S 4.423 Use of the homegroup function under Windows 7

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, User

In Windows 7, the new Homegroup function was implemented. It allows for easy access to files and printers of other IT systems within the local network. The data is accessed in a grouped manner via the library function (summary of files in different folders of the same type, for example music files, documents, image files, or video files) of Windows 7.

An existing homegroup can be accessed using all Windows 7 versions. A new homegroup can be created in the Home Premium version and higher.

While a homegroup is created, a password is generated that must be entered in all IT systems the homegroup is to comprise. Then, the existing shares can be accessed. The homegroup's password can be changed subsequently. While the password is being changed, all IT systems belonging to the homegroup must be switched on. Then, the new password must be entered on each of these IT systems. Alternatively, the authentication can be performed using existing user accounts of an IT system.

The homegroup is implemented based on IPv6 via the Microsoft Peer Name Resolution Protocol (PNRP), as well as using the share functions and the user administration of the operating system.

Every IT system can access the shared data of the other homegroup systems and can share data itself. The prerequisite for the homegroup function is to set the site type of the network to "home network". By default, a new user group called HomeUsers (it contains all local users of the computer) and the user HomeGroupUser$ are implemented on the IT systems of one homegroup.

IT systems connected to a domain

If an IT system (a laptop, for instance) is part of a domain, this IT system is not able to create a homegroup. Such IT systems can participate in existing homegroups, but no data from this IT system will be shared in the home network. This way, it is ensured that no confidential information can be read or edited by unauthorised third parties when using the homegroup. If using officially provided IT in domestic environments is prohibited in general by means of instructions, the homegroup functionality of the IT system should be disabled by means of a group policy.

Using the homegroup in an institution

Before using the homegroup function in an institution, it must be checked whether the functionality is required in order to achieve the objectives of the institution and if the related benefits outweigh the risks. Data access may also be performed by using other technical means (e.g. file servers with a connected directory service).

The decision regarding the use or non-use of this function should be defined in a policy. In so doing, it must be defined whether file and printer sharing via peer-to-peer functionality (see also S 5.152 Exchange of information and resources using peer-to-peer services) is to be permitted.

The participation in a homegroup can be configured in Computer Configuration | Administrative Templates | Windows Components | Homegroup in the group policy object editor. Within the group policy Prevent the computer from joining a homegroup, three conditions can be set: Not configured, Disabled, And Enabled. Joining the homegroup is allowed for the first two conditions.

If using the homegroup is allowed by the policy, its use must be planned carefully and operated securely afterwards.

Furthermore, S 2.442 Use of Windows Vista and Windows 7 on mobile systems and S 3.3 Laptop must be applied regarding affected mobile IT systems.

Since malware may penetrate the IT system when accessing shared data, it must be ensured that the safeguards of module S 1.6 Protection against malware are implemented in the entire institution and specifically for the computer located in the homegroup.

Furthermore, the users must be trained as to how they should handle shares so that they do not place confidential data of their laptop into the shared folders.

If the use of the homegroup is to be rescinded, the homegroup must be left. For this, the Control Panel must be opened, Homegroup must be entered into the search field, and this term must be clicked. Then, you must use the Homegroup dialogue to select the Leave homegroup link and then re-select Leave homegroup in the next window and click Finish.

Windows will then reset the corresponding rights to their status before participating in the homegroup and delete the HomeGroupUser$ user and the HomeUsers user group.

Training the users on how to handle the homegroup function

If the institution decides to use the homegroup function, the users must be informed about the possible risks occurring during the use of this function and trained on how to safely handle this function (see S 3.28 Training on security mechanisms for users on Windows client operating systems).

Review questions:

© Federal Office for Information Security. All rights reserved.