
Authentication and user security

Unit objectives:
Create and secure user accounts
Configure security policies
Explain file system security
Topic A
Topic A: Users and authentication
Topic B: Windows security policies
Topic C: File system security
User accounts
Represent all of the information that defines a user
First and last name
Password
Group membership information
Other data
Allow you to:
Require authentication for users connecting to the computer
Control access to resources
Monitor access to resources by auditing user actions
Privileges (Admin vs. User)
Run programs
Change password and account picture
Change account name and type
Manage files in My Documents and Shared Documents
Manage files elsewhere
Manage other user accounts
Add programs
Add hardware (other than printers)
Add local or network printers
Change system settings
Creating a user account in Windows 7
1. In the Control Panel, click User Accounts and Family Safety
2. Click Add or remove user accounts
3. Enter administrator credentials
4. Click Create a new account
5. Enter a name for the new user
6. Select an account type
7. Click Create Account
Creating a user account in Vista
1. In the Control Panel, click User Accounts
2. Click Add or remove user accounts
3. Enter administrator credentials
4. Click Continue
5. Click Create a new account
6. Enter a name for the new user
7. Select an account type
Standard user
Administrator
8. Click Create Account
Creating a user account in XP
1. In the Control Panel, click User Accounts
2. Click Create a new account
3. Enter a name for the new user
4. Click Next
5. Select an account type
Computer administrator
Limited
6. Click Create Account
Groups
Aggregate user accounts into entities
Recommended: assign permissions to the group, not to individual users
Common groups
Users
Administrators
Power Users
Password rules
Letters, numbers, punctuation
Case-sensitive
1-127 characters
Further restrictions might be enforced by your company
Password recommendations
Match password strength with security needs
Easy to remember, hard to guess
At least 8 characters long
More than 15 characters for strongest security
Mix of upper- and lowercase letters, plus numbers
Memorize passwords
Use different passwords on all accounts
Change passwords frequently
60-90 days
Avoid repeating one within a year
Creating strong passwords
Balance easy to remember and hard to guess/crack
Use a pass phrase
Don't use personal information
Don't use dictionary words
Multiple passwords
Use a password management tool
Stores password in encrypted format
Remember one password for tool
Software-based examples
Password Director
AnyPassword
Creating a user password in 7/Vista
1. In the Manage Accounts window, click the desired user account (enter administrator credentials)
2. Click Create a password
3. Enter and confirm the password
4. Enter a password hint
5. Click Create password
6. Close all open windows
The password creation screen
Creating a user password in XP
1. In Control Panel, User Accounts, click the desired user account
2. Click Create a password
3. Enter and confirm the password
4. (Optional) Enter a password hint
5. Click Create password
6. Close all open windows
Requiring a new password
Authentication
Process by which your identity is validated against a database that contains your account
Grants or denies access to resources
Varies by environment
Domain
Local
Network
Authentication protocol
Kerberos version 5 (Kerberos v5), used by:
Windows Server 2008
Windows 7 and Vista
Windows Server 2003
Windows XP
Windows 2000
Single sign-on
Examples
Windows Live ID
Microsoft Passport
Google Apps
Re-authentication sometimes required
Topic B: Windows security policies
Security policies
Supported by:
Windows 7 Professional, Ultimate, Enterprise
Windows Vista Business, Ultimate, and Enterprise
Windows XP Professional
Windows 2000 Professional
Configurable with Group Policy editor
Local account policies
Password
Account Lockout
Password policies
Control the complexity and lifetime settings for passwords
Enforce password history
Minimum password age
Maximum password age
Minimum password length
Passwords must meet complexity requirements
Store passwords using reversible encryption for all users in the domain
Setting password policy values
Setting | Default | Possible/recommended
Enforce password history | 0 passwords remembered | 0 to 24; set to 24 to limit password reuse
Maximum password age | 42 days | 0 to 999; set to either 30 or 60 days
Minimum password age | 0 days | 0 to 998; set to 2 days to disallow immediate changes
Minimum password length | 0 characters | 0 to 14; set to at least 6 to 8
Password must meet complexity requirements | Disabled | Enabled or disabled; set to enabled
Store passwords using reversible encryption | Disabled | Enabled or disabled; set to disabled
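As an added example (not part of the slides), a Python check that applies the Windows "Password must meet complexity requirements" rule from the table above and then layers the deck's own length and character-mix recommendations on top. The rule set is the documented Windows one (simplified to ASCII categories); the account names and passwords used are constructed.

```python
import re
import string


def complexity_failures(password, account_name, full_name=""):
    """Return the Windows complexity rules a password fails (empty list = pass).

    Windows also counts other Unicode letters as a fifth category; this
    simplified check uses the four ASCII categories only."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    lowered = password.lower()
    # The account name is rejected only when it is at least 3 characters long.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains the account name")
    # Full-name tokens (split on the delimiters Windows uses) longer than 2 chars.
    for part in re.split(r"[,.\-_ #\t]+", full_name):
        if len(part) > 2 and part.lower() in lowered:
            failures.append("contains part of the full name (%s)" % part)
    categories = sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    if categories < 3:
        failures.append("fewer than 3 of 4 character categories")
    return failures


def strength_report(password, account_name, full_name=""):
    """Layer the deck's recommendations on top of the Windows policy check."""
    return {
        "windows_policy": not complexity_failures(password, account_name, full_name),
        "at_least_8": len(password) >= 8,          # deck: at least 8 characters
        "strongest_over_15": len(password) > 15,   # deck: more than 15 for strongest
        "mixed_case_and_digits": (                 # deck: upper + lower + numbers
            any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
        ),
    }


if __name__ == "__main__":
    # Constructed sample: a long all-lowercase pass phrase satisfies the deck's
    # length advice but still fails the Windows category rule.
    print(strength_report("correct horse battery staple", "jsmith", "John Smith"))
```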
Account lockout policy
Secures the system against attacks
Disables user account after certain number of failed logon attempts within a specified period of time
Setting account lockout values
Setting | Default | Possible/recommended
Account lockout duration | N/A (30 minutes once a threshold is set) | 0 to 99,999 minutes; set to at least 30 minutes
Account lockout threshold | 0 invalid attempts | 0 to 999; set to at least 3
Reset account lockout counter after | N/A (30 minutes once a threshold is set) | 1 to 99,999 minutes; set to at least 30 minutes
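The three lockout settings only make sense together. The Python model below (added here, not from the slides) shows how the threshold, the reset window and the duration interact for the deck's recommended values, including the two zero cases Windows defines: threshold 0 never locks, and duration 0 keeps the account locked until an administrator unlocks it. Time is simplified to whole minutes and the counter is cleared when the account locks, which matches the observable behaviour.

```python
import math
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 0         # invalid attempts before lockout; 0 = never lock out (Windows default)
    duration_min: int = 30     # minutes an account stays locked; 0 = until an administrator unlocks
    reset_after_min: int = 30  # minutes with no bad attempt before the failure counter resets


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: float = -math.inf      # time (minutes) of the most recent bad attempt
    locked_until: float = -math.inf  # locked while now < locked_until; math.inf = admin unlock only


def is_locked(state, now):
    return now < state.locked_until


def attempt_logon(policy, state, now, password_ok):
    """Process one logon attempt at time `now` (minutes); return True on success."""
    if is_locked(state, now):
        return False  # a locked account is refused even with the correct password
    if password_ok:
        state.bad_count = 0  # a successful logon clears the failure counter
        return True
    if now - state.last_bad >= policy.reset_after_min:
        state.bad_count = 0  # reset window elapsed: this failure starts a fresh count
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.bad_count = 0
        state.locked_until = math.inf if policy.duration_min == 0 else now + policy.duration_min
    return False


def admin_unlock(state):
    """Manual unlock from the user account properties; also clears the counter."""
    state.locked_until = -math.inf
    state.bad_count = 0
```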
Computer vs. domain
Domain computers inherit settings from domain
Domain settings override local settings
User Account Control
Run as standard user
Enter administrator credentials to manage system on demand
Reduces risk of accidental or unwanted system changes
Elevation prompts
Consent vs. credential
Prompt types
Windows needs your permission to continue
A program needs your permission to continue
An unidentified program wants access to your computer
This program has been blocked
User Account Control in Windows 7
Tasks needing admin. privileges
Running an application as an administrator
Installing or removing applications
Installing a device driver, Windows updates, or an ActiveX control
Configuring Windows Update
Configuring Windows Firewall
Creating, modifying, or deleting a local user account
Configuring Parental Controls
Scheduling tasks
Restoring backups
Changing the configuration of UAC (by editing the local group policy)
Changing system-wide settings or files in %SystemRoot% or %ProgramFiles%
Viewing or changing another user's folders and files
Running Disk Defragmenter
The Local Security Policy console
Local Security Policy console
Admin Approval Mode for the Built-in Administrator account
Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 7)
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
Windows 7 notification levels
Default user names
Examples: Administrator, Guest
Represent security risk
Should be changed where possible
Disable Guest account in XP
1. Click Start
2. Select Control Panel
3. Click User Accounts
4. If Guest account is on, click Guest
5. Click Turn off
Disable Guest account in Vista and 7
1. Click Start
2. Select Control Panel
3. Click User Accounts
4. Select Manage another account
5. If the UAC box appears, click Continue
6. If Guest account is on, click Guest
7. Click Turn off
Screensaver password
Ensures that a computer left unattended becomes secure
Same password used to log on is required to exit screensaver
Screensaver timeout as short as tolerable to minimize window of opportunity
Screen saver password in XP
1. In Control Panel, click Appearance and Themes
2. Select Choose a screen saver
3. Check On resume, password protect
4. Click OK
Screen saver password in Vista/7
1. In Control Panel, double-click Personalization
2. Click Screen Saver
3. Check On resume, display logon screen
4. Click OK
Autoplay/Autorun
Autoplay: lets you choose which program will run which type of media
Autorun: allows Autoplay to run automatically when the media is inserted or attached
Disable Autoplay in XP
1. Click Start, choose Run
2. In the Open box, type gpedit.msc, press Enter
3. Under Computer Configuration, expand Administrative Templates
4. Click System, and double-click Turn off Autoplay
5. Choose Enabled
6. Choose which drives you want Autoplay disabled on
7. Click OK
Disable Autoplay in Vista and 7
1. Click Start and type gpedit.msc
2. Under Computer Configuration, expand Administrative Templates, Windows Components
3. Under Windows Components, click Autoplay Policies
4. Double-click Turn off Autoplay
5. Choose Enabled
6. Choose which drives you want Autoplay disabled on
7. Click OK
Topic C: File system security
File system security
Full control
Modify
Read & execute
Read
Write
Special permissions
Moving vs. copying
Copied files and files moved between partitions inherit the permissions from the new location
Files moved within the same partition keep their original permissions
Effective Permissions tool
Shared Folders console
View and manage shared folders
Reviewing share permissions
Calculating effective permissions
1. Use the Effective Permissions tool to determine the user's effective NTFS permissions for a folder
2. Review the share permissions for the folder
3. Compare the user's effective NTFS permissions to the user's share permissions
4. Check the file attributes
Sources of Access Denied errors
User doesn't have the necessary share permissions
If the shared resource is a folder or file, the user might have NTFS permissions that prevent access
Does the file have the Read Only attribute?
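An added Python example (not from the slides) that walks the four-step procedure above and maps the outcome to the three sources of Access Denied errors. The ACEs, share grants and group memberships are constructed, and the rights sets are a simplified model of the NTFS and share permission names the deck lists; share permissions are only applied when access is over the network, since a local logon bypasses them.

```python
# Simplified rights behind the NTFS permission names the deck lists.
NTFS = {
    "Full control": {"read", "execute", "write", "delete", "change permissions"},
    "Modify": {"read", "execute", "write", "delete"},
    "Read & execute": {"read", "execute"},
    "Read": {"read"},
    "Write": {"write"},
}
# Share permissions use a smaller set of names.
SHARE = {
    "Full Control": NTFS["Full control"],
    "Change": NTFS["Modify"],
    "Read": {"read", "execute"},
}
READ_ONLY_BLOCKS = {"write", "delete"}  # what the Read-only attribute refuses


def effective_ntfs(principals, aces):
    """Step 1: union of allowed rights over the user and all groups, minus any denied right."""
    allowed, denied = set(), set()
    for principal, kind, perm in aces:  # ace = (principal, "allow"|"deny", permission name)
        if principal in principals:
            (allowed if kind == "allow" else denied).update(NTFS[perm])
    return allowed - denied


def effective_share(principals, grants):
    """Step 2: share permissions are cumulative across the user's groups."""
    rights = set()
    for principal, perm in grants:  # grant = (principal, share permission name)
        if principal in principals:
            rights |= SHARE[perm]
    return rights


def why_denied(user, groups, aces, grants, wanted, read_only=False, over_network=True):
    """Steps 3-4: the more restrictive of NTFS and share wins, then the attribute is checked.

    Returns None when access is granted, otherwise the deck's reason for Access Denied."""
    principals = {user, "Everyone", *groups}
    if wanted not in effective_ntfs(principals, aces):
        return "NTFS permissions do not grant " + wanted
    if over_network and wanted not in effective_share(principals, grants):
        return "share permissions do not grant " + wanted
    if read_only and wanted in READ_ONLY_BLOCKS:
        return "file has the Read-only attribute"
    return None
```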
File attributes
Read-only
Hidden
System
Archive
Not content indexed
Unit summary
Created and secured user accounts
Configured security policies
Explained file system security