Windows Authentication and Authorization

Questions and Answers

What is the primary function of authentication in computer security?

  • To prevent unauthorized access
  • To determine what users can do on the system
  • To prove an individual's identity (correct)
  • To assign passwords to user accounts

In a Windows domain, what is responsible for handling authentication?

  • Active Directory (AD) (correct)
  • Windows Defender
  • Windows Firewall
  • User Account Control (UAC)

What does authorization determine in a system?

  • The speed of the network
  • The type of antivirus software to use
  • The level of security required
  • What an individual can do in the system after authentication (correct)

Which of the following is advisable when creating user accounts?

  • Assigning a password to each account and allowing users to change them

What is the role of Active Directory (AD) in a Windows domain?

  • To handle authentication of users

Which of the following is a criterion for creating a strong password?

  • Use 16 or more characters

Which of the following is NOT advisable when creating a strong password?

  • Using consecutive letters or numbers

Which of these is a recommended element to include in a strong password?

  • At least one symbol

Which practice should be avoided when creating a strong password?

  • Using adjacent keyboard keys

What is one of the criteria for creating a strong password?

  • Combining letters, numbers, and symbols

Which tool works in Active Directory (AD) on a Windows domain to control the privileges of computers and users?

  • Group Policy

What is the primary function of the Local Security Policy (secpol.msc)?

  • To apply Windows security settings to the local computer

Which tool contains a subset of policies in Local Group Policy that specifically apply to Windows security settings?

  • Local Security Policy

Which editions of Windows provide access to Local Group Policy and Local Security Policy editors?

  • Business and Professional

What is the main difference between Group Policy and Local Group Policy?

  • Group Policy works domain-wide in AD; Local Group Policy applies only to the local computer or user

Which editor includes a broader set of policies for managing security and settings?

  • Local Group Policy editor

What is the primary function of the Local Security Policy editor?

  • To edit a subset of policies available in the Local Group Policy editor

In which scenario would you use the Local Security Policy editor instead of the Local Group Policy editor?

  • When modifying a limited set of security policies

Which of the following is NOT a function of the Local Group Policy editor?

  • Handling Active Directory user accounts

What does Figure 7-2 illustrate about the relationship between the Local Group Policy editor and the Local Security Policy editor?

  • The Local Security Policy editor contains a subset of policies from the Local Group Policy editor

What is the purpose of the Credential Manager applet in Control Panel?

  • To manage user credentials

Which of the following credentials can be managed using the Credential Manager?

  • Web credentials

What can be edited or deleted in the Windows Credentials section of Credential Manager?

  • Windows user names, passwords, and digital certificates

Which of the following actions can be performed with credentials for accessing websites using Credential Manager?

  • Edit user name and password

Where can you find the Credential Manager applet in a Windows system?

  • Control Panel

Which password is specifically required to change the BIOS/UEFI setup?

  • Supervisor password

What is the primary function of the drive lock password in BIOS/UEFI firmware?

  • To control access to the hard drive

Where is the drive lock password stored?

  • On the hard drive

Which BIOS/UEFI password is required to use the system?

  • User password

What happens to the drive lock password if the hard drive is removed?

  • It remains effective

Which key can be pressed to open the Internet Explorer menu bar?

  • Alt

What should you look for in the browser address box to confirm that HTTPS is being used?

  • A padlock icon and https

Which tool can be used to disable Internet Explorer?

  • Programs and Features, Turn Windows features on or off

Which of the following can you try if you have a problem with Internet Explorer 11?

  • Installing Windows updates

Which version of Internet Explorer comes with Windows 10/8/7?

  • Internet Explorer 11

Which option in the Delete Browsing History settings allows you to keep cookies and temporary Internet files from your favorite websites?

  • Preserve Favorites website data

What is stored in the Temporary Internet files and website files option?

  • Copies of webpages, images, and media for faster viewing

Which setting should you delete if you want to clear the list of websites you have visited?

  • History

What type of data is stored under the 'Form data' option?

  • Information typed into forms

Which option specifically stores passwords to automatically fill in when signing into websites?

  • Passwords

Tracking Protection in Internet Explorer helps to:

  • Reduce the risk of automatic sharing of visit details by some websites

Which tab would you use to change the home page in Internet Explorer?

  • General tab

Where can you block cookies that might invade your privacy?

  • Privacy tab

Which tab is used for configuring proxy server settings in Internet Explorer?

  • Connections tab

Add-ons in Internet Explorer are managed through which tab?

  • Programs tab

If you need to access miscellaneous settings to control Internet Explorer, which tab would you use?

  • Advanced tab

Which file system is required for using Windows Encrypted File System (EFS)?

  • NTFS

How is the encryption status of files and folders visually represented in Windows Explorer?

  • Green text

What happens to an encrypted file if it is moved to an unencrypted folder?

  • It remains encrypted

Which editions of Windows support Windows Encrypted File System (EFS)?

  • Professional

What are the steps to encrypt a file or folder using EFS?

  • Right-click it, open Properties, click General tab, check Encrypt in Advanced Attributes

What component on the motherboard holds the BitLocker encryption key during computer authentication?

  • TPM

Which method of BitLocker authentication requires a USB drive?

  • User authentication

What is required during every startup in the Computer and User Authentication method?

  • A PIN or password

What is BitLocker primarily designed to encrypt?

  • The entire Windows volume and other volumes on the drive

What happens if a hard drive encrypted with BitLocker is stolen and the startup key is not available?

  • The data remains unreadable

What is one of the risks associated with using BitLocker?

  • TPM failure

What should you do to mitigate the risks when using BitLocker?

  • Store an extra copy of the startup key and/or password in a safe location

Where do you enable the TPM chip to start BitLocker Drive Encryption?

  • BIOS/UEFI setup

When is it advisable to use BitLocker?

  • When the benefit of encrypting data exceeds the risk of losing the BitLocker key

What is the first step in starting BitLocker Drive Encryption?

  • Enabling the TPM chip in BIOS/UEFI setup

What type of firewall is a router considered to be?

  • Hardware firewall

Which type of firewall might a large corporation use?

  • Corporate firewall

What is another name for a personal firewall?

  • Host firewall

What is Windows Firewall?

  • A personal firewall

What happens to Windows Firewall when you set up a new network connection?

  • It is automatically configured

What is one method of managing shared resources?

  • Assigning permissions to user accounts

In the context of folder and file management, what is assigned to control access?

  • User permissions

What else, besides user accounts, can be assigned permissions to manage shared resources?

  • Folders, files, and printers

Which of the following is a direct way to control access to shared folders?

  • Assigning permissions to folders, files, and printers

Which process involves assigning specific rights to users for accessing shared resources?

  • Permission assignment

What does the principle of least privilege entail?

  • Assigning computer users only the rights required to perform their job

How can privileges be altered after a user account is created?

  • By changing the user groups the account belongs to

Which tool can be used to create user accounts?

  • User Accounts applet in Control Panel

Where else can user accounts be managed apart from the User Accounts applet in Control Panel?

  • Local Users and Groups utility in the Computer Management console

When are rights or privileges for a user account first established?

  • When an account is created

Which console is used to create a user account in Windows?

  • Computer Management console

Which user account type in Windows has administrative privileges?

  • Administrator account

What is the first step to create a user account using Computer Management console?

  • Open the Computer Management console

Where do you right-click to add a new user in the Computer Management console?

  • Users

What must be done after entering the information for a new user in the Computer Management console?

  • Click Create

Which user group has limited privileges and gets a temporary profile that is deleted upon logoff?

  • Guests group

Which user group is retained in Windows 10/8/7 primarily for backward compatibility?

  • Power Users group

Which user group in older editions could install apps and perform limited administrator tasks?

  • Power Users group

What is a characteristic of the Guests group in built-in user groups?

  • Given a temporary profile that is deleted when user logs off

Which of the following describes the Power Users group?

  • Can read from and write to parts of the system and perform limited administrator tasks

Which user group includes all user accounts except the Guest account?

  • Authenticated Users group

What is the key advantage of using customized user groups?

  • Simplifies permission management for multiple users

In which console can custom user groups be created in business editions of Windows?

  • Management Console

Which group includes both the Authenticated Users group and the Guest account?

  • Everyone group

Who do anonymous users refer to?

  • Users who have not been authenticated on a remote computer

Which folder is recommended for placing data that all users can share?

  • C:\Users\Public

What is the primary benefit of workgroup sharing?

  • Offers better security than a homegroup

Where should private data for individual users be stored?

  • C:\Users folder for that user

Who manages security if a computer belongs to a domain?

  • Network administrator

Which practice offers the best security for shared data?

  • Creating a separate folder with assigned permissions

Which type of permissions in Windows only apply to network users and not to local users?

  • Share permissions

What types of permissions apply to both folders and individual files?

  • NTFS permissions

Where can NTFS permissions be configured in Windows?

  • Security tab in the Properties box

Which permissions apply to a folder and its contents but not to individual files?

  • Share permissions

On what type of volume do NTFS permissions work?

  • NTFS volumes

What happens to an object's permissions when it is moved to a different folder on the same volume?

  • The object retains its permissions from the original folder

If an object is copied to a new folder, what permissions does it inherit?

  • Permissions from the destination folder

How are conflicting NTFS permissions resolved?

  • The more liberal permission applies

What describes inherited permissions?

  • Permissions that come from a parent object

Which principle applies when both share and NTFS permissions are used?

  • The most restrictive permission applies

What is the main purpose of using the gpresult command?

  • To pull a list of all the groups a user belongs to

When troubleshooting Group Policy problems, which command can provide useful user group information?

  • gpresult

Which command retrieves information on a user other than the one signed in?

  • gpresult /scope user /user username /r

Which type of information does the gpresult command provide?

  • User group memberships

What can the information retrieved by gpresult help troubleshoot?

  • User group issues

What does the /r parameter in the gpresult command accomplish?

  • Requests a summary of the information

What is the function of the /v switch when using the gpresult tool?

  • Requests verbose output

Which command would you use to retrieve a summary of Group Policy results for a user named 'admin'?

  • gpresult /r /user admin

Which parameter would be used with gpresult to avoid excessive detail in the output?

  • /r

What is displayed in Figure 7-32?

  • Summary of gpresult information

Which tab do you select in the Properties box to access Advanced Sharing?

  • Sharing

What is the first action to perform when setting up share permissions for a folder?

  • Open the Properties box for the folder

After selecting the user account or user group, which button must you click to proceed?

  • OK

Which box appears after clicking Add in the Permissions settings?

  • Select Users or Groups

What should you do to remove the Everyone group from the Permissions box?

  • Select it and click Remove

Where can you find the option to use advanced permissions settings?

  • Security tab of a folder's Properties box

What happens to the permissions of subfolders by default?

  • They inherit the permissions of the parent folder

Which tab in the Advanced Security Settings box allows you to check effective permissions?

  • Effective Permissions

Why would you use advanced permissions settings?

  • To gain further control over user or group permissions

What should you do if you have problems accessing a shared resource?

  • Follow the troubleshooting steps outlined in the resource

What is a benefit of using only one workgroup for managing shared folders and files?

  • Enhanced performance

Who has full permissions over a folder?

  • The owner of the folder

What is one key recommendation to ensure security for user accounts?

  • Require passwords for all user accounts

What does taking ownership of a folder entail?

  • Allowing full permissions to the owner

Which of the following is advised for easier access to shared folders and files?

  • Using a mapped network drive

Which tab in the Advanced Security Settings window allows you to add or remove permissions for a folder or file?

  • Permissions

What is the purpose of the 'Auditing' tab in the Advanced Security Settings window?

  • To track changes made to files or folders

Which feature allows you to assign permissions to multiple child objects within a folder?

  • Inheritance

Which action can be performed from the 'Owner' tab in the Advanced Security Settings window?

  • Changing the ownership of a file or folder

Why might you use the 'Effective Access' tab in the Advanced Security Settings window?

  • To evaluate user access permissions based on current settings

What is the main advantage of using Network File System (NFS) over traditional file systems?

  • It allows files on a network to be accessed as if they are on a local computer.

What is mapping a drive in the context of a network share?

  • Making a network host appear as a local hard drive on another computer.

What type of system is Network File System (NFS) categorized as?

  • Distributed file system

Which of the following statements best describes a network share?

  • A versatile method of sharing storage space over a network.

What is a key characteristic of the Network File System (NFS)?

  • It makes network-stored files accessible as local files.

What is the first step to enable offline files using Sync Center?

  • Go to Control Panel and open Sync Center

Which menu in File Explorer allows you to force a manual sync of files?

  • Home

What should you do after right-clicking a shared folder to make it available offline?

  • Click Always available offline

What must be done to complete enabling offline files?

  • Restart your computer

Where do you find the option to enable offline files?

  • In the Control Panel under Sync Center

What feature allows users to access certain network files even when disconnected from the network?

  • Always available offline

Which context menu option would you select to configure a network share as an offline folder?

  • Always available offline

Where is the option 'Always available offline' located when configuring a folder?

  • In the right-click context menu

Which screenshot feature allows users to open previously saved states of a file?

  • Restore previous versions

What is the main purpose of the 'Sync' option in the right-click menu for an offline folder?

  • To synchronize the offline folder with the network share

Which option would you select to make a folder available when not connected to the network?

  • Always available offline

Which menu option should be selected to begin working with a folder that is currently available only online?

  • Work offline

When using Windows Sync Center, which option ensures that a folder's contents are automatically updated with the network share?

  • Sync

Which action should be taken to temporarily stop updates to a network folder while offline?

  • Work offline

What is one method to prevent users on the network from seeing a shared folder?

  • Add a $ to the end of the folder name

Why might you disable File and Printer Sharing on a network?

  • To enhance confidentiality of shared data

How can a user access a hidden shared folder on the network?

  • By entering the complete path to the folder including $

Which of the following statements correctly describes a local share?

  • Files and folders on a computer shared using local user accounts

Which of the following is NOT a method to protect confidential data on a network?

  • Enable guest user access

What is the main purpose of appending a dollar sign ($) at the end of a share name?

  • To create a hidden network share

Which of the following methods would allow access to a hidden share on a network?

  • Searching for its exact name

What is the consequence of not knowing the exact name of a hidden share?

  • The share cannot be located or accessed

Which character is used to hide administrative shares in a network?

  • $

What is the key difference between normal shares and hidden shares on a network?

  • Hidden shares are only accessible with the exact name

Which folder is shared by default for administrator accounts at the domain level?

  • %systemroot% folder

Which of the following is NOT an example of an administrative share?

  • Documents folder

What is a characteristic of administrative shares?

  • They are always hidden from regular users

What does an administrative share allow an administrator to do?

  • Gain remote access to default shared folders and drives

Which shared resource is identified by %systemroot%?

  • The operating system installation folder

Which command can be used to access an administrative share on a Windows domain?

  • \\server\share$

What is indicated by a dollar sign ($) at the end of a shared folder name in Windows?

  • It is a hidden share

In the context of Windows domains, what is typically required to access administrative shares?

  • Administrative privileges

Why might an IT administrator use the path \\ws14\admins?

  • To access a hidden share on a domain

Which folder in Windows File Explorer can often have quick access shortcuts?

  • Quick access

Which of the following is NOT one of the five groups of services in Active Directory (AD)?

  • AD Management Services (AD MS)

What is the primary role of Active Directory (AD) in Windows domains?

  • To handle domain access and user/computer activities

Which service is responsible for providing a more lightweight directory service within AD?

  • AD Lightweight Directory Services (AD LDS)

Which Active Directory service handles digital certificates?

  • AD Certificate Services (AD CS)

Which AD service can be used to manage single sign-on (SSO) capabilities?

  • AD Federation Services (AD FS)

In Active Directory, what is a forest?

  • The top-level container that holds domains and organizational units

What is the primary purpose of an organizational unit (OU) in Active Directory?

  • To simplify the assignment of privileges and management of resources

Which component in Active Directory contains the policies used to assign privileges?

  • Group Policy Objects (GPOs)

How are the domains organized within a forest in Active Directory?

  • Domains are organized into organizational units and sub-organizational units

Which of the following best describes the top-down hierarchical structure of Active Directory?

  • Forest > Domains > Organizational units > Users and computers

What component represents individual locations within a domain in an Active Directory forest?

  • Site

Which component in Active Directory establishes and manages trust relationships between forests?

  • AD Federation Services

Where are users and computers represented in the Active Directory organizational structure?

  • User Groups

What is the primary hierarchical level in an Active Directory organizational structure?

  • Forest

What is depicted by a house-shaped icon within a site in the Active Directory organizational structure?

  • Organizational Unit

How are distinct Active Directory forests represented graphically?

  • Triangles

What scope does Group Policy specifically apply to in a domain?

  • Organizational Units

Which of the following describes the role of NTFS and Share Permissions in a domain?

  • They control access to folders.

Which entity in an Organizational Unit typically holds the user accounts?

  • User Groups

How many users are typically included in the user groups in the explained diagram?

  • Two

What is the primary function of Organizational Units within a domain?

  • To organize users and apply Group Policies

    Which of the following is NOT a method to access the domain controller?

    <p>Using a VPN connection</p> Signup and view all the answers

    What tools are mentioned for creating a new user in Active Directory?

    <p>Server Manager</p> Signup and view all the answers

    When sitting at the computer, which of the following can you use to access the domain controller?

    <p>Direct Interaction</p> Signup and view all the answers

    Which method involves using command-line tools to manage Active Directory?

    <p>AD Administrative Center and PowerShell</p> Signup and view all the answers

    What is a required tool to follow the steps to create a new user?

    <p>Server Manager</p> Signup and view all the answers

    What is a requirement for passwords to meet AD's complexity requirements?

    <p>Password must contain at least 8 characters including lowercase and uppercase letters, numbers, and symbols</p> Signup and view all the answers

    Which practice is NOT recommended when setting password options in AD?

    Select 'Password never expires'

    For which scenario might the 'Account is disabled' option be appropriate?

    When setting up an account well in advance of its usage

    Why should the option 'Password never expires' not be selected?

    It poses a security risk

    Which statement about password complexity in AD is correct?

    Passwords require a mix of at least 8 lowercase and uppercase letters, numbers, and symbols

    What is the first step to unlock a user account that has been locked due to too many failed sign-in attempts?

    Locate the account and right-click it

    Where do you need to navigate to check the 'Unlock account' option when unlocking a locked account?

    Account tab in the Properties box

    Which of the following actions can be performed from the Properties box of a user account?

    Reset a forgotten password

    To reset a forgotten password or disable/delete an account, what is the initial step after locating the account?

    Right-click the account

    What should you do after selecting 'Reset Password' to complete the process?

    Note the options to disable and delete the account

    What is the pre-Windows 2000 user logon name for Lucas Williams?

    HOMERUN\lucas_williams

    Which account option is NOT available when managing Lucas Williams' account?

    Password must have a minimum length

    Which option should be selected to require Lucas Williams to change his password the next time he logs in?

    User must change password at next logon

    On which date does Lucas Williams' account expire if the 'End of' option is selected?

    Tuesday, November 6, 2018

    What is indicated by the 'Unlock account' option?

    The account is currently locked

    Which of the following fields are required to reset a user's password in AD?

    New password and Confirm password

    What action must a user take for a password change to take effect after it is reset?

    Log off and then log on again

    Which checkbox needs to be selected to ensure a user changes their password at the next logon?

    User must change password at next logon

    What is the default status of the 'Account Lockout Status' during a password reset?

    Unlocked

    Which button should be clicked to confirm the password reset?

    OK

    Which account should be disabled in Active Directory for security reasons?

    Guest account

    What can be set to limit how long a session remains disconnected before it ends?

    Timeout and screen lock

    How can Active Directory change the Home folder location for a user?

    Via folder redirection

    Why is it important for an Administrator password to be strong?

    To prevent unauthorized access

    Why might logon time restrictions be implemented?

    To perform routine maintenance

    What is the primary use of Group Policy on a domain controller?

    To create Group Policy Objects

    What component contains policies that apply to an Organizational Unit (OU)?

    Group Policy Object

    Which task is beyond the scope of the mentioned book?

    Using Group Policy to manage GPOs

    Which step should be followed to understand how to create and edit a GPO?

    Follow the steps outlined in the text

    Is the process of using Group Policy to manage GPOs detailed in the book?

    No, it is beyond the scope of the book

    What is the first step to create a new Group Policy Object for the Domain Users OU?

    Navigate to the Domain Users folder within the Group Policy Management Console

    After navigating to the Domain Users folder, which action should be performed to start creating a new GPO?

    Right-click the Domain Users OU and select New GPO

    Which name should be entered in the Name box when creating the new GPO?

    GPO user startup

    What is the final action needed to create the new GPO after entering the name?

    Click the OK button

    What does the acronym GPO stand for in the context of Group Policy Management?

    Group Policy Object

    In what order are Group Policy Objects (GPOs) applied?

    Local, Site, Domain, OU, Enforced

    Which type of policy is applied last in the Group Policy Object (GPO) application order?

    Enforced

    Which level of Group Policy Object (GPO) is applied first?

    Local

    What happens if there is a conflict between a Site policy and an OU policy?

    The OU policy wins

    Which policy takes precedence if there is a conflict between a Domain policy and a Local policy?

    Domain policy

    Which policy source ultimately determines the 'Final Applied Policy' when a policy is enforced at the OU level?

    OU Policy

    In the conflict resolution of policies, which policy source gets overridden by a Domain policy?

    Site

    If 'Policy C' is applied at the Site level, what is the 'Final Applied Policy' for Policy C?

    Site

    What is the default final applied policy if no other policies (Site, Domain, OU) are specified or enforced?

    Local

    How does an enforced OU policy affect the hierarchy of policy application?

    It overrides both site and domain policies.

    Which command would you use to view the policies set for a computer or user in a drill-down window?

    rsop.msc

    What is displayed when using the gpresult /v command?

    The policies currently applied to the computer and user

    What initial action must be performed to view the Resultant Set of Policy (RSOP)?

    Enter the rsop.msc command in a command prompt window

    When analyzing policies applied to a computer, which command provides a verbose output?

    gpresult /v

    To find the detailed set policies resulting from Group Policy processing for a user, which of the following commands is appropriate?

    rsop.msc

    What is the minimum password age policy setting in the Default Domain Policy?

    1 day

    How many passwords are remembered by the 'Enforce password history' policy in the Default Domain Policy?

    24 passwords

    Which setting is applied to the 'Store passwords using reversible encryption' policy in the Default Domain Policy?

    Disabled

    What is the value for the 'Account lockout threshold' policy in the Default Domain Policy?

    0 invalid logon attempts

    What is the password complexity requirement status in the Default Domain Policy?

    Enabled

    Which tool is used to encrypt files and folders on an NTFS file system?

    Encrypting File System (EFS)

    What does applying the principle of least privilege entail?

    Providing users only with the privileges necessary to perform their tasks

    Which feature is responsible for encrypting an entire volume on a hard drive?

    BitLocker Drive Encryption

    To manage many settings for Internet Explorer, which dialog box is used?

    Internet Options

    What can be created to simplify the management of privileges for multiple user accounts?

    Customized user groups

    What are the two ways to share files and folders on a network?

    Workgroup sharing and domain controllers

    What is a mapped network drive used for?

    Easier access to drives and folders on the network

    How does Active Directory (AD) organize resources?

    Top-down hierarchical structure

    What is included in a forest in Active Directory (AD)?

    A domain

    What does managing resources in Active Directory (AD) mainly revolve around?

    OU, user groups, and NTFS and share permissions

    What is the term used when Active Directory changes the Home folder location to a share on the network?

    Folder redirection

    What is the correct sequence in which group policies are applied?

    Local, site, domain, OU, enforced

    Which policy takes precedence in cases of conflict?

    The last policy applied

    Which of the following is NOT part of the group policy application sequence?

    Server

    What does 'OU' stand for in the context of group policies?

    Organizational Unit

    Study Notes

    Controlling Access to Computer Resources

    • Controlling access to computer resources involves two key processes: Authentication and Authorization.

    Authentication

    • Defines the process of verifying an individual's identity to ensure they are who they claim to be.
    • In a Windows domain, Active Directory (AD) is responsible for authentication.

    Authorization

    • Determines the actions an individual can perform within the system after successful authentication.

    Password Management

    • Each user account should be assigned a password for secure access.
    • It's recommended to give users the ability to change their own passwords.

    Creating Strong Passwords

    • A strong password should be resistant to being guessed by both humans and computer programs
    • Strong password criteria:
      • Must have at least 16 characters
      • Combination of:
        • Uppercase and lowercase letters
        • Numbers
        • Symbols
      • At least one symbol must be included
      • Avoid using:
        • Consecutive letters or numbers
        • Adjacent keyboard keys
        • Sign-in name
        • Words in any language
      • Do not reuse passwords across multiple systems

    Windows Authentication Tools

    • Three tools control user and computer privileges:
      • Group Policy: works in Active Directory (AD) on a Windows domain
      • Local Group Policy (gpedit.msc): applies only to the local computer or user; contains a subset of Group Policy settings
      • Local Security Policy (secpol.msc): applies only to the local computer's Windows security settings; contains a subset of Local Group Policy settings

    Availability of Local Policy Editors

    • The Local Group Policy and Local Security Policy editors are available with:
      • Business editions of Windows
      • Professional editions of Windows

    Windows Authentication Policy Management

    • Two windows are used to manage security policies and settings: Local Group Policy editor and Local Security Policy editor.
    • These windows have different available settings.
    • The Local Security Policy editor is used to edit a subset of policies available in the Local Group Policy editor.
    • The Local Group Policy editor has more comprehensive policy settings compared to the Local Security Policy editor.

    Managing User Credentials in Windows

    • To access Credential Manager, open the applet in Control Panel
    • Credential Manager allows management of:
      • Web credentials
      • Windows credentials
    • In Web Credentials, you can:
      • Edit user name and password to access websites
      • Delete website login credentials
    • In Windows Credentials, you can:
      • Edit Windows user names
      • Edit Windows passwords
      • Edit and delete digital certificates installed on the system

    BIOS/UEFI Passwords

    • BIOS/UEFI firmware on the motherboard offers three types of power-on passwords:

    Types of Power-on Passwords

    • Supervisor password: required to change BIOS/UEFI setup, providing an additional layer of security
    • User password: required to use the system or view BIOS/UEFI setup, restricting access to system and setup
    • Drive lock password: required to access the hard drive, adding an extra layer of security to data stored on the drive

    Securing Internet Explorer

    • Internet Explorer 11 is the default browser in current releases of Windows 10/8/7
    • Windows 10 features Microsoft Edge as a replacement browser for Internet Explorer

    Internet Explorer 11 Tips

    • To open the menu bar, press the Alt key or right-click a blank area in the title bar and check Menu bar in the shortcut menu
    • Verify HTTPS (HTTP Secure) by looking for https and a padlock icon in the browser address box
    • Troubleshooting IE 11 issues:
      • Install Windows updates
      • Apply a restore point
      • Refresh Windows 10/8
    • Internet Explorer can be disabled by using Programs and Features, Turn Windows features on or off

    Deleting Browsing History

    • Preserve Favorites website data: Allows cookies and temporary Internet files to retain preferences and display faster for favorite websites.
    • Temporary Internet files and website files: Copies of webpages, images, and media saved for faster viewing.
    • Cookies and website data: Files or databases stored on your computer by websites to save history, preferences, or improve website performance.
    • Components of browsing history: Includes history, download history, form data, passwords, and tracking protection.
    • History: A list of websites you have visited.
    • Download History: A list of files you have downloaded.
    • Form data: Saved information that you have typed into forms.
    • Passwords: Stored passwords that are automatically filled in when you sign in to a website you have previously visited.
    • Tracking Protection, ActiveX Filtering, and Do Not Track: A list of websites excluded from tracking data, used to detect when sites might automatically be sharing details about your visit, and exceptions to Do Not Track requests.

    Internet Options Box

    • General tab: allows changing the home page or adding a secondary home page tab, and protects identity and surfing records
    • Security tab: enables setting a zone security level

    Configuring Privacy and Security

    • Privacy tab: blocks cookies that might invade privacy or steal identity

    Network and Proxy Settings

    • Connections tab: configures proxy server settings and creates a VPN connection

    Managing Add-ons

    • Programs tab: manages add-ons (also called plug-ins)

    Miscellaneous Settings

    • Advanced tab: contains various settings to control Internet Explorer

    File and Folder Encryption in Windows

    • Windows Encrypting File System (EFS) enables file and folder encryption
    • EFS is compatible with NTFS file system and business/professional editions of Windows
    • Encrypting a folder ensures all files created in or copied to the folder are automatically encrypted
    • Encrypted files remain encrypted even when moved to an unencrypted folder

    Encrypting a Folder or File

    • Right-click the folder or file and open its Properties box
    • Click Advanced on the General tab
    • Check Encrypt contents to secure data and click OK in the Advanced Attributes box

    Identifying Encrypted Files and Folders

    • Encrypted file and folder names are displayed in green by default in File Explorer or Windows Explorer

    BitLocker Drive Encryption

    • Encrypts the entire Windows volume and any other volume on the drive
    • Restricts access by requiring one or two encryption keys
    • Works in partnership with file and folder encryption

    Ways to Use BitLocker Encryption

    • Computer Authentication
      • Requires a Trusted Platform Module (TPM) chip on the motherboard
      • Stores the BitLocker encryption key (startup key) in the TPM
      • Prevents access to the hard drive if it's stolen without the startup key
    • User Authentication
      • Stores the startup key on a USB drive
    • Computer and User Authentication
      • Requires a PIN or password at every startup
      • Example of multifactor authentication (MFA)

    BitLocker Encryption Considerations

    • BitLocker provides great security, but it comes with two significant risks: TPM failure and losing all copies of the BitLocker startup key.
    • Use BitLocker only if the risks of data theft outweigh the risks of using the encryption.

    Protecting BitLocker Keys

    • Make extra copies of the startup key and/or password to mitigate the risk of losing access.
    • Keep the extra copies in a safe and secure location.

    Enabling BitLocker

    • Enable the TPM chip in the BIOS/UEFI setup to start using BitLocker.
    • Open the BitLocker Drive Encryption applet in Control Panel to access the encryption feature.

    Firewall Types and Functions

    • A router can serve as a hardware firewall
    • A corporate firewall is a software firewall installed on a computer between the Internet and the network, often used by large corporations
    • A personal firewall (also known as a host firewall) is software that protects an individual computer

    Windows Firewall Settings

    • Windows Firewall is a personal firewall that protects a computer
    • Windows Firewall is automatically configured when setting up a new network connection
    • Windows Firewall settings can be customized

    Managing User Credentials

    • The Credential Manager applet in Control Panel allows you to manage web credentials and Windows credentials.
    • You can edit or delete user names and passwords to access websites.
    • You can also edit and delete Windows user names, passwords, and digital certificates installed on the system.

    Using BIOS/UEFI Passwords to Authenticate Users

    • BIOS/UEFI firmware on the motherboard offers power-on passwords, including:
      • Supervisor password: required to change BIOS/UEFI setup.
      • User password: required to use the system or view BIOS/UEFI setup.
      • Drive lock password: required to access the hard drive, stored on the hard drive.

    Securing Internet Explorer

    • The Internet Options dialog box can be used to secure Internet Explorer.
    • Tips for using Internet Explorer 11:
      • Press the Alt key or right-click a blank area in the title bar to open the menu bar.
      • Look for https and a padlock icon in the browser address box when HTTPS is used.
      • Try installing Windows updates, applying a restore point, or refreshing Windows 10/8 if you have a problem with IE 11.

    Deleting Browsing History

    • Options for deleting browsing history in Internet Explorer:
      • Preserve Favorites website data: keeps cookies and temporary Internet files for favorite websites.
      • Temporary Internet files and website files: copies of webpages, images, and media saved for faster viewing.
      • Cookies and website data: files or databases stored on your computer by websites.
      • History: list of websites you have visited.
      • Download History: list of files you have downloaded.
      • Form data: saved information typed into forms.
      • Passwords: stored passwords automatically filled in when signing in to a website.
      • Tracking Protection, ActiveX Filtering, and Do Not Track: list of websites excluded from tracking data.

    File and Folder Encryption

    • Windows Encrypting File System (EFS) can be used to encrypt files and folders.
    • EFS only works with the NTFS file system and business/professional editions of Windows.
    • An encrypted file remains encrypted if moved to an unencrypted folder.
    • To encrypt a folder or file, right-click it, open its Properties box, and check Encrypt contents to secure data.

    BitLocker Encryption

    • BitLocker Drive Encryption encrypts the entire Windows volume and any other volume on the drive.
    • BitLocker works in partnership with file and folder encryption.
    • Three ways to use BitLocker Encryption:
      • Computer Authentication: uses a TPM chip on the motherboard to hold the BitLocker encryption key.
      • User Authentication: stores the startup key on a USB drive.
      • Computer and User Authentication: requires a PIN or password at every startup, an example of multifactor authentication.

    Windows Firewall Settings

    • A router can serve as a hardware firewall.
    • A personal firewall, such as Windows Firewall, protects a computer.
    • Windows Firewall is automatically configured when setting up a new network connection and can be customized.

    Controlling Access to Folders and Files

    • Managing shared resources is accomplished by:
      • Assigning permissions to user accounts.
      • Assigning permissions to folders, files, and printers.

    Using Windows to Authenticate Users

    • Controlling access to computer resources is done by:
      • Authentication: proves that an individual is who they say they are.
      • Authorization: determines what an individual can do in the system after authentication.
    • Create strong passwords by using 16 or more characters, combining uppercase and lowercase letters, numbers, and symbols, and avoiding common patterns.

    User Account Management

    • The principle of least privilege is an approach to assigning users the minimum rights required to perform their job tasks.
    • User rights or privileges are initially established during user account creation, which determines the account type.
    • Privileges can be modified later by changing the user groups associated with the account.
    • User accounts can be created using two methods:
      • Through the User Accounts applet in the Control Panel.
      • Through the Local Users and Groups utility in the Computer Management console.

    Classifying User Accounts

    • There are two main types of user accounts: Administrator account and Standard user account

    Creating a User Account using Computer Management

    • To create a user account, open the Computer Management console (compmgmt.msc)
    • To create a new user, right-click Users under Local Users and Groups and select New User in the shortcut menu
    • Enter required information for the new user and click Create to complete the process

    Built-in User Groups

    • There are three main built-in user groups in Windows: Administrators, Users, and Guests.
    • The Guests group has limited privileges and is assigned a temporary profile that is deleted when the user logs off.
    • The Power Users group is available in older editions of Windows and allows users to read from and write to parts of the system, install apps, and perform limited administrator tasks.
    • In Windows 10, 8, and 7, the Power Users group is only available for backward compatibility.

    Classifying User Accounts and User Groups

    Built-in User Groups

    • Windows automatically assigns built-in user groups to an account, including:
      • Authenticated Users group, which includes all user accounts except the Guest account
      • Everyone group, which includes the Authenticated Users group as well as the Guest account
    • Anonymous users are users who have not been authenticated on a remote computer

    Customized User Groups

    • Custom user groups can be created using:
      • Management Console
      • Local Users and Groups console in business and professional editions of Windows
    • Creating custom user groups:
      • Makes it easier to assign permissions to user groups rather than to individual accounts
      • Is useful when several users need the same permissions

    Managing Shared Folders and Files in Windows

    • There are two general strategies for managing shared folders and files in Windows: Workgroup sharing and Domain Controlling
    • Workgroup sharing offers better security than a homegroup
    • Domain Controlling is used when a computer belongs to a domain, and all security is managed by the network administrator for the entire network

    Organizing Shared Data

    • Private data for individual users should be kept in the C:\Users folder for that user
    • Data for all users to share should be placed in the C:\Users\Public folder
    • For best security, create a folder outside of the above folders and assign permissions to that folder and its subfolders
    • This allows control over access, granting permissions to:
      • All users
      • Certain users or user groups

    Methods to Assign Permissions to Folders and Files

    Workgroup Sharing Methods

    • Windows offers two methods to share a folder using workgroup sharing

    Share Permissions

    • Grant permissions only to network users, not to local users
    • Apply to a folder and its contents, not to individual files

    NTFS Permissions

    • Apply to both local users and network users
    • Apply to both folders and individual files
    • Work only on NTFS volumes
    • Configured using the Security tab in a file or folder's Properties box

    Implementing Permissions

    • When both share and NTFS permissions are used, the most restrictive permission is applied.
    • When NTFS permissions conflict, the more liberal permission is applied.

    Permission Propagation

    • Permission propagation occurs when permissions are passed from parent to child.

    Inherited Permissions

    • Inherited permissions are permissions attained from a parent object.

    Moving and Copying Objects

    • When an object is moved or copied to a folder, it takes on the permissions of that folder.
    • Exception: When an object is moved (not copied) from one location to another on the same volume, it retains its original permissions from the original folder.

    gpresult Command

    • Use the gpresult command to retrieve a list of all groups a user belongs to
    • The command provides information helpful for troubleshooting user group issues and Group Policy problems
    • To retrieve information on a user other than the one signed in, use the command: gpresult /scope:user /username: /r

    Methods to Assign Permissions to Folders and Files

    • Two general strategies for managing shared folders and files in Windows: Workgroup sharing and Domain Controlling
    • Workgroup sharing offers better security than a homegroup
    • Domain Controlling is used when a computer belongs to a domain, and all security is managed by the network administrator for the entire network
    • Tips on which folder to use to hold shared data:
      • Private data for individual users is best kept in the C:\Users folder for that user
      • Data for all users to share should be placed in C:\Users\Public folder
      • For best security, create a folder not in either of the above folders and assign permissions to that folder and its subfolders
        • Allow all users access or only certain users or user groups

    Methods to Assign Permissions to Folders and Files (continued)

    • Using workgroup sharing, Windows offers two methods to share a folder:
      • Share permissions: grant permissions only to network users and not to local users
        • Apply to a folder and its contents, not to individual files
      • NTFS permissions: apply to local users and network users
        • Apply to both folders and individual files
        • Work on NTFS volumes only
        • Configured using the Security tab in a file or folder's Properties box

    Implementing Permissions

    • Tips when implementing permissions:
      • If both share and NTFS permissions are used, the most restrictive permission applies
      • If NTFS permissions are conflicting, the more liberal permission applies
      • Permission propagation: when permissions are passed from parent to child
      • Inherited permissions: permissions attained from a parent object
      • When you move or copy an object to a folder, the object takes on permissions of that folder
        • Exception: when you move (not copy) an object from one location to another on the same volume, the object retains its permissions from the original folder

    Managing User Credentials

    • Manage User Credentials using the Credential Manager applet in Control Panel
      • Allows you to manage web credentials and Windows credentials
      • You can edit or delete the user name and password to access websites
      • When you click Windows Credentials:
        • You can edit and delete Windows user names, passwords, and digital certificates installed on the system

    BIOS/UEFI Passwords to Authenticate Users

    • BIOS/UEFI firmware on the motherboard offers power-on passwords:
      • Supervisor password: required to change BIOS/UEFI setup
      • User password: required to use the system or view BIOS/UEFI setup
      • Drive lock password: required to access the hard drive
        • Stored on the hard drive, so it will still control access to drive in the event the drive is removed

    Securing Internet Explorer

    • The Internet Options dialog box can be used to secure Internet Explorer
      • Tips about using Internet Explorer 11:
        • To open the Internet Explorer menu bar, press the Alt key or right-click a blank area in the title bar and check Menu bar in the shortcut menu
        • Look for https and a padlock icon in the browser address box when HTTPS (HTTP Secure) is used
        • If you have a problem with IE 11, try installing Windows updates, applying a restore point, or refreshing Windows 10/8
          • You can disable Internet Explorer by using Programs and Features, Turn Windows features on or off

    Deleting Browsing History

    • Preserve Favorites website data: keep cookies and temporary Internet files that enable your favorite websites to retain preferences and display faster
    • Temporary Internet files and website files: copies of webpages, images, and media that are saved for faster viewing
    • Cookies and website data: files or databases stored on your computer by websites to save history, preferences, or improve your website performance
    • History: list of websites you have visited
    • Download History: list of files you have downloaded
    • Form data: saved information that you have typed into forms
    • Passwords: stored passwords that are automatically filled in when you sign in to a website you have previously visited
    • Tracking Protection, ActiveX Filtering, and Do Not Track: a list of websites excluded from tracking data used by tracking protection to detect when sites might automatically be sharing details about your visit, and exceptions to Do Not Track requests

    Important Tabs in the Internet Options Box

    • General tab: change the home page or add a second home page tab, protect your identity and surfing records
    • Security tab: set a zone security level
    • Privacy tab: block cookies that might invade your privacy or steal your identity
    • Connections tab: allows you to configure proxy server settings and create a VPN connection
    • Programs tab: used to manage add-ons (called plug-ins)
    • Advanced tab: contains several miscellaneous settings used to control Internet Explorer

    File and Folder Encryption

    • In Windows, files and folders can be encrypted using the Windows Encrypting File System (EFS)
      • Works only with the NTFS file system and business/professional editions of Windows
      • If a folder is marked for encryption, every file created in or copied to the folder will be encrypted
      • An encrypted file remains encrypted if moved to an unencrypted folder
    • To encrypt a folder or file:
      • Right-click it and open its Properties box
      • On the General tab, click Advanced
      • In the Advanced Attributes box, check Encrypt contents to secure data and click OK

    BitLocker Encryption

    • BitLocker Drive Encryption encrypts the entire Windows volume and any other volume on the drive
      • Restricts access by requiring one or two encryption keys
      • Works in partnership with file and folder encryption
    • Three ways to use BitLocker Encryption:
      • Computer Authentication: uses a chip on the motherboard called TPM (Trusted Platform Module) to hold the BitLocker encryption key
      • User Authentication: uses a startup key stored on a USB drive
      • Computer and User Authentication: requires a PIN or password at every startup
        • An example of multifactor authentication (MFA)

    Windows Firewall Settings

    • A router can serve as a hardware firewall
    • In addition, a large corporation might use a software firewall (called a corporate firewall) installed on a computer between the Internet and the network
    • A personal firewall (also called host firewall) is software on a computer to protect that computer
    • Windows Firewall is a personal firewall that protects a computer
      • Automatically configured when you set up your security level for a new network connection
      • Can also customize the settings

    Controlling Access to Folders and Files

    • Managing shared resources is accomplished by:
      • Assigning permissions to user accounts
      • Assigning permissions to folders, files, and printers

    Classifying User Accounts and User Groups

    • Principle of least privilege: an approach where computer users are assigned the minimum rights required to do their job
    • Rights or privileges are established when you first create a user account (when you decide the account type)
    • Privileges can later be changed by changing the user groups to which the account belongs
    • User accounts are created using the User Accounts applet in Control Panel
      • Or by using the Local Users and Groups utility in the Computer Management console

    Type of User Account

    • Administrator account
    • Standard user account

    Built-in User Groups

    • Administrators and Users groups
    • Guests group
      • Has limited privileges and is given a temporary profile that is deleted when the user logs off
    • Power Users group
      • Older editions offer this group that can read from and write to parts of the system, install apps, and perform limited administrator tasks
      • Windows 10/8/7 offers this group only for backward compatibility

    Windows Might Automatically Assign One of These Built-in User Groups to an Account

    • Authenticated Users group: includes all user accounts except the Guest account
    • Everyone group: includes the Authenticated Users group as well as the Guest account
    • Anonymous users: users who have not been authenticated on a remote computer

    Customized User Groups

    • Use Management Console or the Local Users and Groups console in business and professional editions of Windows to create custom user groups
    • Easier to assign permissions to user groups rather than to individual accounts
      • User groups work well when several users need the same permissions

    Sharing Folders and Files

    • For NTFS volumes, it is recommended to use NTFS permissions whenever possible.

    Using Share Permissions

    • To share a folder, follow these steps:
      • Open the folder's Properties box, select the Sharing tab, and click Advanced Sharing.
      • Check the "Share this folder" option and click Permissions.
      • Click Add to add a new user or group.
      • In the Select Users or Groups box, enter a user account or a user group and click OK.
      • To remove the Everyone group, select it in the Permissions box and click Remove.

    Managing Shared Folders and Files

    • Troubleshoot access issues by following the steps outlined in the text
    • Use advanced permissions settings to gain further control of a user or group
      • Access advanced permissions by clicking Advanced on the Security tab of a folder's Properties box

    Inheritance and Permissions

    • Subfolders inherit permissions of the parent folder
    • Manage permissions using the parent folder

    Effective Permissions

    • Check the Effective Permissions tab of the Advanced Security Settings box to determine the actual permissions in effect

    Sharing Folders and Files

    • Folder Ownership: The owner of a folder always has full permissions.
    • Workgroup Optimization: Using only one workgroup improves performance, as it ensures all users are in the same workgroup.
    • Password Security: Require passwords for all user accounts to maintain security.
    • Mapped Network Drive: Use a mapped network drive for convenient access and management of shared folders and files.

    Methods to Assign Permissions to Folders and Files

    • Two strategies for managing shared folders and files in Windows:
      • Workgroup sharing offers better security than a homegroup
      • A domain controller manages security for the entire network if the computer belongs to a domain
    • Tips for choosing a folder to hold shared data:
      • Private data: C:\Users folder for each user
      • Shared data: C:\Users\Public folder or a custom folder with assigned permissions

    Share Permissions

    • Two methods to share a folder using workgroup sharing:
      • Share permissions grant permissions only to network users, not local users
      • NTFS permissions apply to both local and network users, work on NTFS volumes only
    • Share permissions apply to folders and their contents, not individual files
    • NTFS permissions can be configured using the Security tab in a file or folder's Properties box

    Implementing Permissions

    • Important tips:
      • Most restrictive permission applies when both share and NTFS permissions are used
      • Inherited permissions: permissions attained from a parent object
      • Permission propagation: permissions passed from parent to child
      • When moving an object, it takes on permissions of the new folder, except when moving within the same volume
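    The rules above (share permissions gate network users only, NTFS permissions apply to everyone, and the most restrictive of the two wins) can be modelled in a few lines. This is an added example, not part of the original notes; the right sets are simplified, the group and user names are constructed, and the deny-overrides-allow behaviour within one ACL is standard Windows behaviour that the notes do not spell out.

```python
from dataclasses import dataclass

# Simplified right sets (assumption): real NTFS and share permissions are finer-grained.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}          # share "Change" / NTFS "Modify"
FULL = CHANGE | {"change_permissions"}       # "Full control"


@dataclass(frozen=True)
class Ace:
    principal: str          # user or group the entry names
    allow: bool             # True = allow entry, False = deny entry
    rights: frozenset


def acl_rights(acl, principals):
    """Rights one ACL yields: allows add up across groups, any deny removes the right."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_rights(user, groups, ntfs_acl, share_acl, over_network):
    """Effective access: NTFS alone for local users, NTFS AND share over the network."""
    principals = {user, *groups}
    ntfs = acl_rights(ntfs_acl, principals)
    if not over_network:
        return ntfs                                   # share permissions only gate network users
    return ntfs & acl_rights(share_acl, principals)   # most restrictive of the two


def overbroad_share_entries(ntfs_acl, share_acl):
    """Audit helper: share allow entries wider than what NTFS gives that principal."""
    findings = []
    for ace in share_acl:
        if ace.allow:
            excess = ace.rights - acl_rights(ntfs_acl, {ace.principal})
            if excess:
                findings.append((ace.principal, sorted(excess)))
    return findings


# Constructed ACLs for a shared folder (group names are hypothetical).
NTFS_ACL = [
    Ace("Accounting", True, CHANGE),
    Ace("Auditors", True, READ),
    Ace("Contractors", False, frozenset({"write", "delete"})),
]
SHARE_ACL = [
    Ace("Accounting", True, READ),
    Ace("Auditors", True, FULL),
]

if __name__ == "__main__":
    cases = [
        ("alice", {"Accounting"}, True),
        ("alice", {"Accounting"}, False),
        ("bob", {"Auditors"}, True),
        ("carol", {"Accounting", "Contractors"}, False),
    ]
    for user, groups, net in cases:
        rights = effective_rights(user, groups, NTFS_ACL, SHARE_ACL, net)
        print(user, "network" if net else "local", sorted(rights))
    print("share entries wider than NTFS:", overbroad_share_entries(NTFS_ACL, SHARE_ACL))
```

    The audit helper lists share entries that look more permissive than they really are, which is where the share ACL and the NTFS ACL have drifted apart and deserve a review.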

    Sharing Folders and Files

    • Tips for managing shared folders and files:
      • Take ownership of a folder (owner always has full permissions)
      • Use only one workgroup for better performance
      • Require passwords for all user accounts
      • Use a mapped network drive

    Authenticating Users

    • Manage User Credentials:
      • Use Credential Manager applet in Control Panel
      • Manage web credentials and Windows credentials
    • BIOS/UEFI firmware offers power-on passwords:
      • Supervisor password (required to change BIOS/UEFI setup)
      • User password (required to use the system or view BIOS/UEFI setup)
      • Drive lock password (required to access the hard drive)

    File and Folder Encryption

    • Windows Encrypting File System (EFS):
      • Works only with NTFS file system and business/professional editions of Windows
      • Encrypts files and folders to secure data
    • BitLocker Drive Encryption:
      • Encrypts entire Windows volume and any other volume on the drive
      • Restricts access by requiring one or two encryption keys

    Windows Firewall Settings

    • Windows Firewall:
      • A personal firewall that protects a computer
      • Automatically configured when setting up a new network connection
      • Can be customized for better security

    Controlling Access to Folders and Files

    • Managing shared resources:
      • Assigning permissions to user accounts
      • Assigning permissions to folders, files, and printers
    • Principle of least privilege: an approach where users are assigned minimum rights required to do their job

    Classifying User Accounts and User Groups

    • Types of user accounts:
      • Administrator account
      • Standard user account
    • Built-in user groups:
      • Administrators and Users groups
      • Guests group
      • Power Users group (older editions, for backward compatibility)
    • Customized user groups:
      • Use Management Console or Local Users and Groups console to create custom groups
      • Easier to assign permissions to user groups rather than individual accounts

    Network Shares

    • A network share allows a client computer to access hard drive space on another host computer as if it were a local hard drive
    • Mapping the drive makes the remote hard drive space appear as a new local drive (e.g. drive E)

    Network File System (NFS)

    • Enables access to files on the network as easily as if they were stored on the local computer
    • A type of distributed file system (DFS) that shares files on a network

    Sync Center

    • Sync Center enables synchronization of shared folders or volumes between two computers
    • Located in Control Panel as an applet

    Enabling Sync Center and Offline Files

    • To enable Sync Center and offline files, follow these steps:
      • Go to Control Panel, open Sync Center, and click Manage offline files
      • Click Enable offline files and then click OK (requires a computer restart)
      • Right-click a shared folder in File/Windows Explorer and select Always available offline
      • The folder will sync on both local and remote computers

    Manual Sync

    • To force a manual sync of files in a folder:
      • Open File Explorer, select the folder, and open the Home menu
      • Click Easy access and then click Sync

    Windows File Explorer

    • Windows File Explorer displays a list of drives and folders on the left, including local disks, network drives, and computer names.
    • The drives and folders listed include Local Disk (C), Local Disk (D), Network, ANDRDAS, BMC-DESKTOP7777, LENOVOLAPTOP, and Camtasia.

    Folder Options

    • The Resources folder has a right-click menu with options, including:
      • Open and open in new window
      • Pin to Quick access and Pin to Start
      • Scan with Windows Defender and Map network drive
      • Always available offline (configure a network share as an offline folder)
      • Restore previous versions and Include in Library
      • Copy, Paste, Create shortcut, and Properties

    Sync Center and Offline Files

    • A Windows File Explorer folder is displayed, titled "LENOVOLAPTOP", containing various files and folders.
    • The folder contains files and folders such as Lamtosa, Data, Data2, dlme, Downloads, Financial, Resources, and Users.
    • A right-click menu is open, providing options:
      • Easy access
      • Include in library
      • Map as drive
      • Always available offline
      • Sync
      • Work offline

    Protecting Confidential Data

    • Disable File and Printer Sharing to prevent unauthorized access to confidential data on the network
    • Hide a shared folder by adding a $ to the end of the folder name to conceal it from other users

    Hidden Shared Folders

    • To access a hidden shared folder, users must enter the complete path to the folder, including the $, in the search box
    • Hidden shared folders are not visible to other users, but can still be accessed by those who know the complete path

    Local Shares

    • Local shares refer to folders and files on a computer that are shared with others using local user accounts

    Hidden Network Resources and Administrative Shares

    • A hidden share can be created by adding a dollar sign ($) at the end of the share name.
    • The hidden share will not be visible unless the exact name is used to locate it.
    • To access a hidden, shared folder on the network, you need to search for its exact name.

    Administrative Shares

    • Administrative shares are folders shared by default, accessible to administrator accounts at the domain level.
    • There are two types of administrative shares:

    Types of Administrative Shares

    • One type is the %systemroot% folder, which is a critical system directory.
    • The other type includes any volume or drive, providing broad access to administrator accounts.

    Accessing Administrative Shares

    • An administrative share can be accessed through a Windows File Explorer window.
    • The address bar in the File Explorer window is set to a specific format, in this case, "\\ws14\admin$".
    • This format is used to access the administrative share on a domain.
    • The File Explorer window displays various folders, including "Quick access", "Desktop", and "Downloads", when accessing the administrative share.

    Active Directory Overview

    • Active Directory (AD) is a suite of services and databases provided by Windows Server.
    • AD is used to manage Windows domains, including access to the domain and what users and computers can do in the domain.

    Active Directory Components

    • Active Directory incorporates five groups of services:
      • Active Directory Domain Services (AD DS)
      • Active Directory Certificate Services (AD CS)
      • Active Directory Federation Services (AD FS)
      • Active Directory Rights Management Services (AD RMS)
      • Active Directory Lightweight Directory Services (AD LDS)

    Active Directory Hierarchy

    • Active Directory organizes resources in a top-down hierarchical structure
    • The highest level of this hierarchy is the forest, which represents the entire enterprise

    Domains and Organizational Units

    • A forest contains one or more domains, which are organized into organizational units (OUs)
    • OUs are further divided into sub-organizational units

    Organizational Units (OUs)

    • OUs are created to simplify the assignment of privileges to users and computers within the OU
    • Privileges are assigned using policies created by Group Policy
    • These policies are contained in Group Policy Objects (GPOs)

    Active Directory Organizational Structure

    • An Active Directory organizational structure consists of multiple components, forming a hierarchical relationship between them.
    • A Forest is a collection of one or more domains, represented by blue triangles.
    • Trust Relationships between forests are managed by AD Federation Services, depicted by an arrow connecting the two forests.
    • A Domain is a part of a forest, containing Sites, represented by a blue triangle with two circles labeled "Site".
    • Sites are individual circular shapes within a domain.
    • An Organizational Unit (OU) is represented by a house-shaped icon within a site.
    • User Groups are two boxes inside the OU, containing users and computers.
    • Users and Computers are represented by icons inside the user groups.
    • The Active Directory organizational structure is depicted in Figure 7-47.

    Applying Group Policy and Permissions

    • Group Policy applies to Organizational Units (OUs) in a domain.
    • An Organizational Unit typically contains user groups, with each user group having multiple users.
    • User groups within an Organizational Unit can have two or more users.
    • NTFS and Share Permissions are used to control access to resources in a domain.
    • These permissions apply to folders, managing access to resources within them.

    Accessing the Domain Controller

    • Three methods to access the domain controller: sitting at the computer, remote access to Windows Server, and using AD Administrative Center and PowerShell

    Creating a New User

    • Use Server Manager to create a new user
    • Follow the outlined steps to complete the new user creation process

    Best Practices for Password Options in AD

    • Always require a password for user accounts

    Password Complexity Requirements

    • Minimum of 8 characters in length
    • Must contain a mix of:
      • Lowercase letters
      • Uppercase letters
      • Numbers
      • Symbols
    • Cannot contain any three consecutive letters found in the:
      • User name
      • Display name

    Password Management Options

    • Require users to change their password at next logon
    • Avoid checking "Password never expires" for security reasons
    • "Account is disabled" option is useful for setting up accounts in advance of their actual use

    Managing User Accounts in AD

    • An account may get locked due to excessive failed sign-in attempts
    • To unlock a locked account:
      • Locate the account, right-click it, and select Properties
      • In the Properties box, select the Account tab, check Unlock account, and click Apply
    • To reset a forgotten password:
      • Locate the account, right-click it, and select Properties
      • Click Reset Password
    • Options to disable and delete an account are available in the Reset Password section

    User Account Properties

    • The user account Properties box has tabs including Member Of, Password Replication, Dial-in, Environment, Sessions, Remote control, Remote Desktop Services Profile, COM+, General, Address, Account, Profile, Telephones, and Organization.

    User Logon Name

    • A user logon name can be in the format of an email address, such as [email protected].
    • A user logon name can also be in the pre-Windows 2000 format, such as HOMERUN\lucas_williams.

    Logon Hours and Log On To

    • Logon hours and log on to options can be configured for a user account.

    Account Options

    • Options can be set to control password behavior, such as:
      • User must change password at next logon
      • User cannot change password
      • Password never expires
      • Store password using reversible encryption

    Account Expiration

    • An account can be set to expire at a specific time, such as the end of a specific date (e.g. Tuesday, November 6, 2018).
    • An account can also be set to never expire.

    Resetting a User Password

    • The password reset dialog window contains four fields: New password, Confirm password, User must change password at next logon, and Unlock the user's account.
    • The dialog window displays a message reminding the user to log off and log on again for the change to take effect.
    • The "Account Lockout Status" is set to Unlocked after resetting the password.
    • The dialog window has two buttons: OK and Cancel.
    • The window is used to reset a user's password in Active Directory (AD).

    Managing User Accounts in Active Directory

    • Disable the Guest account to prevent unauthorized access
    • Implement logon time restrictions to schedule routine maintenance during off-peak hours
    • Set timeout and screen lock policies to limit the duration of disconnected sessions and require users to log back in
    • Ensure administrators use strong passwords to protect against unauthorized access
    • Configure home folders to redirect to a network share using folder redirection
    • Utilize logon scripts to execute specific tasks or settings during user logon

    Group Policy Objects

    • Group Policy can be used to create Group Policy Objects (GPOs) on a domain controller
    • GPOs contain policies that apply to a specific Organizational Unit (OU)
    • Creating and editing a GPO is possible, but managing GPOs using Group Policy is beyond the scope of this book
    • This book provides a brief overview of the process of creating and editing a GPO

    Creating a new GPO for the Domain Users OU

    • To create a new GPO, navigate to the Domain Users folder within the Group Policy Management Console.
    • Right-click the Domain Users OU and select New GPO to initiate the creation process.
    • The new GPO requires a name, which in this case is GPO user startup.
    • Selecting OK after naming the GPO completes the creation process.

    Policy Application Order

    • Policy conflicts can arise when policies overlap
    • The order of policy application is crucial in resolving conflicts
    • The last policy applied takes precedence in case of conflicts

    Policy Application Hierarchy

    • The order of policy application is as follows:
      • Local policies
      • Site policies
      • Domain policies
      • OU policies
      • Enforced policies
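    The application order listed above, combined with the rule that the last policy applied wins a conflict, can be worked through as a small resultant-set calculation. This is an added example, not part of the original notes; the setting names and all GPO names except "Default Domain Policy" and "GPO user startup" are constructed, and the rule that a higher-level enforced link beats a lower-level enforced link is standard Active Directory behaviour that the notes do not state.

```python
from dataclasses import dataclass

ORDER = ["local", "site", "domain", "ou"]      # application order from the notes
RANK = {level: i for i, level in enumerate(ORDER)}


@dataclass
class Gpo:
    name: str
    level: str              # one of ORDER
    settings: dict
    enforced: bool = False


def application_order(gpos):
    """Return GPOs in the order they are applied; later entries win conflicts."""
    for gpo in gpos:
        if gpo.level not in RANK:
            raise ValueError(f"unknown level: {gpo.level}")
        if gpo.enforced and gpo.level == "local":
            raise ValueError("local policy cannot be enforced")
    normal = sorted((g for g in gpos if not g.enforced), key=lambda g: RANK[g.level])
    # Enforced links go last. Among them the highest container wins,
    # so they are applied from the lowest level up to the highest.
    enforced = sorted((g for g in gpos if g.enforced),
                      key=lambda g: RANK[g.level], reverse=True)
    return normal + enforced


def resultant_set(gpos):
    """Map each setting to (winning value, name of the GPO that supplied it)."""
    result = {}
    for gpo in application_order(gpos):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def conflicts(gpos):
    """Settings given different values by several GPOs, with the full override trail."""
    trail = {}
    for gpo in application_order(gpos):
        for key, value in gpo.settings.items():
            trail.setdefault(key, []).append((gpo.name, value))
    return {k: t for k, t in trail.items() if len({v for _, v in t}) > 1}


# Constructed sample: setting names are illustrative labels, not real policy paths.
SAMPLE_GPOS = [
    Gpo("GPO user startup", "ou",
        {"ScreenSaverTimeout": 600, "RemovableStorage": "allowed"}),
    Gpo("Domain lockdown", "domain", {"RemovableStorage": "denied"}, enforced=True),
    Gpo("Default Domain Policy", "domain",
        {"MinimumPasswordLength": 7, "ScreenSaverTimeout": 900}),
    Gpo("Site baseline", "site", {"RemovableStorage": "read-only"}),
    Gpo("Local Group Policy", "local",
        {"ScreenSaverTimeout": 1800, "RemovableStorage": "allowed"}),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_set(SAMPLE_GPOS).items()):
        print(f"{setting} = {value!r}  (from {source})")
    for setting, steps in conflicts(SAMPLE_GPOS).items():
        print(setting, "override trail:", " -> ".join(f"{n}={v!r}" for n, v in steps))
```

    The override trail is the part worth reading during a review: it shows which lower-priority value was silently replaced, which is what the RSoP and gpresult tools report for a live machine.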

    How Group Policies Are Applied

    • When conflicting policies exist, the final applied policy is determined by the policy source.
    • Local policies have the highest priority and are applied first.
    • If there is no local policy, site policies are applied, and if there is no site policy, domain policies are applied.
    • OU policies are applied last, and if they are enforced, they override other policies.
    • When a policy is enforced, it means that it cannot be overridden by other policies.
    • The resulting policy is the combination of all policies applied in the following order: Local, Site, Domain, OU.

    Determining Resulting Policies

    • To find out the resulting policies for a computer or user, there are two methods:
    • Method 1: Open a command prompt window and enter the rsop.msc command, which opens the Resultant Set of Policy (RSOP) window.
    • In the RSOP window, you can drill down to see the policies set for the computer or user.
    • Method 2: Open a command prompt window and enter the gpresult /v command, which displays the policies currently applied to the computer and user.

    Security Settings

    • The Default Domain Policy enforces a password history of 24 previously used passwords.
    • The minimum password age is set to 42 days in the Default Domain Policy.
    • There is a conflicting policy setting for minimum password age, which is set to 1 day in the Default Domain Policy.
    • The minimum password length is set to 7 characters in the Default Domain Policy.
    • Passwords must meet complexity requirements, as enabled in the Default Domain Policy.
    • Storing passwords using reversible encryption is disabled in the Default Domain Policy.
    • The account lockout threshold is set to 0 invalid logon attempts in the Default Domain Policy.

    Password Security

    • A long password is considered a strong password, providing better security.

    Windows Computer Security

    • Local Group Policies and Local Security Policies are used to secure a Windows computer.

    Internet Explorer Settings

    • The Internet Options dialog box is used to manage various Internet Explorer settings.

    File Encryption

    • Encrypting File System (EFS) is used to encrypt files and folders on an NTFS file system.
    • BitLocker Drive Encryption is used to encrypt an entire volume on a hard drive.

    Network Access Control

    • Access to folders and files on a network is controlled by:
      • Assigning privileges to user accounts.
      • Assigning permission to folders and files.
    • The principle of least privilege should be applied when assigning privileges to users.
    • Customized user groups can be created to simplify the management of privileges for multiple user accounts.

    File Sharing on the Network

    • There are two ways to share files and folders on the network: workgroup sharing and domain controllers.
    • Mapped network drives enable users to access drives and folders on the network more easily.

    Active Directory (AD)

    • AD is a suite of services and databases provided by Windows Server to manage Windows domains.
    • AD organizes resources in a top-down hierarchical structure.

    AD Structure

    • A forest contains a domain.
    • Domains can contain sites.
    • Domains are organized into organizational units (OUs) and sub-organizational units.

    Resource Management in AD

    • Managing resources in AD revolves around Organizational Units (OUs), user groups, and NTFS and share permissions.

    Active Directory Features

    • Active Directory allows changing the Home folder location to a share on the network, a feature known as folder redirection.

    Group Policy Application

    • Group policies are applied in a specific order: local, site, domain, OU, and enforced.
    • In the event of a conflict between policies, the last policy applied takes precedence.


    Description

    Learn about the basics of controlling access to computer resources, including authentication and authorization, and how Windows Active Directory handles user authentication.
