Configuring Windows 7 (Training Kit) - Part 53 potx


Lesson 2: Windows 7 Authentication and Authorization

When a user forgets his password, he is unable to log on to his computer. If he cannot log on to his computer, he cannot do his job. In this lesson, you learn about the methods Windows 7 provides through which you can deal with a forgotten password, from the preventative creation of a password reset disk to having a member of the Administrators local group log on and reset the password. Passwords are not the only way that you can authenticate to a client running Windows 7. Windows 7 supports multifactor authentication, primarily by including drivers that support the Personal Identity Verification (PIV) smart card standard and policies that can require a smart card to log on. In this lesson, you also learn about a new feature named Credential Manager. Credential Manager allows you to back up, restore, and manage saved credentials, such as those for Web sites and terminal services servers. You also learn about assigning user rights and configuring password policies.

After this lesson, you will be able to:
• Back up and restore credentials with Credential Manager.
• Administer certificates with Certificate Manager.
• Use runas to run commands with alternate credentials.
• Configure account and smart card policies.
• Resolve authentication issues.

Estimated lesson time: 40 minutes

Credential Manager

Credential Manager stores logon user names and passwords for network resources, including file servers, Web sites, and terminal services servers. Credential Manager stores user name and password data in the Windows Vault. You can back up the Windows Vault and restore it on other computers running Windows 7 as a method of transferring saved credentials from one computer to another.
Although Credential Manager can be used to back up some forms of digital certificates, it cannot be used to back up and restore the self-signed Encrypting File System (EFS) certificates that Windows 7 generates automatically when you encrypt a file. For this reason, you must back up EFS certificates using other tools. You will learn about backing up EFS certificates later in this lesson.

As Figure 9-11 shows, it is possible to add credentials to the Windows Vault by selecting Remember My Credentials in the Windows Security dialog box. Whenever you choose to remember your credentials, using Windows Internet Explorer, Windows Explorer, or Remote Desktop Connection, Credential Manager transfers them to the Windows Vault.

FIGURE 9-11 Remember My Credentials

You can also preemptively add credentials to the Windows Vault for resources prior to actually accessing them. To add credentials to the Windows Vault, perform the following steps:
1. Open Credential Manager by typing Credential Manager into the Search Programs And Files text box and then clicking Credential Manager on the Start menu.
2. Click the Add a Windows Credential item.
3. In the Add a Windows Credential dialog box, shown in Figure 9-12, enter the Internet or network address, user name, and password of the credential that you want stored in the Windows Vault.

FIGURE 9-12 Adding a Windows Credential

To modify an existing password or to remove an existing credential, click the credential within Credential Manager and then click either the Edit item or the Remove From Vault item, respectively. You can see these items in Figure 9-13. Clicking Edit allows you to modify the user name and password stored in the vault. You would use the edit functionality to update an existing stored password. It is important to note that the existing password is not displayed but is shown as a series of dots.
You cannot use Credential Manager to determine what an existing stored password is—only that the password itself is stored.

FIGURE 9-13 Editing and removing credentials

You can use the Back Up Vault and Restore Vault items, shown in Figure 9-13, to back up and restore credential data, or to transfer credential data between computers. This can be especially useful if a user has a significant number of credentials stored on their computer running Windows 7 and does not want to have to re-enter all of them when they move to a new computer. The backup process involves pressing the Ctrl, Alt, and Del keys at the same time to enter, on the Secure Desktop, the backup password that protects the credentials. When restoring the Windows Vault, you must also press the Ctrl, Alt, and Del keys to enter, on the Secure Desktop, the password that you assigned to the backup. You will back up and restore the Windows Vault in the practice at the end of this lesson.

Using Runas to Run Programs as Another User

The Runas command-line utility enables you to run programs using the credentials of another user. To run the application named Application.exe with an option, enclose the application and the option within quotation marks. To run the program application.exe /option as user Kim_Akers on computer Canberra, issue the command:

Runas /user:Canberra\Kim_Akers "application.exe /option"

When you enter this command, you have to enter the password of the target account. Once you have done this, the application runs using the target user’s security context. The default setting loads the target user’s profile. You can also use the /profile option to force the target user’s profile to be loaded. When the target user’s profile is loaded, you can access files encrypted to the target user’s account because the EFS certificates are stored with the user profile data. Use the /noprofile option to stop the profile from being loaded.
The /savecred option allows you to save the credentials of the target user account. You have to enter the password the first time you use the /savecred option. To access stored credentials with future Runas commands, use the /savecred option and specify the account name. Saved credentials are stored within the Windows Vault and can be managed using Credential Manager. To use Runas with the /savecred option, use the command:

Runas /savecred /user:computername\user name "application.exe /option"

You cannot use the Runas command to execute an application that requires elevation if the target user account is configured to prompt for consent or prompt for credentials. You can use the Runas command to execute an application that requires elevation if the target user account is the built-in administrator account. The built-in administrator account is disabled by default, but it can be enabled through Group Policy. To run the Local Group Policy Editor console from a standard user account when the built-in administrator account has been enabled using Group Policy, use the command:

runas /user:administrator "mmc gpedit.msc"

You can use the /savecred option to save the local Administrator account credentials so that they can be used automatically in the future. You should be careful when doing this because of the security risk that it poses.

Configuring User Rights

You can configure user rights through the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node of Group Policy. This node contains 44 policies, most of which relate to operating system functions that are unlikely to be tested on the 70-680 exam. Most administrators configure user rights by adding users to specific local groups rather than by modifying specific user rights group policies. For example, you can allow a user to back up files and directories by assigning them to the Backup Operators group rather than by modifying the Back Up Files and Directories policy.
The same applies to using Remote Desktop. You can add a user account to the Remote Desktop Users group, or you can modify the Allow Log On Through Remote Desktop Services policy. It is usually easier to add members to the appropriate local groups because it is easier to keep track of which users have been assigned specific rights by examining group membership than it is to examine Group Policy settings. The Windows 7 built-in groups that you can add users to as a method of assigning them rights are as follows:
• Administrators: Members of this group have unrestricted access to the client running Windows 7.
• Backup Operators: Members of this group are able to override file and folder access restrictions for the purpose of backing up data.
• Cryptographic Operators: Members of this group are able to perform cryptographic operations. This group is used only when Windows 7 is deployed in a special configuration called common criteria mode. In this mode, administrators are able to read and write all settings except those related to the cryptography of IPsec policy.
• Distributed COM Users: Members of this group are able to manipulate Distributed COM objects on this computer.
• Event Log Readers: Members of this group can read data stored in the event logs.
• Network Configuration Operators: Members of this group can change Transmission Control Protocol/Internet Protocol (TCP/IP) address settings.
• Performance Log Users: These users can schedule the logging of performance counters, enable trace providers, and collect event traces.
• Performance Monitor Users: These users can access performance counter data locally and remotely.
• Power Users: This group is included for backward compatibility.
• Remote Desktop Users: Members of this group are able to log on remotely through Remote Desktop.
• Replicator: This group is used to support file replication in domain environments.
More Info: DEFAULT LOCAL GROUPS
You can learn more about the default local groups by navigating to the following Microsoft TechNet Web site: http://technet.microsoft.com/en-us/library/cc771990.aspx. You should be aware that some of the groups on this list are relevant only to domain environments.

Quick Check
• How can you delete credentials that you stored when using Runas with the /savecred option?
Quick Check Answer
• You can delete the credentials using Credential Manager.

Smart Cards

Smart cards store digital certificates that you can use for authentication. Smart cards are more secure than authenticating using user names and passwords. This is because it is possible for someone else to learn and use a person’s user name and password without that person being aware of it, but it is very difficult for someone else to possess a smart card without the owner of the smart card becoming aware of the fact that she no longer has it. If a smart card is missing, an administrator can revoke the certificate stored on the smart card. This makes the missing smart card useless. Windows 7 supports the PIV standard that was issued by the National Institute of Standards and Technology (NIST). Support for this standard allows Windows 7 to obtain drivers for smart cards from Windows Update or to use a PIV-compliant mini-driver that is included with Windows 7. The advantage of this is that you can use smart cards directly with Windows 7 without requiring specific vendor software. Smart cards allow you to implement multifactor authentication on clients running Windows 7. Multifactor authentication requires a user to authenticate using two or more separate methods. The user might have to provide a user name/password and smart card, or a user name/password and biometric ID, such as a fingerprint.
The most common form of multifactor authentication used with clients running Windows 7 in enterprise environments is smart card and password authentication. Biometric authentication is more likely to be used on portable stand-alone clients running Windows 7 and cannot be integrated into Active Directory Domain Services (AD DS) without third-party products.

More Info: BIOMETRICS IN WINDOWS 7
Although biometric authentication is unlikely to be tested on the 70-680 exam, you can learn more about support for biometrics at the following Microsoft TechNet Web page: http://technet.microsoft.com/en-us/library/dd367857.aspx.

Windows 7 has the following policies related to smart cards. These policies are located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node and are as follows:
• Interactive Logon: Require Smart Card. When this policy is enabled, users are able to log on to the computer only using a smart card. When the policy is disabled, which is the default setting, users can log on using any method.
• Interactive Logon: Smart Card Removal Behavior. This policy allows you to determine how the computer reacts when a user removes his smart card. The default setting is for no action to be taken if a smart card is removed. The other options that are available are:
  - Lock Workstation: When you implement this setting, Windows 7 locks the screen if the user removes the smart card. The user can only unlock the screen by reinserting the smart card.
  - Force Logoff: When you implement this setting, the user is forcibly logged off.
  - Disconnect If A Remote Desktop Services Session: This setting applies to what is known as Terminal Services sessions hosted on Windows Server 2008. Terminal Services is renamed Remote Desktop Services in Windows Server 2008 R2. This setting forces a disconnection from the Remote Desktop Services session when the user removes his smart card.
More Info: SMART CARDS IN WINDOWS 7
To learn more about using smart cards with Windows 7, consult the following Microsoft TechNet Web page: http://technet.microsoft.com/en-us/library/dd367851.aspx.

Account Policies

Password and account lockout policies, which can be found under the Computer Configuration\Windows Settings\Security Settings node of Group Policy, allow you to configure how passwords work on clients running Windows 7. You can use these policies to configure settings such as the length of time a user can use the same password before needing to change it, whether accounts are locked out after a number of invalid passwords are entered, and whether passwords must meet a set of complexity requirements. You can configure the following password policies:
• Enforce Password History: Use this policy to ensure that people do not use a small set of passwords that they rotate through each time they are asked to update their password. When you configure Enforce Password History, Windows 7 remembers a certain number of prior passwords and does not allow users to set their new password to one they have used previously. When configuring this policy, you specify how many passwords Windows remembers.
• Maximum Password Age: The maximum number of days that a person can keep the same password. Once this limit expires, users must change their password. If a user account has the Password Never Expires setting enabled (not recommended), it is not subject to this policy.
• Minimum Password Age: Use this policy to require that a new password be kept for a minimum number of days before the user is allowed to change it. This stops users from rapidly changing passwords so that they can go through their existing password history and end up keeping the same password they had before they were asked to change it the first time.
• Minimum Password Length: Use this policy to ensure that passwords have a minimum number of characters.
• Password Must Meet Complexity Requirements: Use this policy to require passwords to include three of the following: uppercase letters, lowercase letters, numbers, and symbols. When you enforce this policy, passwords also cannot contain part of the user’s first name, last name, or user name.
• Store Passwords Using Reversible Encryption: Use this policy only if you are using older applications that use older authentication technologies. This policy makes password storage less secure.

You can configure the following account lockout policies:
• Account Lockout Duration: Use this policy to configure the length of time an account is locked out before a user can attempt to log on again.
• Account Lockout Threshold: Use this policy to configure the number of times a user can enter an incorrect password before Windows locks out the account.
• Reset Account Lockout Counter After: Use this policy to specify the period in which Windows records invalid logon attempts. For example, if you set this period to 30 minutes and the Account Lockout Threshold policy is set to 3, three invalid logon attempts in 30 minutes triggers a lockout whereas three invalid logon attempts in 31 minutes will not. A valid logon automatically resets the account lockout counter.

Resolving Authentication Issues

The most common authentication issue that users face is that they have forgotten their password. There are two methods that you can use to deal with this problem: password reset disks and resetting user account passwords. Password reset disks, which can include universal serial bus (USB) storage devices, have the advantage that they allow a user to recover a forgotten password without losing encrypted data. The downside of password reset disks is that you must create one prior to the password being lost.
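To make the account lockout counter semantics described above concrete, here is an added example (Python, not part of the Training Kit) that replays logon attempts against a small model of the three lockout policies. It assumes, as Microsoft documents the policy, that the Reset Account Lockout Counter After window is measured from the most recent failed attempt; the password and the two timelines are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 3          # Account Lockout Threshold (0 = never lock out)
    reset_after: float = 30.0   # Reset Account Lockout Counter After, in minutes
    duration: float = 30.0      # Account Lockout Duration, in minutes (0 = admin unlock only)


@dataclass
class Account:
    policy: LockoutPolicy
    password: str               # constructed sample secret, compared in clear for brevity
    bad_count: int = 0
    last_bad: Optional[float] = None
    locked_at: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.duration == 0:      # stays locked until an administrator unlocks it
            return True
        if now - self.locked_at >= self.policy.duration:
            self.locked_at = None          # lockout expired on its own
            return False
        return True

    def logon(self, now: float, attempt: str) -> str:
        """Return 'locked', 'ok' or 'bad' for a logon attempt at minute `now`."""
        if self.is_locked(now):
            self.events.append(f"{now} min: rejected, account is locked out")
            return "locked"
        if attempt == self.password:
            self.bad_count, self.last_bad = 0, None   # a valid logon resets the counter
            return "ok"
        # Failed attempt: a quiet gap longer than the reset window clears the counter first.
        if self.last_bad is not None and now - self.last_bad > self.policy.reset_after:
            self.bad_count = 0
        self.bad_count, self.last_bad = self.bad_count + 1, now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
            self.bad_count, self.last_bad = 0, None
            self.events.append(f"{now} min: threshold reached, account locked out")
        return "bad"

    def admin_unlock(self) -> None:
        """Clearing Account Is Locked Out in Computer Management leaves the password untouched."""
        self.locked_at = None


def run(attempts, policy: LockoutPolicy = LockoutPolicy()) -> List[str]:
    """Replay (minute, password) pairs against a fresh account and return the outcomes."""
    acct = Account(policy, password="correct horse")
    return [acct.logon(t, p) for t, p in attempts]


# Constructed timelines. Three wrong passwords inside 30 minutes lock the account on
# the third; the same three spread so that the window expires between them do not.
QUICK = [(0, "x"), (10, "y"), (20, "z"), (21, "correct horse")]
SPREAD = [(0, "x"), (1, "y"), (32, "z"), (33, "correct horse")]

if __name__ == "__main__":
    print(run(QUICK))    # ['bad', 'bad', 'bad', 'locked']
    print(run(SPREAD))   # ['bad', 'bad', 'bad', 'ok']
```

Once the lockout duration has elapsed the account accepts the correct password again, whereas with a duration of 0 only admin_unlock clears it.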
Another disadvantage is that they can be used by anyone to recover that specific account’s password, so they must be kept in a secure location because anyone who has access to the disk can gain access to the user’s computer. You can create a password reset disk, which can store password reset data on a floppy disk or a USB flash disk, by using the Create A Password Reset Disk item in the User Accounts Control Panel. Clicking the Create A Password Reset Disk item starts the Forgotten Password Wizard. When you use the wizard, you choose which removable storage device you will store the data on and then enter the current user account password, as shown in Figure 9-14. You can activate the Password Reset Wizard once an incorrect password is entered on the Windows 7 logon screen. When using this wizard, the user specifies the password reset disk’s location (either floppy disk or USB device) and then enters the new password. The user still has access to all her encrypted data.

FIGURE 9-14 Creating a password reset disk

If a user has forgotten her password and there is no password reset disk available, it will be necessary to change the password. This can be done through the Users node of the Computer Management console or by using the Manage Accounts option within the User Accounts Control Panel. Only members of the local Administrators group can change another user’s password. When you change a user’s password, the user loses all access to EFS-encrypted files, personal certificates, and stored passwords that are kept in the Windows Vault in Credential Manager, as displayed in Figure 9-15. If the user has backed up these passwords and certificates, it is possible to recover some items by restoring the Windows Vault. If the user has backed up her EFS key, she can access her encrypted files by restoring that key. You will learn about backing up and restoring EFS keys later in this lesson.
It is also possible for an administrator to recover EFS-encrypted files if there is an existing EFS recovery agent configured for the computer. You learned about creating EFS recovery agents in Chapter 8, “BranchCache and Resource Sharing.”

FIGURE 9-15 Change Password warning

If you have configured account lockout policies, a user may have his account locked out if he enters an incorrect password the number of times specified in the policy. You can unlock the account by editing the account properties using the Computer Management console and clearing the check box next to the Account Is Locked Out setting, as shown in Figure 9-16. Only members of the local Administrators group can unlock accounts. Unlocking an account does not reset the account password and has no impact on stored credentials or EFS certificates. A user that has an unlocked account still needs to remember his password before he is able to log on to the computer running Windows 7.

FIGURE 9-16 Account lockout

Managing Certificates

Although you cannot use Credential Manager to back up EFS certificates, Windows 7 includes three other tools that you can use to perform this task. These are the Certificates console (Certmgr.msc), the Manage File Encryption Certificates tool, and the Cipher.exe command-line tool. Each of these tools can be used to back up or export an existing EFS certificate to a password-protected PFX file. This PFX file can then be imported on other computers, or back to the original computer if necessary, either by using these tools or by double-clicking the PFX file in Windows Explorer. Most users will use the Manage Your File Encryption Certificates tool, shown in Figure 9-17, to back up their EFS certificates because it is easier to use than the other tools. This tool comprises a wizard that can be used either to back up your certificates or to configure EFS to use a smart card.
The tool is accessed by typing Manage File Encryption Certificates into the Search Programs And Files text box. Using the wizard, you select the certificate that you want to back up, the location where the backup will be stored, and the password used to protect the backup. The Certificates console, shown in Figure 9-18, can also be used to back up EFS certificates. This console can be opened by typing certmgr.msc into the Search Programs And Files text box. Certificates can be exported to password-protected PFX files by right-clicking the certificate that you want to export and then clicking Export. This console is less likely to be used by normal users because it is less intuitive than the Manage Your File Encryption Certificates tool. You have to remember that your EFS certificate is stored under the Personal\Certificates node, something that might not be obvious to a non-technical user.

Posted: 02/07/2014, 10:20
