Essential tips and techniques for small businesses
The Microsoft HomeGroup protocol is an open standard that relies on peer-to-peer (P2P) networking and the Web Services on Devices (WSD) protocol to publish and discover resources on a local subnet, without a client/server infrastructure. IPv6 P2P graphing, facilitated by the Peer Name Resolution Protocol (PNRP), allows computers to locate one another without a DHCP version 6 (DHCPv6) server. PNRP also replaces the NetBIOS names and master browser that were the mainstays of Windows for Workgroups (WFW) networking for years.
When Windows 7 creates a HomeGroup, it establishes a secure PeerGroup so that Windows 7 nodes on the local subnet can find and communicate securely with one another. XML WSD messages of different types advertise the existence of the HomeGroup and other information, such as the peer IDs that uniquely identify each computer in the PeerGroup, the credentials for the HomeGroupUser$ account, shared printers, and the MAC addresses that are registered for a device. Messages are signed and information encrypted as required to help protect against rogue computers that might advertise services on the local subnet. A 256-bit Advanced Encryption Standard (AES) key is created by using a Secure Hash Algorithm (SHA)-256 hash of the PeerGroup name; this AES key is randomized (i.e., salted) by the HomeGroup password to make sure that the generated hash is unique. The AES key is used to encrypt HomeGroup credentials messages and a 2048-bit RSA private/public key pair, which the initiator of the HomeGroup creates and uses to sign WSD messages, ensuring their integrity. When a computer receives a HomeGroup WSD message, that message is kept so that the information doesn't need to be rediscovered unless a change is advertised.
Server Message Block (SMB) 2.1, the standard protocol for Windows file servers, is used to transfer files between computers. Users don't need to enter credentials when accessing resources on other computers in a HomeGroup, because the HomeGroupUser$ account and a group called HomeUsers simplify access to shared resources on behalf of the logged-on user.
Setting Up or Joining a HomeGroup
All editions of Windows 7 can join a HomeGroup, but only Windows 7 Home Premium, Professional, Enterprise, and Ultimate SKUs can create one. A simple wizard is activated when a user connects to a new home network; if an existing HomeGroup is not detected, the user is prompted to set up a new HomeGroup and share default libraries such as Documents and Videos. If the computer is joined to a domain, the user can opt to participate in an existing HomeGroup, if one is detected on the local network.
HomeGroup is not available when Windows Firewall is set to Public, so the feature is no good for those who want to share files ad-hoc with users on a public WiFi hotspot. (Apple's AirDrop feature has one up on Windows for the time being, providing an easy way to share files with unknown devices over public networks, similar to Bluetooth file sharing.) When setting the Windows Firewall profile to Home, you can skip joining a HomeGroup by clicking Cancel on the Join a Homegroup screen (which Figure 1 shows), and the firewall profile will be set accordingly.
HomeGroup and ACLs
When a user shares a library, Windows modifies the ACLs on the folders that are part of that library. Figure 2 shows that the user (user) who joins a HomeGroup has a new ACL for the HomeUsers group on his or her user folder. This ACL grants traverse permission to only the first level of the folder.
If you look at this user's Documents folder, you will see that the HomeUsers group has been given Read access. When a HomeGroup is created, all local user accounts are added to the HomeUsers group. When a new local user account is created, it's automatically added to the HomeUsers group. Unless the default configuration is changed, all local users can access the folders of any other local users that have shared folders in a HomeGroup.
The HomeGroup setup wizard allows users to share their default libraries, but more granular configuration can be achieved by using Windows Explorer's Share with menu. You can select single or multiple folders and then disable sharing (by selecting Nobody from the Share with menu) or enable Read or Read/Write access. Read access is the default permission given to libraries that are shared in a HomeGroup. If you choose to use the Share with menu to grant Read/Write access, be aware that HomeGroup users will actually get Full Control (i.e., they can also delete files).
When you create or join a HomeGroup, you should use Windows Explorer -- not the Security tab on a file's or folder's Properties dialog box -- to manage ACLs. The Share with menu also has an option to share with Specific people. Under the default Windows configuration, only local user accounts and groups can be selected. If you want to share with a specific remote user, then that user must have an account that is on the local computer and that mirrors the username and password that is set on the remote computer. As Figure 3 shows, the Advanced sharing settings screen in the Network and Sharing Center allows you to configure a HomeGroup to use a local user account instead of HomeGroupUser$.
The HomeGroup system service is responsible for maintaining HomeGroup configuration, including ACLs on shared folders. When you remove a computer from a HomeGroup, all previously added ACLs are removed.
Domains and HomeGroup
Domain-joined computers cannot create HomeGroups but can participate in a HomeGroup that is set up on another Windows 7 computer. To join an existing HomeGroup, the user must first ensure that the Windows Firewall network profile is set to Home. In Windows 7, domain users don't need to elevate privileges to change the network location. (You can alter this behavior by enabling the Require domain users to elevate when setting a network's location Group Policy setting under Computer Configuration, Administrative Templates, Network, Network Connections in Group Policy Editor.)
For security reasons, domain users and local users of domain-joined computers cannot share resources. If a non-domain computer creates or participates in a HomeGroup, any shared resources on that computer will be disabled if the computer later joins to a domain.
HomeGroup Troubleshooting Checklist
Only one HomeGroup can be present on a subnet, and a Windows 7 computer can be a member of only one HomeGroup. If you want to join a HomeGroup on a different LAN, you first need to remove the device from its existing HomeGroup. Only disks that are formatted with NTFS can be shared in a HomeGroup, so that excludes CD-ROMs or DVD-ROMs and FAT-based file systems. If you have trouble establishing a HomeGroup, take these steps:
· Ensure that Windows Firewall is correctly configured. Setting the firewall profile to Home should be enough for automatic configuration. (You can find full details of HomeGroup firewall requirements in the Microsoft document "HomeGroup and Firewall Interaction."
- Check the local NIC settings to make sure that IPv6 is enabled.
- Verify that multicast traffic is allowed on the local subnet and is supported by network adapters and other networking equipment, such as routers and switches.
- Determine whether third-party security software is blocking HomeGroup communications.
- Have patience. It might take a minute or two after a device has booted for other machines in the HomeGroup to appear in Windows Explorer.
If you need to troubleshoot further, Netsh has some useful switches. For example, use the following command to establish whether your PeerGroup is accessible:
netsh p2p pnrp cloud show names
The output in Figure 4 shows two PeerGroups. The Global_ cloud group is of no interest; only LocalLink information is relevant to the HomeGroup. This output shows IPv6 addresses and P2P data for the local network adapter, and you can see that the PeerGroup is up and running. The context netsh p2p pnrp diag also contains useful ping and traceroute troubleshooting commands. But as long as your local network meets the basic requirements for Windows HomeGroup, you'll seldom need to use the advanced troubleshooting commands that Netsh provides.
Proceed with Caution
Anyone who has ever dealt with NetBIOS or WINS knows how frustrating even the simplest of networking jobs can be in a WFW scenario and how troubleshooting such scenarios requires a fair amount of background technical know-how. Windows 7 HomeGroup is a welcome addition to the OS and should make simple P2P networking an easy task for both administrators and non-technical users.
The implementation of HomeGroup using IPv6, WSD, and SMB is fundamentally secure. So long as your wireless router is set up to provide adequate security, you can run a HomeGroup over a wireless network with confidence that you aren't increasing the risk of data being sniffed over the airwaves. However, you should watch out for local ACL issues, in which local computer users might gain access to other local users' files. HomeGroup isn't intended to be a business-grade solution, so be sure that you fully understand the potential security implications if local user accounts are in use.