How can I enable advanced file-system and sharing security for a Windows XP machine in a workgroup?

A. When an XP machine belongs to a domain with shared resources, a Security tab appears on the Properties dialog box for the file, folder, or share. You can use this tab to assign advanced sharing permissions. However, this tab is missing for XP machines that belong to a workgroup.

A new feature in XP effectively logs all remote logons in a workgroup as Guest, regardless of the account and password credentials that the remote computer passes. (This approach avoids the need for different machines in a workgroup to replicate local accounts, which is the method Windows 2000 uses to enable transparent sharing.) XP locks down the Everyone group (of which Guest belongs) permissions, which cuts down on the security problems that existed in Win2K as a result of enabling the Guest account. Because all machines in a workgroup are effectively Guest connections, the advanced security features aren't very useful, which is why Microsoft disabled them in XP.

If you want to enable advanced file-system and sharing security, you must disable the ForceGuest registry setting by performing the following steps:

  1. Start a registry editor (e.g., regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
  3. Double-click forceguest, set it to 0, then click OK.
  4. Restart the computer for the change to take effect.

If you disable the Guest account but enable the ForceGuest setting, remote connections will fail, regardless of what username and password the user passes in--even if these credentials are valid.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.