Chapter 13: Users, Groups, and Permissions

Groups

A group is a container that holds user accounts and defines the capabilities of its members. A single account can be a member of multiple groups. Groups are an efficient way of managing multiple users, especially when you are dealing with a whole network of accounts. Standalone computers rely on groups too, though Windows obscures this a little, especially with Home edition users. First, you can assign a certain level of access for a file or folder to a group instead of to just a single user account. You can make a group called Accounting, for example, and put all user accounts for the accounting department in that group. If a person quits, you don't need to worry about assigning all the proper access levels when you create a new account for his or her replacement. After you make an account for the new person, just add her account to the appropriate access group! Second, Windows provides numerous built-in groups with various access levels already predetermined. EXAM TIP: Note that the default administrator account is Administrator. You should use this default only if no other administrators can log on. Best practice is to make a complex password for Administrator; write it down, and put it in a safe for emergency use. Change the default admin user account/password to reflect one or more of the user accounts added to the Administrators group.

User Account

A unique combination of a user name and an associated password, stored in a database on your computer, that grants the user access to the system. Although we normally assign a user account to a human user, user accounts are also assigned to everything that runs programs on your computer. For example, every Windows system has a SYSTEM account that Windows uses when it runs programs. Two mechanisms enable user account security: authentication and authorization.

Password

A unique key known only by the system and the person using that user name. This user name and password are encrypted on the system—and only those with a user name and password are allowed access to the system via the login process. Passwords help secure user accounts. Protect your passwords. Never give out passwords over the phone. If someone learns your user name and password, he or she can log on to your computer. Even if the user account has only limited permissions—perhaps it can only read files, not edit them—you still have a security breach. NOTE For the latest password recommendations, check out the National Institute of Technology and Standards (NIST) Special Publication 800-63B, Digital Identity Guidelines. Using non-alphanumeric characters makes any password much more difficult to crack, for two reasons. First, adding non-alphanumeric characters forces the hacker to consider many more possible characters than just letters and numbers. Second, most password crackers use a combination of common words and numbers to hack passwords. Because non-alphanumeric characters don't fit into common words or numbers, a character such as an exclamation point defeats these commonword hacks. Not all systems allow you to use characters such as @, $, %, or \, however, so you need to experiment. CompTIA also recommends that you should have users change passwords at regular intervals; this can be enforced with a password expiration policy that forces users to select a new password periodically. CAUTION: Blank passwords or passwords that are easily visible on a sticky note provide no security. Always insist on non-blank passwords, and do not let anyone leave a password sitting out in the open.

Change Permission

Another important permission for all NTFS files and folders is the Change permission. An account with this permission can give or take away permissions for other accounts.

Administrators

Any account that is a member of the Administrators group has complete administrator privileges. Administrator privileges grant complete control over a machine. It is common for the primary user of a Windows system to have her account in the Administrators group. When you create the Jane user account, in other words, and make Jane an administrator, you place the Jane account in the Administrators group. Because the Administrators group has all power over a system, Jane has all power over the system.

Local User Account

Every Windows system stores the user accounts as an encrypted database of user names and passwords. Windows calls each record in this database a local user account. User names and passwords are stored here: C:\Windows\System32\config\SAM On Chrome OS, the only way to get the full experience is by logging in with a Google account. The opposite is true on Linux, where local user accounts (tied to a specific computer and user) rule. Windows and macOS split the difference, supporting traditional local user accounts as well as the ability to log in with your Microsoft or Apple account, respectively. NOTE: Global user account is my term. Each company uses specific naming for its accounts, such as a Microsoft account, Apple ID, or Gmail account. Still, you get the idea, right?

NTFS Permissions

Every file and folder on an NTFS partition has a list that contains two sets of data. First, the list details every user and group that has access to that file or folder. Second, the list specifies the level of access that each user or group has to that file or folder. The level of access is defined by a set of restrictions called NTFS permissions. NTFS permissions are rulesets, connected to every folder and file in your system, that define exactly what any account or group can or cannot do to the file or folder. NTFS permissions to enable any member of a user group to create a subfolder for a folder. You can even configure a folder so that one group may be able to read the files but not delete them, modify them, or even see them in Windows Explorer. CompTIA A+ 220-1002 exam tests your understanding of only a few basic concepts of NTFS permissions: Ownership, Take Ownership permission, Change permission, folder permissions, and file permissions. The primary way to set NTFS permissions is through the Security tab under the Properties of a folder or file. The Security tab contains two main areas. The top area shows the list of accounts that have permissions for that resource. The lower area shows exactly what permissions have been assigned to the selected account.

User Accounts

Every user account has a user name and a password. A user name is a text string that identifies the user account assigned to a system. Associated with every user name is a password. NOTE Global user account is my term. Each company uses specific naming for its accounts, such as a Microsoft account, Apple ID, or Gmail account. Still, you get the idea, right?

File Permissions

File permissions define what a user may do to an individual file. One example might be "Read and Execute," which gives a user account the permission to run an executable program.

Folder Permissions

Folder permissions define what a user may do to a folder. One example might be "List folder contents," which gives the permission to see what's in the folder.

Power Users

Power Users group are almost as powerful as members of the Administrators group, but they cannot install new devices or access other users' files or folders unless the files or folders specifically provide them access.

NTFS File Permissions are quite similar to Permission minus the Special Permissions

Full Control - Enables you to do anything yo uwant to the file. Modify - Enables you to read, write, and delete the file. Read & Execute - Enables you to open and run the file. Read - Enables you to open the file. Write - Enables you to open and write to the file.

Here are the standard NTFS permissions for a folder: 1) Full Control 2) Modify 3) Read & Execute 4) List Folder Contents 5) Read 6) Write

Full Control - Enables you to do anything you want Modify - Enables you to read, write, and delete both files and subfolders Read & Execute - Enables you to see the contents of the folder and any subfolders as well as run any executable programs or associations in that folder List Folder Contents - Enables you to see the contents of the folder and any subfolders Read - Enables you to view a folder's contents and open any file in the folder. Write - Enables you to write files and create new files and folder.

Guests

Guests group enables someone who does not have an account on the system to log on by using a guest account. You might use this feature at a party, for example, to provide casual Internet access to guests, or at a library terminal. Most often, the guest account remains disabled.

Inheritance

Inheritance determines which NTFS permissions any newly introduced files or subfolders contained in a folder receive. Techs should understand how inheritance works. The base rule of Windows inheritance is that any new files or folders placed into a folder automatically get all the NTFS permissions of the parent folder. All versions of Windows have inheritance turned on by default, which most of the time is a good idea. If you access a folder's Properties dialog box, click on the Security tab, and then click the Advanced button, you'll see a little checkbox that says Include inheritable permissions from this object's parent. If you wanted to turn off inheritance, you would just uncheck this box. Don't do that. Inheritance is good. Inheritance is expected. NOTE: The Deny checkbox always overrides the NTFS inheritance.

Authentication

Is the process of identifying and granting access to some user, usually a person, who is trying to access a system. Windows, authentication is most commonly handled by a password-protected user account. The process of logging into a system is where the user types in an active user name and password. NOTE: Authentication is the process of giving a user access to a system. Authorization determines what an authenticated user can do to a system.

Local Users and Groups.

NOTE: To create and manage users, you must run Local Users and Groups as an administrator. The easiest way to do this is to open a command prompt with elevated privileges and then type lusrmgr.msc (and press ENTER).

RWX (Three Groups) 1) Owner 2) Group 3) Everyone

Owner - Permissions for the owner of this file or folder. Group - Permissions for members of the group for this file or folder. Everyone - Permissions for anyone for this file or folder. The letters r, w, and x represent the following permissions: r - read the contents of a file w - write or modify a file or folder x execute a file or list the folder contents. -rw-rw-r - - 1 mikemeyers users 299 Oct 2 18:36 launch_codes * This file is called launch codes. The owner of this file is mikemeyers. This file is in the users group. * The owner, mikemeyers, has read and write privileges (rw-). * No one has execute permissions (x) because this is just a text file, not a script or program. * No one has execute permissions (x) because this is just a text file, not a script or program.

Permission Propagation

Permission propagation determines what NTFS permissions are applied to files that are moved or copied into a new folder. Be careful here! You might be tempted to think, given you've just learned about inheritance, that any new files/folders copied or moved into a folder would just inherit the folder's NTFS permissions. This is not always true, and CompTIA wants to make sure you know it. It depends on two issues: whether the data is being copied or moved, and whether the data is coming from the same volume or a different one. So, we need to consider four situations: 1) Copying data within one NTFS-based volume. 2) Moving data within one NTFS-based volume. 3) Copying data between two NTFS-based volumes. 4) Moving data between two NTFS-based volumes. Let's look at a list of four things techs need to know to see what happens when you copy or move an object, such as file or folder. 1) Copying within a volume creates two copies of the object. The copy of the object in the new locatino inherits the permissions from that new location. The new copy can have different permissions than the original. 2) Moving within a volume creates one copy of the object. That object retains its permissions, unchanged. 3) Copying from one NTFS volume to another creates two copies of the object. The copy of the object in the new location inherits the permissions from that new location. The new copy can have different permissions than the original. 4) Moving from one NTFS volume to another creates one copy of the object. The object in the new location inherits the permissions from that new location. The newly moved filed can have different permissions than the original. EXAM TIP: Current versions of Windows refer to sections of an HDD or SSD as volumes, as you'll recall from Chapter 9. Earlier versions—and many techs and exams in your near future—refer to such groupings as partitions. Be prepared for either term.

Authorization Through NTFS

User accounts and passwords provide the foundation for securing a Windows computer, enabling users to authenticate to log on to a PC. After you've created a user account, you need to determine what the user can do with the available resources (files, folders, applications, and so on). This authorization process uses the NT File System (NTFS) as the primary tool.

User Accounts in W 8/8.1

Select Change PC settings from the initial charm screen to open PC settings (see Figure 13-11) and get access to the Accounts option. Note that the User Accounts applet in Control Panel enables you to make changes to local user accounts, and gives you access to the Settings charm when you opt to add a new account. When you set up a Windows 8/8.1 PC, you are aggressively prompted to dump the local user account and instead log on with a Microsoft global account or create one at that time. In fact, Windows makes it very challenging to create a regular old local user account. Although the language of the sign-up option for the new account suggests a Microsoft-sponsored email address (like [email protected]), any valid e-mail address will serve as a Microsoft account. You could opt to create a local user account instead and that functions like any local account on previous versions. But if you opt for a global Microsoft account, you'll synchronize photos, files, and Desktop settings (like the background picture and colors). To create a new account, click the Other accounts option. This opens the Manage other accounts page (see Figure 13-13). From this page you can modify the status or group of any current local user account. Click the + symbol next to Add an account to get started. On the How will this person sign in? screen, you'll see options to use a valid Microsoft account, get a Microsoft account, add a child's account, or create a local account only. The Add a child's account option creates an account with parental controls enabled.

Every version of Windows includes at least two user and group management tools; let's focus on the simplest, Local Users and Groups. You can access Local Users and Groups in two ways:

Select Control Panel | Administrative Tools | Computer Management | Local Users and Groups or Type lusrmgr.msc in the search field in the taskbar and press enter. For reasons that will be described shortly, Windows 10 Home edition does not have Local Users and Groups.

User Accounts (Windows 10)

The User Accounts control panel utility in Windows 10 is handy for making more technical changes to your account. Here you can change (but not create) your group memberships as well as make simple changes to your account and other accounts (like changing passwords). You need to be a member of the Administrators group to make these changes. If you're not using the Windows 10 Home edition, Local Users and Groups is still the best way to go if you're comfortable with the power of the tools (and don't try to do something dangerous such as deleting the administrator account) NOTE: Windows 10 Home users need to use Accounts in Settings or User Accounts in Control Panel. EXAM TIP: The CompTIA A+ 1002 exam objective 1.5 (at least in the initial release—your mileage may vary) lists User Account Management as a Control Panel applet in Windows. This has never been a thing in Windows. Most likely, the objectives conflate two separate applets: User Accounts— which we just covered in detail—and User Account Control. See "Sharing Resources Securely" later in this chapter for the scoop on the latter.

Authorization

The process that defines what resources an authenticated user may access and what he or she may do with those resources. Authorization for Windows' files and folders is controlled by the NTFS file system, which assigns permissions to users and groups. These permissions define exactly what users may do to a resource on the system.

Users

Users group cannot edit the Registry or access critical system files. They can create groups but can manage only those they create. Members of the Users group are called standard users. If you change the Jane account from administrator to standard user, you specifically take the Jane account out of the Administrators group and place it into the Users group. Nothing happens with her personal files or folders, but what the Jane account can do on the computer changes rather dramatically.

Ownership (NTFS Permission)

When you create a new file or folder on an NTFS partition, you become the owner of that file or folder. This is called ownership. Owners can do anything they want to the files or folders they own, including changing the permissions to prevent anybody, even administrators, from accessing them.

User Accounts (Windows 7)

Windows 7 offers a utility called the User Accounts applet in the Control Panel. To create a user account, open the User Accounts applet and select Manage another account. Click Create a new account to see your options for making a new account & applet only enables you to make administrator accounts (in the Administrators group) or standard users (in the Users group)

Take Ownership Permission

With the Take Ownership permission, anyone with the permission can seize control of a file or folder. Administrator accounts have Take Ownership permission for everything. Note the difference here between owning a file and accessing a file. If you own a file, you can prevent anyone from accessing that file. An administrator whom you have blocked, however, can take that ownership away from you and then access that file!

chmod command

chmod command is used to change permissions. Sadly, it uses a somewhat nonintuitive addition system that works as follows: r: 4 w: 2 x: 1 -rw-rw-r - - 1 mikemeyers mi6 299 Oct 2 18:36 launch_codes as follows: *Owner's permissions are 6: 4+2 (rw-) *Group's permissions are 6: 4+2 (rw-) *Everyone's permissions are 4: 4 (r--) The chmod command uses the following syntax to make permission changes: chmod <permissions> <filename> Using this nomenclature, we can make any permission change desired using only three numbers. The current permissions can be represented by 664. To keep the launch codes out of the wrong hands, just change the 4 to a 0: 660. To make the change, use the chmod command as follows: chmod 660 launch codes To give everyone complete control, give everyone read + write + execute. 4 + 2 + 1 = 7. So, use the command as follows: chmod 777 launch_codes NOTE: The most common syntax for the chmod command uses 3 digits, from 0 to 7, but the command technically supports 4 digits (and even an entirely different symbolic syntax). Run the command man chmod for more detail.

Chown Command

chown command enables you to change the owner and the group with which a file or folder is associated. The chown command uses the following syntax: chown <new owner> filename To change the group, use the following syntax: chown <owner>:<group> filename To change the owner of launch_codes to sally, type chown sally launch_codes To change the group to mi6, type chown sally:mi6 launch_codes If you retype the ls-1 command, you would see the following output: -rw-rw-r - - 1 sally mi6 299 Oct 2 18:36 launch_codes.