Securing Windows Resources

© 2010 The McGraw-Hill Companies, Inc. All rights reserved

Mike Meyers’ CompTIA A+® Guide to

Managing and Troubleshooting PCs

Third Edition

Securing Windows Resources

Chapter 16




Third Edition

• In this chapter, you will learn how to

– Create and administer Windows users and groups

– Define and use NTFS permissions for authorization

– Describe how to share a Windows computer securely

Overview




Third Edition

Authentication with Users and Groups

CompTIA A+Essentials

Essentials




Third Edition

Authentication

• Authentication is the process where you show you’re permitted to access the computer

• Simplest way is with a user name and password– Logging in to a valid user account provides

authentication– Once in, NTFS permissions provide authorization: what

you can do with the computer after authentication

• Each version of Windows does user accounts differently, so we’ll look at them separately




Third Edition

Managing Users in Windows 2000

• Administrator account– Not recommended for

regular use– Additional account created for

regular use

• Users and Passwords applet is the tool in Windows 2000

• Can force user logon– Users must enter a user name

and password




Third Edition

Create New Users (2000)

• Access Users and Passwords applet from Control Panel– Create user name and password– Can add users to groups– Standard User makes account part of the Power

Users and Local Users groups




Third Edition

Managing Users in Windows XP

• Two possible logon screens– Log On to Windows (requires valid user name and

password)– Welcome screen




Third Edition

Log In Options

• Classic Style– Windows XP Professional (optional)– Windows XP Professional in a domain (automatic)

• Welcome Screen– Windows XP Professional not in a domain (default)– Windows XP Home– Windows XP Media Center

• This chapter assumes a standalone machine and thus the Welcome Screen




Third Edition

Managing Users in Windows XP

• User Accounts applet in Control Panel– Replaces Users and

Passwords applet

• Although Windows XP has the same accounts available as Windows 2000, User Accounts applet simplifies everything




Third Edition

Managing Users in Windows XP (continued)

• Account types– Computer administrator (member of administrators

group)– Limited account (member of local users group)– Accounts can be changed




Third Edition

Managing Users in Windows XP (continued)

• User Accounts applet– Computer administrator will see both types of

accounts and users– Limited account sees only his or her account

• To create a user account– Provide a user name– Pick an account type– Select log on/log off settings– Enable/disable fast user switching




Third Edition

Lab – Create a New User (1)

1. Go to Start | Control Panel

2. Select Create a new account

3. Type a name for the account and click Next

4. Make the account a Computer administrator




Third Edition


5. Secure the new account– Select the new account– Select Create a password– Type in an appropriate password– Retype it to confirm – Type in a password hint

6. Customize the new account– Select Change the picture– Select a picture– Click Change Picture button




Third Edition


1. Create a new user account, but this time make it a Limited user– Follow the same steps– Select the Limited radio button under the Pick an

account type option

2. Secure the user account with a password

3. Customize the Welcome Screen picture as before




Third Edition

Fast User Switching

• Enables users to switch between sessions– One user doesn’t need to log off while another

user logs on– Both sessions active (though only one visible at

a time)




Third Edition

Freeform Lab – Viewing Users

• Use Fast User Switching to move between the new accounts

• Explore the differences between the accounts– Try accessing Documents and Settings for each

account• What differences do you see?

– Open User Accounts• What differences do you see?




Third Edition

Managing Users in Windows Vista

• Three accounts created when installing– Guest– Administrator– Local account that’s a member of the

Administrators group

• Tool used to create and modify accounts differs among the versions of Vista– User Accounts (domain-focused versions)– User Accounts and Family Safety (Other versions)

• Latter offers parental controls

– Options differ a little within the applets as well




Third Edition

Lab – Create a New User

1. In Control Panel, open the User Accounts applet– Try User Accounts and Family Safety

2. Click Add or remove user accounts

3. Click Continue on the UAC message

4. Click Create a new account– Enter an account name– Make the account a Standard user– Follow wizard through to the end




Third Edition

Managing Users in Windows Vista

• User Account Control– Designed to enable standard users to

install software– Puts controls in place to stop malicious

code– Standard users must enter

an administrator user name and password to do administrator things

– Administrators prompted as well, “Are you sure?”




Third Edition

Managing Users in Windows Vista (continued)

• Parental Controls– Gives nice set of tools to manage usage

– Can also justmonitor andreport

– Blocks specificapplications

– Sets time limits




Third Edition

Managing Users in General

• Never give out passwords over the phone

• Use strong passwords– At least 6 to 8 characters– Include letters (both cases), numbers, symbols

• Change passwords at regular intervals

• Don’t write down passwords

• Password reset disk can be created in Windows XP and Windows Vista




Third Edition

Resetting Forgotten Passwords in Windows XP and Windows Vista

• Windows XP/Vista enables the currently logged-on user to create a password reset disk

– Use if the password is forgotten– Can access any encrypted files after resetting

password– If an administrator resets your password, you lose

access to encrypted files– User Accounts: in Control Panel, select your user

account, choose Prevent a forgotten password under Related Tasks and follow the wizard

– Requires a removable disk, such as a floppy disk or thumb drive




Third Edition

Managing Users Through Groups

• Groups– A group is a collection of user accounts that

share the same access capabilities

– Assign access to a group and then put users into the group

– Users will inherit the access assigned to the group

– Windows provides several built-in groups




Third Edition

• Administrators– May perform all

administrative tasks on the computer

• Backup Operators– May use Windows Backup

• Guests– May perform only specific

tasks that are granted

• Power Users– May create and modify

local user accounts and share resources on the local computer

• Replicator– Supports file replication in

a domain

• Users– May perform only tasks

specifically assigned– Local user accounts that

are created become members

• Everyone

Default Groups in Windows 2000




Third Edition

Groups in Windows XP/Vista

• Professional versions in a domain– All the groups found in Windows 2000– A lot of other groups for specialized tasks

• Home versions and Professional versions in a workgroup– Windows XP

• Computer administrator, limited user, guest

– Windows Vista• Computer administrator, user, guest




Third Edition

Limited User versus User

• Limited – Windows XP– Must use simple file

sharing • Share or not

– Cannot run all programs

– Cannot install applications or make system changes

• User– Windows Vista– Standard User

account– Can run most

applications– UAC prompts for

administrator credentials for installing or changing system settings




Third Edition

Adding Groups

• Use Local Users and Groups applet– Available in professional versions of Windows– Computer Management administrative tool– Right-click a blank spot and select New Group




Third Edition

Lab – Adding a Group (1)

1. Right-click Computer and select Manage

2. In Computer Management, click Local Users and Groups

3. Right-click Groups and select New Group




Third Edition


4. Type in a group name

5. Add a description if desired

6. Click the Add User button to open the Select Users dialog box

7. Click the Advanced button to continue




Third Edition


8. In the Select Users dialog box, click the Find Now button to create a list of user accounts

9. Select the new user account you added and click OK

10. Click OK again

11. Click Close

12. Select Group to see the new group you created




Third Edition

Changing Group Membership

• Use Local Users and Groups applet– Select user account– Select Member Of tab– Click Add or Remove to

change membership




Third Edition

Lab – Add User to Group (1)

1. Navigate to the Local Users and Groups in Computer Management

2. Click on Users

3. Right-click the user you just created and select Properties

4. Select the Member Of tab




Third Edition


5. Click the Add button to open the Select Groups dialog box

6. Click the Advanced button to see the listof groups available




Third Edition


7. Click the Find Now button to display the list of available groups

8. Select Backup operators and click OK– Backup Operators is

now in the queue

9. Click OK

10.Click OK again

11.Right-click the useraccount and checkthe Member Of tab to verify




Third Edition

Authorization Through NTFS




Third Edition

NTFS Permissions

• NTFS permissions– Lists users and groups granted access to a file

or folder

– Lists the specific level of access allowed

– Available only on volumes formatted as NTFS (Security tab)

– NTFS security is effective whether a user . . .

• Gains access at the computer• Gains access over the network




Third Edition

NTFS Special Permissions

• Ownership– When you create a new file or folder you become the

owner– Owners have Full Control– Owners can change permissions

• Take Ownership permission– Enables a user to take ownership of a file or folder– Administrator account can take ownership of any files or

folders

• Change Permission– Can give or take away permissions for other accounts




Third Edition

NTFS Standard Permissions

• Folder permissions– Apply to folders

• File permissions– Apply to files




Third Edition

Lab – Follow Along with Vista

• In Vista Ultimate go here– Start | Computer– Right-click on Local Disk (C:)

and select Properties– Select the Security tab

• Click through screens,users, permissions

• Click the Advanced button to see otheroptions such as takeownership




Third Edition

NTFS Folder Permissions

• Full Control– Enables you to do anything you want– To deny all access, deny Full Control

• Modify– Cannot delete files or subfolders, but may

modify them

• Read & Execute– Enables read files and run programs




Third Edition

NTFS Folder Permissions (continued)

• List Folder Contents– Enables you to see the contents of the folder

and subfolders, but not read or change files

• Read– Enables you to read any files in the folder

• Write– Enables you to write to files and create new files

and folders




Third Edition

NTFS Folder Permissions (continued)

• By default, permissions are inherited from parent folders

– This may be prevented by removing the check mark at the bottom




Third Edition

NTFS File Permissions

• Full Control– Enables you to do anything

• Modify– Enables you to do anything except take ownership

or change permissions

• Read & Execute– If the file is a program, you can run it

• Read– If the file is data, you can read it

• Write– Enables you to write to the file




Third Edition

• User’s effective permissions are the cumulative permissions resulting from a combination of user and group permissions.

– Sally is in Administrator group

– Sally has Read permission on a folder

– Administrator has Full Control on the folder

– Sally’s effective permission is Full ControlCumulative from Full Control and Read

– Deny permission overrides all other permissions. Deny always becomes the effective permission.

Combining Permissions




Third Edition

Permission Propagation

• Permissions are retained or changed when files and folders are moved or copied

• Propagation differs when files and folders are – Copied or moved within an NTFS partition– Copied or moved between two NTFS partitions– Copied or moved between an NTFS and FAT or

FAT32 partition




Third Edition

Permission Propagation (continued)

• Within one NTFS partition– Copy

• Creates two copies of object• Original retains permissions• New copy inherits permissions of new container

– Move• Creates one copy of object• Object retains permissions




Third Edition


• Between two NTFS partitions– Copy

• Creates two copies of object• Original retains permissions• New copy inherits permissions of new container

– Move• Creates one copy of object• Object inherits permission of new container




Third Edition


• Between an NTFS partition and a FAT or FAT32 partition– Copy

• Creates two copies of an object• Original retains permissions• New copy loses all permissions

– Move• Creates one copy of object• Object loses all permissions

• FAT32 offers no permissions at all!




Third Edition

Techs and Permissions

• Need administrative privileges to work

• Don't ask for password – make the Administrator log you in

• Avoids false accusations




Third Edition

Sharing a Windows PC Securely




Third Edition

Sharing in Windows 2000

• Secure your My Documents folder– Remove all accounts other than your own

• Don’t create administrator accounts– Use power user or standard user instead

• Create a folder on a drive that every account can access– Provides a convenient spot to share files among the

accounts




Third Edition

Sharing in Windows 2000 (continued)

• To share, right-click a file or folder and select Sharing

• Click the Share this folder radio button and set permissions




Third Edition

Sharing in Windows XP

• New features added to make sharing easier

• But as you had to dowith Windows 2000, make sure to lock down My Documents




Third Edition

Lab – Lock it Down

1. Start | Right-click My Documents

2. Select Properties from the context menu

3. Select Sharing tab

4. Select the Make this folder private check box

5. Click OK

6. Use Fast User Switching to log in as another Computer Administrator user account– Can you access the My Documents folder for the

user account you just locked down?




Third Edition

Sharing in Windows XP

• Shared Documents make sharing among user accounts simple

• All accounts can access Shared Documents and their subfolders




Third Edition

Sharing in Windows XP (continued)

• Simple file sharing offers share or don’t share as the only options

• Does not take advantage of complex sharing options available with NTFS




Third Edition

Sharing in Windows XP (continued)

• Windows XP Professional allows you to turn simple file sharing off

• This unlocks NTFS permissions

• Windows XP Professional in a domain disables simple file sharing




Third Edition

Lab – Sharing in Windows XP

• Right-click a folder in My Computer and select the Security tab– What? Not there?

• Select the Sharing tab instead– Share or don’t share . . .– I thought NTFS offered better security!

• So, turn off simple file sharing– In Windows Explorer go to Tools | Folder Options– On the View tab, deselect Use simple file sharing

• Now right-click a folder again in My Computer and select the Security tab




Third Edition

Sharing in Windows Vista

• Sharing works well in Windows Vista

• Simple file sharing is gone, replaced with targeted sharing– Reader– Contributor– Co-owner




Third Edition

• Reader gives the user Read-only permission

• Contributor gives the user Read and Write permissions, plus permission to delete anything created by that user

• Co-owner can do anything with that shared resource

Sharing in Windows Vista (continued)




Third Edition

Sharing in Windows Vista (continued)

• Public folder makes sharing very easy• Works both locally and across a network




Third Edition

Locating Shared Folders

• Important to know what folders are shared on a computer

• Computer Management is your friend




Third Edition

Administrative Shares

• Shares with names like C$ or E$– Not user created but rather shares added by

default– Administrative shares include

• All drives• %systemroot%

– Administrative shares are created every time you boot, so don’t bother deleting

– Administrative shares enable administrators to access everything




Third Edition

Protecting Data with Encryption

• Take Ownership means even non-shared folders and files are not safe

• Encryption scrambles data within a file or folder– Only the account that encrypts can read contents

• Two tools in Windows– Encrypting File System (EFS) encrypts files and

folders– BitLocker encrypts drives




Third Edition

Encrypting File System

• Available in all Professional versions

• Based on specific user account and password– Password reset makes

the encrypted files unreadable

– Make a password reset disk!




Third Edition

BitLocker

• Available in Windows Vista Ultimate and Enterprise only

• Locks the drive• Requires a Trusted

Platform Module (TPM) chip on the motherboard

• Make sure you store the recovery key securely




Third Edition