CompTIA® A+ Practical Exam Notes: Basic Windows OS Security Settings

3. Computer Security

3.3 Basic Windows OS security settings

BitLocker To Go: Encryption is a key component in any operating system security plan. With the help of the newly improved BitLocker, Windows 7 users can have more control over the encryption of their hard drives. Microsoft's BitLocker even automatically encrypts new data while it's running. It's a hands-off tool that should improve security in Windows 7.

BitLocker To Go is new to Windows 7. Rather than encrypting just the desktop, BitLocker To Go allows users to encrypt portable hardware, like external hard drives and USB keys. It's probably one of the best new security features in Windows 7. More users than ever are going mobile. Data is at risk whenever that happens.

BitLocker To Go helps to limit the spread of sensitive data to malicious hands.

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems. It is designed to protect data by providing encryption for entire volumes. The algorithm loads before the OS, and protects the entire volume. OS files can't be put in a volume that uses BitLocker.

To make all files in the directory myfiles read-only, the command is "ATTRIB C:\MYFILES +r".

If you encrypt a folder on an NTFS volume, all files and subfolders created in the encrypted folder are not automatically encrypted. However, you will be asked whether you want to encrypt all the subfolders and their content. If you choose YES, they will also be encrypted.

Also note that you can't encrypt a file or folder that is compressed. If you want to encrypt a file or folder that is compressed, you need to first decompress the file or folder and then encrypt. Only NTFS volumes support file or folder encryption.

You can set the following attributes using the ATTRIB command:

1. System

2. Hidden

3. Read-only

4. Archive

'+' sets an attribute

'-' clears an attribute

The correct syntax is:

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [PATH] [FILESPEC] [/S]

/S Processes files in all directories in the specified path.
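The ATTRIB switches above, applied to a small throwaway folder tree (an added example, not part of the original notes; the folder `attrib-demo` and the file names are constructed for the demonstration and assume a Windows PowerShell prompt):

```powershell
# Constructed sample tree under %TEMP%; folder and file names are made up.
$root = Join-Path $env:TEMP 'attrib-demo'
$sub  = Join-Path $root 'sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
Set-Content -Path (Join-Path $root 'a.txt') -Value 'top-level file'
Set-Content -Path (Join-Path $sub  'b.txt') -Value 'file in a subfolder'

# Helper (hypothetical name): list each file with its read-only flag
# and its full attribute set as Windows reports them.
function Show-FileAttributes {
    Get-ChildItem -Path $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object Name, IsReadOnly, Attributes
}

# '+R' sets Read-only. /S processes files in all directories in the path,
# so the file in the subfolder is changed as well.
attrib +R "$root\*.*" /S
Show-FileAttributes

# '-R' clears Read-only. Without /S only the files directly in the folder
# are processed; compare the two files in the listing.
attrib -R "$root\*.*"
Show-FileAttributes

# Several attributes can be combined in one command: Hidden and System.
attrib +H +S (Join-Path $root 'a.txt')

# ATTRIB with no '+' or '-' switch only displays the current attributes.
attrib "$root\*.*" /S

# Read-only is a file attribute, not a permission: any user who may write
# to the file can clear it with -R. It guards against accidental changes,
# not against someone who already has write access.

# Clean up: clear the attributes that were set, then delete the tree.
attrib -R -H -S "$root\*.*" /S
Remove-Item -Path $root -Recurse -Force
```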

Encrypting File System (EFS) keeps your documents safe from intruders who might gain unauthorized physical access to your sensitive stored data by stealing your laptop or Zip disk, or by other means.

Windows 7 BitLocker and the Encrypting File System (EFS) are two robust security features designed to protect the system and user data. When comparing BitLocker and EFS:

1. BitLocker encrypts volumes, whereas EFS only encrypts files.

2. BitLocker does not require user certificates, but EFS does.

3. BitLocker protects the operating system from modification, whereas EFS does not.

The following reserved characters can't be used in Windows file names:

* < (less than)

* > (greater than)

* : (colon)

* " (double quote)

* / (forward slash)

* \ (backslash)

* | (vertical bar or pipe)

* ? (question mark)

* * (asterisk)

By applying the latest Windows updates, it is possible to secure the operating system against any known bugs.

Windows Security Center also shows the status of software designed to protect against spyware. In addition to its own software, Windows Security Center can monitor security products from multiple companies and show you which are enabled and up to date.

For local administrators, only the built-in administrator account can be used to perform a remote install. Since this account is disabled by default, use the "net user administrator /active:yes" command from the command console. This will enable this account to install applications remotely.

Login time restrictions: Even if the login and password are available, the user may be ignorant of the same. You need to take the login information from the user directly before proceeding with any work.

BIOS Password: In the BIOS the supervisor password will prevent someone from reconfiguring the BIOS settings without the proper password.

The BIOS password is stored in CMOS memory that is maintained while the PC is powered off by a small battery, which is attached to the motherboard. Refer to the motherboard manual to find the jumper that clears the BIOS password. Alternatively, if you remove this battery, all CMOS information (including the BIOS password) will be lost.

The company policy requires that the password be changed every month. It is highly recommended that the password be remembered. It is a bad practice to alternate between two known passwords.

Create a group, and give privileges to group members to make required changes to workstations. Add the user accounts to this group.

Account Management: On a stand-alone computer or a computer that is a member of a workgroup, a user account establishes the privileges assigned to each user. The three user accounts available are: Administrator, Limited, and Guest. The important features of these accounts are as given below:

Administrator account:

  • Can create and delete user accounts on the computer.
  • Can change other users' account names, passwords, and account types.

Standard account:

  • A standard user account lets a person use most of the capabilities of the computer, but permission from an administrator is required if you want to make changes that affect other users or the security of the computer.
  • When you use a standard account, you can use most programs that are installed on the computer, but you can't install or uninstall software and hardware, delete files that are required for the computer to work, or change settings on the computer that affect other users.

Guest account:

  • Cannot install software or hardware, but can access applications that have already been installed on the computer.
  • Cannot change the guest account type.
  • You should disable any guest accounts on your system as they can provide information to hackers and increase your security risk.
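A quick audit of the two built-in accounts discussed in these notes: the Guest account, which should be disabled, and the built-in Administrator account, which is disabled by default. This is an added example, not part of the original notes; the function name `Get-BuiltinAccountStatus` is hypothetical, and it assumes Windows PowerShell, where `Get-WmiObject` is available.

```powershell
# The built-in Administrator and Guest accounts keep the well-known
# relative IDs 500 and 501 at the end of their SIDs even after they are
# renamed, so the check matches on the SID rather than on the name.
function Get-BuiltinAccountStatus {
    # LocalAccount=True restricts the query to accounts on this machine.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($a in $accounts) {
        if     ($a.SID -match '-500$') { $role = 'Administrator' }
        elseif ($a.SID -match '-501$') { $role = 'Guest' }
        else                           { continue }   # ordinary account, skip

        $enabled = -not $a.Disabled

        if (-not $enabled) {
            $finding = 'OK: disabled'
        }
        elseif ($role -eq 'Guest') {
            # Same command family the notes use for the Administrator account.
            $finding = "Disable it: net user `"$($a.Name)`" /active:no"
        }
        else {
            $finding = 'Enabled: confirm it is still needed (off by default)'
        }

        New-Object PSObject -Property @{
            Role    = $role
            Name    = $a.Name
            Enabled = $enabled
            Finding = $finding
        }
    }
}

Get-BuiltinAccountStatus |
    Select-Object Role, Name, Enabled, Finding |
    Format-Table -AutoSize
```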

User-level security gives better control of resources on a user-by-user basis. Share-level security assigns passwords to the resources rather than to the users and is less secure.
