902 Security Study Guide for the CompTIA® A+ exam

Windows OS Security Settings

You will need to understand the various techniques Windows uses to secure the operating system. Be able to compare and contrast the various tools available to administer Windows-based systems.

Users and Groups

When you log in to Windows, you are logging in to your user account that is defined by the operating system. Groups can be set up that apply rights and privileges to members assigned to the group. As an example, the payroll department may have access to payroll records that are made available exclusively to members of that group.

  • Administrator: There are numerous user accounts, each with specific privileges. The administrator account has the highest level of permissions, allowing the administrator to manage the entire system.

  • Power User: The power user group is assigned to individuals who need additional control inside the operating system to perform their duties. An example would be to grant access to the system tape drive to the individual responsible for system backups.

  • Guest: Guest user accounts can be optionally assigned to users who only need temporary access to a device.

  • Standard user: A standard user is typically anyone who is not an administrator, power user, or guest.

NTFS vs. Share Permissions

On Windows operating systems, there are two types of permissions that can be applied: NTFS and share permissions. NTFS permissions are part of the operating system. When accessing a file on a local system or accessing it over the network, NTFS permissions will apply. Share permissions generally relate to a folder that has been shared over a network. Each can be set to limit access to a file or a folder; however, NTFS permissions will override any share permissions, unless the share permission has been set to deny access.

  • Allow vs. deny: Files and folders have permissions that can be set to allow or deny full control, modify, and/or read access to the contents.

  • Moving vs. copying files: When a user copies a file or a folder, the permissions associated with it may change if it is moved to a non-NTFS partition. When copied within the same or different partition, the copy inherits destination folder permissions. When a user moves a file or folder within the same partition, it retains its original permissions. When moved to a different partition, it inherits the destination folder’s permissions.

  • File attributes: File attributes are what determine a user’s rights to read, write, modify, and hide files.

Shared Files and Folders

Files and folders can be shared by users on a network. This practice enables multiple users to view and/or work on the same material.

  • Administrative vs. local: Local shares are created by users and are listed as available shares to the rest of the network. Administrative shares are created by the operating system and are designed to allow administrative access.

  • Permission propagation: Permissions set on a folder can be inherited by everything inside the folder. Child folders (subfolders) can override inherited permissions. This is referred to as permission propagation or inherited permissions.

  • Inheritance: Inheritance is associated with permissions. When permissions are set in a parent folder, they are inherited by child folders (subfolders); however, if permissions are changed in a child folder, they will have priority over inherited permissions.

System Files and Folders

Windows provides local administrative shares that allow access to key system files and folders. They appear as a share name, followed by a $, which makes the share invisible to users. They can be displayed on the command line with the net share command. Access is provided to the C: drive, C:\windows, and possibly the printer’s folder.
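
The share and NTFS permission layers described above can be listed side by side for every share on a machine, including the hidden administrative ones. This is an added example, not part of the study guide; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the SmbShare module is available.

```powershell
# Added example: list share-level and NTFS permissions for each SMB share.
$report = foreach ($share in Get-SmbShare) {
    # Special = $true marks shares created by the operating system (C$, ADMIN$, IPC$).
    $kind = if ($share.Special) { 'Administrative' } else { 'Local' }

    # Share permissions: evaluated only when the folder is reached over the network.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Share     = $share.Name
            Kind      = $kind
            Layer     = 'Share'
            Identity  = $ace.AccountName
            Type      = "$($ace.AccessControlType)"   # Allow or Deny
            Rights    = "$($ace.AccessRight)"         # Full, Change or Read
            Inherited = $null                         # not applicable to share ACLs
        }
    }

    # NTFS permissions: evaluated for local and network access alike.
    # IPC$ and printer shares have no file-system path, so they are skipped here.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            [pscustomobject]@{
                Share     = $share.Name
                Kind      = $kind
                Layer     = 'NTFS'
                Identity  = "$($ace.IdentityReference)"
                Type      = "$($ace.AccessControlType)"
                Rights    = "$($ace.FileSystemRights)"
                Inherited = $ace.IsInherited          # True = propagated from a parent folder
            }
        }
    }
}

# Full picture, one row per access control entry.
$report | Sort-Object Share, Layer | Format-Table -AutoSize

# Deny entries deserve a separate look because they take precedence over Allow.
$report | Where-Object Type -eq 'Deny' | Format-Table -AutoSize
```

Rows with Inherited set to False on the NTFS layer are permissions set directly on the shared folder rather than propagated from its parent.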

User Authentication

User authentication (login/password) is used to prove that you are a valid account holder on the system. If you are part of a Windows domain, you may have a single sign-on that provides all the credentials needed to access resources anywhere in the system.

Run as Administrator vs. Standard User

When you are logged in to your system, you are usually logged in as a standard user; however, there are occasions when you will need additional rights to administer the system. These occasions include: adding a new driver, installing new software, or editing a system file. To perform any of the administrative functions, users need to implicitly inform the operating system to do so. This is a security feature added to help prevent unauthorized software from being installed without the user’s knowledge.

BitLocker

BitLocker allows users to encrypt an entire volume. If the hard drive is lost or stolen, the data cannot be retrieved without the password.

BitLocker-To-Go

BitLocker-to-go, working in the same manner as BitLocker, allows you to encrypt a thumb drive.

EFS

An encrypted file system (EFS) allows you to selectively encrypt individual files, rather than the entire device. EFS is a feature of NTFS that uses your login name and password to encrypt and decrypt files.

Workstation Security

You will be expected to understand best practices relating to workstation security. Some of the questions will be presented in a user scenario format.

Passwords

Often, the only security a workstation has is the password assigned to it. For that reason, passwords must be strong and must be changed often.

  • Strength: A strong password is one that is at least eight characters long and utilizes special characters, numbers, and a mixture of upper and lower case letters. Avoid names, dates, pet names, and things that can be easily imitated by individuals attempting to break into your system.

  • Expiration: Passwords need to be changed often, so they are frequently set to expire in a certain period of time. This forces the user to create a new password.

  • Default usernames and passwords: Some system devices are preconfigured with default usernames and passwords. These must be changed by the administrator using the same guidelines as a user’s password for strength and expiration.

  • Screensaver required: When a system is left unattended for any period of time, a screensaver with a password needs to be applied. This not only prevents unauthorized access, but hides the contents being displayed on the screen.

  • BIOS/UEFI passwords: The system BIOS should have a password installed to prevent users from modifying system settings. Keep in mind that, if the system case can be opened, the BIOS password can be easily compromised.

  • Requiring passwords: All systems must be configured with strong passwords that are set to expire in a predetermined period of time. Blank passwords or automated logins should never be allowed.

Account Management

You need to be familiar with the following items relating to account management. Limit the number of individuals with administrative access and assign proper permissions based on user needs.

  • User permissions: Users should be given only privileges necessary to perform their jobs and restricted from unauthorized areas. Limit administrative privileges to only a few individuals. Assigning users to groups, when possible, simplifies the administration of large systems.

  • Login time: Limit system usage to certain times. After-hour access may not be necessary for everyone.

  • Guest account: Operating systems include miscellaneous accounts for guests, root, e-mail, etc. These optional accounts, if needed, should have the default login name modified to prevent unauthorized access. Any unnecessary account should be disabled in the operating system.

  • Failed attempts: Failed password attempts could be someone attempting to access your system using a brute force attack. The system should be set to disable a login (lockout) if there are an inordinate number of unsuccessful attempts. The login will remain locked out until the system administrator re-enables it.

  • Timeout/screen lock: Systems should be set up with a timeout screen lock that locks the system if it sits idle for a predetermined amount of time.
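
The account management items above can be checked on a workstation with a short review script. This is an added example, not part of the study guide; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) in an elevated session, and the wording of the findings is illustrative.

```powershell
# Added example: review local accounts against the account management items.

# Administrative access should be limited to a few individuals: list every member.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
"Administrators group has $($admins.Count) member(s):"
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

$findings = foreach ($u in Get-LocalUser | Where-Object Enabled) {
    $sid    = $u.SID.Value
    $issues = @()

    # Built-in accounts are matched by their well-known RID (500 = Administrator,
    # 501 = Guest), so they are still recognized after being renamed.
    if ($sid -like 'S-1-5-21-*-501') {
        $issues += 'built-in Guest account is enabled'
    }
    if ($sid -like 'S-1-5-21-*-500' -and $u.Name -eq 'Administrator') {
        $issues += 'built-in Administrator still uses the default name'
    }

    # Blank passwords should never be allowed.
    if (-not $u.PasswordRequired) {
        $issues += 'blank password permitted'
    }

    # PasswordExpires is empty when no expiration date applies to the account.
    if ($null -eq $u.PasswordExpires) {
        $issues += 'no password expiration date set'
    }

    foreach ($issue in $issues) {
        [pscustomobject]@{ Account = $u.Name; LastLogon = $u.LastLogon; Issue = $issue }
    }
}
$findings | Format-Table -AutoSize

# Minimum password length, maximum password age, and the lockout threshold and
# duration that apply to failed login attempts.
net accounts
```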

Disable Autorun

Autorun was a feature available with Windows Vista that would automatically load and run programs stored on a removable drive, such as a USB drive, a CD or DVD. This caused an obvious security concern and it has been eliminated on all Windows operating systems since Vista. Autorun should be disabled on Vista.

Data Encryption

To protect data from theft, it should be encrypted. BitLocker allows an entire volume to be encrypted and BitLocker-to-go will encrypt data on removable devices. NTFS supports a feature called EFS (encrypting file system) that allows encryption of individual files.

Patch/Update Management

Patches and security updates are critical to maintaining operating system integrity. New vulnerabilities occur frequently and patches are created to address these threats. Patch management is an important requirement for maintaining system security.