WINDOWS XP NETWORKING

WINDOWS XP NETWORKING

User Accounts

The first thing you need to do is create an account for each user who will access your Windows XP computer. To do this, log on to Windows XP as Administrator.

Windows XP Professional throws out Windows NT's old administrative tool, User Manager. And because there is no Active Directory, you won't find the Active Directory Users and Computers utility either. Instead, you use Control Panel to add, remove, and manage users. The revamped Control Panel's interface lets you more easily narrow your focus until you find the appropriate utility to accomplish a task. (You can click on Switch to Classic View if you prefer the traditional Control Panel.)

In Control Panel's Category View (the default), select User Accounts. In Figure 1, you see the available options for managing users. You can change an existing account, create a new account, and alter the way users log on or off. You'll be prompted for a new user name when you add a new account. If you want to modify an existing account, simply select the account name at the bottom of the window, and choose the task you want to perform.

Figure 1

Adding an account is simple: Just click on Create a new account and several dialog boxes will walk you through the process. You enter a user name for logging on to the system, and you specify whether this will be a Computer administrator account or a Limited account. As you'd guess, a computer administrator can do anything on the Windows XP computer; a limited account is restricted to accessing the Windows XP system and whatever resources have been granted to that particular account.

You'll probably create limited accounts for most users, though delegating authority to a few by making them administrators might be convenient. When you select the radio button for either type of account, text is displayed that tells you the main functions the account will be able to perform, such as installing programs or making system changes.

Note that some programs will not install unless an administrator account is used. Installation of software not specifically written for Windows XP may require an administrator account. This doesn't prevent users with limited accounts from running those programs, though.

After you select the type of account, click the Create Account button and you're almost finished. You may want to associate a picture with the account, and you'll definitely want to add a password. Windows XP lets you add a password hint to help a user who has forgotten a password, but this isn't a good idea, because the hint is displayed for anyone who tries to log on. You don't even have to know a user name; all the names are displayed in the welcome screen by default.

You may want to use groups to make management of multiple users who need the same access easier. Windows XP comes with several built-in groups, such as Administrators, which includes any account you create with administrator privileges, and Everyone, which encompasses all user accounts. Groups save you the trouble of managing users individually, but for a small LAN you'll probably find person-by-person administration easier. Groups can save you time, though, if you have more than a few users and several file shares. (A file share is a set of files or folders—often related—that users can access like a local drive and administrators can manage as a whole, rather than on a file-by-file basis.)

You can also create user accounts during the Windows XP installation process. A simple install, however, doesn't give you the opportunity to perform some important tasks, such as changing account privileges and assigning passwords. If you do this type of install, you will have to review the accounts and make changes using Control Panel. An account lacking a password is a very serious security breach; anyone who knows the user name can log on.

Managing a Little LAN

Sharing Folders

Once you've created user accounts, you can set restrictions on the resources each user can access (files, printers, and so forth). The most likely candidates for access restrictions are folders and the files they contain. You can decide which folders you want to make available and then set specific permissions for them. Note that if you want to set permissions on folders, the Windows XP computer must use NTFS instead of the older FAT format. Without NTFS, you are restricted to setting permissions on file shares only. This means that a user who is granted access to a file share on a FAT partition will have access to all of the files and folders that make up that share. By using NTFS file permissions and file shares together, you can fine-tune access, restricting the files and folders users can get to within a particular share.

Use Windows Explorer (or My Computer) and find the drive or folder you want to share. Right-click on the folder or drive; select Properties and then the Sharing tab (Figure 2). Click on New Share and enter a name, a comment, and the maximum number of users who can connect to the share. Click on OK. When you're done, you'll see that the bottom portion of the Sharing tab for most folders will now contain a checkbox labeled Share this folder.

(Figure 2)

If your Windows XP computer does not show the same choices, use the View tab in the Folder Options applet in Control Panel, and deselect the check box labeled Use Simple File Sharing.

By default, the group Everyone has permission to read and write to the files on the share. You can use the Permissions button to change which users or groups can access the entire share, or you can further customize access to files and folders on a user-by-user basis. Select the Security tab if you want to use NTFS permissions to customize restrictions for individuals (Figure 3).

(Figure 3)

Managing a Little LAN

Setting NTFS Permissions

On the Security tab, click the Advanced button. Use the Add button to bring up a dialog box that will let you enter the name of the user or group you want to grant or deny access. Click on OK. Now select that user or group and choose the permissions you want to allow or deny. The basic permissions are:

· Full Control. This allows the user to do anything to the folder and its contents, including changing permissions, creating and deleting files or folders, and taking ownership of files and folders.

· Modify. A user with this privilege can do anything to files and folders except delete subfolders and files, change ownership of files, or take ownership of files or folders.

· Read & Execute. A person assigned this right can see the files and execute the programs in the folder, see the attributes of files and folders, and synchronize files and folders.

· List Folder Contents. This lets the user see the contents of a folder and its subfolders, read the attributes of files and folders, and synchronize with folders.

· Read. When given this privilege, a user can see a folder's attributes and contents and can synchronize folders.

· Write. With write access, a user can create files and subfolders, see permissions applied to the created files and folders, synchronize the files and folders, and change the attributes of the folders.

Note that subfolders can inherit permissions from their parent folders, which can sometimes limit your ability to change permissions.

Because the Everyone group includes all users, you should remove this group from the permissions list and then give individual users or groups access to specific folders. Do not deny access to Everyone in lieu of removing the group from the permissions list, then try to add permissions back. This will result in no one having access—not even administrators—because Windows XP denies before it allows. And although allowing access to the Everyone group and then denying access to particular users or groups seems easier, if you do this you may forget to restrict accounts you create in the future.

Once you have set up a file share and perhaps set specific permissions on some of the folders within the share, users can then map the file share so that it appears as a drive letter on their computers. At that point, they should have no trouble accessing the appropriate files and folders.

Forget Your Password?

One of the most common problems a help desk faces is users forgetting their passwords. Windows XP alleviates this by letting users create a password-reset disk. To create such a disk, insert a blank floppy disk into your drive, open User Accounts in Control Panel, and double-click on your account name. On the left side of the window, under Related Tasks, select Prevent a forgotten password. A wizard will pop up and walk you through the process of creating the password recovery disk.

If you try several times to log on using the wrong password, Windows XP will prompt you to insert the password reset disk and will use it for authentication. You'll be allowed to log on to the system, but you'll have to select a new password. The floppy disk will be updated to reflect your new password.

Remember, anyone who has the password reset disk can access the system, so don't forget to store your disk in a safe place!

Win XP Home Networking: Two Steps Back

The number-one reason people set up home networks is to share an Internet connection, a capability supported by both the Professional and Home editions of Microsoft Windows XP. File sharing is another driving force, but one that can introduce complications. Although you want the convenience of being able to access your files from whichever PC is handy, you may also have some qualms about your kids playing around with your stock portfolio. What you need is a way to share files with some household users but not others. The Windows 9x platforms accommodate this need by letting you configure sharing with specific passwords. And you can set access privileges for specific users and groups in the Windows NT family of operating systems—with one unfortunate exception: Windows XP Home Edition.

Win XP Home Networking: Two Steps Back

Sharing Folders

Windows XP Home Edition uses a feature Microsoft calls Simplified Sharing (also called Simple File Sharing) for sharing folders. When you view the Sharing tab of a folder's Properties dialog, as seen in Figure 1, the available options are quite different from those presented by previous consumer versions of Windows. Although you can prevent users from changing files in a shared folder (including yourself, if you're working from a remote computer), the logical, useful permission options available in other Windows versions are missing.

Figure 1

Windows XP Home Edition's lack of support for passwords on shared folders creates an all-or-nothing paradigm that fails to meet the needs of most home network users. If you share a folder on the network, you cannot prevent specific users from gaining access to that folder. Password-protecting individual files is the workaround for securing shared folders. All Microsoft Office applications and many other Windows programs let you secure individual files with a password.

Simplified Sharing does let you lock folders that are part of your private profile (like My Documents) by selecting the option Make This Folder Private. But although this feature keeps other people who use your computer out, it requires NTFS—an important caveat that appears in only one of the operating system's help files. And if you install NTFS and mark your own folders as private, you cannot access them from a remote computer.

On a computer running Windows XP Home Edition and NTFS, you can set individual permissions similar to those available in Windows XP Pro or Windows 2000. The problem is, the Properties dialog for drives and folders on an NTFS system does not have a Security tab. The only way to set permissions is to log on as administrator, which you can do only from Safe Mode. (To boot into Safe Mode, press F8 after the graphical boot screen appears and select Safe Mode with Networking from the menu.) After logging on as administrator, open the Sharing tab of a shared folder's Properties dialog and click Permissions. As shown in Figure 2, you can set Full Control, Change, or Read permissions for the users and groups in your network. To set granular permissions for additional users, choose Add | Advanced | Find Now, and you'll see a display of user names (local users only). Select a name and click OK, then set the permissions.

Figure 2

You may run across articles that say you can follow this procedure even on a FAT32 system. And in fact, Windows XP will blithely let you work through the same steps and dialogs we've just discussed—but your settings won't take. You can't set granular permissions on a FAT32 system, but you'll see no error messages telling you so, and the help files offer little clear information.

Remote File Access: Denied

Here's the main obstacle to remote file access: Networking in the Home Edition of Windows XP is peer-to-peer, not domain-based. In the absence of a list of domain names, file permissions are limited to local user names, and those names are unique for each computer. For example, a user named Leah on a computer named Den has the username Den\Leah. But if Leah is accessing the den computer while logged on to the Kitchen system, she is Kitchen\Leah; she and Den\Leah are not recognized as the same user. There's no such thing as a networkwide user in a peer-to-peer network. For user permissions to work across a network, you need to have a global catalog of names, which is available only in domain-based networks.

Even if home users convert their Windows XP Home Edition machines to NTFS in order to configure access restrictions, the permissions are applied only locally. All network users log on remotely under the Guest account, and restricting that account prevents you from accessing your own files from a remote computer.

Internet Connection Firewall

Mindful of the dangers in always-on Internet connections, Microsoft built a firewall into Windows XP. When you run the Home Networking Wizard to set up your network and share your Internet connection, Internet Connection Firewall (ICF) is automatically enabled.

ICF blocks all unsolicited incoming traffic (but ignores outgoing traffic, which means a virus that sends information from an infected machine isn't stopped). Because the firewall doesn't differentiate between incoming traffic from the Internet and incoming traffic from other nodes on the LAN, ICF and networks don't play well together. No other computer on the network can access a computer that's running ICF. (You can configure ICF to open certain ports for specific operating-system services, but the process is complicated even for a knowledgeable user.)

One way to overcome the access problem caused by this primitive firewall is to use two network cards in the PC that is managing the broadband Internet connection sharing (usually the default setup for cable modems). One NIC connects to the cable or DSL modem and has ICF enabled. The other, connected to your network, has ICF disabled.

Another alternative, if the networked computers and the modem are all plugged into the same hub, is to install a protocol other than TCP/IP for home networking. NetBEUI is available on all the earlier consumer versions of Windows and takes only a few clicks to install. Windows XP doesn't list NetBEUI as an available protocol, but the Windows XP CD has the files you need in the Valueadd\MSFT\Net\NetBEUI subfolder. Copy Nbf.sys to the Windows\System32\Drivers folder and copy Netnbf.inf to the Windows\Inf folder. In the Control Panel, open Network Connections and then the Properties dialog for the network card. On the General tab, choose Install | Protocol | Add, and then select NetBEUI as the new protocol. ICF will continue to block TCP/IP traffic, but NetBEUI will handle local network communications.

The best option is to disable ICF and purchase a router with a built-in firewall or install a third-party firewall, such as Norton Internet Security 2002 or Sygate Personal Firewall PRO 4.2. You can configure these firewalls to allow access by other computers on the network.

Help Files?

Microsoft used essentially the same help files for the Home Edition and the Professional Edition of Windows XP and in many cases failed to note differences between the two. You may find suggestions for tweaking the OS that don't work under Home Edition. For example, we've had inquiries from people who follow the help instructions for implementing roaming profiles but can't find the necessary options. In our check of the help pages, none indicated that roaming profiles work only with Windows XP Professional running on a client/server network. Clarity suffers in a number of other sections because Microsoft failed to remove instructions that don't apply.

By: MRA - 06/2002