Chapter 14: Users, Groups and Permissions

Which term refers to a unique combination of a user name and an associated password?

user account

_______________ refers to a unique combo of a user name and an associated account

user account

What two sets of data does every folder and file on an NTFS partition list?

user group access and level of access

Created automatically by Windows, ________ give local administrators access to resources whether they log on locally or remotely?

Administrative shares

Which string displayed using the ls -l command in a Linux terminal indicates that group permissions are set to read and modify?

-rw-rw-r--

A strong password is at least ____ characters

8

Which character in a password is most helpful in defeating common word hacks?

@

What process identifies and grants user access to a user who is trying to access a system?

Authentication

What process determines what a legit user can and cannot do on a system?

Authorization

_________ determines what a legit user can and cannot do.

Authorization

Authentication gives user access to a system

Authorization is how we determine what an authenticated user can do with a system

What tool or mechanism defines what resources a user may access and what he or she may do with such resources?

Authorization through NTFS

If you use the System Configuration utility (msconfig) and select Disable UAC on the Tools tab, what further action is required to turn off UAC?

Reboot

Beyond Sharing Users and Groups:

Beyond Sharing Users and Groups

How can you encrypt an entire drive, including files and folders belonging to other users?

BitLocker

What tool is offered by Windows Vista Ultimate and Enterprise editions to encrypt entire hard drives?

BitLocker

Passwords help secure user accounts

CompTIA recommends that users change passwords at regular intervals, enforced by a Password Expiration policy.

All Windows systems store the user accounts as an encrypted database of user names and passwords. Windows calls each record in this database a LOCAL USER ACCOUNT.

Creating a user account generates a number of folders on a computer. In Windows, for example, each user account gets unique personal folders, such as Documents, Desktop, Pictures, Music and more. By default, only a person logged in as a specific user can access the personal folders for that user account.

What file system enables you to encrypt files, thus making them unviewable by any account but your own?

EFS

_________ ratings such as E, T and M can be used to allow or block computer game use.

ESRB

All versions of Windows have the LOCAL SECURITY POLICY utility. You can access this tool through Control Panel - Administrative Tools - Local Security Policy, but you can also just open a command line and run secpol.msc.

EXAM TIP: Local Security policies are very powerful. This covers just enough to answer very basic questions on the exam.

EXAM TIP: The default behavior for UAC in Windows 7 is the second-from-top level, which asks "Do you want to allow the following program to make changes to this computer?"

Each of these options isn't a program - each is merely a feature built into Windows. Those shields tell you that clicking the feature next to a shield will require administrator privileges.

FILES: Modify

Enables you to read, write and delete the file

How many notification levels of UAC did MS include in Windows 7?

Four

The standard NTFS permissions for a FOLDER:

Full Control, Modify, Read and Execute, List Folder Contents, Read and Write

What type of access is granted if you log on to a computer remotely as an admin with no password?

Guest

What process is described as a file or folder automatically getting all the NTFS permissions of the parent folder?

Inheritance

On every Windows system, each record in an encrypted database of user names and passwords is called a(n)______________

Local User Accounts

Authorization for Windows files and folders is controlled by the ________ file system, which assigns permissions to users and groups

NTFS

What is the primary tool Windows uses for providing authorization?

NTFS

Sharing a folder: select the folder, right-click on it, select Properties, then open the Sharing tab. From here, select Advanced Sharing. Click on the Share this folder checkbox and give the folder a network share name.

Next, click on the Permissions button. By default, all new Windows shares only have Read permission. Here is where you set your share to Full Control.

You copy a file from a folder on a hard drive formatted as NTFS, with permissions set to Read for everyone, to a USB thumb drive formatted as FAT32. What effective permissions does the copy of the file have?

None

In Windows 7, which UAC notification level is the default setting?

Notify me only when programs try to make changes

What option enables you to share files easily among multiple users on a single Windows 8 system?

Place the file in public libraries

By default, who has complete control over a folder or file?

Owner

Everyone

Permissions for anyone for this file or folder

How are Libraries folders displayed in Windows 8.1 File Explorer?

Right click in the navigation and click Show Libraries

What tool in Windows 8.1 enables you to create a new user account based on a global MS account?

Settings charm

What chip on the motherboard validates on boot that you still have the same operating System installed and that the computer was not hacked by some malevolent program?

TPM

What does Bitlocker require on a motherboard to validate on boot that a Windows Vista computer has not been changed?

TPM

Which NTFS permission allows an account to seize control of a file or folder owned by another account?

Take ownership permission

4. Moving from one NTFS volume to another creates one copy of the object.

The object in the new location INHERITS the permissions from that new location. The newly moved file can have different permissions than the original

What happens to a file or folder permission if it is copied within an NTFS partition?

The original retains permission and the copy inherits permission

The second from top level will display the typical consent form, but only when programs try to make changes.

The third-from-top level displays a consent form, but where the normal consent form dims your desktop and doesn't allow you to do anything but address the form, this consent form just pops up like a normal dialog box. EXAM TIP: Make sure you know what each of the four UAC levels does.

How to turn off UAC

Two common ways: in the User Accounts Control Panel applet, you will see an option to turn User Account Control off. You can also configure UAC from the Tools tab in the System Configuration utility. UAC in Windows Vista worked well but it startled users.

An unpopular, but necessary, security feature introduced in Windows Vista was ____________

UAC

What is the Windows Vista tool for managing users and groups?

User Account Applet

What UAC classification is associated with a digitally signed, third-party program or non-core OS program?

Verified

Authentication

What process identifies and grants access to a user who is trying to access a system?

rwx

What three letters are used in a Linux terminal to indicate permissions associated with a file or folder?

What's the difference between a program making a change and you making a change?

Windows 7 is set to the second-from-top option in this case. A program (the very safe and verified Adobe Download Manager) is attempting to install a feature into Internet Explorer. Because this is a program trying to make changes, the UAC consent form appears and darkens the desktop. If you lower UAC to the third-from-top option, you still see a consent form, but now it acts like a typical dialog box.

Change Permissions

can give or take away permissions from other accounts

What command is used to change file permissions in Linux?

chmod

Which Linux command enables you to change the owner and the group with which a file or folder is associated?

chown

A password _______ policy forces users to select a new password periodically

expiration

Chmod Command:

is used to change permissions.

UAC in Modern Windows:

Less aggressive and in-your-face. MS introduced four UAC levels. Go to the User Accounts applet and select Change User Account Control settings to see a slider with four levels:
the top level (Always notify) means you want UAC to work exactly as it does in Vista, displaying the aggressive consent form
a middle level (Don't notify me when I make changes)
a middle level (Notify me when programs try to make changes)
the bottom level (Never notify me)

Linux File Permissions accessed by what command?

ls -l

Users Group

Members cannot edit the Registry or access critical system files. They can create groups but can manage only those they create. These are called STANDARD USERS.

Opening a command line and running ___________ provides access to a utility called a Local Security Policy

secpol.msc

How to set NTFS permissions

Right click Properties-security tab-"edit" to make changes. Top section shows accounts that have permissions for resource. Bottom section shows permissions assigned to account.

Full Control Permissions

Same for files and folders - grants full control

FOLDER: Write

Enables you to write to files and create new files and folders

Take Ownership Permission

Permission allows admin user to seize control (take ownership) of file or folder to access it.

The letters r, w, and x represent the following permissions:

r = read the contents of a file

Administrative share. Administrative shares are hidden network shares created by Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.

A C-share is a class of mutual fund with a level load. Class C shares tend to not have front-end loads, but they often carry small back-end loads. These loads are typically around 1% and may vanish once the investor has held the shares of the mutual fund for a year.

Windows security from the point of view of a single or STANDALONE machine.

AUTHENTICATION WITH USERS AND GROUPS

The "primary operating system" is the operating system on which the file sharing protocol in question is most commonly used. On Microsoft Windows, a network share is provided by the Windows network component "File and Printer Sharing for Microsoft Networks", using Microsoft's SMB (Server Message Block) protocol.

Administrative shares give local administrators administrative access to these resources whether they log on locally or remotely. In contrast, shares added manually are called LOCAL SHARES.

Before Vista, MS invented the idea of the Power Users group to give users almost all of the power of an admin account without actually giving users the full power of the account.

Assigning a user to the Power Users group still required someone who knew how to do this, however, so most folks at the home/office level simply ignored the Power Users group. MS needed a better method to prevent people from running programs that they should not run. But for those who have the rights to do what they want, it should be as simple as possible.

Windows Ultimate and Enterprise editions and Windows 8 offer full drive encryption through BITLOCKER DRIVE ENCRYPTION. It encrypts the whole drive, including every user's files, so it's not dependent on any one account. If your hard drive is stolen, all the data on the hard drive is safe.

BitLocker requires a special Trusted Platform Module (TPM) chip on the motherboard to function.

MS needed to make the following changes:
The idea of using an admin account for daily use needed to go away.
Any level account should be able to do anything as easily as possible.
If a regular account wants to do something that requires administrator privileges, the user of the regular account will need to enter the admin password.
If a user with admin privileges wants to run something that requires admin privileges, the user will not have to reenter his or her password, but the user will have to respond to an "Are you sure?" dialog box - the famous UAC dialog box.

Both Linux and Mac OS have been using a UAC function for a long time; it's called SUDO.

With the ____________ permission for an NTFS partition, you can give or take away permissions for other accounts.

Change

FOLDER: Read

Enables you to view a folder's contents and open any file in the folder

What techniques provide the only true way to protect your data from access by any other user?

Encryption

Security begins with USER ACCOUNT, a unique combo of a user name and an associated password, stored in some database on your computer, that grants the user access to the system

Every Windows system has a SYSTEM account that Windows uses when it runs programs. Two mechanisms enable user account security: AUTHENTICATION and AUTHORIZATION

Windows administration allows a certain level of access for a file or folder to be assigned to a(n) _____________ rather than just a single user account.

Group

To log onto a standalone Windows PC, you need a(n) ________________

Local user account

Just right click on the file or folder you want to encrypt, select Properties. In the Properties dialog box for that object, select the General tab and click the Advanced Button to open the Advanced Attributes dialog box.

Encryption is just one possible attribute of a file. You can make files hidden, read-only and more from a file or folder's Properties dialog box.

For groups, Windows Admin is easy: first, you can assign a certain level of access for a file or folder to a group instead of just a single user account. You can make a group called Accounting and put all user accounts for the accounting department in that group. Second, Windows provides numerous built-in groups with various access levels already pre-determined.

EXAM TIP: Be familiar with these groups for the exam: Administrators, Power Users, Users, Guests

From a tech's standpoint, you need to be aware of how permissions can change when you move or copy files, and if you are still in doubt about a sensitive file, check it before you sign off to a client.

EXAM TIP: Current versions of Windows refer to a grouping of cylinders or transistors on an HDD or SSD as VOLUMES. Earlier versions refer to such groupings as PARTITIONS. Be ready for either term.

Consider these four situations:

Copying data within one NTFS-based volume
Moving data within one NTFS-based volume
Copying data between two NTFS-based volumes
Moving data between two NTFS-based partitions

Folder Permissions

Defines what a user can do to a folder or sub-folder: view, modify, etc.

CONFIGURING USERS AND GROUPS

Every version of Windows includes one or two user and group management tools. Most editions of Windows include a Control Panel applet called User Accounts. More advanced editions include a second, more advanced utility called LOCAL USERS AND GROUPS. You will find this in the Computer Management console in Administrative Tools.

A _________ is a collection of user accounts that share the same access capabilities

Group

Add/Edit Users and/or Groups

Head over to the Security tab. There are two sections: the top section is a list of users and groups that currently have NTFS permissions to that folder, and the bottom section is a list of NTFS permissions for the currently selected users and groups. To add a new user or group, click the Edit button. In the Permissions dialog box that opens, you can not only add new users and groups but also remove them and edit existing NTFS permissions.

If you use EFS, you simply must have a valid password reset disk in the event of a horrible event.

If you copy an encrypted file to a drive formatted as anything but NTFS, you will get a prompt saying that the copied file will not be encrypted. If you copy to a drive with NTFS, the encryption stays. The encrypted file, even on a removable disk, will only be readable on your system with your login.

NTFS Permissions

In Windows, every folder and file on an NTFS partition has a list that contains two sets of data. First, the list details every user and group with access to that file or folder. Second, the list specifies the level of access each user or group has to that file or folder. The level of access is defined by a set of restrictions called NTFS permissions.

Administrative shares are odd ducks: you cannot change the default permissions on them. You can delete them, but Windows will recreate them automatically every time you reboot. They're hidden so they don't appear when you browse a machine over the network, though you can map them by name.

Keep admin passwords safe, and these default shares won't affect the overall security of the computer.

chmod

Linux/Mac OS X command used to change permissions; uses a numbering system (r = 4, w = 2, x = 1) and binary math to combine permissions

Chown

Linux/Mac OS X command that enables changing a file/folder's owner or group. Syntax: chown <new owner> filename

Managing Users in Windows 8-10

MS started to shift the focus of user accounts from local accounts to internet-wide MS accounts. Windows 8 debuted the Settings charm. Select Change PC settings from the initial charm screen to open PC settings and get access to the Accounts option. Note that the User Accounts applet in Control Panel enables you to make changes to the current accounts (local or global) and gives you access to the Settings charm (or app in Windows 10) when you opt to add a new account.

Windows uses NTFS to make the folders and files in a specific user's personal folders (Documents, Music, Pictures and so on) private. Only the user who created those documents can access those documents.

Members of the admin group can override this behavior, but members of the Users group (standard users) cannot. On a shared Windows machine, you will need to take extra steps and actively share resources to make them available for multiple users.

Power Users Group

Members of this group are almost as powerful as members of the Admin group, but they cannot install new devices or access other users' files or folders unless the files or folders specifically provide them access.

Which NTFS permission for a folder is defined as enabling you to read, write and delete both files and subfolders?

Modify

LOCAL SECURITY POLICY has a number of containers that help organize the many types of policies on a typical system. Inside each container are subcontainers or preset policies. A Local Security Policy can cause user passwords to expire every 30 days. To do this, open up the Account Policies container and then open the Password Policy subcontainer.

On almost all Windows versions your local user account passwords expire after 42 days. You can change this to 30 by double-clicking on Max Password age and adjusting the setting in the Properties dialog box. If you set the value to 0 the password will never expire. This setting only works for your local user accounts.

By default, who has complete control over a folder or file?

Owner

When you create a new file or folder on an NTFS partition you become the _______ of that file or folder

Owner

EXAM TIP: The exam tests your understanding of only a few basic concepts of NTFS permissions:

Ownership, Take Owner permission, Change permission, folder permission, File permissions

Group

Permissions for members of the group for this file or folder

Owner

Permissions for the owner of this file or folder

"protect yourself from passwords"

Permissions in Linux and Mac OS X: the exam concentrates on Windows users, groups and permissions, but remember the concepts for Linux and Mac OS X. Look at the chmod and chown commands, as they are listed as exam objectives.

Local Users and Groups

Professional editions of Windows include the LOCAL USERS AND GROUPS tool, a more powerful tool for working with user accounts. You can create, modify and remove users and groups. Home editions of Windows do not have the Local Users and Groups utility. You must use the User Accounts applet or the Settings charm.

Selecting _________ while adding a new user in Windows 7 makes that user a member of the local Users group

Standard user

Administrative shares have been exploited by malware programs, especially because many users who set up their computers never give the admin account a password.

Starting with Windows XP Home, MS changed the remote access permissions for such machines. If you log on to a computer remotely as an administrator with no password, you get guest access rather than admin access. That neatly nips potential exploits in the bud.

Techs and Permissions

Techs and Permissions

Techs need to know these four things

Techs need to know what happens when you copy or move an object, such as a file or folder

2. Moving within a volume creates one copy of the object.

That object retains its permissions, unchanged

3. Copying from one NTFS volume to another creates two copies of the object.

The copy of the new object in the new location INHERITS the permission from that new location. The new copy can have different permissions than the original

1. Copying within a volume creates two copies of the object

The copy of the object in the new location INHERITS the permissions from that new location. The new copy can have different permissions than the original

UAC works for both standard user accounts and administrator accounts. If a standard user attempts to do something that requires administrator privileges, you will see a UAC dialog box that prompts for the admin password.

The official name for the UAC dialog box is the "UAC consent prompt". Vista has four consent prompts.

What happens to a file or folder permission if it is copied within an NTFS partition?

The original retains permissions, and the copy inherits permissions from the new location.

Protecting Data with Encryption

The scrambling of data through ENCRYPTION techniques provides the only true way to secure your data from access by any other user. An admin can use the Take Ownership permission to seize any file or folder on a computer, even those you don't actively share. Thus, you need to implement other security measures for data that needs to be ultra secure. Depending on the version of Windows, you have between zero and three encryption tools. Windows Home editions have no security features. Advanced editions of Windows add a system that can encrypt files and folders called ENCRYPTION FILE SYSTEM. Finally, the most advanced editions feature drive encryption through BITLOCKER.

The TPM chip validates on boot that the computer has not changed, that you still have the same OS installed.

To enable Bitlocker, double-click the Bitlocker Drive Encryption icon in the Classic Control Panel, or select Security in Control Panel Home and then click Turn on Bitlocker.

What Windows Vista feature provides a dialog box when standard users and administrators perform certain tasks that could potentially harm the computer?

User Account Control

What feature in Windows 7 opens a consent prompt for standard users to enter administrator credentials to accomplish various tasks reserved for the latter group?

User Account Control

If your Vista computer is on a workgroup, what applet is used to manage user accounts?

User Accounts and Family Safety

What ________ enables you to manage user accounts in Windows?

User account applet

What two sets of data does every folder and file on an NTFS partition list?

User and group access and level of access

User Account Control

Vista had the worst. UAC got a bad rap, but it is an important security update for all versions of Windows; it's also a common feature in both Mac and Linux. UAC enables users to know when they are about to do something that has serious consequences.

You may see the NTFS permissions on a folder or file by accessing the Properties dialog box for that file or folder and opening the Security tab.

Windows editions for home use have a limited set of permissions you can assign. As far as folder permissions go, you can assign only one: Make this Folder Private.

Authorization Through NTFS

Windows uses the powerful NT File System (NTFS) as the primary tool for providing authorization.

Managing Users in Windows Vista:

You create three accounts when you set up a computer: guest, administrator, and a local account that's a member of the Administrators group. To add or modify a user account, you have many options depending on which Control Panel view you select and which edition and update of Vista you have installed. Most techs changed the Control View to Classic.

BitLocker To Go

enables you to apply Bitlocker encryption to removable drives, like USB-based flash drives. Although it shares a name, Bitlocker to Go applies encryption and password protection but doesn't require a TPM chip.

FOLDER: Full Control:

enables you to do anything you want

FILES: Read & Execute

enables you to open and run the file

FILES: Write

enables you to open and write to the file

FILES: Read

enables you to open the file

https://www.lifewire.com/finding-shared-windows-folders-816533

https://www.wikihow.com/Access-Shared-Folders-in-Windows-7

What permission enables an administrator to change the ownership of a file without knowing the user account password for that file?

take Ownership permission

Just like Windows, every file and folder on a Linux and Mac OS X system has permissions. Go to the Linux terminal and type this command: ls -l. This shows a detailed list of all the files and folders in a particular location.

-rwxrwxrwx We have three groups of rwx. The three groups, in order, stand for: OWNER, GROUP, EVERYONE.

Whoever creates a folder or a file has complete control over that folder or file. This is called OWNERSHIP.

Administrators do not automatically have complete control over every folder and file. If an admin wants to access a folder or file they do not have permission to access, they may go through a process called TAKE CONTROL.

Viewing the Permissions

You can view the permissions by checking the file or directory permissions in your favorite GUI File Manager (which I will not cover here) or by reviewing the output of the "ls -l" command while in the terminal and while working in the directory which contains the file or folder. The permission in the command line is displayed as: _rwxrwxrwx 1 owner:group

User rights/Permissions

The first character that I marked with an underscore is the special permission flag that can vary.
The following set of three characters (rwx) is for the owner permissions.
The second set of three characters (rwx) is for the Group permissions.
The third set of three characters (rwx) is for the All Users permissions.
Following that grouping, the integer/number displays the number of hard links to the file.
The last piece is the Owner and Group assignment formatted as Owner:Group.

Modifying the Permissions

When in the command line, the permissions are edited by using the command chmod. You can assign the permissions explicitly or by using a binary reference as described below.

Explicitly Defining Permissions

To explicitly define permissions you will need to reference the Permission Group and Permission Types.

The Permission Groups used are:
u - Owner
g - Group
o - Others
a - All users

The potential Assignment Operators are + (plus) and - (minus); these are used to tell the system whether to add or remove the specific permissions.

The Permission Types that are used are:
r - Read
w - Write
x - Execute

So for an example, let's say I have a file named file1 that currently has the permissions set to _rw_rw_rw_, which means that the owner, group and all users have read and write permission. Now we want to remove the read and write permissions from the all users group. To make this modification you would invoke the command: chmod a-rw file1

To add the permissions above you would invoke the command: chmod a+rw file1

As you can see, if you want to grant those permissions you would change the minus character to a plus to add those permissions.

Using Binary References to Set Permissions

Now that you understand the permission groups and types, this one should feel natural. To set the permission using binary references you must first understand that the input is done by entering three integers/numbers. A sample permission string would be chmod 640 file1, which means that the owner has read and write permissions, the group has read permissions, and all other users have no rights to the file. The first number represents the Owner permission; the second represents the Group permissions; and the last number represents the permissions for all other users. The numbers are a binary representation of the rwx string.

r = 4
w = 2
x = 1

You add the numbers to get the integer/number representing the permissions you wish to set. You will need to include the binary permissions for each of the three permission groups. So to set the permissions on file1 to read _rwxr_____, you would enter chmod 740 file1.

Owners and Groups

I have made several references to Owners and Groups above, but have not yet told you how to assign or change the Owner and Group assigned to a file or directory. You use the chown command to change owner and group assignments. The syntax is simple: chown owner:group filename. So to change the owner of file1 to user1 and the group to family you would enter chown user1:family file1.

Advanced Permissions

The special permissions flag can be marked with any of the following:
_ - no special permissions
d - directory
l - The file or directory is a symbolic link
s - This indicates the setuid/setgid permissions. This is not displayed in the special permission part of the permissions display, but is represented as an s in the read portion of the owner or group permissions.
t - This indicates the sticky bit permissions. This is not displayed in the special permission part of the permissions display, but is represented as a t in the executable portion of the all users permissions.

Setuid/Setgid Special Permissions

The setuid/setgid permissions are used to tell the system to run an executable as the owner with the owner's permissions. Be careful using setuid/setgid bits in permissions. If you incorrectly assign permissions to a file owned by root with the setuid/setgid bit set, then you can open your system to intrusion.

The basic rule of Windows inheritance is that any new files or folders placed into a folder automatically get all the NTFS permissions of the parent folder. For example, you will automatically get Read and Execute permission.

All versions of Windows have inheritance turned on by default. If you access a Properties dialog box, click on the Security tab, and then click the Advanced button, you will see a little checkbox that says INCLUDE INHERITABLE PERMISSIONS FROM THIS OBJECT'S PARENT.

Administrator groups

Any account that is a member of the Administrators group has complete administrator privileges. Administrator privileges grant complete control over a machine. It is common for the primary user of a Windows system to have her account in the Admin group.

File Permissions

Defines what a user can do to a file: read, write, delete, etc.

FOLDER: Modify

Enables you to read, write, and delete both files and subfolders

FOLDER: List Folder Contents

Enables you to see the contents of the folder and any subfolders

FOLDER: Read & Execute

Enables you to see the contents of the folder and any subfolders as well as run any executable programs or associations in that folder

NTFS File Permissions:

Full control, modify, read & Execute, Read, Write

Parental Controls

An administrator account can monitor and limit the activities of any standard user in Windows, a feature that gives parents and managers an excellent level of control over the content their children and employees can access. Activity Reporting logs a user's successful and blocked attempts

Examples of common actions that require administrator privileges:

Installing and uninstalling applications
Installing a driver for a device
Installing Windows Updates
Adjusting Windows Firewall settings
Changing a user's account type
Browsing to another user's directory

So I will show you some documents and folders that you want to focus on and show you how the optimal permissions should be set.
home directories - The users' home directories are important because you do not want other users to be able to view and modify the files in another user's documents or desktop. To remedy this you will want the directory to have the drwx______ (700) permissions. So let's say we want to enforce the correct permissions on the user user1's home directory; that can be done by issuing the command chmod 700 /home/user1.
bootloader configuration files - If you decide to implement a password to boot specific operating systems, then you will want to remove read and write permissions on the configuration file from all users but root. To do so, you can change the permissions of the file to 700.
system and daemon configuration files - It is very important to restrict rights to system and daemon configuration files to keep users from editing the contents. It may not be advisable to restrict read permissions, but restricting write permissions is a must. In these cases it may be best to modify the rights to 644.
firewall scripts - It may not always be necessary to block all users from reading the firewall file, but it is advisable to restrict the users from writing to the file. In this case the firewall script is run by the root user automatically on boot, so all other users need no rights, so you can assign the 700 permissions.

Linux/Mac OS X: Users: Group, Everyone, Owner

NTFS permissions are assigned both to user accounts and to groups, though it is best practice to assign permissions to groups and then add user accounts to groups, instead of adding permissions directly to individual user accounts.

Permissions are cumulative. If you have Full Control on a folder and only Read permission on a file in the folder, you get Full Control permission on the file.

Permission propagation

Operation   Same volume          Different volume
MOVE        keeps orig. perms    inherits new perms
COPY        inherits new perms   inherits new perms

UAC (User Account Control)

____________ enables standard users to perform certain tasks and provides a permission dialog box when standard users and administrators do certain things that could potentially harm the computer

Sharing Resources Securely

Sharing Resources Securely

Groups

a container that holds user accounts and defines the capabilities of its members. A single account can be a member of multiple groups. Groups are an efficient way of managing multiple users, especially when you are dealing with a whole network of accounts. Standalone computers rely on groups, too, though Windows obscures this a little, especially with home users.

At least one account must be an administrator account.

UAC (User Account Control) gives admins greater control

Ownership

When a specific user creates a file or folder, they become the owner of that object, giving them full permissions to set and modify all user permissions of that object.

You need local admin privileges to change almost anything on a Windows machine, such as small updates, changing drivers, and installing applications.

When you have fixed a system and changed the password to get there, have the admin change the password you used when you are finished.

https://www.howtoforge.com/linux-chown-command/

The chown command enables us to change the owner and the group with which a file or folder is associated.

FILES: Full Control

enables you to do anything you want

Inheritance

is the process of determining the default NTFS permissions any newly introduced files or subfolders contained in a folder receive. Inheritance is a huge issue as we tend to make lots of folder and file changes on a system. We need to let NTFS know what we want to do when new files and folders suddenly appear.

Permission Propagation

is the process of determining what NTFS permissions are applied to files that are moved or copied into a new folder. Be careful! You might be tempted to think, given you've just learned about inheritance, that any new files/folders copied or true, and CompTIA wants to make sure you know it. It really depends on two issues: whether the data is being copied or moved, and whether the data is coming from the same volume or a different one.

Security Policies

rules we apply to users and groups do work with NTFS permissions. Would you like to configure your computer so that the Accounting Group can only log on between 9 a.m. and 5 p.m.? There's a security policy for that. You can force new users to create an 8-character password. Windows provides thousands of preset security policies that you may use simply by turning them on in a utility called LOCAL SECURITY POLICY.

Authentication:

the process of identifying and granting access to some user, usually a person, who is trying to access a system. In Windows, this is most commonly handled by a password-protected account. The process of logging into a system is where the user types in an active user name and password.

Authorization:

the process that defines what resources an authenticated user may access and what he or she may do with those resources. Authorization for Windows files and folders is controlled by the NTFS file system, which assigns permissions to users and groups. These permissions define exactly what users may do to a resource on the system.

Encryption File System

the professional editions of Windows offer a feature called the ENCRYPTING FILE SYSTEM (EFS), an encryption scheme that any user can use to encrypt individual files or folders on a computer

Guests Group

this group enables someone who does not have an account on the system to log on by using a guest account.

This example uses symbolic permissions notation. The letters u, g, and o stand for "user", "group", and "other". The equals sign ("=") means "set the permissions exactly like this," and the letters "r", "w", and "x" stand for "read", "write", and "execute", respectively. The commas separate the different classes of permissions, and there are no spaces in between them.
Here is the equivalent command using octal permissions notation: chmod 754 myfile
Here the digits 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, 1, and 0: 4 stands for "read", 2 stands for "write", 1 stands for "execute", and 0 stands for "no permission." So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).

To make the change, we use the chmod command as follows: chmod 660 launch_codes

w = write or modify a file or folder

x = execute a file or list the folder contents

