Case Scenarios CHAPTER 8 473 Chapter Review To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks: n Review the chapter summary. n Review the list of key terms introduced in this chapter. n Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution. n Complete the suggested practices. n Take a practice test. Chapter Summary n HomeGroups allow for the sharing of resources on home networks. n You can manage shared folders centrally using the Computer Management console. n Libraries are virtual collections of folders that host similar content. n NTFS permissions determine which files a user or group can access on a computer. n Print permissions determine what rights a user has to manage a printer or documents. n BranchCache is a technology that speeds up branch office access to files in remote locations through the caching of previously accessed files on the branch office network. Key Terms Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book. n BranchCache n Encrypting File System (EFS) n HomeGroup n library Case Scenarios In the following case scenarios, you apply what you’ve learned about subjects covered in this chapter. You can find answers to these questions in the “Answers” section at the end of this book. 4 7 4 CHAPTER 8 BranchCache and Resource Sharing Case Scenario 1: Permissions and Encryption A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted volumes, volume C and volume D. The folder C:\Share is shared and has 15 subfolders and hundreds of files. Many of these folders have unique NTFS permissions. You want to move this folder so that it is hosted on volume D because volume C is running out of space. One of the users of computer Waverley will be changing to computer Warrandyte. This user has copied a large number of EFS-encrypted files onto a NTFS-formatted USB flash device. With these facts in mind, answer the following questions: 1. What steps can you take so that the user is able to read the encrypted files on the USB flash device on computer Warrandyte? 2. What steps can you take to ensure that it is possible to recover all files that are encrypted in future? 3. What steps can you take to move the shared folder to volume D? Case Scenario 2: Configuring Contoso Branch Offices You are trying to make the use of WAN bandwidth between Contoso’s head office in Melbourne and branch offices in Wangaratta and Traralgon more efficient. All client computers at Contoso have Windows 7 Enterprise installed. Users turn their computers on and off during the day. If possible, you want to store any BranchCache data so that it is always available. There is a Windows Server 2008 R2 RODC at the Traralgon site named rodc.traralgon.contoso.internal, and there is a Windows Server 2008 RODC named rodc. wangaratta.contoso.internal at the Wangaratta site. You do not plan on upgrading any server operating systems in the near future. With these facts in mind, answer the following questions: 1. Which BranchCache mode should you use at the Wangaratta branch office? 2. Which BranchCache mode should you use at the Traralgon branch office? 3. What steps do you need to take to prepare server rodc.traralgon.contoso.internal to support BranchCache? Suggested Practices To help you master the exam objectives presented in this chapter, complete the following tasks. Configure Shared Resources Perform this practice when logged on to computer Canberra with the Kim_Akers user account. Take a Practice Test CHAPTER 8 475 n Configure a shared printer. Create a local group named PrinterManagers and assign the Manage Printers permission to this group. Configure File and Folder Access Perform both of these practices when logged on to computer Canberra with the Kim_Akers user account. n Practice 1 Use Gpedit.msc and Cipher.exe to configure and assign an EFS recovery agent certificate. n Practice 2 Create a file named Gamma.txt. Use Icacls.exe to assign the Modify (Deny) permission to the file. Use Robocopy.exe to copy Gamma.txt to a new folder while retaining its original permissions. Configure BranchCache Perform this practice when logged on to computer Canberra with the Kim_Akers user account. n Configure computer Canberra using the Netsh command to use local caching only. Take a Practice Test The practice tests on this book’s companion DVD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question. More Info PRACTICE TESTS For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book. CHAPTER 9 477 CHAPTER 9 Authentication and Account Control U ser Account Control (UAC) is a tool for administrators that alerts you to the fact that what you are trying to do requires administrator privileges. You should not be surprised to encounter a UAC prompt when modifying firewall rules. You would be justifiably wary if you encounter a UAC prompt when trying to open a picture of a cat eating a cheeseburger sent to you by your aunt. One of these tasks should require administrator privileges and one of them should not. UAC can protect your computer from malware because it allows you to notice when a program or document that should not require administrative privileges requests them. UAC rarely affects normal users because, by definition, normal users should not be doing anything that requires administrator privileges. In the first part of this chapter, you learn how to configure UAC for your environment so that it warns you when necessary but keeps out of your way the rest of the time. Passwords are the primary method through which you secure a computer running Windows 7. The strength of a password is directly proportional to the strength of the security it provides. If passwords are not secure enough for your environment, you can configure Windows 7 to require a smart card before it allows users to log on. Privileges allow users to perform tasks. You can assign privileges, such as allowing a user to back up a computer in its entirety by adding them to the appropriate group or by configuring the appropriate Group Policy. In the second part of this chapter, you learn how to configure password policies, resolve authentication problems, assign privileges, and back up and restore saved credentials. Exam objectives in this chapter: n Configure User Account Control (UAC). n Configure authentication and authorization. Lessons in this chapter: n Lesson 1: Managing User Account Control 479 n Lesson 2: Windows 7 Authentication and Authorization 493 4 7 8 CHAPTER 9 Authentication and Account Control Before You Begin To complete the exercises in the practices in this chapter, you need to have done the following: n Installed Windows 7 on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7.” real World Orin Thomas T he UAC prompt doesn’t appear capriciously. UAC lets you know if software is doing something suspicious. If you are messing around with the guts of your operating system, you should expect a couple of UAC prompts. This is because you are making substantive changes to the operating system, and you need administrator privileges to do that. However, if you are doing something normal with your computer, such as playing a game or running a word processor (something that shouldn’t require administrative privileges), and you are prompted by UAC, your first thought shouldn’t be “Oh, not that annoying prompt again!” You should be thinking, “Now what on Earth made it do that?” Normal programs do not require administrative privileges to run. This is the key thing to understand about UAC. If UAC does interrupt when you are doing something that isn’t related to your computer configuration, you should get suspicious. UAC is a red flag, a warning you should pay attention to. UAC is the computer’s way of asking you, “Are you sure you want to let this program have administrative rights?” The answer to this question is important. To take control of your computer, malware needs to elevate its privileges so that it can run with administrative rights. Malware authors have a whole bag of tricks that they use to try to get you to run their programs. Sometimes malware try to get you to execute it by piggybacking on another program that you run on a regular basis. You run the program, thinking it is something else and then bang, pwnd! UAC cannot stop you from running the malware, but it warns you when the program tries to do something that requires admin privileges. If you do get prompted when you are doing something that you should be able to do without administrator rights, UAC lets you proceed if you so choose. Of course, if your computer does end up infected with malware, you won’t be able to say that you weren’t warned. Lesson 1: Managing User Account Control CHAPTER 9 479 Lesson 1: Managing User Account Control User Account Control (UAC) is a tool that you will likely use only if your user account is a member of the local administrators group. This is because UAC is disabled by default for standard users, which means that standard users do not, by default, encounter a UAC prompt. UAC settings can be tailored to better meet the needs of your organization. In this lesson, you learn how to configure UAC so that it does not have to run on the Secure Desktop, how to require administrators to enter their credentials rather than just clicking OK, and to configure UAC so that administrators assisting standard users can access elevated privileges. After this lesson, you will be able to: n Configure local security policies related to UAC. n Configure behavior of the User Account Control elevation prompt. n Configure the behavior of Secure Desktop. Estimated lesson time: 40 minutes User Account Control (UAC) UAC is a security feature of Windows 7 that informs you when the action that you want to undertake requires an elevation of privileges. If you logged on with a user account that was a member of the local administrators group in previous versions of Microsoft Windows, such as Windows XP, you automatically had administrator-level access at all times. This, by itself, was not a problem because recommended good practice was that people logged on with accounts that were members of the local administrator group only when they needed to do something related to administration. The problem with this is that people tended to use their administrator account as their normal user account. It was convenient for them because they did not have to log off and log on again each time they wanted to do something related to systems administration. Unfortunately, this behavior presented a security problem because any program run by a user logged on with an administrative account runs with the rights and privileges of that user. UAC resolves this problem by allowing a user that is a member of the local Administrators group to run as a standard user most of the time and to briefly elevate their privileges so that they are running as administrators when they attempt to carry out specific administration-related tasks. To understand UAC, you need to understand the following concepts: n Privilege elevation All users of clients running Windows 7 run with the rights of a standard user. When a user attempts an act that requires administrative privileges, such as creating a new user account, her rights need to be raised from those of a standard user to those of an administrative user. This increase in rights is termed privilege elevation. UAC is a gateway to privilege elevation. It allows users who are members of the local Administrators group to access administrative rights, but ensures that the person accessing the Administrative rights is aware that they are doing so. 4 8 0 CHAPTER 9 Authentication and Account Control This privilege elevation occurs only for a specific task. Another task executed at the same time that also requires privilege elevation generates its own UAC prompt. n Admin Approval mode Admin Approval mode is where an administrator must give explicit approval for elevation to occur by responding to the UAC prompt. The UAC prompt might require either clicking yes, called prompting for consent, or entering a user name and password, which is called prompting for credentials. n Secure Desktop Secure Desktop ensures that malware is unable to alter the display of the UAC prompt as a method of tricking you into allowing administrative access. When you configure UAC to use the Secure Desktop, the desktop is unavailable when a UAC prompt is triggered. You must respond to the UAC prompt before you can interact with the computer. The dimmed screen is actually a screen shot of the current desktop, which is why if you have video running in the background and a UAC prompt uses Secure Desktop, the video appears to freeze. If you do not respond to a UAC prompt on a Secure Desktop after 150 seconds, Windows automatically denies the request for privilege elevation, and the computer returns to the standard desktop. UAC Settings You can determine how intrusive UAC is by configuring the User Account Control Settings dialog box, shown in Figure 9-1. You can access this dialog box from the User Accounts control panel by clicking the Change User Account Control Settings item. The dialog box consists of a slider that allows you to adjust UAC notifications between Always Notify and Never Notify. FIGURE 9-1 User Account Control Settings Lesson 1: Managing User Account Control CHAPTER 9 481 If you make an adjustment using this slider, you are prompted by UAC informing you that the program named UserAccountControlSettings is trying to make a change to your computer. You can see this dialog box in Figure 9-2. This dialog box is a security measure that ensures that malware is unable to modify your UAC settings without you being aware of it. If you see this message and you have not modified UAC yourself, it is likely that malware is attempting to compromise the integrity of your computer. FIGURE 9-2 UAC settings change warning The settings that you can configure using the slider do the following: n Always Notify This is the most secure setting. You are prompted before programs make changes to your computer or Windows settings that require administrator permissions. During notification, your desktop appears dimmed. This is because Secure Desktop has become active. You must respond to the UAC prompt before it is possible to do anything else with the computer. If you do not respond to the UAC prompt after 150 seconds, Windows automatically denies the request for privilege elevation, and the computer returns to the standard desktop. n Notify Me Only When Programs Try To Make Changes To My Computer When this option is set, you are prompted before programs make changes to your computer or Windows settings that require administrator permissions. Notification occurs on the Secure Desktop. If you do not respond to the UAC prompt after 150 seconds, Windows automatically denies the request for privilege elevation. n Notify Me Only When Programs Try To Make Changes To My Computer (Do Not Dim My Desktop) With this option, you are prompted before programs make changes that require administrator permissions. You are not prompted if you try to make changes to Windows settings that require administrator permissions using programs that are included with Windows. You are prompted if a program that is not included with Windows attempts to modify Windows settings. n Never Notify When logged on as an administrator, you are not notified before programs make changes to your computer or to Windows settings. If you are logged on as a standard user, any changes that require administrative privileges are automatically denied. 4 8 2 CHAPTER 9 Authentication and Account Control Quick Check n What is the difference between the Always Notify Me And Dim My Desktop Until I Respond and Always Notify Me UAC settings? Quick Check Answer n The Always Notify Me And Dim My Desktop Until I Respond setting uses Secure Desktop in conjunction with UAC. When the more secure option is in effect, you must respond to the UAC prompt before you can continue to use your computer. If the Always Notify Me setting is enabled, you can continue working without having to respond directly to the UAC prompt. User Account Control Policies You primarily manage UAC settings through Group Policy. The UAC policies are all located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node. There are 10 policies, all of which are prefixed by the name User Account Control, as shown in Figure 9-3. FIGURE 9-3 User Account Control policies In the next few sections, you learn more about these policies and how they influence the operation of User Account Control. UAC: Admin Approval Mode For The Built-In Administrator Account UAC: The Admin Approval Mode For The Built-In Administrator Account policy controls how Administrator Approval mode works for the built-in Administrator account. The built-in Administrator account is disabled by default, so this policy is relevant only if you have enabled . have done the following: n Installed Windows 7 on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7. ” real World Orin Thomas T he UAC. in this chapter: n Lesson 1: Managing User Account Control 479 n Lesson 2: Windows 7 Authentication and Authorization 493 4 7 8 CHAPTER 9 Authentication and Account Control Before You Begin To. this book. 4 7 4 CHAPTER 8 BranchCache and Resource Sharing Case Scenario 1: Permissions and Encryption A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted volumes,