Client Chap 14
User Control Panel
You can manage user accounts from Control Panel You cannot add new accounts from this location. If you want to add a new account, use Computer Management, the Settings app, or Windows PowerShell.
Authentication is
the process of verifying the identity of a security principal: a user, a group, a computer or other device, a service or process.
Microsoft Passport uses
two-factor authentication based on Windows Hello-based biometric authentication (or a PIN) together with the ownership of a specific device.
To enable Device Guard in your organization,
you must first digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways. Publish your apps by using the Windows Store All apps in the Windows Store are automatically signed with signatures from a trusted certificate authority (CA). Use your own digital certificate or public key infrastructure (PKI) You can sign the apps by using a certificate issued by a CA in your own PKI. Use a non-Microsoft CA You can use a trusted non-Microsoft CA to sign your own desktop Windows apps. Use the Device Guard signing portal In Windows Store For Business, you can use a Microsoft web service to sign your desktop Windows apps.
To configure UAC by using Control Panel, use the following procedure.
1. From Control Panel, click System And Security. 2. Click Change User Account Control Settings. you can use the slider bar in the Choose When To Be Notified About Changes To Your Computer dialog box to adjust the UAC settings
To set up picture passwords, complete the following procedure.
1. On the Sign-in Options tab, under Picture Password, click Add. You are prompted to verify your account information. 2. Reenter your account password. 3. You are provided with an initial picture. If you want, click Select Picture to choose another. 4. Draw three gestures directly on your screen. Remember that the size, position, and direction of the gestures are stored as part of the picture password. 5. You are prompted to repeat your gestures. If your repeated gestures match, click Finish
Profile path
By default, each user who signs in has a profile folder created automatically in the C:\Users\Username folder. You can define another location here, and you can use a Universal Naming Convention (UNC) name in the form of \\Server\Share\Folder
Home folder
By default, users are assigned subfolders within the C:\Users\Username folder for this purpose. However, you can use either of the following two properties to specify an alternate location. Local path A local file system path for storage of the user's personal files. This is entered in the format of a local drive and folder path. Connect A network location mapped to the specified drive letter. This is entered in the format of a UNC name.
Standard users can perform the following tasks without requiring elevation.
Change their user account passwords. Configure accessibility options. Configure power options. Install updates by using Windows Update. Install device drivers included in the operating system or by using Windows Update. View Windows 10 settings. Pair Bluetooth devices. Establish network connections, reset network adapters, and perform network diagnostics and repair.
To help users access these websites and services, Windows stores the credentials and provides two features to help protect users' credentials.
Configure Credential Manager Configure Credential Guard
After you enable Device Registration, users can register and enroll their devices in your organizational network. After they have enrolled their devices:
Enrolled devices are associated with a specific user account in the AD DS directory. A device object is created in AD DS to represent the physical device and its associated user account. A user certificate is installed on the user's device.
Before you can manage local user accounts, you must install the Windows PowerShell local account module. You can do this by running the following cmdlet from an elevated Windows PowerShell command.
Find-Module localaccount | Install-Module
can then use the following cmdlets to manage local user accounts.
Get-LocalUser New-LocalUser Remove-LocalUser Rename-LocalUser Disable-LocalUser Enable-LocalUser
add a new local user account called Sales 02 with a password that expires in one month, run the following cmdlet.
New-LocalUser -Name "Sales02" -Description "Sales User account" -PasswordExpires (GetDate).AddMonths(1)
After you have verified that your computer meets the requirements, you can enable Credential Guard by using GPOs in an AD DS environment
Open the appropriate GPO for editing and navigate to Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard. Enable Turn On Virtualization Based Security,
login script
The name of a logon script that processes each time a user signs in. Typically, this will be a .bat or .cmd file. You might typically place commands to map network drives or load apps in this script file. It is not usual to assign logon scripts in this way. Instead, Group Policy Objects (GPOs) are used to assign logon and startup scripts for domain user accounts.
In addition to using PINs and biometric gestures to sign in, users can also choose to use a picture password.
This is configured in the Settings app. select Accounts and then select the Sign-In Options tab.
The main reasons to implement Device Registration are:
To enable access to corporate resources from non-domain-joined devices. To enable SSO for specific apps and/or resources in your internal network.
Using Microsoft Passport provides a number of benefits for your organization.
User convenience After your employees set up Windows Hello, they can access enterprise resources without needing to remember user names or passwords. Security Because no passwords are used, Microsoft Passport helps protect user identities and user credentials.
Configure Device Guard
With malicious software (malware) changing daily, the ability of organizations to keep up to date with emerging threats is challenged. Device Guard is an attempt to mitigate this challenge. Rather than allow apps to run unless blocked, Device Guard only runs specifically trusted apps.
summary
You can use either local or Microsoft accounts for authentication in Windows 10. You can use Windows Hello, Microsoft Passport, and picture passwords to improve authentication security. You can use Credential Manager and Credential Guard to help protect authentication. Device Guard and Device Health Attestation can help secure Windows 10 devices. Devices can access domain resources by belonging to that domain or by using Device Registration.
Windows Hello
is a biometric authentication mechanism built into Windows 10 to address the requirement that users must be able to prove who they are by something they uniquely have. When you implement Windows Hello, users can unlock their devices by using facial recognition or fingerprint scanning.
Multifactor authentication
is based on the principle that users who wish to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, and they must be something
To access the stored credentials,
open Control Panel, click User Accounts, and then click Credential Manager. Windows separates the list into those used for websites, listed under Web Credentials, and those used for Windows servers, listed under Windows Credentials.
After determining what constitutes a healthy device, you must next consider how to evaluate device health and what to do when devices fail health evaluation. Windows 10 contains features that enable device health determination during startup, and Device Health Attestation to be stored in the device's TPM. The process is as follows.
1. Hardware startup components are measured. 2. Windows 10 startup components are measured. 3. If Device Guard is enabled, the current Device Guard policy is measured. 4. The Windows 10 kernel is measured. 5. Antivirus software is started as the first kernel mode driver. 6. Boot start drivers are measured. 7. The MDM server through the MDM agent issues a health check command by using the Health Attestation configuration service provider (CSP). 8. Startup measurements, now stored in a log, are sent to and validated by the Health Attestation Service.
To connect your Microsoft account to your local or domain user account, use the following procedure
1. In Settings, click Accounts. 2. On the Your Email And Accounts page, in the details pane, click Sign In With A Microsoft Account Instead 3. On the Make It Yours page, enter the email address and password associated with your Microsoft account and then click Sign In 4. On the Sign In To This Device Using Your Microsoft Account page, in the Old Password box, type the password for your local user account and then click Next. 5. On the Set Up A PIN page, click Set A PIN. This is optional, but using a PIN is more secure than a password because it is only relevant on this device. If you prefer to not use a PIN, click Skip This Step. 6. When prompted, in the Set Up A PIN dialog box, enter your chosen PIN twice and click OK. 7. You are returned to the Your Email And Accounts page. Click Verify to enable Microsoft to verify that you have permission to connect this Microsoft account to your device.
If you want to add a local account by using the Settings app, use the following procedure
1. In the Settings app, click Accounts. 2. On the Family & Other Users tab, under Other Users, click Add Someone Else To This PC. 3. In the How Will This Person Sign In dialog box, click I Don't Have This Person's Sign-In Information. 4. In the Let's Create Your Account Dialog Box, click Add A User Without A Microsoft Account. 5. On the Create An Account For This PC page, type the user name, type a new password twice, and then click Next to create the local account.
You work in support at A. Datum Corporation. You are implementing authentication and authorization. Your manager has some concerns about security of devices, and you must investigate and then configure features in Windows 10 that can help allay your manager's concerns. As a consultant for A. Datum, answer the following questions about authentication and authorization in the A. Datum organization. 1. Your manager asks you about the benefits of using Microsoft accounts over those of using local accounts on your users' Windows 10 devices. What are these benefits? 2. Your manager wants to know why entering a four-digit PIN is more secure than using a complex password. How would you answer? 3. Windows 10 implements a feature called User Account Control. What is the default prompt that a user receives when they attempt to perform a management task requiring elevation when they are signed in using a standard user account? 4. What are the requirements of Device Guard in Windows 10? 5. What is the purpose of Device Registration?
1. Microsoft accounts offer the following benefits to users of Windows 10 devices. A. Access to personal Microsoft cloud services, including OneDrive, Outlook.com, and other personal apps B. Access to Microsoft Intune, Microsoft Office 365, and Microsoft Azure C. The ability to download and install apps from the Microsoft Store D. The ability to sync user settings between devices that are linked to your account 2. A PIN is more secure because it is based on two-factor authentication: knowledge of the PIN and possession of the device where that PIN is registered as an authentication gesture. A password can be used on any device, and only knowledge of the password is required. 3. A standard user receives the prompt for credentials when they attempt elevation to perform an administrative task. 4. To implement Device Guard, your device requires a 64-bit version of Windows 10 Enterprise; a UEFI version 2.3.1 or greater; Secure Boot; virtualization features: Intel VT-X, AMD-V , and SLAT; a VT-d or AMDVi input-output memory management unit; a TPM; and firmware lock. 5. Device Registration enables users with their own devices to access corporate network resources by using SSO. From the organization's perspective, these devices can be managed as part of an MDM policy.
Use the following procedure to define the workgroup.
1. Open Control Panel. 2. Click System And Security and then click System. 3. Click Change Settings 4. In the System Properties dialog box, on the Computer Name tab, click Change. 5. In the Computer Name/Domain Changes dialog box, in the Workgroup box
In a domain environment, you can centralize administration, security, and application policies and provide a more managed approach to sharing and accessing resources. To join a computer to an AD DS domain, use the following procedure
1. Open Control Panel. 2. Click System And Security. 3. Click System. 4. Click Change Settings, 5. In the System Properties dialog box, on the Computer Name tab, click Change. 6. In the Computer Name/Domain Changes dialog box, under Member Of, in the Domain box, type the domain name and click OK. 7. In the Windows Security dialog box, shown in Figure 14-15, enter the credentials of a domain account that has the required permission to join computers to the domain. Typically, this is a domain administrator account. The computer attempts to connect to the domain, create an object for the computer in the AD DS domain, and then update the local computer's configuration to reflect these changes. 9. When prompted, click OK twice. 10. Click Close and restart your computer
Procedure to register devices
1. Open Settings and then click Accounts. 2. In Accounts, click the Work Access tab 3. In the details pane, under Enroll In To Device Management, click Enroll In To Device Management. 4. On the Connect To Work Or School page, in the Email Address box, type the user ID with which you want to register the device. 5. When prompted, enter the domain credentials to begin Device Registration. You must use a domain account for this purpose, even if your Windows 10-based device is in a workgroup. The device attempts to communicate with the Enterpriseregistration host and continues the process of Device Registration.
To sign up for a Microsoft account, use the following procedure
1. Open a web browser and navigate to https://signup.live.com. 2. To use your own email address for your Microsoft account, type it into the web form. If you choose this option, you must verify the address later. 3. If you want to create a Hotmail or Outlook.com account, click Get A New Email Address and then complete the email address line, specifying whether you want a Hotmail or Outlook suffix. 4. Press Tab to verify that the name you entered is available. 5. Complete the rest of the form and then agree to the privacy statement by clicking I Accept.
The following process describes how health startup measurements are sent to the Health Attestation Service.
1. The device initiates a request with the remote device Health Attestation Service, usually a Microsoft cloud service such as Microsoft Intune. 2. The client sends the startup log with associated digital certificates. 3. The remote device Heath Attestation Service then: Verifies that the certificate is valid. Verifies the integrity of the submitted log. Parses the properties in the TCG log. Issues a device health token that contains the health information, the device ID, and the boot counter information. The device health token is encrypted and signed. 4. The device stores the health token locally.
To set up Microsoft Passport, after users have configured Windows Hello and signed in using their biometric features (or PIN), they register the device. The registration process is as follows.
1. The user creates an account on the device; this can be a local account or a domain account. 2. The user signs in using the account. 3. The user sets up PIN authentication for the account
The requirements for Device Guard are as for Credential Guard. These are:
64-bit version of Windows 10 Enterprise. UEFI 2.3.1 or greater. Secure Boot. Virtualization features: Intel VT-X, AMD-V , and SLAT must be enabled. A VT-d or AMD-Vi input-output memory management unit. A TPM: Windows 10 version 1511 supports both TPM 1.2 and TPM 2.0, but earlier versions of Windows 10 support only TPM 2.0. Firmware lock.
After you connect your Microsoft account with your local account, you can
Access personal Microsoft cloud services, including OneDrive, Outlook.com, and other personal apps. Use the Microsoft account to access Microsoft Intune, Microsoft Office 365, and Microsoft Azure. Download and install apps from the Microsoft Store. Sync your settings between devices that are linked to your account
When a user signs in to an AD DS domain, they provide their user credentials to a domain controller.
As a result of successful authentication, the authenticating domain controller issues Kerberos tickets to the user's computer. The user's computer uses these tickets to establish sessions with server computers that are part of the same AD DS forest. Essentially, if a server receives a session request, it examines the Kerberos ticket for validity. If valid in all respects, and issued by a trusted authenticating authority, such as a domain controller in the same AD DS forest, a session is allowed.
To help protect against this possibility, 64-bit versions of both Windows 10 Enterprise and Windows 10 Education editions have a feature called
Credential Guard, which implements a technology known as virtualizationassisted security; this enables Credential Guard to block access to credentials stored in the Local Security Authority.
You can use MDM policies or GPOs to configure settings for Microsoft Passport in your organization.
For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy. You can also impose rules on PINs so that, for example, a PIN must consist of five characters, including digits and lowercase letters
In earlier versions of Windows, it was necessary to sign in using an administrative account to perform administrative tasks. This often led to users signing in with administrative accounts at all times, even when performing standard user tasks, such as running apps or browsing Internet websites
However, being signed in with administrative privilege at all times poses a security risk because it provides for the possibility of malicious software exploiting administrative access to files and other resources. Windows 10 provides UAC to help mitigate this threat.
These Kerberos tickets, and related security tokens such as NTLM hashes, are stored in the Local Security Authority, a process that runs on Windowsbased computers and handles the exchange of such information between the local computer and requesting authorities.
However, it is possible for certain malicious software to gain access to this security process and, hence, exploit the stored tickets and hashes.
If Windows 10 detects an Internet connection during setup, you are prompted to specify your Microsoft account details
However, you can link your Microsoft account to a local or AD DS domain account after setup is complete.
When you sign in using an administrative account, UAC inhibits the account's access to that of a standard user, only elevating the account's privileges to administrative level when required, and only after prompting the user for permissions to do so
In addition, if a user signs in with a standard user account and attempts to perform a task requiring administrative privileges, UAC can prompt the user for administrative credentials.
There are a number of ways you can connect your users' devices to your organization's network infrastructure, depending on your requirements
In small networked environments, the simplicity of creating and using a workgroup is usually sufficient. In larger organizations, the desirability of centralizing security settings for connected devices means that using an AD DS domain is the logical option. Understanding when to use workgroups and domains is important, and you must know how to connect your users' devices to these environments.
Depending on your Microsoft account options, you can receive an email to a designated account for confirmation purposes, or you might choose to receive a text message to your cell phone.
In this instance, the Microsoft account is configured with a cell phone for verification. On the Help Us Protect Your Info page, enter the required information, click Next, and follow the instructions on your Windows 10-based device to enter the code that you receive on your cell phone. Verification is then complete.
However, the following tasks require elevation.
Install or remove apps. Install a device driver not included in Windows or Windows Update. Modify UAC settings. Open Windows Firewall in Control Panel. Add or remove user accounts. Restore system backups. Configure Windows Update settings.
Windows Hello works with Microsoft Passport to authenticate users and enable them to access your network resources. It provides the following benefits
It helps protect against credential theft. Because a malicious person must have both the device and the biometric information or PIN, it becomes more difficult to access the device. Employees don't need to remember a password any longer. They can always authenticate using their biometric data. Windows Hello is part of Windows 10, so you can add additional biometric devices and authentication policies by using GPOs or mobile device management (MDM) configurations service provider (CSP) policies.
To avoid authentication with passwords, Microsoft provides an authentication system called
Microsoft Passport This enables secure authentication without sending a password to an authenticating authority, such as an AD DS domain controller.
Pairing of Credentials and Devices
Microsoft Passport pairs a specific device and a user credential. Consequently, the PIN the user chooses is associated only with the active account and that specific device.
It is important that when users attempt to connect their devices to your organization's network, you can determine that those devices are secure and conform to organizational policies regarding security settings and features.
Microsoft provides two features in Windows 10 that can help you meet the goal of allowing only secured devices to connect to your organization's network. These features are Device Guard and Device health attestation.
The available settings are
Never Notify Me When In this setting, UAC is disabled. This means that users signing in with Standard accounts cannot perform administrative tasks because there is no means to prompt for credentials with which to perform those tasks. Users signing in with administrative accounts can perform any task requiring elevation, without a prompt for consent. Notify Me Only When Apps Try To Make Changes To My Computer (Do Not Dim Desktop) In this mode, users are prompted, but Windows does not switch to Secure Desktop while awaiting user consent. This is less secure. Notify Me Only When Apps Try To Make Changes To My Computer (Default) In this mode, users are prompted, and Windows switches to Secure Desktop while awaiting user consent. This is more secure. Always Notify Me When This is the most secure but most intrusive setting. Users are prompted not only for application installations, but also any time they make Windows settings changes.
When a user performs a task requiring elevation, depending on settings, UAC can prompt the user in two ways for elevation
Prompt for consent This appears to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user. Prompt for credentials This appears to standard users when they attempt to perform an administrative task.
Using the Settings App
The preferred way to manage local accounts in Windows 10 is by using the Settings app. From Settings, click Accounts Assigning a picture to your account. Adding accounts for email, calendar, and contacts. Adding a Microsoft account. Adding a workplace or school account, such as a Microsoft Office 365
The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture.
The user can now securely sign in to their device using the PIN and then add support for a biometric gesture as an alternative for the PIN. The gesture could be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned earlier. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and stores it securely. The user can then sign in using the PIN or a biometric gesture.
When users access a website, online service, or server computer on a network, they might need to provide user credentials to access those sites and services. Windows can store the credentials to make it easier for users to access those sites and services later.
These credentials are stored in secure areas known as vaults.
Offline domain join is useful when you are adding computers to a domain from a regional data center that has limited connectivity to the main data center where domain controllers reside
To add a computer to a domain by using the offline domain join procedure, use the Djoin.exe command-line tool.
A workgroup is sometimes described as a peer-to-peer network, in which each device has its own set of user and group accounts, its own security policy, and its own resources that can be shared with others.
To establish a workgroup, you must define the workgroup name. You do this on each computer that will be part of the workgroup
In addition to requiring the appropriate edition of 64-bit editions of Windows 10, the following are the requirements for implementing Credential Guard.
Unified Extensible Firmware Interface (UEFI) 2.3.1 or greater Secure Boot Virtualization features: Intel VT-X, AMD-V , and SLAT must be enabled A VT-d or AMD-Vi input-output memory management unit A TPM: Windows 10 version 1511 supports both TPM 1.2 and TPM 2.0, but earlier versions of Windows 10 support only TPM 2.0 Firmware lock
To manage user accounts by using Computer Management, right-click Start and then click Computer Management. Expand the Local Users And Groups node and then click Users. To create a new user, right-click the Users node and click New User.
User Name Full Name Password User Must Change Password At Next Logon User Cannot Change Password Password Never Expires Account Is Disabled
After you have configured sign-in options, it is important to understand how user credentials are stored and protected.
Users must sign in not only to Windows 10 but to websites and online services, most of which do not use the user's Windows 10 credentials.
If a Windows 10-based device is joined to your AD DS domain, users can access your organization's resources by using the same credentials they signed in to their device with, without needing to reenter them.
Users who are using devices that are not domain-joined that connect to resources in your organization must enter credentials for each resource to which they attempt a connection. This can be frustrating for users that want to use their own devices.
Generally, a Windows 10 device might be considered healthy if it is configured with appropriate security features and settings
Windows 10 Enterprise includes the Device Health Attestation feature, which can help you determine the health of devices connecting to your corporate network. The requirements for Device Health Attestation are the same as for Device Guard with the exception that TPM 2.0 is required. However, you also require a cloud-based service such as Microsoft Intune to enable the necessary MDM features and device policies to enforce health attestation on your users' devices.
A Microsoft account provides you with an identity that you can use to sign in on multiple devices and access online services
You can also use the account to synchronize your personal settings between your Windows-based devices.
You can view the installed accounts, including the default accounts, by using the Computer Management console
You can also use the net user command-line tool and the get-wmiobject -class win32_useraccount Windows PowerShell cmdlet to list the local user accounts.
If you need to add a new account, click the Family & Other Users tab and then click Add Someone Else To This PC
You must then enter that person's email address, typically the address they use to sign in to Office 365, OneDrive, Skype, Xbox, or Outlook.com.
After a user has completed the registration process, Microsoft Passport generates
a new public-private key pair on the device known as a protector key. If installed in the device, the Trusted Platform Module (TPM) generates and stores this protector key; if the device does not have a TPM, Windows encrypts the protector key and stores it on the file system. Microsoft Passport also generates an administrative key that is used to reset credentials if necessary.
After you are signed in, it is important to ensure that your user account operates as
a standard user account and is only elevated to an administrative level when needed. User Account Control (UAC) can help you control administrative privilege elevation in Windows 10.
Authorization takes place
after a security principal has been authenticated and is the process of granting access to a resource for an identified security principal
UAC is enabled by default
but you can configure and, if necessary, disable UAC by using Control Panel or Group Policy Objects (GPOs) in an AD DS domain environment
Admin Approval Mode
is the process whereby a user signed in with an administrative account operates in the context of a standard user until a task is attempted that requires administrative privilege. At that time, the user receives the configured prompt—by default, a prompt for consent.
Local accounts, as the name suggests, exist in the local accounts database on your Windows 10 device
it can only be granted access to local resources and, where granted, exercise administrative rights and privileges on the local computer.
Windows 10 supports the ability for you to sign in using
local accounts, Active Directory Domain Services (AD DS) domain accounts, and Microsoft accounts.
On a domain controller
open Group Policy Management and locate the appropriate GPO. Open the GPO for editing and navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options and then locate the settings in the details pane that have the User Account Control prefix.
After you have installed the necessary hardware devices, to set up Windows Hello
open Settings, click Accounts, and then, on the Sign-in Options page, under Windows Hello, review the options for face, fingerprint, or iris. If you do not have Windows Hello-supported hardware, the Windows Hello section does not appear on the Sign-in Options page.
To implement GPOs to configure Microsoft Passport settings in your organization
open the appropriate GPO for editing and navigate to Computer Configuration / Policies / Administrative Templates / Windows Components / Microsoft Passport For Work. Edit and configure the appropriate values.
To view stored credentials,
select the appropriate website or online service from the list and expand the entry by clicking the Down Arrow. Click Show to view the stored password and click Remove if you no longer want to store the entry. You are prompted to reenter your user account password before you can perform either of these actions.
A workgroup is a small collection of computer devices that can share resources
setup and sharing resources in a workgroup requires significant manual intervention. Unlike a domain, there is no centralization of user accounts and related security policies and settings
To use the preceding procedure to add a computer to a domain, the computer you are adding must be online and must be able to communicate with a domain controller. It is possible to add a computer to a domain if the computer you want to add is offline
this process is known as offline domain join.
In addition to configuring UAC settings locally
you can also use GPOs in an AD DS environment.
After digitally signing the trusted apps
you must enable the required hardware and software features in Windows 10. Assuming your devices meet the hardware requirements, and you have enabled the required software features in Windows 10 (Hyper-V Hypervisor and Isolated User Mode), using Control Panel, you can use GPOs to configure the required Device Guard settings. Open the appropriate GPO for editing and navigate to Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard.
To implement Windows Hello
your devices must be equipped with appropriate hardware. For facial recognition and iris scanning, suitable cameras must be present in the Windows 10 device. For fingerprint recognition, your devices must be equipped with a fingerprint scanner.