By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 2.5: Given a scenario, manage and configure basic security settings in the Microsoft Windows OS. Microsoft has made several security settings and tools available in the Windows OS. These settings and tools allow users and administrators to control access to the computer, as well as to files and folders. Defender Antivirus Windows comes with Microsoft Defender Antivirus, which is part of the Windows Security suite. To access Windows Security, go to Start Windows Security. From the Security at a Glance window, select Virus & Threat protection. From the Virus & Threat Protection window, you can run a quick scan, select scan options, manage settings, and check for updates. You can even manage ransomware protection. For real-world application and the A+ exam, ensure that you know how to activate and deactivate real-time protection (under Manage Settings), and understand how to keep your definitions up-to-date by selecting the Check for Updates link.
Microsoft offers a great resource for configuring Microsoft Defender Antivirus in Windows: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide Firewall A firewall is a physical device or software program that examines data packets on a network to determine whether to either forward them to their destination or block them. A firewall can be a one-way firewall, which protects against inbound threats only, or a two-way firewall, which protects against both unauthorized inbound and outbound traffic. Most third-party firewall programs, such as ZoneAlarm, are two-way firewalls. A software firewall can be configured to permit traffic between specified IP addresses and to block traffic to and from the Internet except when permitted on a per-program basis. A corporate network can use a proxy server with a firewall as the sole direct connection between the Internet and the corporate network and then use a firewall in the proxy server to protect the corporate network against threats. Physical firewalls are specialized computers whose software is designed to quickly analyze network traffic and make forwarding decisions based on rules set by the administrator. Over time, that task has been incorporated more into software on the computers and into the OS design. An example is Windows Defender Firewall in Windows, which is discussed in the section, “Microsoft Windows OS Security Settings.”
Most current operating systems have some sort of firewall built in: - As initially configured, the standard firewall in Windows is a one-way firewall. However, it can be configured to work as a two-way firewall. For more information about how it works, see the section “Firewall Settings,” later in this guide. - macOS includes an application firewall. In OS X 10.6 and newer, the application firewall offers additional customization options. - Linux, starting with distros based on kernel 2.4.x and later, includes iptables to configure netfilter, its packet-filtering framework. To learn more, see www.netfilter.org. Many distros and third-party Linux apps are available to help make iptables and netfilter easier to configure. Activate/Deactivate Windows Defender Firewall was covered in detail in, “Operating Systems.” However, we can’t stress enough how important a working knowledge of Windows Defender Firewall is for real-world application and the A+ exam. You should be familiar with activating and deactivating (turning on and off) Windows Defender Firewall, and you should understand related port and application security settings and procedures. To turn Windows Defender Firewall on or off in Windows 10, do the following: Step 1. Select Start Settings Update & Security Windows Security Firewall & Network Protection. Open Windows Security settings. Step 2. Select a network profile: Domain network, Private network, or Public network. Step 3. Under Microsoft Defender Firewall, switch the setting to On. Step 4. To turn off Windows Defender Firewall, switch the setting to Off. Turning off Microsoft Defender Firewall could make your device (and your network, if you have one) more vulnerable to unauthorized access. If you need to use an app that is being blocked, you can allow it through the firewall instead of turning off the firewall. Port Security Managing port security refers to using a firewall appliance or a software firewall to prevent specified UDP or TCP ports from being used by a service, an application, a specific device, or all devices. Turning off unused ports makes it harder for hackers to find stealthy access into a machine. Application Security Many applications are designed to update and communicate with other computers. Authorization for external communication can be managed in Windows Defender Firewall. When opening Windows Defender Firewall, select Allow an App or Feature Through Windows Defender Firewall, to bring up the window shown in Figure below. Each app and feature can be enabled or disabled from this menu. Managing Apps in Windows Defender Firewall
Microsoft also offers excellent detailed instructions for configuring Windows Firewall with Advanced Security at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security Access Control The next sections discuss the purposes and principles of access control through the following: - Users and groups - NTFS vs. share permissions - Shared files and folders - System files and folders - User authentication - Run as administrator vs. standard user - BitLocker - BitLocker To Go - Encrypting File System (EFS) Users and Groups Users in Windows can be assigned to different groups, each with different permissions. The Local Policy settings (for local PCs) and Group Policy settings (for networked PCs connected to a domain controller running Active Directory) can restrict PC features by group or by PC. The 220-1102 exam covers some of the differences between the accounts. Local vs. Microsoft Accounts When setting up a computer in Windows 10, you can choose whether to use a local account or a Microsoft account. Each has its own purpose, and you should know the difference. - Local account: A local account is the same as the non-networked accounts that users experienced in previous editions of Windows. Configurable settings include the local username and password, desktop customization, access to Windows features, application installation, and the personalization of the desktop. Missing are the added features of the expansive Windows 10 online environment. - Microsoft Account: Using a Microsoft account establishes an online relationship with Microsoft and allows for easier access to common Microsoft products such as Skype, Outlook, and even gaming features on Xbox. The username and password are not local preference, but rather the account email and associated password. A Microsoft account provides simplified setup and synchronization of additional devices, as well as easy access to the Windows Store. All Microsoft accounts can be combined and centrally managed. Standard and Administrator Accounts Three standard account levels exist in Windows: - Standard account: Standard accounts have permission to perform routine tasks. However, these accounts are blocked from performing tasks that involve systemwide changes, such as installing hardware or software, unless they can provide an administrator password when prompted by User Account Control (UAC). - Administrator account: Users with an administrator account can perform any and all tasks. - Guest account: The guest account level is the most limited. A guest account cannot install software or hardware or run existing applications; likewise, a guest account cannot access files in shared document folders or the Guest profile. The guest account is disabled by default. If it is enabled for a user to gain access to the computer, that access should be temporary, and the account should be disabled again when the user no longer requires access. Note: When a user is created using the Users applet in Windows, the user must be assigned a standard or administrator account. Guest accounts are used for visitors. In Windows versions up to 8.1, the power users account is a specific account type that has more permissions than standard users but fewer than administrators. In those versions, power users have the same rights and permissions as standard users; however, a custom security template can be created if the Power Users group needs specific permissions, such as for the operation of legacy programs. In Windows 10 and Windows 11, the Power Users group has been discontinued; however, it is available to assign for backward compatibility. NTFS vs. Share Permissions Microsoft introduced theNew Technology File System (NTFS) as an improved way to store files on disks over the FAT system of Windows 95. The changes in storage systems facilitated implementing file-level security in the form of permissions. Permissions control both local and network access to files and can be set for individual users or groups. Allow vs. Deny Each permission has two settings: Allow and Deny. Generally, if you want a user to have access to a folder, you add that user to the list and select Allow for the appropriate permission. If you don’t want to allow a user access, normally you simply do not add the user to a list. In some cases, an administrator must issue an explicit denial if the user is part of a larger group that already has access to a parent folder but needs to be kept out of a particular subfolder. Inheritance The acts of moving and copying folders and files have different results, depending on permissions. For example, when you copy a folder or file to a different volume, the folder or file inherits the permissions of the parent folder it was copied to (the target directory). When you move a folder or file to a different location on the same volume, the folder or file retains its original permissions. File and Folder Attributes File attributes are used in Windows to indicate how files can be treated. They can be used to specify which files should be backed up, which files should be hidden from the normal GUI or command-line file listings, whether a file is compressed or encrypted, and so on, depending on the operating system. To view file attributes in Windows, right-click a file in File Explorer or Windows Explorer and select Properties. To view file attributes from the Windows command line, use the Attrib command. Shared Files and Folders Shared files and folders have their permissions assigned from the Security tab of the object’s properties sheet. Folder and file permissions vary by user type or group and can include the following: - Full control: Grant complete access to the contents of the file or folder. When Full Control is selected, all of the following are selected and enabled automatically. - Modify: Change file or folder contents. - Read & Execute: Access file or folder contents and run programs. - List Folder Contents: Display folder contents. - Read: Access a file or folder. - Write: Add a new file or folder. Permission Inheritance and Propagation Permission inheritance and propagation describe how files and folders receive permissions. If you create a folder, the default action is for the folder to inherit permissions from the parent folder—that is, any permissions that you set in the parent are inherited by any subfolder of the parent. To view an example of this, locate any folder within an NTFS volume (besides the root folder), right-click it, and select Properties; then access the Security tab and click the Advanced button. In Windows 10 or 11, the Advanced Security Settings dialog offers these buttons: Add, Remove, View, and Disable Inheritance. You can also propagate permission changes to subfolders that are not inheriting from the current folder. To do so, select Replace All Child Object Permissions with Inheritable Permissions from This Object. Remember that folders automatically inherit from the parent unless you turn off inheritance, and you can propagate permission entries to subfolders at any time by selecting the Replace option. Run as Administrator vs. Standard User In Windows 10, press Windows+X and then click or tap Windows PowerShell to run in standard mode. An option to run as an administrator is also available. User Account Control User Account Control (UAC) allows the end user to select a level of notifications concerning changes being made to the computer. The purpose of this tool is to prevent unauthorized changes to the computer; the varying levels are designed to allow end users to tailor notifications to their comfort level. UAC can be disabled, but it is better to define some level of notification than to have none at all. To access the settings for UAC, simply type UAC in the Search area on the taskbar. Select UAC to see the UAC controls in Figure below. UAC Controls in Windows 10 Login OS Options Authentication is the process of securely determining that the authorized persons accessing computers or the network are who they say they are. Windows includes a variety of authentication protocols that can be used on a corporate network, including Kerberos, TLS/SSL, PKU2U, and NTLM. Apple, Microsoft, and Google use mutual authentication for multiple services (also known as single sign-on [SSO]) to enable a single login that provides access to multiple services. For example, a single Microsoft Account login provides access to Outlook email, the Microsoft Store, and OneDrive. To make SSO possible in Windows, client IP addresses are mapped to usernames in Windows Active Directory. Similarly, a single Apple login provides access to iTunes, iCloud, and other services. A single Google login provides access to Gmail, Google Drive, and other services. Other Windows login OS options (besides username and password) include logging in with a PIN, a fingerprint, or even facial recognition. In Windows 10 and 11, you can manage how to sign into your device by going to Settings Accounts Sign-in Options. Here you can manage options such as facial recognition (Windows Hello), fingerprint recognition (Windows Hello), and Windows Hello PIN, as shown in Figure below. Windows Sign-in Options BitLocker To encrypt an entire drive, you need some kind of full disk encryption software. Several options are currently available on the market; one option developed for business-oriented versions of Windows by Microsoft is called BitLocker. This software can encrypt the entire disk, which, after completed, is transparent to the user. However, BitLocker has some requirements, including the following: - A Trusted Platform Module (TPM) chip, which is a chip residing on the motherboard that actually stores the encrypted keys. or - An external USB key to store the encrypted keys. Using BitLocker without a TPM chip requires changes to Group Policy settings. - A hard drive with two volumes, preferably created during the installation of Windows. One volume is for the operating system (most likely C:), and it will be encrypted; the other is the active volume, and it remains unencrypted so that the computer can boot. If a second volume needs to be created, the BitLocker Drive Preparation Tool can assist you; you can download it from the Microsoft Download Center.
BitLocker software is based on the Advanced Encryption Standard (AES) and uses a 128-bit encryption key. Since Windows Vista SP1, it has been possible to use BitLocker to encrypt internal hard disk volumes other than the system drive. For example, if a hard disk is partitioned as C: and D: drives, BitLocker can encrypt both drives. Windows 10 and 11 have several enhancements that make BitLocker more user friendly, but the essentials of BitLocker are the same as in Windows 7. BitLocker To Go To enable BitLocker To Go on Windows 10 or 11, go to the Control Panel System and Security BitLocker Drive Encryption. For external drives, simply right-click the drive to encrypt and select Enable BitLocker to start the encryption process. During the process, you are prompted to specify a password or a smart card for credentials to access the drive’s contents. EFS Business-oriented editions of Windows include support for the Encrypting File System (EFS). As Figure below shows, EFS can be used to protect sensitive data files and temporary files, and can be applied to individual files or folders. (When EFS is applied to folders, all files in an encrypted folder are also encrypted.) EFS Encryption Steps EFS files can be opened only by the user who encrypted them, by an administrator, or by EFS keyholders (users who have been provided with the EFS certificate key for another user’s account). Thus, the files are protected against access by hackers. Files encrypted with EFS are listed with green filenames when viewed in Windows Explorer or File Explorer. Only files stored on a drive that uses NTFS can be encrypted. To encrypt a file in Windows 10 or 11, follow this process: Step 1. Right-click the file in File Explorer and select Properties. Step 2. Click the Advanced button on the General tab. Step 3. Click the empty Encrypt Contents to Secure Data check box. Figure below shows the steps for EFS encryption. Step 4. Click OK. Step 5. Click Apply. When prompted, select the option to encrypt either the file and parent folder or only the file, as desired, and click OK. Step 6. Click OK to close the properties sheet. To decrypt the file, follow the same procedure, but clear the Encrypt Contents to Secure Data check box in Step 3. Note: To enable the recovery of EFS encrypted files in the event that Windows cannot start, you should export the user’s EFS certificate key. For details, see the Microsoft TechNet article “Create and Verify an Encrypting File System (EFS) Data Recovery Agent (DRA) Certificate,” at https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.