CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [270]
Techs and Permissions
Techs, as a rule, hate NTFS permissions. You must have administrative privileges to do almost anything on a Windows machine, such as install updates, change drivers, and install applications; most administrators hate giving out administrative permissions (for obvious reasons). If one does give you administrative permission for a PC, and something goes wrong with that system while you’re working on it, you immediately become the primary suspect!
If you’re working on a Windows system administered by someone else, make sure he understands what you are doing and how long you think it will take. Have the administrator create a new account for you that’s a member of the Administrators group. Never ask for the password for a permanent administrator account! That way, you won’t be blamed if anything goes wrong on that system: “Well, I told Janet the password when she installed the new hard drive…maybe she did it!” When you have fixed the system, make sure the administrator deletes the account you used.
This “protect yourself from passwords” attitude applies to areas other than just doing tech support on Windows. PC support folks get lots of passwords, scan cards, keys, and ID tags. New techs tend to get an “I can go anywhere and access anything” attitude, and this is dangerous. I’ve seen many jobs lost and friendships ruined when a tape backup suddenly disappears or a critical file gets erased. Everybody points to the support tech in these situations. In physical security situations, make other people unlock doors for you. In some cases, I’ve literally asked the administrator or system owner to sit behind me, read a magazine, and be ready to punch in passwords as needed. What you don’t have access to can’t hurt you.
Sharing a Windows PC Securely
User accounts, groups, and NTFS work together to enable you to share a Windows PC securely with multiple user accounts. You can readily share files, folders, programs, and more. More to the point, you can share only what should be shared, locking access to files and folders that you want to make private. Each version of Windows handles multiple user accounts and sharing among those accounts differently, so let’s look at Windows 2000, Windows XP, and Windows Vista separately and then finish with a look at a few other security issues involving sharing.
Sharing in Windows 2000
Every user account on a Windows 2000 computer gets a My Documents folder, the default storage area for personal documents. That sounds great, but every account that’s a member of the Administrators group can view the contents of everybody’s My Documents folder, by default.
A typical way to create a secure shared Windows 2000 computer is to change the permissions on your My Documents folder to give yourself full control, but take away the permissions that allow other accounts access. You also should not create user accounts that go beyond Power Users or even Standard Users.
Finally, make a folder for people to share so that moving files to and from accounts is easy. A typical example would be to create a folder on the C: drive called Shared and then alter the permissions, giving full control to everyone.
To make changes to the permissions on folders, right-click the folder and select Sharing to open the Properties dialog box with the Sharing tab already selected (Figure 16-28). Click the Share this folder check box and change the options to what you want.
Figure 16-28 Sharing tab on Properties for the Shared folder
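The same two steps (a private documents folder and a common Shared folder) can be scripted. The following is an added example, not from the book: it assumes a current Windows system with PowerShell 5.1 or later (Windows 2000 did not include PowerShell), an elevated prompt opened as the account that owns the documents folder, and C:\Shared as the common folder.

```powershell
# Added example; run elevated. $Owner, $PrivatePath and $SharedPath are assumptions to adjust.
$Owner       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$PrivatePath = [Environment]::GetFolderPath('MyDocuments')
$SharedPath  = 'C:\Shared'
# Well-known SID for Everyone, so the script also works on non-English Windows.
$Everyone    = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Build an "allow Full Control" entry that applies to the folder, subfolders and files.
function New-FullControlRule($Identity) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'FullControl', $inherit, $prop, $allow)
}

# 1. Private folder: stop inheriting from the parent, drop the explicit
#    entries, and leave a single entry granting the owner Full Control.
$acl = Get-Acl -Path $PrivatePath
$acl.SetAccessRuleProtection($true, $false)   # protected; inherited entries discarded
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$acl.AddAccessRule((New-FullControlRule $Owner))
Set-Acl -Path $PrivatePath -AclObject $acl

# 2. Shared folder: create it if needed and give Everyone Full Control.
New-Item -ItemType Directory -Path $SharedPath -Force | Out-Null
$acl = Get-Acl -Path $SharedPath
$acl.AddAccessRule((New-FullControlRule $Everyone))
Set-Acl -Path $SharedPath -AclObject $acl

# 3. Check the result: the private folder should list only $Owner,
#    and the shared folder should include an Everyone entry.
foreach ($p in $PrivatePath, $SharedPath) {
    (Get-Acl -Path $p).Access |
        Select-Object @{ n = 'Path'; e = { $p } },
                      IdentityReference, FileSystemRights, IsInherited
}
```

Removing the Administrators entry stops casual browsing only: a member of the Administrators group can still take ownership of the folder and rewrite its permissions.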
Sharing in Windows XP
Microsoft tried to make Windows XP easier to share securely than previous versions of Windows. To this end, they included several features. First, just as with Windows 2000, each user account gets a series of folders in My Documents that the user can share and administrators can access. But Windows XP also comes with a set of pre-made folders called Shared Documents accessible by all of the users on the computer. Also, Windows XP comes with simple file sharing