Lesson 2: Windows 7 Authentication and Authorization (Chapter 9)

FIGURE 9-17 Backup EFS certificate
FIGURE 9-18 Certificates Console (Certmgr.msc)

EFS keys can also be backed up from the command line using the Cipher.exe command-line utility. When you back up your key, Cipher displays a warning in the command prompt window that the backup is about to take place and asks you for a password to protect the exported key. The command to back up the current user's EFS certificate and private key is:

    Cipher.exe /x filename

Cipher appends the .pfx extension itself, so supply the path without an extension; the command above creates filename.pfx.

EXAM TIP
Remember what tasks you can complete with Credential Manager.

Practice: Managing Credentials

The Windows Vault stores login names and passwords. This is useful when you need to access resources outside a domain network and have trouble remembering the unique user name and password required for each resource. In this practice, you explore the Windows Vault and the Runas utility, learn what each does, and see how you might use them when deploying Windows 7 in your own network environment.

Exercise 1: Exploring Runas Credentials and Credential Manager

In this exercise, you use the Runas command to run several applications with another user's credentials. You save those credentials to the Windows Vault, verify that they have been saved, and then remove them. To complete this exercise, perform the following steps:

1. Log on to computer Canberra with the Kim_Akers user account.
2. In the Search Programs And Files text box, type Credential Manager. Click Credential Manager. Verify that no credentials are currently stored under any category. Close Credential Manager.
3. Open an elevated command prompt and issue the following command:
       Net user Dan_Park P@ssw0rd /ADD
4. Close the elevated command prompt. Open a normal command prompt and issue the following command, which opens Notepad:
       Runas /savecred /user:Canberra\Dan_Park notepad
5. Enter the password P@ssw0rd when prompted. Close Notepad. Enter the following command at the command prompt:
       Runas /user:Canberra\Dan_Park write
6. Note that you needed to enter the password to run WordPad: Runas only consults the Windows Vault when the command includes /savecred. Close WordPad. Enter the following command at the command prompt to open Microsoft Paint:
       Runas /savecred /user:Canberra\Dan_Park mspaint
7. Note that you did not need to enter a password because the saved credentials were used. Close Paint.
8. In the Search Programs And Files text box, type Credential Manager. Click Credential Manager. Click the Canberra\Dan_Park item under Windows Credentials, as shown in Figure 9-19.

FIGURE 9-19 Stored credentials

9. Click Remove From Vault to remove the Dan_Park credentials. Click Yes when prompted by the Delete Windows Credential dialog box. From the command prompt, again issue the following command:
       Runas /savecred /user:Canberra\Dan_Park mspaint
10. Note that this time you must enter the password because the credentials are no longer stored in the Windows Vault (by running this command, however, you have added them again).

Exercise 2: Adding a Credential and Backing Up and Restoring the Windows Vault

In this exercise, you add a second credential to the Windows Vault, which already holds the one you re-created at the end of the previous exercise. You then back up the Windows Vault, delete both credentials, and restore them by restoring the Windows Vault. To complete this exercise, perform the following steps:

1. If you have not done so already, log on to computer Canberra with the Kim_Akers user account. Use Windows Explorer to create the directory C:\Vault.
2. In the Search Programs And Files text box, type Credential Manager. Click Credential Manager.
3. Verify that the Canberra\Dan_Park (Interactive Logon) credential is present in Credential Manager. You re-created this credential in step 9 of Exercise 1.
4. Click Add A Windows Credential. In the Add A Windows Credential dialog box, enter the following credentials:
   - Internet Or Network Address: Aberdeen.contoso.internal
   - User name: Sam_Abolrous
   - Password: P@ssword
5. Click OK to close the Add A Windows Credential dialog box.
6. Click the Back Up Vault item. This opens the Stored User Names And Passwords dialog box. In the Back Up To text box, click Browse. Navigate to C:\Vault\, enter the name Winvault, and click Save. Click Next.
7. Press Ctrl+Alt+Delete to continue the backup on the Secure Desktop, as shown in Figure 9-20.

FIGURE 9-20 Backup on Secure Desktop

8. Enter the backup password P@ssw0rd twice and then click Next. Click Finish.
9. Use Credential Manager to remove the Aberdeen.contoso.internal and Canberra\Dan_Park (Interactive Logon) credentials.
10. Click the Restore Vault item.
11. Click Browse, browse to C:\Vault\Winvault.crd, and then click Next.
12. Press Ctrl+Alt+Delete to continue restoring logon credentials on the Secure Desktop.
13. Enter the password P@ssw0rd in the Stored User Names And Passwords dialog box, as shown in Figure 9-21, and then click Next.

FIGURE 9-21 Restoring password

14. Click Finish when you are informed that your logon credentials have been restored.
15. Close and reopen Credential Manager to verify that the deleted logon credentials have been recovered.

Lesson Summary

- Credential Manager allows you to manage passwords for Web sites, Terminal Services and Remote Desktop sessions, stand-alone network resources, and smart card certificates. You can use Credential Manager to back up and restore these credentials.
- The Runas utility allows you to run programs using alternate credentials. The /savecred option stores the password associated with these alternate credentials in the Windows Vault, where it remains until you remove it.
- You can use Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool to back up EFS certificates.
- Users can create a password reset disk to assist them if they forget their password. A password reset disk must be created before the password is forgotten.
- Members of the local Administrators group can reset the passwords of users who have forgotten them.
- Group policies can be configured to enforce multifactor authentication by requiring users to log on with smart cards.
- You can assign rights to users by adding them to the appropriate built-in local group or by assigning them rights through Group Policy.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, "Windows 7 Authentication and Authorization." The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE: ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.

1. You have used Runas with the /savecred option to save the credentials of an administrator account on a client running Windows 7. You have finished performing the tasks that you needed to and now want to remove those credentials from the computer. Which of the following tools could you use to do this?
   A. Runas
   B. Credential Manager
   C. The Certificates console
   D. UAC settings
2. You want to ensure that users are forcibly logged off from their computers running Windows 7 if they remove their smart cards. Which of the following policies and settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)
   A. Interactive Logon: Smart Card Removal Behavior Properties: No Action
   B. Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation
   C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
   D. Interactive Logon: Require Smart Card: Enabled
3. A user has forgotten the password to the stand-alone desktop computer running Windows 7 that she uses at your organization. The user does not have a password reset disk. You have an account on this computer that is a member of the local Administrators group. Which of the following steps can you take to resolve this user's authentication problem?
   A. Unlock her account
   B. Reset her password
   C. Create a password reset disk for her account
   D. Create a password reset disk for your account
4. You want to ensure that users of stand-alone clients running Windows 7 in your organization change their passwords every three weeks. Which of the following policies should you configure on each computer to accomplish this goal?
   A. Enforce Password History
   B. Minimum Password Length
   C. Minimum Password Age
   D. Maximum Password Age
5. Which of the following tools can users use to back up the EFS certificate created when they encrypt a file on a stand-alone computer running Windows 7? (Choose all that apply.)
   A. Credential Manager
   B. The Manage File Encryption Certificates tool
   C. The Certificate Manager console
   D. Cipher.exe

Chapter Review

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:

- Review the chapter summary.
- Review the list of key terms introduced in this chapter.
- Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
- Complete the suggested practices.
- Take a practice test.

Chapter Summary

- UAC can be configured to either prompt for credentials or prompt for consent. When prompting for credentials, you must enter your user account password.
- When Secure Desktop is implemented, users must respond to a UAC prompt before they can continue working with their computer.
- UAC is configured through Group Policy.
- Credential Manager stores credentials entered into Internet Explorer, Remote Desktop Connection, and Windows Explorer when connecting to remote servers. You can back up and restore these credentials.
- Password and account lockout policies determine how often passwords must be changed, whether users are locked out after entering successive incorrect passwords, and how complex passwords must be.
- Forgotten passwords can be recovered with a password reset disk. An administrator can reset a forgotten password, but the user's stored credentials and access to EFS-encrypted files may be lost.
- You can back up EFS certificates using Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool.
- You can enforce multifactor authentication on a client running Windows 7 by configuring smart card policies.

Key Terms

Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.

- multifactor authentication
- privilege elevation
- Secure Desktop

Case Scenarios

In the following case scenarios, you apply what you have learned about subjects covered in this chapter. You can find answers to these questions in the "Answers" section at the end of this book.

Case Scenario 1: User Account Control at Coho Vineyard

You are developing UAC policies for the deployment of clients running Windows 7 at Coho Vineyard. Administrators often have to help standard users using Remote Assistance. At times, it is necessary for administrators to perform actions that require elevation. Administrators should have to provide their authentication credentials when performing an action that triggers an elevation prompt. The administrators should be able to continue using other parts of the operating system and should not have to respond to the elevation prompt immediately. All approved applications at Coho Vineyard have been digitally signed by the application publisher. With these facts in mind, answer the following questions:

1. Which policies do you need to configure to support the elevation requirements for administrators?
2. Which policies do you need to configure to support elevation during Remote Assistance?
3. Which policy do you need to configure to ensure that only approved applications can initiate elevation?

Case Scenario 2: Resolving Password Problems at Wingtip Toys

Wingtip Toys has 20 people who use stand-alone computers running Windows 7. One of the users recently forgot his password. You were able to reset this user's password, but the user lost access to several important encrypted documents as well as all of his stored Web site credentials. You are in the process of developing a policy to ensure that this type of data loss does not happen again. You also want to ensure that users do not keep the same passwords: several appear to have been using the same password for the last few months without changing it, even though your company policy states that passwords should be changed every month. With these facts in mind, answer the following questions:

1. What steps can you take to ensure that users do not lose access to encrypted documents or credentials if their password is reset?
2. What steps can you take to ensure that users are able to recover their own forgotten passwords?
3. What steps can you take to ensure that users regularly change their passwords and do not cycle through the same small number of passwords?

Suggested Practices

To help you master the exam objectives presented in this chapter, complete the following tasks.
Configure User Account Control (UAC)

You should perform the first practice and then test it using one of the standard user accounts that you created in previous exercises. The second practice requires two computers.

- Practice 1: Configure UAC policies using the Local Security Policy console so that standard users are prompted for credentials when performing an activity that requires elevated privileges, such as attempting to open an elevated command prompt.
- Practice 2: Configure UAC policies using the Local Security Policy console so that a user in the helper role can respond to a UAC prompt by entering their credentials while connected remotely through Remote Assistance. Use the computer named Aberdeen, which you configured in Chapter 6, "Network Settings," as the computer from which the Remote Assistance invitation is sent.

Configure Authentication and Authorization

You should perform both of these practices. The first requires access to a floppy disk or a USB storage device.

- Practice 1: Create a password reset disk for a user account other than Kim_Akers. Use the password reset disk to reset that account's password and log on with it.
- Practice 2: Use the Manage File Encryption Certificates tool to back up an EFS certificate.

Take a Practice Test

The practice tests on this book's companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.

MORE INFO: PRACTICE TESTS
For details about all the practice test options available, see the section entitled "How to Use the Practice Tests" in the Introduction to this book.
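The following PowerShell script is an added example for this chapter's hands-on material and is not code from the training kit. It reproduces the Runas /savecred and Credential Manager steps of Exercises 1 and 2 from the command line with cmdkey.exe, and the Cipher.exe /x backup described at the start of Lesson 2, then checks the results the way a practitioner would before trusting them. It assumes Windows 7 with PowerShell 2.0 or later, the English cmdkey.exe output format (Runas entries listed with a Target of Domain:interactive=COMPUTER\User and "Windows credentials" with Domain:target=host), and the book's fictional names (Canberra, Kim_Akers, Dan_Park, Sam_Abolrous, Aberdeen.contoso.internal, C:\Vault); the function names are this example's own.

```powershell
# Added example for Exercises 1 and 2 and the Cipher.exe /x backup; not from the training kit.
# Assumes Windows 7 / PowerShell 2.0+, English cmdkey.exe output, and the book's fictional names.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

function Get-VaultCredential {
    # Parses 'cmdkey /list' into objects. 'Runas /savecred' entries have a Target of the form
    # Domain:interactive=COMPUTER\User (Credential Manager shows them as "COMPUTER\User
    # (Interactive Logon)"); 'Add a Windows credential' entries use Domain:target=host.
    $entries = @()
    $current = $null
    foreach ($line in (& cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $current = New-Object PSObject -Property @{ Target = $matches[1]; Type = $null; User = $null }
            $entries += $current
        } elseif ($current -ne $null -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $matches[1]
        } elseif ($current -ne $null -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $matches[1]
        }
    }
    $entries
}

function Remove-VaultCredential {
    param([Parameter(Mandatory = $true)][string]$Target)
    # Command-line equivalent of "Remove from vault" in Credential Manager.
    & cmdkey.exe "/delete:$Target" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cmdkey could not delete '$Target'" }
}

function Get-EfsCertificate {
    # Certificates in the user's Personal store that EFS can use and whose private key is present.
    # These are the keys an administrator password reset can strand, so they are what you back up.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Backup-EfsCertificate {
    param([Parameter(Mandatory = $true)][string]$BaseName)
    # Cipher appends .pfx itself, so pass the path without an extension. It prompts in the console:
    # confirm with Y, then type the password that protects the exported private key twice.
    & cipher.exe /x $BaseName
    $pfx = "$BaseName.pfx"
    if (-not (Test-Path $pfx)) { throw "Cipher did not create $pfx" }
    Get-Item $pfx
}

function Test-EfsBackup {
    param([Parameter(Mandatory = $true)][string]$PfxPath,
          [Parameter(Mandatory = $true)][System.Security.SecureString]$Password)
    # Opens the exported .pfx with its password and checks that it holds an EFS certificate together
    # with its private key; a certificate-only (.cer) export would look like a backup but fail here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password
    $efsEku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $EfsEkuOid }
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        IsEfsCert     = [bool]$efsEku
        Usable        = ($cert.HasPrivateKey -and [bool]$efsEku)
    }
}

# --- Walk-through mirroring Exercises 1 and 2 (run as Kim_Akers from a non-elevated prompt) ---
# Save Dan_Park's password the way step 4 of Exercise 1 does; you are prompted for P@ssw0rd once.
& runas.exe /savecred /user:Canberra\Dan_Park notepad.exe
# Add the same "Windows credential" as step 4 of Exercise 2 without opening Credential Manager.
& cmdkey.exe /add:Aberdeen.contoso.internal /user:Sam_Abolrous '/pass:P@ssword'
Get-VaultCredential | Format-Table Target, Type, User -AutoSize
# Remove only the Runas entry: while it exists, anything started in Kim_Akers's session can run
# as Dan_Park without a password, which is exactly what step 7 of Exercise 1 demonstrates.
Get-VaultCredential | Where-Object { $_.Target -like 'Domain:interactive=*' } |
    ForEach-Object { Remove-VaultCredential -Target $_.Target }
# Back up the EFS certificate to C:\Vault\EfsKey.pfx and prove the file really contains the key.
Get-EfsCertificate | Format-Table Subject, Thumbprint, NotAfter -AutoSize
$pfx = Backup-EfsCertificate -BaseName 'C:\Vault\EfsKey'
Test-EfsBackup -PfxPath $pfx.FullName -Password (Read-Host 'Password used for the backup' -AsSecureString)
```

Two points the GUI steps do not make obvious: cmdkey can list, add and delete vault entries but never reveals a stored password, and Credential Manager's Back Up Vault and Restore Vault (the encrypted .crd file) have no command-line counterpart in this chapter, so the .crd backup remains the way to move saved passwords between machines. The Test-EfsBackup check matters because only a .pfx that opens with the backup password and reports HasPrivateKey as true can later decrypt the user's files; anything else is not a usable EFS backup.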