Default security settings
Before modifying any security settings, it is important to take into consideration the default settings.
There are three fundamental levels of security granted to users. These are granted to end users through membership in the Users, Power Users, or Administrators groups.
Adding users to the Users group is the most secure option, because the default permissions allotted to this group do not allow members to modify operating system settings or other user's data. However, user level permissions often do not allow the user to successfully run legacy applications. The members of the Users group are only guaranteed to be able to run programs that have been certified for Windows. For more information on the Certified for Windows Program, see the Microsoft Web site. As a result, only trusted personnel should be members of this group.
Ideally, administrative access should only be used to:
In practice, Administrator accounts often must be used to install and run programs written for versions of Windows prior to Windows 2000.
The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions that are allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.
Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000 and Windows XP Professional security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000 or Windows XP Professional.
Power Users can:
Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.
The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data.
The Users group provides the most secure environment in which to run programs. On a volume formatted with NTFS, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 or Windows XP Professional programs that have been installed or deployed by administrators. Users have Full Control over all of their own data files (%userprofile%) and their own portion of the registry (HKEY_CURRENT_USER).
However, user-level permissions often do not allow the user to successfully run legacy applications. Only the members of the Users group are guaranteed to be able to run Certified for Windows applications. (For more information, see the Certified for Windows Program on the Microsoft Web site.
To secure a Windows 2000 or Windows XP Professional system, an administrator should:
Users will not be able to run most programs written for versions of Windows prior to Windows 2000, because they did not support file system and registry security (Windows 95 and Windows 98) or shipped with lax default security settings (Windows NT). If you have problems running legacy applications on newly-installed NTFS systems, then do one of the following:
Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.
Several additional groups are automatically created by Windows 2000 and Windows XP Professional.
When a Windows 2000 system is upgraded to Windows XP Professional, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. you may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions.
However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows XP Professional computers, you can change the Network access: Let Everyone permissions apply to anonymous users security setting.
When Terminal Server is installed in remote administration mode, users logged on using Terminal Server will not be members of this group.