Windows Security Settings – CompTIA A+ 220-802: 1.8

Data security is one of the most important considerations for a system administrator. In this video, you’ll learn about users and groups, shared files and folders, NTFS vs. share permissions, and user authentication.



When you start up your Windows operating system, if you don’t have the auto login capability enabled, then you’ll be presented with a view that allows you to put in your username and your password. That is accessing a list of users that’s defined in the operating system. On top of that, there’s a list of groups that these users can be members of. And if you need to set the administrative access to certain files, directories, or other resources, you can assign entire groups of people at one time by taking advantage of that functionality.

Inside of Windows, if we go to Computer Management, you can see there is a list of users and groups local to your computer. There are some users that are added automatically to the operating system. One is the administrator user. That is someone who is the super-user throughout the operating system. They can do anything to the OS.

There’s also a guest user that is configured automatically. Usually it’s also disabled by default. But it’s one that assigns just some basic access to your computer. Generally, it’s one that’s not often used. But if you need a generic login for users, that might be a good way to do it.

You also of course have regular users, usernames that might be logging onto your computer. For instance, the user “professor” is my login to log into my Windows environment. And that gives me the access to the resources that I need, but doesn’t give me, for instance, administrative access by default. If you have certain users you would also like to provide with that administrative access, there are certain groups for administrators that you can add them to, so that access is limited to just the people who need that capability.

You can of course create your own groups in the operating system. But there are a number of groups that are already available. One common one that you’ll see is the power users, which generally sounds very good. But there’s really not that much more access to your operating system than what a normal user might have. But if you wanted to create your own groups that provided access to a printer that’s on your operating system or to a particular shared directory that’s on your computer, that’s a great way to manage that process, especially for large groups of people.

If you wanted to provide access to a set of files or folders on your computer to somebody across the network, then you would configure something called a Windows share. There are some shares that are already pre-defined on your computer when you install the Windows operating system. These are administrative shares and they’re generally hidden. The way that you would recognize a hidden share is there’s a dollar sign right after the share name. And those are shares that are created automatically during the installation of the operating system.

You may find, for instance, that your entire drive is configured as a share. C$, for instance, accesses everything on your drive. Another one is just for administrators. The ADMIN$ is for the Windows directory so that you can perform administrative tasks to everybody’s Windows system, regardless of where they might happen to be on the network.

You can see all of the shares and the configurations of those shares in your computer management under shared folders. You could also at the command line simply type in net share and you’ll get a summary of the shares, the resources associated with those shares, and any remarks that were created when that share was built.

The NTFS file system is very powerful and allows us a lot of flexibility for allowing or disallowing access to certain files or folders on the file system. If we were to look at the file system in NTFS, you can see all of these different permissions are available for the users on your computer. You can set full control, modify, read and execute, list folder contents, read, and write. There are other permissions as well.

This is a very flexible permissions system that’s built into the file system. So if somebody was to sit down at your computer and log in with their username and password, they would have permission to those files configured in the NTFS file system. But of course, somebody doesn’t have to be sitting at your computer to access files. We’re connecting to the network and we’re building out these shares.

There is a completely different set of rights and permissions for shares. For instance, here’s the same directory and the share permissions for Everyone. And we can set full control, change, or read permissions. Notice that’s very different than the permissions we had available for NTFS. So now there becomes a question: if we access these files through the network, we not only have share permissions, but we also have NTFS permissions that we have to take into account. And we have to take them both into account simultaneously.

NTFS permissions are part of the file system of the computer. That means if you’re sitting at the computer, those NTFS file permissions will apply to you. If you’re accessing those files from across the network, those NTFS permissions will also apply to you. Anybody accessing those files will have to go through the file system and therefore the NTFS permissions will apply.

If you’re coming in from across the network, those share permissions will also apply to you. So you’re combining those two things together. So you not only have to think about all of the permissions for NTFS, but if you’re coming across the network you also have to look at those share permissions.

The most restrictive permission will always win. So if you set up access to a directory of completely wide open access to read and write in NTFS and somebody uses that share across the network and the share permission is set to only read, the default permission for everything is going to be read only across the network. You’d have to be on the local computer to be able to have full access. The share permission is more restrictive. Therefore, that is the one that’s going to apply.
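The comparison described above can be run against a real machine. The following PowerShell script is an added example, not part of the original video: for every share it lines up the share-level grant and the NTFS grant for the same account and reports the lower of the two as the access that applies over the network. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later) and an elevated session; the function name `ConvertTo-ShareLevel` and the output column names are made up for this illustration.

```powershell
# Added example (not from the original video). Assumes Windows 8 / Server 2012
# or later for the SmbShare cmdlets, and an elevated PowerShell session.
# Only Allow entries granted directly to the same account name are compared;
# group membership and Deny entries are not evaluated.

# Order the share-level rights so two levels can be compared.
$rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }

function ConvertTo-ShareLevel {
    # Collapse an NTFS rights mask to the nearest share-level name.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    if     (($Rights -band $fsr::FullControl) -eq $fsr::FullControl) { 'Full' }
    elseif (($Rights -band $fsr::Modify)      -eq $fsr::Modify)      { 'Change' }
    elseif (($Rights -band $fsr::Read)        -eq $fsr::Read)        { 'Read' }
    else   { 'None' }
}

# Shares without a folder path (such as IPC$) have no NTFS ACL to compare.
Get-SmbShare | Where-Object { $_.Path } | ForEach-Object {
    $share = $_
    $ntfs  = (Get-Acl -LiteralPath $share.Path).Access |
             Where-Object { $_.AccessControlType -eq 'Allow' }

    Get-SmbShareAccess -Name $share.Name |
      Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
        $entry      = $_
        $shareLevel = "$($entry.AccessRight)"
        # Skip custom share rights that do not map to Read/Change/Full.
        if (-not $rank.ContainsKey($shareLevel)) { return }

        # Highest NTFS level granted directly to the same account name.
        $ntfsLevel = 'None'
        $matching  = $ntfs | Where-Object { $_.IdentityReference.Value -eq $entry.AccountName }
        foreach ($ace in $matching) {
            $lvl = ConvertTo-ShareLevel $ace.FileSystemRights
            if ($rank[$lvl] -gt $rank[$ntfsLevel]) { $ntfsLevel = $lvl }
        }

        # Over the network both sets apply, so the lower level is the result.
        $net = if ($rank[$shareLevel] -lt $rank[$ntfsLevel]) { $shareLevel } else { $ntfsLevel }
        [pscustomobject]@{
            Share = $share.Name; Hidden = $share.Name.EndsWith('$')
            Account = $entry.AccountName; ShareLevel = $shareLevel
            NtfsLevel = $ntfsLevel; OverNetwork = $net
        }
    }
} | Format-Table -AutoSize
```

A row where ShareLevel is Full for Everyone and NtfsLevel is also Full is the one to review first, because neither layer is restricting network access to that folder.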

When we’re organizing files and folders on our computer, we might put folders within folders within folders. And in those cases, the permissions are going to be inherited from the top object, all the way through all of the other folders. So if you define it at the top of the folder tree, you’re going to automatically see those permissions all the way through that particular tree. They’re all going to be based on that parent object.

If you take those files and you copy them to a different volume, all of those permissions are going to be reset to whatever is on that other volume. If you move them on the same volume, however, they maintain all of those permissions that you’ve set.

In Windows when you move something on the same volume, it simply resets a pointer. When you move to a different volume, it’s physically copying the files. So keep that in mind as you’re setting permissions. If you copy them to another folder and you realize your permissions were reset, that’s because you created a new copy of the file and therefore you have different permissions.

Those NTFS permissions and share permissions wouldn’t be useful if we didn’t have some way to authenticate people into the operating system. We want to be sure the person using these resources is the real person. So normally you have to have a username and password at a bare minimum.

You might have other authentication requirements as well. You might have to add a smart card to your computer or do a fingerprint scan just to prove that you are the person that you say you are.

There are a number of capabilities in the Windows operating system to also provide single sign-on. And we generally see this on a Windows domain. When you log on to a Windows domain, it knows that you’re you regardless of what resources you access. So if you go and access a printer, if you share files on one server, if you share files on the other server, you’re not constantly asked for that username and password over and over and over again.

In a domain when you log in, it’s a single sign on. Once you log in, you are never prompted again. And that is the experience we want for end users. We want them to authenticate once and have access to all of the resources that are appropriate for them.