1212 Ch5.2.-5.5: Computer User Accounts Quiz

Questions and Answers

What is the purpose of a user account on a computer?

To provide antivirus protection

To control internet speed

To identify a specific user and manage access rights (correct)

To store applications

Which type of user account has all rights and permissions on the computer?

Standard account

Guest account

Built-in administrator account (correct)

Microsoft account

What is a primary function of permissions in user accounts?

To control access to files, folders, and printers (correct)

To manage the installation of software

To increase internet connectivity

To define how a user can authenticate

What differentiates a standard account from a guest account?

Standard accounts have broader capabilities than guest accounts

What is the role of a domain controller in user account management?

It stores user accounts and permissions in a central database

What is one key feature of Azure Active Directory?

Provides cloud-based authentication

Which authentication protocols does Azure AD support?

SAML, OpenID, and OAuth 2.0

What does Azure AD DS provide?

Cloud-based managed domain service

What is a primary benefit of using Azure Active Directory?

Centralization of user management

What must organizations define for their privileged accounts?

What constitutes privileged data

Which feature is limited in Azure AD DS?

Group Policy object replication on-premises

What is a recommended practice for securing the built-in administrator account in Windows 10?

Set a strong, complex passphrase

What is the primary function of a domain account in Windows sign-in?

To manage users and groups through Active Directory

Which technology does Windows Defender Credential Guard use to enhance security?

Virtualization-based security

What key hardware feature must be enabled to implement Windows Defender Credential Guard?

Hyper-V

What is the purpose of Kerberos tickets in an Active Directory Domain Service?

To authenticate users and establish sessions with servers

Which of the following is a requirement for implementing Azure Active Directory?

Windows 10 Enterprise or Education edition

What is a critical security vulnerability associated with Kerberos tickets?

They can be exploited if malware accesses the Local Security Authority

What is the main limitation of standard user accounts in Windows?

They cannot change system-wide settings.

What does Azure Active Directory provide that on-premises Active Directory does not?

Cloud-based identity and access management

What is required to create a local user account using Windows Settings app?

Three security questions must be set.

What hardware feature is needed for a CPU to support Windows Defender Credential Guard?

Virtualization extensions

Which group allows complete and unrestricted access to the computer?

Administrators

What is the primary function of a workgroup in a Windows environment?

To share resources in a peer-to-peer manner.

Which of the following is a feature of a Microsoft account in Windows 10?

Provides synchronized access to Microsoft services.

Study Notes

User Accounts Overview

• User accounts control computer usage and identify specific users.
• Logon involves authenticating with a user account name and password.
• Windows rights dictate user actions (e.g., modifying settings), while permissions govern access to files, folders, and printers.

Account Types

• Built-in Administrator Account: Hidden account with full access to rights and permissions; doesn't appear on the login screen.
• User Account with Administrative Privileges: Granted administrative rights but typically used by non-default accounts.
• Standard Account: Basic account allowing internet browsing, software use, and file access, but lacking administrative powers.
• Guest Account: Limited capabilities; mainly for viewing files and running programs. Automatically disabled in Windows XP and later for security.
• Microsoft Account: Free account for accessing Microsoft services, requiring a valid email for setup and allowing sync across devices.

User Groups

• Users and groups are stored in three locations: Local accounts on individual computers, Domain accounts in Active Directory, and Online accounts by Microsoft.
• Default groups created in Windows include:
  • Administrators: Unlimited access to the computer and all system rights.
  • Power Users: Legacy group with limited administrative capabilities; not recommended for current use.
  • Users: Can use the system but lack admin privileges; cannot install drivers without prior installation.
  • Guests: Limited rights but can shut down the system.

Local User Accounts

• Local accounts created for signing into and accessing Windows devices.
• Administrator: Full system control, including installing applications and changing global settings.
• Standard User: Can use applications but cannot install them; settings change is restricted.
• Local accounts can be created via Windows Settings or Computer Management.

Workgroup Membership

• A workgroup allows resource sharing in peer-to-peer networking, suitable for small groups (2-8 computers).
• Offers sign-in security; requires user account creation on each remote system.
• Computers default to the "Workgroup" name unless changed in System Configuration.

Microsoft Account Sign In

• Preferred login method for Windows 10, enabling access to Microsoft services.
• Allows syncing of user settings across multiple devices using various identifiers (email or phone).

Domain Account Sign In

• Domain accounts managed centrally via Active Directory, enabling streamlined user and group management.

Azure Active Directory Account Sign In

• Cloud-based identity and access management service.
• Users can access both internal (corporate) and external (cloud applications) resources.

Windows Credential System

• Utilizes Kerberos tickets for user session validation, creating potential security vulnerabilities if malware accesses stored tickets.

Windows Defender Credential Guard

• Employs virtualization-based security (VBS) to protect sensitive user authentication credentials in the Local Security Authority (LSA).
• Requires specific system configurations, including 64-bit Windows 10 versions and Hyper-V.

Azure Active Directory Features

• Provides cloud-based authentication and user management with increased security.
• Supports single sign-on across multiple services and applications, minimizing credential management workloads.

Privileged Accounts

• Accounts with access to sensitive data (e.g., credit card info, health records).
• Organizations must define what constitutes a privileged user, often including built-in administrators and uniquely named local admin accounts.
• Securing privileged accounts involves practices like disabling or renaming accounts and setting strong passwords.### Privileged Accounts Management
• Strong, complex passwords are essential for securing shared accounts among network administrators.
• Close monitoring of privileged accounts includes tracking user access, access rights, and frequency of access requests.
• Emergency accounts (firecall/breakglass accounts) can grant temporary administrative access; restoring original access rights post-emergency is critical.
• Service accounts facilitate application or service interactions with Windows systems but cannot log in independently, holding high-level access.
• Changing service account passwords can disrupt critical services due to their high-level permissions and static nature.
• Application accounts are used for specific functions, often storing passwords in easily accessible configurations, posing a security risk.

Consequences of Compromised Privileged Accounts

• Data theft is a top threat, enabling attackers to sell or misuse sensitive information such as health data, login credentials, financial records, trade secrets, and personally identifiable information (PII).
• Ransomware attacks can lock all data, with two types: commodity ransomware (often spread via phishing) and human-operated ransomware (targeted access to exploit vulnerabilities).
• Maintained access attacks allow intruders to create legitimate accounts for continued network access, complicating detection.

Securing Privileged Accounts

• Traditional trust-by-default security is insufficient; a zero-trust model limits access based on strict, need-based protocols.
• Key principles of zero-trust include explicit verification, least privileged access, and assuming breaches to enhance security.
• Security policies should encompass six foundational elements, focusing on identity verification, endpoint security, application control, data protection, and network segmentation.

Digital Certificates and Authentication

• Digital certificates authenticate users and devices on local networks, utilizing asymmetric encryption and public key cryptography.
• The certificate process begins with a certificate signing request (CSR), requiring detailed organizational information for validation.
• A reputable Certificate Authority (CA) issues certificates, with the possibility of Third-Party Registration Authorities (RAs) aiding in validation.
• Invalidated certificates are added to Certificate Revocation Lists (CRLs) or managed via the Online Certificate Status Protocol (OCSP) for real-time validity checks.

Managing Certificates on Windows

• Two primary methods for managing certificates in Windows 10 are using the Microsoft Management Console (MMC) for viewing and handling certificates, or the Certificate Manager tool for local or current user certificates.

Description

Test your knowledge on user accounts in computing! This quiz covers the purpose and types of user accounts, including standard and guest accounts, as well as the concept of permissions and the role of domain controllers in user account management.