NTFS, Users, and Groups Chapter 7
Overview • In this chapter, you will learn how to • Create and administer Windows user accounts and groups • Define and use NTFS permissions for authorization • Share a Windows computer securely • Secure PCs with User Account Control
Authentication Authentication is the process by which you determine that the person at your computer is who he or she claims to be. The simplest way is with a user name and password. Logging on to a valid user account provides authentication. Once in, NTFS permissions provide authorization: what you can do with the computer after authentication. Each version of Windows does user accounts differently, so we’ll look at them separately.
Windows and User Accounts • Windows requires each user to have a user account. This is the basic element of security, with each user required to present a valid user name and password to log on. • Every Windows computer has a database of user accounts—an encrypted list of user names with their associated passwords—that are allowed access to the system.
Windows and User Accounts (continued) • Each of these individual records is called a local user account. If you don’t have a local user account created on a particular system, you won’t be able to log on to that computer.
Windows and User Accounts (continued) Figure 1: Windows logon screen
Windows Tools • Each version of Windows has different tools used to manage users and their accounts. • Home editions of Windows (Windows XP Home Edition, Windows Vista Home Basic and Home Premium, and Windows 7 Home Premium) include a basic tool. • The Professional editions of Windows include an extra, more advanced utility.
Passwords • Passwords are the ultimate key to protecting your computer. • If someone learns your user name and password, they can log on to your computer. • Protecting passwords • Never give out passwords over the phone. • If a user forgets a password, the network administrator should reset it to a complex combination of letters and numbers. The user should then change the password to something he or she wants, according to the parameters set by the administrator.
Passwords (continued) • Protecting passwords (continued) • Make your users choose good passwords. They should be at least eight characters in length and include letters, numbers, and punctuation symbols. • Have users change passwords at regular intervals. • Create a Password Reset Disk—this enables users to fix or reset their own passwords. • Create a password hint (it appears after your first logon attempt fails).
Passwords (continued) Figure 2: Password hint on the Windows 7 logon screen
Groups • A group is a collection of accounts that share the same capabilities, thus making administration easier. • Permissions can be set for the group—whenever a new user is added to the group, that account has the same permissions as the group. • An account may belong to more than one group.
Groups (continued) • Groups in Windows XP • Windows XP Professional provides seven built-in groups that cannot be deleted. • Administrators: Any account that is a member of the Administrators group has complete administrator privileges. Administrator privileges grant complete control over a machine. • Power Users: Members of the Power Users group are almost as powerful as Administrators, but they cannot install new devices or access other users’ files or folders unless the files or folders specifically provide them access.
Groups (continued) • Groups in Windows XP (continued) • Users: Called limited users, members of the Users group cannot edit the Registry or access critical system files. They can create groups, but can manage only those they create. • Everyone: This group applies to any user who can log on to the system. You cannot edit this group. • Guests: The Guests group enables someone who does not have an account on the system to log on by using a guest account. • Windows XP Home Edition enables you to use only three groups: Administrators, Users, and Guests.
Groups (continued) • Groups in Windows Vista and Windows 7 • Windows Vista and 7 Professional editions (Professional/Business, Ultimate, Enterprise) offer the same groups as Windows XP Professional plus a lot more. • Windows Vista/7 Home editions (Home Basic and Home Premium) only offer three groups: Administrators, Users, and Guests. • The Users group in Windows Vista/7 offers a significant improvement over the Users group in Windows XP—called standard rather than limited users. In Windows Vista/7 users can accomplish all common tasks on the PC without resorting to an administrator.
Groups (continued) • Adding groups and changing group membership • Use the Local Users and Groups applet for managing groups in the Professional versions of Windows. • The applet is located in the Computer Management administrative tool.
Managing Users in Windows XP • Windows XP provides the User Accounts applet in the Control Panel for basic user and group management. • User Accounts uses a reference to account types that is actually a reference to the user account’s group membership. • An account that is a member of the local Administrators group is called a computer administrator; an account that belongs only to the local Users group is called a limited user account. • When an administrator is logged on, the administrator sees both types of accounts and the guest account. Limited users see only their own account in User Accounts.
Managing Users in Windows XP (continued) • To create a user account, you need to provide a user name (a password can and should be added later), and you need to know which type of account to create: computer administrator or limited. • To create a new user in Windows XP, open the User Accounts applet from the Control Panel and click Create A New Account. • On the Pick An Account Type page, you can create either type of account.
Managing Users in Windows XP (continued) Figure 3: User Accounts dialog box showing a computer administrator, a couple of limited accounts, and the guest account (disabled)
Managing Users in Windows XP (continued) Figure 4: The Pick An Account Type page showing both options available
Managing Users in Windows XP (continued) • You can also use the Change The Way Users Log On And Off option. Select it to see two check boxes: • If you select the Use The Welcome Screen check box, Windows brings up the friendly Welcome screen. • If this box is unchecked, you’ll get the classic logon screen.
Managing Users in Windows XP (continued) Figure 5: Select logon and logoff options.
Managing Users in Windows XP (continued) • Fast User Switching enables you to switch to another user without logging off the current user. • Use this option when two people actively share a system, or when someone wants to borrow your system for a moment but you don’t want to close all of your programs. • This option is active only if you have the Use The Welcome Screen check box enabled.
Managing Users in Windows XP (continued) Figure 6: Welcome screen with three accounts
Managing Users in Windows XP (continued) Figure 7: Classic logon screen, XP style
Managing Users in Windows XP (continued) Figure 8: Switching users on the Welcome screen
Managing Users in Windows Vista and Windows 7 • Three accounts are created at installation: • Guest, Administrator, and a local account that’s a member of the Administrators group • Tools used to manage user accounts differ among the versions of Vista • User Accounts (Professional, Business, and Ultimate in a domain) • User Accounts and Family Safety (all the other versions, including Ultimate not in a domain); offers Parental Controls
Managing Users in Windows Vista and Windows 7 (continued) Figure 9: User Accounts and Family Safety applet in the Control Panel in Windows Vista Home Premium
Managing Users in Windows Vista and Windows 7 (continued) Figure 10: User Accounts applet in the Control Panel in Windows Vista Ultimate
Managing Users in Windows Vista and Windows 7 (continued) Figure 11: User Accounts applet in Windows Vista Business
Managing Users in Windows Vista and Windows 7 (continued) Figure 12: User Accounts applet in Windows Vista Home Premium
Managing Users in Windows Vista and Windows 7 (continued) • Parental Controls • Parental Controls enable an administrator account to manage other accounts. The administrator can manage usage, monitor and report activity, block specific applications, and set time limits.
Managing Users in Windows Vista and Windows 7 (continued) Figure 13: Parental Controls
Managing Users in Windows Vista and Windows 7 (continued) Figure 14: Manage Accounts
Managing Users in Windows Vista and Windows 7 (continued) Figure 15: Adding a new user
Advanced User Management • The Professional editions of Windows include the Local Users and Groups tool. • Located in Control Panel | Administrative Tools | Computer Management • Use it to create, modify, and remove users and groups. • Using multiple object types, Windows allows you to add more than just users to a group.
Advanced User Management (continued) Figure 16: Local Users and Groups in Windows Vista
Advanced User Management (continued) Figure 17: New Group dialog box in Windows Vista
Advanced User Management (continued) • Windows uses multiple object types to define what you can add • Object types include user accounts, groups, and computers • Each object type can be added to a group and assigned permissions • You can either add group membership to a user’s properties or add a user to a group’s properties.
Advanced User Management (continued) Figure 18: Select Users, Computers, Or Groups dialog box in Windows Vista
Advanced User Management (continued) Figure 19: Select Users, Computers, Or Groups dialog box with Advanced options expanded to show user accounts
Advanced User Management (continued) Figure 20: Properties dialog box of a user account, where you can change group memberships for that account
NTFS Permissions • NTFS permissions • Lists users and groups granted access to a file or folder • Lists the specific level of access allowed • Available only on volumes formatted as NTFS (Security tab) • NTFS security is effective whether a user . . . • Gains access at the computer • Gains access over the network
NTFS Permissions (continued) • Here are a few rules about NTFS permissions: • You can see the NTFS permissions on a folder or file by accessing the file’s or folder’s Properties dialog box and opening the Security tab. • NTFS permissions are assigned to both user accounts and groups, although it’s considered best practice to assign permissions to groups and then add user accounts to groups rather than add permissions directly to individual user accounts. • Whoever creates a folder or a file has control over that folder or file.
NTFS Permissions (continued) • Here are a few rules about NTFS permissions (continued): • Administrators do not automatically have complete control over every folder and file. If an administrator wants to access a folder or file they do not have permission to access, they can go through a process called Take Control.
NTFS Permissions (continued) • Ownership • When you create a new file or folder, you become the owner. • Owners have Full Control. • Owners can change permissions. • Take Ownership permission • Enables a user to take ownership of a file or folder. • Administrator account can take ownership of any files or folders. • Change Permission • Can give or take away permissions for other accounts.
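The rules above (assign permissions to groups, then add user accounts to the groups; the creator owns the folder) can be applied and checked from the command line. The following is an added example, not part of the original slides; it assumes Windows PowerShell as included with Windows 7, and the folder, group and user names are hypothetical.

```powershell
# Added example for Windows PowerShell (elevated prompt). Folder, group and
# user names are hypothetical sample values, not taken from the slides.
$Folder = 'C:\Data\Accounting'
$Group  = 'Accounting'
$User   = 'alice'     # assumed to be an existing local user account

# 1. Create the local group and add the user to it.
#    (net.exe reports an error if the group or membership already exists.)
net localgroup $Group /add
net localgroup $Group $User /add

# 2. Grant Modify to the group only; subfolders and files inherit the entry.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$ruleArgs = "$env:COMPUTERNAME\$Group", 'Modify',
            'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Audit helper: list permission entries granted directly to user accounts,
#    which the group-based practice is meant to avoid.
function Get-DirectUserAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { continue }   # identity could not be resolved; skip it
        # Win32_Account.SIDType 1 means a user account; groups use other values.
        $acct = Get-WmiObject Win32_Account -Filter "SID='$sid'"
        if ($acct -and $acct.SIDType -eq 1) {
            New-Object PSObject -Property @{
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Show who owns the folder, then any entries that name a user directly.
"Owner: $((Get-Acl -Path $Folder).Owner)"
Get-DirectUserAce -Path $Folder | Format-Table -AutoSize
```

An empty table from the last command means every entry on the folder names a group or system account, so access is controlled purely through group membership.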
NTFS Permissions (continued) Figure 21: The Security tab lets you set permissions.
NTFS Standard Permissions • Folder permissions • Apply to folders • File permissions • Apply to files
NTFS Folder Permissions • Full Control • Enables you to do anything you want • To deny all access, deny Full Control • Modify • Enables you to do anything except delete files or subfolders, change permissions, or take ownership • Read & Execute • Enables you to read files and run programs