exercise 1 Exploring Runas Credentials and Credential Manager In this exercise, you use the Runas command to run several applications using another user’s credentials.. Note that this ti
Trang 1FIgUre 9-17 Backup EFS certificate
FIgUre 9-18 Certificates Console (Certmgr msc)
EFS keys can also be backed up from the command line using the Cipher exe
command-line utility When you back up your key, you are provided with a warning on the desktop that
this is about to take place and are asked to provide a password to protect the exported key
The command to back up an EFS certificate is:
Cipher.exe /x filename.pfx
Trang 2eXaM tIP
Remember what tasks you can complete with Credential Manager.
Practice Managing Credentials
The Windows Vault allows you to store login and password information This is very useful if you need to access resources outside a domain network and you have trouble remembering all of the unique passwords and login names that you have to use for each different research
In this practice, you explore the Windows Vault and the Runas utility You get an understanding
of each utility’s function and how you might use them when deploying Windows 7 in your own network environment
exercise 1 Exploring Runas Credentials and Credential Manager
In this exercise, you use the Runas command to run several applications using another user’s credentials You save those credentials to the Windows Vault, verify that they have been saved, and then remove them To complete this exercise, perform the following steps:
1 Log on to computer Canberra with the Kim_Akers user account
2. In the Search Programs And Files text box, type Credential Manager Click Credential
Manager Verify that no credentials are currently stored under any categories Close Credential Manager
3 Open an elevated command prompt and issue the following command:
Net user Dan_Park P@ssw0rd /ADD
4 Close the elevated command prompt Open a normal command prompt and issue the following command, which opens Notepad:
Runas /savecred /user:Canberra\Dan_Park notepad
5. Enter the password p@ssw0rd when prompted Close Notepad Enter the following
command at the command prompt:
Runas /user:Canberra\Dan_Park write
6 Note that you needed to enter the password to run WordPad Close WordPad Enter the following command from the command prompt to open Microsoft Paint:
Runas /savecred /user:Canberra\Dan_Park mspaint
7 Note that you did not need to enter a password because the saved credentials were used Close Paint
8. In the Search Programs And Files text box, type Credential Manager Click Credential
Manager Click the Canberra\Dan_Park item under Windows Credentials, as shown in Figure 9-19
Trang 3FIgUre 9-19 Stored credentials
9 Click Remove From Vault to remove the Dan_Park credentials Click Yes when
prompted by the Delete Windows Credential dialog box From the command prompt,
again issue the following command:
Runas /savecred /user:Canberra\Dan_Park mspaint
10 Note that this time you must enter credentials because they are no longer stored in the
Windows Vault (though by running this command, you have again added them)
exercise 2 Adding a Credential and Backing Up and Restoring Windows Vault
In this exercise, you add a credential to the one that was added to the Windows Vault at the
end of the previous exercise You then add yet another credential From there, you back up
the Windows Vault, delete the existing credentials, and then restore them by restoring the
Windows Vault To complete this exercise, perform the following steps:
1 If you have not done so already, log on to computer Canberra with the Kim_Akers user
account Use Windows Explorer to create the directory C:\Vault
2. In the In the Search Programs And Files text box, type Credential Manager Click
Credential Manager
3 Verify that the Canberra\Dan_Park (Interactive Logon) credential is present in
Credential Manager You re-created this credential in step 9 of Exercise 1
Trang 44 Click Add a Windows Credential In the Add A Windows Credential dialog box, enter the following credentials:
n Internet Or Network Address: aberdeen.contoso.internal
n User name: Sam_abolrous
n Password: p@ssword
5 Click OK to close the Add A Windows Credential dialog box
6 Click the Back Up Vault item This opens the Stored User Names And Passwords dialog box In the Back Up To text box, click Browse Navigate to C:\Vault\, enter the name
Winvault, and click Save Click Next
7 Press Ctrl, Alt, and Delete at the same time to continue the backup on the Secure Desktop, as shown in Figure 9-20
FIgUre 9-20 Backup on Secure Desktop
8. Enter the backup password p@ssw0rd twice and then click Next Click Finish
9 Use the Credential Manager to remove the Aberdeen contoso internal and
Canberra\Dan_Park (Interactive Logon) credentials
10 Click the Restore Vault item
11 Click Browse to browse to C:\Vault\Winvault crd and then click Next
12 Press Ctrl, Alt, and Delete at the same time to continue restoring logon credentials on the Secure Desktop
13. Enter the password p@ssw0rd on the Stored User Names And Password dialog box, as
Trang 5FIgUre 9-21 Restoring password
14 Click Finish when you are informed that your logon credentials have been restored
15 Close and reopen Credential Manager to verify that the deleted logon credentials have
been recovered
Lesson Summary
n Credential Manager allows you to manage passwords for Web sites, terminal services
and remote desktop sessions, stand-alone network resources, and smart card
certificates You can use Credential Manager to back up and restore these credentials
n The Runas utility allows you to run programs using alternate credentials You can use
the /savecred option to store the password associated with these alternate credentials
n You can use Certmgr msc, Cipher exe, or the Manage File Encryption Certificates tool to
back up EFS certificates
n Users can create a password reset disk to assist them if they forget their password
Password reset disks must be created before the password is forgotten
n Members of the local administrators group can reset the passwords of users that have
forgotten them
n Group policies can be configured to enforce multifactor authentication by requiring
users to log on with smart cards
n You can assign rights to users by adding them to the appropriate built-in local group
or by assigning them rights through Group Policy
Trang 6Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Windows Authentication and Authorization ” The questions are also available on the
companion CD if you prefer to review them in electronic form
note aNSWerS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book
1. You have used Runas with the /savecred option to save the credentials of an
administrator account on a client running Windows 7 You have finished performing the tasks that you needed to and now want to remove those credentials from the computer Which of the following tools could you use to do this?
a Runas
B Credential Manager
c The Certificates console
D UAC settings
2 You want to ensure that users are forcibly logged off from their computers running Windows 7 if they remove their smart cards Which of the following policies and settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution )
a Interactive Logon: Smart Card Removal Behavior Properties: No Action
B Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation
c Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
D Interactive Logon: Require Smart Card: Enabled
3 A user has forgotten the password to the stand-alone desktop computer running Windows 7 that she uses at your organization The user does not have a reset disk You have an account on this computer that is a member of the local Administrators group Which of the following steps can you take to resolve this user’s authentication problem?
a Unlock her account
B Reset her password
c Create a password reset disk for her account
D Create a password reset disk for your account
Trang 74 You want to ensure that users of stand-alone clients running Windows 7 in your
organization change their passwords every three weeks Which of the following
policies should you configure on each computer to accomplish this goal?
a Enforce Password History
B Minimum Password Length
c Minimum Password Age
D Maximum Password Age
5 Which of the following tools can users use to back up EFS certificates created when
they encrypt a file on a stand-alone computer running Windows 7? (Choose all that
apply )
a Credential Manager
B The Manage File Encryption Certificates tool
c The Certificate Manager console
D Cipher exe
Trang 8Chapter review
To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
n Review the chapter summary
n Review the list of key terms introduced in this chapter
n Complete the case scenarios These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution
n Complete the suggested practices
n Take a practice test
Chapter Summary
n UAC can be configured to either prompt for credentials or prompt for consent When prompting for credentials, you must enter your user account password
n When Secure Desktop is implemented, users must respond to a UAC prompt before being able to continue working with their computer
n UAC is configured through Group Policy
n Credential Manager stores credentials entered into Internet Explorer, Remote Desktop Connection, and through Windows Explorer when connecting to remote servers You can back up and restore these credentials
n Password policies determine how often passwords need to be changed, whether users are locked out for entering successive incorrect passwords, and how complex passwords may be
n Forgotten passwords can be recovered using the Password Recovery Tool
An administrator can reset a forgotten password, but credential data and encrypted files may be lost
n You can back up EFS certificates using Certmgr msc, Cipher exe, or the Manage File Encryption Certificates tool
n You can enforce multifactor authentication on a client running Windows 7 by
configuring smart card policies
Key terms
Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book
n multifactor authentication
n privilege elevation
Trang 9Case Scenarios
In the following case scenarios, you apply what you’ve learned about subjects covered in this
chapter You can find answers to these questions in the “Answers” section at the end of this book
Case Scenario 1: User Account Control at Coho Vineyard
You are developing UAC policies for the deployment of clients running Windows 7 at Coho
Vineyard Administrators often have to help out standard users using remote assistance
At times, it is necessary for administrators to perform actions that require elevation
Administrators should have to provide their authentication credentials when performing an
act that triggers an elevation prompt The administrators should be able to continue using
other parts of the operating system and should not have to respond to the elevation prompt
immediately All approved applications at Coho Vineyard have been digitally signed by the
application publisher
With these facts in mind, answer the following questions:
1 Which policies do you need to configure to support the elevation requirements for
administrators?
2 Which policies do you need to configure to support elevation during remote
assistance?
3 Which policy do you need to configure to ensure that only approved applications can
initiate elevation?
Case Scenario 2: Resolving Password Problems
at Wingtip Toys
Wingtip Toys has 20 people that have stand-alone computers running Windows 7 One of the
users recently had a problem where he forgot his password You were able to reset this user’s
password, but the user lost access to several important encrypted documents as well as all
his stored Web site credentials You are in the process of developing a policy to ensure that
this type of data loss does not happen again You also want to ensure that users do not keep
the same passwords because several appear to have been using the same password for the
last few months without changing it, even though your company policy states that passwords
should be changed every month
With these facts in mind, answer the following questions:
1 What steps can you take to ensure that users do not lose access to encrypted
documents or credentials if their password is reset?
2 What steps can you take to ensure that users are able to recover their own forgotten
passwords?
3 What steps can you take to ensure that users regularly change their passwords and do
not use the same small number of passwords?
Trang 10Suggested practices
To help you master the exam objectives presented in this chapter, complete the following tasks
Configure User Account Control (UAC)
You should perform the first practice and then test it using one of the standard user accounts that you have created in previous exercises The second practice requires two computers
to test
n practice 1 Configure UAC policies using the Local Security Policy console so that standard users are prompted for credentials when performing an activity that requires elevated privileges, such as attempting to run an elevated command prompt
n practice 2 Configure UAC policies using the Local Security Policy console so that
a user in the helper role is able to respond to a UAC prompt by entering their
credentials when connected remotely using Remote Assistance Use the computer named Aberdeen, which you configured in Chapter 6, “Network Settings,” as the computer from which the Remote Assistance invitation is sent
Configure Authentication and Authorization
You should perform both of these practices The first exercise requires you to have access to
a floppy disk or a USB storage device
n practice 1 Create a password reset disk for a user account other than the Kim_Akers user account Use the password reset disk to log on to an account
n practice 2 Use Manage File Encryption Certificates tool to back up an EFS certificate
take a practice test
The practice tests on this book’s companion CD offer many options For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content You can set up the test so that it closely simulates the experience of taking
a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question
More Info praCtICe teStS
For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book.