Microsoft Windows OS Security Settings | CompTIA A+ 220-1002 | 2.6

In this video you will learn about Microsoft Windows operating system security settings such as: users & groups, NTFS vs. share permissions, shared files & folders, system files & folders, user authentication, BitLocker, BitLocker To Go, and encrypting file systems.

Users and Groups

There are four standard account levels in Windows:

  • Administrator: Administrator accounts are special accounts that are used for making changes to system settings or managing other people’s accounts. They have full access to every setting on the computer.
  • Power User: Power users can run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications. Power users do not have permission to add themselves to the Administrators group nor do they have access to the data of other users on an NTFS volume. In Windows 10 the Power Users group has been discontinued, but it is available to assign for backward compatibility.
  • Standard User:  Standard accounts are the basic accounts for normal everyday tasks. A Standard User can do just about anything except perform tasks that involve system wide changes, such as installing hardware or software, unless they can provide an administrator password.
  • Guest: The guest account lets other people use your computer without being able to change PC settings, install apps, or access private files. The guest account is disabled by default. Guest accounts are used for visitors.

NTFS vs. Share Permissions

NTFS (New Technology File System) is the standard file system for Microsoft Windows NT & later operating systems. NTFS permissions are used to manage access to data stored in NTFS file systems. The main advantages of NTFS share permissions are that they affect both local users & network users and that they are based on the permissions granted to an individual user at the Windows logon, regardless of where the user is connecting from.

Share permissions manage access to folders shared over a network. They don’t apply to users who log on locally. Share permissions apply to all files and folders in the share; you cannot granularly control access to subfolders or objects on a share. You can specify the number of users who are allowed to access the shared folder. Share permissions can be used with NTFS, FAT, & FAT32 file systems.

Allow vs. Deny

Both NTFS and Share Permissions each have two settings:  Allow or Deny. If a user wants access to an object such as a folder to where they can perform certain tasks, the user has to be added to a list granting access to the folder and then the administrator would have to select Allow for the appropriate permission. In some instances, an admin must issue an explicit denial if the user is part of a larger group that already has access to a parent folder but needs to be kept out of a particular subfolder.

Moving and Copying Folders & Files

Depending on the permissions, moving & copying files/folders can have produce different results. For example, copying a file/folder to a different volume, the file/folder will inherit the permissions of the parent folder it was copied to. When the file/folder is moved to a different location on the same volume, the file/folder will retain its original permissions.

File Attributes

File attributes are a type of meta-data that describe and may modify how files and/or directories in a filesystem behave. Typical file attributes may indicate or specify whether a file is visible, modifiable, compressed, or encrypted. To view file attributes in Windows:

  • Right-click in File Explorer or Windows Explorer > Properties
  • To view file attributes from Windows command line, use the Attrib command.

Shared Files and Folders

Shared files and folders assign permissions via the Security tab of the object’s properties sheet.  The permissions include:

  • Full Control:  Users can add, modify, move & delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files & subdirectories.
  • Modify:  Users can view & modify files and file properties, including adding files to or deleting files from a directory, or file properties to or from a file.
  • Read & Execute:  Users can run executable files, including scripts.
  • List Folder Contents:  Display folder contents.
  • Read:  Users can view files, file properties and directories.
  • Write:  Users can write to a file & add files to directories.

Administrative Shares vs. Local Shares

Administrative shares are hidden network shares that allow system administrators to have remote access to every disk volume on a network-connected system. To connect to the administrative share, a user must provide a username and password for an account on that system. Local shares are normally configured on a folder or library basis in Windows. For example, the administrative share for the C: drive on a system called MARK-PC is \\MARK-PC\C$.

Permission Inheritance and Propagation

Permission propagation and inheritance describe how files and folders receive permissions.

Permission inheritance is when any permissions that are set in the parent folder will be inherited by any subfolder of the parent. To view an example of this:

  • Select a folder within an NTFS volume
  • Right-click it & select Properties > Security > Advanced

Subfolders that are not inheriting permissions from the current folder, propagating permission changes can be applied:

  • Select Replace All Child Object Permissions with Inheritable Permissions from This Object

System Files and Folders

System files and folders are files with the system(s) attribute.  To make these files and folders visible in Windows 10:

  1. Open File Explorer > View.
  2. Uncheck the boxes that are hidden that need to be viewed.
Showing Hidden Files in Windows 10

User Authentication

Authentication is the process of proving that you are who you say you are. Windows includes a variety of authentication protocols that can be used on a corporate network, including Kerberos, TLS/SSL, PKU2U, and NTLM. Apple, Microsoft, and Google use single sign-on (SSO) to enable a single login that provides access to multiple servers. 

BitLocker

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes (disks/drives). By default, it uses the AES encryption algorithm in cipher block chaining (CBC) with a 128-bit or 256-bit key. There are some requirements for this, including:

  • A Trusted Platform Module (TPM) chip, which is a chip residing on the motherboard that actually stores the encrypted keys. Or…
  • An external USB key to store the encrypted keys.  And…
  • A hard drive with two volumes, preferably created during the installation of Windows.  One volume is for the OS, and it will be encrypted; the other is the active volume, and it remains unencrypted so that the computer can boot.

BitLocker To Go

In Windows 7 and later versions, BitLocker functionality is extended to removable drives and external USB drives (including flash drives) with BitLocker To Go. To enable BitLocker on Windows 10

  • Go to Control Panel > System & Security > BitLocker Drive Encryption
  • For external drives, right-click the drive to encrypt & select Enable BitLocker

EFS (Encrypting File System)

The EFS on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. EFS can be used to protect sensitive data files and temporary files and can be applied to individual files or folders. EFS files can be opened only by the user who encrypted them, by an administrator, or by EFS keyholders. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer. Files encrypted with EFS are listed with green filenames when viewed in Windows Explorer or File Explorer.

To encrypt a file in Windows 10:

  • Right-click the file in File Explorer and select Properties > Advanced > Encrypt Contents to Secure Data > OK > Apply > OK > OK.
  • To decrypt the file, follow the same procedure but clear the Encrypt Contents to Secure Data.