CompTIA A+ Exam 220-902 sub-objective 3.3 –Compare and contrast differences of basic Windows OS security settings

Back to the main 902 ExamNotes page

Detailed (and official) description of CompTIA A+ sub-objective 3.3

3.3 Compare and contrast differences of basic Windows OS security settings.

User and groups
Administrator
Power user
Guest
Standard user

NTFS vs. Share permissions
Allow vs. deny
Moving vs. copying folders and files
File attributes

Shared files and folders
Administrative shares vs. local shares
Permission propagation
Inheritance

System files and folders

User authentication
Single sign-on

Run as administrator vs. standard user

Bitlocker

Bitlocker-To-Go

EFS

Welcome to Exam Notes by CertBlaster! Here we will examine the security settings of a basic Windows OS.

We will point out the differences between settings that are context sensitive, or plainly mean one thing here and another thing there. Yes it’s true, but remember please that we didn’t author the operating system, only this page.

Users and groups

To manage permissions Microsoft uses User accounts that can be assigned rights or privileges. These accounts can be assigned to Groups that contain multiple users and are assigned a specific set of privileges. The group privileges are common to all members of a group. A user can belong to more than one group. Privileges explicitly assigned to an individual user take precedence over any conflicting group settings. Here is a look at the built-in groups in Computer Management:

screenshot of Local Users and Groups, Groups tab
Local Users and Groups – Groups tab

Administrator

The most powerful group is the Administrators the most powerful user account is Administrator. Users assigned to the Administrators group have complete and unrestricted access to the computer and domain if applicable. Standard users can be temporarily elevated by temporarily using the alternate credentials as you will see later in this post. Best practices indicate that the actual Administrator account be disabled, this will affect only that account not the group.

Power User

In the hierarchy the Power User has limited administrative powers, but more than a standard user. This group is included in current Windows operating systems to provide compatibility with legacy Windows versions, XP and earlier.

Guest

The Guest account is limited in its capability. It can only create or modify object in the guest account folder structure. It cannot make any changes to any files or folders elsewhere on the PC. It is disabled by default. Enabling the account can be accomplished by clicking its icon on the login screen or by accessing Local Users and Groups in the Computer Management window in the Control Panel under Administrative Tools. Even though it is a restricted account it is wise to use a password. Here we see the Guest account showing the default settings.

screenshot of Guest account Disabled
Guest account disabled

Standard user

The best balance of privilege and security are achieved with the standard user account. Identified in the system as simply “Users”. This account type allows users to run application, perform common actions and access most areas of their system without the need for administrative intervention. Some activities like adding hardware or a software program that requires access to system components will trigger a UAC prompt, and in some cases the UAC will require the administrator password. Also when users are created you will be asked if a child will be using this account. If there will be a child accessing through this account you would use parental controls in Windows 7 and Family Safety in later OS versions to rate content, monitor or restrict the account.

New users are created as Standard Users by default.

Screenshot of Set Standard User
Set Standard User

NTFS vs. Share permissions

NTFS and Share level permissions both provide a customizable level of security. Share level permissions are set on the share by the owner. NTFS permissions are set as a security property. They differ in some key aspects. Share permissions manage access at the folder level. By contrast NTFS allows every file to have individual and varying accessibility if desired. Share permissions are used for compatibility with Fat32 file systems and support three permissions, Read, Change and Full Control. NTFS can manage these attributes as well as others like Write, Modify, Read & Execute Special and others. There are instances where share permissions and NTFS permissions are essentially the same, like Change for a share and Modify in NTFS. Since both permission types are independent and their values are combined to determine permission and the more restrictive combination is applied. This is in contrast to an NTFS to NTFS cumulative result which s less restrictive.

Allow vs. deny

Allow vs deny can be interpreted as allow vs. not allow. The deny permission is the strongest and will be set regardless of the weaker permissions applied. You can allow a group to access a folder and in NTFS you can deny a specific user or users in that group. In this case even though the group is allowed access, that particular user’s deny value overrides all others.

Moving vs. copying folders and files

Getting content from one location to the other can be accomplished a few ways. From a command prompt or simply by dragging and dropping. The method you use id determined by your desired result. Do you want the content to exist in both the source location and the destination? Or do you want the content removed from the source and exist only at the destination. As you would expect copying the content results in it being present in both locations and moving the content results in it being only at the destination. The command prompt allows you to copy using the Copy command for files only, the Xcopy command for files and folder structure, and Robocopy, the newer faster replacement for Xcopy, to copy files and folders. Both Xcopy and Robocopy retain the content’s permissions when using the correct syntax. For those who wish to use the GUI it is as simple as drag and drop and choosing Move or Copy when the option menu pops up. Right click the destination and choose Paste.

two screenmshots of Copy Operation in GUI
Copy Operation in GUI

Cut and Paste can also be used similarly. Right click on your source object (file or folder) choose cut or copy at the source and paste at the destination. Keep in mind that with an NTFS source the destination file structure must support NTFS or the source permissions will be lost. When copying/moving NTFS to NTFS on a different volume, the file or folder will receive the cumulative permission set, meaning the sets of permissions will be compared and when a conflict exists the least restrictive values will be assumed.

File attributes

Windows and operating systems in general classify the contents in their file structure using one or more of these alpha designations indicating the object’s attributes.

Here is a list of them and a brief description:

A = Archive This attribute is used by backup programs and other utilities to indicate that the file is ready for backup (archiving) After a file has been backed up the Archive bit(value) is set to zero or off. If a program makes a change to a file it will reset the bit to one to indicate the need to include it in the next backup. This setting makes incremental backups possible by only archiving objects that have changed.

D = Directory This setting indicates that the object is a directory, not a file.

H = Hidden This setting indicates that the object is hidden from normal view. System files and folders are routinely hidden. In the GUI there is a View setting that will allow them to show. When displayed they will be gray to differentiate it visually. You may be unable to access this content without the administrator’s help.

I = Not Content Indexed This setting indicates that the object is not indexed. Indexing, which is off by default, allows the operating to perform faster searches. Objects that have this bit set off will be included in searches.

R = Read-Only This setting indicates that the object cannot be altered without resetting this value to off. Read-only interestingly protects a file from being altered but it does not protect it against deletion.

S = System This setting indicates that the object is a system file or folder and the read-only setting prevents tampering. Do not delete or modify these files.

Shared files and folders

Administrative shares vs. local shares

There are two types of shared folder objects Administrative shares and local shares. Local shares are created by users and are accessible by those with the appropriate permission. Administrative shares are generally used by administrators to access system drives and areas not generally shared. You will see the four administrative share names are appended by a $ while the local share has a common name.

Administrative and User Shares

Permission propagation

Permission propagation takes place when a container object (folder) is shared by its owner. Upon sharing the owner can determine how much of the folders contents will receive the same set of permissions. This will effect how the files and folders within the container are treated by the OS. When applying permissions you will have the option to apply the permissions to the containers folders, subfolders and files those permissions are said to be propagated to the folders, subfolders and files.

Inheritance

Inheritance describes the way permissions are handled within a shared folder. Depending on the choices you make the Child folders, the subfolders of the original share folder, may or may not receive the permissions applied to the Parent folder.

System files and folders

You will always find system files and folders classified as Read-Only and usually Hidden. Doing this helps protect the system from damage, either deliberate or unintentional. The standard user never sees these files and folders thereby keeping everything safe. Here is a look at a hidden system folder and its properties Note that the folder in question is grayed out. That’s your first sign to stay out. In the properties you’ll see the read only setting which applies to the files in the folder. (Show Hidden System Folders)

Hidden System Folder

User authentication

Single sign-on

A Single Sign-On (SSO) identifies the practice of permitting a user and their programs to use their credentials to automatically log in to the sites and services they are permitted to use. This saves the user the trouble of entering their login information for each website or secure location they visit. A good example is a Microsoft account. If the same login is used, each device will share access to different online accounts like online storage or email.

Run as administrator vs. standard user

A standard user, a member of the users group has a useful but limited level of activity.  For example there may be programs that require direct disk access or other system level operations that are outside the scope of the regular user. Using the runas command with the user name and program name at the command prompt will elevate your privileges to administrator. This can also be accomplished by right clicking its icon or the Start menu shortcut to the program and choosing run as Administrator. Attempting to run a program that requires administrative privilege will result in a UAC and possibly require a password.

Bitlocker

BitLocker Drive Encryption is a data protection feature that is used to encrypt the data on an entire disk. The encryption uses the host machine’s motherboard to develop the encryption. The BitLocker will not decrypr the disk without the TPM chip which is hardwired to the motherboard. On systems without a TPM chip a portable USB key is produced during encryption and can be used to decrypt the contents of the drive.

Bitlocker-To-Go

Bitlocker-To-Go is the BitLocker for external and portable devices. Since it is portable the TPM chip is ignored in favor of a password. The password should be saved either to a local drive or by printing it. Bitlocker-To-Go was introduced in Windows 7. Earlier versions of Windows will be able to read from the portable device but not write to them.

EFS

To encrypt specific files and folders without using whole disk encryption NTFS offers the Encrypting File System. Choose the properties of the folder or file you wish to encrypt and check the box to “Encrypt contents to secure data.”

Screenshot of Advanced EFS Encryption
Advanced EFS Encryption

That’s all for Objective 3.3! Hope you enjoyed it and solidified your skills a bit. Good luck on the test!
Back to the main 902 ExamNotes page

4 thoughts on “CompTIA Aplus Exam 220-902 sub-objective 3.3 basic Windows OS security settings

  1. Hey,

    Just saying thanks for updating regularly. Studying for the A+ test and these resources are really helpful. Thanks!

    1. Hey thanks you so much for reaching out and letting us know this helps you! We really appreciate it. Just as an FYI, know that 3.4 will be up on Thursday. Best of luck on the A+ exam!

Leave a Reply

Your email address will not be published. Required fields are marked *

On Facebook

Share This
Real Time Web Analytics