Securing Windows Resources Chapter 16
Overview • In this chapter, you will learn how to • Create and administer Windows users and groups • Define and use NTFS permissions for authorization • Describe how to share a Windows computer securely
Essentials CompTIA A+ Essentials Authentication with Users and Groups
Authentication Authentication is the process where you show you’re permitted to access the computer Simplest way is with a user name and password Logging in to a valid user account provides authentication Once in, NTFS permissions provide authorization: what you can do with the computer after authentication Each version of Windows does user accounts differently, so we’ll look at them separately
Managing Users in Windows 2000 • Administrator account • Not recommended for regular use • Additional account created for regular use • Users and Passwords applet is the tool in Windows 2000 • Can force user logon • Users must enter a user name and password
Create New Users (2000) • Access Users and Passwords applet from Control Panel • Create user name and password • Can add users to groups • Standard User makes account part of the Power Users and Local Users groups
Managing Users in Windows XP • Two possible logon screens • Log On to Windows (requires valid user name and password) • Welcome screen
Log In Options • Classic Style • Windows XP Professional (optional) • Windows XP Professional in a domain (automatic) • Welcome Screen • Windows XP Professional not in a domain (default) • Windows XP Home • Windows XP Media Center • This chapter assumes a standalone machine and thus the Welcome Screen
Managing Users in Windows XP • User Accounts applet in Control Panel • Replaces Users and Passwords applet • Although Windows XP has the same accounts available as Windows 2000, User Accounts applet simplifies everything
Managing Users in Windows XP (continued) • Account types • Computer administrator (member of administrators group) • Limited account (member of local users group) • Accounts can be changed
Managing Users in Windows XP (continued) • User Accounts applet • Computer administrator will see both types of accounts and users • Limited account sees only his or her account • To create a user account • Provide a user name • Pick an account type • Select log on/log off settings • Enable/disable fast user switching
Lab – Create a New User (1) Go to Start | Control Panel Select Create a new account Type a name for the account and click Next Make the account a Computer administrator
Lab – Create a New User (2) Secure the new account Select the new account Select Create a password Type in an appropriate password Retype it to confirm Type in a password hint Customize the new account Select Change the picture Select a picture Click Change Picture button
Lab – Create a New User (3) Create a new user account, but this time make it a Limited user Follow the same steps Select the Limited radio button under the Pick an account type option Secure the user account with a password Customize the Welcome Screen picture as before
Fast User Switching • Enables users to switch between sessions • One user doesn’t need to log off while another user logs on • Both sessions active (though only one visible at a time)
Freeform Lab – Viewing Users Use Fast User Switching to move between the new accounts Explore the differences between the accounts Try accessing Documents and Settings for each account What differences do you see? Open User Accounts What differences do you see?
Managing Users in Windows Vista • Three accounts created when installing • Guest • Administrator • Local account that’s a member of the Administrators group • Tool used to create and modify accounts differs among the versions of Vista • User Accounts (domain-focused versions) • User Accounts and Family Safety (other versions) • Latter offers parental controls • Options differ a little within the applets as well
Lab – Create a New User In Control Panel, open the User Accounts applet Try User Accounts and Family Safety Click Add or remove user accounts Click Continue on the UAC message Click Create a new account Enter an account name Make the account a Standard user Follow wizard through to the end
Managing Users in Windows Vista User Account Control Designed to enable standard users to install software Puts controls in place to stop malicious code Standard users must enter an administrator user name and password to do administrator things Administrators prompted as well, “Are you sure?”
Managing Users in Windows Vista (continued) • Parental Controls • Gives nice set of tools to manage usage • Can also just monitor and report • Blocks specific applications • Sets time limits
Managing Users in General • Never give out passwords over the phone • Use strong passwords • At least 6 to 8 characters • Include letters (both cases), numbers, symbols • Change passwords at regular intervals • Don’t write down passwords • Password reset disk can be created in Windows XP and Windows Vista
Resetting Forgotten Passwords in Windows XP and Windows Vista • Windows XP/Vista enables the currently logged-on user to create a password reset disk • Use if the password is forgotten • Can access any encrypted files after resetting password • If an administrator resets your password, you lose access to encrypted files • User Accounts: in Control Panel, select your user account, choose Prevent a forgotten password under Related Tasks and follow the wizard • Requires a removable disk, such as a floppy disk or thumb drive
Managing Users Through Groups • Groups • A group is a collection of user accounts that share the same access capabilities • Assign access to a group and then put users into the group • Users will inherit the access assigned to the group • Windows provides several built-in groups
Default Groups in Windows 2000 • Administrators • May perform all administrative tasks on the computer • Backup Operators • May use Windows Backup • Guests • May perform only specific tasks that are granted • Power Users • May create and modify local user accounts and share resources on the local computer • Replicator • Supports file replication in a domain • Users • May perform only tasks specifically assigned • Local user accounts that are created become members • Everyone
Groups in Windows XP/Vista • Professional versions in a domain • All the groups found in Windows 2000 • A lot of other groups for specialized tasks • Home versions and Professional versions in a workgroup • Windows XP: Computer administrator, limited user, guest • Windows Vista: Computer administrator, user, guest
Limited User versus User • Limited (Windows XP) • Must use simple file sharing • Share or not • Cannot run all programs • Cannot install applications or make system changes • User (Windows Vista) • Standard User account • Can run most applications • UAC prompts for administrator credentials for installing or changing system settings
Adding Groups Use Local Users and Groups applet Available in professional versions of Windows Computer Management administrative tool Right-click a blank spot and select New Group
Lab – Adding a Group (1) Right-click Computer and select Manage In Computer Management, click Local Users and Groups Right-click Groups and select New Group
Lab – Adding a Group (2) Type in a group name Add a description if desired Click the Add User button to open the Select Users dialog box Click the Advanced button to continue
Lab – Adding a Group (3) In the Select Users dialog box, click the Find Now button to create a list of user accounts Select the new user account you added and click OK Click OK again Click Close Select Group to see the new group you created
Changing Group Membership Use Local Users and Groups applet Select user account Select Member Of tab Click Add or Remove to change membership
Lab – Add User to Group (1) Navigate to the Local Users and Groups in Computer Management Click on Users Right-click the user you just created and select Properties Select the Member Of tab
Lab – Add User to Group (2) Click the Add button to open the Select Groups dialog box Click the Advanced button to see the list of groups available
Lab – Add User to Group (3) Click the Find Now button to display the list of available groups Select Backup Operators and click OK Backup Operators is now in the queue Click OK Click OK again Right-click the user account and check the Member Of tab to verify
NTFS Permissions • NTFS permissions • Lists users and groups granted access to a file or folder • Lists the specific level of access allowed • Available only on volumes formatted as NTFS (Security tab) • NTFS security is effective whether a user . . . • Gains access at the computer • Gains access over the network
NTFS Special Permissions • Ownership • When you create a new file or folder you become the owner • Owners have Full Control • Owners can change permissions • Take Ownership permission • Enables a user to take ownership of a file or folder • Administrator account can take ownership of any files or folders • Change Permission • Can give or take away permissions for other accounts
NTFS Standard Permissions • Folder permissions • Apply to folders • File permissions • Apply to files
Lab – Follow Along with Vista In Vista Ultimate go here Start | Computer Right-click on Local Disk (C:) and select Properties Select the Security tab Click through screens, users, permissions Click the Advanced button to see other options such as take ownership
NTFS Folder Permissions • Full Control • Enables you to do anything you want • To deny all access, deny Full Control • Modify • Cannot delete files or subfolders, but may modify them • Read & Execute • Enables you to read files and run programs
NTFS Folder Permissions (continued) • List Folder Contents • Enables you to see the contents of the folder and subfolders, but not read or change files • Read • Enables you to read any files in the folder • Write • Enables you to write to files and create new files and folders
NTFS Folder Permissions (continued) • By default, permissions are inherited from parent folders • This may be prevented by removing the check mark at the bottom
NTFS File Permissions • Full Control • Enables you to do anything • Modify • Enables you to do anything except take ownership or change permissions • Read & Execute • If the file is a program, you can run it • Read • If the file is data, you can read it • Write • Enables you to write to the file
Combining Permissions • User’s effective permissions are the cumulative permissions resulting from a combination of user and group permissions. • Sally is in the Administrator group • Sally has Read permission on a folder • Administrator has Full Control on the folder • Sally’s effective permission is Full Control (cumulative from Full Control and Read) • Deny permission overrides all other permissions. Deny always becomes the effective permission.
Permission Propagation • Permissions are retained or changed when files and folders are moved or copied • Propagation differs when files and folders are • Copied or moved within an NTFS partition • Copied or moved between two NTFS partitions • Copied or moved between an NTFS and FAT or FAT32 partition
Permission Propagation (continued) • Within one NTFS partition • Copy • Creates two copies of object • Original retains permissions • New copy inherits permissions of new container • Move • Creates one copy of object • Object retains permissions
Permission Propagation (continued) • Between two NTFS partitions • Copy • Creates two copies of object • Original retains permissions • New copy inherits permissions of new container • Move • Creates one copy of object • Object inherits permission of new container
Permission Propagation (continued) • Between an NTFS partition and a FAT or FAT32 partition • Copy • Creates two copies of an object • Original retains permissions • New copy loses all permissions • Move • Creates one copy of object • Object loses all permissions • FAT32 offers no permissions at all!
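Added example (not part of the original slides): a small Python model of the Combining Permissions and Permission Propagation rules above, showing how Sally's effective permissions change when a folder is copied or moved. The names Ace, effective, propagate and sally_after, the drive letters and both ACLs are constructed for illustration, and the model assumes Full Control covers all six standard folder permissions while treating the others as independent.

```python
# Added illustration: a toy model of the chapter's rules, not a Windows API.
from dataclasses import dataclass

ALL = frozenset({"Full Control", "Modify", "Read & Execute",
                 "List Folder Contents", "Read", "Write"})

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    allow: bool      # True = Allow entry, False = Deny entry
    perm: str        # one of ALL

def expand(perm):
    # Full Control covers every standard permission; the others are
    # treated as independent here (a simplification of this model).
    return ALL if perm == "Full Control" else frozenset({perm})

def effective(acl, user, groups):
    """Cumulative Allow across the user and their groups, minus any Deny."""
    who = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (allowed if ace.allow else denied).update(expand(ace.perm))
    return frozenset(allowed - denied)

def propagate(op, obj_acl, src, dst, dst_container_acl):
    """ACL on the object at its destination after a 'copy' or 'move'.
    src and dst are (volume, filesystem) tuples such as ("C:", "NTFS")."""
    if dst[1] != "NTFS":
        return ()                      # FAT/FAT32 stores no permissions
    if op == "move" and src == dst:
        return tuple(obj_acl)          # same NTFS partition: retained
    return tuple(dst_container_acl)    # copy, or move across partitions

# Constructed sample data: the Sally folder from the slides, plus a
# hypothetical destination container that denies Sally the Write permission.
folder_acl = [Ace("Sally", True, "Read"),
              Ace("Administrators", True, "Full Control")]
archive_acl = [Ace("Administrators", True, "Full Control"),
               Ace("Sally", False, "Write")]

def sally_after(op, dst):
    """Sally's effective permissions on the folder once it lands at dst."""
    acl = propagate(op, folder_acl, ("C:", "NTFS"), dst, archive_acl)
    return effective(acl, "Sally", ["Administrators"])

if __name__ == "__main__":
    for op, dst in [("move", ("C:", "NTFS")), ("move", ("D:", "NTFS")),
                    ("copy", ("E:", "FAT32"))]:
        print(op, dst, sorted(sally_after(op, dst)))
```

In this model an empty ACL means no permissions are stored for the object at all, which is the FAT/FAT32 case from the last slide.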
Techs and Permissions Need administrative privileges to work Don't ask for password – make the Administrator log you in Avoids false accusations