A homegroup lets home users easily share documents, printers, and media with others on their private, local network. This is the simplest kind of sharing, but it is limited in what permissions and restrictions can be placed on the data shared. By default, all users who join a homegroup (and there can be only one homegroup per network) have read-only access to what’s already shared. Users can reconfigure this, though, allowing both read and write access if desired.

When opting for a homegroup, users can do the following:

Although we could spend a few pages walking you through how to create and join a homegroup, because it’s done with a wizard, that isn’t really necessary. However, you should create a homegroup on your own local network to see how it’s done and let other computers join it so that you are familiar with the process. Note that users might already be joined to a homegroup, as Windows detects existing homegroups automatically during setup. Figure 4-1 shows a computer that is connected to a private network and has joined a homegroup.

Figure 4-1. Create, join, or view homegroup status from the Network And Sharing Center.

Once a homegroup is configured, users can share data with the homegroup from File Explorer on the Share tab (among other places). Note the Stop Sharing option for the selected folder, shown in Figure 4-2, and the option to allow the entire homegroup to view or view and edit the selected data. You can see here that a specific user, [email protected], also has an option.

Figure 4-2. In File Explorer, use the Share tab to choose how to share selected data with homegroup participants.

If you don’t want to share the data with everyone in the homegroup, you can opt to share it with only specific people. You can also set different permissions for the people you choose. This is a very simple way to share data, and it will work on small home networks but not too many other places. To do this, follow these steps:

There are two folder sharing options to discuss here: Public folder sharing and what we refer to as Any folder sharing. Any folder sharing is the more complex of the two and offers more options than Public folder sharing. You can also share from a command line, from a Microsoft Management Console (MMC), and using Windows PowerShell.

Any folder sharing

Any folder sharing has a lot more options than the other types you’ve seen so far. Any folder sharing lets users do the following:

• Share files from any location in addition to their original location

• Set different permissions for individual users

• Protect data in domain networks

• Protect data in local networks that require more security than the homegroup or public folder option can offer

To get started you must first choose or create a folder to share. Then, you can right-click the folder, click Properties, and click the Sharing tab to display the Properties dialog box shown in Figure 4-4. It’s important to note that if you click Share in the Properties dialog box, you are given the same sharing options you saw earlier for homegroups (Figure 4-3). That’s not where the power in Any folder sharing lies. Instead, click Advanced Sharing to access the Advanced Sharing dialog box, also shown in Figure 4-4.

More Info: Share Characteristics

Share permissions have the following characteristics:

• They apply only to users who gain access to the resource over the network. They do not apply to users who log on locally. To protect a resource in these cases, you must use NTFS to set permissions.

• They are the only way to secure network resources on FAT and FAT32 volumes, because NTFS permissions are not available on those volumes.

• They specify the maximum number of users who are allowed to access the shared resource or folder over the network.

• When both Share and NTFS permissions are applied, the cumulative permission for both sets is compared and the more restrictive permission is applied.

Figure 4-4. With Any folder sharing you’re in complete control of what is shared and with whom.

Now you have several options. First, select the Share This Folder check box, which defaults to 20 simultaneous users. Next, click Permissions. Now you have access to the advanced sharing options shown in Figure 4-5. What you’ll likely want to do here is remove Everyone from the list (I’ve done this in Figure 4-5 already) and then add specific users or groups whom you want to have access (I’ve done that, too). The default permission is Read, but you can add Change or Full Control for the selected user or group. You could also opt to deny access, although this is not the generally accepted way to limit access to a share.

Figure 4-5. Remove the Everyone group and then add specific users or groups and apply permissions for them.

Exam Tip

No matter what share permissions are applied to a group or a user and no matter what combination of permissions one has, Deny always means deny. You might see a long question on an exam that gives lots of information about a user, what groups he is in, and so on, and there might be one lone Deny permission for a share he also has permission to access. If he’s denied access, that’s that. He’s denied access.

Table 4-1 shows the Share permissions and their limitations.

Table 4-1. Share permissions and their limitations

Share Permission	Limitations
Read	Display folder names; display file names, data, and attributes; execute program files; access other folders inside the shared folder
Change	Perform all read actions; create and add files to folders; change and append data to files; change file attributes; delete folders and files
Full Control	Perform all change permissions; change file permissions; take ownership of files

Here are a few more things to know about share permissions:

• Share permissions are completely separate from NTFS permissions.

• Share permissions are the simplest permissions you can configure.

• On networks that employ NTFS, most of the time administrators simply grant the Share permission Full Control to Everyone and then configure the NTFS permissions as desired. When both Share and NTFS are applied, the more restrictive wins; in this case, that is the NTFS permission.

• NTFS permissions on a subfolder inherit the permissions assigned to the parent folder. Share permissions do not combine in the same way. Succinctly, Share permissions applied to a folder that sits inside another folder do not inherit the parent folder’s permissions. They use the permissions explicitly assigned to the folder in question.

Other ways to share

You don’t have to use the available end-user tools to create and manage sharing. You can share at a command line by using the Shared Folders snap-in inside an MMC and by using Windows PowerShell. Although you might not opt to use these tools for sharing, it’s likely you’ll see questions about them on the exam.

Share from a command line

You can share folders at a command prompt. The command you use is net share, often in the form of net share [ShareName] to display information about a share and net share [ShareName=Drive:Path] to specify the path of the directory to be shared. You can also add these parameters:

• /users: number. This parameter sets the maximum number of users who can simultaneously access the shared resource.

• /unlimited. This parameter sets an unlimited number of users who can simultaneously access the shared resource.

• /remark: “text”. This parameter adds a descriptive comment about the resource. Enclose the text in quotation marks.

• /cache:automatic. This parameter enables offline client caching with automatic reintegration.

• /cache:manual. This parameter enables offline client caching with manual reintegration.

• /cache:no. This parameter advises the client that offline caching is inappropriate.

• /delete. This parameter stops sharing the shared resource.

• net help command. This parameter displays Help for the specified command.

Exam Tip

To create a share that is invisible to users who browse the network, add a dollar sign ($) to the share name (CTest$, DShare$, and so on).

Share using an MMC

To share using an MMC, add the Shared Folders snap-in. Click the Shares node in the left pane, right-click in the middle, and click New Share, as shown in Figure 4-6, to start the Create A Shared Folder Wizard. You can also view sessions and open files using the console.

Figure 4-6. Use an MMC to create and manage a share.

Share using windows powershell

You can use Windows PowerShell to create and manage shares. One command you’ll likely use is New-SmbShare followed by the share name and path to the folder to share. (SMB stands for Server Message Block.) There are additional commands for managing shares using Windows PowerShell:

• Get-SmbShare. Use this command to list the shares that already exist on the computer. See Figure 4-7.

• Set-SmbShare. Use this command to modify a share.

• Remove-SmbShare. Use this command to remove a share.

• Grant-SmbShareAccess. Use this command to set permissions for a share.

Figure 4-7. View shares using Windows PowerShell.

Exam Tip

It’s highly likely you’ll see something on the exam that involves the SmbShare commands.

Windows 8.1 comes with its own library structure that includes libraries for Desktop, Documents, Downloads, Music, Pictures, and Videos. Anything you save to the related folder is available in the library with the same name. This means if you save a file to the Documents folder, you’ll have access to it in the Documents library. The library doesn’t actually hold the files though; it only keeps a record of where the files are stored. By default, libraries only offer access to data in the related personal folder. Libraries do not offer access to the related Public folders or any others, although you can add them if you like. (Note that libraries offered access to the Public folders in Windows 7.) There isn’t that much more to know about libraries except how to create your own libraries and add folders to existing ones.

To create your own library, follow these steps:

To add a location to an existing library, in File Explorer, double-click the library to which you’d like to add a folder and then click the Manage tab. From there, click Manage Library and add folders as desired.

If you’ve created a homegroup, your printers are already shared. Both the printer and the computer to which it’s connected must be turned on and ready for a request, but the sharing is done automatically. When a homegroup isn’t used, you have to share the printers manually. You might also have to enable file and print sharing in some instances, including if you’re sharing printers on a public network.

In a workgroup or domain setting, sharing is basically the same. You locate the printer and access the option to share it. You can share the printer with a mix of computers on your network, including x86-based and x64-based PCs. You only need to make sure the applicable drivers are available, and for the most part they are. You’ll likely need administrator approval to install drivers, though, so you need to keep that in mind if you think drivers are going to be an issue.

Add a printer and configure sharing

You can add a printer in Windows 8.1 from the Devices And Printers window, available in Control Panel. There, click Add A Printer and choose it from the list. If the printer you want isn’t listed, you can add it manually, which is likely what you’ll have to do if you have an old printer connected to an LPT port or if you need to add a printer using its TCP/IP address or host name. You can connect a wireless printer from this window, but you can also use the manual option to add a wireless printer if you need to. You can also use this option to type a path to the printer to locate it manually. See Figure 4-9.

Figure 4-9. Add a printer manually.

Table 4-2 shows the basic printer permissions.

Table 4-2. Basic printer permissions

Permission	Limitations/capabilities	Default assignment
Print	Connect to a printer; print; control the user’s own print jobs	Everyone
Manage this printer	Cancel documents; share and delete printers; change printer properties; change printer permissions	Administrators
Manage documents	Pause, resume, restart, and cancel all documents; control job settings for all documents	Creator Owner

Share and configure a printer manually

To manually share a printer, right-click the device in the Devices And Printers window and then click Printer Properties. From there, use the Sharing tab to share the printer and configure other options. If the computer is a member of an Active Directory domain, you’ll see the List In The Directory check box. Select this check box to create a new printer object in the Active Directory database. This will enable domain users to locate the printer by searching in the directory. In this dialog box you can also opt to add drivers, if necessary.

The other tabs offer additional options, including the option to configure when the computer is available and what types of users have access to the Print permissions: Print, Manage This Printer, Manage Documents, and Special Permissions. In Figure 4-10, you can see that the Everyone group has the ability to print. However, if you click Administrators in the Group Or User Names list, you’ll see that this group has Print, Manage This Printer, and Manage Documents set to Allow. Table 4-2 explains these options. Make sure you are comfortable with all of these graphical options available in Windows 8.1 before moving on.

Note: How to Assign Permissions

When assigning permissions in an Active Directory domain, you assign permissions for domain users, groups, and other objects. On a stand-alone computer, you select the local user and group accounts that should receive the permissions.

Figure 4-10. Use the printer’s Properties dialog box to share a printer and configure sharing options.

Exam Tip

Near Field Communication (NFC) is a radio-based communications technology (based on radio-frequency identification [RFID] standards) that lets users complete tasks with compatible objects, mostly to complete brief transactions without having to physically connect to the device or the network. In the case of printers, NFC allows mobile devices to submit print jobs to printers, provided compatible technologies exist between the two and the proximity between the devices is acceptable.

SkyDrive enables users to store data in the cloud almost seamlessly from their Windows 8.1 computers. SkyDrive is an app on the Start screen and an option on the File Explorer Navigation tab. When data is stored in SkyDrive, users can access that data from virtually any device that has an Internet connection. Users can also share any part of what they’ve stored there with others, allowing them to read or read and edit the data. Users need a Microsoft account and the applicable app or browser to access the data. Users can also access the files locally when a connection isn’t available.

Users can access SkyDrive in a number of ways:

Figure 4-11. Save to SkyDrive from a desktop application.

Setting up SkyDrive only involves logging in to the Windows 8.1 computer with a Microsoft account. Windows does the rest. There are some configuration options to look at right away, though. You can configure the option to access all files offline from the Settings charm (click Options) from inside the SkyDrive app. See Figure 4-12. This might be the first thing you’ll want to configure if you have the available SkyDrive space.

Figure 4-12. The SkyDrive app offers the option to access all of your files offline.

Configuration options are available from PC Settings and on the SkyDrive website. Figure 4-13 shows what’s available in PC Settings. There are four tabs. On the File Storage tab you can buy more storage and configure your documents to save to SkyDrive by default. You can see that I have an enormous amount of space available on SkyDrive. That’s not typical. Make sure you explore all of the settings and options here as time allows.

Figure 4-13. Configure SkyDrive settings from PC Settings in Windows 8.1.

Finally, you can configure SkyDrive settings on the SkyDrive website. Once you log in at http://skydrive.com you can click the Tools icon in the top-right corner and click Options. See Figure 4-14. Note the options on the left side:

Figure 4-14. Configure settings on the SkyDrive website.

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

There’s a lot to learn about NTFS permissions, the Windows permission architecture, the differences between basic and advanced permissions, and how permissions are inherited, among other things, and there just isn’t enough room here to discuss all of it. However, we’ll try to cover the most important facts you’ll need to know for the exam and how to apply NTFS permissions to secure a resource.

There are four kinds of permissions. You already know a little about two: Share and NTFS. There are two others: Registry permissions and Active Directory permissions. You might not ever assign these two types, but they do exist. All of these permissions are independent of one another and can be combined if desired.

Permission terminology and rules

Any element or resource that is protected has an access control list (ACL). This is basically just a list of permissions that have been applied to it. The individual permissions applied are access control entries (ACEs). Every ACE has at least one security principal. A security principal is the user, group, or computer given permissions, along with the permissions that have been configured for it (them). This means that permissions are stored with the resource that is being protected. The permissions are not stored with the user, group, or computer that is granted access. This is why you configure permissions on the Security tab of the element’s Properties dialog box (see Figure 4-15). If you click Edit in the Test Properties dialog box, you gain access to the Permissions For dialog box shown on the right. There you can add or remove users, groups, and so on and apply the applicable NTFS permissions for those new entries.

Figure 4-15. Configure NTFS permissions from the element’s Properties and Permissions For dialog boxes.

You can use the basic permissions shown in Figure 4-15 to create very specific access options to a shared resource. You can grant a single user Full Control to a resource and at the same time grant all of the users in the Users group only Read access. You can configure it so that a specific person or persons can’t access the resource at all or so that an entire group, like HomeUsers, can read, write, list folder contents, and read and execute while using the resource, but can’t modify or take ownership of it. The scenarios are almost endless.

If a user is configured permissions to a resource from more than one place, the permissions granted are cumulative. As an example, if Bob is a member of the Users group and the Users group has only the NTFS permission Read, but Bob is also a member of the Sales group and the Sales group has the NTFS permission Modify, then Bob has both Read and Modify permissions. Remember, Share permissions are cumulative and NTFS permissions are cumulative, and if both exist, the more restrictive of the results of these are applied. Deny means deny though; if Deny is assigned to a user from anywhere, that user can’t access the resource.

Exam Tip

Allow permissions are cumulative. Deny permissions override Allow permissions. Explicit permissions take precedence over inherited permissions.

Users will keep as much data and use as much server and storage space as you allow. Some users might never delete anything unless you force them to. As a network administrator you must be able to manage this, and you do so by configuring disk quotas.

Once you’ve enabled disk quotas (which you can do only on NTFS volumes, not on FAT volumes) you can also configure what happens when users meet those limits. You might want to give them a warning, or you might want to force them to delete data before they can save more. You configure NTFS disk quotas as follows:

Encryption protects data from unauthorized access when other security measures fail. Much of the time failure has to do with someone gaining physical access to a machine and having the knowledge and time to figure out how to access the data on it. There are many ways this type of breach can occur. However, with Encrypting File System (EFS), the public and private keys that are generated during encryption ensure that only the user that encrypted the file can decrypt it. Technically, encrypted data can only be decrypted if the user’s personal encryption certificate is available, which is generated using the private key. Another user can’t access this key, and neither can a person who tries to access data to copy or move it who does not have the proper credentials.

Here’s a little more information about EFS:

To encrypt a folder, right-click the folder to share then click Properties. In the Properties dialog box, on the General tab, click Advanced. Select the Encrypt Contents To Secure Data check box for the folder, as shown in Figure 4-19. You can use this same Advanced Attributes dialog box to remove encryption if you want to later.

Figure 4-19. Enable encryption for a folder in the Advanced Attributes dialog box for the item to encrypt.

After you’ve performed your first encryption, you’ll be prompted to back up your file encryption certificate and key. This helps you avoid permanently losing access to the encrypted files if the original certificate and key (that were generated when you encrypted it) are lost or corrupted. If you miss the prompt, you can follow the steps given next to perform the backup, but it’s likely you’ll be prompted to back up the key each time you log on anyway. You can back up your personal certificates manually using the Certificate Manager MMC (you should keep the EFS recovery key stored away from the computer in a safe place).

Figure 4-20. Opt to export all selected certificates and work through the resulting wizard to complete the process.

You can use CertMgr to recover your EFS encrypted files, too, by importing your EFS certificate backup. As with exporting certificates, this is achieved using a wizard. To get started, select the Personal folder, click Action, and then click All Tasks. From there, select Import. Work through the prompts to import the required data.

You can use the command line to manage encryption, too. You use Cipher.exe to perform encryption and decryption tasks. You might see this command on the exam. For more information about Cipher, refer to this page on TechNet: http://technet.microsoft.com/en-us/library/cc771346.aspx. Here are a few of the most common parameters used with Cipher:

Network administrators often audit events to see which have occurred, often for the purpose of maintaining security on a particular object, such as a secure folder. It can also be a file, printer, or almost any other resource available from a computer. It can even be as small as a Registry key. Most of the time this type of object access auditing is done to see how many attempts have been made to access an object and how many times those attempts failed. All audited events appear in Event Viewer as they are captured.

Administrators can audit specific events, too, such as successful or failed logon attempts. This isn’t object access auditing, but it deserves a mention because the option is part of the Audit Policy options you’ll explore here. Also, it could be that objects are being accessed when they should not be, due to successful logons that aren’t performed by the desired users. (See the Real World example for more information on how this can happen.)

In the following set of steps you enable the option to audit successful logon events. You also enable auditing of failures on objects you specify in the second set of steps here.

To enable auditing for successful logons and object auditing, follow these steps:

The successful logon attempts will appear in Event Viewer with no other configuration. However, to see events for object access you must specify which objects you want to watch for. You enable auditing on an object in its Properties dialog box, on the Security tab. On the Security tab, click Advanced. This opens the Advanced Security Settings For dialog box you used earlier to disable permission inheritance, view permissions, and learn the effective access when multiple permissions are applied. To enable auditing, click the Auditing tab and click Continue. From there you can add the objects to audit. See Figure 4-22.

Figure 4-22. Configure auditing by adding objects in the Advanced Security Settings For dialog box.

In the Advanced Security Settings For dialog box, click Add. In the resulting window, click Select A Principal and type the name of the users or groups to be audited. (As an example, you might opt for Users.) Select the auditing option, perhaps Success. Finally, choose an option to which the auditing applies (perhaps This Folder Only) and configure the basic permissions. See Figure 4-23. Click OK and close the open dialog boxes.

Figure 4-23. Configure auditing from the Auditing Entry For dialog box.

To view the audited events, open Event Viewer. Because the events will be entered into the Security logs, navigate to Windows Logs and then Security Logs. You’ll see the events listed there. Double-click any event to learn more. See Figure 4-24. (You have to trigger the event to have it appear in the Security log.)

Figure 4-24. The Event Properties dialog box details the date and time of the audited event.

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

The Microsoft account (what used to be called Windows Live ID) is a new way to log on to a computer running Windows 8. This type of account enables users to sync specific settings to the cloud for the purpose of having access to those settings from other computers that they can log on to using that same Microsoft account. With a Microsoft account, users can also access their own cloud space, called SkyDrive. Windows 8.1 comes with a SkyDrive app, and SkyDrive can be accessed from compatible applications, various web browsers, and File Explorer.

Users are prompted to set up a Microsoft account when they first set up their Windows 8 computers. They can opt to do that, or they can decline and create a local account instead. Users might also create a local account if the computer is unable to access the Internet during setup (because they won’t be able to create or confirm the Microsoft account if there is no Internet access). Child accounts can also be created. Users generally opt to create a Microsoft account later even when they start with a local account, because many apps are inaccessible if the user is logged in with a local account. Additionally, users cannot get apps from the Store without a Microsoft account.

Once a Microsoft account is created, the user doesn’t need to be connected to the Internet to log on in subsequent sessions. The account information is saved locally. If an Internet connection isn’t available, the last saved settings will also be applied because they are cached locally as well.

You can switch from a local account to a Microsoft account from PC Settings. You can also create new users there and let them log on later with their own Microsoft account to finalize account creation. A wizard walks you through the process. To get started, in PC Settings, click Accounts. You switch from a local account to a Microsoft account on the Your Account tab, shown in Figure 4-25. You create additional users with the Other Accounts option by clicking Add An Account, also shown in Figure 4-25. Once the account is created you can return here later to change the account type if desired. (Control Panel is still an option for creating accounts, too.)

Figure 4-25. Add accounts easily in PC Settings.

A Microsoft account can be used in a domain if it isn’t restricted through Group Policy. If it’s possible at your place of business, once connected you’ll see the same desktop background, app settings, browser history, and so on that you see on your main computer at home (or in another office). You make the change through PC Settings, from Users. Once there, click Connect Your Microsoft Account and work through the setup process.

The weakest link when protecting computers is most often the password applied to the user account. The password could be nonexistent, too short, too simple, or too predictable. In some cases, the user might simply never change it. Often, users create and use the same password for multiple user IDs, too. This is a secondary weak link. If a hacker finds a password for a user’s online bank account, she will try that same password elsewhere, including the user’s computer. To protect authentication in both workgroups and domains, administrators can create local and group policies defining how passwords should be created, how often they can or must be changed, and what happens when a user fails to log on after making the attempt a specific number of times.

In this section we look at the password and account policies available in the Local Security Policy for a stand-alone computer or computers in a workgroup, but the same policies exist in Group Policy Management Console for domains as well.

Password policies

Because users likely won’t change their password every 30 days or use complex passwords just because you tell them to, administrators can force users to comply with the password policies through group policies. There are six policies that can be configured. To see these policies, open the Local Security Policy MMC. You can do this from a Run dialog box by typing secpol.msc. Expand Account Policies and click Password Policy. No policies are configured by default, but you can set them by double-clicking the policy to change. See Figure 4-26.

Figure 4-26. Create password policies.

If you’re unsure what a particular policy does if enabled, click the Explain tab, also shown in Figure 4-26. There you can read a fairly lengthy description of the policy that includes the default settings, available parameters, and best practices, among other things. Briefly, these six policies are defined as follows:

• Enforce Password History. Configure this when you want to require users to create unique passwords that have not been used before. For example, if you configure the setting to 5, users must create five different and new passwords before they can reuse the one they prefer over all others.

• Maximum Password Age. Configure this when you want users to change their password after a specific number of days.

• Minimum Password Age. Configure this when you want users to have to keep their new password for a specific amount of time before they can change it. This is important because if you don’t set it, but you do set Enforce Password History, users can just cycle through the required passwords one after another until they can reuse the one they like best.

• Minimum Password Length. Use this setting to require the password to be a specific length or longer. There’s a fine line between security and client happiness and compliance. Although you might think a 14-character password is the most secure option, note that if you require something that long, users will likely just print the password and leave it on their desks for easy access.

• Password Must Meet Complexity Requirements. Use this setting to require users to create passwords that meet complexity standards. When this is enabled, passwords must not contain the user’s account name or parts of the user’s full name, must be at least six characters long, and must contain characters from three of these four categories: uppercase letters, lowercase letters, numbers, and special characters (!, $, #).

• Store Passwords Using Reversible Encryption. Configure this to have the operating system store the password with reversible encryption. Although it sounds like a good idea, it isn’t. When this is enabled, the operating system stores passwords essentially as plaintext versions. You have to select this if you’re using Challenge-Handshake Authentication Protocal (CHAP) through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Account Lockout policies

If a hacker has enough time and enough information, he might be able to crack a user’s password and gain access to the computer. This can be done manually but is often done with programs designed for this purpose. You can configure Account Lockout policies to prevent this. Like Password policies, you configure Local Security Policy for stand-alone and workgroup computers, and you use Group Policy Management Console for Active Directory domain networks. Figure 4-27 shows the Local Security Policy MMC.

Figure 4-27. Configure Account Lockout policies in the Local Security Policy MMC.

There are three Account Lockout policies to consider, and in most instances they must be configured together:

• Account Lockout Duration. If you’ve configured an account lockout threshold, and if that threshold is met, this setting defines how long (in minutes) the user will be locked out of her computer. A setting of 5 to 15 minutes is usually fine.

• Account Lockout Threshold. You must configure this to use the other options. This setting defines how many times users can try to log on to their computer and fail before they are locked out.

• Reset Account Counter After. This setting defines the number of minutes that must pass after a failed logon attempt before the failed logon attempt counter is reset to zero. If an account lockout threshold is defined, this must be less than or equal to the number of minutes set there.

User names and passwords are inherently weak ways to protect a computer from unauthorized access. The user is generally the problem, because users can willingly give their password to a person, be tricked into it, or leave their password out on their desks or in a desk drawer. Smart cards can provide better security, especially if used with user names and passwords (or PINs) as part of a multifactor authentication policy (although it’s equally likely a user might give a coworker the card and the PIN willingly so that the coworker can access his workstation). Another option is also available: biometrics. This can be a fingerprint, eye scan, and so on.

Use biometrics

Windows 8.1 includes a component called Windows Biometric Framework. This makes it possible to use a physical characteristic like a fingerprint to identify a user without having to go to the great lengths required to do so in Windows 7 (and earlier versions). It’s important to use this with a secondary authentication method, though, because scanners can fail and it is theoretically possible for the biometric identification method to be compromised. For example, I was able to unlock my smartphone that I configured to use facial recognition using my cat’s face instead of mine. That is an issue with the manufacturer and could be an issue for you, too.

You need to make sure the Biometrics Service is running in the Services console to use the service. You also need to install the biometric hardware, generally a scanner of some sort. Device Manager supports these types of devices, as does Windows Update; there are settings available in Group Policy to manage them (see Figure 4-28) and there is a Biometric Devices item in Control Panel that allows users to control the availability of biometric devices and state whether they can be used to log on to a local computer or domain. You can use a biometric device to grant User Account Control elevation, too.

Figure 4-28. Configure Group Policy for biometrics.

You can find Group Policy settings related to biometrics in the Group Policy Editor under Computer Configuration, Administrative Templates, Windows Components, Biometrics. There you can select from the following options:

• Allow The Use Of Biometrics

• Allow Users To Log On Using Biometrics

• Allow Domain Users To Log On Using Biometrics

• Specify Timeout For Fast User Switching Events

More Info: Learn more about biometrics

For more information about biometrics, refer to this article on TechNet: http://technet.microsoft.com/en-us/library/dn308564.aspx.

User rights allow users to perform computer-related tasks, such as changing the system time or the time zone, shutting down a computer, and taking ownership of files, among other things. User rights are preconfigured for the groups available in Windows 8.1, including Users, Administrators, Guests, HomeUsers, Hyper-V Administrators, and so on. (You can view all groups in the Computer Management console under System Tools, Local Users And Groups, Groups.)

You can configure user rights and privileges through the Security Policy console. You can also get a feel for how user rights are assigned already by viewing the entries in the Security Settings pane for a particular policy. Figure 4-29 shows the Local Security Policy console with Change The System Time selected. Note that only the LOCAL SERVICE and Administrators groups can perform this task by default.

Figure 4-29. View defaults from Security SettingsLocal PoliciesUser Rights Assessment.

You can add (or remove) users or groups to any entry in the User Rights Assignment pane. To do so, double-click the entry to change (we’ll chose Deny Access To This Computer From The Network), click Add User Or Group, and then use the Select Users Or Groups dialog box to complete the addition. See Figure 4-30. However, before you do this, remember that administrators generally add users to groups first and then go from there. In the case of user rights, administrators traditionally either add the user who should have the rights to the group that already has those rights assigned or assign user rights to groups they create and then add users to those groups when necessary.

Figure 4-30. Configure User Rights Assignment in Local Security Policy.

Credentials and certificates help secure the computer in different ways. Credentials are user names and passwords; certificates verify the security of a particular thing, like encrypted files or Internet downloads.

Credentials

Credentials are user names and passwords. Windows 8.1 comes with Credential Manager to help manage and maintain them. Credential Manager saves the credentials users enter when they use their own computer to access network servers and resources on local networks (Windows Credentials) and can be used to back up and restore them. The user has to select the Remember My Credentials check box when prompted, though, or else the credential won’t be saved. Credential Manager also offers Credential Locker, which saves user names and passwords associated with websites and Windows apps (Web Credentials). It saves all of these in an area called the Windows Vault.

More Info: How credentials are saved

Credentials are saved in encrypted folders on the computer under the user’s profile. Applications that support this feature, such as web browsers and Windows 8 apps, can automatically offer up the correct credentials to other computers and websites during the sign-in process.

If the user name or password has been changed since the last time it was saved and access is unsuccessful, the user is prompted to type the new credentials. When access to the resource or website is successful, Credential Manager and Credential Locker overwrite what was there.

The saved user names and passwords follow the users when they move from one computer to another in a workgroup or homegroup, provided the user logs on with his or her Microsoft account. This feature isn’t enabled on domains, though, for security reasons. You can open Credential Manager from Control Panel. Figure 4-31 shows Credential Manager.

Figure 4-31. Open Credential Manager and Windows Credentials.

Here are a few more things to know about Credential Manager:

• Windows Store apps can be programmed to use Credential Locker.

• Credential roaming requires the Microsoft account for synchronization.

• Credential roaming is enabled by default on non-domain-joined computers, and it is disabled on domain-joined computers.

• Credential Locker supports seamless sign in by using Windows Store apps that use Web Authentication Broker and remember passwords for services like Twitter and LinkedIn.

Exam Tip

To store a credential at a command line, use the command-line tool cmdkey /add.

Note in Figure 4-31 that options exist to back up and restore credentials, but these options are only available when Windows Credentials is selected. When you click Back Up Credentials you are prompted first to browse to a location to which to save the credentials, name the file (it has a .crd extension), and then press Ctrl+Alt+Del to continue the backup process on the Secure Desktop. There you create a password for the file so that only you can access it.

Exam Tip

It’s important to understand that you can’t back up credentials you’ve saved in your web browser from inside Credential Manager. Those credentials are saved as part of your Microsoft account and are synchronized with it. (Those credentials do roam, provided you’ve logged on with the Microsoft account you used to create them.)

Certificates

Websites use certificates to verify that the site meets specific requirements for security. Executable files you download from the Internet often have certificates, too, to show they have not been tampered with since their creation. These generally come from verified certificate authorities if they are offerings from valid online entities that you can trust. Windows 8 creates its own certificates, including the self-signed certificates used with EFS, discussed earlier in this chapter. Although the use of certificates is invisible to the end user, you might want to manage them, specifically by backing them up. You might want to migrate them, for instance, or just provide one more tool for backup and recovery.

The only place to perform this particular backup task is from the Certificate Manager MMC. You can open it from a Run dialog box or the Start screen by typing certmgr.msc. You can see this in Figure 4-32. There are a lot of entries, and each represents a specific kind of certificate. Personal Certificates and Trusted Publishers are two of them. Figure 4-32 shows Trusted Root Certification Authorities expanded and Certificates selected. Look closely and you might recognize some of the names: VeriSign, Go Daddy, Microsoft, and Equifax.

Figure 4-32. The Certificate Manager MMC offers a listing of all the certificates available on the computer.

To back up a single certificate, right-click the certificate to back up, click All Tasks, and then click Export. Work through the wizard to select the format to use. This is the only way to back up a certificate and have the options shown in Figure 4-33 available. If you select more than one certificate, you’ll have to choose Personal Information Exchange or Microsoft Serialized Certificate Store.

Figure 4-33. Select certificates to back up one at a time to have access to the three options shown here.

More Info: Supported file formats

Certificate import and export operations support four file formats:

• Personal Information Exchange (PKCS #12)

  The Personal Information Exchange format (PFX, also called PKCS #12) supports secure storage of certificates, private keys, and all certificates in a certification path. The PKCS #12 format is the only file format that can be used to export a certificate and its private key.

• Cryptographic Message Syntax Standard (PKCS #7)

  The PKCS #7 format supports storage of certificates and all certificates in the certification path.

• DER Encoded Binary X.509

  The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.

• Base-64 Encoded X.509

  The Base-64 format supports storage of a single certificate. This format does not support storage of the private key or certification path.

You are likely familiar with the User Account Control (UAC) prompt that appears when elevated privileges are required to perform a task. When logged on as a Standard user, the user must input both an Administrator user name and password in the UAC dialog box and click Yes before continuing. When logged on as an Administrator, the user must click Yes or No to continue. When these prompts appear, they appear on a Secure Desktop. Nothing can happen until the proper credentials or answer is input or that task attempt is canceled. Secure Desktop keeps anything from happening behind the scenes while the user decides what to do.

You might also know how to change the level of UAC in Control Panel using the slider available for that purpose. You can access this from the Action Center by clicking Change User Account Control Settings.

There’s a lot more to UAC than that, though. One option is to use Local Security Policy to specifically define how UAC is configured. There are too many options to list here, but you can review them in the Local Security Policy window from Local Policies, Security Options. Double-click any User Account Control policy option and click the Explain tab to learn about it. Figure 4-34 shows this, with User Account Control: Behavior Of The Elevation Prompt For Standard Users selected.

Figure 4-34. Change options for the various UAC policies to suit your environment’s needs.

Here are a few more things to know about the UAC prompt in Windows 8.1. The elevation prompt color-coding is as follows:

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.