Lesson 15: Configuring Authentication and Authorization MOAC 70-687: Configuring Windows 8.1.

1 Lesson 15: Configuring Authentication and Authorization MOAC 70-687: Configuring Windows 8.1

2 Overview
Exam Objective 4.3: Configure authentication and authorization
o Configure user rights
o Manage credentials
o Manage certificates
o Configure biometrics
o Configure picture password
o Configure PIN
o Set up and configure Microsoft account
o Configure virtual smart cards
o Configure authentication in workgroups or domains
o Configure User Account Control (UAC) behavior
© 2013 John Wiley & Sons, Inc.

3 Working with Users and Groups

4 User Accounts
The user account is the fundamental unit of identity in the Windows operating systems. As an operating system element, the user account and its properties are vital components in two of the most important Windows functions:
o Authentication (proving who the user is)
o Authorization (deciding what that identity may do)

5 Groups
A group is another type of entity that Windows uses to represent a collection of users. System administrators can create groups for any reason and with any name, and then use them just as they would a user account. Any permissions or user rights that an administrator assigns to a group are automatically inherited by all members of the group.

6 Understanding Local and Domain Users
The concept of users and groups is complicated in Windows because there are two completely separate user account systems: local users and domain users. Which user account system a Windows computer uses depends on whether it is a member of a workgroup or an Active Directory Domain Services domain.

7 Homegroup
A homegroup is a simplified networking paradigm that enables users connected to a home network to share the contents of their libraries without the need for creating user accounts and permissions.

8 Workgroup
A workgroup is a collection of computers that are all peers. A peer network is one in which every computer can function as both a server, by sharing its resources with other computers, and a client, by accessing the shared resources on other computers.

9 Domain
A domain is a collection of computers that all utilize a central directory service for authentication and authorization. A directory service is a collection of logical objects that represent various types of network resources, such as computers, applications, users, and groups. Each object consists of attributes that contain information about the object.

10 Differentiating Local and Domain Users
Local and domain users are different in several important ways. You use different tools to create and manage the two types of users, and the user accounts themselves are different in composition. As mentioned earlier, a user account consists of attributes, which contain information about the user. Domain users have many more attributes than local users.

11 Differentiating Local and Domain Users (figure: the Properties sheet for a local user)

12 Differentiating Local and Domain Users (figure: the Properties sheet for a domain user)

13 Frequently Asked Questions About Local and Domain Users

What tools do you use to manage the user accounts?
  Local users: the User Accounts control panel applet or the Local Users and Groups snap-in for Microsoft Management Console (MMC)
  Domain users: the Active Directory Users and Computers MMC snap-in

Where are the user accounts stored?
  Local users: in the Security Accounts Manager (SAM) on the local computer
  Domain users: on the Active Directory Domain Services domain controllers

What can you access with the user account?
  Local users: local computer resources only
  Domain users: all domain and network resources (subject to the permissions granted)

What restrictions are there on the user name?
  Local users: each user name must be unique on the computer
  Domain users: each user name must be unique in the directory

14 Built-In Local Users
The following user accounts are built-in on Windows 8:
Administrator – During a typical Windows 8 installation, the Setup program creates an Administrator account and makes it a member of the Administrators group, giving it complete access to all areas of the operating system. The account is disabled by default; leave it that way and perform administration with a named account, so that administrative actions can be attributed to a person.
New User – During the operating system installation process, the installer must specify the name for a new user account, which the Setup program creates and adds to the Administrators group.
Guest – This account is designed for users that require only temporary access to the computer, and who do not need high levels of access. It is also disabled by default.

15 Local and Domain Groups
Whether local or domain, a group is essentially just a collection of users and, in some cases, other groups. As mentioned earlier, by assigning rights and permissions to a group, you assign those rights and permissions to all of its members.

16 Using Local Groups
Local groups are subject to the following restrictions:
o You can only use local groups on the computer where you create them.
o In a workgroup, only local users from the same computer can be members of local groups. When the computer is a member of an AD DS domain, local groups can also have domain users and domain groups as members.
o Local groups cannot have other local groups as members. However, they can have domain groups as members.
o You can only assign permissions to local groups when you are controlling access to resources on the local computer.
o You cannot create local groups on a Windows server computer that is functioning as a domain controller.

17 Windows 8.1 Built-in Local Groups and Their Capabilities

Access Control Assistance Operators: Members can remotely query authorization permissions for resources on this computer.
Administrators: Members have full administrative access to the entire operating system. By default, the Administrator user and the user account created during the operating system installation are both members of this group.
Backup Operators: Members have user rights enabling them to override permissions for the sole purpose of backing up and restoring files, folders, and other operating system elements. Because those rights allow reading and overwriting any file, membership should be treated as administrator-equivalent.
Cryptographic Operators: Members are capable of performing cryptographic operations.
Distributed COM Users: Members are capable of launching, activating, and using distributed COM objects.
Event Log Readers: Members can read the computer's event logs.

18 Windows 8.1 Built-in Local Groups and Their Capabilities

Guests: Members have no default user rights. By default, the Guest user account is a member of this group.
Hyper-V Administrators: Members have full control of all Hyper-V features.
IIS_IUSRS: Group used to provide privileges to dedicated Internet Information Services users.
Network Configuration Operators: Members have privileges that enable them to modify the computer's network configuration settings.
Performance Log Users: Members have privileges that enable them to schedule the logging of performance counters, enable trace providers, and collect event traces on this computer, both locally and from remote locations.
Performance Monitor Users: Members have privileges that enable them to monitor performance counter data on the computer, both locally and from remote locations.
Power Users: Members possess no additional capabilities in Windows 8.1. In previous Windows versions, the Power Users group provided privileges for a limited number of administrative functions, but in Windows 8.1 the group is included solely for backward compatibility.

19 Windows 8.1 Built-in Local Groups and Their Capabilities

Remote Desktop Users: Members can log on to the computer from remote locations, using Remote Desktop (Terminal Services).
Remote Management Users: Members can access Windows Management Instrumentation (WMI) resources using management protocols, such as WS-Management through the Windows Remote Management (WinRM) service.
Replicator: When the computer is joined to a domain, this group provides the access needed for file replication functions. The only member should be a user account dedicated solely to the replication process.
Users: Members can perform most common tasks, such as running applications, using local and network printers, and locking the computer. However, members are prevented from making many system-wide configuration changes, whether they do so accidentally or deliberately.
WinRMRemoteWMIUsers__: Members can access Windows Management Instrumentation (WMI) resources using management protocols.
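The tables above make the point that some built-in groups are as powerful as Administrators, which is why their membership needs checking. The following script is an added example, not code from the MOAC text: it audits the local Administrators group against an allow list and then lists Backup Operators. It uses the ADSI WinNT provider because Get-LocalGroupMember does not exist in the PowerShell 4.0 that ships with Windows 8.1. The allow list entries (CONTOSO, WorkstationAdmins) are placeholders.

```powershell
# Added example (not from the MOAC text): audit local group membership on a
# Windows 8.1 workstation. Run from an elevated prompt.

# Assumption: these are the only principals that should hold local admin rights
# on this machine. CONTOSO and WorkstationAdmins are placeholders.
$allowed = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\WorkstationAdmins')

function Get-LocalGroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    # Invoke('Members') returns COM objects; read ADsPath and Class via reflection.
    foreach ($member in @($group.Invoke('Members'))) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # Domain principals look like WinNT://CONTOSO/jdoe; local ones like
        # WinNT://CONTOSO/PC1/Administrator (or WinNT://WORKGROUP/PC1/...), so the
        # container just before the name says where the account lives.
        $parts   = ($path -replace '^WinNT://', '') -split '/'
        $source  = $parts[-2]
        $name    = $parts[-1]
        $isLocal = ($source -ieq $env:COMPUTERNAME)
        $display = if ($isLocal) { $name } else { "$source\$name" }
        [pscustomobject]@{
            Group = $GroupName
            Name  = $display
            Class = $class          # 'User' or 'Group'
            Local = $isLocal
        }
    }
}

$members = @(Get-LocalGroupMembership -GroupName 'Administrators')
$members | Format-Table Name, Class, Local -AutoSize

$unexpected = @($members | Where-Object { $allowed -notcontains $_.Name })
if ($unexpected.Count -gt 0) {
    Write-Warning 'Unexpected members of Administrators:'
    $unexpected | ForEach-Object { Write-Warning "  $($_.Name) ($($_.Class))" }
} else {
    Write-Host 'Administrators membership matches the allow list.'
}

# Backup Operators deserves the same scrutiny: its backup/restore rights can
# read and overwrite any file regardless of NTFS permissions.
Get-LocalGroupMembership -GroupName 'Backup Operators' | Format-Table Name, Class, Local -AutoSize
```

The comparison is against the display name, so a nested domain group appears as one entry (for example CONTOSO\WorkstationAdmins); who is inside that domain group is a question for Active Directory, not for the workstation.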

20 Special Identities
A special identity is essentially a placeholder for a collection of users with a similar characteristic; the system determines its membership at logon, and an administrator cannot add or remove members. For example, the Authenticated Users special identity represents every user who has logged on with a valid local or domain account (it does not include anonymous logons or the Guest account). You can assign rights and permissions to a special identity just as you would to a group.

21 Creating and Managing Local Users and Groups

22 Creating a New User Account
Windows 8 introduced the ability to create a local sign-in based on an existing Microsoft account (formerly called a Windows Live ID), and Windows 8.1 retains it. The User Accounts control panel applet provides access to existing local accounts, but when creating new accounts, the system transfers you to the Accounts page of the PC Settings app. Adding a user through this interface takes you through the same procedure as the new user creation process in the Windows 8.1 installation.

23 Create a New User Account (figure: the User Accounts control panel applet)

24 Create a New User Account (figure: the Accounts page in the PC Settings screen)

25 Create a New User Account (figure: the Add a user form)

26 Manage User Accounts (figure: the Make changes to [user's] account page)

27 Creating a Windows 8.1 Account from a Microsoft Account
When you specify your email address on the Add a user screen, the system searches for a Microsoft account that uses that address, and either prompts you for the account password or, if it fails to find one, displays a Set up a Microsoft account form with which you can create a new account.

28 Creating a Windows 8.1 Account from a Microsoft Account (figure: the Create a Microsoft account page)

29 Using the Local Users and Groups Snap-in
By default, the Local Users and Groups snap-in is part of the Computer Management console. You can open the Local Users and Groups snap-in in one of three basic ways, as follows:
o Open the Control Panel, select System and Security > Administrative Tools > Computer Management
o Launch Microsoft Management Console (Mmc.exe), choose File > Add/Remove Snap-In, and then select the Local Users and Groups snap-in.
o Open the Run dialog box and type Lusrmgr.msc in the Open text box.

30 Create a New User (figure: the Local Users and Groups snap-in)

31 Create a New User (figure: the New User dialog box)

32 Manage a User (figure: the Select Groups dialog box)

33 Manage a User (figure: the Profile tab of a user's Properties sheet)

34 Create a Local Group (figure: the New Group dialog box)

35 Working with Domain Users and Groups
To create and manage AD DS domain users and groups on a Windows 8.1 workstation, you must install the Remote Server Administration Tools, turn on the Active Directory Users and Computers snap-in under Turn Windows features on or off, and have the appropriate Active Directory permissions.

36 Authenticating and Authorizing Users

37 Working with Passwords
Attacks on passwords, whether guessed online or cracked offline from a stolen hash, succeed mainly when users weaken their passwords in some way. Some of the ways in which users can weaken the security of their passwords are as follows:
o Short passwords
o Simple passwords
o Unchanging passwords
o Predictable passwords

38 Configuring Account Lockout Policies
Windows 8.1 can protect against brute force password guessing by limiting the number of unsuccessful logon attempts allowed for each user account. When a potential intruder exceeds the number of allowed attempts, the system locks the account for a set period of time. Three settings control this: Account lockout threshold (the number of failed attempts), Account lockout duration (how long the account stays locked), and Reset account lockout counter after (how long failed attempts are remembered). To impose these limits, you can use Local Security Policy (Account Policies > Account Lockout Policy) for standalone computers, or Group Policy for AD DS networks. Lockout only slows online guessing; it does nothing against offline cracking of stolen hashes, and a very low threshold lets an attacker lock legitimate users out on purpose.
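The three lockout settings can also be read and set from the command line with net accounts, which is handy for checking a standalone machine against a baseline. The script below is an added example, not code from the MOAC text; the baseline values are an assumption, and the parsing relies on the English-language output of net accounts. It governs local (SAM) accounts only; for domain accounts the domain's Group Policy applies.

```powershell
# Added example (not from the MOAC text): compare the local account lockout
# policy with a baseline and optionally enforce it. Elevation is needed to change it.

# Assumed baseline (adjust to your own policy): lock after 10 bad attempts,
# stay locked for 15 minutes, forget old failures after 15 minutes.
$baseline = @{ Threshold = 10; DurationMinutes = 15; WindowMinutes = 15 }
$enforce  = $false    # set to $true to apply the baseline when it is not met

function Get-LockoutPolicy {
    # net accounts prints "Label:   value" lines; split each on its first colon.
    $table = @{}
    foreach ($line in (net accounts)) {
        if ($line -notmatch ':') { continue }
        $label, $value = $line -split ':\s*', 2
        $table[$label.Trim()] = "$value".Trim()
    }
    # 'Never' means a threshold of 0, i.e. lockout is disabled.
    $toInt = { param($v) if ($v -match '^\d+$') { [int]$v } else { 0 } }
    [pscustomobject]@{
        Threshold       = & $toInt $table['Lockout threshold']
        DurationMinutes = & $toInt $table['Lockout duration (minutes)']
        WindowMinutes   = & $toInt $table['Lockout observation window (minutes)']
    }
}

function Test-LockoutPolicy {
    param($Policy, $Baseline)
    $findings = @()
    if ($Policy.Threshold -eq 0) {
        $findings += 'Lockout threshold is Never: unlimited online password guessing is possible.'
    } elseif ($Policy.Threshold -gt $Baseline.Threshold) {
        $findings += "Lockout threshold $($Policy.Threshold) is looser than the baseline of $($Baseline.Threshold)."
    } elseif ($Policy.Threshold -lt 5) {
        # The flip side of lockout: a tiny threshold lets anyone lock users out on purpose.
        $findings += "Lockout threshold $($Policy.Threshold) is low enough to invite deliberate lockouts."
    }
    if ($Policy.DurationMinutes -lt $Baseline.DurationMinutes) {
        $findings += "Lockout duration $($Policy.DurationMinutes) min is shorter than the baseline of $($Baseline.DurationMinutes)."
    }
    if ($Policy.WindowMinutes -lt $Baseline.WindowMinutes) {
        $findings += "Reset window $($Policy.WindowMinutes) min is shorter than the baseline of $($Baseline.WindowMinutes)."
    }
    $findings
}

$current  = Get-LockoutPolicy
$current | Format-List
$findings = @(Test-LockoutPolicy -Policy $current -Baseline $baseline)

if ($findings.Count -eq 0) {
    Write-Host 'Account lockout policy meets the baseline.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($enforce) {
        # net accounts requires the observation window not to exceed the duration.
        net accounts /lockoutthreshold:$($baseline.Threshold) /lockoutduration:$($baseline.DurationMinutes) /lockoutwindow:$($baseline.WindowMinutes)
    }
}
```

The same values appear in Local Security Policy under Account Policies > Account Lockout Policy; net accounts is simply the scriptable view of them.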

39 Using Credential Manager
Credential Manager is a Windows 8.1 tool that stores the user names and passwords people supply to servers and web sites in a protected area called the Windows Vault. When a user selects the Remember my credentials checkbox while authenticating in File Explorer, Internet Explorer, or Remote Desktop Connection, the system adds the credentials to the Windows Vault. It is also possible to add credentials directly to the vault using Credential Manager, by clicking Add a Windows credential, or one of the similar links. The vault is encrypted with keys derived from the user's logon secret (DPAPI), which protects it from other users and from offline theft of the disk, but any program running as that user can read the stored passwords; keep the vault to what is needed and remove entries that are no longer used.

40 Using Credential Manager (figure: Credential Manager)

41 Using Credential Manager (figure: the Add a Windows Credential window)
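The Windows Vault that Credential Manager displays can also be managed with cmdkey.exe, which is useful for scripted setup and for periodic review of what a user has stored. This is an added example, not code from the MOAC text; fileserver01 and CONTOSO\jdoe are placeholders.

```powershell
# Added example (not from the MOAC text): list, add and remove Windows Vault
# entries with cmdkey.exe. Runs as the user whose vault is being managed.

function Get-StoredCredential {
    # 'cmdkey /list' prints one block per entry with Target:, Type: and User: lines.
    $entries = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in (cmdkey /list)) {
        switch -Regex ($line.Trim()) {
            '^Target:\s*(.+)$' {
                if ($current) { [void]$entries.Add([pscustomobject]$current) }
                $current = [ordered]@{ Target = $matches[1]; Type = ''; User = '' }
            }
            '^Type:\s*(.+)$' { if ($current) { $current.Type = $matches[1] } }
            '^User:\s*(.+)$' { if ($current) { $current.User = $matches[1] } }
        }
    }
    if ($current) { [void]$entries.Add([pscustomobject]$current) }
    $entries
}

# 1. What is already in the vault for this user?
Get-StoredCredential | Format-Table Target, Type, User -AutoSize

# 2. Store a Windows credential for a file server. Giving /pass no value makes
#    cmdkey prompt for the password, so it never appears on the command line,
#    in the process list, or in the PowerShell history.
cmdkey /add:fileserver01 /user:CONTOSO\jdoe /pass

# 3. Confirm it was stored under the expected target ...
Get-StoredCredential | Where-Object { $_.Target -like '*fileserver01*' }

# 4. ... and remove it when it is no longer needed. Anything left here is
#    readable by any process running as this user, so keep the vault minimal.
cmdkey /delete:fileserver01
```

Targets stored through the control panel show up here under the same names, so the list step doubles as an inventory of what File Explorer, Internet Explorer and Remote Desktop Connection have remembered.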

42 Using PIN and Picture Passwords
On the Accounts page of the PC Settings screen you can change the password of your local user account, and you can also add an alternative sign-in method: either a numeric PIN or a picture and a sequence of gestures. A PIN is a four-digit number that a user can enter in place of the password when signing in. Picture passwords are designed to take advantage of touch interfaces by replacing the typed password with a sequence of gestures drawn on a picture. Both are conveniences for signing in to that one device; the account password still exists and remains the underlying credential, so it must stay strong even when a PIN or picture is used day to day.

43 Using PIN and Picture Passwords (figure: the Users page of the PC Settings screen)

44 Using PIN and Picture Passwords (figure: the Create a PIN screen)

45 Using Smart Cards
A smart card is a credit card-like device that contains a chip on which a digital certificate and its associated private key are stored; the certificate identifies a particular user, and the private key never leaves the card. On a computer equipped with a card reader, a user authenticates by inserting the smart card and entering the card's PIN, which unlocks the key so the card can sign the logon challenge. This combines something the user has (the card) with something the user knows (the PIN).

46 Using Virtual Smart Cards
Virtual smart cards provide the security of a smart card without the additional expense. A virtual smart card is a solution that utilizes the hardware already built into the computer to duplicate the capabilities of an external, physical smart card. In Windows 8.1, virtual smart cards use the Trusted Platform Module (TPM) found in many of today's computers to protect the card's private key and related state; the TPM-encrypted data is stored on the hard disk but can only be used by the TPM of that computer, so the key cannot be copied to another machine any more than a physical card's key can. The difference from a physical card is that the "something you have" is the computer itself, which is why a virtual smart card protects an account only on the device where it was created.
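Creating a virtual smart card is a command-line task in Windows 8.1 (tpmvscmgr.exe), and it only works if the TPM is present and provisioned. The script below is an added example, not code from the MOAC text; it checks the TPM first, creates the card, and shows how to find and remove it later. "Contoso VSC" is a placeholder name.

```powershell
# Added example (not from the MOAC text): create a TPM-backed virtual smart card
# with tpmvscmgr.exe. Run from an elevated prompt on Windows 8.1.

Import-Module TrustedPlatformModule    # Get-Tpm lives here (Windows 8 and later)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)). Enable it in firmware and let Windows provision it first."
}

# /pin prompt      asks for the PIN interactively (never put a PIN on the command line).
# /adminkey random generates an admin key that nobody records: fine for a
#                  personal card, but then nobody can unblock a forgotten PIN.
#                  Use /adminkey prompt and escrow the key if a helpdesk must
#                  be able to reset PINs.
# /generate        formats the card's file system so it is immediately usable.
tpmvscmgr.exe create /name "Contoso VSC" /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# The new card appears as a smart card reader device whose instance ID starts
# with ROOT\SMARTCARDREADER\. Record the ID: tpmvscmgr destroy needs it later.
$cards = Get-WmiObject Win32_PnPEntity | Where-Object { $_.DeviceID -like 'ROOT\SMARTCARDREADER\*' }
if (-not $cards) { throw 'No virtual smart card reader found after creation.' }
$cards | Select-Object Name, DeviceID, Status | Format-Table -AutoSize

# Next step (not scripted here): enroll a smart card logon certificate onto the
# card with the Certificates snap-in or certreq, exactly as for a physical card.

# To remove the card and its keys when the machine is repurposed:
#   tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0000
```

Because the admin key is the only way to reset a blocked PIN, the choice between /adminkey random and an escrowed key is really a choice between "lost PIN means a new card" and "helpdesk can unblock it"; decide that before rolling the cards out.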

47 Managing Certificates
Windows 8.1 uses digital certificates for a variety of authentication tasks, internally, on the local network, and on the Internet. Every user account has a certificate store containing a variety of certificates obtained by various means. To access the Certificates snap-in, click the Search charm, select Settings, and type cert in the search box. In the Results list, click Manage user certificates to load the snap-in and point it at the current user account.

48 Managing Certificates (figure: the Certificates snap-in)

49 Managing Certificates (figure: the Certificate dialog box)
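The Certificates snap-in is the interactive view of the user's store; the same store is exposed to PowerShell as the Cert: drive, which makes the two checks a practitioner most often wants scriptable: which certificates can still be used to authenticate, and whether the user has trusted any root CA that the machine does not. This is an added example, not code from the MOAC text; the 30-day warning window is an assumption.

```powershell
# Added example (not from the MOAC text): inventory the current user's Personal
# store and flag logon certificates about to expire, then list root CAs that
# exist only in the user's Trusted Root store.

$warnDays = 30    # assumption: warn this many days before expiry
$OID_CLIENT_AUTH      = '1.3.6.1.5.5.7.3.2'
$OID_SMART_CARD_LOGON = '1.3.6.1.4.1.311.20.2.2'

function Get-CertEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Get-PersonalCertReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekus = Get-CertEkus -Cert $cert
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            DaysLeft       = [int]($cert.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey  = $cert.HasPrivateKey    # usable for authentication only if true
            ClientAuth     = ($ekus -contains $OID_CLIENT_AUTH)
            SmartCardLogon = ($ekus -contains $OID_SMART_CARD_LOGON)
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

# The logical CurrentUser\Root store also shows the machine's roots, so removing
# everything in LocalMachine\Root leaves the per-user additions: the usual place
# to find an interception proxy's or malware's CA.
function Get-UserOnlyRoots {
    $machine = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $machine -notcontains $_.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter
}

$report = @(Get-PersonalCertReport)
$report | Sort-Object NotAfter |
    Format-Table Subject, DaysLeft, HasPrivateKey, ClientAuth, SmartCardLogon -AutoSize

$report | Where-Object { $_.DaysLeft -le $warnDays -and ($_.ClientAuth -or $_.SmartCardLogon) } |
    ForEach-Object { Write-Warning "Logon certificate '$($_.Subject)' expires in $($_.DaysLeft) days; renew it before the user is locked out." }

$extraRoots = @(Get-UserOnlyRoots)
if ($extraRoots.Count -gt 0) {
    Write-Warning 'Root CAs trusted only by this user (verify each one is expected):'
    $extraRoots | Format-Table -AutoSize
}
```

A certificate with the right EKU but HasPrivateKey false is the typical result of a profile restored without its key container; it will show in the snap-in but cannot authenticate anyone.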

50 Using Biometrics
Biometric authentication uses a scan of a physical characteristic to confirm the identity of a user. There are a great many third-party biometric authentication solutions available, most of which take the form of fingerprint scanners for laptop computers. Windows 8.1 includes the Windows Biometric Framework (introduced in Windows 7), which provides core biometric functionality and a Biometric Devices control panel, so that vendors supply only a driver rather than a separate logon mechanism.

51 Configuring User Account Control (UAC)
User Account Control (UAC) is a Windows 8.1 feature that prevents unauthorized changes to your computer. When a user logs on to Windows 8.1, the system issues a token, which indicates the user's access level. Whenever the system authorizes the user to perform a particular activity, it consults the token to see whether the user has the required privileges. On a Windows 8.1 computer running UAC, a standard user still receives a standard user token, but an administrative user receives two tokens: a filtered token with standard user access and a full token with administrative access. By default, both standard and administrative users run using the standard user token most of the time.

52 Performing Administrative Tasks with a Standard User Account
When a standard user attempts to perform a task that requires administrative privileges, the system displays a credential prompt, requesting that the user supply the name and password for an account with administrative privileges.

53 Performing Administrative Tasks with a Standard User Account (figure: receiving a credential prompt)

54 Performing Administrative Tasks with an Administrative Account
When an administrator attempts to perform a task that requires administrative access, the system switches the account from the standard user token to the administrative token. This is known as Admin Approval Mode. An elevation prompt is the message box shown in the figure on the next slide. This confirmation prevents unauthorized processes, such as those initiated by malware, from accessing the system using administrative privileges.

55 Performing Administrative Tasks with an Administrative Account (figure: receiving an elevation prompt)

56 Using Secure Desktop
The secure desktop is an alternative to the interactive user desktop that Windows normally displays. When Windows 8.1 generates an elevation or credential prompt, it switches to the secure desktop, suppressing the operation of all other desktop controls and permitting only Windows processes to interact with the prompt. The object of this is to prevent malware from automating a response to the elevation or credential prompt and bypassing the human reply.

57 Configuring User Account Control (figure: reviewing UAC settings options)

58 Elevating Privileges
The preferred mechanism for performing tasks that require administrative privileges is to use the Run As feature to execute a program using another account. Shortcuts on the Start screen and in File Explorer have a Run as administrator option in their context menus, which causes standard users to receive a credential prompt and administrators to receive an elevation prompt, according to the system's normal User Account Control (UAC) practices.
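The UAC behaviour described on the preceding slides (filtered versus full token, the slider positions, the secure desktop, and Run as administrator) all map onto a few registry values and one API check. The script below is an added example, not code from the MOAC text: it reports whether the current session holds the full administrative token, decodes the policy values that the UAC slider and Group Policy set, warns about the weak combinations, and elevates through UAC's normal prompt.

```powershell
# Added example (not from the MOAC text): inspect and exercise UAC on Windows 8.1.

function Test-Elevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # On the filtered token the Administrators SID is marked deny-only, so this is
    # false for an admin who has not elevated, and false for a standard user.
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key
    # Missing values fall back to the Windows defaults.
    $enableLua = if ($null -ne $v.EnableLUA) { $v.EnableLUA } else { 1 }
    $admin     = if ($null -ne $v.ConsentPromptBehaviorAdmin) { $v.ConsentPromptBehaviorAdmin } else { 5 }
    $user      = if ($null -ne $v.ConsentPromptBehaviorUser)  { $v.ConsentPromptBehaviorUser }  else { 3 }
    $secure    = if ($null -ne $v.PromptOnSecureDesktop)      { $v.PromptOnSecureDesktop }      else { 1 }

    # Map the admin-side values back to the four positions of the UAC slider.
    $slider = if ($enableLua -eq 0) {
        'UAC disabled (EnableLUA=0): no Admin Approval Mode at all'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        'Notify when programs try to make changes (default)'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        'Notify, but do not dim the desktop'
    } elseif ($admin -eq 0) {
        'Never notify: administrators are elevated silently'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        ConsentPromptBehaviorUser  = $user     # 0 = auto-deny, 1 = credentials, 3 = credentials on secure desktop
        PromptOnSecureDesktop      = $secure
        SliderPosition             = $slider
        StandardUsersCanElevate    = ($user -ne 0)
    }
}

Write-Host "Running with the full administrative token: $(Test-Elevated)"
$uac = Get-UacPolicy
$uac | Format-List

# Weak settings worth flagging: silent elevation, or prompts shown on the normal
# desktop where another process could drive them.
if ($uac.EnableLUA -eq 0 -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators are elevated without any prompt; UAC offers no protection here.'
} elseif ($uac.PromptOnSecureDesktop -eq 0) {
    Write-Warning 'Prompts appear on the interactive desktop instead of the secure desktop.'
}

# The supported way to elevate a program: -Verb RunAs hands the request to UAC,
# which shows an elevation prompt to an admin and a credential prompt to a
# standard user. The child runs with the full token only if the prompt is approved.
if (-not (Test-Elevated)) {
    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList '-NoProfile', '-Command', 'whoami /groups; pause'
}
```

In the elevated window, whoami /groups shows the Administrators group with Group used for deny only replaced by Enabled group and the integrity label at High Mandatory Level, which is the visible difference between the filtered and full tokens.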

59 Authorizing Users
Authentication confirms a user's identity. Authorization grants the user access to certain resources. The most commonly-used mechanisms for authorizing users in Windows 8.1 are the NTFS, share, and registry permission systems. NTFS permissions apply whether a file is accessed locally or over the network; share permissions apply only to access through the share, and when both apply the more restrictive of the two wins.

60 Configuring User Rights (figure: User Rights Assignments)
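User rights (the Local Security Policy node shown in the figure) decide what an account may do to the system as a whole rather than to a particular object, and a handful of them are equivalent to full administrative control. The script below is an added example, not code from the MOAC text: it exports the local User Rights Assignment with secedit, resolves the SIDs, and reports who holds the sensitive rights. The expectation that only Administrators should hold them is an assumption for a workstation (Backup Operators is the usual legitimate exception for the backup and restore rights).

```powershell
# Added example (not from the MOAC text): review the local User Rights
# Assignment. Run from an elevated prompt.

function Get-UserRightsAssignment {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    $rights = @{}
    $inSection = $false
    foreach ($line in (Get-Content $inf)) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $matches[1]
        $names = foreach ($raw in ($matches[2] -split ',')) {
            $entry = $raw.Trim().TrimStart('*')    # SIDs are written as *S-1-5-32-544
            if ($entry -match '^S-1-') {
                try { (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }                    # orphaned SID: keep it visible
            } elseif ($entry) { $entry }
        }
        $rights[$right] = @($names)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $rights
}

# Rights that let a holder take over the machine.
$sensitive = @{
    SeDebugPrivilege              = 'Debug programs (read/write any process, e.g. LSASS)'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeBackupPrivilege             = 'Back up files and directories (read anything)'
    SeRestorePrivilege            = 'Restore files and directories (write anything)'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
# Assumption: on this workstation only Administrators should hold these. The two
# impersonation rights are legitimately held by the service accounts as well.
$expected = @('BUILTIN\Administrators')
$serviceRights = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

$rights = Get-UserRightsAssignment
foreach ($name in ($sensitive.Keys | Sort-Object)) {
    $holders = @($rights[$name])               # empty if the right is assigned to nobody
    $extra   = @($holders | Where-Object { $expected -notcontains $_ })
    $line    = "$name ($($sensitive[$name])): $($holders -join ', ')"
    if ($extra.Count -gt 0 -and $serviceRights -notcontains $name) {
        Write-Warning "$line  <- review: $($extra -join ', ')"
    } else {
        Write-Host $line
    }
}

# Who can reach this machine over Remote Desktop, and who is explicitly denied?
'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight' |
    ForEach-Object { '{0}: {1}' -f $_, ($rights[$_] -join ', ') }
```

The deny rights take precedence over the corresponding allow rights, which is why the last three lines matter: a user who is in Remote Desktop Users but also covered by SeDenyRemoteInteractiveLogonRight cannot connect.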

61 Lesson Summary
The user account is the fundamental unit of identity in the Windows operating systems. A group is an identifying token that Windows uses to represent a collection of users. A workgroup is a collection of computers that are all peers. A peer network is one in which every computer can function as both a server, by sharing its resources with other computers, and a client, by accessing the shared resources on other computers. A domain is a collection of computers that all utilize a central directory service for authentication and authorization.

62 Lesson Summary
Windows 8.1 provides two separate interfaces for creating and managing local user accounts: the User Accounts (or User Accounts and Family Safety) control panel and the Local Users and Groups snap-in for the Microsoft Management Console (MMC). Windows 8.1 supports a number of Group Policy settings that administrators can use to enforce password security practices on individual computers or on Active Directory Domain Services (AD DS) networks. Credential Manager is a Windows 8.1 tool that stores the user names and passwords people supply to servers and web sites in a protected area called the Windows Vault.

63 Lesson Summary
The User Account Control (UAC) feature is designed to protect your computer from settings being changed accidentally and to stop malware from gaining system-wide access to your system. In Windows 8.1, you cannot fully disable UAC without resorting to a registry edit, which is not recommended. The UAC feature displays two types of prompts. The credential prompt requests a user name and password when a standard user attempts to perform a task that requires administrative privilege. The elevation prompt prevents unauthorized processes, such as those initiated by malware, from accessing the system using administrative privileges.

64 Copyright 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
