Unit objectives:
Create and secure user accounts
Configure security policies
Explain file system security
Topic A
Topic A: Users and authentication
Topic B: Windows security policies
Topic C: File system security
User accounts
Represent all of the information that defines
a user
First and last name
Password
Group membership information
Other data
Allow you to:
Require authentication for users connecting to
the computer
Control access to resources
Monitor access to resources by auditing user
actions
Privileges
Admin User Privilege
Run programs
Change password and account picture
Change account name and type
Manage files in My Documents and
Shared Documents
Manage files elsewhere
Manage other user accounts
Add programs
Tasks needing admin. privileges
Restoring backups
Changing the configuration of UAC (by
editing the local group policy)
Changing system-wide settings or files
in %SystemRoot% or %ProgramFiles%
Viewing or changing another user's
folders and files
Running Disk Defragmenter
The Local Security Policy console
Admin Approval Mode for the Built-in
Administrator account
Allow UIAccess applications to prompt for
elevation without using the secure desktop
(Windows 7)
Behavior of the elevation prompt for
administrators in Admin Approval Mode
Behavior of the elevation prompt for
standard users
Detect application installations and prompt
for elevation
Only elevate executables that are signed and
validated
Only elevate UIAccess applications that are
installed in secure locations
Run all administrators in Admin Approval
Mode
Switch to the secure desktop when
prompting for elevation
Virtualize file and registry write failures to
per-user locations
Windows 7 notification levels
Default user names
Examples: Administrator, Guest
Represent security risk
Should be changed where possible
Disable Guest account in XP
1. Click Start
2. Select Control Panel
3. Click User Accounts
4. If Guest account is on, click Guest
5. Click Turn off
Disable Guest account in Vista and 7
1. Click Start
2. Select Control Panel
3. Click User Accounts
4. Select Manage another account
5. If the UAC box appears, click
Continue
6. If Guest account is on, click Guest
7. Click Turn off
Screensaver password
Ensures that a computer left
unattended becomes secure
Same password used to log on is
required to exit screensaver
Screensaver timeout as short as
tolerable to minimize window of
opportunity
Screen saver password in XP
1. In Control Panel, click Appearance
and Themes
2. Select Choose a screen saver
3. Check On resume, password protect
4. Click OK
Screen saver password in Vista/7
1. In Control Panel, double-click
Personalization
2. Click Screen Saver
3. Check On resume, display logon
screen
4. Click OK
Autoplay/Autorun
Autoplay: lets you choose which
program will run which type of media
Autorun: Allows Autoplay to run
automatically when the media is
inserted or attached
Disable Autoplay in XP
1. Click Start, choose Run
2. In the Open box, type gpedit.msc, press
Enter
3. Under Computer Configuration, expand
Administrative Templates
4. Click System, and double-click Turn off
Autoplay
5. Choose Enabled
6. Choose which drives you want Autoplay
disabled on
7. Click OK
Disable Autoplay in Vista and 7
1. Click Start and type gpedit.msc
2. Under Computer Configuration,
expand Administrative Templates,
Windows Components
3. Under Windows Components, click
Autoplay Policies
4. Double-click Turn off Autoplay
5. Choose Enabled
6. Choose which drives you want
Autoplay disabled on
7. Click OK
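An added example (not part of the original course material): a read-only PowerShell check that the Guest account, screen saver and Autoplay settings from the steps above are actually in effect. The helper names and the 600-second limit are assumptions, the registry value names are the standard Windows locations for these settings rather than anything listed on the slides, and the screen saver check reads only the current user's Control Panel values, not a Group Policy override.

```powershell
# Added example: read-only audit of the settings covered above (PowerShell 2.0+).
$MaxTimeoutSeconds = 600   # assumption: site-chosen limit, not from the course

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function New-Finding($Check, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

$findings = @()

# Guest is matched by its well-known RID (501), so a renamed account is still found.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest) {
    $findings += New-Finding 'Guest account disabled' $guest.Disabled "Name: $($guest.Name)"
} else {
    $findings += New-Finding 'Guest account disabled' $false 'RID 501 account not found'
}

# Screen saver: per-user values written by the Control Panel steps.
$desk    = 'HKCU:\Control Panel\Desktop'
$active  = Get-RegValue $desk 'ScreenSaveActive'
$secure  = Get-RegValue $desk 'ScreenSaverIsSecure'
$timeout = Get-RegValue $desk 'ScreenSaveTimeOut'
$locked  = ($active -eq '1') -and ($secure -eq '1')
$findings += New-Finding 'Screen saver requires password' $locked "Active=$active Secure=$secure"
$short = ($null -ne $timeout) -and ([int]$timeout -le $MaxTimeoutSeconds)
$findings += New-Finding 'Screen saver timeout' $short "ScreenSaveTimeOut=$timeout s"

# Autoplay: the "Turn off Autoplay" computer policy stores a drive-type bitmask here.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndt = Get-RegValue $explorer 'NoDriveTypeAutoRun'
if ($null -eq $ndt)    { $detail = 'policy not configured' }
elseif ($ndt -eq 0xFF) { $detail = 'all drives' }
elseif ($ndt -eq 0xB5) { $detail = 'CD-ROM and removable media drives only' }
else                   { $detail = ('custom mask 0x{0:X2}' -f $ndt) }
$findings += New-Finding 'Autoplay turned off by policy' (($ndt -eq 0xFF) -or ($ndt -eq 0xB5)) $detail

$findings | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Run it as the user whose screen saver settings you want to check; nothing is modified.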
Topic C
File system security
Full control
Modify
Read & execute
Read
Write
Special permissions
Moving vs. copying
Copied files and files moved between
partitions inherit the permissions from
the new location
Files moved within the same partition
keep their original permissions
Effective Permissions tool
Shared Folders console
View and manage shared folders
Reviewing share permissions
Calculating effective permissions
1. Use the Effective Permissions tool to
determine the user's effective NTFS
permissions for a folder
2. Review the share permissions for the
folder
3. Compare the user's effective NTFS
permissions to the user's share
permissions
4. Check the file attributes
Sources of Access Denied errors
User doesn't have the necessary
share permissions
If the shared resource is a folder or
file, the user might have NTFS
permissions that prevent access
Does the file have the Read Only
attribute?
File attributes
Read-only
Hidden
System
Archive
Not content indexed
Unit summary
Created and secured user accounts
Configured security policies
Explained file system security