Sunday, October 28, 2012

Chapter 9 Working with Workgroups and Domains


 
 
Authentication - verify ID - "Can I see your ID please"
Authorization - giving permission - cashier enters code in register granting permission for purchase
User rights - this is not a part of permissions - specific OS tasks that can be performed by designated users or system admin:
·         Backups
·         System shut down
·         Allow log on through terminal services
Groups - giving permissions by using groups instead of individual users is less work for administrators; easier to give and take away permissions.
Two ways of assigning permissions in Windows, depending on experience/expertise:
·         User accounts - for inexperienced users
·         Local users and groups - full access to local users and groups for the more experienced user

Three main user profiles:
·         Local - automatically created
·         Roaming - stored on shared server - accessible from anywhere on network
·         Mandatory - roaming profile that is a read-only profile - users can change how it looks while they are logged on - once they log off, the profile reverts back to original setup
Domain vs. workgroup
·         Main difference - users log on to domain once rather than each computer individually
·         When accessing network resources, the individual computer hosting the resource sends authorization requests to the domain controller rather than handling all requests itself
The properties sheet for local users has 3 tabs, whereas the domain user properties sheet has 15, allowing significantly more information about the user and network resources.
Built-in local groups can have their properties modified (changed names and new permissions), but it's better to leave the built-ins with the defaults. Create your own and assign the permissions needed. See table on page 332 for built-in local groups and their capabilities. Local groups are defined by what they cannot do:
·         Can only be used on computer where they were created
·         Local users from same computer can be members of local groups
·         When computer is part of AD DS domain - local groups can have domain users and domain global groups as members
·         Local groups can't have other local groups as members - domain groups can be members
·         Assign permissions to local groups only when controlling access to resources on local computer
·         If a Windows server is functioning as a domain controller, local groups can't be created on it
Special identity - placeholder for users with similar characteristics - see page 333 for table of Special Identities and their constituents

Saturday, October 27, 2012

Chapter 8 Managing and Monitoring Windows 7 Performance


The first part of the chapter reviewed Windows Update types, which take one of the following forms:

·         Hotfixes

·         Security updates

·         Cumulative updates or rollups

·         Service packs

The updates are classified in the following categories of importance:

·         Important

·         Recommended

·         Optional

·         Device drivers - usually updated from the manufacturer's website

In large organizations, admins may delay running the updates until after testing them on one workstation to ensure applications will still work properly, or they may wait several weeks to allow any bugs to be worked out.

·         Home users or small offices may install updates automatically, which is the recommended method.

·         You can also set it up to download the updates, but let the user decide when to install.

·         Check for updates and let user decide if they want to download them.

·         Never check for updates - NOT recommended.

WSUS - Windows Server Update Services

·         Downloads updates and stores in a database for admin evaluation

·         Select updates to deploy and which computers to deploy them to

·         This allows updates to be downloaded once from the Internet - reduces bandwidth usage

·         Distributes using LAN

Event Viewer displays log info gathered by the OS in a graphical application. Events can be information, error, warning or critical. Windows logs:

·         Application

·         Security

·         Setup

·         System

·         Forwarded events

Performance Monitor displays performance counters as reports, bar graph or line graph. You can add counters to create customized performance trackers. 4 pieces of info need to be added to create a counter:

·         Computer

·         Performance object

·         Performance counter

·         Instance

The type of information that is collected should determine the view used. If the counter values are considerably different, or if there are several different categories, it may be more meaningful to display them as a report or as a histogram. To create an effective display:

·         Limit number of counters

·         Modify counter display properties

·         Choose counters with comparable values

A data collector set (DCS) is used to create a baseline so you have readings to compare to a future instance.

To monitor programs and configuration settings that may be causing negative effects on system performance, you need to use the System Configuration tool by typing msconfig in the start menu search box.

Friday, October 19, 2012

Chapter 7 Working with Applications


Internet Explorer (IE) - compatibility mode enables the browser to display older pages properly. The broken window icon just to the right of the address box signals that some features on the page may not be displaying properly. Setting the policies for Compatibility View can fix the problem. The following settings are available and detailed information is on page 229:

·         Turn on IE 7 Standards mode

·         Turn off compatibility view

·         Turn on IE standards mode for local Internet

·         Turn on Compatibility view button

·         Include updated Web site lists from Microsoft

·         Use policy list of Internet Explorer sites

Add-ons are software components that interact with basic functions of the web browser. Details are on page 229 and they can be accessed from the menu bar or Tools:

·         Toolbars and extensions

·         Search providers

·         Accelerators

·         InPrivate Filtering

Accelerators - enable users to send content to other resources (page 234). By enabling Use Policy Accelerators, users can access only the set of accelerators that are deployed through Group Policy, and they are unable to add or delete Accelerators. If you disable or do not configure Use Policy Accelerators, users will have access to any accelerators they have installed, which is what the director wants to prevent. Disable overrides enable.

·         Deploy non-default Accelerators

·         Deploy default Accelerators

·         Turn off Accelerators

·         Use Policy Accelerators

Protected mode - IE is in protected mode by default - prevents attackers from accessing important system resources by only allowing access to low integrity disk locations. Little damage can be done because access to vital system areas is denied.

·         Cookies

·         Temporary files

·         History

Protected mode incompatibilities can be resolved by (page 243):

·         Moving the site to the trusted site zone

·         Disable protected mode - this is not recommended

·         Modify the application

Security zones - different security zones are available with different privileges (page 243). After assigning web sites to the different zones, the security settings of the zones can be modified, but all the web sites in that zone will be affected (page 243):

·         Internet - sites that do not fall into the other categories

·         Local Intranet

·         Trusted sites

·         Restricted zones

SmartScreen filter - examines web page traffic for phishing activities and displays a warning when detected. SmartScreen filters by (page 246):

·         Online lookup of phishing sites

·         Online lookup of download sites

·         Onsite analysis

InPrivate - can block providers from gathering information. It also prevents an administrator from being able to track where users are going.

InPrivate Filtering - prevents third party sites from gathering information about browsing practices. If InPrivate Filtering is enabled, InPrivate Filtering will be disabled in all browsing sessions and InPrivate Filtering data will not be collected.

·         Block specific providers or all from gathering information


Sunday, October 7, 2012

Chapter 6 - Sharing Resources


Permissions in Windows 7 - individual permissions are called ACEs (access control entries) and are stored in an ACL (access control list). Permissions are stored as part of the component being protected, not the security principal being granted access. There are 4 permission systems:

·         NTFS - controls access to files/folders stored on an NTFS volume

·         Share - controls access to files/folders shared over a network

o   Must have NTFS and share permissions in order to access files/folders over a network

·         Registry - controls access to parts of Windows registry - in order to modify registry settings, user must have permissions

·         Active Directory - controls access to parts of AD - permissions are required when servicing computers that are a part of a domain

You can allow or deny permissions. Combining both in the same hierarchy makes it too confusing/difficult to figure out what the effective permissions are for the specific component.

Inheriting permissions - passing permissions downward from parent to child, or folder to files.

·         Can be turned off

·         Denying permissions that are inherited overrides any allow permissions

Permissions are affected differently when copying and moving files:

·         Copying NTFS files/folders to the same or a different NTFS volume - new copy inherits permissions from the parent folder at the new location

·         Moving NTFS files/folders to a new location on the same NTFS volume - existing permissions move with them

·         Moving NTFS files/folders to a new location on a different NTFS volume - inherit permissions from the parent folder at the new location

Effective permissions are the combination of Allow and Deny permissions, whether assigned, inherited, or received through a group membership - sometimes these permissions conflict:

·         Allow permissions are cumulative

·         Deny permissions override Allow permissions

·         Explicit permissions take priority over inherited permissions
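
The three rules above can be modelled in a few lines. This is an added example, not from the textbook or from Windows itself: a simplified Python model of how an ACL resolves to effective rights, where the `ACE` class, the `effective_rights` function and the sample folder ACL are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str        # user or group the entry applies to
    allow: bool           # True = Allow entry, False = Deny entry
    rights: frozenset     # e.g. frozenset({"read", "write"})
    inherited: bool       # True if passed down from the parent folder

def effective_rights(acl, user, groups):
    """Resolve one user's effective rights from the ACL of one object."""
    principals = {user, *groups}
    granted, decided = set(), set()
    # Explicit entries are evaluated before inherited ones, so a right
    # settled by an explicit ACE is never changed by an inherited ACE.
    for inherited in (False, True):
        tier = [a for a in acl
                if a.inherited == inherited and a.principal in principals]
        denied = set().union(*(a.rights for a in tier if not a.allow))
        allowed = set().union(*(a.rights for a in tier if a.allow))  # cumulative
        granted |= (allowed - denied) - decided  # Deny overrides Allow in a tier
        decided |= allowed | denied
    return granted

def R(*names):
    return frozenset(names)

# Constructed ACL for a hypothetical folder; every name here is made up.
PAYROLL_ACL = [
    ACE("Users",       True,  R("read"),          inherited=True),
    ACE("Accounting",  True,  R("read", "write"), inherited=True),
    ACE("Interns",     False, R("write"),         inherited=True),
    ACE("alice",       True,  R("write"),         inherited=False),
    ACE("Contractors", False, R("read"),          inherited=False),
]

if __name__ == "__main__":
    cases = {
        "carol": ["Users", "Accounting"],            # Allows add up
        "bob":   ["Users", "Accounting", "Interns"],  # inherited Deny wins
        "alice": ["Users", "Interns"],               # explicit Allow beats inherited Deny
        "dave":  ["Users", "Contractors"],           # explicit Deny beats inherited Allow
    }
    for user, groups in cases.items():
        print(user, sorted(effective_rights(PAYROLL_ACL, user, groups)))
```
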

Ownership - every file/folder has an owner. The owner is the user that created the element, but any account possessing the Take Ownership special permission (or Full Control) can take ownership of the file/folder.

·         Combination of certain permissions can lock out a file/folder - allowing NO ONE to have access - but, there is a "back door" that allows the Owner access


Windows is very specific with its print/printer/print device/print driver/print server terminology:

·         Print device - actual printer hardware

·         Printer - software interface through which computers communicate with the print device

·         Print server - computer that receives print jobs and sends them to print devices

·         Printer driver - converts print jobs to commands for a specific print device

To share printers, network discovery and file and printer sharing must be enabled in Network and Sharing Center.


Create printer on workstation and share it with the network - configure printer to function as a printer pool using IP addresses.