MOAC 70-687 L17 Authentication and Authorization


  • 8/10/2019 MOAC 70-687 L17 Authentication and Authorization


Lesson 17: Configuring Authentication and Authorization
MOAC 70-687: Configuring Windows 8

Working with Users and Groups
Lesson 17: Configuring Authentication and Authorization

    2013 John Wiley & Sons, Inc. 2

User Accounts

The user account is the fundamental unit of identity in the Windows operating system.

As an operating system element, the user account and its properties are vital components in two of the most important Windows functions:
o Authentication
o Authorization

Groups

A group is another type of entity that Windows uses to represent a collection of users.

System administrators can create groups, for any reason and with any name, and then use them just as they would a user account.

Any permissions or user rights that an administrator assigns to a group are automatically inherited by all members of the group.

Understanding Local and Domain Users

The concept of users and groups is complicated in Windows because there are two completely separate user account systems:
o Local users
o Domain users

Which user account system a Windows computer uses depends on whether it is a member of a workgroup or an Active Directory Domain Services domain.

Workgroup

A workgroup is a collection of computers that are all peers.

A peer network is one in which every computer can function as both
o A server: By sharing its resources with other computers.
o A client: By accessing the shared resources on other computers.

Domain

A domain is a collection of computers that all utilize a central directory service for authentication and authorization.

A directory service is a collection of logical objects that represent various types of network resources, such as
o Computers
o Applications
o Users
o Groups

Each object consists of attributes that contain information about the object.

Differentiating Local and Domain Users

Local and domain users are different in several important ways.

You use different tools to create and manage the two types of users, and the user accounts themselves are different in composition.

A user account consists of attributes, which contain information about the user. Domain users have many more attributes than local users.

Differentiating Local and Domain Users

Figure: The Properties sheet for a local user
Figure: The Properties sheet for a domain user

Frequently Asked Questions About Local and Domain Users

Question: What tools do you use to manage the user accounts?
  Local users: The User Accounts control panel applet or the Local Users and Groups snap-in for Microsoft Management Console (MMC)
  Domain users: The Active Directory Users and Computers MMC snap-in

Question: Where are the user accounts stored?
  Local users: In the Security Accounts Manager (SAM) on the local computer
  Domain users: On the Active Directory Domain Services domain controllers

Question: What can you access with the user account?
  Local users: Local computer resources only
  Domain users: All domain and network resources

Question: What restrictions are there on the user name?
  Local users: Each user name must be unique on the computer
  Domain users: Each user name must be unique in the directory

Built-In Local Users

The following user accounts are built-in on Windows 8:
o Administrator: During a typical Windows 8 installation, the Setup program creates an Administrator account and makes it a member of the Administrators group, giving it complete access to all areas of the operating system.
o New User: During the operating system installation process, the installer must specify the name for a new user account, which the Setup program creates and adds to the Administrators group.
o Guest: This account is designed for users that require only temporary access to the computer, and who do not need high levels of access.

Local and Domain Groups

Whether local or domain, a group is essentially just a collection of users and, in some cases, other groups.

By assigning rights and permissions to a group, you assign those rights and permissions to all of its members.

Using Local Groups

Local groups are subject to the following restrictions:
o You can only use local groups on the computer where you create them.
o Only local users from the same computer can be members of local groups.
o When the computer is a member of an AD DS domain, local groups can have domain users and domain global groups as members.
o Local groups cannot have other local groups as members. However, they can have domain groups as members.
o You can only assign permissions to local groups when you are controlling access to resources on the local computer.
o You cannot create local groups on a Windows server computer that is functioning as a domain controller.

Windows 8 Built-In Local Groups and Their Capabilities

Built-In Local Group: Group Function
o Access Control Assistance Operators: Members can remotely query authorization permissions for resources on this computer.
o Administrators: Members have full administrative access to the entire operating system. By default, the Administrator user and the user account created during the operating system installation are both members of this group.
o Backup Operators: Members have user rights enabling them to override permissions for the sole purpose of backing up and restoring files, folders, and other operating system elements.
o Cryptographic Operators: Members are capable of performing cryptographic operations.
o Distributed COM Users: Members are capable of launching, activating, and using distributed COM objects.
o Event Log Readers: Members can read the computer's event logs.

Windows 8 Built-In Local Groups and Their Capabilities (continued)

o Guests: Members have no default user rights. By default, the Guest user account is a member of this group.
o Hyper-V Administrators: Members have full control of all Hyper-V features.
o IIS_IUSRS: Group used to provide privileges to dedicated Internet Information Services users.
o Network Configuration Operators: Members have privileges that enable them to modify the computer's network configuration settings.
o Performance Log Users: Members have privileges that enable them to schedule the logging of performance counters, enable trace providers, and collect event traces on this computer, both locally and from remote locations.
o Performance Monitor Users: Members have privileges that enable them to monitor performance counter data on the computer, both locally and from remote locations.
o Power Users: Members possess no additional capabilities in Windows 8. In previous Windows versions, the Power Users group provided privileges for a limited number of administrative functions, but in Windows 8, the group is included solely for reasons of backwards compatibility.

Windows 8 Built-In Local Groups and Their Capabilities (continued)

o Remote Desktop Users: Members can log on to the computer from remote locations, using Terminal Services or Remote Desktop.
o Remote Management Users: Members can access Windows Management Instrumentation (WMI) resources using management protocols.
o Replicator: When the computer is joined to a domain, this group provides the access needed for file replication functions. The only member should be a user account dedicated solely to the replication process.
o Users: Members can perform most common tasks, such as running applications, using local and network printers, and locking the server. However, members are prevented from making many system-wide configuration changes, whether they do so accidentally or deliberately.
o WinRMRemoteWMIUsers__: Members can access Windows Management Instrumentation (WMI) resources using management protocols.
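As an added example (not from the MOAC slides), the following PowerShell script audits the membership of the built-in local groups listed above whose membership confers administrative or remote-access capability, and flags anything outside an expected list. It assumes the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 on Windows 10 or later; on Windows 8 the same data comes from "net localgroup <group>"), and the allow-list of expected members is a constructed baseline for this example, not anything Windows supplies.

```powershell
# Added example (not from the MOAC slides): audit membership of the sensitive built-in
# local groups from the tables above. Assumes the Microsoft.PowerShell.LocalAccounts
# module (PowerShell 5.1 on Windows 10/Server 2016 or later); on Windows 8 the same
# information comes from "net localgroup <group>".
#Requires -Version 5.1

# Groups whose membership grants administrative or remote-access capability,
# per the "Built-In Local Groups and Their Capabilities" tables.
$SensitiveGroups = @(
    'Administrators',
    'Backup Operators',
    'Remote Desktop Users',
    'Remote Management Users',
    'Hyper-V Administrators',
    'Network Configuration Operators'
)

# Constructed allow-list for this example: principals expected in each group.
# In practice this comes from your own baseline; groups with no entry are
# treated as "nobody should be here".
$Expected = @{
    'Administrators'       = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\LocalAdmin")
    'Backup Operators'     = @()
    'Remote Desktop Users' = @("$env:COMPUTERNAME\HelpdeskRDP")
}

function Get-SensitiveGroupReport {
    $report = foreach ($g in $SensitiveGroups) {
        # Get-LocalGroupMember throws if the group does not exist on this edition
        # (e.g. Hyper-V Administrators without the Hyper-V feature); skip those.
        try { $members = Get-LocalGroupMember -Group $g -ErrorAction Stop }
        catch { continue }

        foreach ($m in $members) {
            $allowed = $Expected[$g]
            [pscustomobject]@{
                Group       = $g
                Member      = $m.Name
                ObjectClass = $m.ObjectClass       # User or Group
                Source      = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
                # Anything not on the allow-list deserves a second look. Nested non-local
                # groups are always flagged: their membership is controlled elsewhere.
                Unexpected  = ($null -eq $allowed) -or ($allowed -notcontains $m.Name) -or
                              ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -ne 'Local')
            }
        }
    }
    return $report
}

$report = Get-SensitiveGroupReport
$report | Format-Table -AutoSize
$report | Where-Object Unexpected | ForEach-Object {
    Write-Warning ("Review membership: {0} in {1} ({2}, {3})" -f $_.Member, $_.Group, $_.ObjectClass, $_.Source)
}
```

The restriction that a local group may contain domain users and domain global groups is exactly why the Source column matters: a domain group nested into local Administrators silently delegates control of the workstation to whoever manages that group in AD DS.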

Special Identities

A special identity is a placeholder for a collection of users with a similar characteristic.

For example, the Authenticated Users special identity represents all the users that are logged on to the computer at a given instant.

You can assign rights and permissions to a special identity just as you would to a group.

Creating and Managing Local Users and Groups
Lesson 17: Configuring Authentication and Authorization

Creating a New User Account

New to Windows 8 is the ability to create a local user account based on an existing Windows Live ID.

The User Accounts control panel applet provides access to existing local accounts, but when creating new accounts, the system transfers you to the Users page of the PC Settings app.

Adding a user through this interface takes you through the same procedure as the new user creation process in the Windows 8 installation.

Create a New User Account

Figure: The User Accounts control panel applet
Figure: The Choose the user you would like to change page
Figure: The Users page in the PC Settings screen
Figure: The Add a user screen
Figure: The Add a user form

Manage User Accounts

Figure: The Make changes to [user's] account page
Figure: The Type a new account name for [user's] account page
Figure: The Choose a new account type for [user] page

Creating a Windows 8 Account from a Microsoft Account

When you specify your email address on the Add a user screen, the system searches for a Microsoft account that uses that address.

Then it either prompts you for the account password or, if it fails to find one, displays a Set up a Microsoft account form with which you can create a new account.

Figure: The Set up a Microsoft Account page

Using the Local Users and Groups Snap-In

By default, the Local Users and Groups snap-in is part of the Computer Management console.

You can open the Local Users and Groups snap-in using one of three basic ways:
o Open the Control Panel, select System and Security > Administrative Tools > Computer Management.
o Launch Microsoft Management Console (Mmc.exe), choose File > Add/Remove Snap-In, and then select the Local Users and Groups snap-in.
o Open the Run dialog box and type Lusrmgr.msc in the Open text box.

Create a New User

Figure: The Computer Management console
Figure: The Local Users and Groups snap-in
Figure: The New User dialog box

Manage a User

Figure: The Member Of tab of a user's Properties sheet
Figure: The Select Groups dialog box
Figure: The Profile tab of a user's Properties sheet

Create a Local Group

Figure: The New Group dialog box
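The New User, New Group and Member Of steps shown in the snap-in figures above, as an added PowerShell example that is not from the slides or the courseware. It assumes the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1, Windows 10 or later) and an elevated session; the user name jsmith and the group name Finance-Local are constructed for the example.

```powershell
# Added example (not from the slides): script the New User, New Group and Member Of
# steps of the Local Users and Groups snap-in. Assumes PowerShell 5.1's
# Microsoft.PowerShell.LocalAccounts module and an elevated session; the account and
# group names are constructed for this example.
#Requires -Version 5.1
#Requires -RunAsAdministrator

$UserName  = 'jsmith'            # constructed sample user
$GroupName = 'Finance-Local'     # constructed sample group
$FullName  = 'Jane Smith'

# Prompt rather than embedding a password in the script; Read-Host -AsSecureString
# returns the SecureString that New-LocalUser expects.
$Password = Read-Host -Prompt "Initial password for $UserName" -AsSecureString

if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    # Same fields as the New User dialog: name, full name, description, and the
    # "Password never expires" / "User cannot change password" check boxes.
    New-LocalUser -Name $UserName -FullName $FullName `
        -Description 'Finance analyst (standard user)' `
        -Password $Password `
        -PasswordNeverExpires:$false `
        -UserMayNotChangePassword:$false | Out-Null
    # "User must change password at next logon", so the initial password is short-lived.
    net user $UserName /logonpasswordchg:yes | Out-Null
}

if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Local access to the finance share' | Out-Null
}

# Equivalent of the Member Of tab > Add... > Select Groups dialog. A new local user is
# already in Users; grant resource access through a purpose-built group, not Administrators.
$current = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
if (-not ($current | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" })) {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
}

# Verify the result: the account flags we set and the group's membership.
Get-LocalUser -Name $UserName |
    Select-Object Name, Enabled, PasswordExpires, UserMayChangePassword, PasswordLastSet
Get-LocalGroupMember -Group $GroupName
```

The script is idempotent: rerunning it neither recreates the account nor duplicates the membership, which is what you want when the same provisioning step runs on many workgroup machines.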

Working with Domain Users and Groups

To create and manage AD DS domain users and groups on a Windows 8 workstation:
o Install the Remote Server Administration Tools
o Turn on the Active Directory Users and Computers snap-in under Turn Windows features on or off
o Have the appropriate Active Directory permissions

Authenticating and Authorizing Users
Lesson 17: Configuring Authentication and Authorization

Working with Passwords

Potential intruders can obtain passwords in two possible ways: cracking them or discovering them.

These methods are possible only when users compromise their passwords in some way.

Some of the ways in which users can weaken the security of their passwords are:
o Short passwords
o Simple passwords
o Unchanging passwords
o Predictable passwords

Configure Password Policies

Figure: The Local Security Policy console
Figure: Password Policies in the Local Security Policy console
Figure: The Properties sheet of a password policy
Figure: Password Policies in an AD DS Group Policy object

Configuring Account Lockout Policies

Windows 8 can protect against brute force password penetration techniques by limiting the number of unsuccessful logon attempts allowed by each user account.

When a potential infiltrator exceeds the number of allowed attempts, the system locks the account for a set period of time.

To impose these limits, you can use Local Security Policy for standalone computers, or Group Policy for AD DS networks.

Configure Account Lockout Policies

Figure: Account Lockout Policies in the Local Security Policy console
Figure: The Properties sheet of an account lockout policy
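An added PowerShell example (not from the slides) that reads the Password Policy and Account Lockout Policy values the Local Security Policy console displays and checks them against a baseline: one setting for each weakness named in the Working with Passwords slide (short, simple, unchanging, predictable) plus the three lockout settings. It uses secedit.exe /export, which writes the effective policy as an INI-style file; the baseline numbers are constructed for this example and are not Microsoft's recommendations.

```powershell
# Added example (not from the slides): export the effective local password and account
# lockout policy with secedit.exe and compare it with a baseline. The threshold values
# below are a constructed baseline for this example.
#Requires -RunAsAdministrator

$Baseline = @{
    MinimumPasswordLength = @{ Min = 12 }          # counters "short passwords"
    PasswordComplexity    = @{ Min = 1 }           # counters "simple passwords" (1 = enabled)
    MaximumPasswordAge    = @{ Max = 90 }          # counters "unchanging passwords" (days)
    PasswordHistorySize   = @{ Min = 10 }          # counters predictable reuse of old passwords
    LockoutBadCount       = @{ Min = 1; Max = 10 } # 0 = accounts never lock out
    LockoutDuration       = @{ Min = 15 }          # minutes
    ResetLockoutCount     = @{ Min = 15 }          # minutes
}

function Get-LocalAccountPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # /areas SECURITYPOLICY covers the [System Access] section that holds these values.
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed' }
    try {
        $policy  = @{}
        $section = ''
        # secedit writes UTF-16LE with a BOM, which Get-Content detects.
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([hashtable]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $rule  = $Baseline[$name]
        $value = $Policy[$name]
        # A missing value (e.g. LockoutDuration when LockoutBadCount is 0) fails the check.
        $ok = $null -ne $value
        if ($ok -and $rule.ContainsKey('Min')) { $ok = $value -ge $rule.Min }
        # MaximumPasswordAge of -1 means "never expires"; treat that as a failure too.
        if ($ok -and $rule.ContainsKey('Max')) { $ok = ($value -ge 0) -and ($value -le $rule.Max) }
        [pscustomobject]@{
            Setting   = $name
            Value     = $value
            Baseline  = ($rule.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
            Compliant = $ok
        }
    }
}

$policy = Get-LocalAccountPolicy
Test-AccountPolicy -Policy $policy -Baseline $Baseline | Format-Table -AutoSize
```

On a domain-joined machine the values you read back are the ones delivered by Group Policy, so the same script doubles as a check that the AD DS password and lockout GPO actually applied.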

Using Credential Manager

Credential Manager is a Windows 8 tool that stores the user names and passwords people supply to servers and websites in a protected area called the Windows Vault.

When a user selects the Remember my credentials check box while authenticating in Windows Explorer, Internet Explorer, or Remote Desktop Connection, the system adds the credentials to the Windows Vault.

It is also possible to add credentials directly to the vault using Credential Manager, by clicking Add a Windows credential, or one of the similar links.
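An added PowerShell example (not from the slides) that inventories the Windows credentials Credential Manager holds in the Windows Vault using the built-in cmdkey.exe, then flags entries that point at decommissioned hosts or cache a privileged account as candidates for removal from the vault. It assumes cmdkey's English output format; the list of decommissioned hosts and the privileged-account name pattern are constructed for the example.

```powershell
# Added example (not from the slides): inventory the Windows Vault entries that
# Credential Manager displays, via cmdkey.exe /list. Parsing assumes cmdkey's English
# output ("Target:", "Type:", "User:"); the stale-host list is constructed.
$DecommissionedHosts = @('oldfs01', 'legacy-sql')   # constructed: servers no longer in service

function Get-VaultCredentialInventory {
    $entries = @()
    $current = $null
    foreach ($line in (& cmdkey.exe /list)) {
        $t = $line.Trim()
        if ($t -like 'Target:*') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = ($t -replace '^Target:\s*', ''); Type = ''; User = '' }
        } elseif ($current -and $t -like 'Type:*') {
            $current.Type = $t -replace '^Type:\s*', ''
        } elseif ($current -and $t -like 'User:*') {
            $current.User = $t -replace '^User:\s*', ''
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

$inventory = Get-VaultCredentialInventory
$inventory | Format-Table -AutoSize

# Flag entries for hosts that no longer exist, or that cache a privileged account.
# Both are candidates for "Remove from vault" in Credential Manager.
foreach ($e in $inventory) {
    # Targets look like "Domain:target=server" or "Domain:target=TERMSRV/server".
    $hostName = ($e.Target -replace '^(Domain|LegacyGeneric|MicrosoftAccount):target=', '') -replace '^TERMSRV/', ''
    if ($DecommissionedHosts -contains ($hostName -split '[\\/]')[0]) {
        Write-Warning "Stale credential for '$($e.Target)' (user $($e.User))"
    }
    if ($e.User -match '(^|\\)(Administrator|.*-adm)$') {
        Write-Warning "Privileged account '$($e.User)' cached for '$($e.Target)'"
    }
}
```

cmdkey never prints the stored secret, only the target and user name, so the inventory is safe to collect from help-desk sessions; the point of the check is that every saved entry is a password the machine will replay on the user's behalf.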

Using Credential Manager

Figure: The Remember my credentials control
Figure: Credential Manager
Figure: The Add a Windows Credential window

Using PIN and Picture Passwords

On the Users page of the PC Settings screen you can change the password of your local user account, and you can also replace the password entirely, with either a numerical PIN or a picture and a sequence of gestures.

A PIN password is a four-digit number that a user can employ to log on in place of a password.

Picture passwords are designed to take advantage of touch interfaces by replacing the standard alphanumeric password with a picture.

Using PIN and Picture Passwords

Figure: The Users page of the PC Settings screen
Figure: The Create a PIN screen

Using Smart Cards

A smart card is a credit card-like device that contains a chip, on which is stored a digital certificate that serves as an identifier for a particular user.

On a computer equipped with a card reader, a user can authenticate him- or herself by specifying a user name and inserting the smart card.

Managing Certificates

Windows 8 uses digital certificates for a variety of authentication tasks, internally, on the local network, and on the Internet.

Every user account has a certificate store containing a variety of certificates obtained by various means.

To access the Certificates snap-in, click the Search charm, select Settings, and type cert in the search box.

In the Results list, click Manage user certificates to load the snap-in and point it at the current user account.

Managing Certificates

Figure: The Certificates snap-in
Figure: A Certificate dialog box
Figure: The Export File Format page in the Certificate Export Wizard
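An added PowerShell example (not from the slides) of the Certificates snap-in tasks in script form: it reports the current user's personal certificates from the Cert:\CurrentUser\My store, warns about authentication certificates that expire soon, and exports one certificate's public part in DER format, which is the Certificate Export Wizard's default file format. The warning threshold and the export path are constructed for the example.

```powershell
# Added example (not from the slides): the Certificates snap-in in script form.
# Lists the current user's personal certificates, shows which are usable for
# authentication, warns about imminent expiry, and exports one certificate's public
# part as the Export Wizard's DER option does. Threshold and path are constructed.
$WarnDays   = 30
$ExportPath = Join-Path $env:TEMP 'my-user-cert.cer'   # constructed output path

function Get-UserCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $eku = $_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }
        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey
            # The EKUs that matter for logging on: client auth (802.1X, VPN, TLS) and smart card logon.
            ClientAuth    = ($eku -contains 'Client Authentication') -or ($eku -contains 'Smart Card Logon')
            SelfSigned    = ($_.Subject -eq $_.Issuer)
        }
    }
}

$report = Get-UserCertificateReport
$report | Sort-Object NotAfter |
    Format-Table Subject, DaysLeft, HasPrivateKey, ClientAuth, SelfSigned -AutoSize

$report | Where-Object { $_.ClientAuth -and $_.DaysLeft -le $WarnDays } | ForEach-Object {
    Write-Warning "Authentication certificate '$($_.Subject)' expires in $($_.DaysLeft) days"
}

# Export only the public certificate (DER-encoded .cer). Export-Certificate never writes
# the private key; that requires Export-PfxCertificate plus a password, and corresponds
# to the wizard's "Yes, export the private key" choice.
$first = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Select-Object -First 1
if ($first) {
    Export-Certificate -Cert $first -FilePath $ExportPath -Type CERT | Out-Null
    Get-Item $ExportPath | Select-Object FullName, Length
}
```

A certificate without a private key in the personal store cannot be used to authenticate as the user, so HasPrivateKey is the first thing to check when a smart card or 802.1X logon fails.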

Using Biometrics

Biometric authentication uses a scan of a physical characteristic to confirm the identity of a user.

There are a great many third-party biometric authentication solutions available, most of which take the form of fingerprint scanners for laptop computers.

Windows 8 now includes a new component called the Windows Biometric Framework, which provides core biometric functionality and a Biometric Device control panel.

Elevating Privileges

The preferred mechanism for performing tasks that require administrative privileges is to use the Run As feature to execute a program using another account.

Shortcuts in the Start menu have a Run as administrator option in their context menus.

This option causes standard users to receive a credential prompt and administrators to receive an elevation prompt, according to the system's normal User Account Control (UAC) practices.
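An added PowerShell example (not from the slides) that shows the mechanics behind Run as administrator: it tests whether the current session holds the elevated administrator token, reads the User Account Control policy values that decide between a credential prompt and a consent prompt, and relaunches PowerShell through the RunAs verb when the session is not elevated. The registry path and value names are the standard UAC policy settings; nothing else is assumed.

```powershell
# Added example (not from the slides): check elevation state, read the UAC settings that
# govern the credential/consent prompt, and elevate with the RunAs verb only when needed.

function Test-IsElevated {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # With UAC on, an administrator's normal logon token is filtered, so this is true
    # only for the elevated (full) token: it distinguishes "is an admin" from "running as admin".
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled          = [bool]$v.EnableLUA
        # 0 = elevate without prompting, 1 = credentials on secure desktop, 2 = consent on secure desktop,
        # 3 = prompt for credentials, 4 = prompt for consent, 5 = consent for non-Windows binaries (default)
        AdminPromptBehavior = $v.ConsentPromptBehaviorAdmin
        # 0 = automatically deny, 1 = credentials on secure desktop, 3 = prompt for credentials (default)
        UserPromptBehavior  = $v.ConsentPromptBehaviorUser
        SecureDesktopPrompt = [bool]$v.PromptOnSecureDesktop
    }
}

$uac = Get-UacSettings
$uac | Format-List
if (-not $uac.UacEnabled -or $uac.AdminPromptBehavior -eq 0) {
    Write-Warning 'UAC is off or administrators elevate silently: Run as administrator will not prompt.'
}
if ($uac.UserPromptBehavior -eq 0) {
    Write-Warning 'Standard users are denied elevation outright; they will get no credential prompt.'
}

if (Test-IsElevated) {
    Write-Host 'This session is already elevated.'
} else {
    # Same path as the "Run as administrator" context-menu option. UAC decides whether
    # this shows a consent prompt (administrator) or a credential prompt (standard user).
    # The child window lists the token's groups; the elevated one carries "High Mandatory Level".
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', 'whoami /groups | Select-String Mandatory'
}
```

The elevation check is what a setup or maintenance script should run before touching HKLM or Program Files; failing early with a clear message is better than letting half the script succeed under a filtered token.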

Authorizing Users

Authentication confirms a user's identity.

Authorization grants the user access to certain resources.

The most commonly used mechanisms for authorizing users in Windows 8 are the NTFS, share, and registry permission systems.
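An added PowerShell example (not from the slides) of NTFS authorization with Get-Acl and Set-Acl: it grants Modify to a purpose-built local group, Read and Execute to the Authenticated Users special identity described earlier in the lesson, and then audits the folder's ACL for over-broad entries. The folder path and the group name are constructed for the example, and the group must already exist.

```powershell
# Added example (not from the slides): NTFS authorization with Get-Acl / Set-Acl.
# Grants a local group Modify and the Authenticated Users special identity Read,
# then audits the resulting ACL. Folder and group names are constructed.
#Requires -RunAsAdministrator

$Folder = Join-Path $env:SystemDrive 'Shares\Finance'   # constructed path
$Group  = "$env:COMPUTERNAME\Finance-Local"             # constructed local group (must exist)

if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

function New-FolderRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # ContainerInherit + ObjectInherit: subfolders and files inherit the entry, like
    # "This folder, subfolders and files" in the Advanced Security Settings dialog.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Folder
# Stop inheriting from the parent so the folder's permissions are exactly what we set
# (isProtected = $true, preserveInheritance = $false drops the inherited entries).
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @(
        @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
        @{ Identity = $Group;                             Rights = 'Modify' },
        # Special identity: every logged-on user, without enumerating them.
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' })) {
    $acl.AddAccessRule((New-FolderRule -Identity $entry.Identity -Rights $entry.Rights))
}
Set-Acl -Path $Folder -AclObject $acl

function Test-FolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Write access for a catch-all identity is the classic over-broad entry.
        $broad = ($ace.IdentityReference.Value -in 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users') -and
                 ($ace.FileSystemRights -match 'FullControl|Modify|Write')
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            OverBroad = $broad
        }
    }
}

Test-FolderAcl -Path $Folder | Format-Table -AutoSize
```

Because the Modify entry is attached to the group rather than to individual users, adding a user to Finance-Local (as in the earlier snap-in example) is the whole authorization change; the ACL itself never needs editing again.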


    Configuring User Rights

    User Rights Assignments