
Windows Authentication and Authorization

jlopez59#

106 Questions

What is the primary function of authentication in computer security?

To prove an individual's identity

In a Windows domain, what is responsible for handling authentication?

Active Directory (AD)

What does authorization determine in a system?

What an individual can do in the system after authentication

Which of the following is advisable when creating user accounts?

Assigning a password to each account and allowing users to change them

What is the role of Active Directory (AD) in a Windows domain?

To handle authentication of users

Which of the following is a criterion for creating a strong password?

Use 16 or more characters

Which of the following is NOT advisable when creating a strong password?

Using consecutive letters or numbers

Which of these is a recommended element to include in a strong password?

At least one symbol

Which practice should be avoided when creating a strong password?

Using adjacent keyboard keys

What is one of the criteria for creating a strong password?

Combining letters, numbers, and symbols

Which tool works in Active Directory (AD) on a Windows domain to control the privileges of computers and users?

Group Policy

What is the primary function of the Local Security Policy (secpol.msc)?

To apply Windows security settings to the local computer

Which tool contains a subset of policies in Local Group Policy that specifically apply to Windows security settings?

Local Security Policy

Which editions of Windows provide access to Local Group Policy and Local Security Policy editors?

Business and Professional

What is the main difference between Group Policy and Local Group Policy?

Group Policy works domain-wide in AD; Local Group Policy applies only to the local computer or user

Which editor includes a broader set of policies for managing security and settings?

Local Group Policy editor

What is the primary function of the Local Security Policy editor?

To edit a subset of policies available in the Local Group Policy editor

In which scenario would you use the Local Security Policy editor instead of the Local Group Policy editor?

When modifying a limited set of security policies

Which of the following is NOT a function of the Local Group Policy editor?

Handling Active Directory user accounts

What does Figure 7-2 illustrate about the relationship between the Local Group Policy editor and the Local Security Policy editor?

The Local Security Policy editor contains a subset of policies from the Local Group Policy editor

What is the purpose of the Credential Manager applet in Control Panel?

To manage user credentials

Which of the following credentials can be managed using the Credential Manager?

Web credentials

What can be edited or deleted in the Windows Credentials section of Credential Manager?

Windows user names, passwords, and digital certificates

Which of the following actions can be performed with credentials for accessing websites using Credential Manager?

Edit user name and password

Where can you find the Credential Manager applet in a Windows system?

Control Panel

Which password is specifically required to change the BIOS/UEFI setup?

Supervisor password

What is the primary function of the drive lock password in BIOS/UEFI firmware?

To control access to the hard drive

Where is the drive lock password stored?

On the hard drive

Which BIOS/UEFI password is required to use the system?

User password

What happens to the drive lock password if the hard drive is removed?

It remains effective

Which key can be pressed to open the Internet Explorer menu bar?

Alt

What should you look for in the browser address box to confirm that HTTPS is being used?

A padlock icon and https

Which tool can be used to disable Internet Explorer?

Programs and Features, Turn Windows features on or off

Which of the following can you try if you have a problem with Internet Explorer 11?

Installing Windows updates

Which version of Internet Explorer comes with Windows 10/8/7?

Internet Explorer 11

Which option in the Delete Browsing History settings allows you to keep cookies and temporary Internet files from your favorite websites?

Preserve Favorites website data

What is stored in the Temporary Internet files and website files option?

Copies of webpages, images, and media for faster viewing

Which setting should you delete if you want to clear the list of websites you have visited?

History

What type of data is stored under the 'Form data' option?

Information typed into forms

Which option specifically stores passwords to automatically fill in when signing into websites?

Passwords

Tracking Protection in Internet Explorer helps to:

Reduce the risk of automatic sharing of visit details by some websites

Which tab would you use to change the home page in Internet Explorer?

General tab

Where can you block cookies that might invade your privacy?

Privacy tab

Which tab is used for configuring proxy server settings in Internet Explorer?

Connections tab

Add-ons in Internet Explorer are managed through which tab?

Programs tab

If you need to access miscellaneous settings to control Internet Explorer, which tab would you use?

Advanced tab

Which file system is required for using Windows Encrypted File System (EFS)?

NTFS

How is the encryption status of files and folders visually represented in Windows Explorer?

Green text

What happens to an encrypted file if it is moved to an unencrypted folder?

It remains encrypted

Which editions of Windows support Windows Encrypted File System (EFS)?

Professional

What are the steps to encrypt a file or folder using EFS?

Right-click it, open Properties, click General tab, check Encrypt in Advanced Attributes

What component on the motherboard holds the BitLocker encryption key during computer authentication?

TPM

Which method of BitLocker authentication requires a USB drive?

User authentication

What is required during every startup in the Computer and User Authentication method?

A PIN or password

What is BitLocker primarily designed to encrypt?

The entire Windows volume and other volumes on the drive

What happens if a hard drive encrypted with BitLocker is stolen and the startup key is not available?

The data remains unreadable

What is one of the risks associated with using BitLocker?

TPM failure

What should you do to mitigate the risks when using BitLocker?

Store an extra copy of the startup key and/or password in a safe location

Where do you enable the TPM chip to start BitLocker Drive Encryption?

BIOS/UEFI setup

When is it advisable to use BitLocker?

When the benefit of encrypting data exceeds the risk of losing the BitLocker key

What is the first step in starting BitLocker Drive Encryption?

Enabling the TPM chip in BIOS/UEFI setup

What type of firewall is a router considered to be?

Hardware firewall

Which type of firewall might a large corporation use?

Corporate firewall

What is another name for a personal firewall?

Host firewall

What is Windows Firewall?

A personal firewall

What happens to Windows Firewall when you set up a new network connection?

It is automatically configured

What is one method of managing shared resources?

Assigning permissions to user accounts

In the context of folder and file management, what is assigned to control access?

User permissions

What else, besides user accounts, can be assigned permissions to manage shared resources?

Folders, files, and printers

Which of the following is a direct way to control access to shared folders?

Assigning permissions to folders, files, and printers

Which process involves assigning specific rights to users for accessing shared resources?

Permission assignment

What does the principle of least privilege entail?

Assigning computer users only the rights required to perform their job

How can privileges be altered after a user account is created?

By changing the user groups the account belongs to

Which tool can be used to create user accounts?

User Accounts applet in Control Panel

Where else can user accounts be managed apart from the User Accounts applet in Control Panel?

Local Users and Groups utility in the Computer Management console

When are rights or privileges for a user account first established?

When an account is created

Which console is used to create a user account in Windows?

Computer Management console

Which user account type in Windows has administrative privileges?

Administrator account

What is the first step to create a user account using Computer Management console?

Open the Computer Management console

Where do you right-click to add a new user in the Computer Management console?

Users

What must be done after entering the information for a new user in the Computer Management console?

Click Create

Which user group has limited privileges and gets a temporary profile that is deleted upon logoff?

Guests group

Which user group is retained in Windows 10/8/7 primarily for backward compatibility?

Power Users group

Which user group in older editions could install apps and perform limited administrator tasks?

Power Users group

What is a characteristic of the Guests group in built-in user groups?

Given a temporary profile that is deleted when user logs off

Which of the following describes the Power Users group?

Can read from and write to parts of the system and perform limited administrator tasks

Which user group includes all user accounts except the Guest account?

Authenticated Users group

What is the key advantage of using customized user groups?

Simplifies permission management for multiple users

In which console can custom user groups be created in business editions of Windows?

Management Console

Which group includes both the Authenticated Users group and the Guest account?

Everyone group

Who do anonymous users refer to?

Users who have not been authenticated on a remote computer

Which folder is recommended for placing data that all users can share?

C:\Users\Public

What is the primary benefit of workgroup sharing?

Offers better security than a homegroup

Where should private data for individual users be stored?

C:\Users folder for that user

Who manages security if a computer belongs to a domain?

Network administrator

Which practice offers the best security for shared data?

Creating a separate folder with assigned permissions

Which type of permissions in Windows only apply to network users and not to local users?

Share permissions

What types of permissions apply to both folders and individual files?

NTFS permissions

Where can NTFS permissions be configured in Windows?

Security tab in the Properties box

Which permissions apply to a folder and its contents but not to individual files?

Share permissions

On what type of volume do NTFS permissions work?

NTFS volumes

What happens to an object's permissions when it is moved to a different folder on the same volume?

The object retains its permissions from the original folder

If an object is copied to a new folder, what permissions does it inherit?

Permissions from the destination folder

How are conflicting NTFS permissions resolved?

The more liberal permission applies

What describes inherited permissions?

Permissions that come from a parent object

Which principle applies when both share and NTFS permissions are used?

The most restrictive permission applies

Study Notes

Controlling Access to Computer Resources

  • Controlling access to computer resources involves two key processes: Authentication and Authorization.

Authentication

  • Defines the process of verifying an individual's identity to ensure they are who they claim to be.
  • In a Windows domain, Active Directory (AD) is responsible for authentication.

Authorization

  • Determines the actions an individual can perform within the system after successful authentication.

Password Management

  • Each user account should be assigned a password for secure access.
  • It's recommended to give users the ability to change their own passwords.

Creating Strong Passwords

  • A strong password should be resistant to being guessed by both humans and computer programs
  • Strong password criteria:
    • Must have at least 16 characters
    • Combination of:
      • Uppercase and lowercase letters
      • Numbers
      • Symbols
    • At least one symbol must be included
    • Avoid using:
      • Consecutive letters or numbers
      • Adjacent keyboard keys
      • Sign-in name
      • Words in any language
    • Do not reuse passwords across multiple systems

Windows Authentication Tools

  • Three tools control user and computer privileges:
    • Group Policy: works in Active Directory (AD) on a Windows domain
    • Local Group Policy (gpedit.msc): applies only to local computer or user, contains a subset of Group Policy settings
    • Local Security Policy (secpol.msc): applies only to local computer's Windows security settings, contains a subset of Local Group Policy settings

Availability of Local Policy Editors

  • Local Group Policy and Local Security Policy editors are available with:
    • Business editions of Windows
    • Professional editions of Windows

Windows Authentication Policy Management

  • Two windows are used to manage security policies and settings: Local Group Policy editor and Local Security Policy editor.
  • These windows have different available settings.
  • The Local Security Policy editor is used to edit a subset of policies available in the Local Group Policy editor.
  • The Local Group Policy editor has more comprehensive policy settings compared to the Local Security Policy editor.

Managing User Credentials in Windows

  • To access Credential Manager, open the applet in Control Panel
  • Credential Manager allows management of:
    • Web credentials
    • Windows credentials
  • In Web Credentials, you can:
    • Edit user name and password to access websites
    • Delete website login credentials
  • In Windows Credentials, you can:
    • Edit Windows user names
    • Edit Windows passwords
    • Edit and delete digital certificates installed on the system

BIOS/UEFI Passwords

  • BIOS/UEFI firmware on the motherboard offers three types of power-on passwords:

Types of Power-on Passwords

  • Supervisor password: required to change BIOS/UEFI setup, providing an additional layer of security
  • User password: required to use the system or view BIOS/UEFI setup, restricting access to system and setup
  • Drive lock password: required to access the hard drive, adding an extra layer of security to data stored on the drive

Securing Internet Explorer

  • Internet Explorer 11 is the default browser in current releases of Windows 10/8/7
  • Windows 10 features Microsoft Edge as a replacement browser for Internet Explorer

Internet Explorer 11 Tips

  • To open the menu bar, press the Alt key or right-click a blank area in the title bar and check Menu bar in the shortcut menu
  • Verify HTTPS (HTTP Secure) by looking for https and a padlock icon in the browser address box
  • Troubleshooting IE 11 issues:
    • Install Windows updates
    • Apply a restore point
    • Refresh Windows 10/8
  • Internet Explorer can be disabled by using Programs and Features, Turn Windows features on or off

Deleting Browsing History

  • Preserve Favorites website data: Allows cookies and temporary Internet files to retain preferences and display faster for favorite websites.
  • Temporary Internet files and website files: Copies of webpages, images, and media saved for faster viewing.
  • Cookies and website data: Files or databases stored on your computer by websites to save history, preferences, or improve website performance.
  • Components of browsing history: Includes history, download history, form data, passwords, and tracking protection.
  • History: A list of websites you have visited.
  • Download History: A list of files you have downloaded.
  • Form data: Saved information that you have typed into forms.
  • Passwords: Stored passwords that are automatically filled in when you sign in to a website you have previously visited.
  • Tracking Protection, ActiveX Filtering, and Do Not Track: A list of websites excluded from tracking data, used to detect when sites might automatically be sharing details about your visit, and exceptions to Do Not Track requests.

Internet Options Box

  • General tab: allows changing the home page or adding a secondary home page tab, and protects identity and surfing records
  • Security tab: enables setting a zone security level

Configuring Privacy and Security

  • Privacy tab: blocks cookies that might invade privacy or steal identity

Network and Proxy Settings

  • Connections tab: configures proxy server settings and creates a VPN connection

Managing Add-ons

  • Programs tab: manages add-ons (also called plug-ins)

Miscellaneous Settings

  • Advanced tab: contains various settings to control Internet Explorer

File and Folder Encryption in Windows

  • Windows Encrypted File System (EFS) enables file and folder encryption
  • EFS is compatible with NTFS file system and business/professional editions of Windows
  • Encrypting a folder ensures all files created in or copied to the folder are automatically encrypted
  • Encrypted files remain encrypted even when moved to an unencrypted folder

Encrypting a Folder or File

  • Right-click the folder or file and open its Properties box
  • Click Advanced on the General tab
  • Check Encrypt contents to secure data and click OK in the Advanced Attributes box

Identifying Encrypted Files and Folders

  • Encrypted file and folder names are displayed in green by default in File Explorer or Windows Explorer

BitLocker Drive Encryption

  • Encrypts the entire Windows volume and any other volume on the drive
  • Restricts access by requiring one or two encryption keys
  • Works in partnership with file and folder encryption

Ways to Use BitLocker Encryption

  • Computer Authentication
    • Requires a Trusted Platform Module (TPM) chip on the motherboard
    • Stores the BitLocker encryption key (startup key) in the TPM
    • Prevents access to the hard drive if it's stolen without the startup key
  • User Authentication
    • Stores the startup key on a USB drive
  • Computer and User Authentication
    • Requires a PIN or password at every startup
    • Example of multifactor authentication (MFA)

BitLocker Encryption Considerations

  • BitLocker provides great security, but it comes with two significant risks: TPM failure and losing all copies of the BitLocker startup key.
  • Use BitLocker only if the risks of data theft outweigh the risks of using the encryption.

Protecting BitLocker Keys

  • Make extra copies of the startup key and/or password to mitigate the risk of losing access.
  • Keep the extra copies in a safe and secure location.

Enabling BitLocker

  • Enable the TPM chip in the BIOS/UEFI setup to start using BitLocker.
  • Open the BitLocker Drive Encryption applet in Control Panel to access the encryption feature.

Firewall Types and Functions

  • A router can serve as a hardware firewall
  • A corporate firewall is a software firewall installed on a computer between the Internet and the network, often used by large corporations
  • A personal firewall (also known as a host firewall) is software that protects an individual computer

Windows Firewall Settings

  • Windows Firewall is a personal firewall that protects a computer
  • Windows Firewall is automatically configured when setting up a new network connection
  • Windows Firewall settings can be customized

Managing User Credentials

  • The Credential Manager applet in Control Panel allows you to manage web credentials and Windows credentials.
  • You can edit or delete user names and passwords to access websites.
  • You can also edit and delete Windows user names, passwords, and digital certificates installed on the system.

Using BIOS/UEFI Passwords to Authenticate Users

  • BIOS/UEFI firmware on the motherboard offers power-on passwords, including:
    • Supervisor password: required to change BIOS/UEFI setup.
    • User password: required to use the system or view BIOS/UEFI setup.
    • Drive lock password: required to access the hard drive, stored on the hard drive.

Securing Internet Explorer

  • The Internet Options dialog box can be used to secure Internet Explorer.
  • Tips for using Internet Explorer 11:
    • Press the Alt key or right-click a blank area in the title bar to open the menu bar.
    • Look for https and a padlock icon in the browser address box when HTTPS is used.
    • Try installing Windows updates, applying a restore point, or refreshing Windows 10/8 if you have a problem with IE 11.

Deleting Browsing History

  • Options for deleting browsing history in Internet Explorer:
    • Preserve Favorites website data: keeps cookies and temporary Internet files for favorite websites.
    • Temporary Internet files and website files: copies of webpages, images, and media saved for faster viewing.
    • Cookies and website data: files or databases stored on your computer by websites.
    • History: list of websites you have visited.
    • Download History: list of files you have downloaded.
    • Form data: saved information typed into forms.
    • Passwords: stored passwords automatically filled in when signing in to a website.
    • Tracking Protection, ActiveX Filtering, and Do Not Track: list of websites excluded from tracking data.

File and Folder Encryption

  • Windows Encrypted File System (EFS) can be used to encrypt files and folders.
  • EFS only works with the NTFS file system and business/professional editions of Windows.
  • An encrypted file remains encrypted if moved to an unencrypted folder.
  • To encrypt a folder or file, right-click it, open its Properties box, and check Encrypt contents to secure data.

BitLocker Encryption

  • BitLocker Drive Encryption encrypts the entire Windows volume and any other volume on the drive.
  • BitLocker works in partnership with file and folder encryption.
  • Three ways to use BitLocker Encryption:
    • Computer Authentication: uses a TPM chip on the motherboard to hold the BitLocker encryption key.
    • User Authentication: stores the startup key on a USB drive.
    • Computer and User Authentication: requires a PIN or password at every startup, an example of multifactor authentication.

Windows Firewall Settings

  • A router can serve as a hardware firewall.
  • A personal firewall, such as Windows Firewall, protects a computer.
  • Windows Firewall is automatically configured when setting up a new network connection and can be customized.

Controlling Access to Folders and Files

  • Managing shared resources is accomplished by:
    • Assigning permissions to user accounts.
    • Assigning permissions to folders, files, and printers.

Using Windows to Authenticate Users

  • Controlling access to computer resources is done by:
    • Authentication: proves that an individual is who they say they are.
    • Authorization: determines what an individual can do in the system after authentication.
  • Create strong passwords by using 16 or more characters, combining uppercase and lowercase letters, numbers, and symbols, and avoiding common patterns.

User Account Management

  • The principle of least privilege is an approach to assigning users the minimum rights required to perform their job tasks.
  • User rights or privileges are initially established during user account creation, which determines the account type.
  • Privileges can be modified later by changing the user groups associated with the account.
  • User accounts can be created using two methods:
    • Through the User Accounts applet in the Control Panel.
    • Through the Local Users and Groups utility in the Computer Management console.

Classifying User Accounts

  • There are two main types of user accounts: Administrator account and Standard user account

Creating a User Account using Computer Management

  • To create a user account, open the Computer Management console (compmgmt.msc)
  • To create a new user, right-click Users under Local Users and Groups and select New User in the shortcut menu
  • Enter required information for the new user and click Create to complete the process

Built-in User Groups

  • There are three main built-in user groups in Windows: Administrators, Users, and Guests.
  • The Guests group has limited privileges and is assigned a temporary profile that is deleted when the user logs off.
  • The Power Users group is available in older editions of Windows and allows users to read from and write to parts of the system, install apps, and perform limited administrator tasks.
  • In Windows 10, 8, and 7, the Power Users group is only available for backward compatibility.

Classifying User Accounts and User Groups

Built-in User Groups

  • Windows automatically assigns built-in user groups to an account, including:
    • Authenticated Users group, which includes all user accounts except the Guest account
    • Everyone group, which includes the Authenticated Users group as well as the Guest account
  • Anonymous users are users who have not been authenticated on a remote computer

Customized User Groups

  • Custom user groups can be created using:
    • Management Console
    • Local Users and Groups console in business and professional editions of Windows
  • Creating custom user groups:
    • Makes it easier to assign permissions to user groups rather than to individual accounts
    • Is useful when several users need the same permissions

Managing Shared Folders and Files in Windows

  • There are two general strategies for managing shared folders and files in Windows: Workgroup sharing and Domain Controlling
  • Workgroup sharing offers better security than a homegroup
  • Domain Controlling is used when a computer belongs to a domain, and all security is managed by the network administrator for the entire network

Organizing Shared Data

  • Private data for individual users should be kept in the C:\Users folder for that user
  • Data for all users to share should be placed in the C:\Users\Public folder
  • For best security, create a folder outside of the above folders and assign permissions to that folder and its subfolders
  • This allows control over access, granting permissions to:
    • All users
    • Certain users or user groups

Methods to Assign Permissions to Folders and Files

Workgroup Sharing Methods

  • Windows offers two methods to share a folder using workgroup sharing

Share Permissions

  • Grant permissions only to network users, not to local users
  • Apply to a folder and its contents, not to individual files

NTFS Permissions

  • Apply to both local users and network users
  • Apply to both folders and individual files
  • Work only on NTFS volumes
  • Configured using the Security tab in a file or folder's Properties box

Implementing Permissions

  • When both share and NTFS permissions are used, the most restrictive permission is applied.
  • When NTFS permissions conflict, the more liberal permission is applied.

Permission Propagation

  • Permission propagation occurs when permissions are passed from parent to child.

Inherited Permissions

  • Inherited permissions are permissions attained from a parent object.

Moving and Copying Objects

  • When an object is moved or copied to a folder, it takes on the permissions of that folder.
  • Exception: When an object is moved (not copied) from one location to another on the same volume, it retains its original permissions from the original folder.

Learn about the basics of controlling access to computer resources, including authentication and authorization, and how Windows Active Directory handles user authentication.
