Overview of All Groups in Windows XP
Groups displays all built-in groups as well as groups you create. The
built-in groups are created automatically when you install
Windows XP. Belonging to a group gives a user the rights and
abilities needed to perform various tasks on the computer.
Administrators
Members of the Administrators group have the largest amount of default
permissions and the ability to change their own permissions.
Adding users to the Users group is the most secure option, because the default
permissions allotted to this group do not allow members to modify operating
system settings or other users' data. However, user-level permissions often do
not allow the user to successfully run legacy applications. The members of the
Users group are only guaranteed to be able to run programs that have been
certified for Windows.
Ideally, administrative access should only be used to:
- Install the operating system and components (such as hardware drivers,
system services, and so on).
- Install Service Packs and Windows Packs.
- Upgrade the operating system.
- Repair the operating system.
- Configure critical operating system parameters (such as password policy,
access control, audit policy, kernel mode driver configuration, and so on).
- Take ownership of files that have become inaccessible.
- Manage the security and auditing logs.
- Back up and restore the system.
In practice, Administrator accounts often must be used to install and run
programs written for versions of Windows prior to Windows XP.
Backup Operators
Members of the Backup Operators group can back up and restore files on the
computer, regardless of any permissions that protect those files. They can
also log on to and shut down the computer, but they cannot change security
settings.
Caution
- Backing up and restoring data files and system files requires
permissions to read and write those files. The same default permissions
granted to Backup Operators that allow them to back up and restore files
also make it possible for them to use the group's permissions for other
purposes, such as reading another user's files or installing Trojan horse
programs. Group Policy settings can be used to create an environment in
which Backup Operators can run only a backup program.
Power Users
Members of the Power Users group can create user accounts, but can modify and
delete only those accounts they create. They can create local groups and
remove users from local groups they have created. They can also remove users
from the Power Users, Users, and Guests groups.
They cannot modify the
Administrators or Backup Operators groups, nor can they take ownership of
files, back up or restore directories, load or unload device drivers, or
manage the security and auditing logs.
The Power Users group primarily provides backward compatibility for running
non-certified applications. The default permissions that are allotted to this
group allow its members to modify computer-wide settings. If
non-certified applications must be supported, then end users will need to be
part of the Power Users group.
Members of the Power Users group have more permissions than members of the
Users group and fewer than members of the Administrators group. Power Users
can perform any operating system task except tasks reserved for the
Administrators group. The default Windows XP Professional security settings
for Power Users are very similar to the default security settings for Users in
Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power
User can run in Windows XP Professional.
Power Users can:
- Run legacy applications, in addition to Windows XP Professional
certified applications.
- Install programs that do not modify operating system files or install
system services.
- Customize system-wide resources, including printers, date, time, power
options, and other Control Panel resources.
- Create and manage local user accounts and groups.
- Stop and start system services that are not started by default.
Power Users do not have permission to add themselves to the Administrators
group. Power Users do not have access to the data of other users on an NTFS
volume, unless those users grant them permission.
Caution
- Running legacy programs on
Windows XP Professional often requires you to modify access
to certain system settings. The same default permissions that allow Power
Users to run legacy programs also make it possible for a Power User to gain
additional privileges on the system, even complete administrative control.
Therefore, it is important to deploy certified
Windows XP Professional programs in order to achieve maximum
security without sacrificing program functionality. Programs that are
certified can run successfully under the Secure configuration provided by
the Users group.
- Since Power Users can install or modify programs, running as a Power
User when connected to the Internet could make the system vulnerable to
Trojan horse programs and other security risks.
Users
Members of the Users group can perform most common tasks, such as running
applications, using local and network printers, and shutting down and locking
the workstation. Users can create local groups, but can modify only the local
groups that they created. Users cannot share directories or create local
printers.
The Users group is the most secure, because the default
permissions allotted to this group do not allow members to modify operating
system settings or other users' data.
The Users group provides the most secure environment in which to run
programs. On a volume formatted with NTFS, the default security settings on a
newly installed system (but not on an upgraded system) are designed to prevent
members of this group from compromising the integrity of the operating system
and installed programs.
Users cannot modify system-wide registry settings, operating system files, or
program files. Users can shut down workstations, but not servers. Users can
create local groups, but can manage only the local groups that they created.
They can run certified
Windows XP Professional programs that have been installed or
deployed by administrators. Users have Full Control over all of their own data
files (%userprofile%) and their own portion of the registry
(HKEY_CURRENT_USER).
However, user-level permissions often do not allow the user to successfully
run legacy applications. Members of the Users group are guaranteed only to
be able to run Certified for Windows applications.
To secure a
Windows XP Professional system, an administrator should:
- Make sure that end users are members of the Users group only.
- Deploy programs that members of the Users group can run successfully,
such as certified
Windows XP Professional programs.
Users will not be able to run most programs written for versions of Windows
prior to Windows 2000, because they did not support file system and registry
security (Windows 95 and Windows 98) or shipped with lax default security
settings (Windows NT). If you have problems running legacy applications on
newly installed NTFS systems, then do one of the following:
- Install new versions of the applications that are certified for
Windows 2000 or
Windows XP Professional.
- Move end users from the Users group into the Power Users group.
- Decrease the default security permissions for the Users group. This can
be accomplished by using the Compatible security template.
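As an added example (not part of the original article), the following PowerShell script checks the first recommendation above by listing every user account that holds membership in Administrators, Power Users or Backup Operators, the built-in groups the article ranks above Users. It assumes PowerShell 2.0 or later on the host, the ADSI WinNT provider, and an assumed allow-list of expected privileged members.

```powershell
# Added example, not code from the original article. Reports user accounts
# found in the privileged built-in local groups so that "end users are
# members of the Users group only" can be verified on a Windows XP host.
# Assumes PowerShell 2.0+ and the ADSI WinNT provider.

$privilegedGroups = 'Administrators', 'Power Users', 'Backup Operators'

# Accounts whose privileged membership is expected (assumed baseline; adjust
# per host, e.g. if the built-in Administrator account has been renamed).
$allowed = @{
    'Administrators'   = @('Administrator')
    'Power Users'      = @()
    'Backup Operators' = @()
}

function Get-LocalGroupMember {
    param([string]$GroupName, [string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Invoke('Members') returns raw COM objects; read their properties by reflection.
    foreach ($m in @($group.Invoke('Members'))) {
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Group = $GroupName
            Name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

# Only direct user members are flagged; nested groups show up with Class 'Group'.
$findings = foreach ($g in $privilegedGroups) {
    Get-LocalGroupMember -GroupName $g |
        Where-Object { $_.Class -eq 'User' -and $allowed[$g] -notcontains $_.Name }
}

if ($findings) {
    Write-Warning 'User accounts holding more than Users-level membership:'
    $findings | Format-Table Group, Name, Path -AutoSize
} else {
    Write-Host 'No unexpected members in Administrators, Power Users or Backup Operators.'
}
```

Run it from an administrative account; reading local group membership through the WinNT provider does not require domain connectivity.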
Guests
The Guests group allows occasional or one-time users to log on to a
workstation's built-in Guest account and be granted limited abilities. Members
of the Guests group can also shut down the system on a workstation.
Replicator
The Replicator group supports directory replication functions. The only member
of the Replicator group should be a domain user account used to log on to the
Replicator service of the domain controller. Do not add the user accounts of
actual users to this group.
Special Groups
Several additional groups are automatically created by Windows 2000 and
Windows XP Professional.
When a Windows 2000 system is upgraded to
Windows XP Professional, resources with permission entries for
the Everyone group (and not explicitly for the Anonymous Logon group) will no
longer be available to anonymous users after the upgrade. In most cases, this is
an appropriate restriction on anonymous access. However, you may need to permit
anonymous access in order to support pre-existing applications that require it.
If you need to grant access to the Anonymous Logon group, you should explicitly
add the Anonymous Logon security group and its permissions.
However, in some situations where it might be difficult to determine and
modify the permission entries on resources hosted on
Windows XP Professional computers, you can change the "Network
access: Let Everyone permissions apply to anonymous users" security setting.
- Interactive. This group contains the user who is currently logged
on to the computer. During an upgrade to
Windows XP Professional, members of the Interactive group will
also be added to the Power Users group, so that legacy applications will
continue to function as they did before the upgrade.
- Network. This group contains all users who are currently accessing
the system over the network.
- Terminal Server User. When Terminal Servers are installed in
application serving mode, this group contains any users who are currently
logged on to the system using Terminal Server. Any program that a user can run
in Windows NT 4.0 will run for a Terminal Server User in
Windows XP Professional. The default permissions assigned to
the group were chosen to enable a Terminal Server User to run most legacy
programs.
Caution
- Running legacy programs in Windows 2000 or
Windows XP Professional requires permission to modify certain
system settings. The same default permissions that allow a Terminal Server
User to run legacy programs also make it possible for a Terminal Server User
to gain additional privileges on the system, even complete administrative
control. Applications that are certified for
Windows XP Professional can run successfully under the secure
configuration provided by the Users group.
- Local accounts created on the local computer are created without passwords
and are added to the Administrators group by default. If this is a concern,
Security Configuration Manager allows you to control membership of the
Administrators group (or any other group) with the Restricted Groups policy.
When Terminal Server is installed in remote administration mode, users logged
on using Terminal Server will not be members of this group.
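The Restricted Groups policy mentioned in the caution above can be applied without Group Policy by means of a security template and secedit. The following PowerShell script is an added example (not from the original article): it writes a template that pins the membership of the local Administrators group (well-known SID S-1-5-32-544) to the built-in Administrator account and applies it. It assumes PowerShell 2.0 or later, an elevated shell, and that the local Administrator account keeps its default name.

```powershell
# Added example, not code from the original article. Enforces local
# Administrators membership with a Restricted Groups security template.
# Assumes PowerShell 2.0+, an administrative shell, and the default
# "Administrator" account name (adjust the __Members line otherwise).

$template = Join-Path $env:TEMP 'restricted-admins.inf'
$database = Join-Path $env:TEMP 'restricted-admins.sdb'
$log      = Join-Path $env:TEMP 'restricted-admins.log'

# [Group Membership] is the Restricted Groups section of a security template.
# "__Members" is enforced exactly: every account not listed is removed from
# the group. An empty "__Memberof" leaves the group's own memberships alone.
# Single-quoted here-string so that $CHICAGO$ is written literally.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator
'@ | Out-File -FilePath $template -Encoding Unicode

# Apply only the group-management area so other security settings are untouched.
secedit /configure /db $database /cfg $template /areas GROUP_MGMT /log $log

# Verify: the Administrators group should now contain only the listed account.
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
@($admins.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

Review the log file before relying on the result; secedit reports per-area success there, and the removal of any account not listed under __Members takes effect immediately.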
01/01/2005 12:42 AM
© Copyright Kelly Theriot MS-MVP(DTS) 2005. All rights reserved.