2.5 – Windows Security - Windows Security Settings

Questions and Answers

When accessing a file over the network, which combination of permissions determines the effective access rights?

• The most restrictive combination of share and NTFS permissions. (correct)
• Share permissions only.
• The least restrictive combination of share and NTFS permissions.
• NTFS permissions only.

What is the primary purpose of User Account Control (UAC) in Windows?

• To limit the capabilities of users and require approval before elevated functions are run. (correct)
• To encrypt the entire Windows volume.
• To install applications without requiring administrator approval.
• To automatically grant administrator rights to all users.

Which of the following is a characteristic of inherited permissions in NTFS?

• They override explicit permissions.
• They can only be assigned to individual files, not folders.
• They are automatically associated with an object based on the parent object's permissions. (correct)
• They are only applicable to network shares.

In Windows, what does it mean to 'run as administrator'?

To execute an application with elevated rights and permissions. (B)

Which of the following is true regarding EFS (Encrypting File System) in Windows?

EFS uses an encryption key based on the user's username and password. (C)

If a user has 'full control' share permissions to a folder but 'read' NTFS permissions, what is their effective permission level when accessing the folder over the network?

Read (D)

When moving a file to a different folder on the same NTFS volume, what happens to its permissions?

It retains its original permissions. (B)

Which type of Windows account is primarily associated with accessing resources within an organizational network domain?

Windows domain account (A)

Which of the following is NOT a method for logging into a Windows device?

Bluetooth pairing (C)

What is the function of BitLocker To Go?

Encrypting data on USB flash drives. (B)

What is the name of the screen that appears when UAC prompts for elevation?

Secure Desktop (B)

Which feature can be used to encrypt an entire Windows volume, including the operating system and personal files?

BitLocker (D)

What is the purpose of adding a user to the 'Administrators' group on a Windows system?

To provide the user with administrative access on the device. (C)

Which of the following best describes 'explicit permissions' in NTFS?

Permissions assigned directly to a file or folder. (D)

If a user's password is administratively reset, what is a potential consequence regarding their EFS-encrypted data?

The user might lose access to their EFS-encrypted data. (D)

Which type of permission applies when a user connects to a shared folder over the network?

Share Permissions (B)

Which permission level is NOT a standard option for share permissions?

Modify (B)

A user has been granted both share and NTFS permissions to a network folder. The share permissions allow 'Change' access, while the NTFS permissions grant 'Read & Execute'. What is the user's effective permission level?

Read & Execute (A)

If a user wants to encrypt individual files within a folder, rather than the entire volume, which technology should they use?

EFS (Encrypting File System) (B)

For a standard user account, what action might trigger a User Account Control (UAC) prompt?

Changing the system time (B)

What type of Windows account is configured on the Microsoft Cloud?

Microsoft Account (B)

What is one of the most common login credentials?

Username and Password (A)

Which of the following is required to edit system files?

Elevated Account (A)

Once you log into Windows with one set of credentials, you can connect to other resources without having to input the credential again. What is this called?

Single Sign On (C)

Which log in option uses a USB connection?

Security Key (C)

Flashcards

Local Accounts

Accounts stored on the local device for logging in to that specific Windows device.

Microsoft Account

An account configured on the Microsoft Cloud that can be used to log in to your local device.

Windows Domain Credentials

Usernames and passwords used to access a Windows domain.

Personal Identification Number (PIN)

A number used instead of a password for logging into Windows.

Biometrics login

Using facial recognition or fingerprint to log into Windows.

Single Sign-On (SSO)

Once logged in, you can connect to other resources without re-entering credentials.

Share Permissions

Permissions associated with the access to a share across the network.

NTFS Permissions

Permissions assigned to files and folders on an NTFS volume that determine access rights.

Inherited permissions

Permissions inherited from a parent folder.

Explicit Permissions

Permissions explicitly assigned to an object, overriding inherited permissions.

Elevated Account

Requiring administrator rights to perform enhanced functions.

User Account Control (UAC)

A Windows function that limits capabilities for users, requiring approval before running certain features.

Secure Desktop

A secured prompt that requires you to understand what changes are to be made to the operating system.

BitLocker

A Windows utility that encrypts everything on your Windows system, including your personal files and the operating system itself.

BitLocker To Go

A BitLocker option that encrypts all of the data that you're writing to a USB flash drive.

Encrypting File System (EFS)

A capability built in to NTFS which encrypts individual files or folders.

Study Notes

• Most operating systems require a login, including Windows.
• There are numerous options for logging in.

Login Options

• Local accounts are stored on the device and only log in to that specific Windows device.
• Microsoft accounts are configured on the Microsoft Cloud and can be used to log in to the local device and integrate Microsoft technologies like Skype, Office, and OneDrive.
• Windows domain credentials are used in office or enterprise environments.

Account Storage

• Local account details are stored under local users and groups.
• This contains a list of all users who can log in and their rights and permissions.
• Users can be added to groups to provide rights and permissions, such as the administrators group for administrative access or the event log readers group.

Login Credentials

• Username and password are the most common login credentials.
• Other options include a personal identification number (PIN) and biometrics (facial recognition).
• Windows domains offer single sign-on

Modifying Login Methods

• Adjustments to login methods can be found under accounts and sign-in options.
• Available options are facial recognition, fingerprint recognition, PIN, security key, password, or picture password.

NTFS Permissions

• Rights and permissions on a local device are based on the permissions associated with NTFS.
• Every file or folder in NTFS has a Security tab to specify group or user access rights and permissions.

Share Permissions

• Connecting across a network involves share permissions.
• These permissions are associated with access to the share across the network.
• NTFS permissions for that user must also be considered.
• The most restrictive access takes priority.

Permission Inheritance

• NTFS permissions are inherited from the parent folder.
• Moving an NTFS file or folder to a different folder on the same volume retains the original permissions.

NTFS vs. Share Permissions

• NTFS permissions offer a large number of configurable permissions.
• Full control, modify, read and execute, and list folder contents.
• Share permissions allow assignment of users and groups.
• Limited permission options, full control, change, and read.

Explicit vs. Inherited Permissions

• Explicit permissions are those assigned to objects in the file system.
• Inherited permissions are automatically associated with an object.
• Based on the parent of that particular object.
• Assigning or denying access to a folder affects all subfolders.
• Explicit permissions override inherited permissions.

Elevated Accounts

• Normal users have restricted access to certain parts of the operating system.
• Elevated accounts or administrator rights are needed to edit system files, install services, and provide enhanced functions.
• Right-clicking an application and choosing "Run As Administrator" starts it with elevated rights.

User Account Control (UAC)

• UAC limits capabilities for users.
• Requires approval before certain features are run.
• UAC windows may appear for standard users when using the network or changing passwords.
• Administrators may see UAC windows when installing applications or updating device drivers.
• The secure desktop screen allows users to understand changes and potential risks.
• Unexpected UAC prompts should be carefully examined to determine if elevated permissions are appropriate.

BitLocker

• BitLocker encrypts everything on a Windows system, including personal files and the operating system.
• Protects data if a laptop is lost or stolen.
• BitLocker To Go encrypts data written to USB flash drives.

Encrypting File System (EFS)

• EFS encrypts specific files or folders.
• It is built into NTFS
• Works in all Windows editions except the home editions.
• Encryption key is based on the user's username and password.
• Resetting the password may result in losing access to all EFS encrypted data.