Windows Vista Configuration MCTS : User Account Security

User Accounts and Groups Workstations can be configured as a member of a workgroup or domain. A domain is a logical group of computers that define a security boundary. A user account enables a user to log on to a computer or domain with an identity that can be authenticated and authorized for access to the resources of the computer or domain.

User Accounts Local user accounts Defined on a local computer and have access to the local computer only. Local Users and Groups is accessible through the Computer Management console. Domain user accounts Defined in the Active Directory. Can access resources throughout a domain/forest.

Default User Accounts Administrator Provides complete access to files, directories, services, and other facilities on the computer. This account cannot be deleted. Guest Designed for users who need one-time or occasional access. Has limited privileges. High risk of potential security problems.

Windows Vista Local Accounts Standard Account to use for everyday computing. Permission from an administrator is required if you want to make changes that affect other users or the security of the computer. Administrator Provides the most control over the computer. Can change security settings, install software and hardware, and access all files on the computer. Guest For people who need temporary access to the computer. Enables people to use your computer without having access to your personal files. Can’t install software or hardware, change settings, or create a password.

Domain Logon Names At symbol The full logon name for User1 in the Acme.com domain is Backslash symbol (\) The full logon name for User1 in the Acme domain is Acme\User1

Managing Local Logon Accounts

Giving Domain Accounts Local Access

User Accounts Console Change accounts Create and change passwords Remove local user accounts

Network Rights and Permissions When planning for how you assign the rights and permissions to the network resources, follow these two main rules: Give the rights and permissions for the user to do his job. Don’t give any additional rights and permissions that a user does not need.

User Account Control

User Account Privileges View system clock and calendar Change time zone Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks Change display settings Change power management settings Install fonts Add printers and other devices that have the required drivers installed on computer or are provided by an IT administrator Create and configure a virtual private network connection Download and install updates using UAC-compatible installer

Tasks that will trigger a UAC prompt, if UAC is enabled: Changes to files in %SystemRoot% or %ProgramFiles% Installing and uninstalling applications Installing device drivers Installing ActiveX controls Installing Windows Updates Changing settings for Windows Firewall Changing UAC settings Configuring Windows Update Adding/removing user accounts Changing a user’s account type Configuring parental controls Running Task Scheduler Restoring backed-up system files Viewing/changing another user’s folders and files

UAC Messages Windows needs your permission to continue A program needs your permission to continue An unidentified program wants access to your computer This program has been blocked

Program Compatibility Some legacy applications will not run on Windows Vista because of compatibility problems. Windows includes a Program Compatibility Wizard to configure Windows to run a program under an older Windows environment. A fully compatible application will keep the system secure by requesting privilege elevation as necessary. The Run This Program as an Administrator option allows the application to use the UAC system to request privilege escalation.

UAC Message Behavior Administrators Elevate without Prompting Prompt for Credentials Prompt for Consent Standard Users Automatically Deny Elevation Requests Prompt for Credentials