Differences in default security settings

The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional.

Anyone who accesses a computer and its resources through the network without an account name, password, or domain is a member of the Anonymous Logon built-in security group. In previous versions of Windows, members of the Anonymous Logon security group had access to many resources because they were also members of the Everyone group. Because administrators did not realize that anonymous users were members of the Everyone group, they might have inadvertently granted them access to resources intended only for authenticated users.

When a Windows 2000 system is upgraded to Windows XP Professional, resources with permission entries for the Everyone group (and no explicit entries for the Anonymous Logon group) will no longer be available to anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous Logon group, you should explicitly add the Anonymous Logon security group and its permissions.

However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows XP Professional computers, you can change the security setting "Network access: Let Everyone permissions apply to anonymous users".

For more information, see To edit a security setting on a Group Policy object or To edit local computer security.
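The following sketch is an added example, not Microsoft code. It models which resources anonymous users lose after the upgrade by evaluating DACLs written in SDDL against an anonymous token with and without Everyone membership. The share names and DACLs are constructed, and the access check is simplified (ACE order only, rights masks ignored).

```python
import re

# SDDL trustee aliases: WD = Everyone, AN = Anonymous Logon,
# AU = Authenticated Users, BA = BUILTIN\Administrators.

def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee), ...] from the D: part of an SDDL string."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) >= 6:  # skip malformed ACEs
            aces.append((fields[0], fields[2], fields[5]))
    return aces

def anonymous_token(everyone_includes_anonymous):
    """Group SIDs carried by an anonymous network logon (simplified)."""
    return {"AN", "WD"} if everyone_includes_anonymous else {"AN"}

def grants_access(sddl, token):
    """Simplified check: walk ACEs in order; the first ACE naming a SID in the
    token decides. Rights masks are ignored (any allow counts as access)."""
    for ace_type, _rights, trustee in parse_dacl(sddl):
        if trustee in token:
            return ace_type == "A"
    return False  # no matching ACE: implicit deny

def lost_after_upgrade(resources):
    """Names reachable anonymously when Everyone included anonymous users,
    but not under the Windows XP Professional default."""
    return [name for name, sddl in resources.items()
            if grants_access(sddl, anonymous_token(True))
            and not grants_access(sddl, anonymous_token(False))]

# Constructed sample DACLs; the share names are hypothetical.
SAMPLE = {
    "share_public":     "D:(A;;FA;;;BA)(A;;FR;;;WD)",             # Everyone only
    "share_legacy_app": "D:(A;;FA;;;BA)(A;;FR;;;WD)(A;;FR;;;AN)", # explicit Anonymous Logon
    "share_auth_only":  "D:(A;;FA;;;BA)(A;;FR;;;AU)",             # never anonymous
    "share_denied":     "D:(D;;FA;;;AN)(A;;FR;;;WD)",             # explicit deny first
}

if __name__ == "__main__":
    for name in lost_after_upgrade(SAMPLE):
        print(f"{name}: anonymous access removed by the new default")
```

Resources the script lists are the ones to review: either add an explicit Anonymous Logon entry where an application needs it, or leave them closed.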

Important differences between Windows NT 4.0 and Windows XP Professional

Windows XP Professional provides three groups whose membership is controlled by the administrator: Users, Power Users, and Administrators. The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests.

Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not used to assign permissions. Only groups controlled by the administrator--primarily Users, Power Users, and members of the Administrators group--are used to assign permissions.

By default, any authenticated user is a member of the Users group. Power Users have all the capabilities that Windows NT 4.0 Users had. This ensures backward compatibility with Windows NT 4.0. If an administrator wants to implement higher security on a computer, Authenticated Users should be made members of the Users group only.

When a Professional or Server computer joins a domain, the same domain groups are added to the computer that were added to a Windows NT 4.0 computer. Domain Administrators are added to the local Administrators group and Domain Users are added to the local Users group.

Default owner for objects created by members of the Administrators group

You can set whether the Administrators group or an object creator will be the default owner of any system objects created. In Windows XP Professional, the default is that the creator is the owner.

© 2017 Microsoft Corporation. All rights reserved.