Chapter 4. Configure access to resources

Users need access to resources, including but not limited to files, folders, network shares, and printers. Your job, at times at least, is to let those users access what they need, and nothing more. That’s how you keep resources secure and data in the right hands. This objective covers all aspects of this, from configuring shared resources to configuring file and folder (and printer) access, and on to configuring authentication and authorization for both workgroups and domains.

Objectives in this chapter:

Objective 4.1: Configure shared resources

There are multiple objectives in this lesson, and they all relate to how to share and manage resources on local networks. Here you’ll learn about homegroups, folder permissions, libraries, shared printers, and even SkyDrive. Regarding sharing, there are three ways to share discussed here: homegroup sharing, folder sharing, and public folder sharing. Folder sharing can be used in domain networks, too, although the way you handle it is a little different from simply sharing a few folders on a small, local network and letting users manage them as they like. (In an Active Directory Domain Services domain, network administrators manage authentication, authorization, and all aspects of sharing from the various servers they manage on the network.) SkyDrive can also be considered a sharing tool, although users might only use it to share data with themselves to have access to their files from anywhere.

This objective covers how to:

  • Configure HomeGroup settings

  • Configure shared folder permissions

  • Configure file libraries

  • Configure shared printers

  • Set up and configure SkyDrive

Note

The name SkyDrive is changing to OneDrive and at some point the exam will also make the terminology change.

A homegroup lets home users easily share documents, printers, and media with others on their private, local network. This is the simplest kind of sharing, but it is limited in what permissions and restrictions can be placed on the data shared. By default, all users who join a homegroup (and there can be only one homegroup per network) have read-only access to what’s already shared. Users can reconfigure this, though, allowing both read and write access if desired.

When opting for a homegroup, users can do the following:

Exam Tip

There are reasons why a homegroup can’t be created or enabled, and one is that IPv6 isn’t enabled on a particular computer on the network.

Although we could spend a few pages walking you through how to create and join a homegroup, because it’s done with a wizard, that isn’t really necessary. However, you should create a homegroup on your own local network to see how it’s done and let other computers join it so that you are familiar with the process. Note that users might already be joined to a homegroup, as Windows detects existing homegroups automatically during setup. Figure 4-1 shows a computer that is connected to a private network and has joined a homegroup.

Create, join, or view homegroup status from the Network And Sharing Center.
Figure 4-1. Create, join, or view homegroup status from the Network And Sharing Center.

Once a homegroup is configured, users can share data with the homegroup from File Explorer on the Share tab (among other places). Note the Stop Sharing option for the selected folder, shown in Figure 4-2, and the option to allow the entire homegroup to view or view and edit the selected data. You can see here that a specific user, , also has an option.

In File Explorer, use the Share tab to choose how to share selected data with homegroup participants.
Figure 4-2. In File Explorer, use the Share tab to choose how to share selected data with homegroup participants.

If you don’t want to share the data with everyone in the homegroup, you can opt to share it with only specific people. You can also set different permissions for the people you choose. This is a very simple way to share data, and it will work on small home networks but not too many other places. To do this, follow these steps:

  1. Open File Explorer and select any folder.

  2. Right-click the folder and from the shortcut menu, point to Share With, and then click Specific People.

  3. In the File Sharing window, click Homegroup and click Remove. See Figure 4-3.

    Remove Homegroup from the sharing list to set up sharing with only specific people.
    Figure 4-3. Remove Homegroup from the sharing list to set up sharing with only specific people.

  4. Click the down arrow to the left of the Add option, and select the person to add. Then click Add to complete the task.

  5. With that done, click the arrow beside the person you just added and choose Read or Read/Write.

  6. Repeat to add other network users, as desired.

There are two folder sharing options to discuss here: Public folder sharing and what we refer to as Any folder sharing. Any folder sharing is the more complex of the two and offers more options than Public folder sharing. You can also share from a command line, from a Microsoft Management Console (MMC), and using Windows PowerShell.

As you might guess, Public folder sharing involves the Public folders. There are several, including Public Documents, Public Music, Public Pictures, and Public Videos, and you can create your own. To use this kind of sharing you have to move the data to share to the applicable Public folder. (You could copy it, but this complicates document versioning and also creates duplicates on the computer.) The upside is that this is a very easy way to make data accessible to users who need it, at least after you’ve moved the data to share. The downside is that you have very little control of the level of sharing to configure.

Everyone with a user account and password on your computer can access the Public folder if Public folder sharing is enabled in this manner. You can make changes to Public Sharing from the Network And Sharing Center, Change Advanced Sharing Settings, and the All Networks option. There are two options:

More Info: Share permissions

Understand that in these sections we are talking about Share permissions. There are three: Read, Change, and Full Control. However, there are also New Technology File System (NTFS) permissions you can configure, which you’ll learn about in Objective 4.2: Configure file and folder access. If both Share and NTFS permissions are applied to a share for a specific user, the least restrictive is calculated for both and then the two results are compared. The final permission applied to the share is the more restrictive of the two. However, Deny always overrides Allow.

Any folder sharing

Any folder sharing has a lot more options than the other types you’ve seen so far. Any folder sharing lets users do the following:

  • Share files from any location in addition to their original location

  • Set different permissions for individual users

  • Protect data in domain networks

  • Protect data in local networks that require more security than the homegroup or public folder option can offer

To get started you must first choose or create a folder to share. Then, you can right-click the folder, click Properties, and click the Sharing tab to display the Properties dialog box shown in Figure 4-4. It’s important to note that if you click Share in the Properties dialog box, you are given the same sharing options you saw earlier for homegroups (Figure 4-3). That’s not where the power in Any folder sharing lies. Instead, click Advanced Sharing to access the Advanced Sharing dialog box, also shown in Figure 4-4.

More Info: Share Characteristics

Share permissions have the following characteristics:

With Any folder sharing you’re in complete control of what is shared and with whom.
Figure 4-4. With Any folder sharing you’re in complete control of what is shared and with whom.

Now you have several options. First, select the Share This Folder check box, which defaults to 20 simultaneous users. Next, click Permissions. Now you have access to the advanced sharing options shown in Figure 4-5. What you’ll likely want to do here is remove Everyone from the list (I’ve done this in Figure 4-5 already) and then add specific users or groups whom you want to have access (I’ve done that, too). The default permission is Read, but you can add Change or Full Control for the selected user or group. You could also opt to deny access, although this is not the generally accepted way to limit access to a share.

Remove the Everyone group and then add specific users or groups and apply permissions for them.
Figure 4-5. Remove the Everyone group and then add specific users or groups and apply permissions for them.

Exam Tip

No matter what share permissions are applied to a group or a user and no matter what combination of permissions one has, Deny always means deny. You might see a long question on an exam that gives lots of information about a user, what groups he is in, and so on, and there might be one lone Deny permission for a share he also has permission to access. If he’s denied access, that’s that. He’s denied access.

Table 4-1 shows the Share permissions and their limitations.

Table 4-1. Share permissions and their limitations

Share Permission

Limitations

Read

Display folder names; display file names, data, and attributes; execute program files; access other folders inside the shared folder

Change

Perform all read actions; create and add files to folders; change and append data to files; change file attributes; delete folders and files

Full Control

Perform all change permissions; change file permissions; take ownership of files

Here are a few more things to know about share permissions:

You don’t have to use the available end-user tools to create and manage sharing. You can share at a command line by using the Shared Folders snap-in inside an MMC and by using Windows PowerShell. Although you might not opt to use these tools for sharing, it’s likely you’ll see questions about them on the exam.

You can share folders at a command prompt. The command you use is net share, often in the form of net share [ShareName] to display information about a share and net share [ShareName=Drive:Path] to specify the path of the directory to be shared. You can also add these parameters:

Exam Tip

To create a share that is invisible to users who browse the network, add a dollar sign ($) to the share name (CTest$, DShare$, and so on).

To share using an MMC, add the Shared Folders snap-in. Click the Shares node in the left pane, right-click in the middle, and click New Share, as shown in Figure 4-6, to start the Create A Shared Folder Wizard. You can also view sessions and open files using the console.

Use an MMC to create and manage a share.
Figure 4-6. Use an MMC to create and manage a share.

You can use Windows PowerShell to create and manage shares. One command you’ll likely use is New-SmbShare followed by the share name and path to the folder to share. (SMB stands for Server Message Block.) There are additional commands for managing shares using Windows PowerShell:

View shares using Windows PowerShell.
Figure 4-7. View shares using Windows PowerShell.

Exam Tip

It’s highly likely you’ll see something on the exam that involves the SmbShare commands.

Windows 8.1 comes with its own library structure that includes libraries for Desktop, Documents, Downloads, Music, Pictures, and Videos. Anything you save to the related folder is available in the library with the same name. This means if you save a file to the Documents folder, you’ll have access to it in the Documents library. The library doesn’t actually hold the files though; it only keeps a record of where the files are stored. By default, libraries only offer access to data in the related personal folder. Libraries do not offer access to the related Public folders or any others, although you can add them if you like. (Note that libraries offered access to the Public folders in Windows 7.) There isn’t that much more to know about libraries except how to create your own libraries and add folders to existing ones.

Note: Show Libraries in File Explorer

To show or hide the Libraries option in the Navigation pane of File Explorer, click the View tab in any applicable window, click Navigation Pane, and in the resulting list, click Show Libraries.

To create your own library, follow these steps:

  1. Open File Explorer, and on the View tab, click Navigation Pane. Click Show Libraries.

  2. Right-click inside the Libraries pane, click New, and then click Library. See Figure 4-8.

    Create a new library.
    Figure 4-8. Create a new library.

  3. Name the library and press Enter.

  4. Double-click the new library and then click Include A Folder.

  5. Double-click the folder to add.

  6. To add more folders, click the Manage tab.

  7. Click Manage Library.

  8. Click Add and navigate to the folder to add.

  9. Select the folder and click Include Folder.

  10. Repeat as desired and click OK.

To add a location to an existing library, in File Explorer, double-click the library to which you’d like to add a folder and then click the Manage tab. From there, click Manage Library and add folders as desired.

If you’ve created a homegroup, your printers are already shared. Both the printer and the computer to which it’s connected must be turned on and ready for a request, but the sharing is done automatically. When a homegroup isn’t used, you have to share the printers manually. You might also have to enable file and print sharing in some instances, including if you’re sharing printers on a public network.

In a workgroup or domain setting, sharing is basically the same. You locate the printer and access the option to share it. You can share the printer with a mix of computers on your network, including x86-based and x64-based PCs. You only need to make sure the applicable drivers are available, and for the most part they are. You’ll likely need administrator approval to install drivers, though, so you need to keep that in mind if you think drivers are going to be an issue.

You can add a printer in Windows 8.1 from the Devices And Printers window, available in Control Panel. There, click Add A Printer and choose it from the list. If the printer you want isn’t listed, you can add it manually, which is likely what you’ll have to do if you have an old printer connected to an LPT port or if you need to add a printer using its TCP/IP address or host name. You can connect a wireless printer from this window, but you can also use the manual option to add a wireless printer if you need to. You can also use this option to type a path to the printer to locate it manually. See Figure 4-9.

Add a printer manually.
Figure 4-9. Add a printer manually.

Table 4-2 shows the basic printer permissions.

Table 4-2. Basic printer permissions

Permission

Limitations/capabilities

Default assignment

Print

Connect to a printer; print; control the user’s own print jobs

Everyone

Manage this printer

Cancel documents; share and delete printers; change printer properties; change printer permissions

Administrators

Manage documents

Pause, resume, restart, and cancel all documents; control job settings for all documents

Creator Owner

To manually share a printer, right-click the device in the Devices And Printers window and then click Printer Properties. From there, use the Sharing tab to share the printer and configure other options. If the computer is a member of an Active Directory domain, you’ll see the List In The Directory check box. Select this check box to create a new printer object in the Active Directory database. This will enable domain users to locate the printer by searching in the directory. In this dialog box you can also opt to add drivers, if necessary.

The other tabs offer additional options, including the option to configure when the computer is available and what types of users have access to the Print permissions: Print, Manage This Printer, Manage Documents, and Special Permissions. In Figure 4-10, you can see that the Everyone group has the ability to print. However, if you click Administrators in the Group Or User Names list, you’ll see that this group has Print, Manage This Printer, and Manage Documents set to Allow. Table 4-2 explains these options. Make sure you are comfortable with all of these graphical options available in Windows 8.1 before moving on.

Note: How to Assign Permissions

When assigning permissions in an Active Directory domain, you assign permissions for domain users, groups, and other objects. On a stand-alone computer, you select the local user and group accounts that should receive the permissions.

Use the printer’s Properties dialog box to share a printer and configure sharing options.
Figure 4-10. Use the printer’s Properties dialog box to share a printer and configure sharing options.

Exam Tip

Near Field Communication (NFC) is a radio-based communications technology (based on radio-frequency identification [RFID] standards) that lets users complete tasks with compatible objects, mostly to complete brief transactions without having to physically connect to the device or the network. In the case of printers, NFC allows mobile devices to submit print jobs to printers, provided compatible technologies exist between the two and the proximity between the devices is acceptable.

Beyond the end-user-friendly options, there are a few terms you need to know about printers and a few features that aren’t obvious to most users.

SkyDrive enables users to store data in the cloud almost seamlessly from their Windows 8.1 computers. SkyDrive is an app on the Start screen and an option on the File Explorer Navigation tab. When data is stored in SkyDrive, users can access that data from virtually any device that has an Internet connection. Users can also share any part of what they’ve stored there with others, allowing them to read or read and edit the data. Users need a Microsoft account and the applicable app or browser to access the data. Users can also access the files locally when a connection isn’t available.

Exam Tip

SkyDrive is a storage area that users can access to save data and manage data they’ve saved there. Be careful when SkyDrive is an answer for any scenario, because it doesn’t do much else for users. As an example, you can’t share, sync, or access apps from SkyDrive; syncing apps is part of the job of the Microsoft account and has nothing to do with SkyDrive.

Users can access SkyDrive in a number of ways:

  • Using a web browser. Browse to http://skydrive.com and log in to access, upload, share, and otherwise manage files and folders. You can also create and edit documents, presentations, notebooks, and so on here.

  • Using the SkyDrive app in Windows. Open the SkyDrive app from the Start screen to access, upload, open, and manage files and to create new folders.

  • Using the SkyDrive app on smartphones. This allows users to view and open files, view recently accessed files, view and access shared files, and upload files. Users can also create new folders and configure a few settings for uploading photos.

  • Through a desktop application. This method allows users to access SkyDrive from an application such as Microsoft Office 2013. See Figure 4-11.

Save to SkyDrive from a desktop application.
Figure 4-11. Save to SkyDrive from a desktop application.

Setting up SkyDrive only involves logging in to the Windows 8.1 computer with a Microsoft account. Windows does the rest. There are some configuration options to look at right away, though. You can configure the option to access all files offline from the Settings charm (click Options) from inside the SkyDrive app. See Figure 4-12. This might be the first thing you’ll want to configure if you have the available SkyDrive space.

The SkyDrive app offers the option to access all of your files offline.
Figure 4-12. The SkyDrive app offers the option to access all of your files offline.

Configuration options are available from PC Settings and on the SkyDrive website. Figure 4-13 shows what’s available in PC Settings. There are four tabs. On the File Storage tab you can buy more storage and configure your documents to save to SkyDrive by default. You can see that I have an enormous amount of space available on SkyDrive. That’s not typical. Make sure you explore all of the settings and options here as time allows.

Exam Tip

Know what can and can’t be saved to SkyDrive. You can save Windows settings, application settings, and some credentials, but you can’t save your Xbox music purchases, apps, or even entire folders (such as your Documents or Pictures folders). You must upload files one at a time, although you can upload compressed folders.

Configure SkyDrive settings from PC Settings in Windows 8.1.
Figure 4-13. Configure SkyDrive settings from PC Settings in Windows 8.1.

Finally, you can configure SkyDrive settings on the SkyDrive website. Once you log in at http://skydrive.com you can click the Tools icon in the top-right corner and click Options. See Figure 4-14. Note the options on the left side:

  • Manage Storage. This allows users to view available storage space and buy more.

  • Upgrade. Use this setting to view storage plans and select one.

  • Office File Formats. This allows users to choose a default format for Office documents: Microsoft Office Open XML Format (.docx, .pptx, .xlsx) or OpenDocumentFormat (.odt, .odp,. ods).

  • People Tagging. Use this option to state how people can tag you on SkyDrive (Your Friends or Just You) and to configure who can add people tags (Your Friends Who Can View Your Photo Album or Don’t Allow Anyone To Add People Tags).

  • Device Settings. Use this option to see all of your devices and the date those devices were last backed up.

Configure settings on the SkyDrive website.
Figure 4-14. Configure settings on the SkyDrive website.

More Info: Learn How to Set up a Microsoft Account

Refer to Objective 4.3: Configure authentication and authorization later in this chapter to learn more about setting up a Microsoft account.

Thought experiment: Configure sharing effectively

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

Your client needs to share files and folders with others in his small business workgroup. He wants to set permissions for specific users so they can access sensitive data when they need to, but he wants to make sure that data can’t be accessed by anyone who is not specifically named. He has a few folders he’s created on his desktop (Accounts, Invoices, and SalesInformation) and others that are not in any default library (HumanResources, TaxInfo).

  1. What type of sharing would you suggest? Why?

  2. When assigning permissions to the folders named here, what should you do with the Everyone group that is given read access by default?

  3. How many simultaneous users can access the data in the shared folder by default?

  4. If you want users to be able to read and edit what’s in a folder but you don’t want them to be able to take ownership of the files in the folder or change the file permissions, what share permission should you assign?

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

Q:

1. Which of the following is true regarding homegroups? (Choose all that apply.)

  1. A wizard is available to set it up, and a homegroup password is automatically generated.

  2. Shares can be configured to allow read or read/write access for all homegroup users, but you cannot configure specific users with specific permissions.

  3. Users can share their default libraries.

  4. Windows XP computers and users can join a homegroup.

  5. Homegroups can be created for public networks.

Q:

2. Which sharing option would you choose if you wanted to share files and folders that reside on your desktop and set permissions for select users and exclude others on a computer that was part of a public network?

  1. Any folder sharing

  2. Public folder sharing

  3. Homegroup sharing

  4. All of the above

Q:

3. You’ve shared a printer and need users to be able to print and control their own print jobs. How do you need to configure the Share permissions?

  1. Select the Share permission for Manage This Printer.

  2. Select the Share permission for Manage Documents.

  3. Select both Manage This Printer and Manage Documents.

  4. Do nothing; these permissions are already configured by default.

Q:

4. With regard to SkyDrive, where do you configure the option to access all of the files you save there offline so they will be available even if the user does not have access to the Internet?

  1. http://skydrive.com from Tools, Options

  2. From the SkyDrive app, from the Settings charm under Options

  3. From PC Settings, from Sync Settings

  4. From File Explorer, by right-clicking SkyDrive in the Navigation pane and selecting Properties

You learned about Share permissions in Objective 4.1: Configure shared resources. These permissions are applied when the operating system is configured with FAT or FAT32 or any time you share a folder on a computer. There are only three shared permissions: Read, Change, and Full Control, which are available on the Sharing tab of the resource’s Properties dialog box. These sharing options don’t offer a lot of control, but they do offer some. Share permissions help you manage access to resources by users over a network, but they offer no security when a user logs on locally.

Because NTFS permissions are so much more robust than Share permissions, when the file system is NTFS, administrators make the most of it. They generally set the Share permissions for Everyone to Full Control and configure the NTFS permissions as desired. You configure NTFS on the Security tab of the resource’s Properties dialog box. Remember, the more restrictive of the two types of permissions is applied to the resource when both exist, so it doesn’t matter that the Share permissions give everyone unlimited access as long as NTFS is configured, too. NTFS also offers the ability to assign disk quotas, encrypt files and folders, and audit object access. These features are not available on FAT or FAT32 drives.

This objective covers how to:

There’s a lot to learn about NTFS permissions, the Windows permission architecture, the differences between basic and advanced permissions, and how permissions are inherited, among other things, and there just isn’t enough room here to discuss all of it. However, we’ll try to cover the most important facts you’ll need to know for the exam and how to apply NTFS permissions to secure a resource.

Exam Tip

Make sure you read and study the additional resources listed on the Microsoft certification webpage for this exam so that you are familiar with the test objectives. Navigate to this page and click Show All to obtain that list of additional resources: http://www.microsoft.com/learning/en-us/exam-70-687.aspx.

There are four kinds of permissions. You already know a little about two: Share and NTFS. There are two others: Registry permissions and Active Directory permissions. You might not ever assign these two types, but they do exist. All of these permissions are independent of one another and can be combined if desired.

Permission terminology and rules

Any element or resource that is protected has an access control list (ACL). This is basically just a list of permissions that have been applied to it. The individual permissions applied are access control entries (ACEs). Every ACE has at least one security principal. A security principal is the user, group, or computer given permissions, along with the permissions that have been configured for it (them). This means that permissions are stored with the resource that is being protected. The permissions are not stored with the user, group, or computer that is granted access. This is why you configure permissions on the Security tab of the element’s Properties dialog box (see Figure 4-15). If you click Edit in the Test Properties dialog box, you gain access to the Permissions For dialog box shown on the right. There you can add or remove users, groups, and so on and apply the applicable NTFS permissions for those new entries.

Configure NTFS permissions from the element’s Properties and Permissions For dialog boxes.
Figure 4-15. Configure NTFS permissions from the element’s Properties and Permissions For dialog boxes.

You can use the basic permissions shown in Figure 4-15 to create very specific access options to a shared resource. You can grant a single user Full Control to a resource and at the same time grant all of the users in the Users group only Read access. You can configure it so that a specific person or persons can’t access the resource at all or so that an entire group, like HomeUsers, can read, write, list folder contents, and read and execute while using the resource, but can’t modify or take ownership of it. The scenarios are almost endless.

If a user is configured permissions to a resource from more than one place, the permissions granted are cumulative. As an example, if Bob is a member of the Users group and the Users group has only the NTFS permission Read, but Bob is also a member of the Sales group and the Sales group has the NTFS permission Modify, then Bob has both Read and Modify permissions. Remember, Share permissions are cumulative and NTFS permissions are cumulative, and if both exist, the more restrictive of the results of these are applied. Deny means deny though; if Deny is assigned to a user from anywhere, that user can’t access the resource.

Exam Tip

Allow permissions are cumulative. Deny permissions override Allow permissions. Explicit permissions take precedence over inherited permissions.

Basic permissions are combinations of advanced permissions. You can see the basic permissions on the Security tab of any NTFS resource’s Properties dialog box, as shown in Figure 4-15 earlier. There are six basic permissions:

  • Full Control. Modify, take ownership, delete items, and perform all other actions listed for the following permissions

  • Modify. Delete the folder, modify the file, delete the file, and perform other actions for Write and Read & Execute

  • Read & Execute. Navigate through folders, run applications, and perform actions for Read and List Folder Contents

  • List Folder Contents. View the names of the files and subfolders in a folder

  • Read. See files and subfolders, read the contents of a file, and view ownership, permissions, and attributes for a file or folder

  • Write. Create new files and subfolders inside a folder, modify folder attributes, view the ownership and permission for a folder or file, modify file attributes, and write over a file

There are 14 advanced permissions, and you can view these by navigating to the Advanced Security Settings For dialog box for any NTFS resource. You should know the names of these advanced permissions, how to find them, and how they protect the element. From this dialog box you can also view the assigned permissions, including Share permissions, and you can view the calculated effective access from the tab with the same name. To open this dialog box and view these settings and options, follow these steps:

  1. Right-click any shared folder and click Properties.

  2. Click the Security tab.

  3. Click Advanced.

  4. Click any permission entry (perhaps Administrators) and click View. See Figure 4-16. (Note the Disable Inheritance button. Keep this location in mind when you read the next section.)

    The Advanced Security Settings dialog box offers a list of security principals and their assigned access.
    Figure 4-16. The Advanced Security Settings dialog box offers a list of security principals and their assigned access.

  5. In the resulting Permissions Entry For dialog box you can view the basic permissions that are assigned to this group.

  6. Click Show Advanced Properties. The list of assigned advanced permissions is displayed, as shown in Figure 4-17.

    View Advanced permissions in the Permission Entry dialog box.
    Figure 4-17. View Advanced permissions in the Permission Entry dialog box.

    Note in Figure 4-17 that you can’t edit the permissions listed for Administrators in this example. However, if you had created your own entry (say the Users group, Sales group, and so on) in the Properties dialog box, you would be able to edit the advanced permissions shown here.

Inheritance

Permissions generally run from top to bottom of any folder hierarchy, so if you grant NTFS Read access to a folder for a group of users and then you create a subfolder there, the same permissions are applied to it for the same group of users. If it didn’t work this way, assigning permissions would be nearly impossible.

There might be times that you need to turn off inheritance for a folder or other element. As shown in Figure 4-16, Disable Inheritance is an option. If you’d rather not disable inheritance but do need to deny access to a specific person or group, you can assign the Deny permission as applicable.

Exam Tip

You can assign contradicting explicit permissions when inheritance causes a problem. As an example, if the entire Sales group is denied access to a folder but a single member of the Sales group should have access to it (perhaps the CFO), you can explicitly assign that one user account the Allow permission for Full Control on the resource. Explicit permissions like these override inherited permissions and thus resolve the problem quite easily.

Sometimes you need to copy or move an NTFS-protected element. When you do, depending on the circumstances, permissions are sometimes retained and sometimes not. In most cases, the resource inherits the NTFS permission assigned to the parent folder.

Here’s how inheritance and move and copy work.

The Icacls.exe command lets you configure basic and advanced permissions from an elevated command line. You can view all of the Icacls.exe parameters on TechNet at http://technet.microsoft.com/en-us/library/cc753525.aspx. You should be ready for exam questions based on this, so it’s a good idea to review it.

Exam Tip

If you lock yourself out of an element you can reset the permissions for it from an elevated command prompt. Navigate to the folder and use the command icacls.exe <file name>/reset along with additional parameters as desired (perhaps /C to ignore errors).

Succinctly, the Icacls.exe command is used as so: icacls.exe <file name> /grant or icacls.exe <file name> /deny with various parameters including but not limited to:

It’s possible to lock everyone out of a resource. The resource is said to be orphaned when this happens. A resource might also be orphaned if the user who originally created it is no longer available to provide access (perhaps to a confidential file or folder). To access the resource, as an administrator you need to take ownership of it. To do this, in the Advanced Security Settings For dialog box, shown earlier in Figure 4-16, click Change. Then you can take ownership of the resource yourself (as an administrator).

Configure disk quotas

Users will keep as much data and use as much server and storage space as you allow. Some users might never delete anything unless you force them to. As a network administrator you must be able to manage this, and you do so by configuring disk quotas.

Once you’ve enabled disk quotas (which you can do only on NTFS volumes, not on FAT volumes) you can also configure what happens when users meet those limits. You might want to give them a warning, or you might want to force them to delete data before they can save more. You configure NTFS disk quotas as follows:

  1. In File Explorer, navigate to the volume to protect with disk quotas.

  2. Right-click the volume and click Properties.

  3. Click the Quota tab; click Show Quota Settings. See Figure 4-18.

  4. Select the Enable Quota Management check box.

  5. Configure the options as desired, including:

    1. Deny Disk Space To Users Exceeding Quota Limit

    2. Limit Disk Space To

    3. Log Event When A User Exceeds Their Quota Limit

    4. Log Event When A User Exceeds Their Warning Level

  6. Click OK and click OK again to apply.

    Set a quota limit and desired action.
    Figure 4-18. Set a quota limit and desired action.

Exam Tip

The command-line tool Fsutil.exe can be used to set quota limits, too. Use the quota and enforce parameters to name the drive to which to apply the quota.

Encryption protects data from unauthorized access when other security measures fail. Much of the time failure has to do with someone gaining physical access to a machine and having the knowledge and time to figure out how to access the data on it. There are many ways this type of breach can occur. However, with Encrypting File System (EFS), the public and private keys that are generated during encryption ensure that only the user that encrypted the file can decrypt it. Technically, encrypted data can only be decrypted if the user’s personal encryption certificate is available, which is generated using the private key. Another user can’t access this key, and neither can a person who tries to access data to copy or move it who does not have the proper credentials.

Exam Tip

The public and private keys that are generated when data is encrypted are the basis of the Windows Public Key Infrastructure (PKI). For more information about PKI, refer to TechNet (search for PKI). Additionally, EFS uses the Advanced Encryption Standard (AES), which uses a 256-bit key algorithm (an industry standard) and can be used to encrypt nonsystem volumes or only selected files and folders.

Here’s a little more information about EFS:

To encrypt a folder, right-click the folder to share then click Properties. In the Properties dialog box, on the General tab, click Advanced. Select the Encrypt Contents To Secure Data check box for the folder, as shown in Figure 4-19. You can use this same Advanced Attributes dialog box to remove encryption if you want to later.

Enable encryption for a folder in the Advanced Attributes dialog box for the item to encrypt.
Figure 4-19. Enable encryption for a folder in the Advanced Attributes dialog box for the item to encrypt.

After you’ve performed your first encryption, you’ll be prompted to back up your file encryption certificate and key. This helps you avoid permanently losing access to the encrypted files if the original certificate and key (that were generated when you encrypted it) are lost or corrupted. If you miss the prompt, you can follow the steps given next to perform the backup, but it’s likely you’ll be prompted to back up the key each time you log on anyway. You can back up your personal certificates manually using the Certificate Manager MMC (you should keep the EFS recovery key stored away from the computer in a safe place).

  1. Use the Windows key+R to open a Run dialog box.

  2. Type certmgr.msc and press Enter.

  3. In the Certmgr window, expand Personal and click Certificates. See Figure 4-20.

  4. Select all of the certificates.

  5. Right-click the selected certificates, click All Tasks, and click Export.

  6. Work through the Certificate Export Wizard, making sure to select Yes, Export The Private Key when prompted and type a complex password when prompted.

Opt to export all selected certificates and work through the resulting wizard to complete the process.
Figure 4-20. Opt to export all selected certificates and work through the resulting wizard to complete the process.

You can use CertMgr to recover your EFS encrypted files, too, by importing your EFS certificate backup. As with exporting certificates, this is achieved using a wizard. To get started, select the Personal folder, click Action, and then click All Tasks. From there, select Import. Work through the prompts to import the required data.

You can use the command line to manage encryption, too. You use Cipher.exe to perform encryption and decryption tasks. You might see this command on the exam. For more information about Cipher, refer to this page on TechNet: http://technet.microsoft.com/en-us/library/cc771346.aspx. Here are a few of the most common parameters used with Cipher:

  • /d. Use this parameter to decrypt specified files and directories.

  • /s:<Directory>. Use this parameter to perform the specified operation on all subdirectories in the specified directory.

  • /c. Use this parameter to display information about an encrypted file.

  • /u. Use this parameter to find all of the encrypted files on the local drives.

  • /? Adding this parameter displays help.

More Info: BitLocker and BitLocker to Go

For information about other types of security, including BitLocker and BitLocker To Go, refer to Chapter 5, and specifically Objective 5.3: Configure security for mobile devices. BitLocker encrypts the entire disk; this is a different type of protection from EFS.

Configure object access auditing

Network administrators often audit events to see which have occurred, often for the purpose of maintaining security on a particular object, such as a secure folder. It can also be a file, printer, or almost any other resource available from a computer. It can even be as small as a Registry key. Most of the time this type of object access auditing is done to see how many attempts have been made to access an object and how many times those attempts failed. All audited events appear in Event Viewer as they are captured.

Administrators can audit specific events, too, such as successful or failed logon attempts. This isn’t object access auditing, but it deserves a mention because the option is part of the Audit Policy options you’ll explore here. Also, it could be that objects are being accessed when they should not be, due to successful logons that aren’t performed by the desired users. (See the Real World example for more information on how this can happen.)

In the following set of steps you enable the option to audit successful logon events. You also enable auditing of failures on objects you specify in the second set of steps here.

To enable auditing for successful logons and object auditing, follow these steps:

  1. Open a Run box and type gpedit.msc. Press Enter.

  2. Navigate to Computer Configuration, Windows Settings, Security Settings.

  3. Expand Local Policies and click Audit Policy.

  4. Double-click any policy to enable auditing for it. Figure 4-21 shows that Audit Account Logon Events is selected.

  5. Select the Success or Failure check box and click OK.

    Audit successful logons for a local computer.
    Figure 4-21. Audit successful logons for a local computer.

  6. Double-click Audit Object Access.

  7. In the Audit Object Access Properties dialog box, select the Failure check box.

  8. Click OK.

The successful logon attempts will appear in Event Viewer with no other configuration. However, to see events for object access you must specify which objects you want to watch for. You enable auditing on an object in its Properties dialog box, on the Security tab. On the Security tab, click Advanced. This opens the Advanced Security Settings For dialog box you used earlier to disable permission inheritance, view permissions, and learn the effective access when multiple permissions are applied. To enable auditing, click the Auditing tab and click Continue. From there you can add the objects to audit. See Figure 4-22.

Configure auditing by adding objects in the Advanced Security Settings For dialog box.
Figure 4-22. Configure auditing by adding objects in the Advanced Security Settings For dialog box.

In the Advanced Security Settings For dialog box, click Add. In the resulting window, click Select A Principal and type the name of the users or groups to be audited. (As an example, you might opt for Users.) Select the auditing option, perhaps Success. Finally, choose an option to which the auditing applies (perhaps This Folder Only) and configure the basic permissions. See Figure 4-23. Click OK and close the open dialog boxes.

Note: Beware of Auditing Sprawl

You can create thousands upon thousands of events in only a few days if you audit too many folders, subfolders, and other objects. Be careful how many objects you audit!

Configure auditing from the Auditing Entry For dialog box.
Figure 4-23. Configure auditing from the Auditing Entry For dialog box.

To view the audited events, open Event Viewer. Because the events will be entered into the Security logs, navigate to Windows Logs and then Security Logs. You’ll see the events listed there. Double-click any event to learn more. See Figure 4-24. (You have to trigger the event to have it appear in the Security log.)

Note: What to do if you don’t see any Events in Event Viewer

If you don’t see any events in Event Viewer after configuring auditing, make sure you’ve defined the group and what you want audited for each resource.

The Event Properties dialog box details the date and time of the audited event.
Figure 4-24. The Event Properties dialog box details the date and time of the audited event.

Exam Tip

If you are asked how to set an alert for an audited event, here is the process. In Event Viewer, right-click the event and click Attach Task To This Event. Use the wizard to choose a task and apply an action. You can opt to send an email, start a program, or display a message. Send an email and display a message are deprecated but are still options. (Deprecated means that the feature still works but is no longer considered the desired option and that Microsoft might remove the feature from future updates or newer products or editions.)

Real World: Auditing and the Overnight Shift

About five years ago a friend of mine worked for a company that had a cleaning crew come in during the night to clean offices, take out the trash, dust shelves, and vacuum floors. The work was acceptable at first, and the cleaning crew of five seemed quite responsible. As time passed, though, the work got sloppy. She knew the crew was arriving at the proper time and that they were there for the required number of hours because the security guard outside confirmed it.

She began to wonder what the cleaning crew was doing during their overnight shift if they weren’t working. She started auditing various events, including logon events for the computers in the main office. She suspected that the staff had figured out how to log on to a computer in the office and were spending time watching online videos, playing games, and so on instead of working. She was right; auditing showed that there were indeed successful logon events for a single computer in the main office during the night hours. The crew had found the user name and password taped to the underside of the keyboard tray and was using the computer during the night when no one was around. The problem was resolved quickly, the staff member was educated, and the cleaning crew was fired.

Thought experiment: Applying disk quotas

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You have several users who keep a large amount of data on a file server and are monopolizing the available storage there. You want to apply disk quotas to keep those users within a reasonable storage limit. All of the other users who access the file server don’t use much space at all, so you’re not worried about restricting their use in any way. You want to be sure that the problematic users never use more storage space than they are allowed; you’re not interested in sending a warning or managing the issue in any other way. They’ve been told on several occasions to delete unnecessary files but have yet to do so.

  1. Where do you go to enable disk quotas?

  2. Besides Enable Quota Management, which other two options should you configure so that users won’t ever exceed their quota limit?

  3. Will these settings affect other users who store data on the volume for which you’ve configured disk quotas?

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

Q:

1. A(n) ________________ is the user, group, or computer that is given NTFS permissions and the permissions that have been configured for it (them).

  1. security principal

  2. access control entry

  3. access control list

  4. element, object, or resource

Q:

2. Which of the following tasks can you perform in an object’s Advanced Security Settings For dialog box? (Choose all that apply.)

  1. Add a new principal, allow or deny access, and set basic permissions

  2. View the Share and NTFS permissions assigned to the object

  3. Enable auditing for the object

  4. View the effective access for a user when multiple permissions are applied

Q:

3. Which command-line tool can you use to encrypt files and folders?

  1. Set-Acl

  2. Icacls.exe

  3. Cipher.exe

  4. You can’t configure encryption from a command line.

Q:

4. What happens if a hacker gains physical access to a machine, compromises the operating system to gain access to encrypted files and folders, and tries to copy those files and folders to a USB drive?

  1. The hacker will be able to copy the files because encryption doesn’t protect against copying data to a USB drive.

  2. There is no way that a hacker could get to any data in this manner as long as encryption is enabled and applied.

  3. The hacker can only copy the files after he removes the encryption attribute from each applicable file and folder.

  4. The hacker will receive an Access Denied message.

Authentication is the process of logging on to a computer, accessing a workgroup or networked computer, or logging on to a domain, which can be achieved using a Microsoft account, local user account, domain account, personal identification number (PIN), password, virtual or physical smart card, or biometrics, among other things. Authorization is what happens after authentication has been achieved; it is what enables authenticated users to access the data and perform the tasks they need to do their job.

In this objective, you learn the various ways users can be authenticated and how to configure user rights, manage credentials, and configure User Account Control (UAC) behavior.

This objective covers how to:

  • Set up and configure a Microsoft account

  • Configure authentication in workgroups and domains

  • Configure virtual smart cards and biometrics

  • Configure user rights

  • Manage credentials and certificates

  • Configure User Account Control behavior

Set up and configure a Microsoft account

The Microsoft account (what used to be called Windows Live ID) is a new way to log on to a computer running Windows 8. This type of account enables users to sync specific settings to the cloud for the purpose of having access to those settings from other computers that they can log on to using that same Microsoft account. With a Microsoft account, users can also access their own cloud space, called SkyDrive. Windows 8.1 comes with a SkyDrive app, and SkyDrive can be accessed from compatible applications, various web browsers, and File Explorer.

Users are prompted to set up a Microsoft account when they first set up their Windows 8 computers. They can opt to do that, or they can decline and create a local account instead. Users might also create a local account if the computer is unable to access the Internet during setup (because they won’t be able to create or confirm the Microsoft account if there is no Internet access). Child accounts can also be created. Users generally opt to create a Microsoft account later even when they start with a local account, because many apps are inaccessible if the user is logged in with a local account. Additionally, users cannot get apps from the Store without a Microsoft account.

Once a Microsoft account is created, the user doesn’t need to be connected to the Internet to log on in subsequent sessions. The account information is saved locally. If an Internet connection isn’t available, the last saved settings will also be applied because they are cached locally as well.

Exam Tip

Use this setting in Security Policy (local or domain) to block the use of Microsoft accounts: Block Microsoft Accounts. This setting is located here: Security Settings, Local Policies, Security Options.

You can switch from a local account to a Microsoft account from PC Settings. You can also create new users there and let them log on later with their own Microsoft account to finalize account creation. A wizard walks you through the process. To get started, in PC Settings, click Accounts. You switch from a local account to a Microsoft account on the Your Account tab, shown in Figure 4-25. You create additional users with the Other Accounts option by clicking Add An Account, also shown in Figure 4-25. Once the account is created you can return here later to change the account type if desired. (Control Panel is still an option for creating accounts, too.)

Add accounts easily in PC Settings.
Figure 4-25. Add accounts easily in PC Settings.

A Microsoft account can be used in a domain if it isn’t restricted through Group Policy. If it’s possible at your place of business, once connected you’ll see the same desktop background, app settings, browser history, and so on that you see on your main computer at home (or in another office). You make the change through PC Settings, from Users. Once there, click Connect Your Microsoft Account and work through the setup process.

Exam Tip

There are various ways to log on to a computer running Windows 8 beyond typing a Microsoft account name or local account name and password. You can also create a four-digit PIN or a Picture password. You can set these up from PC Settings, Accounts, and Sign-in Options. Make sure you know how to do this before taking the exam; you’ll likely be tested on it. Know that there are three gestures for a Picture password: tap, circle, and line.

The weakest link when protecting computers is most often the password applied to the user account. The password could be nonexistent, too short, too simple, or too predictable. In some cases, the user might simply never change it. Often, users create and use the same password for multiple user IDs, too. This is a secondary weak link. If a hacker finds a password for a user’s online bank account, she will try that same password elsewhere, including the user’s computer. To protect authentication in both workgroups and domains, administrators can create local and group policies defining how passwords should be created, how often they can or must be changed, and what happens when a user fails to log on after making the attempt a specific number of times.

In this section we look at the password and account policies available in the Local Security Policy for a stand-alone computer or computers in a workgroup, but the same policies exist in Group Policy Management Console for domains as well.

Because users likely won’t change their password every 30 days or use complex passwords just because you tell them to, administrators can force users to comply with the password policies through group policies. There are six policies that can be configured. To see these policies, open the Local Security Policy MMC. You can do this from a Run dialog box by typing secpol.msc. Expand Account Policies and click Password Policy. No policies are configured by default, but you can set them by double-clicking the policy to change. See Figure 4-26.

Create password policies.
Figure 4-26. Create password policies.

If you’re unsure what a particular policy does if enabled, click the Explain tab, also shown in Figure 4-26. There you can read a fairly lengthy description of the policy that includes the default settings, available parameters, and best practices, among other things. Briefly, these six policies are defined as follows:

If a hacker has enough time and enough information, he might be able to crack a user’s password and gain access to the computer. This can be done manually but is often done with programs designed for this purpose. You can configure Account Lockout policies to prevent this. Like Password policies, you configure Local Security Policy for stand-alone and workgroup computers, and you use Group Policy Management Console for Active Directory domain networks. Figure 4-27 shows the Local Security Policy MMC.

Configure Account Lockout policies in the Local Security Policy MMC.
Figure 4-27. Configure Account Lockout policies in the Local Security Policy MMC.

There are three Account Lockout policies to consider, and in most instances they must be configured together:

User names and passwords are inherently weak ways to protect a computer from unauthorized access. The user is generally the problem, because users can willingly give their password to a person, be tricked into it, or leave their password out on their desks or in a desk drawer. Smart cards can provide better security, especially if used with user names and passwords (or PINs) as part of a multifactor authentication policy (although it’s equally likely a user might give a coworker the card and the PIN willingly so that the coworker can access his workstation). Another option is also available: biometrics. This can be a fingerprint, eye scan, and so on.

A physical smart card often looks like a credit card, and users are expected to keep it with them. The smart card includes a chip that contains the user’s authentication information, which includes a personal certificate. The smart card is inserted into a card reader when the user wants access to the computer (or cash register, kiosk computer, medicine dispensary, and so on). Sometimes users secure their smart card in a wallet or purse, but more often they attach their smart card to a lanyard or smart card holder (which they then attach to a belt loop or article of clothing). Generally, a user knows when a smart card goes missing; in contrast, users don’t know when their passwords have been compromised.

Exam Tip

Windows 8 offers support for the Personal Identity Verification (PIV) standard. This makes it possible for Windows 8.1 to obtain the necessary drivers for PIV smart cards from Windows Update. The operating system also contains its own minidriver if Windows Update is not available.

More Info: There are policies available to manage smart cards

There are settings you can configure in Group Policy Management Console when using physical smart cards in an organization. You can configure these settings to require smart cards and to specify how Windows 8 should respond when the smart card is removed during a computer session. You can see these settings from Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.

Virtual smart cards imitate the functionality of physical smart cards, but they are not physical cards. Instead, they are virtual and use the Trusted Platform Module (TPM) chip available on many newer computers to provide security. This eliminates the need for a card reader. To use virtual smart cards, you must have a personal computer running Windows 8.1 with an installed and fully functional TPM and a network configured to support the use of virtual smart cards.

For a worker in an organization that uses these kinds of virtual smart cards, it’s simply a smart card that is always available on the computer. At login, it shows as a user account and below it are options to sign in with the normal password or PIN. If a user needs to use more than one computer, a new virtual smart card must be issued for that computer. If multiple users share a computer, there are multiple virtual smart cards, one for each.

More Info: Understand virtual smart card technology

For more information, see Understanding and Evaluating Virtual Smart Cards at http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=29076.

At sign in, Windows 8.1 detects whether a smart card reader was installed and if it was used to sign in the last time the computer was used. If a smart card was not installed and the user selects the smart card sign-in icon, the user is prompted to connect a smart card. Additionally, the Smart Card Service runs only when it needs to. The Smart Card Service (scardsvr) automatically starts when the user connects a smart card reader and automatically stops when a user removes a smart card reader and no other smart card reader is connected to the computer.

To configure Windows 8.1 virtual smart cards if you have the required technology and credentials available, follow these steps:

  1. Open an elevated command prompt.

  2. Type tpm.msc.

  3. Verify that a compatible TPM can be found and that it is at least a 1.2 or later. If you receive an error but are sure a compatible module is available, enable it in the system BIOS before continuing.

  4. Close the TPM management console.

  5. At the command prompt, type TpmVscMgr create /name MyVSC /pin default /adminkey random /generate and press Enter. To provide a custom PIN value when creating the virtual smart card, use /pin prompt instead.

Use biometrics

Windows 8.1 includes a component called Windows Biometric Framework. This makes it possible to use a physical characteristic like a fingerprint to identify a user without having to go to the great lengths required to do so in Windows 7 (and earlier versions). It’s important to use this with a secondary authentication method, though, because scanners can fail and it is theoretically possible for the biometric identification method to be compromised. For example, I was able to unlock my smartphone that I configured to use facial recognition using my cat’s face instead of mine. That is an issue with the manufacturer and could be an issue for you, too.

You need to make sure the Biometrics Service is running in the Services console to use the service. You also need to install the biometric hardware, generally a scanner of some sort. Device Manager supports these types of devices, as does Windows Update; there are settings available in Group Policy to manage them (see Figure 4-28) and there is a Biometric Devices item in Control Panel that allows users to control the availability of biometric devices and state whether they can be used to log on to a local computer or domain. You can use a biometric device to grant User Account Control elevation, too.

Configure Group Policy for biometrics.
Figure 4-28. Configure Group Policy for biometrics.

You can find Group Policy settings related to biometrics in the Group Policy Editor under Computer Configuration, Administrative Templates, Windows Components, Biometrics. There you can select from the following options:

More Info: Learn more about biometrics

For more information about biometrics, refer to this article on TechNet: http://technet.microsoft.com/en-us/library/dn308564.aspx.

Local security settings

In the exam for Windows 8, there was an additional entry for Objective 4.2: Configure file and folder access, Local security settings. This was removed for the Windows 8.1 exam update. However, some of the items previously tested are still important to know (and it’s possible you might see remnants of them on this exam). Make sure you understand how to configure Local Security Policy (which we’ve covered in various sections in this book) and how to configure Secure Boot and make the most of the Unified Extensible Firmware Interface (UEFI). Know that a TPM chip is not required to use Secure Boot, but it is required for BitLocker (discussed in Chapter 5). To use Secure Boot, the computer must use the GUID Partition Table structure as well. Also take a look at the SmartScreen filter; this security enhancement protects your computer (and you) from running malicious software unintentionally.

Configure user rights

User rights allow users to perform computer-related tasks, such as changing the system time or the time zone, shutting down a computer, and taking ownership of files, among other things. User rights are preconfigured for the groups available in Windows 8.1, including Users, Administrators, Guests, HomeUsers, Hyper-V Administrators, and so on. (You can view all groups in the Computer Management console under System Tools, Local Users And Groups, Groups.)

You can configure user rights and privileges through the Security Policy console. You can also get a feel for how user rights are assigned already by viewing the entries in the Security Settings pane for a particular policy. Figure 4-29 shows the Local Security Policy console with Change The System Time selected. Note that only the LOCAL SERVICE and Administrators groups can perform this task by default.

View defaults from Security Settings\Local Policies\User Rights Assessment.
Figure 4-29. View defaults from Security Settings\Local Policies\User Rights Assessment.

You can add (or remove) users or groups to any entry in the User Rights Assignment pane. To do so, double-click the entry to change (we’ll chose Deny Access To This Computer From The Network), click Add User Or Group, and then use the Select Users Or Groups dialog box to complete the addition. See Figure 4-30. However, before you do this, remember that administrators generally add users to groups first and then go from there. In the case of user rights, administrators traditionally either add the user who should have the rights to the group that already has those rights assigned or assign user rights to groups they create and then add users to those groups when necessary.

Configure User Rights Assignment in Local Security Policy.
Figure 4-30. Configure User Rights Assignment in Local Security Policy.

Exam Tip

User rights and user permissions are two different things. User rights provide a user the ability to do something. Permissions provide a user the ability to access something. User rights are assigned to users and groups. Permissions are applied to objects like files and folders. User rights can follow a user. Permissions are assigned to users and are generally fixed.

Credentials and certificates help secure the computer in different ways. Credentials are user names and passwords; certificates verify the security of a particular thing, like encrypted files or Internet downloads.

Credentials are user names and passwords. Windows 8.1 comes with Credential Manager to help manage and maintain them. Credential Manager saves the credentials users enter when they use their own computer to access network servers and resources on local networks (Windows Credentials) and can be used to back up and restore them. The user has to select the Remember My Credentials check box when prompted, though, or else the credential won’t be saved. Credential Manager also offers Credential Locker, which saves user names and passwords associated with websites and Windows apps (Web Credentials). It saves all of these in an area called the Windows Vault.

More Info: How credentials are saved

Credentials are saved in encrypted folders on the computer under the user’s profile. Applications that support this feature, such as web browsers and Windows 8 apps, can automatically offer up the correct credentials to other computers and websites during the sign-in process.

If the user name or password has been changed since the last time it was saved and access is unsuccessful, the user is prompted to type the new credentials. When access to the resource or website is successful, Credential Manager and Credential Locker overwrite what was there.

The saved user names and passwords follow the users when they move from one computer to another in a workgroup or homegroup, provided the user logs on with his or her Microsoft account. This feature isn’t enabled on domains, though, for security reasons. You can open Credential Manager from Control Panel. Figure 4-31 shows Credential Manager.

Open Credential Manager and Windows Credentials.
Figure 4-31. Open Credential Manager and Windows Credentials.

Here are a few more things to know about Credential Manager:

Exam Tip

To store a credential at a command line, use the command-line tool cmdkey /add.

Note in Figure 4-31 that options exist to back up and restore credentials, but these options are only available when Windows Credentials is selected. When you click Back Up Credentials you are prompted first to browse to a location to which to save the credentials, name the file (it has a .crd extension), and then press Ctrl+Alt+Del to continue the backup process on the Secure Desktop. There you create a password for the file so that only you can access it.

Exam Tip

It’s important to understand that you can’t back up credentials you’ve saved in your web browser from inside Credential Manager. Those credentials are saved as part of your Microsoft account and are synchronized with it. (Those credentials do roam, provided you’ve logged on with the Microsoft account you used to create them.)

Websites use certificates to verify that the site meets specific requirements for security. Executable files you download from the Internet often have certificates, too, to show they have not been tampered with since their creation. These generally come from verified certificate authorities if they are offerings from valid online entities that you can trust. Windows 8 creates its own certificates, including the self-signed certificates used with EFS, discussed earlier in this chapter. Although the use of certificates is invisible to the end user, you might want to manage them, specifically by backing them up. You might want to migrate them, for instance, or just provide one more tool for backup and recovery.

The only place to perform this particular backup task is from the Certificate Manager MMC. You can open it from a Run dialog box or the Start screen by typing certmgr.msc. You can see this in Figure 4-32. There are a lot of entries, and each represents a specific kind of certificate. Personal Certificates and Trusted Publishers are two of them. Figure 4-32 shows Trusted Root Certification Authorities expanded and Certificates selected. Look closely and you might recognize some of the names: VeriSign, Go Daddy, Microsoft, and Equifax.

The Certificate Manager MMC offers a listing of all the certificates available on the computer.
Figure 4-32. The Certificate Manager MMC offers a listing of all the certificates available on the computer.

To back up a single certificate, right-click the certificate to back up, click All Tasks, and then click Export. Work through the wizard to select the format to use. This is the only way to back up a certificate and have the options shown in Figure 4-33 available. If you select more than one certificate, you’ll have to choose Personal Information Exchange or Microsoft Serialized Certificate Store.

Select certificates to back up one at a time to have access to the three options shown here.
Figure 4-33. Select certificates to back up one at a time to have access to the three options shown here.

More Info: Supported file formats

Certificate import and export operations support four file formats:

You are likely familiar with the User Account Control (UAC) prompt that appears when elevated privileges are required to perform a task. When logged on as a Standard user, the user must input both an Administrator user name and password in the UAC dialog box and click Yes before continuing. When logged on as an Administrator, the user must click Yes or No to continue. When these prompts appear, they appear on a Secure Desktop. Nothing can happen until the proper credentials or answer is input or that task attempt is canceled. Secure Desktop keeps anything from happening behind the scenes while the user decides what to do.

Note: All about tokens

Although Microsoft recommends that users perform their everyday computing tasks using a Standard account, most don’t heed this advice. Because of this, Administrator accounts are given two tokens (one for a Standard user and one for an Administrator user). Tokens define the user’s access level at logon. By default, the Standard user token is used most of the time. Administrators are still prompted when particular activities are attempted.

You might also know how to change the level of UAC in Control Panel using the slider available for that purpose. You can access this from the Action Center by clicking Change User Account Control Settings.

Exam Tip

If you are questioned about how to configure a computer to require elevated privileges for a specific task to be performed, note that the answer probably has to do with the UAC settings.

There’s a lot more to UAC than that, though. One option is to use Local Security Policy to specifically define how UAC is configured. There are too many options to list here, but you can review them in the Local Security Policy window from Local Policies, Security Options. Double-click any User Account Control policy option and click the Explain tab to learn about it. Figure 4-34 shows this, with User Account Control: Behavior Of The Elevation Prompt For Standard Users selected.

Change options for the various UAC policies to suit your environment’s needs.
Figure 4-34. Change options for the various UAC policies to suit your environment’s needs.

Here are a few more things to know about the UAC prompt in Windows 8.1. The elevation prompt color-coding is as follows:

More Info: Learn more about UAC

Learn more about UAC at http://technet.microsoft.com/en-us/library/jj574202.aspx.

Thought experiment: Create a password and Account Lockout policy for a client

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You need to create a password policy for a company that wants to enforce these parameters: passwords must contain uppercase and lowercase letters, numbers, and special characters. Users can attempt to log on 10 times, but after the tenth time, they are locked out from trying to log on again for 15 minutes. Passwords must also be changed once a month.

  1. Which MMC do you use to access these settings?

  2. Which two entries do you need to access in the MMC?

  3. What four entries do you need to enable and configure?

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

Q:

1. How do you block the use of Microsoft accounts on a stand-alone computer that is shared in the workplace? (Choose all that apply.)

  1. In Local Security Policy from Security Settings, Local Policies, Security Options

  2. In Local Group Policy Editor from Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options

  3. In Local Security Policy from Security Settings, Local Policies, User Rights Assignment

  4. In Local Security Policy from Security Settings, Account Policies, Password Policy

Q:

2. Where do you create a PIN or a Picture password?

  1. Control Panel, in User Accounts and Family Safety

  2. Control Panel, in Credential Manager

  3. In PC Settings, under Accounts and the Your Account tab

  4. In PC Settings, under Sign-in Options

  5. In PC Settings, under Other Accounts

Q:

3. Which two Password policies would you configure if you needed to make sure users changed their passwords every 42 days but could not make another password change for at least 21 days? (Choose two.)

  1. Enforce Password History

  2. Minimum Password Age

  3. Maximum Password Age

  4. Minimum Password Length

  5. Maximum Password Length

Q:

4. What makes it possible for Windows 8.1 to obtain the necessary drivers for PIV smart cards from Windows Update?

  1. You must enable the related setting from Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.

  2. The Smart Card Service (scardsvr) makes this possible.

  3. At an elevated command prompt, you must type TpmVscMgr create /name MyVSC /pin default /adminkey random /generate.

  4. The Personal Identity Verification (PIV) standard makes this possible.

Q:

5. Which of the following is a user right?

  1. Allow log on locally

  2. Add workstations to a domain

  3. Change the system time

  4. Create global objects

  5. All of the above

Q:

6. Which command opens the MMC required to back up certifications for the purpose of migrating them to another computer?

  1. Gpedit.msc

  2. SecPol.msc

  3. CertMgr.msc

  4. Services.msc

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

  1. Any folder sharing is best because the client can protect files and folders by specifically configuring access for only those who need it.

  2. You must remove the Everyone group from all of the shares you want to configure.

  3. 20

  4. Read and Change. Do not give Full Control; if you do, the user can do the things listed (change file permissions and take ownership).

  1. Correct answers: A and C

    1. Correct: A wizard does walk you through the process of creating or joining a homegroup, and a password is generated for you.

    2. Incorrect: You can reconfigure shares to include specific permissions for people you select.

    3. Correct: Users can share their default libraries.

    4. Incorrect: Homegroups can only be configured with Windows 7 and Windows 8–based computers.

  2. Correct answer: A

    1. Correct: Any folder sharing offers these features.

    2. Incorrect: You’d have to move the data from the desktop to the applicable Public folder. Also, you could not have the control needed for this scenario.

    3. Incorrect: You can’t configure a homegroup on a public network, only on a private network.

    4. Incorrect: Any folder sharing is the correct answer.

  3. Correct answer: D

    1. Incorrect: Only the Print permission is required.

    2. Incorrect: Only the Print permission is required.

    3. Incorrect: Only the Print permission is required.

    4. Correct: When you share a printer, the Everyone group has the Print permission so nothing else needs to be done.

  4. Correct answer: B

    1. Incorrect: You must configure this from your Windows 8.1 computer, not from the website.

    2. Correct: This is where you configure this setting.

    3. Incorrect: Although you can configure many options here, the option in this question isn’t one of them.

    4. Incorrect: This does not offer the desired option.

  1. The Properties dialog box for the storage volume, on the Quota tab

  2. Deny Disk Space To Users Exceeding Quota Limit and Limit Disk Space To

  3. Probably not. As stated in the scenario, the other users don’t use much storage space. The only time this would become an issue is if one of those users suddenly needed more space.

  1. Correct answer: A

    1. Correct: A security principal is the user, group, or computer given permissions and the permissions that have been configured for it (them).

    2. Incorrect: Any element or resource that is protected has an access control list (ACL). This is basically a list of permissions that have been applied to it.

    3. Incorrect: The NTFS permissions in the ACL are access control entries (ACEs). Every ACE has at least one security principal.

    4. Incorrect: An element, object, or resource is what is being protected.

  2. Correct answers: A, B, C, and D

    1. Correct: This is a valid task that can be performed here.

    2. Correct: This is a valid task that can be performed here.

    3. Correct: This is a valid task that can be performed here.

    4. Correct: This is a valid task that can be performed here.

  3. Correct answer: C

    1. Incorrect: Set-Acl is a command, but it is used to set the NTFS ACL for a specified resource.

    2. Incorrect: Icacls.exe is used to apply permissions at a command line.

    3. Correct: Cipher is the proper command-line tool.

    4. Incorrect: You can configure encryption from a command line.

  4. Correct answer: D

    1. Incorrect: Encryption does protect against copy commands.

    2. Incorrect: A hacker can get to data in any number of ways, even if the data is encrypted.

    3. Incorrect: A hacker can’t remove the encryption attribute.

    4. Correct: An Access Denied message will appear.

  1. You can use Security Policy or Group Policy Management Console consoles.

  2. Password policy and Account Lockout policy

  3. To do the following:

  1. Correct answers: A and B

    1. Correct: You can access this policy from the Local Security Policy MMC.

    2. Correct: You can access this policy from the Local Group Policy Editor MMC from Local Policies\Security Options.

    3. Incorrect: This is not a valid path to the desired policy. User rights do not offer this option.

    4. Incorrect: This is not a valid path to the desired policy. Password policy can’t be set to exclude Microsoft accounts.

  2. Correct answer: D

    1. Incorrect: You can create accounts, change account types, remove user accounts, set up family safety, and more, but you cannot create a PIN or Picture password here.

    2. Incorrect: You use Credential Manager to manage and maintain Windows and Web credentials.

    3. Incorrect: You cannot make the desired change here.

    4. Correct: This is where you create a PIN or Picture password.

    5. Incorrect: This is where you create additional accounts or configure them.

  3. Correct answers: B and C

    1. Incorrect: This keeps users from reusing passwords they’ve previously created.

    2. Correct: This requires users to keep their password for a certain amount of time; in this instance, 21 days.

    3. Correct: This requires users to change their password after a specific amount of time has passed; in this case, 42 days.

    4. Incorrect: Length has to do with how many characters a password contains and not with a length of time.

    5. Incorrect: Length has to do with how many characters a password contains and not with a length of time.

  4. Correct answer: D

    1. Incorrect: This is where you configure policies for smart cards, but you do not have to enable any setting for the scenario stated.

    2. Incorrect: The Smart Card Service (scardsvr) automatically starts when the user connects a smart card reader and automatically stops when the user removes a smart card reader and no other smart card reader is connected to the computer.

    3. Incorrect: This is the command to configure a new virtual smart card.

    4. Correct: This standard makes the scenario possible.

  5. Correct answer: E

    1. Incorrect: All of the items are correct, so E is the correct answer.

    2. Incorrect: All of the items are correct, so E is the correct answer.

    3. Incorrect: All of the items are correct, so E is the correct answer.

    4. Incorrect: All of the items are correct, so E is the correct answer.

    5. Correct: All of the entries are user rights.

  6. Correct answer: C

    1. Incorrect: This opens the Group Policy Editor.

    2. Incorrect: This opens the Security Policy console.

    3. Correct: This opens the Certificate Manager console.

    4. Incorrect: This opens the Services console.