Windows 7 Sharing - Security vs Usability

PeteJB · 06 Mar 2014

Hi All,

I have a server running Windows 7 and wish to share out files to various users on my home network.

There is a mix of Windows 7 and OSX machines.

I have created local userid's on the server, and allocated the appropriate shares to the appropriate users. For ease of use I create local userid's with the same details as the user is using on their computer (ie: username and password).

This works ok, however, this means that my server security is now compromised in that the local userid's could be used for local access (or RDP access) to the server...also I prefer not to see the extra userid's on the windows login page.

I have considered using different passwords for the users on the server and me inputting the password when the share is first set up on the client machine and will do so if needs be, however, I was wondering if there is another solution that I may be missing. Tried setting the userid's to disabled, but that seemed to cause some issues with OSX clients.

Pete

UsernameIssues · 07 Mar 2014

Welcome to the Seven Forums.

> I have created local userid's on the server...
If those users are standard accounts (not admins), then they should not be able to use RDC/RDP to remote into the server unless you specifically tell the server to allow such. Let's user a user account named user1 as an example:

user1 can be a standard account on the server
user1 can be an admin account on the client
user1 cannot normally* use Remote Desktop Connections to RDP into the server.
By default, only admin accounts can do that.

*Give it a test and let us know what you see

> also I prefer not to see the extra userid's on the windows login page
You can hide them by modifying the registry.
But first, manually create a restore point: System Restore Point - Create

Then, create and merge a reg file using this content:

HIDE users.reg

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"user1"=dword:00000000
"user2"=dword:00000000

Change user1 to the name of the account that you wish to hide.
Repeat for each account name of interest.

UNHIDE users.reg

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

Note: the AutoAdminLogon entry is to turn off automatically logging an admin account in. If no password was assigned to the admin account during the Windows installation, the AutoAdminLogon key is set to "1". Adding a password to that first admin account does not always set AutoAdminLogon to "0".

If AutoAdminLogon stays at "1", then a logon error may occur each time that the computer is restarted.