NOTE Authentication is the process of giving a user access to a system. Authorization is how we determine what an authenticated user can do to a system.
In this chapter, you will learn how to
• Create and administer Windows users and groups
• Define and use NTFS permissions for authorization
• Share a Windows computer securely
• Secure PCs with User Account Control
Through the combination of user accounts, groups, and NTFS permissions, Windows provides incredibly powerful file and folder security. This user/group/NTFS combination scales from a single computer up to a network of computers spanning the world.
When learning about users, groups, and NTFS permissions, it’s helpful to think about a single PC. To that end, this chapter focuses on Windows security from the point of view of a single, or standalone, machine. Chapter 21, “Local Area Networking,” takes over where this chapter stops and will revisit these topics in more detail and show you how the same tools scale up to help you protect a computer in a networked environment.
This chapter begins by examining user accounts, passwords, and groups, then turns to the high level of granular security afforded by NTFS. The third section describes methods for sharing and accessing shared content. The chapter wraps with a look under the hood at User Account Control.
Security begins with a user account, a unique combination of a user name and an associated password, stored in some database on your computer, that grants the user access to the system. Although we normally assign a user account to a human user, user accounts are also assigned to everything that runs programs on your computer. For example, every Windows system has a SYSTEM account that Windows uses when it runs programs. Two mechanisms enable user account security: authentication and authorization.
Authentication is the process of identifying and granting access to some user, usually a person, who is trying to access a system. In Windows, authentication is most commonly handled by a password-protected user account. The process of logging into a system is where the user types in an active user name and password.
NOTE Authentication is the process of giving a user access to a system. Authorization is how we determine what an authenticated user can do to a system.
Once a user authenticates, he or she needs authorization: the process that defines what resources an authenticated user may access and what he or she may do with those resources. Authorization for Windows’ files and folders is controlled by the NTFS file system, which assigns permissions to users and groups. These permissions define exactly what users may do to a resource on the system. Let’s start with authentication.
Every user account has a user name and a password (although that password may be blank). A user name is a text string that identifies the user account assigned to a system. Three examples of possible user names are “Mike1” or “john.smith” or “some.person@somedomain.com.” Associated with every user name is a password: a unique key known only by the system and the person using that user name. This user name and password are encrypted on the system—and only those with a user name and password are allowed access to the system via the login process.
Every Windows system stores the user accounts as an encrypted database of user names and passwords. Windows calls each record in this database a local user account. If you don’t have a local user account created on a particular Windows system, you won’t be able to log on to that computer (see Figure 14-1).
Figure 14-1 Windows logon screen
Creating a user account generates a number of folders on a computer. In Windows, for example, each user account gets unique personal folders, such as Documents, Desktop, Pictures, Music, and more. By default, only a person logged in as a specific user can access the personal folders for that user account. So the next step is to secure that user account.
Passwords help secure user accounts. If someone learns your user name and password, he or she can log on to your computer. Even if the user account has only limited permissions—perhaps it can only read files, not edit them—you still have a security breach.
Make your users choose good passwords. I once attended a security seminar, and the speaker had everyone stand up. She then began to ask questions about our passwords—if we responded yes to the question, we were to sit down. She began to ask questions such as
“Do you use the name of your spouse as a password?” and
“Do you use your pet’s name?”
By the time she had asked about 15 questions, only 6 people out of some 300 were still standing. The reality is that most of us choose passwords that are amazingly easy to hack. Make sure users have a strong password: at least eight characters in length, including letters, numbers, and punctuation symbols.
Using non-alphanumeric characters makes any password much more difficult to crack, for two reasons. First, adding non-alphanumeric characters forces the hacker to consider many more possible characters than just letters and numbers. Second, most password crackers use a combination of common words and numbers to hack passwords.
Because non-alphanumeric characters don’t fit into common words or numbers, a character such as an exclamation point defeats these common-word hacks. Not all systems allow you to use characters such as @, $, %, or \, however, so you need to experiment.
CompTIA also recommends that you should have users change passwords at regular intervals; this can be enforced with a password expiration policy that forces users to select a new password periodically. Although this concept sounds good on paper, it is a hard policy to maintain in the real world. For starters, users tend to forget passwords when they change a lot. This can lead to an even bigger security problem because users start writing passwords down.
If your organization forces you to change passwords often, one way to remember the password is to use a numbering system. I worked at a company that required me to change my password at the beginning of each month, so I did something very simple. I took a root password—let’s say it was “m3y3rs5”—and simply added a number to the end representing the current month. So when June rolled around, for example, I would change my password to “m3y3rs56.” It worked pretty well.
NOTE Every secure organization sets up various security policies and procedures to ensure that security is maintained. Windows has various mechanisms to implement such things as requiring a strong password, for example. Chapter 28, “Securing Computers,” goes into detail about setting up Local Policies and Group Policy.
Windows enables you to create a password hint for your accounts. This clue appears after your first logon attempt fails (see Figure 14-2).
Figure 14-2 Password hint on the Windows 7 logon screen
CAUTION Blank passwords or passwords that are easily visible on a sticky note provide no security. Always insist on non-blank passwords, and do not let anyone leave a password sitting out in the open.
A group is a container that holds user accounts and defines the capabilities of its members. A single account can be a member of multiple groups. Groups are an efficient way of managing multiple users, especially when you are dealing with a whole network of accounts. Standalone computers rely on groups too, though Windows obscures this a little, especially with home users.
Groups make Windows administration much easier in two ways. First, you can assign a certain level of access for a file or folder to a group instead of to just a single user account. You can make a group called Accounting, for example, and put all user accounts for the accounting department in that group. If a person quits, you don’t need to worry about assigning all of the proper access levels when you create a new account for his or her replacement. After you make an account for the new person, just add her account to the appropriate access group! Second, Windows provides numerous built-in groups with various access levels already predetermined.
While all versions of Windows come with a large number of these built-in groups, Windows editions aimed at home users handle these very differently than more advanced versions. For starters, make sure you are aware of the following groups for the exam:
• Administrators Any account that is a member of the Administrators group has complete administrator privileges. Administrator privileges grant complete control over a machine. It is common for the primary user of a Windows system to have her account in the Administrators group.
When you create the Jane user account, in other words, and make Jane an administrator, you actually place the Jane account in the Administrators group. Because the Administrators group has all power over a system, Jane has all power over the system.
• Power Users Members of the Power Users group are almost as powerful as members of the Administrators group, but they cannot install new devices or access other users’ files or folders unless the files or folders specifically provide them access.
• Users Members of the Users group cannot edit the Registry or access critical system files. They can create groups but can manage only those they create. Members of the Users group are called standard users.
If you change the Jane account from administrator to standard user, you specifically take the Jane account out of the Administrators group and place it into the Users group. Nothing happens with her personal files or folders, but what the Jane account can do on the computer changes rather dramatically.
• Guests The Guests group enables someone who does not have an account on the system to log on by using a guest account. You might use this feature at a party, for example, to provide casual Internet access to guests, or at a library terminal. Most often, the guest account remains disabled.
Configuring local user accounts and local groups requires tools in Windows for creating and managing users and groups. Every version of Windows includes either one or two users and group management tools. Most editions of Windows include a Control Panel applet called User Accounts (see Figure 14-3).
Figure 14-3 User Accounts
The more advanced Windows editions include a second, more advanced utility called Local Users and Groups (see Figure 14-4). You’ll find Local Users and Groups in the Computer Management console in Administrative Tools. (Remember from Chapter 3 how to access Administrative Tools?)
Figure 14-4 Local Users and Groups
NOTE To create and manage users, you must have administrator privileges.
You create three accounts when you set up a computer: guest, administrator, and a local account that’s a member of the Administrators group.
To add or modify a user account, you have numerous options depending on which Control Panel view you select and which edition and update of Vista you have installed. If your machine is on a workgroup, you’ll see the User Accounts and Family Safety applet (see Figure 14-5). If you connect to a domain (discussed in Chapter 21), the default Control Panel Home view offers the User Accounts applet (see Figure 14-6). The options in each applet differ as well, as you can see in the screenshots.
Figure 14-5 User Accounts and Family Safety applet in the Control Panel Home in Windows Vista Home Premium
Figure 14-6 User Accounts applet in the Control Panel Home in Windows Vista Ultimate
Most techs almost immediately change the Control Panel view to Classic, but even there the different versions of Windows—and whether you’re logged on to a workgroup or a domain—give you different versions of the User Accounts applet. Figure 14-7 shows the User Accounts applet in Windows Vista Business in a domain environment. Figure 14-8 shows the applet in Windows Vista Home Premium.
Figure 14-7 User Accounts applet in Windows Vista Business
Figure 14-8 User Accounts applet in Windows Vista Home Premium
The Tasks links on the left are similar between editions of Windows (with the addition of Parental Controls in the Home Premium edition), but the main options differ a lot. This chapter focuses on standalone machines, so we’ll look more closely at the options included with Vista Home Premium.
Windows Vista Home Premium uses Vista’s version of the Welcome screen for logging on, so each user account has a picture associated with it. You can change the picture from the User Accounts applet. You can also change the name of the user account here and alter the account type, demoting an account from administrator to standard user, for example.
To add a user in Windows Vista, open the User Accounts applet. You may need to open User Accounts and Family Safety first. Click Manage another account and select Create a new account. Give the account a user name and select a user account type. Then click Create Account.
NOTE At least one account must be an administrator account. If you try to demote the sole administrator account, you’ll find the option dimmed.
User Account Control Windows makes it too easy to make your primary account on a computer an administrator account. Because limited users can’t do common tasks, such as running certain programs, installing applications, updating applications, updating Windows, and so on, most users simply create an administrator-level account and log on. Such accounts have full control over the computer, so any malware or any simple user mistake that slips in through the account can do a lot of harm.
Microsoft addressed this problem with User Account Control (UAC), a feature that enables standard users to do common tasks and provides a permissions dialog box when standard users and administrators do certain things that could potentially harm the computer (such as attempt to install a program). We’ll discuss UAC in detail at the end of this chapter.
Parental Controls With Parental Controls, an administrator account can monitor and limit the activities of any standard user in Windows, a feature that gives parents and managers an excellent level of control over the content their children and employees can access (see Figure 14-9). Activity Reporting logs a user’s successful and blocked attempts to run an application, visit a Web site, download a file, and more. You can block various Web sites by type or specific URL, or you can allow only certain Web sites, a far more powerful option.
Figure 14-9 Parental Controls
Parental Controls also enable you to limit the time that standard users can spend logged on. You can specify acceptable and unacceptable times of day when standard users can log on. You can restrict access both to types of games and to specific applications. If you like playing rather gruesome games filled with monsters and blood that you don’t want your kids to play, for example, you can simply block any games with certain ESRB (Entertainment Software Rating Board) ratings, such as E for Everyone, T for Teen, or M for Mature.
Windows 7 handles user creation in a manner very similar to Windows Vista, continuing the use of the User Accounts Control Panel applet. The User Accounts applet is virtually identical to the one used in Windows Vista. To create a user account, open the User Accounts applet and select Manage another account to see something like Figure 14-10.
Figure 14-10 Manage Accounts
Click on Create a new account to see your options for making a new account (see Figure 14-11). Note that this applet only enables you to make administrator accounts (in the Administrators group) or standard users (in the Users group).
Figure 14-11 Adding a new user
Starting with Windows 8, Microsoft shifted the focus of user accounts from local accounts to Internet-wide Microsoft accounts. Windows 8 debuted the Settings charm (see Figure 14-12). Select Change PC settings from the initial charm screen to open PC settings (see Figure 14-13) and get access to the Accounts option. Note that the User Accounts applet in Control Panel enables you to make changes to current accounts (local or global), and gives you access to the Settings charm (or app in Windows 10) when you opt to add a new account.
Figure 14-12 Settings charm
Figure 14-13 PC settings
When you first set up a Windows 8/8.1/10 PC, you’re prompted either to sign in to your Microsoft global account or create one at that time. Although the language of the sign-up option for the new account suggests a Microsoft-sponsored e-mail address (like user@hotmail.com), any valid e-mail address can serve as a Microsoft account. You can opt to create a local user account instead and that will function like any local account on previous versions. But if you opt for a global Microsoft account, you’ll synchronize photos, files, and Desktop settings (like the background picture and colors).
Note that creating an account—global or not—creates a local user account. If you create an account tied to your global account, the local account gets created and then Windows applies the settings from your global profile.
Once you have a valid user account set up and have a functioning system, the Accounts area of the Settings app enables you to sign out, sign in, modify your profile picture, and so on. Figure 14-14 shows a typical Accounts default screen.
Figure 14-14 Accounts screen in Windows 8.1
To create a new account, click on the Other accounts option. This opens the Manage other accounts page (see Figure 14-15). From this page you can modify the status or group of any current local user account. Click the + symbol next to Add an account to get started.
Figure 14-15 Manage other accounts
On the How will this person sign in? screen (see Figure 14-16), you’ll see options to use a valid Microsoft account, get a Microsoft account, add a child’s account, or create a local account only. The Add a child’s account option creates an account with parental controls enabled, as you probably suspected.
Figure 14-16 Options for a new account
Once you’ve opted to do either a global or local account, Windows creates that account on the local machine. This process takes a while; Windows creates all the folder structures and updates the local profile. Eventually, you’ll have a new account ready to roll (see Figure 14-17).
Figure 14-17 Shiny new account
The professional editions of Windows include the Local Users and Groups tool, a more powerful tool for working with user accounts. You can create, modify, and remove users and groups. Keep in mind, however, that this advanced tool will not hold your hand like the Control Panel applets. Think of the Local Users and Groups tool as a bike without the training wheels of the User Accounts applet. Figure 14-18 shows the Local Users and Groups tool in Windows 8.1 with Groups selected.
Figure 14-18 Local Users and Groups in Windows 8.1 Pro
To add a group, simply right-click on a blank spot in the Groups folder and select New Group. This opens the New Group dialog box, where you can type in a group name and description in their respective fields (see Figure 14-19).
Figure 14-19 New Group dialog box in Windows 8.1 Pro
To add users to this group, click the Add button. The dialog box that opens varies a little in name among the three operating systems, though they all contain the same functionality (see Figure 14-20).
Figure 14-20 Select Users dialog box in Windows 8.1 Pro
You can add more than just users to a group. Windows uses multiple object types to define what you can add. Object types include user accounts, groups, and computers. Each object type can be added to a group and assigned permissions. The short version of how to add a user account is: click the Advanced button to expand the dialog box and then click the Find Now button (see Figure 14-21).
Figure 14-21 Select Users dialog box in Windows 8.1 Pro with advanced options expanded to show user accounts
You can either add group membership to a user’s properties or add a user to a group’s properties.
• To add group membership to a user account, select the Users folder, right-click a user account you want to change, and select Properties from the context menu. Then select the Member Of tab on the user account’s Properties dialog box (see Figure 14-22). Click Add to add group membership.
Figure 14-22 Properties dialog box of a user account, where you can change group memberships for that account
• To add users via the group’s properties, select the Groups folder. Right-click on a group and select Properties. Beneath the Members list, click the Add button to search for and add user accounts to the group.
You can also use either method to remove users. This level of flexibility makes the Local Users and Groups tool much more powerful and useful than the User Accounts Control Panel applets.
NOTE Home editions of Windows do not have the Local Users and Groups utility. You must use the User Accounts applet or the Settings charm.
User accounts and passwords provide the foundation for securing a Windows computer, enabling users to authenticate with a PC. After you’ve created a user account, you need to determine what the user can do with the available resources (files, folders, applications, and so on). We call this process authorization. Windows uses the powerful NT File System (NTFS) as the primary tool for providing authorization. Let’s delve into NTFS to see how this powerful file system protects folders and files.
In Windows, every folder and file on an NTFS partition has a list that contains two sets of data. First, the list details every user and group with access to that file or folder. Second, the list specifies the level of access each user or group has to that file or folder. The level of access is defined by a set of restrictions called NTFS permissions. NTFS permissions define exactly what any particular account can or cannot do to the file or folder and are thus quite detailed and powerful. You can, for example, set up NTFS permissions allowing a user account to edit a file but not delete it. You could also configure NTFS permissions to enable any member of a user group to create a subfolder for a particular folder.
NTFS file and folder permissions are so complicated that entire books have been written on them! Fortunately, the CompTIA A+ 220-902 exam tests your understanding of only a few basic concepts of NTFS permissions: Ownership, Take Ownership permission, Change permission, folder permissions, and file permissions.
• Ownership When you create a new file or folder on an NTFS partition, you become the owner of that file or folder. Owners can do anything they want to the files or folders they own, including changing the permissions to prevent anybody, even administrators, from accessing them.
• Take Ownership permission With the Take Ownership permission, anyone with the permission can seize control of a file or folder. Administrator accounts have Take Ownership permission for everything. Note the difference here between owning a file and accessing a file. If you own a file, you can prevent anyone from accessing that file. An administrator whom you have blocked, however, can take that ownership away from you and then access that file!
• Change permission Another important permission for all NTFS files and folders is the Change permission. An account with this permission can give or take away permissions for other accounts.
• Folder permissions Folder permissions define what a user may do to a folder. One example might be “List folder contents,” which gives the permission to see what’s in the folder.
• File permissions File permissions define what a user may do to an individual file. One example might be “Read and Execute,” which gives a user account the permission to run an executable program.
The primary way to set NTFS permissions is through the Security tab under the folder or files Properties (see Figure 14-23). The Security tab contains two main areas. The top area shows the list of accounts that have permissions for that resource. The lower area shows exactly what permissions have been assigned to the selected account.
Figure 14-23 The Security tab lets you set permissions.
You add or remove NTFS permissions by first selecting the user or group you wish to change and then clicking Edit to open a Permissions dialog box. To add an NTFS permission, select the Allow checkbox next to the NTFS permission you want to add. You remove an NTFS permission by deselecting the Allow checkbox next to the NTFS permission you want to remove. The Deny checkbox is not used very often and has a very different job—see the next section, “Inheritance.” For now, let’s see what all the NTFS permissions are for folders and files.
Here are the standard NTFS permissions for a folder:
• Full Control Enables you to do anything you want
• Modify Enables you to read, write, and delete both files and subfolders
• Read & Execute Enables you to see the contents of the folder and any subfolders as well as run any executable programs or associations in that folder
• List Folder Contents Enables you to see the contents of the folder and any subfolders
• Read Enables you to view a folder’s contents and open any file in the folder
• Write Enables you to write to files and create new files and folders
File permissions are quite similar to folder permissions, with the main difference being the Special Permissions option, which I’ll talk about a bit later in the chapter.
• Full Control Enables you to do anything you want
• Modify Enables you to read, write, and delete the file
• Read & Execute Enables you to open and run the file
• Read Enables you to open the file
• Write Enables you to open and write to the file
Here are a few important points about NTFS permissions:
• You may see the NTFS permissions on a folder or file by accessing the Properties dialog box for that file or folder and opening the Security tab.
• NTFS permissions are assigned both to user accounts and groups, although it’s considered a best practice to assign permissions to groups and then add user accounts to groups instead of adding permissions directly to individual user accounts.
• Permissions are cumulative. If you have Full Control on a folder and only Read permission on a file in the folder, you get Full Control permission on the file.
• Whoever creates a folder or a file has complete control over that folder or file. This is called ownership.
• Administrators do not automatically have complete control over every folder and file. If an administrator wants to access a folder or file they do not have permission to access, they may go through a process called Take Control.
Take some time to think about these permissions. Why would Microsoft create them? Think of situations where you might want to give a group Modify permission. Also, you can assign more than one permission. In many situations, we like to give users both the Read and Write permissions.
NOTE Windows editions for home use have only a limited set of permissions you can assign. As far as folder permissions go, you can assign only one: Make This Folder Private. To see this in action, right-click on a file or folder and select Sharing and Security from the options. Note that you can’t just select Properties and see a Security tab as you can in the professional-oriented editions of Windows. Windows Home editions do not have file-level permissions.
Inheritance is the process of determining the default NTFS permissions any newly introduced files or subfolders contained in a folder receive. Inheritance is a huge issue as we tend to make lots of folder and file changes on a system. We need to let NTFS know what we want it to do when new files and folders suddenly appear (see Figure 14-24).
Figure 14-24 What permissions do I get?
The base rule of Windows inheritance is that any new files or folders placed into a folder automatically get all the NTFS permissions of the parent folder. So if, for example, you have Read and Execute access to a folder and someone else copies a file to that folder, you will automatically get Read and Execute permissions (see Figure 14-25).
Figure 14-25 Here are your permissions!
All versions of Windows have inheritance turned on by default, which most of the time is a good idea. If you access a folder’s Properties dialog box, click on the Security tab, and then click the Advanced button, you’ll see a little checkbox that says Include inheritable permissions from this object’s parent. If you wanted to turn off inheritance, you would just uncheck this box. Don’t do that. Inheritance is good. Inheritance is expected.
If you look closely at Figure 14-26, you’ll see that there are a number of grayed-out NTFS Allow permissions! That’s how Windows tells you that the permissions here are inherited. Grayed-out checkboxes can’t be changed, so what do you do if you need to make a change here?
Figure 14-26 Inherited permissions
In rare situations you may want to turn off inheritance for a specific folder or file. Instead of shutting down inheritance completely, use the Deny checkbox. Clicking the Deny checkbox for a particular NTFS permission (see Figure 14-27) tells Windows to overrule inheritance and stop that particular NTFS permission.
Figure 14-27 Special permissions
NOTE The Deny checkbox always overrides the NTFS inheritance.
Permission propagation is the process of determining what NTFS permissions are applied to files that are moved or copied into a new folder. Be careful here! You might be tempted to think, given you’ve just learned about inheritance, that any new files/folders copied or moved into a folder would just inherit the folder’s NTFS permissions. This is not always true, and CompTIA wants to make sure you know it. It really depends on two issues: whether the data is being copied or moved, and whether the data is coming from the same volume or a different one. So we need to consider four situations:
• Copying data within one NTFS-based volume
• Moving data within one NTFS-based volume
• Copying data between two NTFS-based volumes
• Moving data between two NTFS-based partitions
Let’s look at our list of four things techs need to know to see what happens when you copy or move an object, such as a file or folder.
1. Copying within a volume creates two copies of the object. The copy of the object in the new location inherits the permissions from that new location. The new copy can have different permissions than the original.
2. Moving within a volume creates one copy of the object. That object retains its permissions, unchanged.
3. Copying from one NTFS volume to another creates two copies of the object. The copy of the object in the new location inherits the permissions from that new location. The new copy can have different permissions than the original.
4. Moving from one NTFS volume to another creates one copy of the object. The object in the new location inherits the permissions from that new location. The newly moved file can have different permissions than the original.
From a tech’s standpoint, you need to be aware of how permissions can change when you move or copy files, and if you’re in doubt about a sensitive file, check it before you sign off to a client (Table 14-1).
Table 14-1 Permission Propagation
EXAM TIP Current versions of Windows refer to groupings of cylinders or transistors on an HDD or SSD as volumes, as you’ll recall from Chapter 10. Earlier versions—and many techs and exams in your near future—refer to such groupings as partitions. Be prepared for either term.
You need local administrative privileges to change almost anything on a Windows machine, such as install updates, change drivers, and install applications; most administrators hate giving out administrative permissions (for obvious reasons). If an administrator does give you administrative permission for a PC and something goes wrong with that system while you’re working on it, you immediately become the primary suspect!
If you’re working on a Windows system administered by someone else, make sure she understands what you are doing and how long you think it will take. Have the administrator create a new account for you that’s a member of the Administrators group. Never ask for the password to a permanent administrator account! That way, you won’t be blamed if anything goes wrong on that system: “Well, I told Janet the password when she installed the new hard drive…maybe she did it!” When you have fixed the system, make sure the administrator deletes the account you used.
This “protect yourself from passwords” attitude applies to areas other than just doing tech support on Windows. PC support folks get lots of passwords, scan cards, keys, and ID tags. New techs tend to get an “I can go anywhere and access anything” attitude, and this is dangerous. I’ve seen many jobs lost and friendships ruined when a backup suddenly disappears or a critical file gets erased. Everybody points to the support tech in these situations. In physical security situations, make other people unlock doors for you. In some cases, I’ve literally asked the administrator or system owner to sit behind me, read a magazine, and be ready to punch in passwords as needed. What you don’t have access to can’t hurt you.
While the CompTIA A+ 902 exam concentrates hard on Windows users, groups, and permissions, this is a good time to consider that Linux and Mac OS X also have their own concepts pertaining to users, groups, and permissions. Let’s take a short jaunt into Linux/Mac OS X users, groups, and permissions. In particular, we’ll take a look at the chmod and chown commands because they are listed as objectives for the CompTIA A+ 902 exam.
NOTE Understanding this section requires some understanding of the Linux command line. You may need to refer to Chapter 16, “Working with the Command-Line Interface,” to practice some of the commands shown here.
Just as in Windows, every file and folder on a Linux/Mac OS X system has permissions. You can easily see this if you go to a Linux terminal and type this command: ls –l. This shows a detailed list of all the files and folders in a particular location. Chapter 16 discusses the ls command in a lot more detail, but this is enough for our present discussion.
Let’s zero in on one line of this output:
In particular, note the string -rwxrwxrwx—each of those letters represents a permission for this file. Ignore the dash at the beginning. That is used to tell us if this listing is a file, directory, or shortcut. What we have left are three groups of rwx. The three groups, in order, stand for:
• Owner Permissions for the owner of this file or folder
• Group Permissions for members of the group for this file or folder
• Everyone Permissions for anyone for this file or folder
The letters r, w, and x represent the following permissions:
• r Read the contents of a file
• w Write or modify a file or folder
• x Execute a file or list the folder contents
Figure 14-28 shows the relationships.
Figure 14-28 Linux file permissions
Let’s look at another example:
• This file is called launch codes. The owner of this file is me. This file is in the users group.
• The owner, mikemyers, has read and write privileges (rw-).
• The group users has read and write privileges (rw-).
• Everyone can read the launch codes (r--). We should probably fix that.
The chown command enables us to change the owner and the group with which a file or folder is associated. The chown command uses the following syntax:
To change the group, use the following syntax:
So to change the owner of launch_codes to m, type
To change the group to mi6, type
If you retype the ls –l command, you would see the following output:
Be aware that the chown command needs superuser privileges (sudo or su). Refer to Chapter 16 for details.
The chmod command is used to change permissions. Sadly, it uses a somewhat nonintuitive numbering system that works as follows:
For example, we can interpret the permissions on
as follows:
• Owner’s permissions are 6: 4+2 (rw-)
• Group’s permissions are 6: 4+2 (rw-)
• Everyone’s permissions are 4: 4 (r--)
The chmod command uses the following syntax to make permission changes:
Using this nomenclature, we can make any permission change we want using only three numbers. The current permissions can be represented by 664. If we want to keep the launch codes out of the wrong hands, we just change the 4 to a 0: 660. To make the change, we use the chmod command as follows:
Windows uses NTFS to make the folders and files in a specific user’s personal folders (Documents, Music, Pictures, and so on) private. In other words, only the user who created those documents can access those documents. Members of the Administrators group can override this behavior, but members of the Users group (standard users) cannot. On a shared Windows machine, you’ll need to take extra steps and actively share resources to make them available to multiple users.
Here’s a scenario. The Snyder family has a computer in the media room that acts as a media server. It has accounts for each family member. The family could be smart and run something that makes sharing music easy, like iTunes, but they stuck with Windows Media Player. Each user needs access to the shared collection of MP3 files.
Windows Vista and 7 make sharing with everyone very simple through the Public libraries for Documents, Music, Pictures, and Videos. Open Windows Explorer and click the down arrow next to one of the Libraries folders; for example, click the down arrow next to Music to see My Music and Public Music (see Figure 14-29). Every user can access anything saved in the Public Music folder.
Figure 14-29 Public Libraries
Windows 8/8.1 versions have the same Libraries as Windows Vista/7, but they are not visible by default. Right-click on some white space in File Explorer and select Show libraries (see Figure 14-30). The Libraries folders show up just fine.
Figure 14-30 Showing libraries in File Explorer on Windows 8.1
Windows 10 does not work this way, and, in fact, all modern versions of Windows give you much more granular options for securely sharing specific folders with specific users.
NOTE Sharing gets more interesting and complicated when you put a computer into a network setting. We’ll cover network sharing and accessing of shared resources in depth in Chapter 21.
So the next obvious question follows: How do you share non-library folders with one or more users on a single computer? The next sections walk through the details.
Probably the easiest part of the whole securely sharing process is the sharing itself. There’s more than one way to do this, so let’s first look at the most tedious way. Select the folder you wish to share, right-click on it, and select Properties | Sharing tab. From here, select Advanced Sharing. Click on the Share this folder checkbox and give the folder a network share name (see Figure 14-31).
Figure 14-31 Advanced Sharing dialog box
Next, click on the Permissions button. By default, all new Windows shares only have Read permission. Here is where you set your share to Full Control, as shown in Figure 14-32. Note that the Change checkbox automatically gets checked. Click OK twice to get back to the Properties folder, and let’s go to step two.
Figure 14-32 Setting the share to Full Control
It’s now time to add users and groups and set their NTFS permissions. Head over to the Security tab. You’ll notice it has two sections: the top section is a list of users and groups that currently have NTFS permissions to that folder, and the bottom section is a list of NTFS permissions for the currently selected users and groups (see Figure 14-33).
Figure 14-33 Folder Security tab
To add a new user or group, click the Edit button. In the Permissions dialog box that opens, you can not only add new users and groups but also remove them and edit existing NTFS permissions (see Figure 14-34).
Figure 14-34 Permissions dialog box
While the method just shown works for all versions of Windows, it’s a tad old fashioned. Windows provides yet another method for sharing that’s less powerful but easier to use. To use this method, pick anything you want to share (even a single file) in Windows Explorer/File Explorer. Then simply right-click on it and select Share (or Share with) | Specific people. This opens the File Sharing dialog box, shown in Figure 14-35, where you can select specific user accounts from a drop-down list.
Figure 14-35 File Sharing dialog box
Once you select a user account, you can then choose what permission level to give to that user. You have two choices: Read and Read/Write (see Figure 14-36). Read simply means the user has read-only permissions. Read/Write gives the user read and write permissions and the permission to delete any file the user contributed to the folder.
Figure 14-36 Permissions options
NOTE If the computer in question is on a Windows domain, the File Sharing dialog box differs such that you can search the network for user accounts in the domain. This makes it easy to share throughout the network. See Chapter 21 for the details.
Before you walk away from a computer, you should check for any unnecessary or unknown (to you) shared folders on the hard drives. This enables you to make the computer as secure as possible for the user. When you look in Windows Explorer/File Explorer, shared folders don’t just jump out at you, especially if they’re buried deep within the file system. A shared C: drive is obvious, but a shared folder all the way down in D:\temp\backup\Simon\secret share would not be obvious, especially if none of the parent folders were shared.
Windows comes with a handy tool for locating all of the shared folders on a computer, regardless of where they reside on the drives. The Computer Management console in the Administrative Tools has a Shared Folders option under System Tools. Under Shared Folders are three options: Shares, Sessions, and Open Files. Select Shares to reveal all of the shared folders (see Figure 14-37).
Figure 14-37 Shared Folders tool in Computer Management
You can double-click on any share to open the Properties dialog box for that folder. At that point, you can make changes to the share—such as users and permissions—just as you would from any other sharing dialog box.
A close look at the screenshot in Figure 14-37 might have left some of you with raised eyebrows and quizzical looks. What kind of share is ADMIN$ or C$?
Every version of Windows since Windows NT comes with several default shares, notably all hard drives—not optical drives or removable devices, such as thumb drives—plus the %systemroot% folder (usually C:\Windows) and a couple of others, depending on the system. These administrative shares give local administrators administrative access to these resources, whether they log on locally or remotely. (In contrast, shares added manually are called local shares.)
Administrative shares are odd ducks. You cannot change the default permissions on them. You can delete them, but Windows will re-create them automatically every time you reboot. They’re hidden, so they don’t appear when you browse a machine over the network, though you can map them by name. Keep the administrator password safe, and these default shares won’t affect the overall security of the computer.
NOTE Administrative shares have been exploited by malware programs, especially because many users who set up their computers never give the administrator account a password. Starting with Windows XP Home, Microsoft changed the remote access permissions for such machines. If you log on to a computer remotely as administrator with no password, you get guest access rather than administrator access. That neatly nips potential exploits in the bud.
The scrambling of data through encryption techniques provides the only true way to secure your data from access by any other user. Administrators can use the Take Ownership permission to seize any file or folder on a computer, even those you don’t actively share. Thus, you need to implement other security measures for that data that needs to be ultra secure. Depending on the version of Windows, you have between zero and three encryptions tools: Windows Home editions have basically no security features. Advanced editions of Windows add a system that can encrypt files and folders called Encrypting File System. Finally, the most advanced editions feature drive encryption through BitLocker.
The professional editions of Windows offer a feature called the Encrypting File System (EFS), an encryption scheme that any user can use to encrypt individual files or folders on a computer.
You can encrypt a file or folder in seconds. Just right-click on the file or folder you want to encrypt and select Properties. In the Properties dialog box for that object, select the General tab and click the Advanced button (see Figure 14-38) to open the Advanced Attributes dialog box. Click the checkbox next to Encrypt contents to secure data (see Figure 14-39). Click OK to close the Advanced Attributes dialog box and then click OK again on the Properties dialog box, and you’ve locked that file or folder from any user account aside from your own.
Figure 14-38 Click the Advanced button on the General tab
Figure 14-39 Selecting encryption
NOTE Encryption is just one possible attribute of a file. You can also make files hidden, read-only, and more, all from a file or folder’s Properties dialog box. You’ll learn more about attributes in Chapter 16.
As long as you maintain the integrity of your password, any data you encrypt by using EFS is secure from prying eyes. That security comes at a potential price, though, and your password is the key. The Windows security database stores the password (securely, not plain text, so no worries there), but that means access to your encrypted files is based on that specific installation of Windows. If you lose your password or an administrator resets your password, you’re locked out of your encrypted files permanently. There’s no recovery. Also, if the computer dies and you try to retrieve your data by installing the hard drive in another system, you’re likewise out of luck. Even if you have an identical user name on the new system, the security ID that defines the user account will differ from what you had on the old system.
NOTE If you use EFS, you simply must have a valid password reset disk in the event of some horrible catastrophe.
And one last caveat. If you copy an encrypted file to a drive formatted as anything but NTFS, you’ll get a prompt saying that the copied file will not be encrypted. If you copy to a drive with NTFS, the encryption stays. The encrypted file—even if on a removable disk—will only be readable on your system with your login.
Windows Ultimate and Enterprise editions, and Windows 8/8.1 Pro, offer full drive encryption through BitLocker Drive Encryption. BitLocker encrypts the whole drive, including every user’s files, so it’s not dependent on any one account. The beauty of BitLocker is that if your hard drive is stolen, such as in the case of a stolen portable computer, all of the data on the hard drive is safe. The thief can’t get access, even if you have a user on that system who failed to secure his or her data through EFS.
BitLocker requires a special Trusted Platform Module (TPM) chip on the motherboard to function. The TPM chip validates on boot that the computer has not changed—that you still have the same operating system installed, for example, and that the computer wasn’t hacked by some malevolent program. The TPM also works in cases where you move the BitLocker drive from one system to another.
If you have a legitimate BitLocker failure (rather than a theft) because of tampering or moving the drive to another system, you need to have a properly created and accessible recovery key or recovery password. The key or password is generally created at the time you enable BitLocker and should be kept somewhere secure, such as a printed copy in a safe or a file on a network server accessible only to administrators.
To enable BitLocker, double-click the BitLocker Drive Encryption icon in the Classic Control Panel, or select Security in Control Panel Home view and then click Turn on BitLocker (see Figure 14-40).
Figure 14-40 Enabling BitLocker Drive Encryption
BitLocker to Go enables you to apply BitLocker encryption to removable drives, like USB-based flash drives. Although it shares a name, BitLocker to Go applies encryption and password protection, but doesn’t require a TPM chip. Still, every little bit counts when it comes to securing data.
As you’ve just seen, users and groups are powerful tools for authenticating users to systems as well as authorizing NTFS permissions, but that’s not where their power ends. There are two more areas where we use users and groups to go beyond logging on to a system or sharing folders and files: security policies and User Account Control. Let’s discuss security policies first and then cover User Account Control.
Security policies are just rules we apply to users and groups to do, well, just about everything but NTFS permissions. Would you like to configure your system so that the Accounting group can only log on between 9 A.M. and 5 P.M.? There’s a security policy for that. How about forcing anyone who logs on to your system to use a password that’s at least eight characters long? There’s a security policy for that as well. Windows provides thousands of preset security policies that you may use simply by turning them on in a utility called Local Security Policy.
All versions of Windows have the Local Security Policy utility. You may access this tool through Control Panel | Administrative Tools | Local Security Policy, but all of us cool kids just open a command line and run secpol.msc. However you choose to access this tool, it will look something like Figure 14-41.
Figure 14-41 Local Security Policy utility
EXAM TIP Local security policies are incredibly powerful—so powerful that one could make a career out of understanding all they can do. We’re covering just enough on the Local Security Policy editor to cover a few basic questions on the CompTIA A+ 220-902 exam.
Local Security Policy has a number of containers that help organize the many types of polices on a typical system. Under each container are subcontainers or preset policies. As an example, let’s set a local security policy that causes user passwords to expire every 30 days—better known as account password expiration or password age. To do this, open up the Account Policies container and then open the Password Policy subcontainer.
Look at the Maximum password age setting. On almost all versions of Windows your local user accounts passwords expire after 42 days. You can easily change this to 30 days just by double-clicking on Maximum password age and adjusting the setting in the Properties dialog box, as shown in Figure 14-42. You can also set the value to 0 and the password will never expire.
Figure 14-42 Local Security Policy editor
NOTE This setting only works for your local user accounts.
When picking the poster child for the “327 Reasons We Hated Vista” list, I’ll bet most folks put Vista’s User Account Control (UAC) at the very top. Vista’s UAC manifested as a pop-up dialog box that seemed to appear every time you tried to do anything on a Windows Vista system (see Figure 14-43).
Figure 14-43 UAC in action. Arrgh!
It’s too bad that UAC got such a bad rap. Not only is UAC an important security update for all versions of Windows, it is also a common feature in both Mac OS X and Linux/Unix. Figure 14-44 shows the equivalent feature on a Mac.
Figure 14-44 UAC equivalent on a Mac
If every other major operating system uses something like UAC, why was Microsoft slammed so hard when they unveiled UAC in Windows Vista? The reason was simple: Windows users are spoiled rotten, and until UAC came along, the vast majority of users had no idea how risky their computing behavior was.
The problem started years ago when Microsoft created NTFS. NTFS uses robust user accounts and enables fine control over how users access files and folders—but at a cost: NTFS in its pure form is somewhat complicated.
User accounts have always been a bit of a challenge. The only account that can truly do anything on a Windows system is the administrator. Sure, you can configure a system with groups and assign NTFS permissions to those groups—and this is commonly done on large networks with a full-time IT staff—but what about small offices and home networks? These users almost never have the skill sets to deal with the complexities of users and groups, which often results in systems where the user accounts are all assigned administrator privileges by default—and that’s when it gets dangerous (see Figure 14-45).
Figure 14-45 The danger of administrator privileges in the wrong hands!
User Account Control enables users to know when they are about to do something that has serious consequences. Here are some examples of common actions that require administrator privileges:
• Installing and uninstalling applications
• Installing a driver for a device (e.g., a digital camera driver)
• Installing Windows Updates
• Adjusting Windows Firewall settings
• Changing a user’s account type
• Browsing to another user’s directory
Before Vista, Microsoft invented the idea of the Power Users group to give users almost all of the power of an administrator account (to handle most of the situations just described) without actually giving users the full power of the account. Assigning a user to the Power Users group still required someone who knew how to do this, however, so most folks at the small office/home level simply ignored the Power Users group (see Figure 14-46).
Figure 14-46 Power Users group—almost never used at the small office/home level
Clearly, Microsoft needed a better method to prevent people from running programs that they should not run. If users have the correct privileges, however—or the ability to “escalate” their privileges to that of an administrator—then they should be able to do what they need to do as simply as possible. Microsoft needed to make the following changes:
• The idea of using an administrator account for daily use needed to go away.
• Any level of account should be able to do anything as easily as possible.
• If a regular account wants to do something that requires administrator privileges, the user of the regular account will need to enter the administrator password.
• If a user with administrator privileges wants to run something that requires administrator privileges, the user will not have to reenter his or her password, but the user will have to respond to an “Are you sure?”-type dialog box so he or she appreciates the gravity of the action—thus, the infamous UAC dialog box.
NOTE Both Linux and Mac OS X have been using a UAC function for a long time—it’s called sudo. Check it out in Chapter 16.
Sorry, but if you want to talk about UAC, you have to see how it all started with Vista. Since Vista was the first Windows OS with UAC, it has some of the classic “version 1.0” problems. Forgive me for the Vista references, but you need to see the Vista way of UAC to appreciate why it works the way it does in the most modern versions of Windows.
UAC works for both standard user accounts and administrator accounts. If a standard user attempts to do something that requires administrator privileges, he or she sees a UAC dialog box that prompts for the administrator password (see Figure 14-47).
Figure 14-47 Prompting for an administrator password in Vista
If a user with administrator privileges attempts to do something that requires administrator privileges, a simpler UAC dialog box appears, like the one shown in Figure 14-48.
Figure 14-48 Classic UAC prompt
NOTE The official name for the UAC dialog box is the “UAC consent prompt.” When the UAC consent prompt appears in Vista, the rest of the desktop darkens and you cannot take any other action until you respond to the consent prompt.
Interestingly, Vista has not one but four different UAC prompts, depending on the program/feature you wish to run, as outlined in Table 14-2.
Table 14-2 UAC Prompts in Windows Vista
In all versions of windows, blocked programs generate a scary-looking, red-bannered dialog box like the one shown in Figure 14-49. Note you can click OK in Windows Vista (or Close in Windows 7/8/8.1/10) or look at more details (if available).
Figure 14-49 Blocked program
Unverified programs lack any form of certificate to validate. In this case, you get a yellow-bannered dialog box warning you the application is unsigned and giving you two options: allow the program to run (Yes) or not (No). See Figure 14-50 for an example of this.
Figure 14-50 Unverified program
Verified programs aren’t part of the core of Vista and are usually written by third parties. These programs do have valid, verified certificates. You can identify the dialog box by its gray-blue banner (see Figure 14-51).
Figure 14-51 Verified program
Published by Vista programs are written as part of the core of Vista and show up with a teal-bannered dialog box (see Figure 14-52).
Figure 14-52 Published by Vista
UAC uses small shield icons to warn you ahead of time that it will prompt you before certain tasks, as shown in Figure 14-53. Microsoft updated this somewhat redundant feature in subsequent versions of Windows, as you’ll soon see.
Figure 14-53 Shield icons in the Control Panel
UAC gives users running a program an opportunity to consider their actions before they move forward. It’s a good thing, but spoiled Windows users aren’t accustomed to something that makes them consider their actions. As a result, one of the first things everyone learned how to do when Vista came out was to turn off UAC.
You can turn off UAC in a number of ways in Windows. Here are the two most common ways:
1. In the User Accounts Control Panel applet, you’ll see an option to Turn User Account Control on or off (see Figure 14-54). Select this option and uncheck the checkbox to turn UAC off. Check the checkbox to turn it on again.
Figure 14- 54 Turning User Account Control on or off
2. You can also configure UAC from the Tools tab in the System Configuration utility (msconfig); Figure 14-55 shows how to accomplish this in Windows Vista.
Figure 14-55 Disabling UAC in the System Configuration utility
UAC in Windows Vista worked well, but it startled users. Suddenly, users had to deal with UAC, and they didn’t like that. Most users simply turned UAC off and added it to the reasons to not like Windows Vista.
Microsoft may be a huge company, but it still knows how to react when its customers speak out about features they don’t like. Windows 7 unveiled a more refined, less “in-your-face” UAC that makes the feature much easier to use. This is the version of UAC used in all later versions of Windows as well.
Microsoft did some research on why UAC drove users nuts, concluding that the problem wasn’t UAC itself but the “I’m constantly in your face or you can turn me off and you get no help at all” aspect. To make UAC less aggressive, Microsoft introduced four UAC levels. To see these levels, go to the User Accounts applet and select Change User Account Control settings, as shown in Figure 14-56. When you select this option, you see the dialog box in Figure 14-57.
Figure 14-56 Change User Account Control settings option
Figure 14-57 Four levels of UAC
In Figure 14-57, you can see a slider with four levels. The top level (Always notify) means you want UAC to work exactly as it does in Vista, displaying the aggressive consent form every time you do anything that typically requires administrator access. The bottom option (Never notify) turns off UAC. The two levels in the middle are new and are very similar. Both of them do the following:
• Don’t notify me when I make changes.
• Notify me only when programs try to makes changes.
The only difference is in how they show the change. The second-from-top level will display the typical consent form, but only when programs try to make changes. The third-from-top level displays a consent form, but where the normal consent form dims your desktop and doesn’t allow you to do anything but address the form, this consent form just pops up like a normal dialog box.
EXAM TIP Make sure you know what each of the four UAC levels does.
So what’s the difference between a program making a change and you making a change? Take a look at Figure 14-58. In this case, Windows 7 is set to the second-from-top option. A program (the very safe and, judging by the color of the banner, verified) Adobe Download Manager is attempting to install a feature into Internet Explorer. Because this is a program trying to make changes, the UAC consent form appears and darkens the desktop.
Figure 14-58 Darkened UAC
If you lower the UAC to the third-from-top option, you still see a consent form, but now it acts like a typical dialog box, as shown in Figure 14-59.
Figure 14-59 Non-darkened UAC
EXAM TIP The default behavior for UAC in Windows 7 is the second-from-top option, which results in a screen similar to Figure 14-58.
A program such as the Adobe program described earlier is very different from a feature you want to change. Notice the shields, as shown in earlier figures.
Each of these options isn’t a program—each is merely a feature built into Windows. Those shields tell you that clicking the feature next to a shield will require administrator privileges. If you were to pick the Vista-strength UAC option, you’d get a UAC consent prompt when you click one of those features. If you set UAC to any of the three lower settings, however, you’d go straight to that feature without any form of UAC consent prompt. Of course, this isn’t true if you don’t have administrator privileges. If you’re a standard user, you’ll still be prompted for a password, just as in Vista.
Overall, the improvements to UAC in Windows 7 show that it has a place on everyone’s computer. UAC might cause an occasional surprise or irritation, but that one more “Are you sure?” could mean the difference between safe and unsafe computing. So go ahead, turn UAC back on in Windows! It’s well worth the small inconvenience.
1. Which tool or mechanism defines what resources a user may access and what he or she may do with those resources?
A. Authentication through user accounts and passwords
B. Authorization through user accounts and passwords
C. Authentication through NTFS
D. Authorization through NTFS
2. Which is the best password for the user Joy, who has a pet named Fido and a birth date of January 8, 1982?
A. joy1982
B. joylovesfido
C. 1982cutie
D. oddvr88*
3. How can you encrypt an entire drive, including files and folders belonging to other users?
A. EFS
B. User Account Control
C. Administrative Shares
D. BitLocker
4. What feature in Windows 7 opens a consent prompt for standard users to enter administrator credentials to accomplish various tasks reserved for the latter group?
A. User Access Command
B. User Access Control
C. User Account Command
D. User Account Control
5. Which permission enables an administrator to change the ownership of a file without knowing the user account password for that file?
A. Change permission
B. Change Ownership permission
C. Ownership permission
D. Take Ownership permission
6. You copy a file from a folder on a hard drive formatted as NTFS, with permissions set to Read for everyone, to a USB thumb drive formatted as FAT32. What effective permissions does the copy of the file have?
A. Read-only for everyone
B. Full Control for everyone
C. None
D. You can’t copy a file from an NTFS drive to a FAT32 drive.
7. Which of the following commands is used to change file permissions in Linux?
A. chmod
B. chown
C. users
D. pwn
8. Which tool in Windows 8.1 enables you to create a new user account based on a global Microsoft account?
A. User Accounts in Control Panel
B. Users and Groups in Control Panel
C. Settings charm
D. Users charm
9. Which option enables you to share files easily among multiple users on a single Windows 8 system?
A. Place the files in the Public Libraries.
B. Place the files in the Public Shares.
C. Place the files in the EFS folders.
D. You cannot. Windows locks down sharing on a single system.
10. Which of the following file systems enables you to encrypt files, thus making them unviewable by any account but your own?
A. EFS
B. FAT
C. FAT32
D. OSR
1. D. Authorization through NTFS defines resources a user may access and what he or she can do with those resources.
2. D. Of the choices listed, oddvr88* would be the best password; it has a non-alphanumeric character, which makes it more difficult for a hacker to crack.
3. D. BitLocker Drive Encryption enables you to encrypt an entire drive, including files and folders belonging to other users.
4. D. The User Account Control feature in Windows 7 provides a consent prompt for standard users to enter administrator credentials to accomplish various tasks normally reserved for the Administrators group.
5. D. The Take Ownership permission enables an administrator to change the ownership of a file without knowing the user account password for that file.
6. C. The key here is that you are copying from an NTFS hard drive to a FAT32 USB drive. Copying from an NTFS-based partition to a FAT- or FAT32-based partition creates two copies of the object; the copy of the object in the new location has no effective permissions at all.
7. A. The chmod command enables you to change file permissions in Linux.
8. C. The Settings charm in Windows 8.1 enables you to create a new user account based on a global Microsoft account.
9. A. The Public Libraries make it easy to share files among multiple users of a single system.
10. A. The Encrypting File System (EFS) enables you to encrypt files, making them unviewable by any account but your own.
