Windows 10 Exam 70-698, Module 14 - Configure Authorization and Authentication, Key Terms

Microsoft Accounts

A Microsoft account provides you with an identity that you can use to sign in on multiple devices and access online services. You can also use the account to synchronize your personal settings between your Windows-based devices. If Windows 10 detects an Internet connection during setup, you are prompted to specify your Microsoft account details. However, you can link your Microsoft account to a local or AD DS domain account after setup is complete. After you connect your Microsoft account with your local account, you can: * Access personal Microsoft cloud services, including OneDrive, Outlook.com, and other personal apps. * Use the Microsoft account to access Microsoft Intune, Microsoft Office 365, and Microsoft Azure. * Download and install apps from the Microsoft Store. * Sync your settings between devices that are linked to your account. Tip: You can browse the Windows Store even if you do not sign in using a Microsoft account.

Workgroup

A workgroup is a small collection of computer devices that can share resources. Unlike a HomeGroup, which is discussed in Chapter 6, "Configure networking," setup and sharing resources in a workgroup requires significant manual intervention. Unlike a domain, there is no centralization of user accounts and related security policies and settings. A workgroup is sometimes described as a peer-to-peer network, in which each device has its own set of user and group accounts, its own security policy, and its own resources that can be shared with others. To establish a workgroup, you must define the workgroup name. You do this on each computer that will be part of the workgroup. Use the following procedure to define the workgroup. 1. Open Control Panel. 2. Click System And Security and then click System. 3. Click Change Settings, as shown in inset Figure. 4. In the System Properties dialog box, on the Computer Name tab, click Change. 5. In the Computer Name/Domain Changes dialog box, in the Workgroup box, as shown in inset Figure, type the name of the new workgroup and click OK twice. Restart your computer. After you have defined the workgroup name, configure all other devices to use the same workgroup name; this makes browsing for network resources easier for users. Next, set up user accounts on each computer. This is necessary because there is no centralization of user accounts in a workgroup. When a user maps a network drive to a folder that you have shared on your computer, they must provide credentials to connect to the resource; these credentials are held on the sharing computer. Note: Your computer can only belong to one workgroup. Your computer can also only belong to a workgroup or a domain, not both.

Biometrics

After a user has completed the registration process, Microsoft Passport generates a new public-private key pair on the device known as a protector key. If installed in the device, the Trusted Platform Module (TPM) generates and stores this protector key; if the device does not have a TPM,Windows encrypts the protector key and stores it on the file system. Microsoft Passport also generates an administrative key that is used to reset credentials if necessary. The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture. *The user can now securely sign in to their device using the PIN and then add support for a biometric gesture as an alternative for the PIN*. The gesture could be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned earlier. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and stores it securely. The user can then sign in using the PIN or a biometric gesture.

Credential security

After you have configured sign-in options, it is important to understand how user credentials are stored and protected. Users must sign in not only to Windows 10 but to websites and online services, most of which do not use the user's Windows 10 credentials. To help users access these websites and services, Windows stores the credentials and provides two features to help protect users' credentials: * Configure Credential Manager * Configure Credential Guard

Windows PowerShell to create Local Accounts

Before you can manage local user accounts, you must install the Windows PowerShell local account module. You can do this by running the following cmdlet from an elevated Windows PowerShell command. Find-Module localaccount | Install-Module You can then use the following cmdlets to manage local user accounts. - *Get-LocalUser* - *New-LocalUser* - *Remove-LocalUser* - *Rename-LocalUser* - *Disable-LocalUser* - *Enable-LocalUser* For example, to add a new local user account called Sales 02 with a password that expires in one month, run the following cmdlet. New-LocalUser -Name "Sales02" -Description "Sales User account" -PasswordExpires (Get-Date).AddMonths(1) Tip: To review further details about using Windows PowerShell to manage local accounts,refer to the Microsoft TechNet website at: https://technet.microsoft.com/library/mt651682.aspx

User Accounts

Before you can sign in to your Windows 10-based computer, you must create a user account. Windows 10 supports the ability for you to sign in using local accounts, Active Directory Domain Services (AD DS) domain accounts, and Microsoft accounts. After you are signed in, it is important to ensure that your user account operates as a standard user account and is only elevated to an administrative level when needed. User Account Control (UAC) can help you control administrative privilege elevation in Windows 10.

Picture passwords

In addition to using PINs and biometric gestures to sign in, users can also choose to use a picture password. This is configured in the Settings app. As shown in inset Figure, select Accounts and then select the Sign-In Options tab. To set up picture passwords, complete the following procedure. 1. On the Sign-in Options tab, under Picture Password, click Add. You are prompted to verify your account information. 2. Reenter your account password. 3. You are provided with an initial picture. If you want, click Select Picture to choose another. 4. Draw three gestures directly on your screen. Remember that the size, position, and direction of the gestures are stored as part of the picture password. 5. You are prompted to repeat your gestures. If your repeated gestures match, click Finish. Note: If you do not see the Picture Password heading, your display is not touch-enabled. Picture passwords are associated with an image and a touch gesture on the screen.

User Account Control

In earlier versions of Windows, it was necessary to sign in using an administrative account to perform administrative tasks. This often led to users signing in with administrative accounts at all times, even when performing standard user tasks, such as running apps or browsing Internet websites. However, being signed in with administrative privilege at all times poses a security risk because it provides for the possibility of malicious software exploiting administrative access to files and other resources. Windows 10 provides UAC to help mitigate this threat. When you sign in using an administrative account, UAC inhibits the account's access to that of a standard user, only elevating the account's privileges to administrative level when required, and only after prompting the user for permissions to do so. In addition, if a user signs in with a standard user account and attempts to perform a task requiring administrative privileges, UAC can prompt the user for administrative credentials. Standard users can perform the following tasks without requiring elevation: * Change their user account passwords. * Configure accessibility options. * Configure power options. * Install updates by using Windows Update. * Install device drivers included in the operating system or by using Windows Update. * View Windows 10 settings. * Pair Bluetooth devices. * Establish network connections, reset network adapters, and perform network diagnostics and repair. However, the following tasks require elevation: * Install or remove apps. * Install a device driver not included in Windows or Windows Update. * Modify UAC settings. * Open Windows Firewall in Control Panel. * Add or remove user accounts. * Restore system backups. * Configure Windows Update settings.

AD DS Domain Settings

In most organizations, using an AD DS domain environment provides the best management experience. In a domain environment, you can centralize administration, security, and application policies and provide a more managed approach to sharing and accessing resources. To join a computer to an AD DS domain, use the following procedure. 1. Open Control Panel. 2. Click System And Security. 3. Click System. 4. Click Change Settings. 5. In the System Properties dialog box, on the Computer Name tab, click Change. 6. In the Computer Name/Domain Changes dialog box, under Member Of, in the Domain box, type the domain name and click OK. 7. In the Windows Security dialog box shown in inset Figure, enter the credentials of a domain account that has the required permission to join computers to the domain. Typically, this is a domain administrator account. 8. Click OK. The computer attempts to connect to the domain, create an object for the computer in the AD DS domain, and then update the local computer's configuration to reflect these changes. 9. When prompted, click OK twice. 10. Click Close and restart your computer. You can now sign in using domain user accounts. After you have added your computer to the domain, it becomes a managed device and is affected by domain GPO settings and security policies. To use the preceding procedure to add a computer to a domain, the computer you are adding must be online and must be able to communicate with a domain controller. It is possible to add a computer to a domain if the computer you want to add is offline; this process is known as offline domain join. Offline domain join is useful when you are adding computers to a domain from a regional data center that has limited connectivity to the main data center where domain controllers reside. To add a computer to a domain by using the offline domain join procedure, use the Djoin.exe command-line tool. Note: Need More Review? Offline Domain Join (Djoin.exe) Step-by-Step Guide To review further details about using offline domain join, refer to the Microsoft TechNet website at https://technet.microsoft.com/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx

Device Security

It is important that when users attempt to connect their devices to your organization's network, you can determine that those devices are secure and conform to organizational policies regarding security settings and features. Microsoft provides two features in Windows 10 that can help you meet the goal of allowing only secured devices to connect to your organization's network. These features are: - *Device Guard* and - *Device health attestation*

Device Health Attestation

It is important to consider the question, "What is device health?" before looking at how Windows 10 helps to ensure that only healthy devices can connect to corporate network resources. Generally, a Windows 10 device might be considered healthy if it is configured with appropriate security features and settings. For example, a Windows 10-based device might have the latest antivirus patterns and antimalware signatures installed, be up to date with important Windows updates, and have Device Guard and Credential Guard enabled and configured. Windows 10 Enterprise includes the Device Health Attestation feature, which can help you determine the health of devices connecting to your corporate network. The requirements for Device Health Attestation are the same as for Device Guard with the exception that TPM 2.0 is required. However, you also require a cloud-based service such as Microsoft Intune to enable the necessary MDM features and device policies to enforce health attestation on your users' devices. After determining what constitutes a healthy device, you must next consider how to evaluate device health and what to do when devices fail health evaluation. Windows 10 contains features that enable device health determination during startup, and Device Health Attestation to be stored in the device's TPM. The process is as follows: 1. Hardware startup components are measured. 2. Windows 10 startup components are measured. 3. If Device Guard is enabled, the current Device Guard policy is measured. 4. The Windows 10 kernel is measured. 5. Antivirus software is started as the first kernel mode driver. 6. Boot start drivers are measured. 7. The MDM server through the MDM agent issues a health check command by using the Health Attestation configuration service provider (CSP). 8. Startup measurements, now stored in a log, are sent to and validated by the Health Attestation Service. Note: Need More Review? Control the Health of Windows 10-Based Devices To review further details about Device Health Attestation, refer to the Microsoft TechNet website at https://technet.microsoft.com/itpro/windows/keep-secure/protect- high-value-assets-by-controlling-the-health-of-windows-10-based-devices

Local Accounts

Local accounts, as the name suggests, exist in the local accounts database on your Windows 10 device; it can only be granted access to local resources and, where granted, exercise administrative rights and privileges on the local computer. When you first install Windows 10, you are prompted to sign in using a Microsoft account or to create a local account to sign in with. Thereafter, you can create additional local user accounts as your needs dictate. *Default accounts* In Windows 10, three user accounts exist by default in the local accounts database. These are the Administrator account, DefaultAccount, and the Guest account. All of these are disabled by default. When you install Windows 10, you create an additional user account. You can give this account any name. This initial user account is a member of the local Administrators group and therefore can perform any local management task. You can view the installed accounts, including the default accounts, by using the Computer Management console, as shown in inset Figure. You can also use the net user command-line tool and the *get-wmiobject -class win32_useraccount* Windows PowerShell cmdlet to list the local user accounts. You can view the installed accounts, including the default accounts, by using the Computer Management console, as shown in inset Figure. You can also use the *net user* command-line tool and the *get-wmiobject -class win32_useraccount* Windows PowerShell cmdlet to list the local user accounts.

Configure HomeGroup, workgroup, and domain settings

There are a number of ways you can connect your users' devices to your organization's network infrastructure, depending on your requirements. In small networked environments, the simplicity of creating and using a workgroup is usually sufficient. In larger organizations, the desirability of centralizing security settings for connected devices means that using an AD DS domain is the logical option. Understanding when to use workgroups and domains is important, and you must know how to connect your users' devices to these environments: - workgroups - AD DS domain membership - Device Registration

Microsoft Passport

To avoid authentication with passwords, Microsoft provides an authentication system called *Microsoft Passport*. This enables secure authentication without sending a password to an authenticating authority, such as an AD DS domain controller. Microsoft Passport uses two-factor authentication based on Windows Hello-based biometric authentication (or a PIN) together with the ownership of a specific device. Using Microsoft Passportm provides a number of benefits for your organization. *User convenience* - After your employees set up Windows Hello, they can access enterprise resources without needing to remember user names or passwords. *Security* - Because no passwords are used, Microsoft Passport helps protect user identities and user credentials. To set up Microsoft Passport, after users have configured Windows Hello and signed in using their biometric features (or PIN), they register the device. The registration process is as follows: 1. The user creates an account on the device; this can be a local account or a domain account. 2. The user signs in using the account. 3. The user sets up PIN authentication for the account. After a user has completed the registration process, Microsoft Passport generates a new public-private key pair on the device known as a protector key. If installed in the device, the Trusted Platform Module (TPM) generates and stores this protector key; if the device does not have a TPM, Windows encrypts the protector key and stores it on the file system. Microsoft Passport also generates an administrative key that is used to reset credentials if necessary. Note: Signing in with a Microsoft account on a Windows 10-based device automatically sets up Microsoft Passport on the device; users do not need to do anything else.

Computer Management

To manage user accounts by using Computer Management, right-click Start and then click Computer Management. Expand the Local Users And Groups node and then click Users. To create a new user, right-click the Users node and click New User. In the New User dialog box, configure the following properties, as shown in inset Figure, and then click Create. * User Name * Full Name * Password * User Must Change Password At Next Logon * User Cannot Change Password * Password Never Expires * Account Is Disabled After you have added the new user account, you can modify more advanced properties by double-clicking the user account. On the General tab, you can change the user's full name and description and password-related options. On the Member Of tab, you can add the user to groups or remove the user from groups. The Profile tab, enables you to modify the following properties: *Profile path* - The path to the location of a user's desktop profile. The profile stores the user's desktop settings, such as color scheme, desktop wallpaper, and app settings, including the settings stored for the user in the registry. By default, each user who signs in has a profile folder created automatically in the C:\Users\Username folder. You can define another location here, and you can use a Universal Naming Convention (UNC) name in the form of \\Server\Share\Folder. *Logon script* - The name of a logon script that processes each time a user signs in. Typically, this will be a .bat or .cmd file. You might typically place commands to map network drives or load apps in this script file. It is not usual to assign logon scripts in this way. Instead, Group Policy Objects (GPOs) are used to assign logon and startup scripts for domain user accounts. *Home folder* - A personal storage area where users can save their personal documents. By default, users are assigned subfolders within the C:\Users\Username folder for this purpose. However, you can use either of the following two properties to specify an alternate location. *Local path* - A local file system path for storage of the user's personal files. This is entered in the format of a local drive and folder path. *Connect* A network location mapped to the specified drive letter. This is entered in the format of a UNC name.

Authentication in Windows 10

Traditional computer authentication is based on user name and password exchange with an authentication authority. Although password-based authentication is acceptable in many circumstances, Windows 10 provides for a number of additional, more secure methods for users to authenticate with their devices, including multifactor authentication. Multifactor authentication is based on the principle that users who wish to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, and they must be something. For example, a user might know a password, possess a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints.

Credential Guard

When a user signs in to an AD DS domain, they provide their user credentials to a domain controller. As a result of successful authentication, the authenticating domain controller issues Kerberos tickets to the user's computer. The user's computer uses these tickets to establish sessions with server computers that are part of the same AD DS forest. Essentially, if a server receives a session request, it examines the Kerberos ticket for validity. If valid in all respects, and issued by a trusted authenticating authority, such as a domain controller in the same AD DS forest, a session is allowed. These Kerberos tickets, and related security tokens such as NTLM hashes, are stored in the Local Security Authority, a process that runs on Windows-based computers and handles the exchange of such information between the local computer and requesting authorities. However, it is possible for certain malicious software to gain access to this security process and, hence, exploit the stored tickets and hashes. To help protect against this possibility, 64-bit versions of both Windows 10 Enterprise and Windows 10 Education editions have a feature called Credential Guard, which implements a technology known as virtualization-assisted security; this enables Credential Guard to block access to credentials stored in the Local Security Authority. In addition to requiring the appropriate edition of 64-bit editions of Windows 10, the following are the requirements for implementing Credential Guard: - Unified Extensible Firmware Interface (UEFI) 2.3.1 or greater - Secure Boot - Virtualization features: Intel VT-X, AMD-V, and SLAT must be enabled - A VT-d or AMD-Vi input-output memory management unit - A TPM: Windows 10 version 1511 supports both TPM 1.2 and TPM 2.0, but earlier versions of Windows 10 support only TPM 2.0 - Firmware lock After you have verified that your computer meets the requirements, you can enable Credential Guard by using GPOs in an AD DS environment. Open the appropriate GPO for editing and navigate to Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard. Enable Turn On Virtualization Based Security, as shown in inset Figure.

Credential Manager

When users access a website, online service, or server computer on a network, they might need to provide user credentials to access those sites and services. Windows can store the credentials to make it easier for users to access those sites and services later. These credentials are stored in secure areas known as *vaults*. To access the stored credentials, open Control Panel, click User Accounts, and then click Credential Manager. As shown in inset Figure, you can then browse the list of stored credentials. Windows separates the list into those used for websites, listed under Web Credentials, and those used for Windows servers, listed under Windows Credentials. To view stored credentials, select the appropriate website or online service from the list and expand the entry by clicking the Down Arrow. Click Show to view the stored password and click Remove if you no longer want to store the entry. You are prompted to reenter your user account password before you can perform either of these actions.

Windows Hello

Windows Hello is a biometric authentication mechanism built into Windows 10 to address the requirement that users must be able to prove who they are by something they uniquely have. When you implement Windows Hello, users can unlock their devices by using facial recognition or fingerprint scanning. Windows Hello works with Microsoft Passport to authenticate users and enable them to access your network resources. It provides the following benefits: - It helps protect against credential theft. Because a malicious person must have both the device and the biometric information or PIN, it becomes more difficult to access the device. - Employees don't need to remember a password any longer. They can always authenticate using their biometric data. - Windows Hello is part of Windows 10, so you can add additional biometric devices and authentication policies by using GPOs or mobile device management (MDM) configurations service provider (CSP) policies. To implement Windows Hello, your devices must be equipped with appropriate hardware. For facial recognition and iris scanning, suitable cameras must be present in the Windows 10 device. For fingerprint recognition, your devices must be equipped with a fingerprint scanner. After you have installed the necessary hardware devices, to set up Windows Hello, open Settings, click Accounts, and then, on the Sign-in Options page, under Windows Hello, review the options for face, fingerprint, or iris. If you do not have Windows Hello-supported hardware, the Windows Hello section does not appear on the Sign-in Options page. Note: Need More Review? Windows Hello Biometrics in the Enterprise To review further details about using Windows Hello in the enterprise, refer to the Microsoft TechNet website at https://technet.microsoft.com/itpro/windows/keep-secure/windows-hello-in-enterprise

Device Guard

With malicious software (malware) changing daily, the ability of organizations to keep up to date with emerging threats is challenged. Device Guard is an attempt to mitigate this challenge. Rather than allow apps to run unless blocked, Device Guard only runs specifically trusted apps. The requirements for Device Guard are as for Credential Guard. These are: - 64-bit version of Windows 10 Enterprise. - UEFI 2.3.1 or greater. - Secure Boot. - Virtualization features: Intel VT-X, AMD-V, and SLAT must be enabled. - A VT-d or AMD-Vi input-output memory management unit. - A TPM: Windows 10 version 1511 supports both TPM 1.2 and TPM 2.0, but earlier versions of Windows 10 support only TPM 2.0. - Firmware lock. To enable Device Guard in your organization, you must first digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways: - *Publish your apps by using the Windows Store* - All apps in the Windows Store are automatically signed with signatures from a trusted certificate authority (CA). - *Use your own digital certificate or public key infrastructure (PKI)* - You can sign the apps by using a certificate issued by a CA in your own PKI. - *Use a non-Microsoft CA* - You can use a trusted non-Microsoft CA to sign your own desktop Windows apps. - *Use the Device Guard signing portal* - In Windows Store For Business, you can use a Microsoft web service to sign your desktop Windows apps. After digitally signing the trusted apps, you must enable the required hardware and software features in Windows 10. Assuming your devices meet the hardware requirements, and you have enabled the required software features in Windows 10 (Hyper-V Hypervisor and Isolated User Mode), using Control Panel, you can use GPOs to configure the required Device Guard settings. Open the appropriate GPO for editing and navigate to Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard. Note: Need More Review? Device Guard Signing? To review further details about digital signing for Device Guard, refer to the Microsoft TechNet website at https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal

Control Panel

You can manage user accounts from Control Panel. Open Control Panel and click User Accounts and then click User Accounts again. From here, you can: *Make Changes To My Accounts In PC Settings* - Launches the Settings app to enable you to make user account changes. *Change Your Account Name* - Enables you to change your account name *Change Your Account Type* - Enables you to switch between Standard and Administrator account types *Manage Another User Account* - Enables you to manage other user accounts on this computer, as shown in inset Figure. *Change User Account Control Settings* - Launches the User Account Control Settings dialog box from Control Panel Note: You cannot add new accounts from this location. If you want to add a new account, use Computer Management, the Settings app, or Windows PowerShell.