Inside Windows 7 User Account Control
Standard user accounts provide better security and a lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall settings, is protected from tampering. This gives users a protected space for their own account that also shields the rest of the system.
Windows Vista introduced User Account Control (UAC). UAC is a collection of technologies that includes file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts, and Windows Integrity levels, all of which support these goals.
The most basic element and direct benefit of UAC's technology is simply making Windows more standard-user friendly. The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC's technologies looks and smells like a security feature: the consent prompt.
The user account, which uniquely identifies each person who uses the computer, is an essential component in security and in providing a personalized user experience in Windows. Windows 7 allows you to restrict access to your computer so that only people you authorize can use the computer or view its files.
User accounts in Windows 7 provide the means by which you can:
- Require each user to identify himself or herself when logging on
- Control access to files and other resources that you own
- Audit system events, such as logons and the use of files and other resources
Introducing Access Control in Windows
The Windows approach to security is discretionary: each securable system resource—each file or printer, for example—has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file’s owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn’t create.)
To exercise full discretionary control over individual files, you must store those files on an NTFS volume. For the sake of compatibility, Windows 7 supports the FAT and FAT32 file systems used by early Windows versions and many USB flash drives, and the exFAT file system used on some removable drives. However, none of the FAT-based file systems supports file permissions. To enjoy the full benefits of Windows security, you must use NTFS.
Note
With Vista SP1, Microsoft introduced a new file system. Extended File Allocation Table (exFAT) is the successor to the old FAT32 file system. What are the advantages and disadvantages of this new file system? What are the differences between exFAT and FAT32? When is exFAT preferred over NTFS?
FAT32 is the file system with which most Windows users are most familiar. Windows first supported FAT32 with Windows 95 OSR2 and has increased support for it through XP.
FAT32 has multiple issues that modern systems can experience:
- By default, Windows can only format a FAT32 drive up to 32 GB. Additional software works around this limit, but when formatted at these larger sizes FAT32 becomes increasingly inefficient.
- The maximum file size on a FAT32 formatted drive is around 4 GB. With DVD and high-resolution DVD formats now available, this limit is commonly noticed.
- Dealing with fragmentation and free disk space calculations can become painfully resource intensive on large FAT32 volumes.
- A FAT32 directory can have 65,536 directory entries. Each file or subdirectory can take up multiple entries; therefore, FAT32 directories are limited in how many files they can hold.
exFAT has several advantages over FAT32:
- The file size limit is now 16 exabytes.
- Format size limits and files-per-directory limits are practically eliminated.
- Like HPFS, exFAT uses free space bitmaps to reduce fragmentation and free space allocation/detection issues.
- Like NTFS, exFAT should be able to attach a permission system through an access control list (ACL). It is unclear if or when Vista will include this feature, however.
Windows security identifier
To determine which users have access to a resource, Windows assigns a security identifier (SID) to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you log on, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. Any program you start gets a copy of your security access token.
User Account Control
With User Account Control (UAC) turned on, administrators who log on get two security access tokens—one that has the privileges of a standard user, and one that has the full privileges of an administrator.
What Are ACLs?
Each folder and each file on an NTFS-formatted volume has an access control list (ACL). An ACL comprises an access control entry (ACE) for each user who is allowed access to the folder or file. With NTFS permissions, you can control access to any file or folder, allowing different types of access for different users or groups of users.
To view and edit NTFS permissions for a file or folder, right-click its icon and choose Properties. The Security tab lists all the groups and users with permissions set for the selected object, as shown below. Different permissions can be set for each user, as you can see by selecting each one.
The access granted by each permission type is as follows:
- Full Control: Users with Full Control can list the contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.
- Modify: Allows the user to read, change, create, and delete files, but not to change permissions or take ownership of files.
- Read & Execute: Allows the user to view files and execute programs.
- List Folder Contents (folders only): Provides the same permissions as Read & Execute, but can be applied only to folders.
- Read: Allows the user to list the contents of a folder, read file attributes, read permissions, and synchronize files.
- Write: Allows the user to create files, write data, read attributes and permissions, and synchronize files.
- Special Permissions: The assigned permissions don’t match any of the preceding permission descriptions. To see precisely which permissions are granted, click Advanced.
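The permission names above are the Security tab's labels for combinations of individual NTFS rights. The following PowerShell is an added example, not code from the book: Get-RiskyAce reads a folder's ACL and flags Allow ACEs that give broad built-in principals (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE; an assumed list you can extend) any right that lets them change contents, permissions or ownership, and Grant-FolderAccess adds one explicit inheritable ACE the way the Security tab's Edit button would. It assumes PowerShell 2.0 or later and a folder on an NTFS volume; the scratch folder name under %TEMP% is made up for the demonstration.

```powershell
# Added example, not code from the book. Assumes PowerShell 2.0 or later and an NTFS path.

# Principals wide enough that write access granted to them deserves a second look (assumed list).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

# The individual rights folded into Modify and Full Control that let a principal change
# content, permissions or ownership; Read, Read & Execute and List Folder Contents have none.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# ACEs meant only to be inherited by children may carry generic bits instead of specific rights.
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000

function Get-RiskyAce {
    param([Parameter(Mandatory=$true)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }

        $bits = [int]$ace.FileSystemRights
        $grantsWrite = (($bits -band [int]$WriteRights) -ne 0) -or
                       (($bits -band $GenericAll) -ne 0) -or
                       (($bits -band $GenericWrite) -ne 0)
        if (-not $grantsWrite) { continue }

        New-Object PSObject -Property @{
            Path      = $Path
            Owner     = $acl.Owner
            Identity  = $who
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited      # $true means the ACE came from a parent folder
        }
    }
}

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,   # e.g. 'BUILTIN\Users' or 'MYPC\Accounting'
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl  = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit is "This folder, subfolders and files" in the Advanced dialog.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Demonstration on a scratch folder you own (constructed name), so no elevation is needed.
$demo = Join-Path $env:TEMP 'ntfs-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Grant-FolderAccess -Path $demo -Identity 'BUILTIN\Users' -Rights Modify   # deliberately broad grant
Get-RiskyAce -Path $demo | Format-Table Identity, Rights, Inherited -AutoSize
```

The audit reports the BUILTIN\Users Modify entry just granted; granting the same rights to a purpose-built group instead (as with the Accounting group described later in this chapter) keeps the folder out of the report. Inherited entries are flagged too, since a permissive ACE on a parent folder is the usual reason a child turns out to be writable by everyone.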
With UAC turned on, applications are normally launched using an administrator’s standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you’re logged on as an administrator) or the credentials of an administrator (if you’re logged on as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as previous versions: administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don’t have the privileges needed to run many older programs.
Permissions and Rights
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner—for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.
User Accounts and Security Groups
The backbone of Windows security is the ability to uniquely identify each user. While setting up a computer—or at any later time—an administrator creates a user account for each user. The user account is identified by a user name and is (optionally) secured by a password, which the user provides when logging on to the system.
Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.
Account type is a simplified way of describing membership in a security group, a collection of user accounts. Windows classifies each user account as one of three account types: Administrator, Standard user, or Guest.
Security groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder.
If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all of the privileges accorded to all groups of which the user account is a member.
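The cumulative rule can be checked directly against a folder's ACL. The PowerShell below is an added example, not code from the book: Get-CurrentPrincipals collects the logged-on account name and every group in its token (using whoami's CSV output), and Get-EffectiveRights ORs together every Allow ACE that names the account or one of its groups, then removes whatever a matching Deny ACE takes away. It assumes PowerShell 2.0 or later and an NTFS path, and it deliberately simplifies the real access check: every matching Deny is treated as winning regardless of ACE order, and ownership and privileges such as SeBackupPrivilege are ignored.

```powershell
# Added example, not code from the book. Assumes PowerShell 2.0 or later and an NTFS path.

function Get-CurrentPrincipals {
    # The account name plus every group in the current token. Groups flagged "used for deny only"
    # (under UAC, an administrator's filtered token lists Administrators that way) are returned
    # separately because they can only ever match Deny ACEs.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = whoami /groups /fo csv | ConvertFrom-Csv   # columns: "Group Name","Type","SID","Attributes"
    $allow    = @($me.Name)
    $denyOnly = @()
    foreach ($g in $groups) {
        if ($g.Attributes -like '*deny only*') { $denyOnly += $g.'Group Name' }
        else                                   { $allow    += $g.'Group Name' }
    }
    New-Object PSObject -Property @{ Principals = $allow; DenyOnlyPrincipals = $denyOnly }
}

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$Principals,   # the account plus the groups it belongs to
        [string[]]$DenyOnlyPrincipals = @()
    )
    $acl   = Get-Acl -Path $Path
    $allow = 0
    $deny  = 0
    foreach ($ace in $acl.Access) {
        $who  = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            if (($Principals -contains $who) -or ($DenyOnlyPrincipals -contains $who)) {
                $deny = $deny -bor $bits
            }
        } elseif ($Principals -contains $who) {
            # Permissions are cumulative: each Allow ACE for the user or any of its groups adds to the total.
            $allow = $allow -bor $bits
        }
    }
    New-Object PSObject -Property @{
        Path      = $Path
        Allowed   = [System.Security.AccessControl.FileSystemRights]$allow
        Denied    = [System.Security.AccessControl.FileSystemRights]$deny
        Effective = [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
    }
}

# Your own profile folder is a convenient target: you should come out with Full Control there.
$who = Get-CurrentPrincipals
Get-EffectiveRights -Path $env:USERPROFILE -Principals $who.Principals -DenyOnlyPrincipals $who.DenyOnlyPrincipals |
    Format-List Path, Allowed, Denied, Effective
```

Run it against a folder where you are only a member of a group that was granted Modify (the Payables folder in the text) and the Effective value shows the Modify bits even though no ACE names your account directly, which is the cumulative rule in action. Windows itself resolves ACEs in order (explicit before inherited, Deny before Allow within each), so for a folder with conflicting explicit and inherited entries the Effective Permissions tab of the Advanced dialog remains the authoritative answer.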
Local Accounts and Groups vs. Domain Accounts and Groups
Windows stores information about user accounts and security groups in a security database. Where the security database resides depends on whether your computer is part of a workgroup or a domain.
A workgroup setup (or a standalone computer) uses only local user accounts and local groups—the type described in this chapter. The security database on each computer stores the local user accounts and local groups that are specific to that computer.
Local user accounts allow users to log on only to the computer where you create the local account. Likewise, a local account allows users to access resources only on that same computer.
The alternative is to set up the network as a domain. A Windows domain is a network that has at least one machine running Windows Server as a domain controller. A domain controller is a computer that maintains the security database, including user accounts and groups, for the domain.
With a domain user account, you can log on to any computer in the domain (subject to your privileges set at the domain level and on individual computers), and you can gain access to permitted resources anywhere on the network.
In general, if your computer is part of a Windows domain, you shouldn’t need to concern yourself with local user accounts. Instead, all user accounts should be managed at the domain controller. But you might want to add certain domain user accounts or groups to your local groups.
By default, the Domain Admins group is a member of the local Administrators group, and Domain Users is a member of the local Users group; members of those domain groups thereby assume the rights and permissions afforded to the local groups to which they belong.
Learning About Your Own Account with Whoami
You can use Whoami to find out the name of the account that’s currently logged on, its SID, the names of the security groups of which it’s a member, and its privileges. To use Whoami, open a Command Prompt window. (You don’t need elevated privileges.)
If you’re curious about your SID, type whoami /user. For a list of all Whoami options, type whoami /?.
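The security access token and the two-token arrangement UAC gives administrators, both described earlier, can be inspected from a PowerShell prompt with nothing more than the Whoami output and the .NET WindowsIdentity class. The following is an added example, not code from the book, and assumes Windows 7 or later with PowerShell 2.0 or later; the Get-TokenSummary function name is made up here. Running it once from an ordinary PowerShell window and once from one started with Run as administrator shows the difference between a Protected Administrator's standard-user token and its full administrator token.

```powershell
# Added example, not code from the book. Assumes PowerShell 2.0 or later; no elevation needed.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # whoami can emit CSV, which is far easier to parse than its default tables.
    # Columns: "Group Name","Type","SID","Attributes" and "Privilege Name","Description","State".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level travels in the token as a "Mandatory Label" group whose SID begins
    # with S-1-16-. Medium (8192) is what a standard user and an administrator's filtered token
    # run at; High (12288) is an elevated administrator.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = switch ($label.SID) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { 'Unknown' }
    }

    # S-1-5-32-544 is the well-known SID of the local Administrators group. Under UAC an
    # administrator's filtered token still lists it, but flagged "used for deny only": it can
    # match Deny ACEs but never grants access. That flag is the visible difference between
    # the standard-user token and the full administrator token.
    $adminEntry    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $adminDenyOnly = ($adminEntry -ne $null) -and ($adminEntry.Attributes -like '*deny only*')

    New-Object PSObject -Property @{
        UserName           = $identity.Name
        UserSid            = $identity.User.Value
        IntegrityLevel     = $integrity
        InAdministrators   = ($adminEntry -ne $null)
        AdminSidDenyOnly   = $adminDenyOnly
        # IsInRole(Administrator) is true only when the process runs with the elevated token.
        IsElevated         = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        EnabledPrivileges  = @($privs | Where-Object { $_.State -eq 'Enabled' }  | ForEach-Object { $_.'Privilege Name' })
        DisabledPrivileges = @($privs | Where-Object { $_.State -eq 'Disabled' } | ForEach-Object { $_.'Privilege Name' })
        GroupNames         = @($groups | ForEach-Object { $_.'Group Name' })
    }
}

Get-TokenSummary | Format-List UserName, UserSid, IntegrityLevel, InAdministrators, AdminSidDenyOnly, IsElevated, EnabledPrivileges
```

From an unelevated window an administrator sees InAdministrators $true, AdminSidDenyOnly $true, IsElevated $false and IntegrityLevel Medium; after consenting to the UAC prompt the same account shows AdminSidDenyOnly $false, IsElevated $true and IntegrityLevel High, with a noticeably longer privilege list. A true standard user never sees the Administrators SID at all, which is exactly why the consent prompt has to ask that user for an administrator's credentials.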
Working with User Accounts
When you install Windows 7 on a new computer, you create one user account, which is an administrator account. If you upgrade to Windows 7 from Windows Vista and you had local accounts set up in your previous operating system, Windows migrates those accounts to your Windows 7 installation.
Accounts that you migrate from Windows Vista maintain their group memberships and passwords.
Through User Accounts in Control Panel, Windows provides a simple method for creating new accounts, making routine changes to existing accounts, and deleting accounts.
Access User Accounts quickly
You can jump straight into User Accounts without going through Control Panel. Simply open the Start menu and click the account picture in the upper right corner of the Start menu.
Creating a New User Account
Figure 16-2 Manage Accounts shows all local user accounts that are members of the Administrators, Users, or Guests groups.
Figure 16-3 Creating an account couldn’t be much easier; just specify a name and account type.
Changing Account Settings
To change your own account, start at the main User Accounts page, shown in Figure 16-1. To change another user’s account (you must have administrative privileges to do so), click Manage Another Account to display the page shown in Figure 16-2, and then click the name of the account you want to change. You’ll see links to options similar to those you can make to your own account.
Using the Guest Account for Visitors
The Guest account is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. By default, the Guest account is disabled; no one can use an account that’s disabled.
To enable the Guest account, open User Accounts, click Manage Another Account, and click the Guest account icon. In the window that appears, click Turn On. The Guest account thereafter shows up on the Welcome screen, and anyone can use it. Users of the Guest account have access to items in the Public folder as well as those in the Guest profile.
Deleting an Account
You can delete any account except one that is currently logged on. To delete an account, open User Accounts, click Manage Another Account, and click the name of the account you want to delete. Then click Delete The Account.