local Security Policy applies only to the local
machine. Group Policy objects that are applied via a domain take precedence
over local security policies and prevent you from changing the local settings for
defined policy settings. The Local Security Policies include Account Policy, Local
Policies, Public Key Policies, Software Restriction Policies, and IP Security Policies.
To access and change an item within the Local Security Policies, perform the
following steps:
1. Go to Start | All Programs | Administrative Tools | Local
Security Policies.
2. Navigate to the appropriate policy.
3. Right-click the policy and click Properties.
4. Change the value of the policy and click OK.
Account Policy
Account Policy includes Account Lockout Policy and Password Policy (see Figure
11.20). These policies let you control several security settings for user accounts.
Figure 11.20 Password Policy
Within Password Policy, you may control minimum and maximum password
age, which set how many days your users may go without changing their
passwords and how many days must elapse after a change before they may
change them again. Passwords may be required to differ from previous
passwords by having the system remember a certain number of each user's
previous passwords and preventing their reuse. A minimum number of
characters may be specified for password length. A rarely used setting is also
available to store passwords using reversible encryption. This setting should not
normally be enabled, as it is very insecure and roughly equivalent to saving a
password in plain text, unless a certain application requires it—such as the CHAP
authentication method. You may specify that passwords must meet complexity
requirements, which institutes the following restrictions:
• May not contain all or part of the user's account name
• Must be at least six characters in length
• Must use characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters (for example: !, @, #, $, %)
Account Lockout Policy (see Figure 11.21) lets you define three settings.
Account lockout threshold allows you to define the number of failed logon
attempts after which the user's account will be locked. Account lockout
duration allows you to specify the number of minutes that the account will
remain locked. Reset account lockout counter after allows you to define
how many minutes must elapse before the failed logon attempt count is reset.
Figure 11.21 Account Lockout Policy
Local Policies
Local Policies contains three groups of policies: Audit Policies, User Rights
Assignment, and Security Policy.
Audit Policies, shown in Figure 11.22, include several operating system events
and types of user access that you may set to be logged to the security log in
Event Viewer. Each of these entries may be set to log success, failure, or nothing.
The items that you may audit include the following:
• Account Logon Events Includes logging on or off, either locally or via the
network, if authenticated by the local workstation. This event is related to
where the account lives (for example, a domain logon would not be logged).
• Account Management Includes adding or deleting an account or group, or
modifying any attributes of a user or group, including group membership.
• Directory Service Access Is not applicable to a workstation.
• Logon Events Includes logging on or off. This event is related to a logon
attempt, regardless of where the account is (local or domain logon).
• Object Access Includes auditing the access of any object that has a
System Access Control List set (for example, printers, files, folders,
Registry keys, or removable storage devices).
• Policy Change Includes modifying any of the settings within user rights
assignment policies, audit policies, or trust policies.
• Privilege Use Includes exercising user rights such as Back Up Files
And Directories, Manage Auditing And Security Log, or Bypass Traverse
Checking.
• Process Tracking Includes tracking program activation, process exits,
or indirect object access.
• System Events Includes items such as computer restarts or shutdown.
You should keep in mind that these are system-wide entries, as opposed to
auditing individual files or folders. If you enable logging for successes of common
events, which happen very frequently, your Security log may fill up very quickly.
You may want to consider auditing only logon event failures, for example, although
you may want to audit both successes and failures of account management. By
default, only the Administrators group has the Manage Auditing And Security Log
user right that allows adjusting auditing. Logging is key to a sound security policy.
User Rights Assignment, as shown in Figure 11.23, contains entries for certain
types of rights that you may assign to your users or groups. These options include
such settings as which users may change the system time; who may perform
volume maintenance tasks, such as running defrag or chkdsk; and who may
shut down the system. Service accounts may also require assignment of
certain user rights.
Figure 11.22 Audit Policies
Figure 11.23 User Rights Assignment
The user rights assigned to the default groups actually define the abilities of
the groups. For example, three of the key rights assigned to the Backup Operators
group are Backup Files And Folders, Restore Files And Folders, and Bypass
Traverse Checking. A few of the more important user rights are Shut Down The
System, which allows a user or group to shut down Windows XP; Log On
Locally, which defines those users and groups who may log on at the physical
computer (as opposed to network access); Perform Volume Maintenance Tasks,
which defines those users and groups who may run chkdsk and defrag, or may
mount a volume; and Remove Computer From Docking Station, which defines
who may undock a portable system from a dock or port replicator. If you are not
using time servers in your environment, you may want to grant the Users group
the Change The System Time right.
The following is a list of rights available within the User Rights Assignment:
• Access this computer from the network
• Act as part of the operating system
• Add workstations to domain
• Adjust memory quotas for a process
• Allow logon through Terminal Services
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Create a pagefile
• Create a token object
• Create permanent shared objects
• Debug programs
• Deny access to this computer from the network
• Deny logon as a batch job
• Deny logon as a service
• Deny logon locally
• Deny logon through Terminal Services
• Enable computer and user accounts to be trusted for delegation
• Force shutdown from a remote system
• Generate security audits
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Log on as a batch job
• Log on as a service
• Log on locally
• Manage auditing and security log
• Modify firmware environment values
• Perform volume maintenance tasks
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects
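A check of the Account Policy, Audit Policy and User Rights settings discussed above, as an added example that is not from the book: a Python script that reads a secedit /export style security template and flags the settings the text warns against (reversible encryption, no lockout threshold, unaudited logon failures, noisy success auditing of privilege use, remote shutdown granted beyond Administrators). The INF text is constructed for illustration; the section and key names follow the template format that secedit exports.

```python
import configparser

# Constructed sample of a secedit /export style INF (not from a real machine);
# the section and key names are the ones secedit writes.
SAMPLE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ClearTextPassword = 1
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPrivilegeUse = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

SUCCESS, FAILURE, BOTH = 1, 2, 3          # audit values as secedit stores them
ADMINISTRATORS = "*S-1-5-32-544"          # well-known SID of BUILTIN\Administrators

def parse_inf(text):
    # Return {section: {key: value}}, converting numeric values to int
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                  # keep key case exactly as written
    cp.read_string(text)
    return {s: {k: int(v) if v.isdigit() else v for k, v in cp.items(s)}
            for s in cp.sections()}

def check_policy(policy):
    # Return the findings that contradict the account, audit and rights guidance
    sa, ea = policy.get("System Access", {}), policy.get("Event Audit", {})
    holders = set(policy.get("Privilege Rights", {})
                  .get("SeRemoteShutdownPrivilege", "").split(","))
    rules = [
        (sa.get("ClearTextPassword", 0) == 1,
         "reversible encryption enabled: passwords stored near-plaintext"),
        (sa.get("PasswordComplexity", 0) != 1 or sa.get("MinimumPasswordLength", 0) < 6,
         "complexity not enforced or minimum length below six characters"),
        (sa.get("LockoutBadCount", 0) == 0,
         "no lockout threshold: unlimited failed logon attempts"),
        (not ea.get("AuditLogonEvents", 0) & FAILURE,
         "logon failures not audited"),
        (ea.get("AuditAccountManage", 0) != BOTH,
         "account management not audited for both success and failure"),
        (bool(ea.get("AuditPrivilegeUse", 0) & SUCCESS),
         "privilege-use successes audited: the security log will fill quickly"),
        (bool(holders - {ADMINISTRATORS, ""}),
         "force shutdown from a remote system granted beyond Administrators"),
    ]
    return [msg for bad, msg in rules if bad]
```

Running check_policy(parse_inf(SAMPLE_INF)) on the constructed template reports the reversible-encryption, privilege-use and remote-shutdown findings and nothing else.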
Security Policies (see Figure 11.24) include a group of settings for accounts,
auditing, devices, domain controllers (not applicable to workstations), domain
members, interactive logon, network client, network server, network access,
network security, recovery console, shutdown, system cryptography, and system
objects. These settings cover a broad range of security options, including
restricting accounts with blank passwords from network access, smart card
removal behavior, and allowing access to the set command in the recovery
console so that the floppy drive and all paths can be accessed.
Note that if you are in a domain environment, these settings may be defined
via Group Policy Objects and applied to a group or container of users rather than
setting each machine.This is a more secure and thorough way of enforcing a
security policy.