Which option enables you to share files easily among multiple users on a single Windows system?

Sharing Resources Securely

Windows uses NTFS to make the folders and files in a specific user's personal folders (Documents, Music, Pictures, and so on) private. In other words, only the user who created those documents can access those documents. Members of the Administrators group can override this behavior, but members of the Users group (standard users) cannot. On a shared Windows machine, you'll need to take extra steps and actively share resources to make them available to multiple users. Here's a scenario. The Snyder family has a computer in the media room that acts as a media server. It has accounts for each family member. The family could be smart and run something that makes sharing music easy, like iTunes, but they stuck with Windows Media Player. Each user needs access to the shared collection of MP3 files.

Windows Vista and 7 make sharing with everyone very simple through the Public libraries for Documents, Music, Pictures, and Videos. Open Windows Explorer and click the down arrow next to one of the Libraries folders; for example, click the down arrow next to Music to see My Music and Public Music (see Figure 14-29). Every user can access anything saved in the Public Music folder.

Windows 8/8.1 versions have the same Libraries as Windows Vista/7, but they are not visible by default. Right-click on some white space in File Explorer and select Show libraries (see Figure 14-30). The Libraries folders show up just fine.

Windows 10 does not work this way, and, in fact, all modern versions of Windows give you much more granular options for securely sharing specific folders with specific users.

NOTE Sharing gets more interesting and complicated when you put a computer into a network setting. We'll cover network sharing and accessing of shared resources in depth in Chapter 21.

So the next obvious question follows: How do you share non-library folders with one or more users on a single computer? The next sections walk through the details.

Sharing a Folder

Probably the easiest part of the whole securely sharing process is the sharing itself. There's more than one way to do this, so let's first look at the most tedious way. Select the folder you wish to share, right-click on it, and select Properties | Sharing tab. From here, select Advanced Sharing. Click on the Share this folder checkbox and give the folder a network share name (see Figure 14-31).

Next, click on the Permissions button. By default, all new Windows shares only have Read permission. Here is where you set your share to Full Control, as shown in Figure 14-32. Note that the Change checkbox automatically gets checked. Click OK twice to get back to the Properties folder, and let's go to step two.

Add/Edit Users and/or Groups

It's now time to add users and groups and set their NTFS permissions. Head over to the Security tab. You'll notice it has two sections: the top section is a list of users and groups that currently have NTFS permissions to that folder, and the bottom section is a list of NTFS permissions for the currently selected users and groups (see Figure 14-33). To add a new user or group, click the Edit button. In the Permissions dialog box that opens, you can not only add new users and groups but also remove them and edit existing NTFS permissions (see Figure 14-34).

While the method just shown works for all versions of Windows, it's a tad old-fashioned. Windows provides yet another method for sharing that's less powerful but easier to use. To use this method, pick anything you want to share (even a single file) in Windows Explorer/File Explorer. Then simply right-click on it and select Share (or Share with) | Specific people. This opens the File Sharing dialog box, shown in Figure 14-35, where you can select specific user accounts from a drop-down list.

Once you select a user account, you can then choose what permission level to give to that user. You have two choices: Read and Read/Write (see Figure 14-36). Read simply means the user has read-only permissions. Read/Write gives the user read and write permissions and the permission to delete any file the user contributed to the folder.

NOTE If the computer in question is on a Windows domain, the File Sharing dialog box differs such that you can search the network for user accounts in the domain. This makes it easy to share throughout the network. See Chapter 21 for the details.

Locating Shared Folders

Before you walk away from a computer, you should check for any unnecessary or unknown (to you) shared folders on the hard drives. This enables you to make the computer as secure as possible for the user. When you look in Windows Explorer/File Explorer, shared folders don't just jump out at you, especially if they're buried deep within the file system. A shared C: drive is obvious, but a shared folder all the way down in D:\temp\backup\Simon\secret share would not be obvious, especially if none of the parent folders were shared.

Windows comes with a handy tool for locating all of the shared folders on a computer, regardless of where they reside on the drives. The Computer Management console in the Administrative Tools has a Shared Folders option under System Tools. Under Shared Folders are three options: Shares, Sessions, and Open Files. Select Shares to reveal all of the shared folders (see Figure 14-37).

You can double-click on any share to open the Properties dialog box for that folder. At that point, you can make changes to the share such as users and permissions just as you would from any other sharing dialog box.

Administrative Shares

A close look at the screenshot in Figure 14-37 might have left some of you with raised eyebrows and quizzical looks. What kind of share is ADMIN$ or C$?

Every version of Windows since Windows NT comes with several default shares, notably all hard drives (not optical drives or removable devices, such as thumb drives) plus the %systemroot% folder (usually C:\Windows) and a couple of others, depending on the system. These administrative shares give local administrators administrative access to these resources, whether they log on locally or remotely. (In contrast, shares added manually are called local shares.)

Administrative shares are odd ducks. You cannot change the default permissions on them. You can delete them, but Windows will re-create them automatically every time you reboot. They're hidden, so they don't appear when you browse a machine over the network, though you can map them by name. Keep the administrator password safe, and these default shares won't affect the overall security of the computer.

NOTE Administrative shares have been exploited by malware programs, especially because many users who set up their computers never give the administrator account a password. Starting with Windows XP Home, Microsoft changed the remote access permissions for such machines. If you log on to a computer remotely as administrator with no password, you get guest access rather than administrator access. That neatly nips potential exploits in the bud.
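The share check described under Locating Shared Folders can also be scripted. The following PowerShell is an added example, not part of the original chapter: it lists every share, separates administrative shares from local shares, and shows both permission layers set earlier (share permissions and NTFS permissions). The function name Get-ShareAudit and the NeedsReview rule are assumptions made for this example.

```powershell
# Added example (not from the original chapter). Requires the SmbShare module
# (Windows 8 / Server 2012 or later); run from an elevated PowerShell prompt.

function Get-ShareAudit {
    foreach ($share in Get-SmbShare) {
        # Special is $true for the default administrative shares (C$, ADMIN$, IPC$).
        $kind = if ($share.Special) { 'Administrative' } else { 'Local' }

        # Layer 1: share permissions (the Permissions button in Advanced Sharing).
        $shareAcl = @(Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue)

        # Layer 2: NTFS permissions (the Security tab). IPC$ has no folder behind it.
        $ntfsAcl = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $ntfsAcl = @((Get-Acl -LiteralPath $share.Path).Access)
        }

        # Assumption for this example: a local share that allows Everyone
        # Full or Change at the share level deserves a second look.
        # ('Everyone' is the English account name; localized systems differ.)
        $broad = @($shareAcl | Where-Object {
            $_.AccountName -eq 'Everyone' -and
            [string]$_.AccessControlType -eq 'Allow' -and
            [string]$_.AccessRight -in 'Full', 'Change'
        })
        $needsReview = (-not $share.Special) -and ($broad.Count -gt 0)

        [pscustomobject]@{
            Name        = $share.Name
            Kind        = $kind
            Path        = $share.Path
            ShareAccess = ($shareAcl | ForEach-Object {
                '{0}: {1} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
            }) -join '; '
            NtfsAccess  = ($ntfsAcl | ForEach-Object {
                '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
            }) -join '; '
            NeedsReview = $needsReview
        }
    }
}

# Local shares first, so an unexpected deep share is easy to spot.
Get-ShareAudit | Sort-Object Kind -Descending | Format-List
```

The Kind column makes the ADMIN$ and C$ entries from the Shares view easy to tell apart from shares someone added by hand.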

Protecting Data with Encryption

The scrambling of data through encryption techniques provides the only true way to secure your data from access by any other user. Administrators can use the Take Ownership permission to seize any file or folder on a computer, even those you don't actively share. Thus, you need to implement other security measures for that data that needs to be ultra secure. Depending on the version of Windows, you have between zero and three encryption tools: Windows Home editions have basically no security features. Advanced editions of Windows add a system that can encrypt files and folders called Encrypting File System. Finally, the most advanced editions feature drive encryption through BitLocker.

Encrypting File System

The professional editions of Windows offer a feature called the Encrypting File System (EFS), an encryption scheme that any user can use to encrypt individual files or folders on a computer.

You can encrypt a file or folder in seconds. Just right-click on the file or folder you want to encrypt and select Properties. In the Properties dialog box for that object, select the General tab and click the Advanced button (see Figure 14-38) to open the Advanced Attributes dialog box. Click the checkbox next to Encrypt contents to secure data (see Figure 14-39). Click OK to close the Advanced Attributes dialog box and then click OK again on the Properties dialog box, and you've locked that file or folder from any user account aside from your own.

NOTE Encryption is just one possible attribute of a file. You can also make files hidden, read-only, and more, all from a file or folder's Properties dialog box. You'll learn more about attributes in Chapter 16.

As long as you maintain the integrity of your password, any data you encrypt by using EFS is secure from prying eyes. That security comes at a potential price, though, and your password is the key. The Windows security database stores the password (securely, not plain text, so no worries there), but that means access to your encrypted files is based on that specific installation of Windows. If you lose your password or an administrator resets your password, you're locked out of your encrypted files permanently. There's no recovery. Also, if the computer dies and you try to retrieve your data by installing the hard drive in another system, you're likewise out of luck. Even if you have an identical user name on the new system, the security ID that defines the user account will differ from what you had on the old system.

NOTE Remember the password reset disk we discussed earlier in the chapter? If you use EFS, you simply must have a valid password reset disk in the event of some horrible catastrophe.

And one last caveat. If you copy an encrypted file to a drive formatted as anything but NTFS, you'll get a prompt saying that the copied file will not be encrypted. If you copy to a drive with NTFS, the encryption stays. The encrypted file, even if on a removable disk, will only be readable on your system with your login.

BitLocker Drive Encryption

Windows Ultimate and Enterprise editions, and Windows 8/8.1 Pro, offer full drive encryption through BitLocker Drive Encryption. BitLocker encrypts the whole drive, including every user's files, so it's not dependent on any one account. The beauty of BitLocker is that if your hard drive is stolen, such as in the case of a stolen portable computer, all of the data on the hard drive is safe. The thief can't get access, even if you have a user on that system who failed to secure his or her data through EFS.

BitLocker requires a special Trusted Platform Module (TPM) chip on the motherboard to function. The TPM chip validates on boot that the computer has not changed (that you still have the same operating system installed, for example, and that the computer wasn't hacked by some malevolent program). The TPM also works in cases where you move the BitLocker drive from one system to another. If you have a legitimate BitLocker failure (rather than a theft) because of tampering or moving the drive to another system, you need to have a properly created and accessible recovery key or recovery password. The key or password is generally created at the time you enable BitLocker and should be kept somewhere secure, such as a printed copy in a safe or a file on a network server accessible only to administrators.

To enable BitLocker, double-click the BitLocker Drive Encryption icon in the Classic Control Panel, or select Security in Control Panel Home view and then click Turn on BitLocker (see Figure 14-40).

BitLocker to Go enables you to apply BitLocker encryption to removable drives, like USB-based flash drives. Although it shares a name, BitLocker to Go applies encryption and password protection, but doesn't require a TPM chip. Still, every little bit counts when it comes to securing data.

Beyond Sharing Users and Groups

As you've just seen, users and groups are powerful tools for authenticating users to systems as well as authorizing NTFS permissions, but that's not where their power ends. There are two more areas where we use users and groups to go beyond logging on to a system or sharing folders and files: security policies and User Account Control. Let's discuss security policies first and then cover User Account Control.

Security Policies

Security policies are just rules we apply to users and groups to do, well, just about everything but NTFS permissions. Would you like to configure your system so that the Accounting group can only log on between 9 A.M. and 5 P.M.? There's a security policy for that. How about forcing anyone who logs on to your system to use a password that's at least eight characters long? There's a security policy for that as well. Windows provides thousands of preset security policies that you may use simply by turning them on in a utility called Local Security Policy.

All versions of Windows have the Local Security Policy utility. You may access this tool through Control Panel | Administrative Tools | Local Security Policy, but all of us cool kids just open a command line and run secpol.msc. However you choose to access this tool, it will look something like Figure 14-41.

EXAM TIP Local security policies are incredibly powerful, so powerful that one could make a career out of understanding all they can do. We're covering just enough on the Local Security Policy editor to cover a few basic questions on the CompTIA A+ 220-902 exam.

Local Security Policy has a number of containers that help organize the many types of policies on a typical system. Under each container are sub-containers or preset policies. As an example, let's set a local security policy that causes user passwords to expire every 30 days, better known as account password expiration or password age. To do this, open up the Account Policies container and then open the Password Policy sub-container. Look at the Maximum password age setting. On almost all versions of Windows your local user account passwords expire after 42 days. You can easily change this to 30 days just by double-clicking on Maximum password age and adjusting the setting in the Properties dialog box, as shown in Figure 14-42. You can also set the value to 0 and the password will never expire.

NOTE This setting only works for your local user accounts.

User Account Control

When picking the poster child for the "327 Reasons We Hated Vista" list, I'll bet most folks put Vista's User Account Control (UAC) at the very top. Vista's UAC manifested as a pop-up dialog box that seemed to appear every time you tried to do anything on a Windows Vista system (see Figure 14-43). It's too bad that UAC got such a bad rap. Not only is UAC an important security update for all versions of Windows, it is also a common feature in both Mac OS X and Linux/Unix. Figure 14-44 shows the equivalent feature on a Mac.

If every other major operating system uses something like UAC, why was Microsoft slammed so hard when they unveiled UAC in Windows Vista? The reason was simple: Windows users are spoiled rotten, and until UAC came along, the vast majority of users had no idea how risky their computing behavior was.

The problem started years ago when Microsoft created NTFS. NTFS uses robust user accounts and enables fine control over how users access files and folders, but at a cost: NTFS in its pure form is somewhat complicated.

User accounts have always been a bit of a challenge. The only account that can truly do anything on a Windows system is the administrator. Sure, you can configure a system with groups and assign NTFS permissions to those groups (and this is commonly done on large networks with a full-time IT staff), but what about small offices and home networks? These users almost never have the skill sets to deal with the complexities of users and groups, which often results in systems where the user accounts are all assigned administrator privileges by default, and that's when it gets dangerous (see Figure 14-45).

User Account Control enables users to know when they are about to do something that has serious consequences. Here are some examples of common actions that require administrator privileges:

• Installing and uninstalling applications

• Installing a driver for a device (e.g., a digital camera driver)

• Installing Windows Updates

• Adjusting Windows Firewall settings

• Changing a user's account type

• Browsing to another user's directory

Before Vista, Microsoft invented the idea of the Power Users group to give users almost all of the power of an administrator account (to handle most of the situations just described) without actually giving users the full power of the account. Assigning a user to the Power Users group still required someone who knew how to do this, however, so most folks at the small office/home level simply ignored the Power Users group (see Figure 14-46).

Clearly, Microsoft needed a better method to prevent people from running programs that they should not run. If users have the correct privileges, however (or the ability to "escalate" their privileges to that of an administrator), then they should be able to do what they need to do as simply as possible. Microsoft needed to make the following changes:

• The idea of using an administrator account for daily use needed to go away.

• Any level of account should be able to do anything as easily as possible.

• If a regular account wants to do something that requires administrator privileges, the user of the regular account will need to enter the administrator password.

• If a user with administrator privileges wants to run something that requires administrator privileges, the user will not have to reenter his or her password, but the user will have to respond to an "Are you sure?"-type dialog box so he or she appreciates the gravity of the action; thus, the infamous UAC dialog box.

NOTE Both Linux and Mac OS X have been using a UAC function for a long time; it's called sudo. Check it out in Chapter 16.

How UAC Works

Sorry, but if you want to talk about UAC, you have to see how it all started with Vista. Since Vista was the first Windows OS with UAC, it has some of the classic "version 1.0" problems. Forgive me for the Vista references, but you need to see the Vista way of UAC to appreciate why it works the way it does in the most modern versions of Windows.

UAC works for both standard user accounts and administrator accounts. If a standard user attempts to do something that requires administrator privileges, he or she sees a UAC dialog box that prompts for the administrator password (see Figure 14-47).

If a user with administrator privileges attempts to do something that requires administrator privileges, a simpler UAC dialog box appears, like the one shown in Figure 14-48.

NOTE The official name for the UAC dialog box is the "UAC consent prompt." When the UAC consent prompt appears in Vista, the rest of the desktop darkens and you cannot take any other action until you respond to the consent prompt.

Interestingly, Vista has not one but four different UAC prompts, depending on the program/feature you wish to run, as outlined in Table 14-2.

In all versions of Windows, blocked programs generate a scary-looking, red-bannered dialog box like the one shown in Figure 14-49. Note you can click OK in Windows Vista (or Close in Windows 7/8/8.1/10) or look at more details (if available).

Unverified programs lack any form of certificate to validate. In this case, you get a yellow-bannered dialog box warning you the application is unsigned and giving you two options: allow the program to run (Yes) or not (No). See Figure 14-50 for an example of this.

Verified programs aren't part of the core of Vista and are usually written by third parties. These programs do have valid, verified certificates. You can identify the dialog box by its gray-blue banner (see Figure 14-51).

Published by Vista programs are written as part of the core of Vista and show up with a teal-bannered dialog box (see Figure 14-52).

UAC uses small shield icons to warn you ahead of time that it will prompt you before certain tasks, as shown in Figure 14-53. Microsoft updated this somewhat redundant feature in subsequent versions of Windows, as you'll soon see.

UAC gives users running a program an opportunity to consider their actions before they move forward. It's a good thing, but spoiled Windows users aren't accustomed to something that makes them consider their actions. As a result, one of the first things everyone learned how to do when Vista came out was to turn off UAC.

How to Turn Off UAC

You can turn off UAC in a number of ways in Windows. Here are the two most common ways:

1. In the User Accounts Control Panel applet, you'll see an option to Turn User Account Control on or off (see Figure 14-54). Select this option and uncheck the checkbox to turn UAC off. Check the checkbox to turn it on again.

2. You can also configure UAC from the Tools tab in the System Configuration utility (msconfig); Figure 14-55 shows how to accomplish this in Windows Vista.

UAC in Windows Vista worked well, but it startled users. Suddenly, users had to deal with UAC, and they didn't like that. Most users simply turned UAC off and added it to the reasons to not like Windows Vista.

UAC in Modern Windows

Microsoft may be a huge company, but it still knows how to react when its customers speak out about features they don't like. Windows 7 unveiled a more refined, less "in-your-face" UAC that makes the feature much easier to use. This is the version of UAC used in all later versions of Windows as well.

A More Granular UAC

Microsoft did some research on why UAC drove users nuts, concluding that the problem wasn't UAC itself but the "I'm constantly in your face or you can turn me off and you get no help at all" aspect. To make UAC less aggressive, Microsoft introduced four UAC levels. To see these levels, go to the User Accounts applet and select Change User Account Control settings, as shown in Figure 14-56. When you select this option, you see the dialog box in Figure 14-57.

In Figure 14-57, you can see a slider with four levels. The top level (Always notify) means you want UAC to work exactly as it does in Vista, displaying the aggressive consent form every time you do anything that typically requires administrator access. The bottom option (Never notify) turns off UAC. The two levels in the middle are new and are very similar. Both of them do the following:

• Don't notify me when I make changes.

• Notify me only when programs try to make changes.

The only difference is in how they show the change. The second-from-top level will display the typical consent form, but only when programs try to make changes. The third-from-top level displays a consent form, but where the normal consent form dims your desktop and doesn't allow you to do anything but address the form, this consent form just pops up like a normal dialog box.

EXAM TIP Make sure you know what each of the four UAC levels does.
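To check which of the four levels a machine is actually set to without opening the slider, you can read the registry values behind it. The following PowerShell is an added example, not part of the original chapter; the function name Get-UacLevel is made up for it, and the mapping from registry values to slider levels comes from the standard UAC policy values rather than from this text.

```powershell
# Added example (not from the original chapter): report the UAC slider level.
# Read-only; works from a standard (non-elevated) PowerShell prompt.

function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $lua    = $p.EnableLUA                   # 0 = UAC switched off entirely
    $admin  = $p.ConsentPromptBehaviorAdmin  # prompt style for administrators
    $secure = $p.PromptOnSecureDesktop       # 1 = dim the desktop for the prompt
    $user   = $p.ConsentPromptBehaviorUser   # prompt style for standard users

    # Map the administrator values onto the four slider positions.
    $level = if ($lua -eq 0) {
        'UAC disabled (EnableLUA = 0)'
    } else {
        switch ("$admin/$secure") {
            '2/1'   { 'Always notify (top level, Vista-style)' }
            '5/1'   { 'Notify only when programs try to make changes (second from top, default)' }
            '5/0'   { 'Notify only when programs try to make changes, desktop not dimmed (third from top)' }
            '0/0'   { 'Never notify (bottom level)' }
            default { "Custom policy (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }
        }
    }

    # Standard users are asked for administrator credentials unless policy says otherwise.
    $userMap = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $userPrompt = if ($null -eq $user) {
        'Not set'
    } elseif ($userMap.ContainsKey([int]$user)) {
        $userMap[[int]$user]
    } else {
        "Unrecognized value $user"
    }

    [pscustomobject]@{
        AdminLevel         = $level
        StandardUserPrompt = $userPrompt
        EnableLUA          = $lua
    }
}

Get-UacLevel | Format-List
```

A result of "Never notify" or "UAC disabled" identifies a machine where someone has turned UAC off.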

Program Changes Versus Changes I Make

So what's the difference between a program making a change and you making a change? Take a look at Figure 14-58. In this case, Windows 7 is set to the second-from-top option. A program (the very safe and, judging by the color of the banner, verified) Adobe Download Manager is attempting to install a feature into Internet Explorer. Because this is a program trying to make changes, the UAC consent form appears and darkens the desktop.

If you lower the UAC to the third-from-top option, you still see a consent form, but now it acts like a typical dialog box, as shown in Figure 14-59.

EXAM TIP The default behavior for UAC in Windows 7 is the second-from-top option, which results in a screen similar to Figure 14-58.

A program such as the Adobe program described earlier is very different from a feature you want to change. Notice the shields, as shown in earlier figures.

Each of these options isn't a program; each is merely a feature built into Windows. Those shields tell you that clicking the feature next to a shield will require administrator privileges. If you were to pick the Vista-strength UAC option, you'd get a UAC consent prompt when you click one of those features. If you set UAC to any of the three lower settings, however, you'd go straight to that feature without any form of UAC consent prompt. Of course, this isn't true if you don't have administrator privileges. If you're a standard user, you'll still be prompted for a password, just as in Vista.

Overall, the improvements to UAC in Windows 7 show that it has a place on everyone's computer. UAC might cause an occasional surprise or irritation, but that one more "Are you sure?" could mean the difference between safe and unsafe computing. So go ahead, turn UAC back on in Windows! It's well worth the small inconvenience.

Chapter Review

Questions

1. Which tool or mechanism defines what resources a user may access and what he or she may do with those resources?

A. Authentication through user accounts and passwords

B. Authorization through user accounts and passwords

C. Authentication through NTFS

D. Authorization through NTFS

2. Which is the best password for the user Joy, who has a pet named Fido and a birth date of January 8, 1982?

A. joy1982

B. joylovesfido

C. 1982cutie

D. oddvr88*

3. How can you encrypt an entire drive, including files and folders belonging to other users?

A. EFS

B. User Account Control

C. Administrative Shares

D. BitLocker

4. What feature in Windows 7 opens a consent prompt for standard users to enter administrator credentials to accomplish various tasks reserved for the latter group?

A. User Access Command

B. User Access Control

C. User Account Command

D. User Account Control

Chapter 14: Users, Groups, and Permissions


5. Which permission enables an administrator to change the ownership of a file without knowing the user account password for that file?

A. Change permission

B. Change Ownership permission

C. Ownership permission

D. Take Ownership permission

6. You copy a file from a folder on a hard drive formatted as NTFS, with permissions set to Read for everyone, to a USB thumb drive formatted as FAT32. What effective permissions does the copy of the file have?

A. Read-only for everyone

B. Full Control for everyone

C. None

D. You can't copy a file from an NTFS drive to a FAT32 drive.

7. Which of the following commands is used to change file permissions in Linux?

A. chmod

B. chown

C. users

D. pwn

8. Which tool in Windows 8.1 enables you to create a new user account based on a global Microsoft account?

A. User Accounts in Control Panel

B. Users and Groups in Control Panel

C. Settings charm

D. Users charm

9. Which option enables you to share files easily among multiple users on a single Windows 8 system?

A. Place the files in the Public Libraries.

B. Place the files in the Public Shares.

C. Place the files in the EFS folders.

D. You cannot. Windows locks down sharing on a single system.

10. Which of the following file systems enables you to encrypt files, thus making them unviewable by any account but your own?

A. EFS

B. FAT

C. FAT32

D. OSR

Answers

1. D. Authorization through NTFS defines resources a user may access and what he or she can do with those resources.

2. D. Of the choices listed, oddvr88* would be the best password; it has a non-alphanumeric character, which makes it more difficult for a hacker to crack.

3. D. BitLocker Drive Encryption enables you to encrypt an entire drive, including files and folders belonging to other users.

4. D. The User Account Control feature in Windows 7 provides a consent prompt for standard users to enter administrator credentials to accomplish various tasks normally reserved for the Administrators group.

5. D. The Take Ownership permission enables an administrator to change the ownership of a file without knowing the user account password for that file.

6. C. The key here is that you are copying from an NTFS hard drive to a FAT32 USB drive. Copying from an NTFS-based partition to a FAT- or FAT32-based partition creates two copies of the object; the copy of the object in the new location has no effective permissions at all.

7. A. The chmod command enables you to change file permissions in Linux.

8. C. The Settings charm in Windows 8.1 enables you to create a new user account based on a global Microsoft account.

9. A. The Public Libraries make it easy to share files among multiple users of a single system.

10. A. The Encrypting File System (EFS) enables you to encrypt files, making them unviewable by any account but your own.


Which of the following best describes what happens when share and NTFS permissions combine?

When using share permissions and NTFS permissions together, if there is a conflict in the configuration, the most restrictive permission prevails. For example, if a user has NTFS full access to a specific file in a folder that is not shared, the user cannot access the file from the network.

Which NTFS permission for a folder is defined as enabling you to read write and delete both files and subfolders?

Besides Full Control, Change, and Read that can be set for groups or individually, NTFS offers a few more permission options. Full control: Allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories.