Managing User Accounts, Passwords, and Logons. CHAPTER 16.
Standard user accounts provide for better security and lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall, is protected. This provides users a secure area that can protect their account and the rest of the system.
Windows Vista introduced User Account Control (UAC). UAC is a collection of technologies that include file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts, and Windows Integrity levels that support these goals.
The most basic element and direct benefit of UAC's technology is simply making Windows more standard-user friendly.
The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC's technologies looks and smells like a security feature: the consent prompt.
The user account, which uniquely identifies each person who uses the computer, is an essential component in security and in providing a personalized user experience in Windows. Windows 7 allows you to restrict access to your computer so that only people you authorize can use the computer or view its files.
Require each user to identify himself or herself when logging on
Control access to files and other resources that you own
Audit system events, such as logons and the use of files and other resources
The Windows approach to security is discretionary: each securable system resource—each file or printer, for example—has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file’s owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn’t create.)
With Vista SP1 Microsoft has introduced a new file system. Extended File Allocation Table (exFAT) is the successor to the old FAT32 file system. What are the advantages and disadvantages to this new file system? What are the differences between exFAT and FAT32? When is exFAT preferred over NTFS?
FAT32 is the file system with which most Windows users are most familiar. Windows first supported FAT32 with Windows 95 OSR2 and has increased support for it through XP.
With User Account Control (UAC) turned on, administrators who log on get two security access tokens—one that has the privileges of a standard user, and one that has the full privileges of an administrator.
Each folder and each file on an NTFS-formatted volume has an ACL (access control list). An ACL comprises an access control entry (ACE) for each user who is allowed access to the folder or file. With NTFS permissions, you can control access to any file or folder, allowing different types of access for different users or groups of users.
To view and edit NTFS permissions for a file or folder, right-click its icon and choose Properties. The Security tab lists all the groups and users with permissions set for the selected object, as shown below. Different permissions can be set for each user, as you can see by selecting each one.
Full Control: Users with Full Control can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.
Modify: Allows the user to read, change, create, and delete files, but not to change permissions or take ownership of files.
Read & Execute: Allows the user to view files and execute programs.
List Folder Contents (folders only): Provides the same permissions as Read & Execute, but can be applied only to folders.
With UAC turned on, applications are normally launched using an administrator’s standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you’re logged on as an administrator) or the credentials of an administrator (if you’re logged on as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as previous versions: administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don’t have the privileges needed to run many older programs.
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner—for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.
Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.
Account type is a simplified way of describing membership in a security group, a collection of user accounts. Windows classifies each user account as one of three account types:
Administrator, Standard user, Guest
If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all of the privileges accorded to all groups of which the user account is a member.
Windows stores information about user accounts and security groups in a security database. Where the security database resides depends on whether your computer is part of a workgroup or a domain.
A workgroup setup (or a standalone computer) uses only local user accounts and local groups—the type described in this chapter. The security database on each computer stores the local user accounts and local groups that are specific to that computer.
Local user accounts allow users to log on only to the computer where you create the local account. Likewise, a local account allows users to access resources only on that same computer.
The alternative is to set up the network as a domain. A Windows domain is a network that has at least one machine running Windows Server as a domain controller. A domain controller is a computer that maintains the security database, including user accounts and groups, for the domain.
With a domain user account, you can log on to any computer in the domain (subject to your privileges set at the domain level and on individual computers), and you can gain access to permitted resources anywhere on the network.
In general, if your computer is part of a Windows domain, you shouldn’t need to concern yourself with local user accounts. Instead, all user accounts should be managed at the domain controller. But you might want to add certain domain user accounts or groups to your local groups.
By default, the Domain Admins group is a member of the local Administrators group, and Domain Users is a member of the local Users group; members of those domain groups thereby assume the rights and permissions afforded to the local groups to which they belong.
You can use Whoami to find out the name of the account that’s currently logged on, its SID, the names of the security groups of which it’s a member, and its privileges. To use Whoami, open a Command Prompt window. (You don’t need elevated privileges.)
If you’re curious about your SID, type whoami /user. For a list of the command’s other options, type whoami /?.
When you install Windows 7 on a new computer, you create one user account, which is an administrator account. If you upgrade to Windows 7 from Windows Vista and you had local accounts set up in your previous operating system, Windows migrates those accounts to your Windows 7 installation.
Accounts that you migrate from Windows Vista maintain their group memberships and passwords.
Through User Accounts in Control Panel, Windows provides a simple method for creating new accounts, making routine changes to existing accounts, and deleting accounts.
You can jump straight into User Accounts without going through Control Panel. Simply open the Start menu and click the account picture in the upper right corner of the Start menu.
Figure 16-2 Manage Accounts shows all local user accounts that are members of the Administrators, Users, or Guests groups.
To change your own account, start at the main User Accounts page, shown in Figure 16-1. To change another user’s account (you must have administrative privileges to do so), click Manage Another Account to display the page shown in Figure 16-2, and then click the name of the account you want to change. You’ll see links to options similar to those you can make to your own account.
Account name, Password, Picture
The Guest account is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. By default, the Guest account is disabled; no one can use an account that’s disabled.
To enable the Guest account, open User Accounts, click Manage Another Account, and click the Guest account icon. In the window that appears, click Turn On. The Guest account thereafter shows up on the Welcome screen, and anyone can use it. Users of the Guest account have access to items in the Public folder as well as those in the Guest profile.
You can delete any account except one that is currently logged on. To delete an account, open User Accounts, click Manage Another Account, and click the name of the account you want to delete. Then click Delete The Account.
User Accounts won’t let you delete the last local account on the computer, even if you’re logged on using the account named Administrator. This limitation helps to enforce the sound security practice of using an account other than Administrator for your everyday computing.
After you delete an account, of course, that user can no longer log on. Deleting an account also has other effects you should be aware of. You cannot restore access to resources that currently list the user in their access control lists simply by re-creating the account. This includes files to which the user has permission and the user’s encrypted files, personal certificates, and stored passwords for websites and network resources.
That’s because those permissions are linked to the user’s original SID—not the user name. Even if you create a new account with the same name, password, and so on, it will have a new SID, which will not gain access to anything that was restricted to the original user account.
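The effect described above is visible on disk: an access control entry whose SID no longer translates to an account name points at an account that has been deleted. The following is an added example, not part of the chapter, that lists such entries under a folder; the function name Find-OrphanedAce and the sample folder are assumptions.

```powershell
# Added example: list explicit ACEs whose SID no longer maps to an account.
function Find-OrphanedAce {
    param([Parameter(Mandatory = $true)][string]$Folder)

    $ntAccount = [System.Security.Principal.NTAccount]
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    # Examine the folder itself and everything beneath it.
    & {
        Get-Item -LiteralPath $Folder -Force
        Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $item = $_
        try   { $acl = $item.GetAccessControl('Access') }
        catch { return }   # ACL not readable with the current token; skip this item

        # Explicit entries only ($true, $false), returned as raw SIDs rather than names.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference

            # Only account SIDs (S-1-5-21-...) can be orphaned by deleting a user;
            # well-known SIDs such as SYSTEM or Everyone are skipped.
            if ($sid.Value -notlike 'S-1-5-21-*') { continue }

            try { [void]$sid.Translate($ntAccount) }
            catch {
                # Translation failed: no existing account owns this SID.
                # On a domain-joined computer that cannot reach a domain
                # controller, domain SIDs fail here too.
                New-Object PSObject -Property @{
                    Path   = $item.FullName
                    Sid    = $sid.Value
                    Access = $ace.AccessControlType
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Sample call; the folder is only an illustration.
Find-OrphanedAce -Folder 'C:\Users\Public' |
    Format-Table Path, Sid, Access, Rights -AutoSize
```

Entries reported here grant nothing to a re-created account with the same name, because that account has a different SID.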
Whether you’re setting up a computer for your family to use at home or to be used in a business, it’s prudent to set it up securely.
Control who can log on
Change all user accounts except one to standard accounts.
Be sure that all accounts are password protected
Restrict logon times.
Restrict access to certain files.
Turn on the Guest account only when necessary.
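One way to check a computer against this list, as an added example that is not part of the chapter: the script reads the local accounts through WMI and flags extra administrators, accounts that are allowed to have no password, and an enabled Guest account. The variable names are illustrative.

```powershell
# Added example: audit local accounts against the checklist above.
# Uses only WMI and ADSI, so it runs on the PowerShell 2.0 included with Windows 7.

# Find the built-in Administrators group by its well-known SID (S-1-5-32-544)
# so the lookup also works on non-English installations.
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# Names of the group's direct members. Matching is by name only, so on a
# domain-joined computer a domain account with the same name also matches.
$adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"
$adminMembers = @($adsiGroup.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$report = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    New-Object PSObject -Property @{
        Name             = $_.Name
        Enabled          = -not $_.Disabled
        # False means the account is allowed to have a blank password;
        # it does not prove that the current password is blank.
        PasswordRequired = $_.PasswordRequired
        IsAdministrator  = $adminMembers -contains $_.Name
        # The built-in Guest account always has a SID ending in -501.
        IsGuest          = $_.SID -like 'S-1-5-21-*-501'
    }
})

$report | Sort-Object Name |
    Format-Table Name, Enabled, IsAdministrator, PasswordRequired, IsGuest -AutoSize

$enabled = @($report | Where-Object { $_.Enabled })

# "Change all user accounts except one to standard accounts."
$admins = @($enabled | Where-Object { $_.IsAdministrator })
if ($admins.Count -gt 1) {
    $names = ($admins | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} enabled administrator accounts: {1}" -f $admins.Count, $names)
}

# "Be sure that all accounts are password protected."
foreach ($a in @($enabled | Where-Object { -not $_.PasswordRequired })) {
    Write-Warning ("Account '{0}' is allowed to have a blank password." -f $a.Name)
}

# "Turn on the Guest account only when necessary."
if (@($enabled | Where-Object { $_.IsGuest }).Count -gt 0) {
    Write-Warning 'The Guest account is turned on.'
}
```

Logon-hour and file-access restrictions from the same list are not covered by this script.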
Windows 7 includes no fewer than four different interfaces for managing users and groups:
Advanced User Accounts
Local Users And Groups
Associating a password with your user account is your first line of defense against those who would like to snoop around in your files. Because the Welcome screen shows every user account, if you don’t set passwords, anyone who has physical access to your computer can log on by simply clicking a name on the Welcome screen.
If the chosen name belongs to an administrator account, the person who clicks it has full, unfettered access to every file and setting on the computer. Requiring a password for each account (particularly administrator accounts) goes a long way toward securing your computer.
A password is of little value if it’s easily guessed by an intruder. Obviously, you shouldn’t use your name or something equally transparent. However, even a random word provides little security against a determined intruder—some hackers use tools that try every word in the dictionary.
●Use at least eight characters. Longer is better, which is why some security experts suggest using a pass phrase. A password or phrase can (and should) include spaces and punctuation; the maximum length is 127 characters.
●Use a mixture of uppercase letters, lowercase letters, numbers, and punctuation.
●Avoid including your name or user name in the password.
●Use random sequences instead of words, or intersperse numbers and punctuation within words—W!nd()wS 7 1ns!dE ()uT, for example.
The simplest way to set a password for yourself or for another user (if you have administrator privileges) is with User Accounts in Control Panel. Click the name of the user for whom you want to set a password and then click Create A Password.
Use Ctrl+Alt+Delete to access password options
Windows offers two tools that help you to deal with this dilemma:
Password hint: Your hint (if you’ve created one) appears below the password entry box after you make an incorrect entry and then click OK. You can create a hint when you set a password with User Accounts.
A password reset disk allows you (or anyone with your password reset disk) to change your password—without needing to know your old password. As standard practice, each user should create a password reset disk and keep it in a secure location. Then, if a user forgets the password, he or she can reset it using the password reset disk.
You can make a password reset disk only for your local user account. If your computer is joined to a domain, you can’t create a password reset disk as a back door to your domain logon password. However, in a domain environment, a domain administrator can safely reset your password and you’ll still have access to your encrypted files. Also, on a computer joined to a domain, password hints are never shown, even for local user accounts.
To create a password reset disk, you’ll need to know your current password and you’ll need to have removable media available. (You can use a floppy disk, USB flash drive, external hard drive, or memory card.) Follow these steps:
1. Log on using the account for which you want to create a password reset disk.
2. If you want to use a USB flash drive as a password reset disk, insert it in your computer’s USB slot.
3. In Control Panel, open User Accounts.
4. In the left pane, click Create A Password Reset Disk to launch the Forgotten Password wizard.
By default, on a computer joined to a domain, users must press Ctrl+Alt+Delete before the logon screen appears. This requirement can be removed from domain computers or added to others, as described in the following tip.
The Welcome screen for a workgroup or standalone computer shows an icon for each account on the computer, as shown in Figure 16-7. By contrast, after pressing Ctrl+Alt+Delete, a domain user sees only one user account, along with a Switch User button that enables you to log on using an account other than the one shown.
On a domain-based computer, if you don’t want to be bothered by pressing Ctrl+Alt+Delete to reach the logon screen, make the following change:
1. Open User Accounts in Control Panel, and then click Manage User Accounts to open Advanced User Accounts.
2. In the User Accounts dialog box that appears, click the Advanced tab.
3. Under Secure Logon, clear Require Users To Press Ctrl+Alt+Delete.
On a computer joined to a domain, by default the name and picture of the last user who logged on appears on the logon screen. On a system that’s used primarily by a single user, this is a convenient feature that allows the user to log on again without typing his or her name each time. For a computer that’s shared by many users, you might prefer not to show the last user. You can prevent the last-used name from appearing by typing secpol.msc at an elevated command prompt to open Local Security Policy. In Local Security Policy, open Local Policies\Security Options. Then enable the policy setting named Interactive Logon: Do Not Display Last User Name.
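Both logon-screen settings described above end up as registry values, so their current state can be read back without opening either dialog box. The following is an added example, not part of the chapter; the function name is an assumption, and the registry locations are the standard Windows ones rather than something the chapter lists.

```powershell
# Added example: report the registry values behind the two logon-screen settings.
function Get-LogonScreenSetting {
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Strict = the data that hides the last user name or requires Ctrl+Alt+Delete.
    $checks = @(
        @{ Setting = 'Do Not Display Last User Name (policy)'
           Key = $policyKey;   Value = 'DontDisplayLastUserName'; Strict = 1 },
        @{ Setting = 'Ctrl+Alt+Delete requirement (policy)'
           Key = $policyKey;   Value = 'DisableCAD';              Strict = 0 },
        @{ Setting = 'Ctrl+Alt+Delete requirement (User Accounts check box)'
           Key = $winlogonKey; Value = 'DisableCAD';              Strict = 0 }
    )

    foreach ($c in $checks) {
        $prop = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # A missing value is not an error: Windows falls back to its default,
            # which differs between domain-joined and workgroup computers.
            $data  = $null
            $state = 'not set (Windows default applies)'
        }
        else {
            $data = $prop.($c.Value)
            if ($data -eq $c.Strict) { $state = 'strict' } else { $state = 'relaxed' }
        }

        New-Object PSObject -Property @{
            Setting = $c.Setting
            Data    = $data
            State   = $state
        }
    }
}

Get-LogonScreenSetting | Format-Table Setting, Data, State -AutoSize
```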
3. If a DWORD value named OEMBackground does not exist, create one. Set this value’s data to 1.
5. Copy the image you want to this folder, using these guidelines:
●The image must be in .jpg format, and the file size cannot exceed 256 KB.
●Scale the image to the pixel dimensions of your primary monitor’s native (or default) resolution, and name the file Backgroundwwwxhhh.jpg, where www and hhh represent the width and height, in pixels (for example, Background1600x1200.jpg).
If that procedure sounds too daunting, download the Tweaks.com Logon Changer, a utility that compresses your image file (to stay under the file-size limit) and safely dives into the registry and deeply nested folders for you. Get it from w7io.com/1603.
1. In the Start menu search box, type regedit and press Enter to open Registry Editor.
2. In Registry Editor, navigate to the HKU\.Default\Control Panel\Desktop key.
3. If a DWORD value named LogPixels does not exist, create one.
Log off to see the changes. The first time each user logs on after making this change, Windows applies the new DPI (dots per inch) setting to the user’s desktop as well as the logon screen. Users who want to change to a different text size can do so by visiting Display in Control Panel.
3. Type the user name and password for the account that you want to be logged on each time you start your computer.
When you’re finished using your computer, you want to be sure that you don’t leave it in a condition in which others can use your credentials to access your files. To do that, you need to log off, switch users, or lock your computer:
●Log Off: With this option, all your programs close and dial-up connections are ended. To log off, click the arrow in the lower right corner of the Start menu and click Log Off.
●Switch User: With this option (sometimes called Fast User Switching), your programs continue to run.
●Lock: With this option, your programs continue to run, but the logon screen appears so that no one can see your desktop or use the computer. Only you can unlock the computer to return to your session; however, other users can log on in their own sessions without disturbing yours. To lock a computer, click the arrow in the lower right corner of the Start menu and click Lock.
Parental Controls is a feature that enables parents to help manage how their children use the computer. As a parent, you can set restrictions (different for each child, if you like) on which programs your children can run and which games they can play, and you can set hours of use for the computer.
With the addition of controls from Microsoft and other providers, you can specify which websites your children can visit and you can view activity logs that detail each child’s computer activity.
You must have at least two user accounts set up on your computer—an administrator account for the parent and a standard account for the child.
All administrator accounts on the computer should be protected by a password.
Your computer cannot be joined to a domain. On domain-joined computers, the Parental Controls feature is disabled, even when you’re connected to your home network (or no network).
To begin using Parental Controls, open it in Control Panel. (It’s in the User Accounts And Family Safety category.) After consenting to the User Account Control prompt (or entering an administrator password if you’re logged on as a standard user), you’ll see a window like the one shown in Figure 16-9.
Restricting Logon Hours
Controlling Access to Games
When your child attempts to run a blocked program, a dialog box appears.