One of the struggles in building Windows Home Server has been trying to figure out a simple and easy way to deal with usernames (or "Logon names") and passwords, so that accessing information within your home and from outside your home is easy yet secure.
It seems that everybody has an opinion, from the simple - "I don't use passwords" - to the complex - "the first thing my daughter learned was how to type her complex password into the password prompt". So how do you strike a balance between these extremes?
Windows Home Server enables you to define 10 users in the Windows Home Server Console. These users can be granted permissions (Read/Write, Read/Only and No Access) to the Shared Folders on your home server. Additionally, if you enable remote access to your home server, you can decide which of these users can log in to it remotely.
The key thing to remember is that you should create usernames (or "Logon names") on your home server that are the exact same usernames that you use on your home computers. If you have a username "Todd" on your home PC, then you should create a user with a logon name of "Todd" on the Users tab of the Windows Home Server Console. Initially, you should use the same password for "Todd" on the PC and "Todd" on the home server, and Windows Home Server has the ability to help you keep the password on a home computer "in synch" with the password defined on the home server.
There are a few missing pieces in Windows Home Server Beta 2: we have heard that a few people would like to set a default password policy, e.g. either "Simple" or "Complex", with a third setting somewhere in the middle. "Simple" probably means just that - either no password is required or perhaps the minimum is a single character. My password for many years was simply the tilde character (~) until all of this complex password stuff became the norm. And what is a complex password? You will probably have some sort of minimum length (7 or 8 characters) and use a combination of UPPER CASE, lowercase, number5, and symbols!!!. For example, my current password is "WindowsHomeServerBeta2isGreat!!!!butIwishIcouldsetaPasswordPolicy?" (now if you only knew the IP address of my home server ....)
We feel that usernames and passwords are important, especially if you choose to enable remote access on your home server. We know it may be a little bit of a hurdle for someone to figure out the usernames on all of their home computers, but hopefully not too big of a hurdle.
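The two checks described in this post, sketched as an added example (not Windows Home Server code): finding PC logon names that have no same-named server account, and testing a new password against the "Simple" and "Complex" levels. The function names, the 7-character threshold, the one-character reading of "Simple" and the rule that remote-access accounts always need a complex password are assumptions.

```python
import string

COMPLEX_MIN_LEN = 7  # the post says "7 or 8 characters"; 7 is an assumption

def unmet_complex_rules(pw):
    """Return the 'Complex' rules (as described in the post) that pw fails."""
    rules = {
        f"at least {COMPLEX_MIN_LEN} characters": len(pw) >= COMPLEX_MIN_LEN,
        "an upper-case letter": any(c.isupper() for c in pw),
        "a lower-case letter": any(c.islower() for c in pw),
        "a number": any(c.isdigit() for c in pw),
        "a symbol": any(c in string.punctuation for c in pw),
    }
    return [name for name, ok in rules.items() if not ok]

def accept_password(pw, policy, remote_access):
    """Decide at password-set time, the only moment the plaintext is available.
    policy is 'simple' or 'complex'. Assumption: remote-access accounts are
    always held to 'complex', whatever the household default is."""
    if policy == "complex" or remote_access:
        return unmet_complex_rules(pw) == []
    return len(pw) >= 1  # 'Simple' read as a one-character minimum (assumption)

def unmatched_logons(pc_logons, server_logons):
    """List PC logon names with no same-named server account.
    Windows logon names are not case-sensitive, so compare case-folded."""
    known = {name.casefold() for name in server_logons}
    return sorted(
        f"{pc}\\{logon}"
        for pc, logons in pc_logons.items()
        for logon in logons
        if logon.casefold() not in known
    )

# Constructed sample household; the password tested below is the one quoted in the post.
PCS = {"DEN-PC": ["Todd", "Guest1"], "KIDS-PC": ["todd", "Anna"]}
SERVER = ["Todd", "anna"]

if __name__ == "__main__":
    print(unmatched_logons(PCS, SERVER))
    print(accept_password("~", "simple", remote_access=False))
    print(accept_password("~", "simple", remote_access=True))
```
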
Might want to require accounts with Remote Access rights to always have complex passwords.
As long as the console dialogs make reference to the administrator or server password rather than "your password" then I'll be happy.
I think another problem is that you have to create a username at your computer and at your home server. Here I would wish for an Active Directory in a small version for home use, with a small group policy management for password policies.
You're missing another trick, which I put in as a feature request. More granularity.
At the moment, as far as I can see, anyone logging into the web site can see the remote control tab. This is a "bad thing" (tm). Whilst I realise that they need local usernames and passwords on the machines that are remote controllable (and please, please, allow us to add Win2003 servers to that list), showing the option is not reducing the surface area for attack.
I think that you guys are on the right track with your setup, but I think you need to make a few tweaks here. First, please have remote access disabled by default. Make it a check box when the user account is set up, but with a default of no-access.
Secondly, set your basic password options, and then have an advanced tab. (This should be implemented for many areas including sharing.)
With a good user manual and excellent help system, the basic user could have a basic set of security policies. The medium skilled user could up the granularity based on the help manuals. Those who administer 2003 R2 at work might want the full (or most of the) feature set. This could be enabled by a special switch. Maybe each screen defaults to basic access, but has a switch box to up the level to medium and advanced.
As long as you are targeting hobbyists, you might as well target them. :-)
But I certainly wouldn't show the advanced options by default. Don't scare off the basic users.
My take is strong passwords, strong passwords, strong passwords. People should be getting used to using them at home, at work or on their bank websites. I'm also not clear as a new WHS user, if they expire, which I want as well. I know my kids will remember them, especially if they want to get to their games! Otherwise I see Infoworld headlines bashing WHS security weaknesses (they will anyway, but why not make them work for it???).
But what user account are you looking for? I'm one of those running SBS and finding it somewhat overkill. Is WHS looking for local users or domain users (which can have the same "name")? I tried putting domain\username when creating a user in WHS, but it wouldn't accept the \. It seems to be looking for the local user (but I haven't tested this enough).