How to Use and Secure Windows 7 HomeGroup

Essential tips and techniques for small businesses

Russell Smith

January 16, 2012

8 Min Read

New in Windows 7, HomeGroup makes it easy for novices and systems administrators to network Windows 7 PCs on a LAN without a domain controller (DC) and to share resources such as printers and files. Although intended primarily for consumers, HomeGroup is also useful in small-business situations, in which there might not be ready access to IT support.

HomeGroup Protocol

The Microsoft HomeGroup protocol is published as an open specification. It relies on peer-to-peer (P2P) networking and the Web Services on Devices (WSD) protocol to publish and discover resources on a local subnet, without a client/server infrastructure. IPv6 P2P graphing, facilitated by the Peer Name Resolution Protocol (PNRP), allows computers to locate one another without a DHCP version 6 (DHCPv6) server. PNRP also replaces the NetBIOS names and master browser that were the mainstays of Windows for Workgroups (WFW) networking for years.

When Windows 7 creates a HomeGroup, it establishes a secure PeerGroup so that Windows 7 nodes on the local subnet can find and communicate securely with one another. XML WSD messages of different types advertise the existence of the HomeGroup and other information, such as the peer IDs that uniquely identify each computer in the PeerGroup, the credentials for the HomeGroupUser$ account, shared printers, and the MAC addresses that are registered for a device. Messages are signed, and sensitive information is encrypted, to help protect against rogue computers that might advertise services on the local subnet. A 256-bit Advanced Encryption Standard (AES) key is derived from a Secure Hash Algorithm (SHA)-256 hash of the PeerGroup name, salted with the HomeGroup password so that the resulting key is unique to that HomeGroup; a node that does not know the password cannot derive the key, so the strength of the HomeGroup password is what keeps a sniffer on the subnet away from the protected content. This AES key encrypts the HomeGroup credentials messages and the 2048-bit RSA public/private key pair that the initiator of the HomeGroup creates; the RSA private key is used to sign WSD messages, ensuring their integrity. When a computer receives a HomeGroup WSD message, that message is cached so that the information doesn't need to be rediscovered unless a change is advertised.
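The following PowerShell script is an added example; it is not code from this article, from Microsoft, or from the HomeGroup protocol specification. It reproduces the shape of the scheme described above so that the moving parts are visible: an AES-256 key derived from SHA-256 over the PeerGroup name salted with the HomeGroup password, that key protecting a credentials message, and an RSA-2048 key held by the initiator signing the message. The exact salt layout (name followed by password, encoded as UTF-16LE), the message content, and the encrypt-then-sign ordering are assumptions made for the illustration; the real protocol defines its own encodings. The function names are the example's own. It runs on Windows 7 PowerShell 2.0 with .NET 3.5 and later.

```powershell
# Added example, not the article's or Microsoft's code. Assumptions are marked ASSUMED.

function Get-PeerGroupAesKey {
    param([string]$PeerGroupName, [string]$HomeGroupPassword)
    # ASSUMED layout: UTF-16LE(name) || UTF-16LE(password). The 32-byte digest is the AES-256 key.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PeerGroupName + $HomeGroupPassword)
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $key = $sha.ComputeHash($bytes)
    $sha.Clear()
    return ,$key
}

function New-RsaProvider {
    # Provider type 24 (Microsoft Enhanced RSA and AES) is required for SHA-256 signatures on .NET 3.5.
    $csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
    $rsa.PersistKeyInCsp = $false   # ephemeral demo key; do not leave it in the machine key store
    return $rsa
}

function Protect-Message {
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256; $aes.Key = $Key; $aes.GenerateIV()   # CBC with PKCS7 padding (defaults)
    $enc = $aes.CreateEncryptor()
    $ct = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # IV travels in front of the ciphertext so the receiver can decrypt
    return ,[byte[]]($aes.IV + $ct)
}

function Unprotect-Message {
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256; $aes.Key = $Key
    $aes.IV = [byte[]]($Blob[0..15])
    $dec = $aes.CreateDecryptor()
    try {
        return ,$dec.TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong key: the PKCS7 padding check fails (in all but ~1/256 of cases). A rogue node
        # that sniffed the message but lacks the HomeGroup password lands here.
        return $null
    }
}

# --- Walk-through with constructed values (not real HomeGroup data) ---
$groupName = 'HomeGroup-Example'
$password  = 'Ab12-Cd34-Ef56'
$message   = [System.Text.Encoding]::Unicode.GetBytes('HomeGroupUser$ credential blob (constructed)')

# Initiator: derive the group key, encrypt the credentials message, sign the ciphertext
$key       = Get-PeerGroupAesKey $groupName $password
$blob      = Protect-Message $key $message
$initiator = New-RsaProvider
$signature = $initiator.SignData($blob, 'SHA256')
$publicKey = $initiator.ToXmlString($false)     # public half only, as a joiner would receive it

# Legitimate member: verify the signature with the initiator's public key, then decrypt
$verifier = New-RsaProvider
$verifier.FromXmlString($publicKey)
'Signature valid:    ' + $verifier.VerifyData($blob, 'SHA256', $signature)
$plain = Unprotect-Message (Get-PeerGroupAesKey $groupName $password) $blob
'Decrypted message:  ' + [System.Text.Encoding]::Unicode.GetString($plain)

# Tampered message: one flipped ciphertext byte breaks the signature
$tampered = [byte[]]$blob.Clone()
$tampered[20] = $tampered[20] -bxor 1
'Tampered accepted:  ' + $verifier.VerifyData($tampered, 'SHA256', $signature)

# Rogue node: knows the (advertised) group name but not the password
$rogue = Unprotect-Message (Get-PeerGroupAesKey $groupName 'wrong-password') $blob
'Rogue decrypt:      ' + $(if ($rogue -eq $null) { 'failed (wrong key)' } else { 'padding happened to validate; output is garbage' })
```

The point the walk-through makes is the one a practitioner cares about: because the PeerGroup name is advertised on the subnet, the only secret in the key derivation is the HomeGroup password, so the confidentiality of the credentials message is exactly as good as that password. The signature check, not the decryption, is what detects a tampered or rogue-originated message, which is why the integrity step runs first.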

Server Message Block (SMB) 2.1, the standard protocol for Windows file servers, is used to transfer files between computers. Users don't need to enter credentials when accessing resources on other computers in a HomeGroup, because the HomeGroupUser$ account and a group called HomeUsers simplify access to shared resources on behalf of the logged-on user.

Setting Up or Joining a HomeGroup

All editions of Windows 7 can join a HomeGroup, but only the Windows 7 Home Premium, Professional, Enterprise, and Ultimate SKUs can create one. A simple wizard is activated when a user connects to a new home network; if an existing HomeGroup is not detected, the user is prompted to set up a new HomeGroup and share default libraries such as Documents and Videos. If the computer is joined to a domain, the user can opt to participate in an existing HomeGroup, if one is detected on the local network.

HomeGroup is not available when the network location is set to Public (which places Windows Firewall in its Public profile), so the feature is no good for those who want to share files ad hoc with users on a public WiFi hotspot. (Apple's AirDrop feature has one up on Windows for the time being, providing an easy way to share files with unknown devices over public networks, similar to Bluetooth file sharing.) The Home and Work locations both map to the firewall's Private profile. When setting the network location to Home, you can skip joining a HomeGroup by clicking Cancel on the Join a Homegroup screen (which Figure 1 shows), and the firewall profile will still be set accordingly.

Figure 1: Joining a HomeGroup 

HomeGroup and ACLs

When a user shares a library, Windows modifies the ACLs on the folders that are part of that library. Figure 2 shows that the user (named user in the figure) who joins a HomeGroup has a new ACL entry for the HomeUsers group on his or her user profile folder. This entry grants traverse permission on the first level of the folder only.

Figure 2: HomeUsers ACL 

If you look at this user's Documents folder, you will see that the HomeUsers group has been given Read access. When a HomeGroup is created, all local user accounts are added to the HomeUsers group. When a new local user account is created, it's automatically added to the HomeUsers group. Unless the default configuration is changed, all local users can access the folders of any other local users that have shared folders in a HomeGroup.

The HomeGroup setup wizard allows users to share their default libraries, but more granular configuration can be achieved by using Windows Explorer's Share with menu. You can select single or multiple folders and then disable sharing (by selecting Nobody from the Share with menu) or enable Read or Read/Write access. Read access is the default permission given to libraries that are shared in a HomeGroup. If you choose to use the Share with menu to grant Read/Write access, be aware that HomeGroup users will actually get Full Control (i.e., they can also delete files).

When you create or join a HomeGroup, you should use Windows Explorer -- not the Security tab on a file's or folder's Properties dialog box -- to manage ACLs. The Share with menu also has an option to share with Specific people. Under the default Windows configuration, only local user accounts and groups can be selected. If you want to share with a specific remote user, then that user must have an account on the local computer whose username and password match those set on the remote computer. As Figure 3 shows, the Advanced sharing settings screen in the Network and Sharing Center allows you to configure a HomeGroup to use user accounts and passwords instead of HomeGroupUser$.

Figure 3: Advanced sharing settings 

The HomeGroup system service is responsible for maintaining HomeGroup configuration, including ACLs on shared folders. When you remove a computer from a HomeGroup, all previously added ACLs are removed.
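The following PowerShell script is an added example, not code from this article or from Microsoft. It audits the ACL footprint described above on one Windows 7 computer: who is in the HomeUsers group, and which profile and library folders carry an access control entry for that group, flagging entries that allow writing or deleting. It assumes the Windows 7 defaults (profiles under C:\Users, the group named HomeUsers, the four default library folders); the function names are the example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's or Microsoft's code. Audits HomeUsers membership and ACEs.

function Get-HomeUsersMembers {
    # Local group membership via the WinNT ADSI provider; works on a workgroup machine.
    $group = [ADSI]'WinNT://./HomeUsers,group'
    foreach ($m in $group.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Get-HomeUsersAccess {
    param([string]$UsersRoot = 'C:\Users')   # ASSUMED default profile root
    $libraries = 'Documents', 'Pictures', 'Music', 'Videos'

    # Every profile folder plus the default library folders inside it
    $targets = @()
    foreach ($profile in (Get-ChildItem $UsersRoot | Where-Object { $_.PSIsContainer })) {
        $targets += $profile.FullName
        foreach ($lib in $libraries) {
            $p = Join-Path $profile.FullName $lib
            if (Test-Path $p) { $targets += $p }
        }
    }

    foreach ($path in $targets) {
        $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # folder we cannot read; skip rather than fail
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -notlike '*\HomeUsers') { continue }
            $rights = $ace.FileSystemRights.ToString()
            New-Object PSObject -Property @{
                Path        = $path
                Rights      = $rights
                # InheritanceFlags "None" means the ACE applies to this folder only,
                # which is the one-level traverse entry on the profile folder
                Inheritance = $ace.InheritanceFlags.ToString()
                Inherited   = $ace.IsInherited
                # Read/Write sharing shows up as FullControl here, which includes Delete
                CanWrite    = ($rights -match 'FullControl|Modify|Write|Delete')
            }
        }
    }
}

'HomeUsers members: ' + ((Get-HomeUsersMembers) -join ', ')
Get-HomeUsersAccess | Sort-Object Path | Format-Table Path, Rights, Inheritance, Inherited, CanWrite -AutoSize
```

Any row with CanWrite set to True on another user's library is a folder that every member of HomeUsers, which by default means every local account, can modify or delete from. Fix it the way the article recommends, through the Share with menu (Nobody or Read) on that folder, rather than by editing the Security tab, so that the HomeGroup service's view of the ACLs stays consistent with what is on disk.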

Domains and HomeGroup

Domain-joined computers cannot create HomeGroups but can participate in a HomeGroup that is set up on another Windows 7 computer. To join an existing HomeGroup, the user must first ensure that the network location (and therefore the Windows Firewall profile) is set to Home. In Windows 7, domain users don't need to elevate privileges to change the network location. (You can alter this behavior by enabling the "Require domain users to elevate when setting a network's location" Group Policy setting under Computer Configuration, Administrative Templates, Network, Network Connections in Group Policy Editor.)

For security reasons, domain users and local users of domain-joined computers cannot share resources. If a non-domain computer creates or participates in a HomeGroup, any shared resources on that computer will be disabled if the computer later joins a domain.

HomeGroup Troubleshooting Checklist

Only one HomeGroup can be present on a subnet, and a Windows 7 computer can be a member of only one HomeGroup. If you want to join a HomeGroup on a different LAN, you first need to remove the device from its existing HomeGroup. Only disks that are formatted with NTFS can be shared in a HomeGroup, so that excludes CD-ROMs or DVD-ROMs and FAT-based file systems. If you have trouble establishing a HomeGroup, take these steps:

  • Ensure that Windows Firewall is correctly configured. Setting the network location to Home (the Private firewall profile) should be enough for automatic configuration. (You can find full details of HomeGroup firewall requirements in the Microsoft document "HomeGroup and Firewall Interaction.")

  • Check the local NIC settings to make sure that IPv6 is enabled.

  • Verify that multicast traffic is allowed on the local subnet and is supported by network adapters and other networking equipment, such as routers and switches.

  • Determine whether third-party security software is blocking HomeGroup communications.

  • Have patience. It might take a minute or two after a device has booted for other machines in the HomeGroup to appear in Windows Explorer.

If you need to troubleshoot further, Netsh has some useful switches. For example, use the following command to establish whether your PeerGroup is accessible:

netsh p2p pnrp cloud show names 

The output in Figure 4 shows two PNRP clouds. The Global_ cloud is of no interest; only the LinkLocal cloud is relevant to the HomeGroup. The output shows IPv6 addresses and P2P data for the local network adapter, and you can see that the PeerGroup is up and running. The context netsh p2p pnrp diag also contains useful ping and traceroute troubleshooting commands. But as long as your local network meets the basic requirements for Windows HomeGroup, you'll seldom need to use the advanced troubleshooting commands that Netsh provides.
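The following PowerShell script is an added example, not code from this article or from Microsoft. It runs the checklist above, and the Netsh check just described, as one script on the Windows 7 computer that cannot see the HomeGroup: active firewall profile, IPv6 on the IP-enabled adapters, the state of the HomeGroup and peer-networking services, the built-in HomeGroup firewall rules, and the PNRP cloud output. The service names and the "HomeGroup" rule-name prefix are those of the Windows 7 default configuration; the Netsh text parsing assumes English output. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's or Microsoft's code. Runs the HomeGroup troubleshooting checklist.

function Test-HomeGroupPrerequisites {
    $r = @{}

    # 1. Firewall profile. The Home (and Work) network location maps to the Private profile.
    $profileText = (netsh advfirewall show currentprofile) -join "`n"
    $r.ActiveProfiles = @([regex]::Matches($profileText, '(\w+) Profile Settings') |
        ForEach-Object { $_.Groups[1].Value })
    $r.FirewallProfileOk = ($r.ActiveProfiles -contains 'Private')

    # 2. IPv6 bound on at least one IP-enabled adapter; PNRP does not work without it.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $r.IPv6Adapters = @($cfg |
        Where-Object { @($_.IPAddress | Where-Object { $_ -match ':' }).Count -gt 0 } |
        ForEach-Object { $_.Description })
    $r.IPv6Ok = ($r.IPv6Adapters.Count -gt 0)

    # 3. Services HomeGroup and PNRP depend on (Windows 7 service names). Several are
    #    demand-start, so "stopped" is normal before a HomeGroup has been joined.
    $names = 'HomeGroupListener', 'HomeGroupProvider', 'PNRPsvc', 'p2pimsvc', 'p2psvc', 'fdPHost', 'FDResPub'
    $r.StoppedServices = @(Get-Service -Name $names -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } | ForEach-Object { $_.Name })

    # 4. Built-in firewall rules whose names start with "HomeGroup", and whether each is enabled.
    #    Third-party security software that replaces Windows Firewall will show no rules here.
    $rules = @(); $name = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(HomeGroup.*)$') { $name = $Matches[1].Trim() }
        elseif ($name -and $line -match '^Enabled:\s+(\w+)') {
            $rules += New-Object PSObject -Property @{ Name = $name; Enabled = $Matches[1] }
            $name = $null
        }
    }
    $r.HomeGroupRules = $rules
    $r.RulesOk = ($rules.Count -gt 0) -and (@($rules | Where-Object { $_.Enabled -ne 'Yes' }).Count -eq 0)

    # 5. PNRP clouds and registered names: the same output the article walks through in Figure 4.
    $r.PnrpClouds = (netsh p2p pnrp cloud show list) -join "`n"
    $r.PnrpNames  = (netsh p2p pnrp cloud show names) -join "`n"
    $r.LinkLocalCloudSeen = ($r.PnrpNames -match 'LinkLocal')

    return New-Object PSObject -Property $r
}

$check = Test-HomeGroupPrerequisites
$check | Format-List FirewallProfileOk, ActiveProfiles, IPv6Ok, IPv6Adapters, StoppedServices, RulesOk, LinkLocalCloudSeen
$check.HomeGroupRules | Format-Table Name, Enabled -AutoSize
$check.PnrpClouds
```

Read the results in the order of the checklist: a Public profile or no IPv6 adapter explains everything that follows, a missing or disabled HomeGroup rule points at the firewall or at third-party security software, and a LinkLocal cloud with no registered names after a couple of minutes points at multicast being filtered somewhere on the subnet.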

Figure 4: Troubleshooting with Netsh

Proceed with Caution

Anyone who has ever dealt with NetBIOS or WINS knows how frustrating even the simplest of networking jobs can be in a WFW scenario and how troubleshooting such scenarios requires a fair amount of background technical know-how. Windows 7 HomeGroup is a welcome addition to the OS and should make simple P2P networking an easy task for both administrators and non-technical users.

The implementation of HomeGroup using IPv6, WSD, and SMB is fundamentally sound. So long as your wireless network uses WPA2 encryption with a strong passphrase, you can run a HomeGroup over a wireless network with confidence that you aren't increasing the risk of data being sniffed over the airwaves; keep the HomeGroup password itself strong too, because the key that protects HomeGroup credentials is derived from it. However, you should watch out for local ACL issues, in which local computer users might gain access to other local users' files. HomeGroup isn't intended to be a business-grade solution, so be sure that you fully understand the potential security implications if local user accounts are in use.
