Right-click the Personal folder, select All Tasks, and then Request New Certificate from the context menu

Part of the document mcsa_pearson.mcsa.70-697.and.70-698.cert.guide.configuring.windows.devices (Pages 433 - 448)

Step 3. The next page gives you information about the request you are about to make. Click Next.

Step 4. On the next page, select the Active Directory Enrollment Policy and then click Next.

Step 5. The next page displays the types of certificates you can request from the domain’s PKI. Check the box next to User and then click Enroll.

Step 6. The last screen will confirm the status of the enrollment request. Click the Finish button to dismiss the dialog.

Step 7. You can expand the Personal and Certificates folder to confirm that the certificate is installed. Double-click the certificate to view the details.

Note

Enterprise Certificate Services is beyond the scope of the 70-697 exam and this text. If you would like to learn more about implementing and managing a PKI in a Windows environment, refer to "Active Directory Certificate Services Overview" at http://technet.microsoft.com/library/hh831740. Although the information refers to Windows Server 2012, no functionality has changed for Windows Server 2016.

Configuring Computer and User Authentication

You should understand some of the ways Windows helps secure authentication in Windows 10 computers to prevent sniffing, dictionary attacks, brute-force password hacking, and other threats to user credential security. This section covers Secure Channel, which implements private, cryptographic security for data in motion, including passing credential information. You also learn about account policies that you can enforce to help ensure that user credentials are more difficult to guess.

Secure Channel

Secure Channel is a security support provider (SSP), commonly known as Schannel, which provides security using a set of security protocols for authentication and encrypted communications. Schannel on Windows systems is used to implement HTTPS (secure HTTP), among other things.

Confidentiality of network communication is implemented using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and Schannel handles the implementation of these protocols in Windows. Note that TLS is simply an updated version of the SSL protocol; however, due to recent revelations about vulnerabilities in the encryption of SSL communications, SSL 2.0 and SSL 3.0 are considered insecure, and the recommendation is to restrict the use of these protocols in favor of TLS 1.0, 1.1, or 1.2. All these network layer encryption protocol versions are still typically referred to as SSL.

SSL encryption is a form of public-key cryptography, using certificates which can be generated from a commercial Certificate Authority (CA) or using an organization’s PKI and private CA such as the Active Directory Certificate Services (AD CS) on Windows Server. The certificate consists of both a public key and a private key. When secure communications are set up between two computers, they first exchange keys, and each computer then has the public key of the other. When the first computer encrypts a message, it uses the destination’s public key.

Authentication also uses public-key cryptography, but it works in reverse. If you want someone to be confident that a message is coming only from you, you can use your private key to encrypt it. Anyone can decrypt the message using your public key, so the decryption process authenticates that the message was encrypted by you, the only person with the private key.

SSL communication uses both techniques. You want to be sure that when your web browser connects to your bank, you are really communicating with your bank’s website and not someone that wants to steal your credentials. Your browser knows the CA that issued your bank’s certificate and can successfully decrypt the message and confirm that it really is the bank. This trust chain is the first step, using authentication to establish a trust. At that point, you can exchange public keys and set up a secure channel for communication using each other’s public key, which can only be decrypted by the other party.

Secure channel is also used to establish the trust relationship between AD domain controllers in a domain and the computers that are joined to the domain. When you join a computer to a domain, a computer account is created with an authentication and a password. You never see this password, but it’s needed by your computer to communicate with the domain and access resources. By default, a domain-joined computer contacts a domain controller and changes its password every 30 days. When the password does not match, Windows displays the error message The Trust Relationship Between This Workstation and the Primary Domain Failed. When this happens, it may be necessary to rejoin the workstation to the domain. You can also use a PowerShell command to reset the machine password. Running the Reset-ComputerMachinePassword cmdlet from an administrative PowerShell prompt will fix this broken secure channel issue. You will need to run this command using a Domain Administrator account, or an account with privileges to reset computer accounts on the domain. To specify a credential, use the -Credential command-line switch and specify your domain username. You will be prompted for your password.
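A check-then-repair version of the reset described above, as an added example that is not from the book. It also uses Test-ComputerSecureChannel, a built-in Windows PowerShell cmdlet the text does not mention; CONTOSO\helpdesk-admin is a placeholder account name.

```powershell
# Added example: verify the machine account secure channel and reset the
# machine password only when the channel is actually broken.
# Run from an elevated Windows PowerShell prompt on the domain-joined workstation.

function Repair-SecureChannelIfBroken {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Account allowed to reset computer accounts in the domain.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $Credential
    )

    # Returns $true when the locally stored machine password still matches
    # the password held on the computer account in Active Directory.
    if (Test-ComputerSecureChannel) {
        Write-Output 'Secure channel is healthy; no reset needed.'
        return
    }

    Write-Warning 'Secure channel is broken (machine password mismatch).'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset machine account password')) {
        Reset-ComputerMachinePassword -Credential $Credential -ErrorAction Stop

        # Confirm the fix instead of assuming it worked.
        if (Test-ComputerSecureChannel) {
            Write-Output 'Secure channel repaired without rejoining the domain.'
        } else {
            Write-Error 'Reset did not restore the secure channel; a domain rejoin may be required.'
        }
    }
}

# Get-Credential prompts for the password, so it never appears in the script
# or in the command history. The user name below is a placeholder.
$cred = Get-Credential -UserName 'CONTOSO\helpdesk-admin' `
                       -Message 'Account with rights to reset computer accounts'
Repair-SecureChannelIfBroken -Credential $cred
```

Adding -WhatIf to the last call reports what would be reset without changing the machine password.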

Account Policies

One of the most important security measures you can take is to ensure that users’ passwords are complex, changed regularly, and kept secure. By default, Windows will allow fairly weak passwords and does not force users to change them at any regular interval. You should know how to enforce good password practices in Windows.

In a secure environment, you may want to modify some account policies used by your organization. For domain-joined computers you can use Group Policy Objects to set account policies and enforce them for the entire domain or specific groups. These policies are found in GPOs under Computer Configuration\Windows Settings\Security Settings\Account Policies. You can also set the policies on nondomain devices using the Local Security Policy applet.

The most important set of policies is found under the Password Policy heading. Review Table 7-4 for the password policies you can configure.

Table 7-4. Account Policies for Passwords

| Policy Name | Description | Settings |
|---|---|---|
| Enforce Password History | This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. | Enable this setting and specify the number of passwords to remember. The value must be between 0 and 24 passwords. |
| Maximum Password Age | This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. | You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. |
| Minimum Password Age | The minimum password age must be less than the maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. Configure the minimum password age to be more than 0 if you want Enforce Password History to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. | If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Otherwise, it must be less than the maximum password age. |
| Minimum Password Length | This security setting determines the least number of characters that a password for a user account may contain. | You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. |
| Password Must Meet Complexity Requirements | This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters • Be at least six characters in length • Contain characters from three of the following four categories: English uppercase characters (A through Z); English lowercase characters (a through z); Base 10 digits (0 through 9); Non-alphabetic characters (for example, !, $, #, %) | Enabled (enforce complexity) or Disabled (do not require complex passwords). |
| Store Passwords Using Reversible Encryption | This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plain text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. | Enabled (use reversible encryption) or Disabled (use nonreversible encryption). |
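One way to audit a machine against the relationships Table 7-4 describes, as an added example that is not from the book. It assumes the policy is read with secedit.exe, whose export stores these settings in a [System Access] section; the sample values are constructed.

```powershell
# Added example: flag password policy settings that undermine each other.

function Get-LocalPasswordPolicy {
    # Exports the effective local security policy (elevated prompt required)
    # and returns the numeric [System Access] settings as a hashtable.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $policy  = @{}
        $section = ''
        switch -Regex (Get-Content -Path $cfg) {
            '^\[(.+)\]\s*$' { $section = $Matches[1]; continue }
            '^\s*(\w+)\s*=\s*(-?\d+)\s*$' {
                if ($section -eq 'System Access') { $policy[$Matches[1]] = [int]$Matches[2] }
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][hashtable] $Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.PasswordHistorySize -gt 0 -and $Policy.MinimumPasswordAge -eq 0) {
        $findings.Add('Enforce Password History is set but Minimum Password Age is 0: users can cycle back to an old password.')
    }
    # Any exported value below 1 is treated here as "passwords never expire".
    if ($Policy.MaximumPasswordAge -lt 1) {
        $findings.Add('Maximum Password Age: passwords never expire.')
    } elseif ($Policy.MinimumPasswordAge -ge $Policy.MaximumPasswordAge) {
        $findings.Add('Minimum Password Age must be less than Maximum Password Age.')
    }
    if ($Policy.MinimumPasswordLength -eq 0) {
        $findings.Add('Minimum Password Length is 0: no password is required.')
    }
    if ($Policy.PasswordComplexity -ne 1) {
        $findings.Add('Password Must Meet Complexity Requirements is disabled.')
    }
    if ($Policy.ClearTextPassword -eq 1) {
        $findings.Add('Store Passwords Using Reversible Encryption is enabled.')
    }
    $findings
}

# Constructed sample: history is enforced but defeated by a zero minimum age,
# and reversible encryption is switched on.
$sample = @{
    PasswordHistorySize   = 24
    MinimumPasswordAge    = 0
    MaximumPasswordAge    = 42
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    ClearTextPassword     = 1
}
Test-PasswordPolicy -Policy $sample

# Against the live machine:
# Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy)
```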

Configuring NTFS Permissions

The New Technology File System (NTFS) that has existed since the early days of Windows NT enables you to secure and manage access to resources on both a network level and on a local level. These NTFS file and folder permissions are also known as security permissions; they can apply to both files and folders, and they apply on your computer to files and folders whether a folder is shared or not shared at all. Keep in mind, however, that although Windows 10 supports FAT and FAT32 partitions, NTFS permissions apply only on partitions that are formatted using NTFS. Because you are already familiar with shared folder permissions, we will use that as a jumping-off point to describe NTFS permissions.

NTFS File and Folder Permissions

Like the shared permissions, which you learn about in detail in Chapter 14, NTFS permissions for a folder control how users access a folder. Windows stores an access control list (ACL) with every file and folder on an NTFS partition. The ACL is a list of users and groups that have been granted access for a particular file or folder, as well as the types of access that the users and groups have been granted. Collectively, these kinds of entries in the ACL are called access control entries (ACEs). If you think of the ACL as a list, it isn’t hard to conceive that a list contains entries of various kinds. Windows uses the ACL to determine the level of access a user should be granted when he attempts to access a file or folder.

NTFS file permissions control what users can do with files within a folder. More specifically, the permissions control how users can alter or access the data that files contain. Table 7-5 describes the standard NTFS file permissions in detail.

Table 7-5. NTFS File and Folder Permissions

| Permission | What a User Can Do on a Folder | What a User Can Do on a File |
|---|---|---|
| Full Control | Change permissions, take ownership, and delete subfolders and files. All other actions allowed by the permissions listed in this table are also possible. | Change permissions, take ownership, and perform all other actions allowed by the permissions listed in this table. |
| Modify | Delete the folder as well as grant that user the Read permission and the List Folder Contents permission. | Modify a file’s contents and delete the file as well as perform all actions allowed by the Write permission and the Read and Execute permission. |
| Read & Execute | Run files and display file attributes, owner, and permissions. | Run application files and display file attributes, owner, and permissions. |
| List Folder Contents | List a folder's contents; that is, its files and subfolders. | (n/a) |
| Read | Display file names, subfolder names, owner, permissions, and file attributes (Read Only, Hidden, Archive, and System). | Display data, file attributes, owner, and permissions. |
| Write | Create new folders and files, change a folder's attributes, and display owner and permissions. | Write changes to the file, change its attributes, and display owner and permissions. |

Applying NTFS Permissions

It is simple to apply NTFS permissions, as the following procedure shows:

Step 1. From File Explorer, right-click a folder or file and choose Properties.

Step 2. Select the Security tab of the Properties dialog box. Also known as the ACL Editor, the Security tab enables you to edit the NTFS permissions for a folder or file.

Step 3. Click Edit to display the dialog box shown in Figure 7-37. You can configure the options described in Table 7-6 and either allow or deny the permissions already described in Table 7-5.

Figure 7-37. Permissions for (File/Folder Name) Dialog Box Enabling You to Configure Security Permissions

Table 7-6. Security Tab Options

| Option | Description |
|---|---|
| Group or usernames | Start by selecting the user account or group for which you want to change permissions or that you want to remove from the permissions list. |
| Permissions for (user or group name as specified) | Select the Allow check box to allow a permission. Select the Deny check box to deny a permission. |
| Add | Click Add to open the Select User or Group dialog box to select user accounts and groups to add to the Name list. |
| Remove | Click Remove to remove the selected user account or group and the associated permissions for the file or folder. |

Step 4. When finished, click OK to return to the Security tab shown in Figure 7-37.

Step 5. If you need to configure special permissions or access advanced settings, click Advanced. The next section discusses these permissions.

Note

You can also configure NTFS permissions from the command line by using the icacls.exe utility. This utility is useful for scripting permissions configuration. For more information on this utility, refer to "Icacls" at http://technet.microsoft.com/en-us/library/cc753525.aspx.
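A scripted equivalent of the Security tab procedure using icacls.exe, as an added example that is not from the book. The scratch folder under %TEMP% and its file are constructed for the demonstration, and the group is addressed by its well-known SID so the script does not depend on a localized group name.

```powershell
# Added example: grant a permission with icacls.exe and verify how it lands
# on the folder and on a file below it.

# Constructed scratch tree so that no real data is touched.
$root  = Join-Path $env:TEMP 'ntfs-demo'
$child = Join-Path $root 'reports\q1.txt'
New-Item -ItemType Directory -Path (Split-Path $child) -Force | Out-Null
Set-Content -Path $child -Value 'constructed sample file'

# Well-known SID of BUILTIN\Users; icacls accepts a SID prefixed with '*'.
$usersSid = 'S-1-5-32-545'

# Grant Read & Execute on the folder, to be inherited by subfolders (CI)
# and files (OI). /grant:r replaces any explicit ACE the group already had
# rather than adding to it.
icacls.exe $root /grant:r "*${usersSid}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Read the ACEs back with SIDs as identities. On the folder the ACE is
# explicit (IsInherited = False); on the file two levels down the same right
# arrives through inheritance (IsInherited = True).
foreach ($path in $root, $child) {
    (Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid } |
        Select-Object @{ n = 'Path'; e = { $path } }, FileSystemRights, AccessControlType, IsInherited
}

# Plain icacls listing of the file: inherited entries carry the (I) flag.
icacls.exe $child

# Clean up the scratch tree.
Remove-Item -Path $root -Recurse -Force
```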

Specifying Advanced Permissions

For the most part, the standard NTFS permissions are suitable for managing user access to resources. There are occasions where a more specialized application of security and permissions is appropriate. To configure a more specific level of access, you can use NTFS special access permissions. It isn’t a secret, but it is not obvious in the Windows 8.1 interface that the NTFS standard permissions are actually combinations of the special access permissions. For example, the standard Read permission is composed of the List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions special access permissions.

In general, you will use only the standard NTFS permissions already described. In exceptional cases, you might need to fine-tune the permissions further, and this is where the special access NTFS permissions come in. To configure special access permissions, use the following steps:

Step 1. From the Security tab of the appropriate file or folder, click Advanced to access the Advanced Security Settings dialog box.

Step 2. To add a user with special access permissions, click Add to display the Permission Entry for (folder name) dialog box.

Step 3. Click Select a Principal to display the Select User or Group dialog box.

Step 4. Type the required user or group name and click OK. The user or group is added to the Permission Entry dialog box.

Step 5. Click Show Advanced Permissions. The dialog box displays the advanced permissions, as shown in Figure 7-38.

Figure 7-38. Permission Entry Dialog Box Enabling You to Configure Advanced Permissions

Step 6. Configure the following options as required:

Principal: The user account or group name appears on this line, but you can select a different one by clicking the Select a Principal link.

Type: Select Allow or Deny as required.

Applies To: You can adjust the level in the folder hierarchy at which the special permissions apply and are inherited. When permissions are not being inherited from a parent folder, you can choose between This Folder, Subfolders and Files, or any one or two of these components.

Advanced Permissions: You can configure any one or more of the special access permissions by selecting their corresponding check boxes.

Only Apply These Permissions to Objects and/or Containers Within This Container: Here you can adjust a particular folder's properties so that files and subfolders inherit their permissions from the folder you are working on. Selecting this option propagates the special access permissions to files within and folders below your current location in a folder hierarchy.

Clear All: You can clear all selected permissions.

Step 7. When finished, click OK.

Table 7-7 describes the special access file and folder permissions that you can configure from this location:

Table 7-7. NTFS Special Access Permissions

| Folder Permission | What a User Is Allowed to Do | File Permission | What a User Is Allowed to Do |
|---|---|---|---|
| Full control | Includes all special access permissions. | Full control | Includes all special access permissions. |
| Traverse folder | Navigate through folders that a user normally can’t access in order to reach files or folders that the user does have permission to access. | Execute file | Run executable files. |
| List folder | View files or subfolders. | Read data | View data in a particular file. |
| Read attributes | View folder attributes. These attributes are defined by NTFS. | Read attributes | View file attributes. These attributes are defined by NTFS. |
| Read extended attributes | View extended folder attributes. Extended attributes are defined by software and may vary. | Read extended attributes | View extended file attributes. Extended attributes are defined by software and may vary. |
| Create files | Create files within a folder. | Write data | Write changes to or overwrite a file. |
| Create folders | Create subfolders. | Append data | Make changes to the end of a file by appending data. Does not allow changing, deleting, or overwriting existing data. |
| Write attributes | Change the attributes of a folder, such as read-only or hidden. Attributes are defined by NTFS. | Write attributes | Change the attributes of a file, such as read-only or hidden. Attributes are defined by NTFS. |
| Write extended attributes | Change the extended attributes of a folder. Extended attributes are defined by programs and may vary. | Write extended attributes | Change the extended attributes of a file. Extended attributes are defined by programs and may vary. |
| Delete subfolders and files | Delete subfolders, even if the Delete permission has not been granted on the subfolder. | Delete subfolders and files | Delete files, even if the Delete permission has not been granted on the file. |
| Delete | Delete a folder or subfolder. | Delete | Delete a file. |
| Read permissions | Read permissions for a folder, such as Full Control, Read, and Write. | Read permissions | Read permissions for a file, such as Full Control, Read, and Write. |
| Change permissions | Change permissions for a folder, such as Full Control, Read, and Write. | Change permissions | Change permissions for a file, such as Full Control, Read, and Write. |
| Take ownership | Take ownership of a folder. | Take ownership | Take ownership of a file. |

Taking ownership is a very special type of access permission. In Windows 10, each NTFS folder and file has an owner. Whoever creates a file or folder automatically becomes the owner and, by default, has Full Control permissions on that file or folder. If that person is a member of the Administrators group, then the Administrators group becomes the owner. The owner possesses the ability to apply and change permissions on a folder or file that he or she owns, even if the ACL does not explicitly grant that ability.

This does make it possible for the owner of a particular file or folder to deny Administrators access to a resource. But an administrator can exercise the optional right to take ownership of any resource to gain access to it, if this becomes necessary.

In Table 7-5, which describes the standard access permissions, you might have noticed that a standard permission like Modify enables a user to do more than one thing to a file or folder. A special-access permission typically enables a user to do one thing only. All special permissions are encompassed within the standard permissions.
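The composition of standard permissions from special access permissions can be read straight out of the access mask, shown here as an added example that is not from the book. It assumes the .NET System.Security.AccessControl.FileSystemRights enum as the source of the bit values; the labels follow Table 7-7.

```powershell
# Added example: expand a standard NTFS permission (or an ACE's rights)
# into the special access permissions it contains.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Table 7-7 label -> FileSystemRights member that carries the same bit.
$Special = [ordered]@{
    'Traverse folder / Execute file' = 'ExecuteFile'
    'List folder / Read data'        = 'ReadData'
    'Read attributes'                = 'ReadAttributes'
    'Read extended attributes'       = 'ReadExtendedAttributes'
    'Create files / Write data'      = 'WriteData'
    'Create folders / Append data'   = 'AppendData'
    'Write attributes'               = 'WriteAttributes'
    'Write extended attributes'      = 'WriteExtendedAttributes'
    'Delete subfolders and files'    = 'DeleteSubdirectoriesAndFiles'
    'Delete'                         = 'Delete'
    'Read permissions'               = 'ReadPermissions'
    'Change permissions'             = 'ChangePermissions'
    'Take ownership'                 = 'TakeOwnership'
}

function Expand-NtfsRights {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights] $Rights)
    $mask = [int]$Rights
    foreach ($label in $Special.Keys) {
        $bit = [int][Enum]::Parse($FSR, $Special[$label])
        if (($mask -band $bit) -eq $bit) { $label }
    }
}

# Standard permissions from Table 7-5. Modify comes out as everything except
# Delete subfolders and files, Change permissions and Take ownership, which
# only Full Control adds.
foreach ($std in 'Read', 'ReadAndExecute', 'Write', 'Modify', 'FullControl') {
    '{0,-15} = {1}' -f $std, ((Expand-NtfsRights $std) -join ', ')
}

# The same expansion applied to a real ACL, together with the owner.
# ACEs that use generic rights instead of specific bits show an empty list.
$acl = Get-Acl -Path $env:SystemRoot
"Owner: $($acl.Owner)"
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference
        Type      = $_.AccessControlType
        Inherited = $_.IsInherited
        Special   = (Expand-NtfsRights $_.FileSystemRights) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```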

NTFS Permissions Inheritance

All NTFS permissions are inherited; that is, they pass down through the folder hierarchy from parent to child. Permissions assigned to a parent folder are inherited by all the files in that folder, and by the subfolders contained in the parent folder as well. Unless you specifically stop the process of files and folders inheriting permissions from their parent folder, any existing files and subfolders, and any new files and subfolders created within this tree of folders will inherit their permissions from the original parent folder. To use the fancy term, permissions are propagated all the way down the tree.

Windows 10 lets you modify this permissions inheritance sequence if necessary. To check whether permissions are being inherited and to remove permissions inheritance, use the following procedure:

Step 1. From the Advanced Security Settings dialog box previously shown in Figure 7-36, click the Disable Inheritance command button.
