UNIT: Windows Users, Groups and Security
Donna Warren

Topics for this Unit
- Homegroups, workgroups, and domains
- Create user and group accounts
- User Account Control panel
- User authentication and authorization
- Malware
- Protection for sensitive data
User Accounts
- Identify users to the system and to each other
- Allow authentication: proving they are who they say they are
- Allow authorization: used to grant access to resources such as
  - Files and printers
  - Computer systems
  - Network resources
- Delegation of authority
- Collect information about users

Local User Accounts
- Created on workstations and member servers; domain controllers have no local user accounts (the directory replaces the SAM once a server is promoted)
- Provide access to the local computer through user rights and access permissions
- Reside in the local security database, the Security Account Manager (SAM)
- You can log on to the local machine or to the domain, but not both in one session: the two logons are mutually exclusive

User Rights versus Permissions
- Permissions define what objects a user is allowed to access and what actions they can perform on an object, such as Modify on a file or Print on a printer
- User rights define what actions a user can take on the operating system itself, such as shutting down the system or taking ownership of an object
- Permissions are stored with the object (in its ACL); user rights are assigned through security policy
Account Properties
- Logon name is mandatory
- User name: 20 characters maximum; spaces are allowed
- Invalid user name characters: " / \ [ ] : ; | = , + * ? < >
- User names are NOT case sensitive
- Passwords ARE case sensitive and should NEVER be blank
- Password complexity: use uppercase, lowercase, and numbers or symbols
  - Can be enforced with Group Policy

Built-in Local User Accounts
- Configured during setup
- Accounts that can log on interactively:
  - Administrator: full control of the computer (basically the computer god or goddess)
  - Guest: provides limited access; disabled by default
- Built-in accounts can be renamed but not deleted
- System account (LocalSystem): used by the operating system; has full control access and all assignable user rights by default, but cannot log on interactively

Other Accounts
- Service accounts grant services access to system resources:
  - Local System: used by the operating system
  - Local Service: used by local services (minimal privilege; anonymous on the network)
  - Network Service: used by services that need network access (presents the computer account on the network)
- IIS built-in and user-defined accounts:
  - ASPNET: used by ASP.NET services
  - IUSR_computer-name: anonymous user account for the web server
  - IWAM_computer-name: account used to run threads for IIS and ASP.NET
Managing Local Users
- Computer Management (Local Users and Groups snap-in)
- Control Panel: User Accounts
- Net.exe command (net user, net localgroup)

User Accounts Control Panel
- Intended for users with less experience
- Simplified interface
- Limited access: cannot create or manage groups

User Profiles
- Profiles are configuration files that store all of a user's preferences
- Local user profile: stored locally and applies to the local machine only
- Roaming user profile: stored on a server and follows the user to any machine they log on to in the domain
- Mandatory user profile: a read-only roaming profile that the user must use when they log on; changes are discarded at logoff
User Account Control (UAC)
- Security measure to prevent users from always running as an administrator
- Administrators are issued two access tokens: one standard token and one administrative token
- Best practice is to log on as a standard user
- Use the runas command (or Run as administrator) to perform administrative tasks

Performing Administrative Tasks
- Standard user account: the system displays a credential prompt where administrative account information must be entered
- Administrative account: switches from the standard user token to the administrative token and generates an elevation (consent) prompt

Configuring User Account Control

Cached Credentials
- Windows can store domain credentials locally to allow logon when the domain controller is not available
Groups
- Collections of user accounts
- Simplify access to resources
- Members receive the permissions given to the groups of which they are members
- Users can be members of multiple groups
- Groups can be members of other groups (nested groups)
- Can be used for security and for messaging (distribution) in Active Directory

Built-in Local Groups
- Built-in groups cannot be removed but can be renamed
- Administrators: have all user rights and access permissions
- Backup Operators: can bypass file security to back up and restore files
- Power Users: limited administrative permissions and rights on older Windows versions; kept only for legacy compatibility
- Remote Desktop Users: allowed to connect to this computer using Remote Desktop
- Users: all new accounts are added to Users by default
- Guests: group with very limited and usually temporary access

Implicit Groups (special identities)
- Membership can change dynamically
- Determined by the user's activities
- Used to grant permissions based on circumstances
- Do not appear in user administration tools
- Interactive: all users logged on locally
- Network: all users who access the system over a network
- Everyone: includes absolutely everyone
- Authenticated Users: users who have been authenticated by the system's security manager (excludes Guest and anonymous)
- Creator Owner: the user who creates an object

Using Local Groups
- Valid only on the computer where you create them
- Only local users from the same computer can be members of local groups
- When the computer is a member of an AD domain, local groups can have domain users and domain global groups as members
- Local groups cannot have other local groups as members; they can, however, have domain groups as members
- You can only assign permissions to local groups when you are controlling access to resources on the local computer
- You cannot create local groups on a Windows Server computer that is functioning as a domain controller
Security Boundaries

Homegroup
- Simplified networking
- Allows users on a home network to share the contents of their libraries without creating user accounts and permissions on each of the other machines

Workgroup (peer-to-peer network)
- Each computer can function as both a server and a client
- Each computer has its own set of users and groups to control access to its own resources
- Small networks only
- Very little security required

Active Directory Domain
- Collection of computers that utilize a central directory service for authentication and authorization
- At least one Domain Controller is required

Domain Accounts
- Added to the local groups when a computer joins a domain
- Domain Admins: placed in the local Administrators group by default when the computer joins a domain
- Domain Users: placed in the local Users group, so domain users have the same access permissions as local users
- Domain Guests: member of the local Guests group
- Provide logon and resource access to the local system
- Can be placed into other local groups as well

User and Account Best Practices
- Place users into groups and assign permissions to the groups
- Create a standard naming convention
- Give administrators a limited (standard) account for non-administrative use
- Limit the number of Administrators
- Rename or disable the Administrator account
- Rename the Guest account and leave it disabled
- Observe the principle of least privilege
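The "Managing Local Users", "Using Local Groups" and best-practice slides above come together in one script. This is an added example written for these notes, not code from the slides: it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), a group named Payroll, a "first initial + surname" naming convention, and a constructed list of two people.

```powershell
# Added example (not from the slides): create a group and standard users, apply the
# naming convention, rename the built-in Administrator, and keep Guest disabled.
# Run from an elevated PowerShell. Group name, people and convention are assumptions.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# Naming convention assumed for this example: first initial + surname, lower case.
function New-Username {
    param([string]$First, [string]$Last)
    ($First.Substring(0, 1) + $Last).ToLower()
}

# 1. A group receives the permissions; individual users never get permissions directly.
if (-not (Get-LocalGroup -Name 'Payroll' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'Payroll' -Description 'Payroll staff (access to the payroll share)' | Out-Null
}

# 2. Standard users from a constructed list of people (sample data, not real accounts).
$people = @(
    @{ First = 'Ada';   Last = 'Lovelace' },
    @{ First = 'Grace'; Last = 'Hopper'   }
)
foreach ($p in $people) {
    $name = New-Username -First $p.First -Last $p.Last
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        # -AsSecureString keeps the initial password out of the script and the console history.
        $pw = Read-Host "Initial password for $name" -AsSecureString
        New-LocalUser -Name $name -FullName "$($p.First) $($p.Last)" -Password $pw `
            -PasswordNeverExpires:$false -UserMayNotChangePassword:$false | Out-Null
    }
    # New users land in Users automatically; Payroll is the only extra membership they get.
    Add-LocalGroupMember -Group 'Payroll' -Member $name -ErrorAction SilentlyContinue
}

# 3. Built-in accounts: find them by RID rather than by name, because they may already be renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }   # RID 500 = built-in Administrator
if ($admin.Name -eq 'Administrator') { Rename-LocalUser -Name $admin.Name -NewName 'svc-localadm' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-501') }   # RID 501 = built-in Guest
if ($guest.Enabled) { Disable-LocalUser -Name $guest.Name }

# 4. Verify the Administrators membership: on a domain member, expect Domain Admins here
#    and little else. PrincipalSource tells local from domain principals apart.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource
```

Renaming Administrator is a speed bump, not a boundary: the account keeps RID 500, which is why the script looks the built-in accounts up by SID suffix instead of by name, exactly as an attacker would.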
The Internet
- The Internet: a global network connecting thousands of individual networks and millions of users by means of the TCP/IP protocol suite
- Internet: a web-based network connecting separate individual networks
- Intranet: a web-based internal network used within a single company
- Both the Internet and intranets are accessed using web browsers

Internet Terminology
- World Wide Web (WWW): the hypertext service that runs over the Internet, often loosely equated with the Internet itself
- Hypertext Transfer Protocol (HTTP): a communications protocol that retrieves HTML-formatted documents and works with TCP to transport files over the Internet
- Windows supports HTTP through Windows socket services (Winsock)
- Hypertext Markup Language (HTML): the markup language used to describe documents and graphic images on the World Wide Web

Web Browser
- Web browser: software used to communicate with Web sites
- Uniform Resource Locator (URL): a convention for locating an Internet resource
- Virtual private network (VPN): extends an intranet by tunneling through the Internet to provide secure network access for an organization's users

Microsoft Internet Tools
- Internet Assistant: works within Word to format a document with HTML tags and save it as a text file
- FrontPage: full-scale Web site development tool
- Microsoft Internet Explorer: Microsoft's free web browser
- Microsoft Internet Information Server (IIS): Microsoft's web server, included with Windows but not installed by default

IIS Features
- Runs as a service on Windows
- Supports all HTTP protocol features
- Can be administered over the Internet
- Applies the operating system's security features (accounts, permissions) to web pages
- Can restrict the server bandwidth allocated to web services
Security

Authentication
- Authentication is the process of proving who you are
- There are several common methods (factors) of authentication:
  - What you know (password or PIN)
  - Who you are (retinal scan or thumbprint)
  - What you have (smart card)
- Some of these methods can be used so that users no longer need to remember passwords

Strong Passwords
- Should be:
  - At least eight characters in length
  - Contain uppercase and lowercase letters, and numbers or symbols
  - Different from previously used passwords
  - Longer where possible: Windows accepts passwords of up to 127 characters
- Should NEVER be:
  - Blank
  - Your user name or real name
  - Children's or pets' names
  - Company name
  - A complete dictionary word

Local Security Policy
- Used on individual computers to enforce restrictions; on a domain member, domain Group Policy takes precedence over it

Password Policy
- Used to enforce good password security practices (minimum length, complexity, maximum age, password history)

Account Lockout Policies
- Lock an account after a set number of failed logon attempts (threshold), for a set duration, with a window after which the failed-attempt counter resets
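The password, lockout and cached-credential settings from the slides above, applied and checked from the command line. This is an added example for these notes, not code from the slides; the thresholds, the registry value and the sample user names are assumptions, and on a domain-joined computer the domain's Group Policy overrides whatever net accounts sets locally.

```powershell
# Added example (not from the slides): inspect and set the local password and
# account-lockout policy with net.exe, cap cached domain logons, and check a
# candidate password against the Windows complexity rule. Values are assumptions.
#Requires -RunAsAdministrator

# Current local policy: the same values Local Security Policy shows under Account Policies.
net accounts

# Password policy: at least 8 characters, 90-day maximum age, remember 24 old passwords.
net accounts /minpwlen:8 /maxpwage:90 /uniquepw:24
# Account lockout: 5 bad attempts lock the account for 30 minutes; counter resets after 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Cached credentials: Windows keeps up to CachedLogonsCount domain logons (default 10) so
# users can log on when no DC is reachable. Lower it on machines that never leave the LAN.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '2' -Type String

# The Windows "password must meet complexity requirements" rule: at least 3 of the 4
# character classes, and no 3+ character piece of the user name or full name inside the
# password. The slide's other rules (no dictionary word, not reused) are checked elsewhere.
function Test-PasswordComplexity {
    param([string]$Password, [string]$UserName, [string]$FullName = '')
    if ($Password.Length -lt 8) { return $false }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }   # -cmatch: case-sensitive match
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { return $false }
    # Tokens of the user's name that are 3+ characters long must not appear in the password.
    $tokens = @($UserName) + ($FullName -split '[ ,.\-_#\t]+') | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.ToLower().Contains($t.ToLower())) { return $false }
    }
    return $true
}

# Constructed sample checks (user and passwords are made up for the example):
Test-PasswordComplexity -Password 'Spring2024'    -UserName 'alovelace' -FullName 'Ada Lovelace'  # three classes
Test-PasswordComplexity -Password 'Lovelace#2024' -UserName 'alovelace' -FullName 'Ada Lovelace'  # contains the surname
Test-PasswordComplexity -Password 'password'      -UserName 'alovelace'                          # one class only
```

Note what the complexity rule does not do: "Spring2024" passes it. Length and a ban on known-breached passwords do more for real strength than the class count, so treat the rule as a floor and the slide's "no dictionary word" advice as the part people actually skip.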
Credential Manager
- Stores user names and passwords for servers and Web sites in the Windows Vault
- The "Remember my credentials" checkbox adds credentials to the Windows Vault

Smart Cards
- Users no longer have to remember passwords; a short PIN unlocks the card
- The credentials (a certificate and its private key) are stored on the smart card and the key never leaves it, so they are hard to steal
- Security operations such as cryptographic functions are performed on the smart card rather than on the network server or local computer
- Can be used from remote locations to provide authentication services
- Brute-force attacks are usually less successful: the card locks itself after a few wrong PINs

Using Biometrics
- Scans a physical characteristic of a user to confirm identity: fingerprints, thumbprint, retina
- The Windows Biometric Framework provides core biometric functionality and a Biometric Devices control panel

Certificates
- Used for authentication tasks: internally, on the local network, and on the Internet
- Windows automatically maintains a certificate store for each user
- Users can manage their certificate stores directly using the Certificates snap-in

Certificate Manager

Elevating Privileges
- Use the Run as administrator context-menu option
- Use the command-line runas.exe command: runas /user:dpw\administrator notepad.exe
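The two-token model from the UAC slides and the runas command above, as an added example written for these notes (not the slides' own code). It assumes the domain name dpw from the slide and that the session started from a normal, non-elevated shell.

```powershell
# Added example (not from the slides): tell which of the two UAC tokens the current
# PowerShell session holds, then obtain an administrative context two ways.
# The domain name dpw and the account names are assumptions.

function Test-IsElevated {
    # An administrator running under the filtered (standard) token is NOT elevated:
    # IsInRole(Administrator) is true only when the full administrative token is in use.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Seen from inside the token: with UAC on, an administrator's filtered token lists
# BUILTIN\Administrators with the attribute "Group used for deny only" until elevated.
whoami /groups | Select-String 'BUILTIN\\Administrators'
"Running elevated: $(Test-IsElevated)"

if (-not (Test-IsElevated)) {
    # 1. Same account, administrative token: raises the UAC consent prompt (for an admin)
    #    or credential prompt (for a standard user), exactly like "Run as administrator".
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', 'whoami /groups | findstr Administrators'

    # 2. A different account entirely (the slide's runas form): notepad runs as
    #    dpw\administrator, whose password is requested on the console. runas does NOT
    #    elevate: with UAC on, the new process still starts with that account's filtered
    #    token, so runas is for switching accounts, not a substitute for elevation.
    runas /user:dpw\administrator notepad.exe
}
```

Run the block once from a standard shell and once from an elevated one: the whoami line is the quickest way to see the "deny only" marker disappear when the administrative token is in use.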
Common Problems
- Password lost or forgotten: the most common problem
- Passwords are stored as one-way hashes, which makes them unrecoverable; they must be reset
- Users can change their own password if they know their old password
- Administrators can reset a password without supplying the old password
- For a local account, an administrator reset discards the keys that protect the user's EFS files and other saved secrets, so a Password Reset Disk is the better option

Authorization
- Authorization grants the user access to resources or allows specific actions
- Permissions define what objects a user is allowed to access and what actions they can perform on an object, such as Modify on a file or Print on a printer
- User rights define what actions a user can take on the operating system, such as shutting down the system or taking ownership of an object
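The permission/user-right distinction from the slides above, made concrete. This is an added example for these notes, not code from the slides: it assumes a folder C:\Shares\Payroll and a local group named Payroll, and it uses secedit to read the rights assignment because that is where Local Security Policy stores it.

```powershell
# Added example (not from the slides): grant a PERMISSION (an NTFS ACE on a folder) to a
# group and read the ACL back, then read the USER RIGHTS assignment for two rights the
# slides mention (shut down the system, take ownership). Path and group are assumptions.
#Requires -RunAsAdministrator

$folder = 'C:\Shares\Payroll'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# --- Permission: what a principal may do to one object --------------------------------
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; the ACL below is the whole story
# Arguments: identity, rights, inheritance (applies to subfolders and files), propagation, type
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Payroll',             'Modify',      'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Administrators',      'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# --- User right: what a principal may do to the operating system itself ---------------
# secedit exports Local Security Policy; [Privilege Rights] lists each right with the
# SIDs (prefixed *) or names that hold it. This is policy, not a property of any object.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match '^(SeShutdownPrivilege|SeTakeOwnershipPrivilege)' }
Remove-Item -Path $cfg

# The same rights as they appear in the current logon token (only what THIS user holds).
whoami /priv | Select-String 'SeShutdownPrivilege|SeTakeOwnershipPrivilege'
```

Take ownership is the right that bridges the two worlds: it is assigned by policy, yet it lets its holder rewrite any object's ACL regardless of what the permissions say, which is why it belongs only to Administrators.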
Malware
- Malicious software created specifically for the purpose of infiltrating or damaging a computer system without the user's knowledge or consent
- Viruses: self-replicating code that attaches itself to an executable (host program) and needs that host to run in order to spread to other computers
- Trojan horses: programs disguised as legitimate software; commonly designed to collect user IDs and passwords
- Worms: self-replicating programs that spread across the network without any assistance
- Spyware: designed to steal private user information such as credit card numbers
- Adware: designed to collect information on a user's web-surfing habits and display advertising

Action Center
- Starts and runs automatically, providing notifications that alert the user to security problems (firewall off, antivirus out of date, updates pending)

Introducing Windows Firewall
- A software program that protects a computer by opening or closing logical ports based on:
  - IP addresses: specific computers
  - Protocol numbers: the transport-layer protocol (TCP, UDP, ICMP)
  - Port number: the application running on the computer
- Rules are used to filter traffic, in one of two ways:
  - Admit all traffic except that which the rules block (default allow)
  - Block all traffic except that which the rules admit (default deny; the Windows Firewall inbound default)

Windows Firewall

Windows Firewall with Advanced Security
- Default profile settings (Domain, Private, Public) can be modified
- Inbound and outbound rules can be created
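The firewall slides above in command form: default-deny inbound on every profile, then rules keyed on each of the three things the slide lists (address, protocol, port). This is an added example for these notes, not code from the slides; the subnet, rule names and profile choices are assumptions.

```powershell
# Added example (not from the slides): set the profiles to default-deny inbound, then add
# rules keyed on IP address, protocol and port, and read the result back with its filters.
# Subnet 10.10.5.0/24 and the rule names are assumptions.
#Requires -RunAsAdministrator

# Block everything inbound unless a rule allows it; leave outbound allowed (the default).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Port + address rule: Remote Desktop (TCP 3389) only from the admin subnet, only on the Domain profile.
New-NetFirewallRule -DisplayName 'RDP from admin subnet' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.5.0/24 -Profile Domain

# An explicit Block beats any Allow: keep SMB (TCP 445) closed on public networks even if
# another rule (file and printer sharing) would open it.
New-NetFirewallRule -DisplayName 'Block SMB on public networks' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 445 -Profile Public

# Protocol-number rule: ICMP has no ports, so ping (echo request, type 8) is matched by protocol and type.
New-NetFirewallRule -DisplayName 'Allow ping from LAN' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress LocalSubnet

# Review: a rule object carries no ports or addresses itself; join its filters back in.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -like '*subnet*' -or $_.DisplayName -like '*SMB*' -or $_.DisplayName -like '*ping*' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Proto   = $port.Protocol
            Port    = $port.LocalPort
            Remote  = $addr.RemoteAddress
            Profile = $_.Profile
        }
    } | Format-Table -AutoSize
```

The review step matters more than it looks: Get-NetFirewallRule alone shows neither ports nor addresses, so a rule that reads "RDP from admin subnet" but actually has RemoteAddress = Any is invisible until the address filter is joined in.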
Windows Defender

Malicious Software Removal Tool
- A stand-alone, run-once virus scanner supplied with monthly updates through Windows Update
- Removes any potentially damaging software it finds
- There are no controls, and it is not permanently installed
- You should still install a full-featured antivirus program on Windows

Encrypting File System (EFS)
- EFS is a feature of NTFS that encrypts files on a computer
- The system is keyed to a specific user account
- Uses public key encryption (PKI): each file's key is wrapped with the user's EFS certificate
- By default the user who creates the file is the only person who can read it, apart from any data recovery agent defined by policy
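EFS as the slide describes it, driven from PowerShell and cipher.exe. This is an added example for these notes, not code from the slides; the file path, the second user's exported certificate and the backup location are assumptions, and the file's content is constructed.

```powershell
# Added example (not from the slides): encrypt a file with EFS, show that it is keyed to the
# creating user's certificate, list who can decrypt it, and back the key up. The path, the
# second user's .cer file and the backup location are assumptions.

$file = Join-Path $env:USERPROFILE 'Documents\payroll-notes.txt'
'constructed sample content' | Set-Content -Path $file

# Encrypt: System.IO.File.Encrypt is the same operation as Properties > Advanced > "Encrypt
# contents". It needs an NTFS volume and fails on FAT/exFAT and on Windows Home editions.
[System.IO.File]::Encrypt($file)
(Get-Item -Path $file).Attributes          # the attribute list now includes Encrypted

# Who can decrypt: the creator's EFS certificate plus any recovery agent set by policy.
cipher /c $file

# The protecting key is the EFS certificate in the user's personal store. It is itself
# protected by the account password, so an administrator resetting that password (without
# a reset disk) or a rebuilt profile leaves the file unreadable.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
    Format-List Subject, Thumbprint, NotAfter

# Share the file with one more user by adding that user's exported EFS certificate
# (assumed path); "only the creator can read it" holds only until this is done.
# cipher /adduser /certfile:C:\certs\ghopper-efs.cer $file

# Back up the certificate and private key before relying on EFS for anything that matters.
# cipher /x "$env:USERPROFILE\efs-key-backup"
```

The two commented cipher lines are left inactive because they need the other user's certificate file and a password prompt; run them by hand once those exist. cipher /c is the command to reach for when a user reports an "access denied" on their own encrypted file: it shows whether their current certificate is among the ones that can open it.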
Parental Controls
- Enable parents to limit their children's access to specific Internet sites, games, and applications
- Based on user accounts: every family member must have their own account
- Impose restrictions on accounts:
  - Filter the Web sites users are allowed to access
  - Limit downloads from Internet sites
  - Enforce time limits for computer use
  - Restrict access to games by rating, content, or title
  - Allow or block specific applications

Summary
- User accounts help manage resource access
- User groups simplify administration
- Naming conventions uniquely identify users
- Complex passwords strengthen security
- Cached credentials allow access when the domain is unavailable
- A workgroup is a collection of computers that are all peers, each able to act as a client or a server
- A domain is a collection of computers that all utilize a central directory service for authentication and authorization

Summary (continued)
- Built-in local groups are equipped with the permissions and rights needed to perform certain tasks
- Windows provides two separate interfaces for creating and managing local user accounts: the User Accounts control panel and the Local Users and Groups snap-in
- The three profile types are local, roaming, and mandatory
- User Account Control (UAC) lets an administrative user perform regular tasks as a standard user and switch to an administrative token to perform administrative tasks

Summary (continued)
- Password policies enforce password security practices
- Credential Manager is a tool that stores user names and passwords in a Windows Vault
- Permissions and user rights are used to authorize users' access to resources and tasks
- Action Center is a centralized console for monitoring and configuring Windows security
- Windows Firewall protects a computer by opening and closing logical ports
- Windows Defender helps to defend against spyware
- The Malicious Software Removal Tool is a stand-alone, run-once virus scanner
- The Encrypting File System (EFS) encrypts files on the hard drive

DEMO
- Creating Users & Groups
- Managing Users
- Assigning User Rights
- Policies
- Joining a domain

Lab
- Create users and groups
- Join a domain
- Assign user rights
- Install Internet Information Services
- Download and install Malwarebytes
- Download and install the AVG antivirus program
- Configure Windows Firewall