moac 70-687 l17 authentication and authorization
TRANSCRIPT
-
8/10/2019 MOAC 70-687 L17 Authentication and Authorization
1/65
Lesson 17: Configuring Authentication and Authorization
MOAC 70-687: Configuring Windows 8

Working with Users and Groups
Lesson 17: Configuring Authentication and Authorization
2013 John Wiley & Sons, Inc.

User Accounts

The user account is the fundamental unit of identity in the Windows operating system.
As an operating system element, the user account and its properties are vital components in two of the most important Windows functions:
o Authentication
o Authorization

Groups

A group is another type of entity that Windows uses to represent a collection of users.
System administrators can create groups, for any reason and with any name, and then use them just as they would a user account.
Any permissions or user rights that an administrator assigns to a group are automatically inherited by all members of the group.

Understanding Local and Domain Users

The concept of users and groups is complicated in Windows because there are two completely separate user account systems:
o Local users
o Domain users
Which user account system a Windows computer uses depends on whether it is a member of a workgroup or an Active Directory Domain Services domain.

Workgroup

A workgroup is a collection of computers that are all peers.
A peer network is one in which every computer can function as both:
o A server: By sharing its resources with other computers.
o A client: By accessing the shared resources on other computers.

Domain

A domain is a collection of computers that all utilize a central directory service for authentication and authorization.
A directory service is a collection of logical objects that represent various types of network resources, such as:
o Computers
o Applications
o Users
o Groups
Each object consists of attributes that contain information about the object.

Differentiating Local and Domain Users

Local and domain users are different in several important ways.
You use different tools to create and manage the two types of users, and the user accounts themselves are different in composition.
A user account consists of attributes, which contain information about the user. Domain users have many more attributes than local users.

Differentiating Local and Domain Users

(Figure: The Properties sheet for a local user)
(Figure: The Properties sheet for a domain user)

Frequently Asked Questions About Local and Domain Users

Question: What tools do you use to manage the user accounts?
  Local users: The User Accounts control panel applet or the Local Users and Groups snap-in for Microsoft Management Console (MMC)
  Domain users: The Active Directory Users and Computers MMC snap-in

Question: Where are the user accounts stored?
  Local users: In the Security Accounts Manager (SAM) on the local computer
  Domain users: On the Active Directory Domain Services domain controllers

Question: What can you access with the user account?
  Local users: Local computer resources only
  Domain users: All domain and network resources

Question: What restrictions are there on the user name?
  Local users: Each user name must be unique on the computer
  Domain users: Each user name must be unique in the directory

Built-In Local Users

The following user accounts are built in on Windows 8:
o Administrator: During a typical Windows 8 installation, the Setup program creates an Administrator account and makes it a member of the Administrators group, giving it complete access to all areas of the operating system.
o New User: During the operating system installation process, the installer must specify the name for a new user account, which the Setup program creates and adds to the Administrators group.
o Guest: This account is designed for users that require only temporary access to the computer, and who do not need high levels of access.

Local and Domain Groups

Whether local or domain, a group is essentially just a collection of users and, in some cases, other groups.
By assigning rights and permissions to a group, you assign those rights and permissions to all of its members.

Using Local Groups

Local groups are subject to the following restrictions:
o You can only use local groups on the computer where you create them.
o Only local users from the same computer can be members of local groups. When the computer is a member of an AD DS domain, local groups can have domain users and domain global groups as members.
o Local groups cannot have other local groups as members. However, they can have domain groups as members.
o You can only assign permissions to local groups when you are controlling access to resources on the local computer.
o You cannot create local groups on a Windows server computer that is functioning as a domain controller.

Windows 8 Built-In Local Groups and Their Capabilities

Built-In Local Group: Group Function
Access Control Assistance Operators: Members can remotely query authorization permissions for resources on this computer.
Administrators: Members have full administrative access to the entire operating system. By default, the Administrator user and the user account created during the operating system installation are both members of this group.
Backup Operators: Members have user rights enabling them to override permissions for the sole purpose of backing up and restoring files, folders, and other operating system elements.
Cryptographic Operators: Members are capable of performing cryptographic operations.
Distributed COM Users: Members are capable of launching, activating, and using distributed COM objects.
Event Log Readers: Members can read the computer's event logs.
Guests: Members have no default user rights. By default, the Guest user account is a member of this group.
Hyper-V Administrators: Members have full control of all Hyper-V features.
IIS_IUSRS: Group used to provide privileges to dedicated Internet Information Services users.
Network Configuration Operators: Members have privileges that enable them to modify the computer's network configuration settings.
Performance Log Users: Members have privileges that enable them to schedule the logging of performance counters, enable trace providers, and collect event traces on this computer, both locally and from remote locations.
Performance Monitor Users: Members have privileges that enable them to monitor performance counter data on the computer, both locally and from remote locations.
Power Users: Members possess no additional capabilities in Windows 8. In previous Windows versions, the Power Users group provided privileges for a limited number of administrative functions, but in Windows 8, the group is included solely for reasons of backwards compatibility.
Remote Desktop Users: Members can log on to the computer from remote locations, using Terminal Services or Remote Desktop.
Remote Management Users: Members can access Windows Management Instrumentation (WMI) resources using management protocols.
Replicator: When the computer is joined to a domain, this group provides the access needed for file replication functions. The only member should be a user account dedicated solely to the replication process.
Users: Members can perform most common tasks, such as running applications, using local and network printers, and locking the server. However, members are prevented from making many system-wide configuration changes, whether they do so accidentally or deliberately.
WinRMRemoteWMIUsers__: Members can access Windows Management Instrumentation (WMI) resources using management protocols.

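Several of the groups in the table above (Administrators, Backup Operators, Remote Desktop Users, Remote Management Users, Hyper-V Administrators, Network Configuration Operators) grant capability well beyond that of a standard user, so their membership is worth checking regularly. The following PowerShell script is an added example, not part of the MOAC slides; it uses the WinNT ADSI provider, which is available on Windows 8 (the Get-LocalGroupMember cmdlet only arrived with Windows 10 and PowerShell 5.1). The expected-administrator names are placeholders.

```powershell
# Added example (not from the MOAC slides): list the members of the built-in
# local groups that carry elevated capability, so unexpected members stand out.

# Groups from the table above whose membership deserves regular review.
$PrivilegedLocalGroups = @(
    'Administrators',
    'Backup Operators',
    'Hyper-V Administrators',
    'Network Configuration Operators',
    'Remote Desktop Users',
    'Remote Management Users'
)

function Get-LocalGroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    try {
        $members = @($group.Invoke('Members'))
    } catch {
        # The group does not exist on this edition (for example, no Hyper-V).
        return
    }
    foreach ($member in $members) {
        $type = $member.GetType()
        [PSCustomObject]@{
            Group  = $GroupName
            Member = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
            Class  = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
            # The ADsPath shows whether the member is local (WinNT://COMPUTER/...)
            # or a domain principal (WinNT://DOMAIN/...) on a domain-joined machine.
            Path   = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        }
    }
}

function Get-PrivilegedLocalGroupReport {
    param([string[]]$Groups = $PrivilegedLocalGroups)
    foreach ($g in $Groups) { Get-LocalGroupMembership -GroupName $g }
}

# Expected Administrators membership on a fresh install: the built-in
# Administrator account and the account created during Setup. 'SetupUser'
# is a placeholder; substitute the name chosen at installation.
$ExpectedAdministrators = @('Administrator', 'SetupUser')

# Full report of every privileged group, then the Administrators entries
# that are not on the expected list.
Get-PrivilegedLocalGroupReport | Format-Table Group, Member, Class, Path -AutoSize
Get-PrivilegedLocalGroupReport |
    Where-Object { $_.Group -eq 'Administrators' -and $ExpectedAdministrators -notcontains $_.Member } |
    Format-Table Group, Member, Class, Path -AutoSize
```

On a domain-joined workstation the report also shows domain groups nested in local groups (the Domain Admins group appears in Administrators by default), which is exactly the case the "Using Local Groups" slide describes.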
Special Identities

A special identity is a placeholder for a collection of users with a similar characteristic.
For example, the Authenticated Users special identity represents all the users that are logged on to the computer at a given instant.
You can assign rights and permissions to a special identity just as you would to a group.

Creating and Managing Local Users and Groups

Creating a New User Account

New to Windows 8 is the ability to create a local user account based on an existing Windows Live ID.
The User Accounts control panel applet provides access to existing local accounts, but when creating new accounts, the system transfers you to the Users page of the PC Settings app.
Adding a user through this interface takes you through the same procedure as the new user creation process in the Windows 8 installation.

Create a New User Account

(Figure: The User Accounts control panel applet)
(Figure: The Choose the user you would like to change page)
(Figure: The Users page in the PC Settings screen)
(Figure: The Add a user screen)
(Figure: The Add a user form)

Manage User Accounts

(Figure: The Make changes to [user]'s account page)
(Figure: The Type a new account name for [user]'s account page)
(Figure: The Choose a new account type for [user] page)

Creating a Windows 8 Account from a Microsoft Account

When you specify your email address on the Add a user screen, the system searches for a Microsoft account that uses that address.
Then it either prompts you for the account password or, if it fails to find one, displays a Set up a Microsoft account form with which you can create a new account.

Creating a Windows 8 Account from a Microsoft Account

(Figure: The Set up a Microsoft Account page)

Using the Local Users and Groups Snap-In

By default, the Local Users and Groups snap-in is part of the Computer Management console.
You can open the Local Users and Groups snap-in in one of three basic ways:
o Open the Control Panel, select System and Security > Administrative Tools > Computer Management.
o Launch Microsoft Management Console (Mmc.exe), choose File > Add/Remove Snap-In, and then select the Local Users and Groups snap-in.
o Open the Run dialog box and type Lusrmgr.msc in the Open text box.

Create a New User

(Figure: The Computer Management console)
(Figure: The Local Users and Groups snap-in)
(Figure: The New User dialog box)

Manage a User

(Figure: The Member Of tab of a user's Properties sheet)
(Figure: The Select Groups dialog box)
(Figure: The Profile tab of a user's Properties sheet)

Create a Local Group

(Figure: The New Group dialog box)

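The New User and New Group dialog boxes shown above can be driven from a script as well. The following PowerShell is an added example, not part of the MOAC slides; it uses the WinNT ADSI provider so that it runs on Windows 8, and every account and group name in it is constructed.

```powershell
# Added example (not from the MOAC slides): the operations the Local Users and
# Groups snap-in performs, scripted through the WinNT ADSI provider.
$Computer  = $env:COMPUTERNAME
$Container = [ADSI]"WinNT://$Computer"

function New-LocalUserAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [string]$FullName = '',
        [string]$Description = ''
    )
    $user = $Container.Create('user', $Name)
    # The WinNT provider needs the clear-text password; convert it only for the
    # duration of the call and zero the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $user.Put('FullName', $FullName)
    $user.Put('Description', $Description)
    $user.SetInfo()
    # Equivalent of the New User dialog's "User must change password at next
    # logon" check box. The account is deliberately left subject to password
    # expiry so that the local password policy applies to it.
    $user.PasswordExpired = 1
    $user.SetInfo()
    return $user
}

function New-LocalGroupWithMembers {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Description = '',
        [string[]]$Members = @()
    )
    $group = $Container.Create('group', $Name)
    $group.Put('Description', $Description)
    $group.SetInfo()
    foreach ($m in $Members) {
        # Local users bind as WinNT://COMPUTER/name; on a domain-joined machine a
        # domain user or global group would bind as WinNT://DOMAIN/name instead.
        $group.Add("WinNT://$Computer/$m,user")
    }
    return $group
}

# Usage (constructed names): a help-desk account placed in a custom group.
$initialPassword = Read-Host -Prompt 'Initial password for helpdesk01' -AsSecureString
$null = New-LocalUserAccount -Name 'helpdesk01' -Password $initialPassword `
    -FullName 'Help Desk 01' -Description 'Sample help-desk account'
$null = New-LocalGroupWithMembers -Name 'Printer Admins' `
    -Description 'Sample group: may manage local printers' -Members @('helpdesk01')

# Verify, as the Member Of tab of the user's Properties sheet would show it.
net.exe user helpdesk01
net.exe localgroup "Printer Admins"
```

The script must run from an elevated prompt, since creating local accounts requires Administrators membership. Note that the group is created with a description and an explicit member list rather than by adding the user to an existing built-in group; granting rights to a purpose-specific group keeps the Administrators group small, which is the point of the restrictions listed under "Using Local Groups".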
Working with Domain Users and Groups

To create and manage AD DS domain users and groups on a Windows 8 workstation:
o Install the Remote Server Administration Tools
o Turn on the Active Directory Users and Computers snap-in under Turn Windows features on or off
o Have the appropriate Active Directory permissions

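Once the Remote Server Administration Tools are installed, the ActiveDirectory PowerShell module works with the same objects as the Active Directory Users and Computers snap-in. The following script is an added example, not part of the MOAC slides; the OU, user and group names are constructed, and it assumes the caller holds the Active Directory permissions the third bullet requires.

```powershell
# Added example (not from the MOAC slides): managing domain users and groups
# from a Windows 8 workstation with RSAT installed.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$staffOu  = "OU=Staff,$($domain.DistinguishedName)"   # assumed OU

# Create a domain user (the counterpart of the snap-in's New Object - User
# wizard), requiring a password change at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for alice.example' -AsSecureString
New-ADUser -Name 'Alice Example' -SamAccountName 'alice.example' `
    -UserPrincipalName "alice.example@$($domain.DNSRoot)" `
    -Path $staffOu -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Group membership is the unit of authorization: rights go to the group
# ('Helpdesk Staff' is a constructed group), never to the individual account.
Add-ADGroupMember -Identity 'Helpdesk Staff' -Members 'alice.example'

# Domain users carry far more attributes than local users (compare the two
# Properties sheets earlier in the lesson); -Properties * retrieves all of them.
Get-ADUser -Identity 'alice.example' -Properties * | Get-Member -MemberType Property

function Get-DomainAccountRiskReport {
    # Two checks an administrator with the snap-in would otherwise do by hand:
    # enabled accounts exempt from password expiry, and the full (nested)
    # membership of Domain Admins.
    $neverExpires = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'True'" `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object SamAccountName, objectClass
    [PSCustomObject]@{
        PasswordNeverExpires = @($neverExpires)
        DomainAdmins         = @($domainAdmins)
    }
}

Get-DomainAccountRiskReport | Format-List
```

The report function is the domain-side counterpart of reviewing local group membership: accounts with PasswordNeverExpires set are exempt from the domain password policy, and the recursive Domain Admins listing shows members inherited through nested groups that the snap-in's Members tab does not display directly.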
Authenticating and Authorizing Users

Working with Passwords

Potential intruders can obtain passwords in two possible ways: cracking them or discovering them.
These methods are possible only when users compromise their passwords in some way.
Some of the ways in which users can weaken the security of their passwords are:
o Short passwords
o Simple passwords
o Unchanging passwords
o Predictable passwords

Configure Password Policies

(Figure: The Local Security Policy console)
(Figure: Password Policies in the Local Security Policy console)
(Figure: The Properties sheet of a password policy)
(Figure: Password Policies in an AD DS Group Policy object)

Configuring Account Lockout Policies

Windows 8 can protect against brute force password penetration techniques by limiting the number of unsuccessful logon attempts allowed by each user account.
When a potential infiltrator exceeds the number of allowed attempts, the system locks the account for a set period of time.
To impose these limits, you can use Local Security Policy for standalone computers, or Group Policy for AD DS networks.

Configure Account Lockout Policies

(Figure: Account Lockout Policies in the Local Security Policy console)
(Figure: The Properties sheet of an account lockout policy)

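The password policies and account lockout policies covered in the two preceding sections live in the same place, the [System Access] section of the local security database, and can be audited and corrected together. The following PowerShell is an added example, not part of the MOAC slides; the baseline values in it are constructed, and it assumes a standalone computer (on an AD DS network the Group Policy setting wins over the local one).

```powershell
# Added example (not from the MOAC slides): read the password and account
# lockout settings that the Local Security Policy console exposes, compare
# them with a baseline, and apply corrections with net accounts.

function Get-LocalAccountPolicy {
    # secedit exports the local security database to an .inf file; the
    # [System Access] section holds the password and lockout settings.
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    $null = secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
    $settings  = @{}
    $inSection = $false
    foreach ($line in (Get-Content -Path $cfg)) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $name, $value = $Matches[1], $Matches[2]
            # Numeric settings (days, counts, minutes) become integers; the few
            # string settings (e.g. NewAdministratorName) keep their value unquoted.
            $settings[$name] = if ($value -match '^-?\d+$') { [int]$value } else { $value.Trim('"') }
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $settings
}

# Baseline (constructed). MaximumPasswordAge is an upper bound and -1 in the
# export means "never expires"; every other value is a minimum.
$Baseline = @{
    MinimumPasswordLength = 12
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 90
    LockoutBadCount       = 5     # unsuccessful attempts before lockout
    LockoutDuration       = 30    # minutes the account stays locked
    ResetLockoutCount     = 30    # minutes before the bad-attempt counter resets
}

function Test-LocalAccountPolicy {
    param([hashtable]$Baseline)
    $current = Get-LocalAccountPolicy
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $value = $current[$key]
        $compliant = if ($null -eq $value) {
            $false      # lockout duration/window are absent until a threshold is set
        } elseif ($key -eq 'MaximumPasswordAge') {
            ($value -gt 0) -and ($value -le $Baseline[$key])
        } else {
            $value -ge $Baseline[$key]
        }
        [PSCustomObject]@{ Setting = $key; Current = $value; Baseline = $Baseline[$key]; Compliant = $compliant }
    }
}

Test-LocalAccountPolicy -Baseline $Baseline | Format-Table -AutoSize

# Apply the numeric parts of the baseline (run from an elevated prompt). The
# lockout duration and window only take effect once a threshold is set, so
# set all three together. Password complexity has no net accounts switch; it
# is set in the Local Security Policy console or with secedit /configure.
net.exe accounts /minpwlen:12 /maxpwage:90 /uniquepw:24 `
    /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

Running Test-LocalAccountPolicy before and after the net accounts call shows the change; on a fresh Windows 8 installation LockoutBadCount is 0, which is why the lockout rows report non-compliant until a threshold exists.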
Using Credential Manager

Credential Manager is a Windows 8 tool that stores the user names and passwords people supply to servers and websites in a protected area called the Windows Vault.
When a user selects the Remember my credentials check box while authenticating in Windows Explorer, Internet Explorer, or Remote Desktop Connection, the system adds the credentials to the Windows Vault.
It is also possible to add credentials directly to the vault using Credential Manager, by clicking Add a Windows credential, or one of the similar links.

Using Credential Manager

(Figure: The Remember my credentials control)
(Figure: Credential Manager)
(Figure: The Add a Windows Credential window)

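The Windows Vault that Credential Manager displays can also be listed and maintained with cmdkey.exe, which is useful for reviewing what a workstation has remembered. The following PowerShell is an added example, not part of the MOAC slides; the server and account names in it are constructed.

```powershell
# Added example (not from the MOAC slides): Credential Manager from the command
# line. cmdkey.exe manages the same Windows Vault entries that the Credential
# Manager control panel shows.

function Get-StoredCredential {
    # Parse 'cmdkey /list' into objects. Each entry is a "Target:" line
    # followed by "Type:" and, for most entries, "User:" lines.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = [PSCustomObject]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Add a Windows credential, as the Add a Windows Credential window does.
# '/pass' with no value makes cmdkey prompt for the password instead of
# leaving it in the command history.
cmdkey.exe /add:fileserver01.example.local /user:EXAMPLE\helpdesk01 /pass

# Review what the vault holds. Anything stored here is usable by every process
# running as this user, so entries for servers that no longer exist, or that
# hold privileged accounts, should be removed rather than left behind.
Get-StoredCredential | Format-Table Target, Type, User -AutoSize

# Remove an entry by its target name (the /list output shows it with a
# "Domain:target=" prefix for Windows credentials).
cmdkey.exe /delete:fileserver01.example.local
```

The same /list parsing can be run under each profile on a shared computer to confirm that no one has stored an administrator's credentials in a standard user's vault.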
Using PIN and Picture Passwords

On the Users page of the PC Settings screen you can change the password of your local user account, and you can also replace the password entirely, with either a numerical PIN or a picture and a sequence of gestures.
A PIN password is a four-digit number that a user can employ to log on in place of a password.
Picture passwords are designed to take advantage of touch interfaces by replacing the standard alphanumeric password with a picture.

Using PIN and Picture Passwords

(Figure: The Users page of the PC Settings screen)
(Figure: The Create a PIN screen)

Using Smart Cards

A smart card is a credit card-like device that contains a chip, on which is stored a digital certificate that serves as an identifier for a particular user.
On a computer equipped with a card reader, a user can authenticate himself or herself by specifying a user name and inserting the smart card.

Managing Certificates

Windows 8 uses digital certificates for a variety of authentication tasks, internally, on the local network, and on the Internet.
Every user account has a certificate store containing a variety of certificates obtained by various means.
To access the Certificates snap-in, click the Search charm, select Settings, and type cert in the search box.
In the Results list, click Manage user certificates to load the snap-in and point it at the current user account.

Managing Certificates

(Figure: The Certificates snap-in)
(Figure: A Certificate dialog box)
(Figure: The Export File Format page in the Certificate Export Wizard)

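The current user's certificate store that the Certificates snap-in displays is also exposed as the Cert: drive in PowerShell, which makes it possible to check the expiry and intended use of each certificate, including the smart card logon certificates from the preceding section, and to perform the public-key export the Certificate Export Wizard offers. The following script is an added example, not part of the MOAC slides; the output path is constructed, and the Smart Card Logon OID is the standard Microsoft enhanced key usage value.

```powershell
# Added example (not from the MOAC slides): the information the Certificates
# snap-in presents for the current user, read from the Cert: drive, plus the
# DER export that the Certificate Export Wizard performs.

function Get-UserCertificateReport {
    param([int]$ExpiringWithinDays = 30)
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
    foreach ($cert in (Get-ChildItem -Path Cert:\CurrentUser\My)) {
        # Collect the Enhanced Key Usage OIDs, which state what the certificate
        # may be used for (client authentication, smart card logon, ...).
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        [PSCustomObject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            SmartCardLogon = $ekuOids -contains $smartCardLogonOid
            ExpiringSoon   = $cert.NotAfter -lt (Get-Date).AddDays($ExpiringWithinDays)
            Expired        = $cert.NotAfter -lt (Get-Date)
        }
    }
}

function Export-PublicCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    # DER-encoded certificate only (the wizard's "DER encoded binary X.509
    # (.CER)" choice): the public part is written out, the private key
    # never leaves the store.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Path
}

# Usage: list certificates that are expiring or already expired, then export
# the public part of the first smart card logon certificate found.
$report = Get-UserCertificateReport
$report | Where-Object { $_.ExpiringSoon } |
    Format-Table Subject, NotAfter, Expired, SmartCardLogon -AutoSize
$logonCert = $report | Where-Object { $_.SmartCardLogon } | Select-Object -First 1
if ($logonCert) {
    Export-PublicCertificate -Thumbprint $logonCert.Thumbprint `
        -Path (Join-Path $env:TEMP 'smartcard-logon.cer')   # constructed output path
}
```

Exporting with the private key (the wizard's PFX option) is a different operation and needs a passphrase; the function above deliberately only handles the public certificate, which is what a relying party needs to verify the user.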
Using Biometrics

Biometric authentication uses a scan of a physical characteristic to confirm the identity of a user.
There are a great many third-party biometric authentication solutions available, most of which take the form of fingerprint scanners for laptop computers.
Windows 8 now includes a new component called the Windows Biometric Framework, which provides core biometric functionality and a Biometric Device control panel.

Elevating Privileges

The preferred mechanism for performing tasks that require administrative privileges is to use the Run As feature to execute a program using another account.
Shortcuts in the Start menu have a Run as administrator option in their context menus.
This option causes standard users to receive a credential prompt and administrators to receive an elevation prompt, according to the system's normal User Account Control (UAC) practices.

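The Run As behaviour described above can be reproduced from a script: check whether the current token is already elevated and, if not, relaunch through the same UAC prompt that the Run as administrator menu item produces. The following PowerShell is an added example, not part of the MOAC slides; the script path and the administrative account name in it are placeholders.

```powershell
# Added example (not from the MOAC slides): the Run As mechanism from a script.

function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # Under UAC an administrator's normal (filtered) token fails this check;
    # only the elevated token holds the Administrators group enabled.
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [string[]]$ArgumentList = @()
    )
    if (Test-IsElevated) {
        & $ScriptPath @ArgumentList
        return
    }
    # -Verb RunAs triggers UAC: a credential prompt for a standard user, a
    # consent prompt for an administrator, exactly as the slide describes.
    $psArgs = @('-NoProfile', '-File', ('"{0}"' -f $ScriptPath)) + $ArgumentList
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $psArgs -Wait
}

# Usage with a constructed script path:
Invoke-Elevated -ScriptPath 'C:\Scripts\Apply-AccountPolicy.ps1'

# The same idea with an explicit alternate account, as the Run As feature
# does (EXAMPLE\admin-alice is a placeholder): the tool runs under that
# account's token while the interactive session stays a standard user.
runas.exe /user:EXAMPLE\admin-alice "mmc.exe lusrmgr.msc"
```

Keeping the day-to-day session as a standard user and elevating only the one tool that needs it limits what a mistaken click or a malicious document can do, which is the rationale behind the lesson's recommendation.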
Authorizing Users

Authentication confirms a user's identity. Authorization grants the user access to certain resources.
The most commonly used mechanisms for authorizing users in Windows 8 are the NTFS, share, and registry permission systems.

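NTFS permissions are the authorization mechanism most administrators meet first, and they are where groups and special identities (such as Authenticated Users, from earlier in the lesson) are put to use. The following PowerShell is an added example, not part of the MOAC slides; the folder path is constructed and 'Printer Admins' is assumed to be a local group on the machine.

```powershell
# Added example (not from the MOAC slides): NTFS authorization in practice.
# Rights are granted to groups and special identities, never to individual
# users, and the resulting ACL is read back.

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Examples: 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
        # (a special identity), or a local or domain group name.
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$Deny
    )
    $acl  = Get-Acl -Path $Path
    $type = if ($Deny) { 'Deny' } else { 'Allow' }
    # Inherit to subfolders and files below this folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage on a constructed folder: everyone who has authenticated may read,
# the printer administrators group may modify, Administrators keep full
# control, and nobody else gets an entry.
$share = 'C:\Shares\PrinterDrivers'
New-Item -Path $share -ItemType Directory -Force | Out-Null

Grant-FolderAccess -Path $share -Identity 'NT AUTHORITY\Authenticated Users' -Rights ReadAndExecute
Grant-FolderAccess -Path $share -Identity 'Printer Admins' -Rights Modify
Grant-FolderAccess -Path $share -Identity 'BUILTIN\Administrators' -Rights FullControl

# Now stop inheriting the parent's entries so that the folder carries only
# the rules above (inherited entries are discarded, not copied).
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $share -AclObject $acl

Get-FolderAccess -Path $share | Format-Table -AutoSize

# The registry permission system works through the same cmdlets: Get-Acl and
# Set-Acl accept registry provider paths such as HKLM:\SOFTWARE\Example
# (constructed), with RegistryAccessRule in place of FileSystemAccessRule.
```

The explicit entries are added before inheritance is cut so that there is never a moment when the folder has no usable ACL; the final Get-FolderAccess listing shows IsInherited as False for every row, confirming that the folder's authorization no longer depends on its parent.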
Configuring User Rights

(Figure: User Rights Assignments)