With the computers being made available for the clients, it is necessary to introduce a security facility to prevent them access to our files, and to prevent them from being able to update the systems.

Windows 2000 allows you to define separate users and groups, and to assign certain permissions and rights to each user, or group of users. For instance, a member of the users group can perform most of the tasks necessary to do his or her job, such as logging on to the computer, creating files and folders, running programs, and saving changes to files. However, only a member of the Administrators group can add users to groups, change passwords, or modify system settings. 

Earls Court Set-up

User Security

When the Windows system is installed certain users are already defined with their permissions. These have not been modified but the passwords have been changed to prevent illegal use of these usernames. We have then created two new users Admin and Client. The former is for use by ECCP staff only. The latter for all other users.

The Admin User has been made a member of the administrators group with full permissions. As a result, the administrator can install programs and printers, modify the system settings and access files on other machines across the network using the default administrative shares. (For file sharing restrictions see File sharing Overview).

The Client user is a general user who has only guest facilities on the machine. This prevents non-ECCP staff from abusing the system. If users require any specific software, you will have to install it for them and amend the program start-up groups accordingly.

Each machine has also been modified to force a logon screen with the ctl/alt/del key. So you need to Logon every time. 

Start program Security

When you click on the start button and select programs the list of program groups displayed consists of the files, shortcuts and folders in the Documents and Settings\Start menu\All Users folder merged with those in the Documents and Settings\Start menu\<user logged on> Folder. What has been done here is to clear all the separate user folders and move all available functions to the 'All users' folder. Then specific Earls Court administrative functions have been created in the Documents and Settings\Start menu\Admin Folder. This means that only user Admin will see certain facilities such as web tools and Internet Management. (For details of how to add to these groups, please see the Software Installation section)

Folder security

Do not create network shares on any of the machine. If you are logged onto User admin you can access the other machine using the drive administrative shares, i.e. c$ for the C drive and d$ for the d drive. These are not seen in the attach network drive screen, but they do exist, and you will have to specify them manually.

The folder My documents for user Admin has a specific exclusion for user client. In Addition, a folder has been created within this folder called ECCP_Documents.  This has a similar exclusion. In both cases the user client when logged onto a machine can see the existence of these folders, but cannot open them. Please place any temporary files in the My documents folder, and any permanent files (these will eventually be backed up) in the My documents\ECCP_Documents folder.

There is additionally on the Administration machine in the office, i.e. that with the mail service and CD/RW drive a folder called ECCP_Backup. This is used for the periodic backup of files and is has a similar exclusion.