Working with Built-in Users and Groups
In addition to the standard local groups (Administrators and Users, for instance), Windows XP includes a number of special identities. These users and groups, which are built into the system and can't be deleted, are used to apply special permissions to system resources (including files and folders); in many cases, these identities are placeholders that apply to user accounts based on the way a given account uses the system.
Note: Special identities are often referred to as well-known security identifiers (SIDs).
The most common special identity you're likely to encounter in everyday use is the Everyone group, which includes all users who log onto the system. On a drive that's been newly converted to NTFS, the Everyone group is assigned the Full Control permission. As you would expect, this has the effect of allowing anyone who logs on to the computer to do anything with files and folders on that drive, unless further restrictions are placed on subfolders and files.
Understanding these built-in accounts and groups is crucial to using advanced NTFS permissions effectively. The table below lists the most common special identities.
Special Identities Available in Windows XP
Special Identity | Description |
---|---|
Everyone | Includes every user who accesses the computer, including Guests. This group does not include Anonymous logons. |
Creator Owner | Identifies the user who created the selected file or folder or who has taken ownership of it since it was created. |
Authenticated Users | Includes any user who logs on with a user name and password. Unlike the Everyone identity, this group does not include users who log on as Guest, even if the Guest account has been assigned a password. |
Interactive | Includes any user that logs on locally or through a Remote Desktop connection. |
Anonymous Logon | Identifies network logons for which credentials are not provided, such as connections to a Web server. Anonymous and Interactive logons are mutually exclusive. |
Dialup | Includes any user who accesses the computer over a dial-up connection. |
Network | Includes any user that logs on over the network. Does not include Interactive logons that use Remote Desktop over a network. |
Some of these special identities are esoteric, and the average user will never need to apply them. But others can be extremely powerful additions to your security toolkit. For instance, you can use the following combinations of permissions to tighten security on your computer:
- For shared data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the Creator Owner special identity. In this configuration, every user who creates a file or folder becomes that object's owner and has the ability to read, modify, and delete it. Other users can read and modify documents created by other users but can't accidentally delete them.
- If you have a second drive in your system and you want to prevent all access to files on that drive by anyone using the Guest account, change the default permissions on the root of the drive. Add the Authenticated Users group and give it Full Control, and then remove the default Everyone group.
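The two configurations above, scripted as an added example that is not part of the original tutorial. It assumes Windows PowerShell is installed (it is not part of a default Windows XP setup) and is run from an administrator account; the function names and the `D:\` paths are hypothetical.

```powershell
# Well-known SIDs, so the script does not depend on localized account names.
$Sid = @{
    Everyone           = 'S-1-1-0'
    CreatorOwner       = 'S-1-3-0'
    AuthenticatedUsers = 'S-1-5-11'
    Users              = 'S-1-5-32-545'   # built-in local Users group
}

function New-AllowRule($SidString, $Rights, $Propagation) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # Inheritable Allow entry; the script never creates a Deny entry.
    $ctorArgs = $id, $Rights, 'ContainerInherit,ObjectInherit', $Propagation, 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# First bullet: shared data folder.
function Set-SharedDataFolderAcl($Path) {
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-AllowRule $Sid.Users 'ReadAndExecute, Write' 'None'))
    # Creator Owner is a placeholder: as an inherit-only entry it is replaced
    # by the creating user's SID on each new file or subfolder.
    $acl.AddAccessRule((New-AllowRule $Sid.CreatorOwner 'FullControl' 'InheritOnly'))
    Set-Acl -Path $Path -AclObject $acl
}

# Second bullet: keep the Guest account off a data drive.
function Set-NoGuestDriveAcl($Root) {
    $acl = Get-Acl -Path $Root
    $acl.AddAccessRule((New-AllowRule $Sid.AuthenticatedUsers 'FullControl' 'None'))
    Set-Acl -Path $Root -AclObject $acl      # add the replacement entry first

    # Re-read the ACL and confirm the entry exists before removing Everyone.
    $acl = Get-Acl -Path $Root
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ok = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $Sid.AuthenticatedUsers -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq 'FullControl' }
    if (-not $ok) { throw "No Full Control entry for Authenticated Users on $Root" }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier($Sid.Everyone)
    $acl.PurgeAccessRules($everyone)         # drops Everyone's entries, adds no Deny
    Set-Acl -Path $Root -AclObject $acl
}

# Constructed sample paths:
# Set-SharedDataFolderAcl 'D:\Shared'
# Set-NoGuestDriveAcl 'D:\'
```

The second function refuses to remove Everyone unless the Authenticated Users entry is already in place, so an interrupted run cannot leave the drive with no usable access entry.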
Caution: One of the most common mistakes made by users who are inexperienced with NTFS permissions is removing the Everyone group from the root of a drive or, worse, selecting the Deny box next to Full Control for this group. If you try to take either of these drastic measures in Windows XP Professional, the system displays a dialog box warning you that you're about to deny all access to all files on the drive to all users, which is almost certainly not the intended result! Remember, more restrictive permissions always override more lenient permissions. As a rule of thumb, the best strategy for the permissions on the top-level folder for any drive is to make sure that all users who will access files on that drive have the proper level of access. After you've organized data on that drive, tighten up permissions on each subfolder so that it's accessible by the correct users and groups.
Windows XP includes three special identities that are reserved for software and system processes and are never used by human users. The Batch identity provides permissions for any batch process (such as a job launched via Task Scheduler) that needs to access a resource on the computer. The Service identity is used by system services and is controlled by the operating system. The System identity allows the operating system itself to access protected resources. As a general rule, permissions for these three groups are set by the operating system and should never be adjusted by users.
Caution: Tampering with the default permissions on the drive that contains Windows system files is a bad idea. As part of the setup process, Windows XP applies specific permissions to the root of the system drive; to the Windows, System32, and Documents And Settings folders; and to specific subfolders within each of these locations. Changing the default permissions will not improve security and will almost certainly cause some users or programs to have problems. If you've made a mess of permissions in a system folder and you need to know how to put things right again, search the Microsoft Knowledge Base for a Windows XP-specific update to article 244600, "Default NTFS Permissions in Windows 2000."