Module 2 Day 1: users, administrators, groups--supplemental reading for windows passwords Flashcards
What will I be responsible for with other people’s machines?
setup, troubleshooting
what will I learn how to manage multiple accounts on?
one machine
what are all users on a computer isolated from?
other users
what are the two different types of users on a computer?
standard and administrators
what kind of user is given access to a machine, but has restricted access to do things like install software or change certain settings?
a standard user
what kind of user has complete control over a machine?
an administrator
what kind of user can view anyone’s account, change and remove anyone on the computer, and view every single file?
administrator
can you have multiple admins on one machine?
yes
who is the default admin on your personal machine?
you are
who is the administrator on a public machine?
the person who runs and maintains the machine, like an IT support specialist
who grants access for users?
admin
who installs software?
admin
who changes restricted settings?
admin
why don’t we let just anyone have admin permissions?
bloated computers, infected machines, lack of organization.
what are put in groups together according to levels of access and permission to carry out certain tasks?
users
who decides which users get what permissions for what tasks?
admin
what does an admin sometimes give permissions out according to?
the type of group a user is in
how do you know what kind of user you are?
By what the computer allows you to do.
what do you use to view user and group information in Windows?
Computer management tool
how do you navigate to the computer management tool?
search in the search application
in computer management, what does it say at the top of the sidebar if you are managing a single machine locally?
Computer Management (Local)
A network of computers, users, files, etc that are added to a central database
windows domain
in an enterprise environment, what would I use to manage multiple machines?
a domain
what can I do if I am the admin of a domain?
view accounts in computers from any machine in it.
What menu in computer management is under computer management local?
System tools
in computer management system tools, what tool lets you schedule programs and tasks to run at certain times, like shutting the computer off at a certain time automatically?
Task scheduler
in computer management, what system tool shows the folders that different users on the machine share with each other?
Event viewer
if a user stores files on a shared folder who can view that folder?
anyone who has access to that folder
in the computer management system tools where do we do our user and group management?
local users and groups
in computer management system tools, what tool shows monitoring for the resources of our machine like CPU and RAM?
performance
in the computer management system tools, where do we go to manage devices on our computer like our network cards sound cards monitors and more?
Device manager
in computer management where do we have a submenu for disk management
under the storage menu
In computer management, what menu shows us the programs and services that we have available on the system, and allows us to enable or disable services like DNS here?
the services and applications menu
where do we find all the essential settings that we as administrators need to change?
computer management tool
what is more efficient, the computer management tool or the default settings application?
computer management
in computer management, where can we see what kind of user account we have and what groups we are part of?
local users and groups Tool
What are two built in accounts that you can see in computer management, local users and groups, users
administrator and guest
What account lets you log in using the administrator username and whatever the administrator password is on the computer, but is disabled by default?
the local administrator account
why would it be dangerous to have the local administrator account logged into at all times?
this account has unfettered access on the computer
in computer management, Under local users and groups, in users, if you double click on the user that you want to look at, what page is brought up?
username properties
what three tabs are on the user name properties page?
general, member of, profile
In the (username) properties page, where can you see some basic information about the users, as well as some options?
General tab
in the username properties page, where can I select an option to force a user to change their password the next time they log in?
General tab
why is it useful to require a user to change their password the next time that they log in
the password could be compromised and we don’t want to risk someone else logging into the account
in (username) properties, where can I force a user to be unable to change their password?
general tab
in (username) properties, where can I force a user to never have an expired password?
general tab
in (username) properties, where can I force an account to be disabled?
general tab
in (username) properties, where can I force an account to be locked out?
general tab
What does enabling or disabling an account mean
making it active or inactive
What does it mean when a user cannot log in?
account is locked out
Why would you make an account locked out
A disgruntled employee could want to mess things up in the system
in (username) properties, where can you see which groups (username) is part of?
the Member of tab
What can you do instead of being logged into the administrator account all of the time?
you can be logged into your own account and use administrative powers when you need
what does UAC stand for?
User Account Control
what feature in windows prevents unauthorized changes to a system?
UAC
what does an administrator need to do to authorize changes?
enter password
in (username) properties, where can you change settings about your user profile, like where you want your home folder to be?
Profile
when does the profile tab of the (username) properties page come in handy?
when you are managing many users on a domain.
in Computer management, on the groups menu in the sidebars, what can you see?
which groups are available and who their members are.
What command in the windows PowerShell cli lets you view the list of users on the computer?
Get-LocalUser
What command in Windows PowerShell lets you view the list of groups on the local machine?
Get-LocalGroup
What command on Windows PowerShell lists your user account, all users, and some default accounts that are just part of windows
Get-LocalUser
What’s the multitude of groups listed by the Get-LocalGroup?
Built in groups, important but not likely to change, except for administrators
Why is it important to control who is an administrator on a machine
administrators can do anything that they want to on a machine
How can you see who is in a specific group in PowerShell? Check the Administrators group.
Get-LocalGroupMember Administrators
what PowerShell version do you need to be running in order to run the Get-LocalUser and Get-LocalGroup commands?
PowerShell 5.1 or newer
If your organization has a lot of machines, what is commonly used to manage a lot of user accounts across those machines?
Active Directory, to manage user accounts in a central directory service
how does access management work in Linux?
like it does in Windows
What is the first user that gets automatically created when we install a Linux operating system?
root user
What user in Linux has all the privileges on the operating system and is the superuser?
Root user
what do you call someone who is granted access to use the superuser powers in a Linux system
a Super User
why don’t we want to be in root all of the time as a Linux user?
it can be really dangerous because it has unrestricted access on the machine. if you make just one mistake you can damage or delete or modify something important
what can we do in Linux instead of logging in as the root?
tell the shell we want to run one command as root, Sudo
what is sudo similar to on Windows?
UAC
what does sudo stand for?
super user do
where do you put sudo next to commands?
at the front
what can you use if you don’t want to run sudo every time you need to run a command that requires root privileges?
use the su command
what does su stand for?
substitute user
what does the su command allow you to do?
change to a different user, and defaults to root if you don’t specify a user.
how do you log in as root?
su sudo -
how do you exit out of root? linux
exit
how to view who has access to run sudo?
cat /etc/group
file. This is also how you view membership for all groups. One s, not plural.
what does each line represent in the /etc/group file?
a different group
on the sudo line in the /etc/group file, how many fields are there?
four, separated by :
what is the first field specified in each line of the /etc/group file?
group name
what is the second field specified in a line in the /etc/group file?
group password
What does the x that shows in the /etc/group file for the group password mean?
the password has been hashed, not encrypted.
What does it mean for a password to be hashed?
it was converted into a unique string of characters, called a hash, which is stored on the server
what is used to verify the password on Linux when a user attempts to join the group?
the hash
in the /etc/group file, in the line, what is the third field?
the ID of the group. Group ID.
What does Linux OS use when it runs a task that involves a group instead of a group name?
group ID
What is the last field in a line in the /etc/group file ?
the list of users in a group.
how do you view the users on your machine?
/etc/passwd
in /etc/passwd, what are most accounts that are shown?
processes running on the computer that we need to associate with a user, so our system has users with different permissions that are needed to run these processes.
what is the first field in a line of the /etc/passwd file?
username
what is the second field in a line of the /etc/passwd file?
user password. not actually stored in this file, but hashed and stored in a different file.
what is the third field in a line of the /etc/passwd file?
UID, User ID. How our system identifies a user, not the username. two numbers separated by :
what is the UID of root?
0:0
What adds security to our user accounts and machines?
passwords
when I am setting up my own password who should know the password
only me
when I am managing other people’s accounts on a machine who should know what their password is
only them
who should enter the password themselves
the user who the account belongs to
How will I reset a password on the gui on Windows? Make a user named Sarah have to change her password the next time she logs in.
Open Computer management, go to Local Users and Groups, Right click on Sarah, click properties, check the box that says user must change password at next login. Apply, hit ok.
if a user forgot their password, how can you set one for them manually?
right click on the user’s name, select ‘set password’
what are the caveats for resetting a user’s password manually for them?
losing access to certain credentials, data, information, permanent access loss for files
how do you change a local password in PowerShell?
use the DOS style net command
Why not use the native PowerShell command to change a local password?
it’s complicated and requires scripting to use
what command changes local user passwords?
net
what does the /? parameter do?
gets help. Useful with net command and other DOS commands
how do you change a command for a user? PowerShell CLI
net user (username) ‘password’
for the command in PowerShell, net user username ‘password’, what is the best way to write the password part?
use asterisk instead of writing the password on the command line, so net will pause and ask you to enter your password
like:
net user username *
why is it better to use asterisk instead of entering your password on the command line?
the commands you run on the machine could be recorded in a log file that is sent to a central logging service. It is best that any kind of password is not logged like this.
what is the problem with the asterisk approach for doing it for another user?
if you do it for them, you’ll know their password. not good to know a user’s password if you are not the user.
what parameter will make it so that the user will have to change their password the next time they log into the system?
/logonpasswordchg:yes
in PowerShell, how would I force Victor to change his password on the next log on?
net user victor /logonpasswordchg:yes
how do most users log into their computer and remote computers?
combination of user name and password typed at the keyboard
what common attack method do attackers use to discover a password which involves attempting to log on by guessing likely words and phrases like kid names, city of birth, local sport teams?
Guessing.
what common attack method do attackers use to discover a password which involves using an automated program that includes a file of texts of words, and repeatedly attempts to log on to the target system using a different word from the text file on each try?
Online Dictionary Attack
what common attack method do attackers use to discover a password which involves getting a copy of the file where the hashed or encrypted copy of user accounts and passwords are stored and uses an automated program to determine what the password is for each account? very fast once the attacker gets the password file
Offline dictionary attack
what common attack method do attackers use to discover a password which involves determining passwords that may not be included in the text file used in attacks, and can be attempted online, but is usually offline using a copy of the target’s password file. The attacker uses an automated system that generates hashes or encrypted values for all possible passwords and compares them to the values in the password file
Offline Brute Force attack
what counts as a strong password?
a password that includes characters from at least three of the five Character classes
what are the five character classes for passwords?
lowercase letters, uppercase letters, numerals, non-alphanumerics, Unicode characters
what characters do not fall under the password groups and don’t count toward password complexity requirements?
space characters
what passwords should be composed of more groups?
admin account passwords
what passwords must be easily remembered?
passwords used by humans
how can you overcome the difficulty of making a strong password that is easy to remember?
make a pass phrase instead of passwords
how are passwords stored in Windows?
hashes. LAN manager, LM hash, NTLM hash
what hash is not really a hash?
LM
what hash is very easy to break?
LM hash
what will most password cracking tools do for LM hashes?
start by cracking them and then vary the alpha characters in the cracked password to generate the case-sensitive passwords.
why is NTLM hash called unicode hash?
it supports full unicode character set.
what is a measure of disorder in a system?
entropy
what type of character can I use if I want to be super extra secure?
Alt characters, to access the whole unicode set.
how often should passwords be changed?
every 42 days, and old ones should never be reused
why do you need to change your password so often?
cracking takes time, but any hacker can crack any password given enough time and resources
steps in determining organization password policy
Identifying what computer operating systems are present on your organization’s network
Understanding what the limitations are for those operating systems
Defining what the technical requirements for passwords will be on your organization’s network.
Determining how much formality is appropriate regarding the documentation and communication of the password policy for your organization
Documenting the password policy in writing
Communicating the password policy to the users before implementing it on your systems
Implementing the password policy on your organization’s computer systems
Reminding users on an ongoing basis about the importance of observing the password policy and other corporate security policies
Determines the number of unique new passwords a user must use before an old password can be reused. It can be set between 0 and 24; if set to 0, then enforce password history is disabled.
Enforce Password History: recommend set to 24 passwords
Determines how many days a password can be used before the user is required to change it. It can be set between 0 and 999; if set to 0, then passwords never expire. Setting this too low may cause a great deal of frustration for your users, setting it too high or disabling it will give potential attackers more time to try to break users’ passwords.
Maximum password age: set to 42 days for most organizations
Determines how many days a user must keep their new password before they can change it. This setting is designed to work with the Enforce password history setting so that users cannot quickly reset their password 24 times and then change their password back to the old password. It can be set between 0 and 999; if set to 0, then users will be able to immediately change their password right after changing it.
Minimum Password age. set to 2 days for most organizations
Determines how short passwords can be. Although computers running Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 128 characters, this setting can only be set between 0 and 14 characters. If it is set to 0, then users are allowed to have blank passwords; this value should never be used
Minimum password length: set to 8 characters
Determines whether or not password complexity is enforced.
When this setting is enabled user passwords will have the following requirements:
The password is at least six characters long.
The password contains characters from three of the following five categories: English uppercase characters (A - Z); English lowercase characters (a - z); base 10 digits (0 - 9); non - alphanumeric (For example: !, $, #, or %); Unicode characters.
The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long then this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Since the second token is only one character long it would be ignored. Therefore, this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. All of these checks are case insensitive.
Passwords must meet complexity requirements: enable this setting
what command do you need in Linux to change your password?
passwd
How would cindy change her password? What command would she use?
passwd cindy
when you change your password in Linux, what are the steps it walks you through?
changing password for (user)
current pass
enter new pass
retype new pass
passwd: password updated successfully
What happens when you set a Linux password?
it is securely scrambled, then stored in a special privileged file called /etc/shadow
who can read /etc/shadow?
root. only root.
even if you had access to /etc/shadow, would you be able to read it?
not really. It’s hashed.
how do you force a user to change their password in Linux?
use the -e flag,
sudo passwd -e username
what does the -e flag do after passwd?
immediately expires a user’s password