Wednesday, January 30, 2008
Built-In Security Groups
Windows includes several built-in security groups, each with a predefined set of rights, permissions, and restrictions. Table 2-1 provides a brief description of the groups and specifies which ones are included in each version of Windows.

Table 2-1. Built-In Security Groups in Windows

| Group | Windows XP Professional | Windows XP Home Edition | Windows 2000 | Description |
| --- | --- | --- | --- | --- |
| Administrators | Yes | Yes | Yes | The most powerful group, with full control over the system. |
| Power Users | Yes | | Yes | Includes many, but not all, privileges of the Administrators group. |
| Users | Yes | Yes | Yes | Limited privileges for users who don't need to administer the system. |
| Guests | Yes | Yes | Yes | Provides limited access for occasional users and guests. |
| Backup Operators | Yes | | Yes | Provides the privileges needed to restore folders and files, including ones that members aren't otherwise permitted to access. |
| Replicator | Yes | | Yes | Members can manage file replication, a feature of domain-based networks. |
| Network Configuration Operators | Yes | | | Members can set up and configure network components. (For details, see Microsoft Knowledge Base article Q297938.) |
| Remote Desktop Users | Yes | | | Provides access to a computer via Remote Desktop Connection. |
| HelpServices Group | Yes | Yes | | Allows technical support personnel to connect to your computer. |


Roles of Security Group Members
Members of the Administrators group have total control of the computer. By default, administrators have full, unfettered access to all files and to all keys in the registry. And administrators can grant to themselves any right or permission they do not already have. Administrators' privileges include the ability to

Create, change, and delete user accounts and security groups
Install programs
Share folders
Set permissions
Access all files
Take ownership of files
Grant rights to other user accounts and security groups as well as to themselves
Install or remove hardware devices
Log on in Safe Mode

By default, the Administrators group includes all local user accounts that you create during setup. If you upgrade to Windows XP from Windows NT or Windows 2000, the Administrators group retains all its members from your previous operating system. If your computer is joined to a domain, the Domain Admins group is a member of the local Administrators group.

Members of the Power Users group hold most of the same privileges as users in the Administrators group. Power users cannot take ownership of files, back up or restore files, load or unload device drivers, or manage the security and auditing logs. Unlike ordinary users, however, power users can share folders; create, manage, delete, and share local printers; and create local users and groups.

Members of the Users group should not be able to inflict damage on the operating system or installed programs. By default, members of the Users group are not allowed to do the following:

Modify machine-wide registry settings—those that affect all users (for example, anything in the HKEY_LOCAL_MACHINE hive).
Modify operating system files.
Modify files of programs installed by an administrator for all users.
Install programs that others can use or run programs that other members of the Users group have installed. This important restriction limits the effect of a Trojan horse, which can be run only when started by the user who (inadvertently) installed it.

TIP: Use administrator accounts sparingly

Microsoft's security experts routinely recommend that anyone responsible for a computer running Windows avoid logging on for everyday use with an account that belongs to the Administrators group. Instead, they suggest using an account with fewer system privileges for everyday activities such as running applications and browsing the Web, and logging on as an administrator only on those infrequent occasions when you need to perform administrative tasks. In theory, at least, this practice helps you avoid the risk that you'll damage the system configuration or allow a virus or Trojan horse to infect it. In Windows 2000, you can easily assign your everyday account to the Power Users group without encountering many inconveniences in normal use. By contrast, restricting yourself to a limited account in Windows XP can be a frustrating experience because its set of built-in privileges interferes with many programs that weren't specifically written for Windows XP. Still, if you can work around the frustrations, you can significantly increase your security with this simple safeguard.
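One way to act on this tip, and on the default memberships described earlier (accounts created during setup, Domain Admins on a domain-joined computer), is to review who actually belongs to the Administrators group. The following Python script is an added example, not part of the original text; it parses the English-language output of `net localgroup`, and the sample output, the CORP domain, the account names and the allow-list are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample of `net localgroup Administrators` output (English locale).
SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
alice
bob
The command completed successfully.
"""

# Hypothetical allow-list: who is supposed to hold administrative rights here.
EXPECTED = {"Administrator", "CORP\\Domain Admins"}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.startswith("---")
        elif line.lower().startswith("the command completed"):
            break
        elif line:
            members.append(line)
    return members


def audit(output, expected):
    """Compare actual membership with the allow-list, ignoring case."""
    allowed = {name.lower() for name in expected}
    members = parse_members(output)
    present = {m.lower() for m in members}
    return {
        "unexpected": [m for m in members if m.lower() not in allowed],
        "missing": sorted(n for n in expected if n.lower() not in present),
    }


def group_output(group):
    """Run `net localgroup` on Windows; fall back to the sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE
    return subprocess.run(["net", "localgroup", group],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(audit(group_output("Administrators"), EXPECTED))
```

Passing "Power Users" to `group_output` applies the same review to that group; everyday accounts that appear under "unexpected" are the ones the tip suggests moving to a less privileged group.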

In addition to the groups just discussed, Windows automatically maintains a number of built-in security principals that are not shown in the Local Users And Groups list and whose membership cannot be managed by an administrator. Some of these groups exist for obvious special purposes. For instance, anyone who connects to a computer over a dial-up connection is automatically added to the Dialup group and is subject to any restrictions assigned to that group. Two built-in groups deserve special mention:

Everyone. This group includes all users who access the computer, including users in the Guests group. In Windows 2000, but not in Windows XP, this group also includes members of the Anonymous Logon group.
Authenticated Users. This group includes any user who logs on with an account that is authenticated locally. This group does not include guest accounts or members of the Anonymous Logon group.

With the exception of the Everyone group, built-in groups are not routinely used for assigning file access. Instead, their purpose is to control specific user rights, such as the right to access a computer over the Internet. An individual's right to access shared folders, however, will be controlled by a different set of file permissions.
