Windows Security Settings – CompTIA A+ 220-902 – 3.3

There are many techniques in Windows that can be used to secure the operating system. In this video, you’ll learn about file permissions, user authentication, full-disk encryption, and more.

<< Previous: Security AwarenessNext: Workstation Security Best Practices >>


When you log into your Windows desktop, you’re logging in with a user account. There are a number of different user accounts in your Windows configuration. The one that has the highest priority and the most number of permissions is the Administrator account. This is the super user account in Windows, and the Administrator is able to manage the entire operating system.

There are also guest users that can be configured in your system. If you have certain people they need access to use your computer but they’re not going to be permanently using this device, then maybe you just like to turn on a Guest account for them. Most people who are logging in who are not an Administrator or a Guest are usually logging in with a standard user login.

Inside of the Windows operating system you can create separate groups and you can add users to those groups. You would then apply certain rights and permissions to a group, and everybody who is a member of that group would then be given those rights and permissions. It’s a very common way to set rights and permissions for a large group of people at one time.

There are a number of different built-in groups inside of Windows. You can go into your Windows Computer Management and look through all the local users and groups that are part of your system. One common group you may find is one called the Power Users group. They get a little bit of extra control inside of the operating system. Generally, people are not part of the Power Users group unless they need additional rights and permissions to manage this local Windows configuration.

There are two types of permissions that can apply in the Windows operating system. One is NTFS permissions, and the other is share permissions. These work together to provide an overall rights and permissions for whoever is using the computer. NTFS permissions come directly from the file system of the computer. So, if you’re accessing a file locally on that computer, or you’re accessing the file from somewhere over the network, these NTFS permissions will always apply.

The other type of permissions are share permissions. Share permissions are applied to a Windows share, which means you’re accessing that share from across the network. So, if you’re accessing these files and folders from across the network, you have to examine both the share permissions and the NTFS permissions to determine if you have rights and permissions to those files.

You also have to keep in mind that if either the NTFS permission or the share permission restricts access to a file or folder, that particular restriction will always win. Even if the NTFS permission allows access to a file, if the share permission is denying that access, the deny is always going to take the priority.

When you’re setting NTFS permissions for a folder, everything inside of that folder is going to have those same permissions applied to it. Everything is inherited from that parent object. The only time that these permissions are not inherited is if you are moving a file from one folder to another on the same volume. This move retains the permissions that were there prior to the move.

There are a number of differences between the rights and permissions that are assigned through NTFS, and those assigned with a share. These are a comparison of those two things for exactly the same folder. You can see that the NTFS permissions allow a lot more options for the permissions, whereas the share allows you full control, change, and read, and then you can allow or deny those based on the user and group.

When you are specifically bringing up those dialog boxes for NTFS permissions or share permissions and you are setting some very specific permissions, we call those explicit permissions, which means you’re setting the defaults and defining exactly what those permissions might be. For example, if I was setting permissions for music, I would be defining exactly what the permissions are for that particular folder.

There’s also the concept of inherited permissions. These are propagated from the parent object, so once you set a permission on one folder, those permissions would apply for everything that happens to be inside of that folder. For example, if I set some permissions for a folder, all of the folders underneath that folder will inherit the permissions of the parent object.

If you are setting explicit permissions, they will take priority over any permissions that might have been inherited. For example, let’s set some explicit permissions for this folder that will restrict access to any of the objects within it. And, of course, since I’m explicitly setting these permissions, there will be a number of permissions that are inherited from that parent object.

But now let’s also decide that we would like to allow access to one of these folders. So, I’ll set some explicit permissions on a single folder underneath where, previously, an inherited permission existed. But because I’m now setting some explicit permissions, any of the permissions that were inherited no longer apply, and I can allow access to a single folder on this share.

Not only can you define shares on your system and allow people access to those particular shares, there are also a number of shares that have been administratively created by the operating system. These are very often hidden shares. You’ll know they’re hidden because they have a $ that is right after them. And they’re usually created during the installation of the operating system. If you’re creating shares locally on your computer, they probably don’t have the $ on them, although you could certainly add the $ to hide them from being listed from all of the available shares on your computer.

A very common example of some of these local administrative shares might be C$, which provides administrative access to the C drive. There is an ADMIN$ to the Windows folder, or PRINT$, which provides access to the Printers folder on the system. If you’d like to see what shares are available on your local computer, you can go to the Computer Management utility and look under Shared Folders. From the command line, you can get the same information by using the command -net share.

The way that you provide access to the resources on your computer are by requiring users to authenticate to your system. This authentication in Windows is usually done with a username and password, but there may be other factors of authentication that you can add to this as well. If you’re part of a Windows domain, you may find that you authenticate a single time with a username and password, and yet you have access to many different resources that are located in many places on the network.

This is provided through a process called single sign-on, or SSO, where you provide your credentials one time, and those credentials apply to all of the different resources in that Windows domain. Behind the scenes in Windows, the single sign-on process is managed through an authentication protocol called Kerberos, and this is what allows you to put your username and password in one time and Windows knows to allow you to access or not access the resources that are appropriate for your login.

During the normal use of your Windows operating system you’re not running as an Administrator. You’re instead running as a regular user. Administrators have additional rights and additional permissions that allow them to administer this particular system. So if you need to edit any system files or you need to install new applications or device drivers, then you need administrative rights. Even if you are a regular user who has been added to the administrators group in Windows, you still may not be able to perform a number of these administrative functions. This is a security mechanism that’s created by default so that malicious applications would not be able to perform these functions without you knowing about it.

This means that, if you do want to install an application or perform a function as an administrator, you need to explicitly tell Windows to run this application as an administrator. You can accomplish this by right clicking on the application and choosing Run as administrator, or you can type in the name of the application and simply use the keystrokes Control-Shift-Enter to launch the application in this administrator mode.

Some additions of Windows provide a feature called BitLocker. This allows you to encrypt an entire volume of information. This includes all of your data files, the operating system, and anything else that’s on this volume. That means if you lose your laptop or somebody takes your hard drive, they would not have access to this data unless they had your authentication credentials. Since you are encrypting everything on a volume, this means you could even remove the drive from a computer, put it into another computer, and still, all of that information would remain encrypted.

There’s also a version BitLocker that’s been created for USB flash drives. This is called BitLocker To Go and allows you to encrypt everything that might be on one of these portable USB keys.

If you don’t want to encrypt an entire volume, but there are still files on this device that you would like to encrypt, you can use a filesystem level encryption, called Encrypting File System. This is a feature of NTFS that allows you to encrypt at the file system level of the operating system. The encryption key that’s used by EFS is associated with your username and password, so it’s very important that you don’t forget your username and password or these files will not be accessible any longer. Even if someone was to administratively change your password, since it’s something that you did not change, the files would still be encrypted and unavailable to anyone.

In the Windows operating system, support for EFS is available in Vista Business, Enterprise and Ultimate, Windows 7 Professional, Enterprise and Ultimate, and in Windows 8 and 8.1 in the Pro and Enterprise editions.