Tweaking security on XP Pro machine

Wowbagger

My XP Pro sp2 machine is doing double duty as a file server for a small
workgroup. No domains are involved. I have created a local user that is
used when I map the shared drive from the other machines but have two
questions:

1. How can I prevent anybody from using this username/password to log on
locally

2. From time to time I'd like to be able to change/reset the password. When
I try to do so I get the message indicating that if I change the password
all of the EFS files will forever be locked, etc - how can I relax the
security settings to allow the admin (me) to reset/change the password at
will and not create any of those issues?

Thanks
 
Miha Pihler [MVP]

Hi,

You can edit local policy and add a user account into "Deny logon locally"
policy. Be careful with groups here since you can lock yourself out.
You might also want to add that username to the policy named "Deny logon
through Terminal Services"

Deny logon locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx

Deny log on through Terminal Services
http://technet2.microsoft.com/Windo...dd7c-4882-ab58-dcf663d2dea21033.mspx?mfr=true

Since you are not going to use EFS with this username / account you can
disregard that message when resetting the password. For all other accounts
use "Change Password" instead of "Reset Password" if you plan to use EFS.
You will find the change password option if you log on with the user account and then
e.g. hit ALT+CTRL+DEL and there will be a "Change Password" button.
 
Kerry Brown

Wowbagger said:
My XP Pro sp2 machine is doing double duty as a file server for a
small workgroup. No domains are involved. I have created a local
user that is used when I map the shared drive from the other machines
but have two questions:

1. How can I prevent anybody from using this username/password to log
on locally

2. From time to time I'd like to be able to change/reset the
password. When I try to do so I get the message indicating that if I
change the password all of the EFS files will forever be locked, etc
- how can I relax the security settings to allow the admin (me) to
reset/change the password at will and not create any of those issues?

Thanks

1) You would be better security-wise to have a different user account for
each user with a strong password. Using XP for a "server" you would then
need to create the same accounts and passwords on the server. Next create a
security group on the server (e.g. Network Users) then add all the accounts
to the group. Then only allow the "Network Users" group to access the
shares. Do not add individual user accounts to the share permissions or NTFS
permissions. This allows you to add/remove users easily from accessing the
share by adding/removing them from the group. You can then set up groups for
special access (e.g. Accounting, Temp Users, etc.). It is more administrative
overhead but this is one of the pitfalls of peer to peer networking. To
prevent users from logging on to the server, the server should have
restricted physical access. If this can't be done you can edit the local
policy to deny logon for the Network Users group. Be careful not to include
the administrator account in the group denied local logon.

2) EFS is almost impossible to administer in a workgroup. I recommend you
use the local policy on each computer to disable it. Then if a particular
user wants to use it they will have to ask about it and can be warned about
the possibilities of data loss etc.
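
The group-based setup Kerry Brown describes, together with the two deny-logon policies Miha Pihler names, as a batch script added here for illustration (it was not posted by anyone in the thread). The account names, group name, folder path and share name are hypothetical, and ntrights.exe is assumed to be installed from the Windows Server 2003 Resource Kit Tools.

```batch
@echo off
rem Added example; run as a local administrator on the XP machine holding the shares.
rem Hypothetical values: account names, group name, folder path and share name.
rem Assumption: ntrights.exe (Windows Server 2003 Resource Kit Tools) is on the PATH.
setlocal
set GROUP=Network Users
set USERS=alice bob carol
set SHAREDIR=D:\Shared
set SHARENAME=Shared

rem 1. One account per person. "*" prompts for the password so none is stored here.
rem    Use the same name and password as on that person's own workstation.
for %%U in (%USERS%) do net user %%U * /add

rem 2. A local group that carries every permission; add the accounts to it.
net localgroup "%GROUP%" /add
for %%U in (%USERS%) do net localgroup "%GROUP%" %%U /add

rem 3. NTFS: grant Change to the group only, never to individual accounts,
rem    then print the resulting ACL for review.
cacls "%SHAREDIR%" /T /E /G "%GROUP%":C
cacls "%SHAREDIR%"

rem 4. Create the share. Share permissions are then restricted to the group
rem    in the folder's Sharing tab.
net share %SHARENAME%="%SHAREDIR%"

rem 5. Lockout guard: stop if an administrative account shows up in the group.
rem    The substring match can over-match, which only errs toward stopping.
for %%A in (Administrator %USERNAME%) do (
    net localgroup "%GROUP%" | findstr /i /c:"%%A" >nul
    if not errorlevel 1 (
        echo %%A appears in "%GROUP%"; deny-logon rights were NOT applied.
        goto :eof
    )
)

rem 6. "Deny logon locally" and "Deny logon through Terminal Services".
ntrights +r SeDenyInteractiveLogonRight -u "%GROUP%"
ntrights +r SeDenyRemoteInteractiveLogonRight -u "%GROUP%"
endlocal
```

The same two rights can be reviewed afterwards in the Local Security Policy console under User Rights Assignment.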
 
