2.6 Compare and contrast the differences of basic Microsoft Windows OS security settings.
Users and Groups
A number of groups are created on the OS by default. The following sections look at the main ones.
Administrator
The Administrator account is the most powerful of all accounts in Windows. It has the power to do everything from the smallest task all the way to removing the OS.
The Windows Super User.
Because of the great power the Administrator account holds, plus the fact that it's always created no matter what, it's always being targeted by attackers.
Disable + Rename the default guest account created at installation for security reasons.
Standard users can be temporarily elevated to Administrator level by entering admin credentials into the pop-up User Account Control (UAC) prompt.
Administrators Group
Members of this group have complete and total administrative rights.
Power User
Originally Microsoft wanted to create a group in Windows whose members were not as powerful as members of the Administrators group, but still more powerful than standard users, so they created the Power Users group.
The idea was that members of the Power User group would be given Read + Write permission to the system, allowing them to install most software but keeping them from changing key operating system files.
This makes it a good group for programmers and junior administrators.
This group has been removed from Windows 7+ operating systems, but it's still available to be used for backwards compatibility with Windows XP.
Guest
The Guest account is created by default (and should be disabled) and is a member of the Guests group.
For the most part, members of the Guests group have the same rights as a standard user, except they can't get into log files.
The best reason to make users members of the Guests group is to give them access to the system only for a limited time.
Disable + Rename the default guest account created at installation for security reasons. Attackers can get into this account and elevate the privileges to administrator rights.
Standard User
The Standard User account provides the best balance between security + privilege.
Standard Users are allowed to run applications, perform common actions, and access common areas of the OS without needing administrative intervention.
Activities that require access to system components, such as adding hardware or a software program, will trigger a UAC prompt, and in some cases will require the administrator password.
Members of this group have Read + Write permission rights to their own profile. They cannot make system-wide Registry settings or do much harm outside of their own account.
By default, standard users belong to the Users group.
New users are created as standard users by default.
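An added example, not part of the original notes, that audits the built-in accounts and groups described above on the local machine. It is Windows-only PowerShell (Microsoft.PowerShell.LocalAccounts module) and should be run from an elevated prompt; the replacement name for the Guest account is a constructed value for the example.

```powershell
# Added example (not from the notes): audit the local built-in accounts and the
# group memberships discussed above. Windows only, run elevated.

function Get-LocalAccountAudit {
    [CmdletBinding()]
    param()

    # Built-in accounts are identified by the RID at the end of their SID, not by name,
    # so a renamed Administrator (RID 500) or Guest (RID 501) is still found.
    $users = Get-LocalUser
    $builtInAdmin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $builtInGuest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    [PSCustomObject]@{
        AdministratorName     = $builtInAdmin.Name
        AdministratorRenamed  = ($builtInAdmin.Name -ne 'Administrator')
        AdministratorEnabled  = $builtInAdmin.Enabled
        GuestName             = $builtInGuest.Name
        GuestRenamed          = ($builtInGuest.Name -ne 'Guest')
        GuestEnabled          = $builtInGuest.Enabled
        # Every member of Administrators has complete administrative rights,
        # so this list should be short and every entry should be justified.
        AdministratorsMembers = (Get-LocalGroupMember -Group 'Administrators' |
                                     Select-Object -ExpandProperty Name)
        # Power Users is kept for backwards compatibility only; it should normally be empty
        # (the group may not exist at all, hence SilentlyContinue).
        PowerUsersMembers     = (Get-LocalGroupMember -Group 'Power Users' -ErrorAction SilentlyContinue |
                                     Select-Object -ExpandProperty Name)
    }
}

# Remediation for the Guest account, as the notes recommend: disable it and give it a
# non-default name. -WhatIf reports what would change without changing anything.
function Protect-GuestAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NewName = 'DisabledGuestAcct')   # constructed name for the example

    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest.Enabled -and $PSCmdlet.ShouldProcess($guest.Name, 'Disable')) {
        Disable-LocalUser -Name $guest.Name
    }
    if ($guest.Name -eq 'Guest' -and $PSCmdlet.ShouldProcess($guest.Name, "Rename to $NewName")) {
        Rename-LocalUser -Name $guest.Name -NewName $NewName
    }
}

Get-LocalAccountAudit | Format-List
Protect-GuestAccount -WhatIf
```

Matching on the RID rather than the account name is the point of the audit function: after the recommended rename, a check that only looks for an account called "Guest" or "Administrator" would report nothing and miss the real state of the built-in accounts.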
NTFS vs Share Permissions
When you’re accessing a file on the operating system, your access to that file is either controlled by NTFS permissions or Share Permissions.
The main difference between NTFS and Share permissions is that NTFS permissions are assigned locally to the file system itself, meaning that if you're accessing the file locally on the computer, the NTFS permissions apply.
Share permissions are a completely different set of permissions for somebody accessing the file across the network, meaning these permissions apply only if you're accessing a network shared folder.
You can have one set of permissions for someone accessing these files locally (NTFS), and a different set of permissions for someone accessing these files across the network via a network share (Share).
Image: on the left, NTFS permissions; on the right, Share permissions.
NTFS Permissions
NTFS (New Technology File System) was created to address security problems, handle growing disk sizes, and add more stability.
NTFS tracks security in ACLs (Access Control Lists). ACLs can hold permissions for local users and groups.
A FAT32 file system can be turned into an NTFS file system without losing data (FAT32 → NTFS), but you can't do the reverse.
You’ll never be able to go from NTFS → FAT32 without losing all your data. Basically, you can upgrade perfectly fine, but you can’t downgrade and still keep your data.
Can assign permissions at the individual folder and file level.
Share Permissions
Can only be assigned at the folder level.
Share permissions only go into effect when the user connects to the resource via the network.
Permissions are applied to network shared folders.
Allow Vs Deny (NTFS Permission Levels)
Within NTFS, permissions for objects fall into 1 of 3 categories: Allow, Deny, or not configured.
Allow is used when you want the group selected to perform that action.
Not configured is when the group is not allowed to perform that action, but isn’t explicitly being denied from doing so. It can still gain permission through inheritance.
Deny is when you specifically prohibit the group from performing that action. There’s no way the group can perform the action, not even through inheritance. When used, Deny holds the most weight out of all permission levels.
Permissions are also cumulative.
If a user is a member of Group-A (which has read permissions) and a member of Group-B (which has write permissions) then the user has Read + Write permissions.
Effective Permissions
Whenever a user accesses a file share, both the share permissions and NTFS permissions interact with each other to form the effective permission for the user.
The Effective Permission is the permission rule that goes into effect.
The Effective Permission (The permission that goes into effect) is always the one that grants the user the least amount of power.
So let's say Dan wants to access a blue folder.
His permission levels locally (NTFS) are set to Full Control.
But his permission levels for accessing it over the network (Share) are set to read-only.
We take the two permissions (Full Control + Read-only) and choose the most restrictive, in this case, it’s Read-Only.
Read-Only is the Effective Permission.
Deny
If a user's permission level is explicitly set to Deny, then the most restrictive permission level is Deny, making Deny the Effective Permission.
Deny will always be the most restrictive permission level, making it the Effective Permission anytime it’s used.
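An added example, not part of the original notes, that models the three rules from the sections above (NTFS permissions accumulate across groups, an explicit Deny beats every Allow, and over a share the more restrictive of NTFS and Share wins) as PowerShell functions you can run against made-up data. The permission names, their ranking and the group names are simplifications constructed for the example; real Windows ACLs carry many more individual rights.

```powershell
# Added example (not from the notes): a small model of how Windows combines permissions.
# Rank from least to most powerful. "None" stands for "not configured" and for Deny,
# since both leave the user with nothing.
$PermissionRank = @{ 'None' = 0; 'Read' = 1; 'Modify' = 2; 'FullControl' = 3 }

function Get-NtfsEffectivePermission {
    param(
        [string[]]$Memberships,   # groups the user belongs to
        [hashtable]$NtfsAcl       # group -> @{ Allow = 'Read' } or @{ Deny = 'FullControl' }
    )
    $best = 'None'
    foreach ($group in $Memberships) {
        $ace = $NtfsAcl[$group]
        if (-not $ace) { continue }                       # not configured for this group
        if ($ace.ContainsKey('Deny')) { return 'None' }   # explicit Deny: nothing else matters
        if ($PermissionRank[$ace.Allow] -gt $PermissionRank[$best]) {
            $best = $ace.Allow                            # Allows accumulate: keep the strongest
        }
    }
    return $best
}

function Get-EffectivePermission {
    param(
        [string[]]$Memberships,
        [hashtable]$NtfsAcl,
        [string]$SharePermission  # 'Read', 'Modify' (Change) or 'FullControl'
    )
    $ntfs = Get-NtfsEffectivePermission -Memberships $Memberships -NtfsAcl $NtfsAcl
    # Over the network both sets apply and the less powerful one is what the user gets.
    if ($PermissionRank[$ntfs] -le $PermissionRank[$SharePermission]) { return $ntfs }
    return $SharePermission
}

# Constructed scenario from the text: Dan's groups give him Full Control in NTFS
# (Read from Group-A plus Full Control from Group-B), but the share is read-only.
$acl = @{ 'Group-A' = @{ Allow = 'Read' }; 'Group-B' = @{ Allow = 'FullControl' } }
Get-EffectivePermission -Memberships 'Group-A','Group-B' -NtfsAcl $acl -SharePermission 'Read'

# Add an explicit Deny through a third group: the Deny wins regardless of the Allows.
$acl['Contractors'] = @{ Deny = 'FullControl' }
Get-EffectivePermission -Memberships 'Group-A','Group-B','Contractors' -NtfsAcl $acl -SharePermission 'FullControl'
```

For Dan's case the function returns Read (the cumulative NTFS result is FullControl, and the more restrictive of FullControl and Read is Read); once the Contractors group with its Deny is added it returns None, even though the share permission has been raised to Full Control. On a real machine the same two inputs come from Get-Acl (NTFS) and Get-SmbShareAccess (Share).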
Moving vs Copying Folders + Files
Copying
When you copy a file/folder, you create a new entity.
A copy of a file will have the permissions assigned to it that are already in place at the new location of the file, regardless of which permissions were on the original file.
Moving
When you move a file, you are simply relocating it, and it's still considered one entity.
A moved file will attempt to keep the same permissions it had in the original location.
Special Scenarios
Differences will occur if the same permissions can’t exist in the new location. This is common when you’re moving from one file system to another.
Ex. Moving a file from an NTFS file system to a FAT32 file system causes all of the permissions the file had under NTFS to be lost.
But moving a file from FAT32 → NTFS will cause the new permissions that are set in NTFS, to be added to the file.
*Remember! You can never go from NTFS back down to FAT32 without losing everything! But you can go from FAT32 up to NTFS and gain new things.*
File & Folder Attributes
Since the introduction of FAT, file and folder attributes have existed in the filesystem.
The Basic set of attributes can still be found in both FAT & NTFS and are very useful for the operating system.
Read-Only
The read-only attribute is used to make a file or folder read-only.
If the Read-Only attribute is set, users can only read the file or folder, regardless of the permission level they have on it.
Useful to protect files from being overwritten or deleted.
Hidden
The Hidden attribute makes files and folders disappear from the Windows File Explorer utility (with default settings) and from the dir command in the command prompt.
The files still function and are still part of the system; they just don't appear by default.
Useful when you want to hide a file or folder from the average user.
System
The System Attribute marks files and folders as critical system files.
Thanks to NTFS, this attribute isn’t really used anymore.
Archive
The Archive attribute identifies a file as having been modified since its last backup.
This attribute simply states that the file needs to be backed up.
New NTFS Attributes
Indexing
Indexing is used to catalog and improve the search capabilities of your files on your drive.
Once files are indexed, you can search for them more quickly by name, date, or other attributes.
When you turn on indexing for a folder, you’ll be prompted as to whether you want the existing files in the folder to be indexed.
Compression
Compression is used to save space on a drive.
NTFS file + folders can be dynamically compressed and uncompressed, often saving a great deal of space on the drive.
When you turn on compression for a folder, you’ll be prompted as to whether you want the existing files in the folder to be compressed.
If you choose this option, Windows automatically compresses the subfolders and files. If not, only new files created in the folder are compressed.
Encryption
Encryption lets you secure files so that no one else can view them. You encrypt files by encoding them with a key to which only you have access, regardless of the permission level.
Useful when you're worried about the wrong eyes seeing extremely sensitive information, but in general encryption isn't really necessary due to the permission-level security provided by NTFS.
Attributes vs Permissions
A permission is a security control that can apply to individual users or groups of users when accessing a file, while an attribute applies to the file itself.
Attributes apply to the file itself, not the user accessing the file. So any attributes applied to the file also apply to everyone.
Ex. The compression attribute compresses the file itself to save space. Once the file is compressed, anybody who accesses the file will have to decompress it to access it.
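An added example, not part of the original notes, that exercises the Read-Only, Archive and Hidden attributes on a throwaway file so you can watch them act on the file rather than on the user: the user who created the file, and who holds Full Control on it, is blocked by Read-Only just like anyone else. Windows-only PowerShell; the folder name under %TEMP% is a constructed value and is removed at the end.

```powershell
# Added example (not from the notes): basic file attributes in action.
$dir  = Join-Path $env:TEMP 'AttrDemo'               # constructed path for the example
$file = Join-Path $dir 'secret.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'original contents'

function Show-Attributes([string]$Path) {
    # Attributes is a [System.IO.FileAttributes] flags value; it prints as a comma list.
    '{0,-12} {1}' -f (Split-Path $Path -Leaf), (Get-Item -Path $Path -Force).Attributes
}

# A freshly written file carries Archive (changed since the last backup).
Show-Attributes $file

# Read-Only: set it the way "attrib +r" would, then try to overwrite the file.
$item = Get-Item -Path $file
$item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
Show-Attributes $file
try {
    Set-Content -Path $file -Value 'overwrite attempt' -ErrorAction Stop
} catch {
    "Write blocked by the Read-Only attribute: $($_.Exception.Message)"
}

# Archive: clear Read-Only and Archive (both are known to be set, so -bxor toggles them
# off), then append to the file; the write sets Archive again.
$item = Get-Item -Path $file
$item.Attributes = $item.Attributes -bxor ([System.IO.FileAttributes]::ReadOnly -bor [System.IO.FileAttributes]::Archive)
Show-Attributes $file
Add-Content -Path $file -Value 'changed after backup'
Show-Attributes $file

# Hidden: the default listing skips the file; -Force (like "dir /a") still shows it.
$item = Get-Item -Path $file
$item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden
"Visible by default : $((Get-ChildItem -Path $dir).Count) file(s)"
"Visible with -Force: $((Get-ChildItem -Path $dir -Force).Count) file(s)"

Remove-Item -Path $dir -Recurse -Force
```

The Compressed and Encrypted flags from the NTFS attribute list appear in the same [System.IO.FileAttributes] value, so Show-Attributes also reports them on files where compact.exe or cipher.exe has been used.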
Shared File and Folders
You can share folders and the files included in the folders, by right-clicking the files or folder and choosing Give Access To from the drop-down menu and selecting specific people.
You can then choose whom you share it with and configure the permission levels they are going to have.
It's important to remember that when you use this method to share files and folders, the share permissions are set to Full Control for the Everyone group.
Administrative Shares vs Local Shares
Administrative Shares
Administrative shares are hidden shares automatically created on all Windows operating systems on the network for admin purposes.
It’s created so that administrators can have remote access to every disk volume on the entire network.
They allow administrators to manage multiple computers and access drives and folders on remote computers, without having those remote drives actually shared to their PCs.
They always end with a dollar sign ($) to make them hidden.
There’s one share for each volume on a hard drive: c$, d$, and so on.
There’s also access to the root folder admin$ (C:\WINDOWS) and print$ (where the print drivers are located).
Local Shares
Local Shares are shares that are created locally by the administrator user of a particular computer, for a particular computer.
The term Local Shares is used to differentiate between the automated Administrative Shares and any Manually created Shares.
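An added example, not part of the original notes, that lists the shares on the local computer, separates the automatic administrative shares from manually created local shares, and flags local shares whose share permission gives Everyone Full Control (the default that the Give Access To method described above leaves behind). Windows-only PowerShell using the SmbShare module; run elevated.

```powershell
# Added example (not from the notes): share audit for this computer.
function Get-ShareAudit {
    foreach ($share in Get-SmbShare) {
        # Administrative shares end in "$" and are marked Special by the SMB server.
        $isAdminShare = $share.Special -or $share.Name.EndsWith('$')
        $access = Get-SmbShareAccess -Name $share.Name
        $everyoneFull = $access | Where-Object {
            $_.AccountName -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full'
        }
        [PSCustomObject]@{
            Name             = $share.Name
            Path             = $share.Path
            Kind             = if ($isAdminShare) { 'Administrative' } else { 'Local' }
            EveryoneFullCtrl = [bool]$everyoneFull
            # The NTFS ACL still applies underneath and the effective permission is the
            # more restrictive of the two; IPC$ has no path, so guard the Get-Acl call.
            NtfsOwner        = if ($share.Path) { (Get-Acl -Path $share.Path).Owner } else { $null }
        }
    }
}

Get-ShareAudit | Sort-Object Kind, Name | Format-Table -AutoSize

# Local shares granting Everyone Full Control are the ones worth tightening: the share
# permission should be no broader than what network users are actually meant to have.
Get-ShareAudit | Where-Object { $_.Kind -eq 'Local' -and $_.EveryoneFullCtrl }
```

Because the effective permission is the more restrictive of Share and NTFS, an Everyone: Full Control share permission is not by itself a hole, but it means the NTFS ACL is the only thing standing between a network user and the folder, which is why the audit reports it alongside the NTFS owner.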
Permission Inheritance
Inheritance is the default permission structure that's in effect in Windows unless a specific setting is created to override it (Explicit Permission).
Permission levels are propagated (passed down) from the folder to the files within the folder.
Set a permission once, it applies to everything beneath.
Image: permission inheritance.
A user who has Read + Write permissions in one folder will have them in all the subfolders (folders below) unless a specific change has been made to one of the subfolders.
By a specific change, I mean an explicit Deny on one of the subfolders.
Image: explicit permission.
Permission Propagation
Permission propagation occurs when a folder is shared by its owner, and you choose to disable inheritance.
Whenever you disable inheritance, you then have to choose what new permission levels you want this shared file or folder to have.
Upon sharing, the owner can change the permission levels. This will affect how the files and folders within the container are treated by the computer.
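An added example, not part of the original notes, that shows inheritance and propagation on a throwaway folder tree: the subfolder starts with nothing but inherited ACEs, inheritance is then disabled (which converts them to explicit copies), an explicit Deny is added, and a file created underneath picks the Deny up. Windows-only PowerShell; the paths under %TEMP% are constructed for the example, the Deny targets the built-in Guests group so it does not affect the account running the script, and the tree is deleted at the end.

```powershell
# Added example (not from the notes): inheritance, then disabling it, on a temp folder.
$root = Join-Path $env:TEMP 'InheritDemo'        # constructed path for the example
$sub  = Join-Path $root 'Sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null

function Show-Acl([string]$Path) {
    $acl = Get-Acl -Path $Path
    Write-Host "`n$Path  (inheritance disabled: $($acl.AreAccessRulesProtected))"
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# 1. Default state: every ACE on Sub came down from the parent (IsInherited = True).
Show-Acl $sub

# 2. Disable inheritance on Sub. First $true = stop inheriting (protect the ACL),
#    second $true = keep copies of the inherited rules as explicit rules.
$acl = Get-Acl -Path $sub
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sub -AclObject $acl

# 3. Add an explicit Deny on Write for the built-in Guests group, flagged to propagate to
#    subfolders and files. Deny beats every Allow for members of that group.
$acl  = Get-Acl -Path $sub
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Guests',
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $sub -AclObject $acl

# 4. All rules on Sub are now explicit (IsInherited = False) and the Deny is present.
Show-Acl $sub

# 5. A file created under Sub inherits Sub's rules, Deny included: propagation at work.
$file = Join-Path $sub 'note.txt'
Set-Content -Path $file -Value 'demo'
Show-Acl $file

Remove-Item -Path $root -Recurse -Force
```

AreAccessRulesProtected is the property behind the "Disable inheritance" button in the Advanced Security Settings dialog, and IsInherited on each ACE is what that dialog's "Inherited from" column is built on; checking them from PowerShell is a quick way to find folders where someone has broken inheritance and left an explicit ACL behind.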
System Files and Folders
System Files are usually flagged with the Hidden attribute, meaning they don’t appear when a user displays a folder.
System files are critical to the function of the OS, so you should not change the hidden attribute on a system file unless absolutely necessary.
If they are visible, users might delete them (maybe in an attempt to make space on the drive).
Most of them are not deletable, but it's best to be extra cautious.
User Authentication
Users can log in to the local OS if they have an account (normally with username/password login credentials), and they receive a local access token.
The access token the user is granted is only locally important to the OS.
Ex. For a local Administrator that authenticates to an OS, he is only the Administrator of that operating system and has no further network permissions.
Every Windows OS has a local database and authentication system called the SAM (Security Account Manager).
Active Directory makes this process easier for end users and lowers the amount of leg work the administrators have to do.
Access to the system can be verified through created groups and the created group membership each user has.
All users log in to the Windows domain using their centrally created Active Directory user account.
When an end user logs in to Active Directory, they are given a network access token (also called a Kerberos token).
The network access token can be used to authenticate through all the servers and workstations across the entire domain (network). This token is also referred to as the user’s Globally Unique Identifier (GUID).
Network access token, Kerberos token and GUID all refer to the same thing.
Single Sign-On (SSO) is most often used in large corporate settings where users would otherwise be required to remember multiple usernames/passwords for multiple applications.
The purpose for Single Sign-On is to give users access to all the applications and systems they need all at once as soon as they login.
Sometimes used in conjunction with RADIUS to authenticate to the entire network's resources.
Useful because once a user has used SSO, they have access to all the resources on the network at once.
Problematic because once a user has used SSO, they have access to all the resources on the network at once.
Also managed through Kerberos.
Running as an Administrator vs Running as a Standard User
All end users should always login as standard users for security reasons (remember the principle of least privilege).
This protects the local operating system and potentially the entire network.
Some applications can only be run as Administrator for security reasons; in that case you have to right-click the application and choose Run as administrator.
A UAC (User Account Control) window will pop up as a last-minute verification for whatever you're doing. Once you type in your admin credentials or simply select 'Yes', the standard user will then receive the administrative token to complete the task.
UAC allows the user to run as a standard user with the ability to escalate privileges.
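An added example, not part of the original notes, that inspects the access token the current PowerShell session is running under: the user's SID, how the user authenticated (NTLM or Kerberos), which group SIDs are in the token, and whether this is the filtered standard-user token or the administrative token that UAC hands out after the prompt. Windows-only; works unelevated, and that is the interesting case to compare against an elevated window. The two well-known SIDs are Microsoft-documented constants.

```powershell
# Added example (not from the notes): what is in my access token right now?
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Well-known SIDs from Microsoft's documentation.
    $localAccountSid   = 'S-1-5-113'      # present in the token of any local (non-domain) account
    $administratorsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }

    [PSCustomObject]@{
        User               = $identity.Name
        UserSid            = $identity.User.Value          # ACLs store the SID, not the name
        AuthenticationType = $identity.AuthenticationType  # e.g. NTLM, Kerberos, Negotiate
        IsLocalAccount     = ($groupSids -contains $localAccountSid)
        AdminSidInToken    = ($groupSids -contains $administratorsSid)
        # IsInRole(Administrator) is true only when the Administrators group is enabled in
        # the token, i.e. the process was elevated through UAC. An administrator running
        # unelevated holds the filtered token and gets False here.
        Elevated           = $principal.IsInRole($adminRole)
        GroupCount         = $identity.Groups.Count
    }
}

Get-TokenSummary | Format-List

# On a domain-joined machine the Kerberos tickets behind the network token are listed
# by klist; a local-only logon has none to show.
if (Get-Command klist.exe -ErrorAction SilentlyContinue) { klist.exe }
```

Running this once in a normal window and once in a window opened with Run as administrator shows the same user and SID but a different Elevated value, which is exactly the split the notes describe: one account, two tokens, and UAC deciding which one a process gets.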
BitLocker
Windows also supports full hard drive encryption.
Only Administrators can use BitLocker.
It requires a TPM (Trusted Platform Module).
A chip on the motherboard that safely stores the encryption key, so that the key is not stored on the encrypted disk.
Even if the hard drive is completely separated from the rest of the PC, it will still remain fully encrypted and will stay encrypted until someone decrypts it with the TPM.
This prevents hard drives from being dissected and prevents information from being stolen when placed on a different system.
BitLocker To-Go
You can also protect removable drives with BitLocker To-Go.
It provides the same encryption tech used in regular BitLocker, but on a USB flash drive.
You can turn on BitLocker To-Go by inserting the USB drive into the computer, opening the BitLocker Drive Encryption Control Panel applet, and then setting a password.
Once it’s enabled and you plug the USB into a different PC, just enter in the password you created in the control panel applet to access the contents of the flash drive.
EFS
EFS (Encrypting File System) is the encryption technology used in NTFS volumes to encrypt individual files.
EFS uses certificates to encrypt the data.
All users can use EFS, it doesn’t require any special hardware, and can be used in conjunction with BitLocker for further security.
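An added example, not part of the original notes, that reports the state of the three encryption features above on the local machine: whether a TPM is present and ready, the BitLocker status and key protector types of every volume (a BitLocker To-Go drive appears as a removable data volume with a Password protector), and how many EFS-encrypted files sit under the user's Documents folder. Windows-only PowerShell; Get-Tpm and Get-BitLockerVolume need an elevated prompt, and the Documents folder is a constructed scope for the EFS count.

```powershell
# Added example (not from the notes): TPM, BitLocker and EFS status report.
function Get-DiskEncryptionReport {
    # 1. TPM: BitLocker's key normally lives here rather than on the encrypted disk.
    $tpm = Get-Tpm
    [PSCustomObject]@{ Check = 'TPM present'; Value = $tpm.TpmPresent }
    [PSCustomObject]@{ Check = 'TPM ready';   Value = $tpm.TpmReady }

    # 2. BitLocker on every volume, fixed or removable.
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        [PSCustomObject]@{
            Check = "BitLocker $($vol.MountPoint) [$($vol.VolumeType)]"
            Value = "$($vol.ProtectionStatus); $($vol.VolumeStatus); protectors: $protectors"
        }
    }

    # 3. EFS: per-file encryption on NTFS, visible as the Encrypted file attribute.
    $docs = [Environment]::GetFolderPath('MyDocuments')     # constructed scope for the count
    $efsFiles = Get-ChildItem -Path $docs -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
    [PSCustomObject]@{ Check = "EFS-encrypted files under $docs"; Value = @($efsFiles).Count }
}

Get-DiskEncryptionReport | Format-Table -AutoSize

# cipher.exe /c lists, for each encrypted file in the folder, the certificates that can
# decrypt it (the user's EFS certificate and any recovery agent).
cipher.exe /c ([Environment]::GetFolderPath('MyDocuments'))
```

A volume whose ProtectionStatus reads Off while VolumeStatus says FullyEncrypted is a suspended BitLocker volume, a state worth catching in an audit because the data is encrypted but the key is exposed on disk until protection is resumed.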