Configure Shared Resources Perform this practice when logged on to computer Canberra with the Kim_Akers user account.?. Configure File and Folder Access Perform both of these practices
Trang 1Case Scenarios CHAPTER 8 473
Chapter review
To further practice and reinforce the skills you learned in this chapter, you can perform the
following tasks:
n Review the chapter summary
n Review the list of key terms introduced in this chapter
n Complete the case scenarios These scenarios set up real-world situations involving the
topics of this chapter and ask you to create a solution
n Complete the suggested practices
n Take a practice test
Chapter Summary
n HomeGroups allow for the sharing of resources on home networks
n You can manage shared folders centrally using the Computer Management console
n Libraries are virtual collections of folders that host similar content
n NTFS permissions determine which files a user or group can access on a computer
n Print permissions determine what rights a user has to manage a printer or documents
n BranchCache is a technology that speeds up branch office access to files in remote
locations through the caching of previously accessed files on the branch office network
Key terms
Do you know what these key terms mean? You can check your answers by looking up the
terms in the glossary at the end of the book
n BranchCache
n encrypting File System (eFS)
n homegroup
n library
Case Scenarios
In the following case scenarios, you apply what you’ve learned about subjects covered in
this chapter You can find answers to these questions in the “Answers” section at the end of
this book
Trang 2474 CHAPTER 8 BranchCache and Resource Sharing
Case Scenario 1: Permissions and Encryption
A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted
volumes, volume C and volume D The folder C:\Share is shared and has 15 subfolders and hundreds of files Many of these folders have unique NTFS permissions You want to move this folder so that it is hosted on volume D because volume C is running out of space One of the users of computer Waverley will be changing to computer Warrandyte This user has copied
a large number of EFS-encrypted files onto a NTFS-formatted USB flash device
With these facts in mind, answer the following questions:
1 What steps can you take so that the user is able to read the encrypted files on the USB flash device on computer Warrandyte?
2 What steps can you take to ensure that it is possible to recover all files that are
encrypted in future?
3 What steps can you take to move the shared folder to volume D?
Case Scenario 2: Configuring Contoso Branch Offices
You are trying to make the use of WAN bandwidth between Contoso’s head office in
Melbourne and branch offices in Wangaratta and Traralgon more efficient All client
computers at Contoso have Windows 7 Enterprise installed Users turn their computers
on and off during the day If possible, you want to store any BranchCache data so that it
is always available There is a Windows Server 2008 R2 RODC at the Traralgon site named rodc traralgon contoso internal, and there is a Windows Server 2008 RODC named rodc wangaratta contoso internal at the Wangaratta site You do not plan on upgrading any server operating systems in the near future
With these facts in mind, answer the following questions:
1 Which BranchCache mode should you use at the Wangaratta branch office?
2 Which BranchCache mode should you use at the Traralgon branch office?
3 What steps do you need to take to prepare server rodc traralgon contoso internal to support BranchCache?
Suggested practices
To help you master the exam objectives presented in this chapter, complete the following tasks
Configure Shared Resources
Perform this practice when logged on to computer Canberra with the Kim_Akers user
account
Trang 3Take a Practice Test CHAPTER 8 475
n Configure a shared printer Create a local group named PrinterManagers and assign
the Manage Printers permission to this group
Configure File and Folder Access
Perform both of these practices when logged on to computer Canberra with the Kim_Akers
user account
n practice 1 Use Gpedit msc and Cipher exe to configure and assign an EFS recovery
agent certificate
n practice 2 Create a file named Gamma txt Use Icacls exe to assign the Modify (Deny)
permission to the file Use Robocopy exe to copy Gamma txt to a new folder while
retaining its original permissions
Configure BranchCache
Perform this practice when logged on to computer Canberra with the Kim_Akers user
account
n Configure computer Canberra using the Netsh command to use local caching only
take a practice test
The practice tests on this book’s companion DVD offer many options For example, you
can test yourself on just one exam objective, or you can test yourself on all the 70-680
certification exam content You can set up the test so that it closely simulates the experience
of taking a certification exam, or you can set it up in study mode so that you can look at the
correct answers and explanations after you answer each question
More Info praCtICe teStS
For details about all the practice test options available, see the section entitled “How to
Use the Practice Tests,” in the Introduction to this book.
Trang 5CHAPTER 9 477
C h a p t e r 9
Authentication
and Account Control
User Account Control (UAC) is a tool for administrators that alerts you to the fact that
what you are trying to do requires administrator privileges You should not be surprised
to encounter a UAC prompt when modifying firewall rules You would be justifiably wary if you encounter a UAC prompt when trying to open a picture of a cat eating a cheeseburger sent to you by your aunt One of these tasks should require administrator privileges and one
of them should not UAC can protect your computer from malware because it allows you
to notice when a program or document that should not require administrative privileges
requests them UAC rarely affects normal users because, by definition, normal users should not be doing anything that requires administrator privileges In the first part of this chapter, you learn how to configure UAC for your environment so that it warns you when necessary but keeps out of your way the rest of the time
Passwords are the primary method through which you secure a computer running
Windows 7 The strength of a password is directly proportional to the strength of the
security it provides If passwords are not secure enough for your environment, you can
configure Windows 7 to require a smart card before it allows users to log on Privileges
allow users to perform tasks You can assign privileges, such as allowing a user to back up
a computer in its entirety by adding them to the appropriate group or by configuring the appropriate Group Policy In the second part of this chapter, you learn how to configure
password policies, resolve authentication problems, assign privileges, and back up and
restore saved credentials
Exam objectives in this chapter:
n Configure User Account Control (UAC)
n Configure authentication and authorization
Lessons in this chapter:
n Lesson 1: Managing User Account Control 479
n Lesson 2: Windows 7 Authentication and Authorization 493
Trang 6478 CHAPTER 9 Authentication and Account Control
Before You Begin
To complete the exercises in the practices in this chapter, you need to have done the following:
n Installed Windows 7 on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7 ”
real World
Orin Thomas
The UAC prompt doesn’t appear capriciously UAC lets you know if software
is doing something suspicious If you are messing around with the guts of your operating system, you should expect a couple of UAC prompts This is because you are making substantive changes to the operating system, and you need administrator privileges to do that However, if you are doing something normal with your computer, such as playing a game or running a word processor (something that shouldn’t require administrative privileges), and you are prompted
by UAC, your first thought shouldn’t be “Oh, not that annoying prompt again!” You should be thinking, “Now what on Earth made it do that?” Normal programs do not require administrative privileges to run This is the key thing to understand about UAC If UAC does interrupt when you are doing something that isn’t related to your computer configuration, you should get suspicious UAC is a red flag, a warning you should pay attention to UAC is the computer’s way of asking you, “Are you sure you want to let this program have administrative rights?” The answer to this question is important To take control of your computer, malware needs to elevate its privileges
so that it can run with administrative rights Malware authors have a whole bag of tricks that they use to try to get you to run their programs Sometimes malware try to get you to execute it by piggybacking on another program that you run on
a regular basis You run the program, thinking it is something else and then bang, pwnd! UAC cannot stop you from running the malware, but it warns you when the program tries to do something that requires admin privileges If you do get prompted when you are doing something that you should be able to do without administrator rights, UAC lets you proceed if you so choose Of course, if your computer does end up infected with malware, you won’t be able to say that you weren’t warned.
Trang 7Lesson 1: Managing User Account Control CHAPTER 9 479
Lesson 1: Managing User account Control
User Account Control (UAC) is a tool that you will likely use only if your user account is
a member of the local administrators group This is because UAC is disabled by default for
standard users, which means that standard users do not, by default, encounter a UAC prompt
UAC settings can be tailored to better meet the needs of your organization In this lesson, you
learn how to configure UAC so that it does not have to run on the Secure Desktop, how to
require administrators to enter their credentials rather than just clicking OK, and to configure
UAC so that administrators assisting standard users can access elevated privileges
After this lesson, you will be able to:
n Configure local security policies related to UAC
n Configure behavior of the User Account Control elevation prompt
n Configure the behavior of Secure Desktop
Estimated lesson time: 40 minutes
User Account Control (UAC)
UAC is a security feature of Windows 7 that informs you when the action that you want to
undertake requires an elevation of privileges If you logged on with a user account that was
a member of the local administrators group in previous versions of Microsoft Windows, such
as Windows XP, you automatically had administrator-level access at all times This, by itself,
was not a problem because recommended good practice was that people logged on with
accounts that were members of the local administrator group only when they needed to do
something related to administration The problem with this is that people tended to use their
administrator account as their normal user account It was convenient for them because they
did not have to log off and log on again each time they wanted to do something related to
systems administration Unfortunately, this behavior presented a security problem because
any program run by a user logged on with an administrative account runs with the rights and
privileges of that user UAC resolves this problem by allowing a user that is a member of the
local Administrators group to run as a standard user most of the time and to briefly elevate
their privileges so that they are running as administrators when they attempt to carry out
specific administration-related tasks
To understand UAC, you need to understand the following concepts:
n privilege elevation All users of clients running Windows 7 run with the rights of
a standard user When a user attempts an act that requires administrative privileges,
such as creating a new user account, her rights need to be raised from those of
a standard user to those of an administrative user This increase in rights is termed
privilege elevation UAC is a gateway to privilege elevation It allows users who are
members of the local Administrators group to access administrative rights, but ensures
that the person accessing the Administrative rights is aware that they are doing so
Trang 8480 CHAPTER 9 Authentication and Account Control
This privilege elevation occurs only for a specific task Another task executed at the same time that also requires privilege elevation generates its own UAC prompt
n admin approval mode Admin Approval mode is where an administrator must give
explicit approval for elevation to occur by responding to the UAC prompt The UAC
prompt might require either clicking yes, called prompting for consent, or entering
a user name and password, which is called prompting for credentials
n Secure Desktop Secure Desktop ensures that malware is unable to alter the display of
the UAC prompt as a method of tricking you into allowing administrative access When you configure UAC to use the Secure Desktop, the desktop is unavailable when a UAC prompt is triggered You must respond to the UAC prompt before you can interact with the computer The dimmed screen is actually a screen shot of the current desktop, which is why if you have video running in the background and a UAC prompt uses Secure Desktop, the video appears to freeze If you do not respond to a UAC prompt
on a Secure Desktop after 150 seconds, Windows automatically denies the request for privilege elevation, and the computer returns to the standard desktop
UAC Settings
You can determine how intrusive UAC is by configuring the User Account Control Settings dialog box, shown in Figure 9-1 You can access this dialog box from the User Accounts control panel by clicking the Change User Account Control Settings item The dialog box consists of
a slider that allows you to adjust UAC notifications between Always Notify and Never Notify
FIgUre 9-1 User Account Control Settings
Trang 9Lesson 1: Managing User Account Control CHAPTER 9 481
If you make an adjustment using this slider, you are prompted by UAC informing you
that the program named UserAccountControlSettings is trying to make a change to your
computer You can see this dialog box in Figure 9-2 This dialog box is a security measure that
ensures that malware is unable to modify your UAC settings without you being aware of it
If you see this message and you have not modified UAC yourself, it is likely that malware is
attempting to compromise the integrity of your computer
FIgUre 9-2 UAC settings change warning
The settings that you can configure using the slider do the following:
n always Notify This is the most secure setting You are prompted before programs
make changes to your computer or Windows settings that require administrator
permissions During notification, your desktop appears dimmed This is because Secure
Desktop has become active You must respond to the UAC prompt before it is possible
to do anything else with the computer If you do not respond to the UAC prompt after
150 seconds, Windows automatically denies the request for privilege elevation, and the
computer returns to the standard desktop
n Notify Me Only When programs try to Make Changes to My Computer When this
option is set, you are prompted before programs make changes to your computer or
Windows settings that require administrator permissions Notification occurs on the
Secure Desktop If you do not respond to the UAC prompt after 150 seconds, Windows
automatically denies the request for privilege elevation
n Notify Me Only When programs try to Make Changes to My Computer (Do Not Dim
My Desktop) With this option, you are prompted before programs make changes
that require administrator permissions You are not prompted if you try to make
changes to Windows settings that require administrator permissions using programs
that are included with Windows You are prompted if a program that is not included
with Windows attempts to modify Windows settings
n Never Notify When logged on as an administrator, you are not notified before
programs make changes to your computer or to Windows settings If you are logged on
as a standard user, any changes that require administrative privileges are automatically
denied
Trang 10482 CHAPTER 9 Authentication and Account Control
quick Check
n What is the difference between the Always Notify Me And Dim My Desktop Until
I Respond and Always Notify Me UAC settings?
quick Check answer
n The Always Notify Me And Dim My Desktop Until I Respond setting uses Secure Desktop in conjunction with UAC When the more secure option is in effect, you must respond to the UAC prompt before you can continue to use your computer
If the Always Notify Me setting is enabled, you can continue working without having to respond directly to the UAC prompt.
User Account Control Policies
You primarily manage UAC settings through Group Policy The UAC policies are all located
in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node There are 10 policies, all of which are prefixed by the name User Account Control, as shown in Figure 9-3
FIgUre 9-3 User Account Control policies
In the next few sections, you learn more about these policies and how they influence the operation of User Account Control
UAC: Admin Approval Mode For The Built-In
Administrator Account
UAC: The Admin Approval Mode For The Built-In Administrator Account policy controls how Administrator Approval mode works for the built-in Administrator account The built-in Administrator account is disabled by default, so this policy is relevant only if you have enabled