How do I 'safely' make WindowsXP Pro LESS secure?

[Jeff7]

I recently botched my PC up trying to do this; reinstalling Windows - I needed an excuse to do so anyway.
The problem I was having is that some folders on the drive would give "Access Denied" errors when other people on the network here at home tried to view them. I'm the Computer Person here, so I like to be able to access my PC from any system in the house, but NTFS's security is making that very difficult. Is there a safe way to just remove all security settings from the filesystem? I obviously did something wrong in my first attempt, as the system was denied access to its own system files - couldn't boot.

 

[n0cmonkey]

Use a lesser file system. Set privledges for everybody to full control. Just a warning though: THIS IS A DUMB IDEA. There are FAQs here that can get your network working properly if you would rather go that route instead of compromising the security of your less than perfect OS

 

[n0cmonkey]

Oh yeah, and and make sure there is either no connection to the net or other users, or that you have a great firewall setup on the perimeter and atleast one IDS system with someone watching it anytime that one machine is connected to the net

Ooooh, you will also need that machine in a locked room with the only keys going to yourself and anyone else you trust ith full acces to that machine. Maybe a nice survelience system.

 

[Nothinman]

Learn how to use the ACLs properly instead of just disabling them, they're not that complicated.

 

[Jeff7]

I've been looking for quite awhile. I am trying to allow free access on the LAN here to my own system, the way it used to be with Win98. Windows XP didn't seem to like that. I didn't much like the "simple file sharing" option either - it disables the Security tab in Explorer's folder views. I did finally get Windows to open up a bit and let the computer be visible on the network; then it kept asking for a password for the IPC$ share. I checked around the Internet awhile and found that this is a fairly common problem; finally got that taken care of. I'm now back to my good old network.
I have a router in place, though I suppose that it's not exactly the most secure device in existence. I guess a firewall would be nice; I had tried Zonealarm, but it didn't have any expert features like allowing specific ports Internet access - it would block Quake III completely, even though I had given that program free reign in Zonealarm's settings.

Use a lesser file system. Set privledges for everybody to full control.

I wanted to finally move to NTFS and get accustomed to it; plus I read that there was a ~32GB limit on FAT32, but I don't remember if that was XP or just Win2k.
Set Privelages to full control - I had tried that; that's what somehow locked me out of the system.

This is a home LAN too; not too many people here really to break into my system. Main problem might be outside attackers from the web; not like I've really got anything sensitive here anyway.

Learn how to use the ACLs properly instead of just disabling them, they're not that complicated.

ACL's? Like the Users and Groups settings you mean? I tried those things in several configurations - I just tried at one point giving EVERYONE Admin access (yeah, yeah, dumb) and that wouldn't even let everyone in. I'm still learning this stuff; I 'grew up' on Win9x. And I hope I'm making any sense, as it's a few hours later than I thought.

 

[n0cmonkey]

Read the FAQs and see if those help.

 

[igiveup]

Well, with security its kind of hard to know sometimes what in the hell you actually FUBAR, short of making the mistake and learning the hard way. If you are dealing with the Local Security Policy at all, those don't take effect until you reboot. A little primer on file system security in windows:

There are two basic types of security in Windows NT based systems: folder and share.

SHARE: When you share a folder the first thing you access when you try to view it across the network is the share level security. This is set to the EVERYONE group (wide open) by default. If you remove the everyone group and then specify another group to allow access to your share it will block anyone that is not a member of that group from accessing the share. Once they authenticate with that share however, there is nothing further that share security can do for you. Think of it simply as a wall: once by, nothing stops you.

FOLDER: With folder security (only available in NTFS) you can specify what a user can or cannot do. If you click on the security tab of any folder's properties you will see two columns of boxes and rows of security options. It can get complicated, but its worth figuring it out. One thing to remember is that DENY permissions overrule allow permissions.

The main idea is to set the default permissions that most everybody would need to have to allow, starting at the root of the share. This makes it easy since the folders by default enherit their settings from the folder directly above. Once you get down into a folder that you want just one user to be able to use, you can uncheck the inherit folder permission and then delete out or simply deny any user or group the access to that folder.

ONE SIDE ISSUE: There is a setting in the secpol.msc template (local security settings in administrative tools, control panel) that reads something like "bypass traverse checking". What this setting allows a user to do is to step over a folder, even if you deny them access to that folder, and look into folders below it if they have permission. By default the EVERYONE user is in there so you will have to remove it if you want to make your system a bit more secure.

Be really careful with SECPOL.MSC, aka Local Security Settings, and in particular the Deny Logon Locally setting. This doesn't mean you are giving somebody permission to specify who can log onto your computer. This is actually a list of users who CANNOT log on locally. I had a guy punch in Administrator as a user in this field, and reboot the computer. The result is a format and reinstall. This setting forbid the administrator from even logging into the recovery console.

 

[Codewiz]

Turn off "Simple File Sharing" It doesn't allow you to have control over anything.

 

[cct]

I wanted to finally move to NTFS and get accustomed to it; plus I read that there was a ~32GB limit on FAT32, but I don't remember if that was XP or just Win2k.

I think i had this problem a while ago and concluded it was either XP/2K's installer that was preventing FAT32 partitions over 32GB.
It should be possible to just create your partition as FAT32 over 32GB with a 98SE boot disks FDISK or Partitionmagic, Linux Disk Druid etc and then choose this partion for install when you run the XP/2K installer.

Warm Regards,

Chris

 

[Nothinman]

I think i had this problem a while ago and concluded it was either XP/2K's installer that was preventing FAT32 partitions over 32GB.

It's Windows Disk Manager that enforces the false 32G FAT32 limit.

It should be possible to just create your partition as FAT32 over 32GB with a 98SE boot disks FDISK or Partitionmagic, Linux Disk Druid etc and then choose this partion for install when you run the XP/2K installer.

It's possible, just a bad idea. FAT32 sucks, it needs to die. People need to move on to a half-decent filesystem. MS put that limit in there for a reason.