CHAPTER 19 Security Essentials

In this chapter, you will learn:

• Why it is important to comply with established security policies
• Ways to authenticate and classify users so that you can control who has access to your resources and what users can do with them
• About additional methods you can use to protect resources
• How to monitor and maintain the security measures you have implemented

In today’s computing environment, we all need to know how to keep our shields up. Security is an important concern for PC support technicians, and many of the chapters of this book have addressed security concerns as appropriate within the content of each chapter. This chapter focuses on the concepts, technologies, and best practices you need to know to protect a computer and a small network. In the next chapter, we will focus on how to apply these security measures.

In this chapter, you will learn about compliance measures you might be required by law to use in your organization or profession. You will also learn many ways to protect computing resources, including authenticating and authorizing users, locking down systems, encryption, protecting against malware, and educating your users to not compromise the system unintentionally. Finally, you will learn about the importance of maintaining the security measures you have implemented.

A+ Exam Tip: All the content in this chapter applies to security objectives on the A+ 220-701 Essentials exam. Chapter 20 covers security objectives on the A+ 220-702 Practical Applications exam.

9781133726890, A+ Guide to Managing and Maintaining Your PC, Jean Andrews - © Cengage Learning. All rights reserved. No distribution allowed without express authorization


COMPLY WITH SECURITY POLICIES

Sometimes an individual or company is free to decide what security measures they want to use. On the other hand, many corporations and individuals are required by law to implement one or more security standards or guidelines in order to be qualified to do business. In addition, some individuals and corporations freely decide to implement these standards and guidelines because they see value in doing so. Here are just three security standards, but many more exist:

• The International Organization for Standardization (ISO, www.iso.org) has developed two documents (ISO 17799 and ISO 27002), which describe, in detail, the recommended standards to secure computer resources. Many organizations use these standards, which are considered security benchmarks in the IT industry.
• In the United States, the National Institute of Standards and Technology (www.nist.gov) has published information technology standards for security to be followed by the U.S. government and its contractors. Other government agencies might have their own security standards.
• For the health care industry, the Health Insurance Portability and Accountability Act (HIPAA, pronounced “hip-ah”) includes regulations to secure patient data that apply to all health care companies and professionals.

Where you have a choice in the security that you use, keep in mind two goals, which are sometimes in conflict. One goal is to protect resources, and the other goal is to not interfere with the functions of the system. A computer or network can be so protected that no one can use it, or so accessible that anyone can do whatever they want with it. The trick is to provide enough security to protect your resources while still allowing users to work unhindered. Also, too much security can sometimes force workers to find nonsecure alternatives. For example, if you require users to change their passwords weekly, some of them might start writing their passwords down to help remember them.

When implementing a security plan, many organizations follow a four-step cyclic process shown in Figure 19-2. The four steps are sometimes called the Plan-Do-Study-Act (PDSA) cycle:

1. Plan. Your first steps to making a security plan are to find out what standards, if any, your employer or company must follow. Obtain these standards in writing, and carefully read them. Full compliance is required. If you don’t implement the entire standard, your company might be at risk of a lawsuit or losing its license to do business. If you are not required to comply with security standards, use your best judgment as to which security measures mentioned in this chapter and the next will serve your purposes. Then get the approval of others in your organization. Know that many security consulting firms are available to help. However, check them out carefully before using one.

2. Do. Implement each security method you decide to use. The plan might need to be implemented in stages.

3. Study. A security plan needs to include methods to monitor the security of a system. You need to know when security has been compromised or when attempts have been made to hack a system. It’s also important to monitor the system to make sure that users are following any security policies you have set in place.

4. Act. Maintain and improve your security plan as needed. As the organization changes, so do its security needs. Also, as you monitor and review the security measures you are using, you’ll find better ways to implement security. Then you need to go back to the Plan stage to decide what to do to improve your security.

A+ Exam Tip: The A+ 220-701 Essentials exam expects you to know the importance of compliance when it comes to securing sensitive data.

Figure 19-1 Security measures should protect resources without hindering how users work. © Phil Marden/Getty Images

Figure 19-2 A four-step plan to develop a system for an organization (Plan, Do, Study, Act). Courtesy: Course Technology/Cengage Learning

CONTROLLING ACCESS TO SECURED RESOURCES

Controlling access to a computer, file, folder, or network is done in Windows by using a combination of authentication and authorization techniques. First, let’s look at a definition of these two key words:

• Authentication proves that an individual is who he says he is and is accomplished by a variety of techniques, including a username, password, personal identification number (PIN), smart card, or biometric data (for example, a fingerprint or iris scan). Using Windows, this authentication is normally done when a user enters a password for his user account. After an individual is authenticated, the individual is allowed access. (In practice, even though an individual is most often a person, sometimes an individual is a computer program or process.)
• Authorization determines what an individual can do in the system after he or she is authenticated. The rights or privileges assigned to an individual depend on how the individual is classified. Classifications are based on job needs. A user should be allowed the rights he needs to do his job. Other rights should not be available to him. For Windows, these classifications are generally implemented in two ways: assigning rights to user accounts or user groups and assigning permissions to data folders and files.

Keep in mind, as you learn how Windows authenticates and authorizes access to computer resources, that physical security also needs to be in place. For example, not only do you need to set up a Windows file server to use password-protected user accounts, but also you might need to place the server in a room that is locked from unauthorized people. If a thief gets physical access to a computer, many of the software security measures you have used won’t protect the system. These types of physical security techniques and devices are discussed later in the chapter.

Now let’s see how Windows authenticates users and then we’ll learn how to classify users and authorize their access to resources.

AUTHENTICATE USERS

Users of a local computer and network can be authenticated by BIOS settings that control who can use the computer and by a local user account login to Windows. After the user has logged onto Windows using a workgroup, recall that other computers on the network control who can use their resources. On larger networks, a domain controller manages authentication to the network. The most common method of authentication is to require a password, although other methods such as biometric data and smart cards can be used for authentication.

Let’s first look at how Windows, BIOS, and larger networks authenticate users, and then we’ll look at how to create strong passwords.

AUTHENTICATE USERS IN WINDOWS

Using Windows, controlling access to a computer or the resources on that computer is accomplished by assigning a password to each user account. As an administrator, when you first create an account, be sure to assign a password to that account. It is best to give the user the ability to change the password at any time. Recall that in Windows an administrator can create a user account by using the User Accounts window accessed from Control Panel or by using the Computer Management console. You can also control how a user logs on. And, as an administrator, you can reset a password if a user forgets it. Now let’s see how to control user logon and how to deal with a forgotten password.

Controlling How a User Logs On

Normally, Windows Vista/XP provides a Welcome screen (see Figure 19-3) that appears when the PC is first booted or comes back from a sleep state. All users are listed on the Welcome screen along with a picture (which can be the user’s photograph); a user clicks his or her user name and enters the password. Using this logon method, it is possible for malware to intercept the user account and password information.


A more secure method of logon is to require that the user press Ctrl+Alt+Del to get to a logon window. Use this method to change the way Windows logon works:

• Using Vista, enter netplwiz in the Start Search box and press Enter. Respond to the UAC box. The User Accounts box appears. Click the Advanced tab. Check Require users to press Ctrl+Alt+Delete (see Figure 19-4). Click Apply and close the box.
• Using Windows XP, open Control Panel and then open the User Accounts applet. Click Change the way users log on or off. The User Accounts window opens, as shown in Figure 19-5. If you want to require users to press Ctrl-Alt-Delete to get a logon window, then uncheck Use the Welcome screen. If you want to allow only one user logged on at a time, then uncheck Use Fast User Switching. When you’re done with your changes, click Apply Options to close the window.

Figure 19-3 Windows Vista Welcome screen. Courtesy: Course Technology/Cengage Learning

Figure 19-4 Change the way users log onto Vista. Courtesy: Course Technology/Cengage Learning

Figure 19-5 Options to change the way Windows XP users log on or off. Courtesy: Course Technology/Cengage Learning

Figure 19-6 Windows Vista screen after the boot or returning from sleep state. Courtesy: Course Technology/Cengage Learning

When Ctrl-Alt-Delete is required, the Windows screen looks like that in Figure 19-6. When a user presses Ctrl-Alt-Delete, the Windows Welcome screen appears that cannot be intercepted by malware.

Forgotten Password

Sometimes a user forgets his or her password or the password is compromised. If this happens and you have Administrator privileges, you can reset the password. Keep in mind, however, that resetting a password causes the OS to lock the user out from using encrypted e-mail or files and from using Internet passwords stored on the computer. For Vista Business or Ultimate editions or for XP Professional, you can reset a password using the Computer Management console. For all versions of Vista or XP, you can use a Control Panel applet to reset a password for another user. Follow these steps:

• For Vista, click User Accounts and Family Safety in the Control Panel. Then click User Accounts and click Manage another account. Respond to the UAC box. Click the account you want to change. The Change an Account window opens. Click Change a password. The Change Password window opens (see Figure 19-7). Enter the new password twice and a password hint. Click Change password. Close the window.
• For Windows XP, open the User Accounts applet in Control Panel. Click Change an account and select the account. Then click Change the password and enter the new password twice and a password hint. Click Change Password and close the window.

Figure 19-7 Reset a user’s password. Courtesy: Course Technology/Cengage Learning

Because of the problem of losing encrypted data and Internet passwords when a user password is reset, each new user should create a password reset disk for use in the event the user forgets the password. Vista allows you to use a flash memory device, and XP expects you to use a floppy disk. To create the disk, open the User Accounts window in Control Panel, and click Create a password reset disk (in XP, click Prevent a forgotten password) in the left pane of the window shown in Figure 19-8. Follow the wizard to create the disk. Explain to the user the importance of keeping the device or disk in a safe place in case it’s needed later. If a user enters a wrong password at logon, he or she will be given the opportunity to use the disk.

Notes: The password reset disk should be kept in a protected place so that others cannot use it to gain unauthorized access to the computer.


Figure 19-8 Create a password reset disk. Courtesy: Course Technology/Cengage Learning

AUTHENTICATE USERS WITH BIOS SETTINGS

Power-on passwords are assigned in BIOS setup and kept in CMOS RAM to prevent unauthorized access to the computer and/or to the BIOS setup utility. Most likely, you’ll find the security screen to set the passwords under the boot menu or security menu options. For one BIOS, this security screen looks like that in Figure 19-9, where you can set a supervisor password and a user password. In addition, you can configure how the user password works.

Figure 19-9 Set supervisor and user passwords in BIOS setup to lock down a computer. Courtesy: Course Technology/Cengage Learning

The choices under User Access Level are No Access (the user cannot access the BIOS setup utility), View Only (the user can access BIOS setup, but cannot make changes), Limited (the user can access BIOS setup and make a few changes such as date and time), and Full Access (the user can access the BIOS setup utility and make any changes). When supervisor and user passwords are both set and you boot the system, a box to enter a password is displayed. What access you have depends on which password you enter. Also, if both passwords are set, you must enter a valid password to boot the system. By setting both passwords, you can totally lock down the computer from unauthorized access.

For another computer, BIOS setup controls how to lock down a computer on the Advanced BIOS screen shown in Figure 19-10. Under the Security Option, choices are Setup and System. If you choose Setup, the power-on passwords control access only to BIOS setup. If you choose System, a power-on password is required every time you boot the system. (The supervisor and user power-on passwords for this BIOS are set on another screen.) Also notice on the setup screen in Figure 19-10, the Virus Warning option, which is enabled. If an attempt to write to the boot sectors happens, a warning message appears on-screen and an alarm beeps.

Figure 19-10 Change the way a user password functions to protect the computer. Courtesy: Course Technology/Cengage Learning

A+ Tip: The A+ 220-701 Essentials exam expects you to know how to use BIOS setup to secure a workstation from unauthorized use.

Notes: For added protection, configure the BIOS setup utility so that a user cannot boot from a removable device such as a CD, USB device, or floppy disk.

Caution: Recall from Chapter 5 that these supervisor and user passwords to the computer can be reset by setting a jumper on the motherboard to clear all BIOS customized settings and return BIOS setup to its default settings. To keep someone from using this technique to access the computer, you can use a computer case with a lockable side panel and install a lock on the case.


In addition to power-on passwords, some notebooks give you the option of setting a hard drive password, which is set in BIOS setup and written on the hard drive. This password is sometimes called a drive lock password. Data on the hard drive cannot be changed without entering this password. The advantage of using a drive lock password over a power-on password or a Windows password is that if the hard drive is removed and installed in another notebook, it still protects the hard drive’s data. Just as with the power-on password, the hard drive password is requested by the system when it is powering up.

To know if your notebook supports these three types of power-on passwords, look on the BIOS setup screens. Figure 19-11 shows one notebook BIOS screen that shows the options to set four passwords (supervisor password, user password, and a hard drive password for each of two hard drives in the system). To set a hard drive password or the user password, you must first set a supervisor password. After that is set, to set a hard drive password, on the Security menu, select Hard Disk Security. The submenu in Figure 19-12 shows where you can choose to set a password for either or both hard drives.

Figure 19-11 BIOS setup main menu shows support for four power-on passwords. Courtesy: Course Technology/Cengage Learning

AUTHENTICATE USERS FOR LARGER NETWORKS

How to secure a large network is beyond the scope of this book. However, as a PC support technician, you might be called on to support the devices and techniques that are used to authenticate users when they first try to connect to a large network. In this part of the chapter, you’ll learn how user accounts and passwords are encrypted as this information is sent over the network when authenticating the user. You’ll also learn how smart cards and biometric data can be used to authenticate users.

Encrypted User Accounts and Passwords

When logging on to a network, such as that managed by Windows Server 2008, the user account and password must be passed over the network in order to be authenticated by the domain controller. If someone intercepts that information, the network security can be compromised. For this reason, user accounts and passwords are encrypted before they are sent over the network to the computer that is the domain controller and decrypted just before they are validated. The protocols used to encrypt account names and passwords are called authentication protocols. The two most popular protocols are CHAP (Challenge Handshake Authentication Protocol) and Kerberos. Kerberos is the default protocol used by Windows Vista/XP.
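How a CHAP exchange lets the server validate a user without the password itself crossing the network, using the response calculation from RFC 1994. This is an added example, not code from the book; the class and function names, the user name and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier octet + shared secret + challenge.

    MD5 is what RFC 1994 specifies; it is shown here for the mechanism only.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side of the exchange (hypothetical class, e.g. an access server)."""

    def __init__(self, secrets_by_user: dict[str, bytes]):
        self._secrets = secrets_by_user
        self._identifier = 0
        self._challenge = None  # outstanding challenge, valid for one answer only

    def new_challenge(self) -> tuple[int, bytes]:
        """Challenge message: a fresh identifier and 16 unpredictable bytes."""
        self._identifier = (self._identifier + 1) % 256
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def check(self, user: str, identifier: int, response: bytes) -> bool:
        """Success/Failure decision for a Response message."""
        challenge, self._challenge = self._challenge, None  # consume the challenge
        secret = self._secrets.get(user)
        if challenge is None or secret is None or identifier != self._identifier:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Run one good logon, one replayed response and one wrong password."""
    password = b"constructed-example-secret"  # constructed sample value
    server = Authenticator({"jsmith": password})
    wire = []  # everything an eavesdropper on the network would see

    ident, challenge = server.new_challenge()
    response = chap_response(ident, password, challenge)
    wire += [challenge, response]
    first_login = server.check("jsmith", ident, response)

    # An intercepted response is useless against the next, different challenge.
    ident2, _ = server.new_challenge()
    replayed = server.check("jsmith", ident2, response)

    ident3, challenge3 = server.new_challenge()
    wrong = server.check("jsmith", ident3, chap_response(ident3, b"guess", challenge3))

    return {
        "first_login": first_login,
        "replayed_response": replayed,
        "wrong_password": wrong,
        "password_on_wire": any(password in message for message in wire),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```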

Smart Cards

Besides a user account and strong password, a network might require more security to control access. Generally, the best validation to prove you are who you say you are requires a two-factor authentication: You prove you have something in your possession and you prove you know something. For example, a user can enter a user ID and password and also prove he has a token in hand. This token can take on many forms. The most popular type of token is a smart card, which is any small device that contains authentication information that can be keyed into a logon window by a user or can be read by a smart card reader, when the device is inserted in the reader. (You also need to know that some people don’t consider a card to be a smart card unless it has an embedded microprocessor.)

Figure 19-12 Submenu shows how to set a hard drive password that will be written on the drive. Courtesy: Course Technology/Cengage Learning

A+ Tip: The A+ 220-701 Essentials exam expects you to know about using smart cards and biometric devices for hardware and software security.

Here are some variations of smart cards:

• One type of smart card is a key fob, so called because it fits conveniently on a keychain. RSA Security (www.rsasecurity.com), a leader in authentication technologies, makes several types of smart cards, called SecurIDs. One SecurID key fob by RSA Security is shown in Figure 19-13. The number on the key fob changes every 60 seconds. When a user logs on to the network, she must enter the number on the key fob, which is synchronized with the network authentication service. Entering the number proves that the user has the smart card in hand.
• Other smart cards that look like a credit card also have an embedded microchip that displays a number every few seconds for a user to enter during the authentication process. The advantage of using smart cards that display a number to key in is that no special equipment needs to be installed on the computer. The disadvantage is that the smart card can only validate that the person has the token in hand but can provide no additional data about the user.
• Other smart cards have magnetic stripes that can be read by a smart card reader that has a slot for the card (see Figure 19-14). Because these cards don’t contain a microchip, they are sometimes called memory cards, and are sometimes used to gain entrance into a building. They can also be read by a smart card reader, such as the one shown in Figure 19-15, that connects to a PC using a USB port. Used in this way, they are part of the authentication process into a network. The magnetic stripe can contain information about the user to indicate their rights on the system. Not only does the smart card validate that the person has a token, but it can also be used to control other functions on the network. The major disadvantage of this type of smart card is that each computer used for authentication must have one of these smart card reader machines installed. Also, because a card with a magnetic stripe does not contain a microchip, some in the industry don’t consider it to fit into the category of a smart card, but rather simply call it a magnetic stripe card.
• Another type of smart card plugs directly into a USB port, such as the one in Figure 19-16 by Aladdin (www.aladdin.com). The device displays a number that changes every 60 seconds, which a user can enter when logging onto the system. The device can also be read by software installed on the computer and most likely contains one or more digital certificates that a user needs to authenticate into the private network and do business on the network. A digital certificate is assigned by a Certification Authority (for example, VeriSign, www.verisign.com), and is used to prove you are who you say you are. These smart cards are designed to help encrypt any data sent over the Internet to the corporate network, such as that used by a VPN. In fact, many VPN solutions are based on a VPN router at the corporate office and a smart card token at the user end of the VPN tunnel. The advantage of this type of smart card is that it can contain sensitive data that can be read by a remote computer, but the computer does not need any special equipment to read the card. Remember that it’s best to use two-factor authentication. Even though a user’s password could be stored on this type of smart card, for added security, the user should still be expected to enter a password to gain access to the system.

Figure 19-13 A smart card such as this SecurID key fob is used to authenticate a user gaining access to a secured network. Courtesy of RSA Security

Figure 19-14 A smart card with a magnetic strip can be used inside or outside a computer network. Courtesy of IDenticard Systems

Figure 19-15 This smart card reader by Athena Smartcard Solutions (www.athena-scs.com) uses a USB connection. Courtesy of Athena Smartcard Solutions Ltd.

Figure 19-16 This eToken by Aladdin can contain digital certificates so that a user can do business over a VPN. Courtesy of Aladdin
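How a token and an authentication service can agree on a number that changes every 60 seconds, shown with the open TOTP algorithm (RFC 6238) as a stand-in; this is an added example, not code from the book, and it is not the SecurID or eToken algorithm, which the chapter does not describe. The function names, the shared secret and the one-interval drift allowance are assumptions.

```python
import hashlib
import hmac
import struct


def token_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Number shown by the token: RFC 6238 TOTP with HMAC-SHA1.

    Both sides derive the same counter from the clock (whole `step`-second
    intervals since the Unix epoch), so nothing has to be sent to the token.
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, submitted: str, server_time: int, step: int = 60,
                digits: int = 6, drift_steps: int = 1, last_counter=None):
    """Authentication-service side of the check.

    Accepts the current interval plus or minus `drift_steps` to tolerate clock
    drift between token and server. Returns the matched interval counter, or
    None. Passing the counter of the last accepted code as `last_counter`
    refuses a code that was already used (replay of an observed number).
    """
    now = server_time // step
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter < 0:
            continue
        if last_counter is not None and counter <= last_counter:
            continue
        expected = token_code(secret, counter * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample secret (the ASCII test key used in the RFC examples).
    secret = b"12345678901234567890"
    shown = token_code(secret, 120)            # what the fob displays at t=120s
    accepted = verify_code(secret, shown, 185)  # server clock is 65s ahead
    print("code on token:", shown)
    print("accepted for interval:", accepted)
    print("same code again:", verify_code(secret, shown, 185, last_counter=accepted))
    print("code four minutes later:", verify_code(secret, shown, 360))
```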


Using Biometric Data

As part of the authentication process, rather than proving a person is in possession of a token, some systems are set to use biometric data to validate the person’s physical body. A biometric device is an input device that inputs biological data about a person, which can be input data to identify a person’s fingerprints, handprints, face, voice, eye, and handwritten signatures. Figure 19-17 shows one biometric input device, an iris reader, that scans your iris. Iris scanning is one of the most accurate ways to identify a person using biological data. The biometric data collected is then used to authenticate that person using some type of access control system.

Figure 19-17 The BM-ET200 iris reader by Panasonic. Courtesy of Panasonic Corporation

Using a biometric device, a person presses his finger against a fingerprint reader or puts his face in front of a Web cam that has been programmed to scan facial features, and is authenticated into a computer or network using data that has previously been recorded about this person. For desktop and notebook computer users, the most common biometric device is a fingerprint reader.

Although using biometric devices is gaining in popularity, the disadvantages of using these devices still outweigh the advantages. The most important disadvantage to using biometric devices is the danger of false negatives or false positives. For organizations with high security needs, security personnel must decide the fault tolerance limit of the input data. If you set the fault tolerance limit too low (to make sure that the person’s data is the only data authenticated), then you run the risk that the person will not be authenticated (false negative). If you set the fault tolerance level too high (to make sure this person gets authenticated), you run the risk that someone with similar biometric data can get access (false positive). Biometric devices are still to be considered in the pioneering stage of development. For best security, use a combination of two authentication techniques such as a smart card and a password.
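The tolerance trade-off described above, worked through in Python as an added example (not from the book). The distance scores are constructed sample data, and the function names and the rule that a scan is accepted when its distance from the enrolled template is within the tolerance are assumptions for illustration.

```python
"""Added example: how a biometric tolerance limit trades false negatives for false positives."""

# Constructed sample data: distance between a fresh scan and the enrolled template
# (0.0 means identical). These numbers are invented for illustration only.
GENUINE_ATTEMPTS = [0.08, 0.12, 0.15, 0.19, 0.22, 0.27, 0.31, 0.36]   # the enrolled user
IMPOSTOR_ATTEMPTS = [0.29, 0.34, 0.41, 0.48, 0.55, 0.62, 0.70, 0.83]  # other people

# Hypothetical tolerance limits a security team might evaluate.
CANDIDATES = [0.10, 0.20, 0.28, 0.30, 0.40, 0.50]


def error_rates(tolerance, genuine=GENUINE_ATTEMPTS, impostor=IMPOSTOR_ATTEMPTS):
    """Return (false_negative_rate, false_positive_rate) for one tolerance limit.

    Assumed acceptance rule: a scan is accepted when distance <= tolerance.
    """
    # Enrolled user rejected because the scan differed too much from the template.
    false_negatives = sum(1 for d in genuine if d > tolerance)
    # Someone else accepted because their scan was "close enough".
    false_positives = sum(1 for d in impostor if d <= tolerance)
    return false_negatives / len(genuine), false_positives / len(impostor)


def sweep(tolerances):
    """Return one (tolerance, false_negative_rate, false_positive_rate) row per limit."""
    return [(t, *error_rates(t)) for t in tolerances]


def best_tolerance(tolerances, max_false_positive_rate):
    """Pick the limit with the fewest false negatives among those that keep
    false positives at or below the stated ceiling. Returns None if no limit
    qualifies, which means the device cannot meet the requirement on its own."""
    allowed = [row for row in sweep(tolerances) if row[2] <= max_false_positive_rate]
    if not allowed:
        return None
    # Fewest false negatives first, then fewest false positives, then the tighter limit.
    return min(allowed, key=lambda row: (row[1], row[2], row[0]))[0]


if __name__ == "__main__":
    print("tolerance  false-negative  false-positive")
    for t, fnr, fpr in sweep(CANDIDATES):
        print(f"{t:9.2f}  {fnr:14.3f}  {fpr:14.3f}")
    print("High-security choice (no false positives allowed):",
          best_tolerance(CANDIDATES, 0.0))
    print("Convenience choice (up to 25% false positives):",
          best_tolerance(CANDIDATES, 0.25))
```

With this sample data no single limit drives both error rates to zero, which is the reason the text recommends combining two authentication techniques.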

CREATE STRONG PASSWORDS

You can lock down a computer by using power-on passwords and Windows passwords. In addition, you need passwords to protect your online accounts that you access through Web sites. Also, many applications give you the option to set a password on the data files associated with the application. A password needs to be a strong password, which means it is not easy to guess by both humans and computer programs designed to hack passwords.

A strong password, such as @y&kK1ff, meets all of the following criteria:

• Use eight or more characters (14 characters or longer is better).
• If your system allows it, a passphrase rather than a password is easier to remember and harder to guess. A passphrase is made of several words with spaces allowed.
• Combine uppercase and lowercase letters, numbers, and symbols.
• Use at least one symbol in the second through sixth position of your password.
• Don’t use consecutive letters or numbers, such as “abcdefg” or “12345.”
• Don’t use adjacent keys on your keyboard, such as “qwerty.”
• Don’t use your logon name in the password.
• Don’t use words in any language. Don’t even use numbers for letters (as in “p@ssw0rd”), as programs can now guess those as well.
• Don’t use the same password for more than one system.
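An added example (not from the book or from Microsoft's checker) that tests a candidate password against the criteria listed above. The small word list, the substitution table, and the run length of four are assumptions, and the passphrase and password-reuse criteria are not checked because they cannot be judged from a single password.

```python
"""Added example: check a password against the chapter's strong-password criteria."""
import string

# Assumption: a tiny constructed word list stands in for a real dictionary.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "admin"}

# Assumption: common number/symbol-for-letter swaps to undo before the word check.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})

# Letter rows of a QWERTY keyboard, used for the adjacent-keys check.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

RUN_LENGTH = 4  # assumption: four characters in a row counts as a run


def _has_run(text, sequences, length=RUN_LENGTH):
    """True if text contains `length` neighbouring characters of any sequence,
    read forwards or backwards (so both "abcd" and "dcba" are caught)."""
    text = text.lower()
    for seq in sequences:
        for ordered in (seq, seq[::-1]):
            for i in range(len(ordered) - length + 1):
                if ordered[i:i + length] in text:
                    return True
    return False


def check_password(password, logon_name, words=SAMPLE_WORDS):
    """Return the list of criteria the password fails; an empty list means it passes."""
    failures = []

    if len(password) < 8:
        failures.append("fewer than eight characters")

    has_all_classes = (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )
    if not has_all_classes:
        failures.append("does not combine uppercase, lowercase, numbers, and symbols")

    # Positions two through six are indexes 1..5.
    if not any(c in string.punctuation for c in password[1:6]):
        failures.append("no symbol in the second through sixth position")

    if _has_run(password, [string.ascii_lowercase, string.digits]):
        failures.append("contains consecutive letters or numbers")

    if _has_run(password, KEYBOARD_ROWS):
        failures.append("contains adjacent keyboard keys")

    if logon_name and logon_name.lower() in password.lower():
        failures.append("contains the logon name")

    # Check the password as typed and with the substitutions reversed,
    # so "p@ssw0rd" is treated the same as "password".
    plain = password.lower()
    reversed_subs = plain.translate(SUBSTITUTIONS)
    if any(word in plain or word in reversed_subs for word in words):
        failures.append("contains a dictionary word, possibly with numbers for letters")

    return failures


if __name__ == "__main__":
    # Constructed candidates; "jandrews" is a hypothetical logon name.
    for candidate in ["@y&kK1ff", "p@ssw0rd", "Qwerty12345!", "K#jandrews81Z"]:
        problems = check_password(candidate, "jandrews")
        print(candidate, "->", "strong" if not problems else problems)
```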

Notes Microsoft offers a password checker at www.microsoft.com/protect/yourself/password/checker.mspx. Go to this link and enter your password in the window shown in Figure 19-18. Microsoft will then rate the strength of your password.

Figure 19-18 Microsoft password checker window. Courtesy: Course Technology/Cengage Learning


In some situations, a blank Windows password might be more secure than an easy-to-guess password such as “1234.” That’s because you cannot log on to a Windows Vista/XP computer from a remote computer unless the user account has a password. A criminal might be able to guess an easy password and log on remotely. For this reason, if your computer is always sitting in a protected room such as your home office and you don’t intend to access it remotely, you might choose to use no password. However, for notebook computers that are not always protected in public places, always use a strong password. It’s too easy for a criminal to log on to your Windows notebook if you use no password. You can use Group Policy to require that every account has a password.

If you write your password down, keep it in as safe a place as you would the data you are protecting. Don’t send your passwords over e-mail or chat. Change your passwords regularly, and don’t type your passwords on a public computer. For example, computers in hotel lobbies or Internet cafes should only be used for Web browsing—not for logging on to your e-mail account or online banking account. These computers might be running keystroke-logging software put there by criminals to record each keystroke. Several years ago, while on vacation, I entered credit card information on a computer in a hotel lobby in a foreign country. Months later, I was still protesting $2 or $3 charges to my credit card from that country. Trust me. Don’t do it—I speak from experience.

CLASSIFY USERS AND DATA

When you are asked to set up a new user account on a computer, you need to classify the user. Find out the minimum set of resources the user needs on the computer and network to perform her job. All users should be classified in this way so that you give to users only the rights and permissions that they need. Also classify the data so that you know who owns the data and who needs what type of access to it.

A+ Exam Tip The A+ 220-701 Essentials exam expects you to know the basics of data classifications.


CLASSIFY USER ACCOUNTS AND USER GROUPS

Computer users should be classified to determine the rights they need to do their jobs. To classify a user is to assign certain rights to that user. For example, some users need the right to log onto a system remotely and others do not. Other rights granted to users might include the right to install software or hardware, change the system date and time, change Windows Firewall settings, and so forth. Generally, when a new employee begins work, that employee’s supervisor determines what rights the employee needs to perform his job. You, as the support technician, will be responsible to make sure the user account assigned to the employee has these rights and no more.

In Windows, the rights or privileges assigned to an account are established when you first create a user account and decide the account type. Recall that accounts are created from the Control Panel (using any edition of Vista or XP) or by using the Computer Management console (using Vista Business or Ultimate editions or XP Professional).

Vista offers these types of user accounts:

• An administrator account has complete access to the system and can make changes that affect the security of the system and other users. Recall that one account with administrative rights is created when Windows is first installed.
• A standard account can use software and hardware and make some system changes, but cannot make changes that affect the security of the system or other users.
• A guest account is normally not activated and has very limited rights.


Windows XP also has an administrator account and guest account. In addition to these two accounts, XP also uses these account types:

• A limited account has read-write access only on its own folders, read-only access to most system folders, and no access to other users’ data. Using a Limited account, a user cannot install applications or carry out any administrative responsibilities.
• A power user account can read from and write to parts of the system other than his own local drive, install applications, and perform limited administrative tasks.
• A backup operator account can back up and restore any files on the system regardless of its access permissions to these files.

When an account is created, it is assigned one of the account types listed above. This account type determines the rights assigned to the account. After an account is created, an administrator can use the Computer Management console in Vista Business or Ultimate editions or XP Professional to change the groups an account belongs to. By adding an account to a group, the rights and permissions assigned to that group are assigned to the account. Recall from Chapter 17 that before an account could use the Telnet service, it had to belong to the TelnetClients group. Figure 19-19 shows the Computer Management console and the Jean Andrews account being added to the TelnetClients group.

In Windows, the two terms, rights and permissions, have very different meanings when classifying user accounts and data. Rights (also called privileges) refer to the tasks an account is allowed to do in the system (for example, installing software or changing the system date and time). Permissions refer to which user accounts or groups are allowed to access data. Rights are assigned to an account, and permissions are assigned to data.

Figure 19-19 To enhance the permissions assigned to an account, add the account to a new member group. Courtesy: Course Technology/Cengage Learning

One way to manage data permissions is by creating new user groups. For example, you can create an Accounting group and a Medical Records group. It’s easier to give permission to use a certain data folder to the Accounting group than it is to give individual permission to each user in that group. User groups are created by using the Computer Management console, and the details of how to do that are covered in Chapter 20. After the group is created, you need to assign the correct data permissions to the group and add the users to that group who need those permissions to do their jobs.

CLASSIFY DATA

Folders and files stored on a workstation or server that contain user data need to be classified as to the permissions assigned to the data. These permissions include the user accounts or account groups that are authorized to read and/or change the data.

Data classification as it applies to security involves putting data into categories and then deciding how secure each category must be. Here are some general guidelines to help you understand the process of classifying data:

• Classification of data must follow any security policies with which your organization must comply. Find out who in your organization is responsible for compliance, and make sure your classification plan gets that person’s approval.
• Each data folder must have an owner who is responsible for that data and decides who else in the organization gets access. For example, the owner of the C:\Payroll folder might be the director of the Payroll Department or someone she designates.
• Based on the security needs of your organization, you might decide on categories of classifications. For example, data might be classified as public, for official use only, confidential, or top secret. Each category demands a different level of protection and security measure.
• To protect the integrity of the data, always document when the owner of a data folder asks you to give someone else access or informs you that access to a user must be revoked. Then document when you made the change in permissions.
• Don’t forget that backup media needs the same degree of protection as does the original data. When you make your backup plans, include in them how you will secure the backup media.

Here are general guidelines as to how to implement classifications of data using Windows:

• Private data for individual users is best kept in the Vista C:\Users folder or the XP C:\Documents and Settings folder for that user. User accounts with limited or standard privileges cannot normally access these folders belonging to another user account. However, accounts with administrative rights do have access.
• The Vista C:\Users\Public folder is intended to be used for folders and files that all users share.
• You can create a folder on a drive and assign share permissions to that folder and its subfolders and files. You can allow all users access or only certain users or user groups. When you assign permissions to a folder or file, you decide who can view the contents and who has the right to change the contents. For example, you might set up folders like this:
    • The C:\Accounting folder contains several folders and files. Some employees in the Accounting Department need full access to these folders. Other employees need read-only access to certain subfolders in the C:\Accounting folder.
    • The C:\Payroll folder contains sensitive data and only two employees need full access. One other person needs read-only access.
• A folder can be hidden on the network so that users cannot see the folder unless they know its name.
• A folder or file can also be encrypted, and a digital certificate is required for access.
• Passwords can be required to access shared resources.
• A computer can be locked down so that no files or folders are shared on the network. This is the desired setting when you use public networks such as a public wireless hotspot.

Notes If a Windows computer is configured to belong to a domain instead of a workgroup, all security is managed by the network administrator for the entire network.
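An added example (not from the book) that models the C:\Accounting and C:\Payroll setup as a simplified table of group and user permissions, then compares what each user can effectively do with what the folder owner has documented as approved. All user names, group names, and the two-level read/full model are constructed for illustration and are not Windows ACL semantics.

```python
"""Added example: audit folder permissions against what each folder owner approved."""

# Constructed sample data. Group names and members are hypothetical.
GROUPS = {
    "Accounting": {"alice", "bob", "carol"},
    "AccountingReaders": {"dave"},
    "Payroll": {"erin", "frank"},
}

# Permissions are assigned to data: folder -> {user or group: level}.
FOLDER_PERMISSIONS = {
    r"C:\Accounting": {"Accounting": "full", "AccountingReaders": "read"},
    # Two employees with full access, one reader, plus a stray individual grant.
    r"C:\Payroll": {"Payroll": "full", "grace": "read", "bob": "full"},
}

# The documentation the text asks you to keep: what each owner approved, per user.
OWNER_APPROVED = {
    r"C:\Accounting": {
        "alice": "full", "bob": "full", "carol": "full",
        "dave": "read", "heidi": "read",
    },
    r"C:\Payroll": {"erin": "full", "frank": "full", "grace": "read"},
}

LEVELS = {"none": 0, "read": 1, "full": 2}


def effective_access(folder, permissions=FOLDER_PERMISSIONS, groups=GROUPS):
    """Expand group grants into per-user access, keeping the highest level a
    user receives from any group or individual grant."""
    access = {}
    for principal, level in permissions[folder].items():
        # A name that is not a known group is treated as an individual user.
        members = groups.get(principal, {principal})
        for user in members:
            if LEVELS[level] > LEVELS[access.get(user, "none")]:
                access[user] = level
    return access


def audit(folder, approved=OWNER_APPROVED):
    """Compare effective access with the owner's approvals.

    Returns {"excess": [...], "missing": [...]} where each entry is
    (user, granted_level, approved_level). "excess" entries violate the
    rule of giving users only the permissions they need."""
    granted = effective_access(folder)
    wanted = approved.get(folder, {})
    excess = sorted(
        (user, level, wanted.get(user, "none"))
        for user, level in granted.items()
        if LEVELS[level] > LEVELS[wanted.get(user, "none")]
    )
    missing = sorted(
        (user, granted.get(user, "none"), level)
        for user, level in wanted.items()
        if LEVELS[level] > LEVELS[granted.get(user, "none")]
    )
    return {"excess": excess, "missing": missing}


if __name__ == "__main__":
    for folder in FOLDER_PERMISSIONS:
        result = audit(folder)
        print(folder)
        for user, granted, approved_level in result["excess"]:
            print(f"  REVOKE: {user} has {granted}, owner approved {approved_level}")
        for user, granted, approved_level in result["missing"]:
            print(f"  GRANT:  {user} has {granted}, owner approved {approved_level}")
```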

SHARING FILES AND FOLDERS

Shared folders and files might be stored on a user’s PC or on a file server that is dedicated to storing and serving up data files and folders. If the network is not being managed by a domain controller, each computer in the workgroup must share its folders, files, and printers before others on the network can access them.

In this chapter, you will learn how to share a folder or file without applying strict security measures. In Chapter 20, you will learn how to apply higher security to shared files and folders. Let’s first see how to share a file or folder and how to solve problems with sharing. Then you’ll learn how to map a network drive to make shared resources easier to access for remote users.

HOW TO SHARE A FILE OR FOLDER

Follow these steps to share a file or folder using Windows Vista:

1. Using Windows Explorer, right-click the folder or file you want to share and select Share from the shortcut menu. The File Sharing box opens (see Figure 19-20).

2. Click the down arrow to see a list of users of this computer. To allow everyone access, select Everyone (All users in this list) and click Add. (Alternately, you can select an individual user.) Whomever you add is assigned the permission level of Reader, as shown in Figure 19-21.

3. To allow the users the right to make changes to the folder, click the down arrow beside Reader. Notice the three choices of permission levels and the opportunity to remove the user from the list of users. Table 19-1 explains the meaning of the three permission levels. Select Co-owner from the shortcut menu, as shown in Figure 19-21.

4. To close the box, click Share and respond to the UAC box. Then click Done. Vista places a two-friends icon under shared folders (see Figure 19-22).

To share a folder in Windows XP, follow these steps:

1. In Windows Explorer, right-click a folder and select Sharing and Security from the shortcut menu. The Properties box opens with the Sharing tab active. Click If you understand the security risks but want to share files without running the wizard, click here. The Enable File Sharing dialog box appears. Select Just share the folder and click OK. The Sharing tab on the Properties box now has the Share this folder on the network check box available (see Figure 19-23). You only need to enable file sharing once. After that, the check box is always available.


Figure 19-20 Choose people to share the folder. Courtesy: Course Technology/Cengage Learning

Figure 19-21 Change the permission level of a user. Courtesy: Course Technology/Cengage Learning

Table 19-1 Permission levels for files and folders in Windows Vista

Permission Level    Description
Reader              Can read, but not write, to the contents of the folder and its subfolders.
Contributor         Can write files and read existing files, but cannot change existing files put there by others. Applies only to folder sharing.
Co-owner            Has full control over the folder in the same way the owner does, but is not identified as the folder owner.

Figure 19-22 The two-friends icon indicates a shared folder. Courtesy: Course Technology/Cengage Learning

Figure 19-23 A user on a network can share a folder with others on the network. Courtesy: Course Technology/Cengage Learning


2. Check Share this folder on the network. If you want to allow others to change the contents of the folder, check Allow network users to change my files. Click Apply, and close the window.

After a folder or file is shared, other users on the network can see the folder when they open the Vista Network window or XP My Network Places.

Notes When a window is open, you can press the F5 key to refresh the contents of that window.

Notes If you are responsible for protecting shared files and folders on the network, be sure you put in place a method to back up this data on a regular basis. How to perform backups is covered in Chapter 13. Also, see Chapter 20 to find out how to set up the right security measures so that shared resources are only available to the specific users who are authorized to access these resources.


Some applications can also be shared with others on the network. If you share a folder that has a program file in it, a user on another PC can double-click the program file and execute it remotely on his or her desktop. This is a handy way for several users to share an application that is installed on a single PC. However, know that not all applications are designed to work this way.

TROUBLESHOOT PROBLEMS WITH SHARED FILES AND FOLDERS

If you have problems accessing a shared resource in Vista, follow these steps:

1. Open the Network and Sharing Center (see Figure 19-24) and verify the following:

• File sharing is turned on.
• If you want to share the Public folder to the network, turn on Public folder sharing.
• If you want the added protection of requiring that all users on the network must have a valid user account and password on this computer, turn on Password protected sharing.
• If you want to share a printer connected to this PC with others on the network, turn on Printer sharing.

2. In the Network and Sharing Center, click Manage network connections. In the Network Connections window, right-click the network connection icon, select Properties from the shortcut menu, and respond to the UAC box. In the Properties dialog box, verify that File and Printer Sharing for Microsoft Networks is checked.

For Windows XP, do the following to verify that Windows components needed for sharing are installed and enabled:

1. Open the Network Connections window, right-click the connection icon (default name is Local Area Connection), and select Properties from the shortcut menu. The Local Area Connection Properties dialog box opens. See Figure 19-25.

2. Verify Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks are both checked. If you don’t see these items in the list, click Install to install them. The Select Network Component Type box appears (see the left side of Figure 19-25). Select Client, click Add, and follow the directions on-screen. When you’re done, close all windows.


Figure 19-24 Use the Network and Sharing Center to verify the computer is set to share resources. Courtesy: Course Technology/Cengage Learning

Figure 19-25 Use the Network Connections applet to install a network client, service, or protocol for Windows XP. Courtesy: Course Technology/Cengage Learning


HOW TO MAP A NETWORK DRIVE

A network drive map is one of the most powerful and versatile methods of communicating over a network. A network drive map makes one PC (the client) appear to have a new hard drive, such as drive E, that is really hard drive space on another host computer (the server). This client/server arrangement is managed by a Windows component called the Network File System (NFS), which makes it possible for files on the network to be accessed as easily as if they are stored on the local computer. NFS is a type of distributed file system (DFS), which is a system that shares files on a network. Even if the host computer uses a different OS, such as UNIX, the drive map still functions.

Using a mapped network drive, files and folders on a host computer are available even to network-unaware DOS applications. The path to a file simply uses the remote drive letter, such as drive K or drive Z, instead of a local drive, such as drive A or drive C. Also, mapped network drives are more reliable than using the Vista Network or XP My Network Places tool to access folders on the network.

Notes A computer that does nothing but provide hard drive storage on a network for other computers is called a file server or a network attached storage (NAS) device. Other computers on the network can access this storage using a mapped network drive.

Notes You might be asking why mapped network drives are more reliable than the Vista Network and XP My Network Places windows. The answer is because these windows rely on the Windows browser subsystem. These browser services (not to be confused with Web browsers, such as Internet Explorer) periodically poll the network for resources. To avoid excessive network traffic, one computer in a workgroup is designated as the master browser. (This designation happens behind the scenes without user involvement.) If this computer is down or the network resources change after the master browser polls, the other computers on the network might report wrong resources in the Network or My Network Places windows. We see the results of this problem when we know a computer is on the network, but other Network or My Network Places windows don’t report it. Mapped network drives don’t rely on browser services, and are, therefore, more reliable.

To set up a network drive, follow these steps:

1. On the host computer, share the folder or entire volume to which you want others to have access.

2. On the remote computer that will use the network drive, connect to the network and access Windows Explorer. Click the Tools menu and select Map Network Drive.

Notes By default, Vista does not show the menu bar in Windows Explorer. To display the menu, click Organize and then click Folder and Search Options. In the Folder Options box, click the View tab. Under Advanced settings, check Always show menus. Click Apply and OK to close the box.

3. The Map Network Drive dialog box opens, as shown in Figure 19-26. Select a drive letter from the drop-down list.


4. Click the Browse button and locate the shared folder or drive on the host computer (see the left side of Figure 19-26). Click OK to close the Browse For Folder dialog box, and click Finish to map the drive. The folder on the host computer now appears as one more drive in Explorer on your computer (see Figure 19-27).

Figure 19-26 Mapping a network drive to a host computer. Courtesy: Course Technology/Cengage Learning

Figure 19-27 The Documentation folder on the \\Bluelight host computer is known as Drive Z on the local computer. Courtesy: Course Technology/Cengage Learning


5. If a network drive does not work, go to the Vista Network window or XP My Network Places, and verify that the network connection is good. You can also use the net use command discussed in Chapter 18 to solve problems with network connections.

Notes When mapping a network drive, you can type the path to the host computer rather than clicking the Browse button to navigate to the host. To enter the path, in the Map Network Drive dialog box, use two backslashes, followed by the name of the host computer, followed by a backslash and the drive or folder to access on the host computer. For example, to access the Public folder on the computer named Scott, enter \\Scott\Public and then click Finish.

Tip A host computer might be in sleep mode when a remote computer attempts to make a mapped drive connection at startup. To solve this problem, change the power settings on the host computer to wake up for network activity. How to change power settings is covered in Chapter 21.

How to encrypt and hide folders and files is covered in Chapter 20. Other methods of securing the data and other resources are covered next.

ADDITIONAL METHODS TO PROTECT RESOURCES

Securing data and other computer resources might seem like a never-ending task. Come to think of it, that’s probably true. In this part of the chapter, you’ll learn even more ways to secure a computer or small network, including hardware security devices, encryption techniques, BIOS security features, locking a workstation, protecting against malicious software, and educating users to not unintentionally compromise the security measures you’ve put in place.

SECURITY DEVICES TO PROTECT DATA AND COMPUTERS

Physically protecting your computer and data might be one of the security measures you implement. Here are some suggestions:

• If your data is really private, keep it under lock and key. You can use all kinds of security methods to encrypt, password protect, and hide data, but if it really is that important, one obvious thing you can do is store the data on a removable storage device such as a flash drive and, when you’re not using the data, put the flash drive in a fireproof safe. And, of course, keep two copies. Sounds simple, but it works.
• Lock down the computer case. Some computer cases allow you to add a lock so that you can physically prevent others from opening the case (see Figure 19-28). Later in the chapter, you’ll learn that some motherboards have a BIOS feature that alerts you when an intrusion has been detected.
• Lock and chain. You can also use a lock and chain to physically tie a computer to a desk or other permanent fixture so someone can’t walk away with it. Figure 19-29 shows a cable lock system for a laptop. Most laptops have a security slot on the case to connect the cable lock.
• Theft-prevention plate. As an added precaution, physically mark a computer case or laptop so it can be identified if it is later stolen. You embed a theft-prevention plate into the case or engrave your ID information into it. The identifying numbers or bar code identify you, the owner, and can also clearly establish to police that the notebook has been stolen. Two sources of theft-prevention plates and cable locks are Computer Security Products, Inc. (www.computersecurity.com) and Flexguard Security System (www.flexguard.com). To further help you identify stolen equipment, record serial numbers and model numbers in a safe place separate from the equipment.

Figure 19-28 This computer case allows you to use a lock and key to keep intruders from opening the case. Courtesy of wesecure.com

Figure 19-29 Use a cable lock system to secure a notebook computer to a desk to help prevent it from being stolen. Courtesy of Kensington Technology Group

Notebook computers are especially susceptible to thieves. Dell recently commissioned a study that showed that 12,000 laptops are stolen each year from United States airports. They also discovered that 65 percent of business travelers have not secured the corporate data on their hard drives, and 42 percent don’t back up that data. Here are some common-sense rules to help protect your notebook:

Use one or more Windows techniques in this chapter to protect the data on your laptop hard drive. Back up that data and don’t keep the backup media in your laptop carrying case. If the case and laptop get stolen, at least you know the thief will not have easy access to your data and you have backups.

When traveling, always know where your notebook is. If you’re standing at an airport counter, tuck your notebook case securely between your ankles. At security checkpoints, pay attention to your belongings; tell yourself to stay focused. When flying, never check in your notebook as baggage, and don’t store it in airplane overhead bins; keep it at your feet.

Never leave a notebook in an unlocked car. If you leave your notebook in a hotel room, use a notebook cable lock to secure it to a table. When you’re using your notebook, always lock down Windows before you walk away from it.

Consider using laptop tracking software such as Computrace LoJack by Absolute Software (www.absolute.com). Install the software on your laptop. If the laptop is ever stolen and you report it to Absolute, the company accepts responsibility to track down the laptop. The laptop will report to Absolute the next time it connects to the Internet. Absolute then uses the information to locate the laptop and work with the police to return it to you. One feature of the software is to delete personal data on the laptop that might be used to steal your identity.

When at work, lock your notebook in a secure place or use a notebook cable lock to secure it to your desk.

ENCRYPTION TECHNIQUES

Encryption puts data into code that must be translated before it can be accessed, and can be applied in several ways. Here are some of these encryption techniques:

Encrypt folders and files in Windows. In Windows, files and folders can be encrypted using the Windows Encrypted File System (EFS). This encryption works only when using the Windows NTFS file system and the Windows Vista Ultimate and Business editions and Windows XP Professional. (Windows Vista and XP Home editions do not provide encryption.) If a folder is marked for encryption, every file created in the folder or copied to the folder will be encrypted. Encryption can apply only to this top-level folder, or it can apply to all subfolders in a folder (called inherited encryption). You can also encrypt individual files. Encrypting at the folder level in Windows is considered a best practice because it provides greater security: Any file placed in an encrypted folder is automatically encrypted so you don’t have to remember to encrypt it. An encrypted file remains encrypted if you move it from an encrypted folder to an unencrypted folder on the same or another NTFS logical drive. A user does not have to go through a complex process of encryption to use EFS; from a user’s perspective, it’s just a matter of placing a file into a folder marked for encryption. In Windows Explorer, encrypted file and folder names are displayed in green.

Encrypt an entire hard drive. BitLocker Encryption in Windows Vista Ultimate and Enterprise editions locks down a hard drive by encrypting the entire Vista volume and any other volume on the drive. It’s a bit complicated to set up and has some restrictions that you need to be aware of before you decide to use it. It is intended to work in partnership with file and folder encryption to provide data security.

Encrypt wireless networks. In Chapter 18, you learned how to set up a wireless network to use encryption. Recall from that chapter that wireless networks use WEP, WPA, or WPA2 encryption technologies. Also recall from Chapter 18 that another popular method to secure a wireless network is to change the name of the SSID and disable broadcasting that name.

Encryption used by a VPN. Recall that a virtual private network (VPN) encrypts all transmissions to and from the client and the VPN server inside a corporate network. A VPN is considered a best practice to secure data and other network resources for those employees who travel or work from home or for trusted contractors.

Embedded encryption in devices. Some devices such as laptops, USB flash drives, and external hard drives have built-in encryption features.

Other secured connections used for data transmissions. Besides a VPN with a corporate network, many Web sites use secure connections to transmit sensitive data. Recall from Chapter 17 that one secure protocol used is HTTPS. You can use a similar encryption technique to encrypt your e-mail transmissions. To do that, you can download encryption software and install it into your e-mail client software. Most encryption software products use a method called Public Key Encryption, which is explained in Figure 19-30. Before you can send an encrypted message to someone, that person must first make available to you her public key. Note, however, that only she has the private key that is used to decrypt the message. Encryption software must be installed on both the sender’s and receiver’s e-mail client. One popular encryption software product is PGP (which stands for Pretty Good Privacy) by PGP Corporation (na.store.pgp.com/desktop_email.html). Encrypting Web site and e-mail transmissions usually involves using a digital certificate. Using a digital certificate ensures that you are who you say you are, and that someone else has not intercepted your transmission and is spoofing you (pretending to be you). Digital certificates are transported over the Internet and verified using PKI (Public-key Infrastructure) standards.

Figure 19-30 Public key encryption uses two keys: the recipient’s public key to encrypt the message and her private key to decrypt it. Steps shown: (1) Requests public key; (2) Public key sent; (3) Message is encrypted using recipient’s public key; (4) Encrypted message sent; (5) Recipient uses private key to decode message. Courtesy: Course Technology/Cengage Learning
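The five steps of Figure 19-30 can be traced in a short Python sketch; this is an added example, not code from the book or from PGP. It uses textbook RSA with two fixed, well-known primes and no padding (assumptions chosen so the run is repeatable), which shows which key does what but is not suitable for protecting real mail.

```python
"""Walk-through of the five steps in Figure 19-30 (added example).

Textbook RSA, fixed primes, no padding: good for seeing the roles of the
two keys, not for real use. Real products use large random keys and padding.
"""
from math import gcd

# Two known Mersenne primes, fixed so the demo is repeatable (assumption).
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # widely used public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    """Step 3: the sender encrypts with the recipient's PUBLIC key."""
    e, n = public_key
    max_len = (n.bit_length() - 1) // 8
    if len(message) > max_len:
        raise ValueError(f"message longer than {max_len} bytes for this key")
    return pow(int.from_bytes(message, "big"), e, n)


def decrypt(key, ciphertext: int) -> bytes:
    """Step 5: only the matching PRIVATE key recovers the message."""
    exponent, n = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def exchange(message: bytes):
    """Run steps 1-5 and return (wire traffic, recipient's result, eavesdropper's result)."""
    # The recipient creates her key pair; the private key never leaves her PC.
    recipient_public, recipient_private = make_keypair()

    # Steps 1-2: sender requests the public key and the recipient sends it.
    wire = [("recipient->sender", "public key", recipient_public)]

    # Steps 3-4: sender encrypts with that public key and sends the result.
    ciphertext = encrypt(recipient_public, message)
    wire.append(("sender->recipient", "ciphertext", ciphertext))

    # Step 5: recipient decrypts with her private key.
    received = decrypt(recipient_private, ciphertext)

    # Someone watching the wire holds only the public key and the ciphertext;
    # using the public key a second time does not undo the encryption.
    eavesdropped = decrypt(recipient_public, ciphertext)
    return wire, received, eavesdropped


if __name__ == "__main__":
    wire, received, eavesdropped = exchange(b"Meet at 3pm")
    for direction, label, _ in wire:
        print(f"{direction}: {label}")
    print("recipient reads:", received)
    print("eavesdropper recovers the message:", eavesdropped == b"Meet at 3pm")
```

Everything in `wire` is visible to anyone on the network, which is why the public key can be handed out freely while the private key must stay with its owner.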


USE BIOS FEATURES TO PROTECT THE SYSTEM

Many motherboards for desktop and laptop computers offer several BIOS features designed to secure the system. Here is a quick summary of these methods:

Power-on passwords. Earlier in the chapter, you learned about these passwords kept in CMOS RAM. They are set in BIOS setup and used to limit who can use the system or access BIOS setup.

Drive lock password protection. Recall that some motherboards and hard drives allow you to set a password that must be entered before someone can access the hard drive. This password is kept on the drive and works even if the drive is moved to another computer. Some manufacturers of storage media offer similar products. For example, Seagate (www.seagate.com) offers Maxtor BlackArmor, a technology that encrypts an entire external storage media that is password protected.

Notes Drive lock password protection might be too secure at times. I know of a situation where a hard drive with password protection became corrupted. Normally, you might be able to move the drive to another computer and recover some data. However, this drive asked for the password, but then could not confirm it. Therefore, the entire drive was inaccessible and all data was lost.

TPM (Trusted Platform Module) chip. Many high-end computers have a chip on the motherboard called the TPM (Trusted Platform Module) chip. BitLocker is designed to work with this chip; the chip holds the BitLocker encryption key (also called the startup key). A notebook might be secured to a table or other fixture with a lock and chain. Even though a thief cannot steal the notebook, it’s still possible to quickly remove the hard drive. If the hard drive is stolen from the notebook and installed in another computer, the data would be safe because BitLocker would not allow access without the startup key stored on the TPM chip. Therefore, this method assures that the drive cannot be used in another computer. However, if the motherboard fails and is replaced, you’ll need a backup copy of the startup key to access data on the hard drive.

A+ Exam Tip The A+ 220-701 Essentials exam expects you to know about these BIOS security features: passwords, drive lock, TPM, and intrusion detection.

Intrusion detection. A motherboard BIOS feature used primarily with servers is intrusion detection. A sensor device is installed inside the computer case and connected to a header (group of pins) on the motherboard. When the case cover is removed, the device sends an alert (called an interrupt), and BIOS records the event. If the power is turned off when the event occurs, the event is still recorded in BIOS. The sensor device can work by a switch or magnet that detects the cover is removed or a light sensor that detects light inside the case when the case is opened. Take a look at Figure 19-9, shown earlier in the chapter, where you can see the option to disable or enable Chassis Intrusion in BIOS setup. To use the intrusion detection feature on this system, Chassis Intrusion must be enabled.

Boot sector protection for the hard drive. When you enable this protection, a boot sector virus cannot write to this sector. Figure 19-10, shown earlier in the chapter, shows the option enabled. Recall that the boot sector must be healthy if the hard drive is bootable. However, before you upgrade your OS, such as when you upgrade Windows Vista to Windows 7, be sure to enable writing to the boot sector, which the OS setup will want to do.


LOCK A WORKSTATION

To keep a system secure, users need to practice the habit of locking down their workstation each time they step away from their desks. The quickest way to do this is to press the Windows key and L. Another method is to press Ctrl-Alt-Del. If the user is already logged on when she presses these keys, the login screen in Figure 19-31 appears for Vista. When the user clicks Lock this computer, Windows locks down. To unlock Windows, the user must enter her password. For this method to be effective, all user accounts need a password. You can use Group Policy to make passwords a requirement.

Figure 19-31 Results of pressing Ctrl-Alt-Del when a user is already logged on. Courtesy: Course Technology/Cengage Learning

Also recall that when the system is powered down, power-on BIOS passwords can be required before the system can be used. For best security, use both hardware and software methods to lock a workstation.

PROTECT AGAINST MALICIOUS SOFTWARE

Malicious software, also called malware, or a computer infestation, is any unwanted program that means you harm and is transmitted to your computer without your knowledge. Grayware is any annoying and unwanted program that might or might not mean you harm. Many types of malware and grayware have evolved over the past few years, such as adware, spyware, and worms, and there is considerable overlap in what they do, how they spread, and how to get rid of them. In this part of the chapter, you’ll learn about the different types of malware and grayware and how to protect a system from infection. In the next chapter, you’ll learn how to clean up an infected system.

Notes Malicious software is designed to do varying degrees of damage to data and software, although it does not damage PC hardware. However, when boot sector information is destroyed on a hard drive, the hard drive can appear to be physically damaged.


WHAT ARE WE UP AGAINST?

You need to know your enemy! Different categories of malicious software and scamming techniques are listed next:

A virus is a program that replicates by attaching itself to other programs. The infected program must be executed for a virus to run. The program might be an application, a macro in a document, a Windows system file, or one of the small programs at the beginning of the hard drive needed to boot the OS. (These programs are called the boot sector program and the master boot program.) The damage a virus does ranges from minor, such as displaying bugs crawling around on a screen, to major, such as erasing everything written on a hard drive or stealing your credit card information. The best way to protect against viruses is to always run antivirus (AV) software in the background.

Adware produces all those unwanted pop-up ads. Adware is secretly installed on your computer when you download and install shareware or freeware, including screen savers, desktop wallpaper, music, cartoons, news, and weather alerts. Then it displays pop-up ads which might be based on your browsing habits (see Figure 19-32). Sometimes when you try to uninstall adware, it deletes whatever it was you downloaded that you really wanted to keep. And sometimes adware is also spying on you and collecting private information.

Figure 19-32 This pop-up window is luring the user to take the bait. Courtesy: Course Technology/Cengage Learning

Spyware is software that installs itself on your computer to spy on you and to collect personal information about you that it transmits over the Internet to Web-hosting sites. These sites might use your personal data in harmless or harmful ways such as tailoring marketing information to suit your shopping habits, tracking marketing trends, or stealing your identity for harm. Spyware comes to you by way of e-mail attachments, downloaded freeware or shareware, instant messaging programs, or when you click a link on a malicious Web site.

A+ Exam Tip The A+ 220-701 Essentials exam expects you to know about viruses, Trojans, worms, spam, spyware, adware, and grayware and summarize security features to protect against them.


A keylogger tracks all your keystrokes, including passwords, chat room sessions, e-mail messages, documents, online purchases, and anything else you type on your PC. All this text is logged to a text file and transmitted over the Internet without your knowledge. A keylogger is a type of spyware that can be used to steal a person’s identity, credit card numbers, Social Security number, bank information, passwords, e-mail addresses, and so forth.

A worm is a program that copies itself throughout a network or the Internet without a host program. A worm creates problems by overloading the network as it replicates. Worms cause damage by their presence rather than by performing a specific damaging act, as a virus does. A worm overloads memory or hard drive space by replicating repeatedly. When a worm (for example, Sasser or W32.Sobig.F@mm) is loose on the Internet, it can cause damage such as sending mass e-mailings. The best way to protect against worms is to use a firewall. Antivirus software also offers protection.

A browser hijacker, also called a home page hijacker, does mischief by changing your home page and other browser settings. Figure 19-33 shows Internet Explorer after a user tried to install a free game downloaded from the Internet. The program installed two new toolbars in his browser and changed his home page. Browser hijackers can set unwanted bookmarks, redirect your browser to a shopping site when you type in a wrong URL, produce pop-up ads, and direct your browser to Web sites that offer pay-per-view pornography.

Figure 19-33 Internet Explorer with toolbars installed and home page changed. Courtesy: Course Technology/Cengage Learning

Spam is junk e-mail that you don’t want, you didn’t ask for, and that gets in your way.

A virus hoax or e-mail hoax is e-mail that does damage by tempting you to forward it to everyone in your e-mail address book, with the intent of clogging up e-mail systems or tempting you to delete a critical Windows system file by convincing you the file is malicious. Also, some e-mail scam artists promise to send you money if you’ll circulate their e-mail messages to thousands of people. I recently received one that was supposedly promising money from Microsoft for “testing” the strength of the Internet e-mail system. Beware! Always check Web sites that track virus hoaxes before pressing that Send button! Your AV software Web site most likely keeps a database of virus hoaxes. Here are some other good sites to help you debunk a virus hoax:

• www.hoaxkill.com by Oxcart Software

• www.snopes.com by Barbara and David Mikkelson

• www.viruslist.com by Kaspersky Lab

• www.vmyths.com by Rhode Island Soft Systems, Inc.

When you get a hoax, if you know the person who sent it to you, do us all a favor and send that person some of these links!

Phishing (pronounced “fishing”) is a type of identity theft where the sender of an e-mail message scams you into responding with personal data about yourself. The scam artist baits you by asking you to verify personal data on your bank account, ISP account, credit card account, or something of that nature. Often you are tricked into clicking a link in the e-mail message, which takes you to an official-looking site complete with corporate or bank logos where you are asked to enter your user ID and password to enter the site.

Scam artists use scam e-mail to lure you into their scheme. One scam e-mail I recently received was supposedly from the secretary of a Russian oil tycoon who was being held in jail with his millions of dollars of assets frozen. If I would respond to the e-mail and get involved, I was promised a 12 percent commission to help recover the funds.

A logic bomb is dormant code added to software and triggered at a predetermined time or by a predetermined event. For instance, an employee might put code in a program to destroy important files if his or her name is ever removed from the payroll file.

A Trojan horse does not need a host program to work; rather, it substitutes itself for a legitimate program. In most cases, a user launches it thinking she is launching a legitimate program. Figure 19-34 shows a pop-up that appears when you’re surfing the Web. Click OK and you might introduce a Trojan into your system. A Trojan is likely to introduce one or more viruses into the system. These Trojans are called downloaders. A Trojan sometimes installs a backdoor in the system, which is a hidden way to allow malware to reach the system in secret even after the Trojan has been removed.

Figure 19-34 Clicking an action button on a pop-up window might invite a Trojan into your system. Courtesy: Course Technology/Cengage Learning


Last year, I got fooled with a Trojan when I got an e-mail message near the actual date of my birthday from someone named Emilia, whom I thought I knew. Without thinking, I clicked the link in the e-mail message to “View my birthday card to you.” Figure 19-35 shows what happened when I clicked.

A virus attacks your computer system and hides in several different ways. A boot sector virus can hide in either of two boot sectors of a hard drive. It can hide in the master boot program, which is the boot program in the very first 512-byte sector of a hard drive called the master boot record (MBR). A boot sector virus can also hide in the OS boot program of a hard drive, floppy disk, or other boot media. Recall that the OS boot program is stored in the first sector of the volume on which Windows is installed, called the active partition. For most hard drives, this OS boot sector is the second sector on the drive, following the MBR.
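Because the master boot program sits in one fixed 512-byte sector, a copy of that sector can be compared against a recorded baseline. The Python sketch below is an added example, not from the book; it assumes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, and a closing 0x55AA signature) and works on a constructed sample sector rather than a real disk.

```python
"""Baseline check for a 512-byte master boot record (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # master boot program: bytes 0-445
ENTRY_LEN = 16             # four partition-table entries follow the code
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, count
SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR
ACTIVE_FLAG = 0x80         # status byte of the active (bootable) partition


def build_sample_mbr() -> bytes:
    """Constructed sector: dummy boot code plus one active partition."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FORMAT, ACTIVE_FLAG, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (3 * ENTRY_LEN)
    return boot_code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the partition entries that are in use."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[-2:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        start = BOOT_CODE_LEN + slot * ENTRY_LEN
        status, _, ptype, _, first_lba, count = struct.unpack(
            ENTRY_FORMAT, sector[start:start + ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": slot + 1,
                               "active": status == ACTIVE_FLAG,
                               "type": ptype,
                               "first_sector": first_lba,
                               "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """List what differs from the state recorded when the disk was known good."""
    findings = []
    info = parse_mbr(sector)
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("master boot program differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected 1 active partition, found {len(active)}")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    changed = bytearray(clean)
    changed[100] ^= 0xFF  # simulate one altered byte in the boot code
    print("clean sector:  ", check_against_baseline(clean, baseline))
    print("changed sector:", check_against_baseline(bytes(changed), baseline))
```

An OS installation or upgrade legitimately rewrites this sector, so the baseline has to be recorded again after one.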

A file virus hides in an executable program having an .exe, .com, .sys, .vbs, or other executable file extension, or in a word-processing document that contains a macro. A multipartite virus is a combination of a boot sector virus and a file virus and can hide in either. A macro is a small program contained in a document that can be automatically executed either when the document is first loaded or later by pressing a key combination. For example, a word-processing macro might automatically read the system date and copy it into a document when you open the document. Viruses that hide in macros of document files are called macro viruses. Macro viruses are the most common viruses spread by e-mail, hiding in macros of attached document files. A script virus is a virus that hides in a script, which might execute when you click a link on a Web page or in an HTML e-mail message or when you attempt to open an e-mail attachment.

Figure 19-35 A Trojan can get in when you click a link in an e-mail message. Courtesy: Course Technology/Cengage Learning


One type of malware, called a rootkit, loads itself before the OS boot is complete. Because it is already loaded when the AV software loads, it is sometimes overlooked by AV software. In addition, a rootkit hijacks internal Windows components so that it masks information Windows provides to user mode utilities such as Task Manager, Windows Explorer, the registry editor, and AV software. This helps it remain undetected. Rootkits can also install a backdoor (called a backdoor rootkit) that can be used by malware or hackers to secretly gain access even after the rootkit has been cleaned from the system. Using a backdoor, a hacker can sometimes hijack the system, gaining full control of it.

HOW TO PROTECT AGAINST MALICIOUS SOFTWARE

The best practices you need to follow to protect a system against malicious software and other grayware are listed next. The first three methods are the most important ones:

Always use a software firewall. Never, ever connect your computer to an unprotected network without using a firewall. Recall that Windows Firewall can be configured to allow no uninvited communication in or to allow in the exceptions that you specify (see Figure 19-36).

Figure 19-36 A software firewall protecting a computer. Labels in the figure: Network, Firewall, Port Services, Chat. Speech balloons: “I have a message for Port 194.” and “We didn’t ask for that. No exceptions!” Courtesy: Course Technology/Cengage Learning

Use antivirus (AV) software. As a defensive and offensive measure to protect against malicious software, install and run antivirus (AV) software and keep it current. Configure the AV software so that it automatically downloads updates to the software and runs in the background. To be effective, AV software must be kept current and must be turned on. Set the AV software to automatically scan incoming e-mail attachments.

Use the Vista UAC box. The UAC box is one of your best defenses against malware installing itself. When software attempts to install in Vista, the UAC box appears. If you don’t respond to the box, Windows aborts the installation.

Notes Even with Windows Firewall, Microsoft still recommends that you use a hardware firewall to protect your system from attack. Software firewalls are better than no firewall at all, but a hardware firewall offers greater protection.


Limit the use of administrator accounts. If malware installs itself while you’re logged on as an administrator, it will most likely be running under this account with more privileges and the ability to do more damage than if you had been logged on under a less powerful account. Use an account with lesser privileges for your everyday normal computer activities.

Set Internet Explorer for optimum security. Internet Explorer includes the pop-up blocker, the ability to manage add-ons, the ability to block scripts and disable scripts embedded in Web pages, and the ability to set the general security level. Figure 19-37 shows the Internet Options window where many of these options are configured. For most Web browsing, set the security level to Medium-high, as shown in the figure. Also consider updating IE to the latest version because later versions are likely to have enhanced security features.

Figure 19-37 Control security settings for Internet Explorer. Courtesy: Course Technology/Cengage Learning

Use alternate client software. Using alternate client software, including browsers and e-mail clients, can give you an added layer of protection from malicious software that targets Microsoft products. Firefox by Mozilla (www.mozilla.org) is an excellent browser, and Thunderbird, also by Mozilla, is a popular e-mail client. Some people even use a different OS than Windows because of security issues.

Notes You might want to also consider using an alternate e-mail address. When you have to give an e-mail address to companies that you suspect might sell your address to spammers, use a second e-mail address that you don’t use for normal e-mailing.


Keep good backups. One of the more important chores of securing a computer is to prepare in advance for disaster to strike. One of the most important things you can do to prepare for disaster is to make good backups of user data.

EDUCATE USERS

Generally speaking, the weakest link in setting up security in a computer environment is people. That’s because people can often be tricked into giving out private information. Even with all the news and hype about identity theft and criminal Web sites, it’s amazing how well these techniques still work. Many users naively download a funny screen saver, open an e-mail attachment, or enter credit card information into a Web site, without regard to security. In the computer arena, social engineering is the practice of tricking people into giving out private information or allowing unsafe programs into the network or computer.

A good support technician is aware of the criminal practices used, and is able to teach users how to recognize this mischief and avoid it. Here is a list of important security measures that users need to follow:

Never give out your passwords to anyone, not even a supervisor or tech support person who calls and asks for it. These people should know how to access the system without passwords that belong to someone else. Also, don’t give out your account names. These account names are usually easy to guess, but, still, you shouldn’t compromise them by giving them to others.

Don’t store your passwords on a computer. Some organizations even forbid employees from writing down their passwords.

Don’t use the same password on more than one system (computer, network, or application).

Lock down your workstation each time you step away from your desk. Here are some ways to do that:

• Press the Windows key and L (the quickest method).

• Press Ctrl-Alt-Del and choose Lock this computer from the menu.

• For Vista, click Start and the lock icon (see Figure 19-38).

• For Vista, put the system into a sleep state. One way to do that is to use the sleep button shown in Figure 19-38. (You must enter a password to take Vista out of the sleep state.)

• Power down the system when you leave for the day.

Figure 19-38 Use the Vista Start menu to lock a computer. Callouts in the figure: Sleep button, Lock button. Courtesy: Course Technology/Cengage Learning

Beware of social engineering techniques. Don’t be fooled by phishing techniques such as the e-mail shown in Figure 19-39. When the user who received this e-mail scanned the attached file using antivirus software, the software reported the file contained a Trojan program (see Figure 19-40).


Figure 19-39 This phishing technique using an e-mail message with an attached file is an example of social engineering. Courtesy: Course Technology/Cengage Learning

Figure 19-40 Antivirus software that scanned the attachment reports a Trojan. Courtesy: Course Technology/Cengage Learning


Exercise good judgment when using the Internet, so that you don’t compromise security. Here are six rules that can help you use the Internet responsibly:

• Don’t open e-mail attachments without scanning them for viruses first. In fact, if you don’t know the person who sent you the attachment, save yourself a lot of trouble and just delete it without opening it.

• Don’t click links inside e-mail messages. These links might contain a malicious script. For example, you receive spam in your e-mail, open it, and click the link “Remove me” to supposedly get removed from the spam list. However, by doing so, you spread a virus or worm, or install adware onto your PC. Also, a link that appears to contain a URL might actually contain a script. For example, the e-mail text, “Click www.symantec.com to read about the latest virus attack,” appears to have a link to the Symantec Web site, but rather points to www.symantec.com.vbs, which is a script embedded in the e-mail message. To keep the script from running, copy and paste the link to your browser address bar instead.

• Don’t forward an e-mail message without first checking to see if that warning is a hoax. Save us all the time of having to delete the thing from our Inbox.

• Always check out a Web site before you download anything from it. Freeware isn’t so free if you end up with an infected computer. Only download from trusted sites. Free music and video sites are notorious for distributing malware.

• Never give your private information to just any ole Web site. Use a search engine and search for information about a site before you trust it with your identity.

• Never trust an e-mail message asking you to verify your private data on a Web site with which you do business. If you receive an e-mail that looks like it came from your bank, your PayPal account, or your utility company, don’t click those links in that message. If you think it might be legitimate, open your browser, type in the link to the business’s Web site, and check out the request.

PERFORM ROUTINE SECURITY MAINTENANCE

When you are responsible for the security of a computer or small network, make it a habit to check every computer for which you are responsible each month. You can use the following checklist. However, know that routine maintenance tends to evolve over time based on an organization’s past problems that might need special attention. Start with this list and then add to it as the need arises:

1. Change the administrator password. (Use a strong password.)

2. Check that Windows Automatic Updates is turned on and working. For applications that users routinely rely on, you might also download and install any critical or optional updates.

3. Check that AV software is installed and current. If you are running antiadware software, also verify that it is running and current.

A+ Tip The A+ 220-701 Essentials exam expects you to be aware of social engineering situations that might compromise security.


4. Verify that Windows Firewall is turned on. Also, verify that port security is set so that only the exceptions made to open ports are those the users of this computer need to do their jobs.

5. If you are the only user with administrative privileges of this computer, verify that Windows settings are as you intend. For example, check that important folders are shared and encrypted as you set them and that only authorized software is installed.

6. Visually check the equipment to make sure the case has not been tampered with. Is the lock secure?

7. Check Event Viewer. Take a look at the Security list, looking for failed attempts to access the system.

8. Verify that user backups of data are being done and current backups of data exist. Also verify that System Protection is set to automatically create restore points.

9. If you find you must replace storage media, don’t forget to destroy all data on the media before you throw it away. If a computer is changing users or you are moving a hard drive from one computer to another, be sure to wipe clean all data on the drive. Most hard drive manufacturers offer a zero-fill utility for this purpose. The utility overwrites every sector of the drive with zeros. Recall from Chapter 11 that this method works for normal security within an organization. However, if you need to destroy data so that expert criminals can’t recover destroyed, deleted, or overwritten data, you’ll need to use stronger methods like those discussed in Chapter 11.

10. Document your monthly maintenance and note anything unusual that you see or must change.
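Step 7 of the checklist is easier to do every month when the Security log is summarized rather than read entry by entry. The Python below is an added example, not from the book. It assumes the log was exported as XML on Windows Vista or later (for instance with `wevtutil qe Security /f:xml`), where a failed logon is recorded as event ID 4625; the sample events, the threshold and the function names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILED_LOGON = "4625"  # "An account failed to log on" (assumes Windows Vista or later)


def failed_logons(xml_text):
    """Yield (time, account, source address) for each failed-logon event."""
    # An export can be a bare run of <Event> elements, so wrap it in a single root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for event in root.iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", "", NS).strip() != FAILED_LOGON:
            continue
        created = event.find("e:System/e:TimeCreated", NS)
        when = created.get("SystemTime", "") if created is not None else ""
        data = {d.get("Name"): (d.text or "")
                for d in event.iterfind("e:EventData/e:Data", NS)}
        yield when, data.get("TargetUserName", ""), data.get("IpAddress", "-")


def repeated_failures(xml_text, threshold=3):
    """Return {account: count} for accounts with at least `threshold` failed logons."""
    counts = Counter(account.lower() for _, account, _ in failed_logons(xml_text))
    return {account: n for account, n in counts.items() if n >= threshold}


def _event(event_id, when, user, address):
    """Build one constructed <Event> record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>%s</EventID><TimeCreated SystemTime="%s"/></System>'
        '<EventData><Data Name="TargetUserName">%s</Data>'
        '<Data Name="IpAddress">%s</Data></EventData></Event>'
    ) % (event_id, when, user, address)


# Constructed sample: four failures for Administrator, one for jsmith,
# and one successful logon (4624) that must be ignored.
SAMPLE_EXPORT = "".join([
    _event(4625, "2010-03-01T02:14:05Z", "Administrator", "192.0.2.10"),
    _event(4625, "2010-03-01T02:14:09Z", "Administrator", "192.0.2.10"),
    _event(4625, "2010-03-01T02:14:12Z", "administrator", "192.0.2.10"),
    _event(4624, "2010-03-01T08:01:44Z", "jsmith", "-"),
    _event(4625, "2010-03-02T08:03:10Z", "jsmith", "-"),
    _event(4625, "2010-03-03T02:20:31Z", "Administrator", "192.0.2.10"),
])

if __name__ == "__main__":
    for when, account, address in failed_logons(SAMPLE_EXPORT):
        print(when, account, address)
    print("Accounts to note in the monthly record:", repeated_failures(SAMPLE_EXPORT))
```

A single mistyped password, such as the one jsmith failure in the sample, stays below the threshold, while the repeated failures against the administrator account are reported for the monthly record in step 10.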

As a part of managing the security of a computer or network, your organization might make you accountable for filling out an incident report of unusual or atypical events. Incidents that you might be expected to report can include an attempt at breaking in to a secured computer or network, a break in security, an accident, lost or damaged property, a reported hazard, an activated alarm, unauthorized changes to a system or its data, or other such events. Reasons for incident reporting include the need for others to respond to an incident, the need to know about a security weakness or loophole that can be plugged, the need to be aware of trends in problems over the entire organization, and legal concerns.

For large networks, a computerized incident reporting tool is most likely already in place and your responsibility might be to learn how to use it, to know your user account and password to the system, and to make sure you report all incidents in a timely manner. On the other hand, old-fashioned paper reporting might be used. Either way, the incident-reporting forms will most likely include your name, job title, contact information, and a full description of the incident. The description might include the system or systems affected, the people involved, the resulting damage, and whether the problem is resolved or still active. Also included might be your recommendations or actions to resolve the problem.

>> CHAPTER SUMMARY

Compliance with de facto or legal security policies might be required for a company or professional to do business. Ignorance of legal security requirements is not an excuse that will justify noncompliance.

Implemented security measures must balance between protection (keeping resources safe) and functionality (not hindering workers doing their jobs).


Controlling access to secured resources uses two techniques: authentication and authorization. Authentication proves a person or program is who they say they are. Authorization includes classifying users and data and deciding which users have access to which data resources.

BIOS on the motherboard can be used to set power-on passwords and drive lock passwords to authenticate users.

Other methods to authenticate users include Windows logon passwords, smart cards, and biometric data. Biometric data is not considered as secure as passwords and smart cards.

Strong passwords are passwords that are not easy to guess.

Windows Vista classifies user accounts as administrative accounts, standard accounts, and guest accounts. Windows XP uses these classifications: administrative accounts, limited accounts, power user accounts, backup operator accounts, and guest accounts. The account type determines the rights assigned to the user. These rights can be increased by adding the account to a new user group.

When classifying data, consider the security policies with which your organization must comply, who owns each data folder, and categories of classifications. Don’t forget to classify and protect backup media just as you would the original data.

Security devices used to protect data and computers include fireproof safes, locks and chains, and theft-prevention plates.

Encryption is putting data into code that cannot be read without a key to that code. Encryption techniques are encrypting files and folders in Windows, BitLocker Encryption to encrypt a hard drive, wireless network encryption (WEP, WPA, and WPA2), VPNs, and encrypting e-mail and Web site transmissions. This last type of encryption usually involves a digital certificate. The digital certificate proves that someone is who they say they are.

Security features used by BIOS include power-on passwords, drive lock passwords, TPM chips, intrusion detection, and boot sector protection. The TPM chip is used to hold the encryption key for Windows Vista BitLocker Encryption.

You can lock down a workstation using Windows. Press the Windows key and L, and then a password is required to continue using Windows. When you first turn on a computer, BIOS power-on passwords can also be used to lock down the system.

Malicious software or grayware can include viruses, adware, spyware, keyloggers, worms, browser hijackers, spam e-mail, virus hoax e-mail, scam e-mail, logic bombs, and Trojans. Phishing techniques can be used to lure you into downloading or opening a malicious program.

Techniques to protect against malware or grayware include firewalls, antivirus software, the Vista UAC box, limiting the use of the administrator account, Internet Explorer security settings, using alternate e-mail and browser software, and keeping good backups.

Users need to know how to protect passwords, lock a workstation, and avoid social engineering attempts.

When you are responsible for the security of a system, check security settings and software monthly and know how to report an incident if security is threatened.


>> KEY TERMS

administrator account, adware, antivirus (AV) software, authentication, authorization, backdoor, backup operator, BitLocker Encryption, boot sector virus, browser hijacker, CHAP (Challenge Handshake Authentication Protocol), data classifications, digital certificate, drive lock password, Encrypted File System (EFS), encryption, file virus, grayware, guest account, incident report, infestation, Kerberos, key fob, keylogger, limited account, logic bomb, macro, macro viruses, malicious software, malware, multipartite virus, network drive map, passphrase, password reset disk, permissions, phishing, PKI (Public-key Infrastructure), power user account, Public Key Encryption, rootkit, scam e-mail, script virus, smart card, smart card reader, social engineering, spam, spyware, standard account, strong password, TPM (Trusted Platform Module) chip, Trojan horse, virus, virus hoax, worm, zero-fill utility

For explanations of key terms, see the Glossary near the end of the book.

>> REVIEWING THE BASICS

1. What industry is required by law to use the HIPAA security standards?

2. Classifying the rights assigned to a computer user depends on what one factor?

3. What applet in the XP Control Panel is used to reset a password?

4. What must a user do in order to use his password reset disk to log onto Windows?

5. Name three types of passwords that can be set in BIOS setup.

6. What is the default encryption protocol that Windows uses when sending an account name and password to a domain controller for validation?

7. What is the name for a small device that contains authentication information keyed into a logon window to gain access to a network?

8. What is the purpose of a digital certificate?

9. Who assigns a digital certificate?

10. Why is the name of your pet not a strong password?

11. In what situation might a blank password be better than an easy-to-guess password?

12. Which has more rights, a standard account or a guest account?

13. What folder in Vista is intended to be used for folders and files that all users share?

14. What file system must be used in order to encrypt folders and files in Windows Vista or XP?

15. What Vista tool can be used to encrypt an entire hard drive?

16. What is the purpose of the TPM chip on a motherboard?

17. What is the quickest way to lock down a Windows workstation?

18. Which type of malware can copy itself over a network without involving a host program?

19. Which type of malware substitutes itself for a legitimate program?

20. Why is it important to not click a link in an e-mail message from someone you don’t know?

>> THINKING CRITICALLY

1. If you have Windows Firewall set not to allow any exceptions and keep all ports closed, which of the following activities will be allowed, and which will not be allowed? Explain your answer.

a. You receive e-mail.

b. You receive an MSN Messenger notice that a friend wants to have a chat session with you.

c. Your antivirus software informs you a new update has just been downloaded and installed.

d. You log into the computer from a remote location on the Internet using Remote Desktop.

2. Your organization has set up three levels of data classification accessed by users on a small network:

• Low security: Data in the C:\Public folder.

• Medium security: Data in a shared folder that some, but not all, user groups can access.

• High security: Data in a shared and encrypted folder that requires a password to access. The folder is shared only to one user group.

Classify each of the sets of data:

a. Directions to the company Fourth of July party

b. Details of an invention made by the company president that has not yet been patented

c. Resumes presented by several people applying for a job with the company

d. Payroll spreadsheets

e. Job openings at the company

3. You work in the Accounting Department and have been using a network drive to post Excel spreadsheets to your workgroup file server as you complete them. When you attempt to save a spreadsheet to the drive, you see the error message: “You do not have access to the folder ‘J:\’. See your administrator for access to this folder.” What should you do first? Second? Explain the reasoning behind your choices.

a. Ask your network administrator to give you permission to access the folder.

b. Check the Network window to verify that you can connect to the network.

c. Save the spreadsheet to your hard drive.

d. Using Windows Explorer, remap the network drive.

e. Reboot your PC.

>> HANDS-ON PROJECTS

PROJECT 19-1: E-Mail Hoax

Search through your spam and junk mail for an e-mail you think might be a hoax. (Please don’t click any links or open any attachments as you search.) Using the Web sites listed earlier in the chapter for debunking virus hoaxes, search for information about this potential hoax. You might need to enter the subject line in the e-mail message into a search box on the Web site.

PROJECT 19-2: Using Firefox

Go to the Mozilla Web site (www.mozilla.org) and download and install Firefox. Use it to browse the Web. How does it compare to Internet Explorer? What do you like better about it? What do you not like as well? When might you recommend to someone that they use Firefox rather than Internet Explorer? Also, download the FoxFilter plug-in from www.mozilla.org and install it. What are the differences between FoxFilter and the IE content filter?

PROJECT 19-3: Using a Port Scanner

Port scanning software can be used to find out how vulnerable a computer is with open ports. This project will require the use of two computers on the same network to practice using port scanning software. Do the following:

1. Download and install Advanced Port Scanner by Famatech at www.radmin.com on Computer 1.

2. On Computer 2, make sure that Windows Firewall is turned on and that the Block all incoming connections box is checked. Also, disable any third-party personal firewalls.

3. On Computer 1, start Advanced Port Scanner and make sure that the range of IP addresses includes the IP address of Computer 2. Then click Scan.

4. Browse the list and find Computer 2. List the number and purpose of all open ports found on your Computer 2.

5. On Computer 2, turn Windows Firewall off.

6. On Computer 1, rescan and list the number and purpose of each port now open on Computer 2.

If Computer 2 has another personal firewall installed, turn on that firewall. On Computer 1, rescan and list the number and purpose of each port now open on Computer 2 when the personal firewall is running.

PROJECT 19-4: Managing User Accounts

Do the following to experiment with managing user accounts:

1. Using Windows Vista, create a Standard user account and log on using that account. Can you view the contents of the Documents folder for an account with Administrator privileges?

2. Using the Standard account, try to install a program. What message do you receive?

3. What happens if you try to create a new account while logged on under the Standard account?

PROJECT 19-5: Using Password Checker

Microsoft offers a password checker for users to know the strength of their passwords. To use the utility, go to the Microsoft Web site at www.microsoft.com and search for “Password Checker.” Use this free Microsoft utility to verify that a password you have made up is a strong password. Based on the measure of the strength of several of your passwords, what do you think the password checker is looking for?

>> REAL PROBLEMS, REAL SOLUTIONS

REAL PROBLEM 19-1: Require Passwords for User Accounts

To better secure Windows and shared resources, all user accounts on a system need a password. Using Windows Vista Ultimate or Business editions, follow these steps to use Group Policy to require that each user account on a PC have a password:

1. In the Start Search box, enter gpedit.msc, press Enter and respond to the UAC box.

2. Drill down to the Computer Configuration, Windows Settings, Security Settings, Account Policies, and Password Policy (see the left side of Figure 19-41).

Figure 19-41 Use Group Policy to control user account passwords. Courtesy: Course Technology/Cengage Learning


3. Double-click the Minimum password length policy. The Properties box for the policy appears (see the right side of Figure 19-41). Enter the value of 8 for the minimum password length. Click Apply and OK to close the box.

4. List the other policies that can be set to control Windows passwords and give a one-sentence description of each policy. The Explain tab in the policy’s Properties box can help.

5. Close the Group Policy window.

6. Try to reset your Windows password to all blanks. What error message do you receive?

REAL PROBLEM 19-2: Recovering From a Forgotten Windows Password

Forgotten passwords can be a messy problem if you have not made a password reset disk. If you have forgotten the password for a Windows user account and you know the password for an administrator account, you can log on as an administrator and reset the forgotten password. If you don’t know a password for any Windows account, here are some password recovery utilities that can help. Research each utility and describe its approach to helping with forgotten passwords and how much the utility costs. Which of the three utilities would you select for purchase and why?

Ophcrack by phpBB Group at ophcrack.sourceforge.net

Active Password Changer at www.password-changer.com

Windows Password Reset at ResetWindowsPassword.com
