7.06 Manage and configure basic security settings in the Microsoft Windows OS

Introduction 

Think of your computer like a building with many rooms, each needing different levels of access. Some people have keys to just their own rooms, while others, like managers, can access multiple areas.

Managing security in Windows is similar—it's about controlling who gets access to certain files and settings. By learning how to set up user accounts, permissions, and other security measures, you’ll be able to secure the system, solve problems quickly, and help others protect their own "rooms" in the digital world. 

User and Group Accounts Overview 

A user account is the main way to control access to computer and network resources, and to assign rights or permissions. On a standalone (non-domain) Windows computer there are two types of user accounts: local accounts and Microsoft accounts.

Types of User Accounts 

1. Local Account 

  • A local account is only recognized by the computer it’s created on.

    For example, PC1\David is a local account on a computer named PC1. 

  • Local accounts are stored in the Security Account Manager (SAM) database, which is part of the HKEY_LOCAL_MACHINE registry. 

  • Since each machine keeps its own SAM and its own Security Identifiers (SIDs), a local account is not recognized by any other computer: it can't be used to sign in to another machine, and it can reach another machine's shared files only when that machine happens to have an account with the same username and password (pass-through authentication).

2. Microsoft Account 

  • A Microsoft account is managed online via account.microsoft.com and identified by an email address. 

  • Using a Microsoft account on a device creates a profile linked to a local account. Profile settings can be synced across multiple devices through the online portal. 

  • Windows setup expects you to sign in with a Microsoft account (Windows 11 Home and Pro require one during setup), but you can switch between a Microsoft account and a local account later through the Your info page in the Settings app. 

Security Groups 

A security group is a collection of user accounts. These groups simplify managing permissions because you can assign permissions to a group rather than to each user individually. 

You can create custom groups with limited permissions based on job roles, then assign users to the appropriate group(s).

Built-in Security Groups 

  • Administrators group: Users in this group can perform all system management tasks and generally have access to all files. The first user account created during setup is automatically added to this group. 

    • It’s more secure to limit membership of this group to as few accounts as possible. 

    • There is also a built-in Administrator account, but it’s disabled by default for security reasons. 

  • Users group: Standard user accounts belong to this group. Users can configure their own profiles, shut down the computer, run apps, and use printers, but they cannot install software for all users or change system-wide settings without supplying administrator credentials. It's recommended that most accounts be standard users unless administrative access is necessary. 

  • Guests group: This group is only present for legacy purposes. By default its members have the same access as the Users group, except that the Guest account itself is further restricted. The Guest account is disabled by default and is no longer supported for signing in to Windows; it remains only to allow password-less access to shared folders. 

  • Power Users group: This group was designed to give intermediate permissions between administrators and users, but it led to security risks. In Windows 10/11, the Power Users group has the same permissions as standard users.

Managing Local Users and Groups 

The Local Users and Groups management console (lusrmgr.msc, also found under Computer Management; it is not included in Windows Home editions) allows you to manage both user and group accounts. You can: 

  • Create, disable, or delete accounts. 

  • Reset passwords. 

  • Modify group membership. 

  • Create custom groups. 

Key Features of Local Users and Groups: 

  • Create and Manage Accounts: You can add or remove users, change their roles, and reset passwords. 

  • Manage Group Memberships: Control which users belong to each group, like the Administrators group. 

Using net user Commands 

You can also manage user accounts from the command line with net user, and group membership with net localgroup. These commands must be run in an administrative command prompt or terminal.

Common net user Commands: 

  • Add a New User and Force Password Change on First Login

net user dmartin Pa$$w0rd /add /fullname:"David Martin" /logonpasswordchg:yes 

  • Disable a User Account

net user dmartin /active:no 

  • View Account Properties:

net user dmartin 

  • Add a User to the Administrators Group

net localgroup Administrators dmartin /add

These commands provide a simple and efficient way to manage user accounts directly from the command prompt. One caveat: a password typed on the command line is visible on screen and is kept in the console's command history, so use an asterisk in place of the password (net user dmartin * /add) to be prompted for it instead. 
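The same tasks in PowerShell, as an added example that is not part of the lesson: it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10/11 to create the account, build a role-based group, disable the account, and audit the Administrators group. The account name, full name and the 'Helpdesk' role group are placeholders chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lesson): the net user / net localgroup tasks above, done with
# the Microsoft.PowerShell.LocalAccounts cmdlets, plus a quick audit of the Administrators
# group. The account name, full name and the 'Helpdesk' group are placeholders.

$UserName  = 'dmartin'
$FullName  = 'David Martin'
$RoleGroup = 'Helpdesk'

# Prompt for the initial password rather than typing it on the command line, where it
# would be visible on screen and saved in the console's command history.
$Password = Read-Host -Prompt "Initial password for $UserName" -AsSecureString

# Create the account if it doesn't exist. New-LocalUser has no switch for "must change
# password at next logon", so that one flag is still set with net user.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -FullName $FullName -Password $Password | Out-Null
    net user $UserName /logonpasswordchg:yes | Out-Null
}

# Create a role-based custom group and put the user in it; permissions are then
# assigned to the group, never to the individual account.
if (-not (Get-LocalGroup -Name $RoleGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $RoleGroup -Description 'Help desk staff' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $RoleGroup -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $RoleGroup -Member $UserName
}

# View account properties (equivalent of: net user dmartin).
Get-LocalUser -Name $UserName | Format-List Name, FullName, Enabled, PasswordLastSet, LastLogon, SID

# Disable the account when the person leaves (equivalent of: net user dmartin /active:no).
# Disabling rather than deleting keeps the SID, so file ownership and ACL entries that
# reference the account stay readable instead of turning into orphaned SIDs.
Disable-LocalUser -Name $UserName

# Audit: who holds administrative rights on this machine? Keep this list as short as
# possible; every entry here can bypass the limits placed on standard users.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell window. The Read-Host -AsSecureString prompt is the habit worth copying: nothing about the password ends up in the transcript or history.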

User Account Control (UAC) Overview 

User Account Control (UAC) is a security feature in Windows that limits the powerful privileges of accounts in the Administrators group so that malware and malicious scripts cannot use them silently. With UAC, even a user with administrative rights runs with standard-user rights most of the time and must explicitly confirm any action that requires elevated privileges, following the principle of least privilege.

How UAC Works 

When you try to perform a task that requires administrator privileges, UAC prompts you to confirm or enter credentials, ensuring the action is authorized. 

Tasks Protected by UAC: Tasks that need elevated privileges are marked with a Security Shield icon

Running Programs as Administrator: 

  • Some shortcuts are already set to run as administrator, like Windows PowerShell (Admin)

  • To manually run any program as administrator: 

    • Right-click the shortcut and choose More > Run as administrator

    • Or press CTRL + SHIFT + ENTER when launching the program from the Start menu search box

UAC Prompts and Confirmation 

Depending on the type of account you’re logged into, UAC handles privileges differently: 

  • Standard user accounts: When a standard user attempts a task that requires admin rights, UAC shows a credential prompt and the user must enter the username and password of an administrator account. 

  • Administrator accounts: An administrator signs in with a filtered token that carries only standard-user rights (Admin Approval Mode). When an elevated task is attempted, UAC shows a consent prompt: you confirm the action, and Windows runs that program with your full administrator token. No credentials are needed.

UAC and Malware Protection 

UAC stops malware from running with elevated privileges unless the user explicitly authorizes it, which protects the system from silent, unauthorized changes. Be aware that Microsoft does not treat UAC as a security boundary: known bypass techniques exist, so UAC complements, rather than replaces, doing day-to-day work from a standard user account.

Adjusting UAC Notifications: 

If you find the constant prompts inconvenient, you can adjust how often UAC notifies you by using the User Accounts applet. However, reducing the frequency of notifications increases the risk of malware gaining elevated privileges, so it's recommended to leave UAC settings at a higher level for better security. 

Important UAC Security Note 

The built-in Administrator account is not subject to UAC by default: it runs every program with its full administrator token and never sees a consent prompt. For that reason it's best to leave this account disabled. 
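A quick way to check the points above on a real machine, as an added example that is not part of the lesson: the script reads the documented UAC policy values from the registry, reports whether the current session holds a full administrator token, and warns about the risky configurations this lesson calls out (UAC off, silent elevation, prompts off the secure desktop, built-in Administrator enabled without UAC). The default values and the meaning of each setting are taken from Microsoft's UAC documentation; the property labels are this example's own.

```powershell
# Added example (not from the lesson): audit this computer's UAC policy and report whether
# the current PowerShell session is elevated. The registry value names and defaults are the
# documented UAC policy settings. Run it once from a normal shell and once from an elevated
# one to see "This session is elevated" change.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# Read a DWORD policy value, falling back to the Windows default when the value is absent.
function Get-UacValue([string]$Name, [int]$Default) {
    if ($null -ne $uac.$Name) { return [int]$uac.$Name } else { return $Default }
}

$enableLua   = Get-UacValue 'EnableLUA' 1
$adminPrompt = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
$userPrompt  = Get-UacValue 'ConsentPromptBehaviorUser' 3
$secureDesk  = Get-UacValue 'PromptOnSecureDesktop' 1
$filterAdmin = Get-UacValue 'FilterAdministratorToken' 0

$adminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$userMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

# Does the current token hold the Administrators group as enabled? For an administrator
# who has not elevated, the filtered token answers False even though the account is a member.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    'UAC enabled (EnableLUA)'                                    = [bool]$enableLua
    'Administrator prompt (ConsentPromptBehaviorAdmin)'          = $adminMeaning[$adminPrompt]
    'Standard user prompt (ConsentPromptBehaviorUser)'           = $userMeaning[$userPrompt]
    'Prompts on secure desktop (PromptOnSecureDesktop)'          = [bool]$secureDesk
    'Built-in Administrator uses UAC (FilterAdministratorToken)' = [bool]$filterAdmin
    'This session is elevated'                                   = $elevated
} | Format-List

# Flag the conditions this lesson warns about.
if (-not $enableLua)    { Write-Warning 'UAC is turned off: every process in an administrator session runs fully privileged.' }
if ($adminPrompt -eq 0) { Write-Warning 'Administrators elevate silently: malware gets admin rights without any confirmation.' }
if (-not $secureDesk)   { Write-Warning 'Prompts are not shown on the secure desktop and could be spoofed or clicked by other software.' }

# RID 500 is always the built-in Administrator account, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
if ($builtinAdmin.Enabled -and -not $filterAdmin) {
    Write-Warning "The built-in Administrator account '$($builtinAdmin.Name)' is enabled and runs without UAC prompts."
}
```

Reading the policy key needs no elevation, so this is also a reasonable check to drop into a compliance or troubleshooting script.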

Windows Login Options Overview 

Windows authentication uses a complex architecture, but there are three common login scenarios: 

  1. Windows local sign-in: The Local Security Authority (LSA) compares the entered credentials to those stored in the Security Account Manager (SAM) database, which is part of the registry. This is also called interactive logon.

  2. Windows network sign-in: The LSA sends the credentials to a network service for authentication, typically Kerberos on an Active Directory domain, with NTLM as the fallback where Kerberos can't be used.

  3. Remote sign-in: When the device isn’t connected to the local network, authentication happens via a virtual private network (VPN) or web portal. 

Username and Password Authentication 

The most basic form of Windows login uses a username and password. When creating a user account, you set up a password, which the user can later change by pressing CTRL+ALT+DELETE or through account settings. Administrators can also reset passwords using Local Users and Groups

Windows Hello 

Windows Hello is a subsystem that allows users to set up alternative authentication methods beyond just passwords. The following methods are available based on your device’s hardware: 

1. Personal Identification Number (PIN) 

  • A Windows Hello PIN is tied to the specific device: it unlocks a private key that is protected by the Trusted Platform Module (TPM), so the key cannot be extracted and used on another machine. 

  • Unlike a password, the PIN is never transmitted over the network or stored on a server; it is only ever used locally, so it cannot be captured in transit, stolen in a server breach, or replayed from another device. 

  • Despite being called a "PIN," it can include letters and symbols.

2. Fingerprint - Users can authenticate by scanning their fingerprint using a sensor on their device. 

3. Facial Recognition - A webcam with infrared (IR) technology scans the user's face to create a 3D image, reducing the risk of spoofing with photos. 

4. Security Key - This method uses a USB token, smart card, or trusted smartphone with an NFC sensor for authentication. 

Note: To use Windows Hello, a PIN must always be configured as a backup method in case other options, like fingerprint or facial recognition, fail. 

Single Sign-On (SSO) 

Single sign-on (SSO) allows users to authenticate once and gain access to multiple services without needing to log in repeatedly. In Windows, Kerberos handles SSO for Active Directory networks. For example, logging into Windows can also grant access to services like SQL Server and Exchange Server

SSO can also extend to cloud services. For instance, signing in to Windows with a Microsoft account may automatically sign you in to apps like OneDrive and Microsoft 365 (formerly Office 365).

Advantages and Risks of SSO: 

  • Advantage: Users don’t need to manage multiple passwords and identities. 

  • Risk: If one account is compromised, multiple services are at risk. 

Passwordless SSO with Windows Hello for Business 

Windows Hello for Business aims to improve SSO security by eliminating the use of passwords. It works like this: 

  • The user device is registered on the network using an asymmetric key pair (public and private keys). 

    • The private key is stored in the device's TPM and is never transmitted or known to the user. 

    • The public key is registered with the identity provider (Active Directory or Microsoft Entra ID, formerly Azure AD). 

  • When the user signs in with a Windows Hello gesture (PIN or biometric), the TPM unlocks the private key and the device uses it to sign a fresh challenge (a nonce) issued by the server. 

  • The server verifies the signature with the registered public key. A valid signature proves the request came from the registered device (only it holds the private key), so the server authenticates the user and issues the tickets or tokens that grant access to network services.

This process enhances security by eliminating passwords, which can be phished, guessed or reused, while the key pair provides strong cryptographic authentication that is bound to the device. 
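The challenge-response idea above, as an added example that is not part of the lesson and is not the Windows Hello for Business protocol itself: no TPM is involved, and the key is held in memory, but the shape is the same. The "device" keeps a private key and exports only the public half; the "server" issues a random nonce, the device signs it, and the server verifies the signature. The function names, the RSA key size and the use of .NET's RSACryptoServiceProvider are choices made for this example.

```powershell
# Added example (not from the lesson, not the real WHfB protocol): a simplified model of
# key-based sign-in. It shows that the device proves possession of a private key by signing
# a fresh challenge, and that the server needs only the public key to check it. The RSA
# key size and the use of RSACryptoServiceProvider are choices for this example.

# --- Registration: the device generates a key pair and hands over only the public half ---
$deviceKey  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)   # private key stays on the device
$publicOnly = $deviceKey.ExportParameters($false)                                     # $false = exclude private parameters

$serverVerifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$serverVerifier.ImportParameters($publicOnly)                                         # server stores the public key only

$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# --- Sign-in: server issues a random nonce, device signs it, server verifies the signature ---
function New-Challenge {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    return $nonce
}
function Invoke-DeviceSign([byte[]]$Challenge) {
    # On a real device the PIN or biometric gesture unlocks this key inside the TPM.
    return $deviceKey.SignData($Challenge, $hash, $pad)
}
function Test-ServerVerify([byte[]]$Challenge, [byte[]]$Signature) {
    return $serverVerifier.VerifyData($Challenge, $Signature, $hash, $pad)
}

$challenge = New-Challenge
$signature = Invoke-DeviceSign -Challenge $challenge
"Genuine sign-in verifies:     $(Test-ServerVerify -Challenge $challenge -Signature $signature)"

# Replaying a captured signature against a new challenge fails: every sign-in needs a fresh signature.
$newChallenge = New-Challenge
"Replayed signature verifies:  $(Test-ServerVerify -Challenge $newChallenge -Signature $signature)"

# A device whose key was never registered cannot produce a signature the server accepts.
$rogueKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$forged   = $rogueKey.SignData($challenge, $hash, $pad)
"Unregistered device verifies: $(Test-ServerVerify -Challenge $challenge -Signature $forged)"
```

The three lines should print True, False and False. Note that the private key is used to sign, not to encrypt, and the server decrypts nothing: it only verifies. Because the nonce is random and fresh each time, a captured signature is useless to an attacker, which is the property a password can never have.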

NTFS vs. Share Permissions 

Windows systems use two main types of permissions to control access to files and folders: NTFS permissions and Share permissions. Understanding how they work together is key to securing shared resources effectively.

Share Permissions Overview 

  • Share permissions apply only when a folder is accessed over a network.

  • These permissions do not affect users logged in locally on the computer where the shared folder is hosted. 

  • When a folder is accessed over the network, both the share permissions and the NTFS permissions are checked, and the more restrictive of the two wins. A share set to Read combined with NTFS Modify gives the network user only Read; NTFS Read combined with a share set to Full Control still gives only Read.

NTFS Permissions Overview 

  • NTFS permissions apply to both local and network access. 

  • NTFS permissions can be assigned to both folders and individual files

  • Best practice is to assign permissions to security groups rather than directly to user accounts. Then, you add users to these groups. 

  • NTFS permissions are managed through the Security tab in the folder or file’s properties dialog.

NTFS Permissions 

When configuring NTFS permissions, you are working with Access Control Lists (ACLs), which are collections of Access Control Entries (ACEs). Each ACE assigns a set of permissions to a user or group, known as a principal.

The basic NTFS permissions are: 

  • Read: Open files and view folder contents, attributes and permissions. 

  • Read & Execute (and List Folder Contents, which is the folder-only equivalent): Read, plus the ability to browse through folder trees and run executable files. 

  • Write: Create files and subfolders, and add data to existing files. 

  • Modify: Read & Execute plus Write, plus the ability to change existing file data and delete files or folders. 

  • Full Control: All of the above, including the ability to change permissions and take ownership of files or folders. 

Deny Permissions 

  • Permissions can be set to Allow or Deny

  • A Deny permission explicitly prevents access, even if other permissions grant access. 

  • The implicit deny rule means that if no permission is granted, access is automatically denied. 

Combining Permissions 

A user can receive permissions from several sources, such as: 

  • Membership in multiple security groups

  • Direct permissions assigned to the user account

Windows evaluates these permissions to determine effective permissions. When permissions from different sources overlap:

  • Allow permissions are combined, so the user receives the most permissive result (e.g., Read + Modify = Modify). 

  • An explicit Deny permission overrides Allow permissions from any other source. The one ordering rule to remember is that permissions set explicitly on an object are evaluated before permissions inherited from its parent folder, so an explicit Allow on a file does override a Deny inherited from the folder above it. 

Example 

  • If a user belongs to a "Sales" group with Read permission and a "Managers" group with Modify permission, the effective permission is Modify

Evaluating Effective Permissions 

Windows provides an Effective Access tab in the Advanced Security Settings dialog (Security tab > Advanced) to evaluate the effective permissions for a specific user or group on that file or folder. 
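An added example that is not part of the lesson, covering both the NTFS permission types and the combination rules above: it sets an Allow and an explicit Deny on a scratch folder under $env:TEMP with Get-Acl / Set-Acl, reads the ACL back to show the canonical ordering, and then evaluates one right for the current user the way the rules describe. BUILTIN\Users and BUILTIN\Guests exist on every Windows machine; the folder name and the Test-FolderRight function are this example's own. Test-FolderRight is a deliberately simplified model of effective access: it ignores ownership and the explicit-before-inherited ordering, and only shows how Deny, Allow and the implicit deny combine.

```powershell
# Added example (not from the lesson): set and read NTFS permissions on a scratch folder,
# then evaluate a right for the current user. Test-FolderRight is a simplified model of
# effective-access evaluation (no ownership, no explicit-before-inherited ordering).

$folder = Join-Path $env:TEMP 'ntfs-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl -Path $folder

# Allow BUILTIN\Users to Modify, inherited by subfolders (ContainerInherit) and files
# (ObjectInherit): assign to the group, then manage access through group membership.
$allowUsers = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allowUsers)

# Explicitly Deny the Delete right to BUILTIN\Guests. A principal in both groups can still
# read and write here but cannot delete: the Deny wins over the Allow from the other group.
$denyGuests = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Guests', 'Delete', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($denyGuests)
Set-Acl -Path $folder -AclObject $acl

# Read the ACL back. Windows keeps ACEs in canonical order: explicit Deny, explicit Allow,
# then inherited entries, which is why an explicit Deny is checked before any Allow.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

function Test-FolderRight {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right
    )
    # SIDs in the current token: the user plus every group the token carries.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # Keep only the ACEs whose principal appears in the token.
    $mine = (Get-Acl -Path $Path).Access | Where-Object {
        $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    # Any Deny that touches the right blocks it; otherwise some Allow must cover the whole
    # right; otherwise the implicit deny applies and Windows reports Access Denied.
    foreach ($ace in $mine) {
        if ($ace.AccessControlType -eq 'Deny' -and (($ace.FileSystemRights -band $Right) -ne 0)) { return $false }
    }
    foreach ($ace in $mine) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $Right) -eq $Right)) { return $true }
    }
    return $false
}

"Current user can delete in ${folder}: $(Test-FolderRight -Path $folder -Right Delete)"
"Current user can take ownership:      $(Test-FolderRight -Path $folder -Right TakeOwnership)"

# Clean up the scratch folder.
Remove-Item -Path $folder -Recurse -Force
```

For the authoritative answer on a real folder, use the Effective Access tab described above (or icacls for a quick listing); the function here exists to make the Deny-before-Allow and implicit-deny logic visible, not to replace Windows' own evaluation.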

Access Denied 

If a user lacks the proper permissions to view, modify, or save a file, Windows will display an Access Denied error message. 

Summary: 

In this lesson, you've learned how to manage and configure key security settings in Windows, focusing on user accounts, permissions, and advanced security controls like UAC and NTFS permissions. By understanding how to set up user accounts with the right privileges, configure permissions effectively, and use tools like Windows Hello for secure login, you'll be able to create a safer computing environment. These skills will help you not only protect your own system but also support others in managing security responsibly, ensuring data and systems remain secure in today's digital landscape.