How to configure the Windows XP/2003 security settings to allow one computer to be administered from another computer
To administer Windows XP Professional and Windows 2003 computers from another computer on the network, e.g. with Sophos Control Center or Enterprise Console, the security setting 'Network access: Sharing and security model for local accounts' may need to be changed.
Using 'Network access: Sharing and security model for local accounts'
If the computer is not joined to a domain, i.e. it is a single computer or part of a workgroup, when you change this setting you will also modify the Sharing and Security tabs in Windows Explorer. These will then correspond to the new sharing and security model.
Guest only
- If 'Network access: Sharing and security model for local accounts' is set to 'Guest only', anyone connecting to the computer remotely will be given the same level of access as the Guest account. They will not be able to perform any administrative tasks remotely.
- If the computer is not joined to a domain, this sharing and security model will allow shared folders to be accessed by everybody, with either 'full' or 'read-only' access. Access to shared folders can be restricted to users of a computer.
Classic
- If 'Network access: Sharing and security model for local accounts' is set to Classic, anyone connecting to the computer remotely will be allocated a level of access according to their user credentials on the remote computer.
- If the computer is not joined to a domain, this sharing and security model will allow shared folders to be accessed either by everybody, or by specific users. If the file system is NTFS, file and folder permissions can give even greater control over shared resources.
What to do
To set the sharing and security model to Classic, do as follows. Reverse this change to set it to 'Guest only'.
Windows XP Professional
- go to Administrative Tools and select 'Local Security Policy'
- select 'Local Policies|Security Options|Network access: Sharing and security model for local accounts'
- select 'Classic - local users authenticate as themselves'
- click 'OK'.
Windows 2003 member server
- go to Administrative Tools and select 'Local Security Policy'
- select 'Local Policies|Security Options|Network access: Sharing and security model for local accounts'
- enable 'Define this policy setting:'
- select 'Classic - local users authenticate as themselves'
- click 'OK'.
Windows 2003 domain controller
- go to Administrative Tools and select 'Domain Controller Security Policy'
- select 'Local Policies|Security Options|Network access: Sharing and security model for local accounts'
- tick 'Define this policy setting:'
- select 'Classic - local users authenticate as themselves'
- click 'OK'.