2.6 Compare and contrast the differences of basic Microsoft Windows OS security settings. Flashcards
• User and groups
Starter and Home editions of Windows allow the use of two groups only: • Limited/standard user. • Computer administrator.
For Windows Professional/Business, the principal built-in local groups include Administrators, Users, Guests, and Power Users.
A USER account is the principal means of controlling access to computer and network resources and rights or privileges. The User Accounts applet in Control Panel
GROUPS Built-in groups are given a standard set of rights that allow them to perform appropriate system tasks.
- Administrator
An Administrator account can perform all management tasks and generally has very high access to all files and other objects in the system.
The user created at installation is automatically added to this group. You should restrict use of this type of account, using a regular user account when appropriate, and only log in with administrative privileges for specific tasks.
When Windows is installed to a new computer, the account actually named “Administrator” is disabled by default. The setup procedure creates an account with administrative privileges in its place.
- Power user
The Power Users group still exists to support legacy applications, but its use is strongly deprecated.
The rights allocated to this account type can be abused to allow the user to obtain more powerful Administrator or System privileges.
- Guest
The Guests group has only limited rights; for example, members can browse the network and Internet and shut down the computer but cannot save changes made to the desktop environment.
A user attempting to access your computer who does not hold their own user account will be connected using the Guest account credentials.
- Standard user
When a new user is created, they are typically added to the standard Users group. The group is able to perform most common tasks, such as shutting down the computer, running applications, and using printers.
Ordinary users can also change the time zone and install a local printer, provided there is a suitable driver already installed.
• NTFS vs. share permissions
NTFS and Share level permissions both provide a customizable level of security. Share level permissions are set on the share by the owner. NTFS permissions are set as a security property. NTFS and Share level permissions differ in some key aspects.
Share permissions manage access at the folder level. In contrast, NTFS allows every file to have individual and varying accessibility if desired. Share permissions are used for compatibility with the FAT32 file system and support three permissions: Read, Change, and Full Control. NTFS can manage these attributes as well as others including Write, Modify, Read, Execute, and Special.
There are instances where share permissions and NTFS permissions are essentially the same, such as Change in share and Modify in NTFS. Since both permission types are independent and their values are combined, the more restrictive combination is applied in order to determine permissions. This is in contrast to an NTFS to NTFS cumulative result which is less restrictive.
- Allow vs. deny
Allow versus deny can be interpreted as allow versus not allow. The deny permission is the strongest and will take precedence regardless of the weaker permissions applied.
A group can be granted access to a folder and in NTFS, a specific user or users in that group can be given a deny permission. In this case even though the group is allowed access, that particular user’s deny permission overrides all others.
- Moving vs. copying folders and files
Should the content exist in both the source location and the destination?
Should the content be removed from the source and exist only at the destination?
As expected, copying the content results in the file being present at both locations while moving the content results in the file being only present at the destination.
- File attributes
A = Archive: This attribute is used by backup programs and other utilities to indicate that the file is ready for backup (archiving). After a file has been backed up, the Archive bit (value) is set to zero or off. When a program makes a change to a file, it will reset the bit to one indicating the need to include it in the next backup. This setting makes incremental backups possible by only archiving objects that have changed.
D = Directory: This setting indicates that the object is a directory, not a file.
H = Hidden: This setting indicates that the object is hidden from normal view. System files and folders are routinely hidden.
I = Not Content Indexed: This setting indicates that the object is not indexed. Indexing, which is off by default, allows the operating system to perform faster searches. Objects that have this bit turned off will be included in searches.
R = Read-Only: This setting indicates that the object cannot be altered without resetting this value to off. Interestingly, Read-only protects a file from being altered but does not protect it from deletion.
S = System: This setting indicates that the object is a system file or folder and coupled with the read-only setting, prevents tampering. Do not delete or modify these files.
- Inheritance
Inheritance describes the way permissions are handled within a shared folder.
Depending on the settings, the Child folders, subfolders, and the original share folder may or may not receive the permissions applied to the Parent folder.
• System files and folders
System files and folders are always classified as Read-Only and are usually hidden. Doing this helps protect the system from deliberate or unintentional damage.
Standard users never see these files and folders, thereby keeping everything safe.
A hidden system folder is grayed out. That’s the first sign to stay out. In the properties, notice the read-only setting which applies to the files in the folder. (Show Hidden System Folders)
• User authentication
- Single sign-on
Single Sign-On (SSO) identifies the practice of permitting a user and their programs to use a single set of credentials to automatically log into permitted sites and services.
Saves the end user the trouble of entering their login
Corporate domain user/using Active Directory
• Run as administrator vs. standard user
Running a Windows system as an Admin allows the user to perform root level tasks. The individual is capable of doing essentially anything they want on the system.
A standard user will not be able to perform many functions, but this can be bypassed by an admin by right-clicking the program’s icon or the Start menu shortcut and choosing “Run as Administrator.” Attempting to run a program that requires administrative privilege will result in a UAC prompt and possibly require a password.
• BitLocker
A form of full disk encryption in which even the swap file is encrypted. It requires overhead processing power but nowadays computers can handle the load.