Security Implementation on a Windows Device

The document outlines a practice lab for implementing security on Windows devices, focusing on exercises related to Microsoft Defender Antivirus, Windows Defender Firewall, BitLocker, and user management. Participants will learn to manage antivirus settings, configure firewall rules, and understand permissions and login options. The lab is designed to enhance hands-on skills in Windows security over approximately 1.5 hours.

Uploaded by

Gareth Reid
Copyright
© All Rights Reserved

CompTIA A+

Security Implementation on a Windows Device

Introduction
Lab Topology
Exercise 1 - Manage Microsoft Defender Antivirus
Exercise 2 - Manage Windows Defender Firewall
Exercise 3 - BitLocker and EFS
Exercise 4 - Users and Groups in Windows
Exercise 5 - Login Options for Windows Systems
Exercise 6 - NTFS vs. Share Permissions
Exercise 7 - Run as Administrator vs. Standard User
Review

Introduction
A+
Security
Firewall
Defender Antivirus
Users and Groups
Login Options
UAC
Bitlocker
EFS

Welcome to the Security Implementation on a Windows Device Practice Lab.


In this module, you will be provided with the instructions and devices needed to
develop your hands-on skills.

Security and privacy are dependent on an operating system that protects your system
and data from the moment it boots up, providing fundamental chip-to-cloud security.
Windows security has improved over the years, with extensive security measures
designed to keep you safe.
Learning Outcomes
In this module, you will complete the following exercises:

Exercise 1 - Manage Microsoft Defender Antivirus
Exercise 2 - Manage Windows Defender Firewall
Exercise 3 - BitLocker and EFS
Exercise 4 - Users and Groups in Windows
Exercise 5 - Login Options for Windows Systems
Exercise 6 - NTFS vs. Share Permissions

After completing this module, you should be able to:

Activate/Deactivate Microsoft Defender Antivirus and Update Virus Definitions
Activate & Deactivate Windows Defender Firewall
Create a Rule Blocking a Port
Block a Program through the Windows Defender Firewall
Allow a Program through the Windows Defender Firewall
Activate BitLocker To Go
Configure BitLocker Settings via GPO
Create an Encrypting File System (EFS)

After completing this module, you should have further knowledge of:

Users and Groups in Windows
Different Methods of Log on Protections and Options
NTFS vs. Share Permissions
Run as Administrator vs. Standard User

Exam Objectives
The following exam objectives are covered in this module:

2.5 Given a scenario, manage and configure basic security settings in the Microsoft
Windows OS

Defender Antivirus
Firewall
Users and groups
Login OS options
NTFS vs. share permissions
Run as administrator vs. standard user
BitLocker
BitLocker To Go
Encrypting File System (EFS)

Lab Duration
It will take approximately 1 hour and 30 minutes to complete this lab.

The completion time of this module exceeds our usual 1-hour timeframe. Please
ensure you have taken into consideration how long this module will take to
complete.

Help and Support


For more information on using Practice Labs, please see our Help and Support
page. You can also raise a technical support ticket from this page.

Click Next to view the Lab topology used in this module.

Lab Topology
During your session, you will have access to the following lab configuration.

Depending on the exercises, you may or may not use all of the devices, but they are
shown here in the layout to get an overall understanding of the topology of the lab.

PLABDC01 - (Windows Server 2019 - Domain Controller)
PLABWIN10 - (Windows 10 - Domain Member Workstation)
PLABWIN11 - (Windows 11 - Domain Member Workstation)
PLABSUSE - (SUSE - Standalone Server)
PLABUBUNTU - (Ubuntu - Standalone Server)
PLABANDROID - (Android OS - Android Device)

Click Next to proceed to the first exercise.


Exercise 1 - Manage Microsoft Defender Antivirus
Microsoft Defender Antivirus is a built-in anti-malware program in Windows. It was
first made available as a free anti-spyware download for Windows XP, and later came
pre-installed with Windows Vista and Windows 7. It has matured into a
comprehensive antivirus program that is included with Windows 8 and later editions,
replacing Microsoft Security Essentials.

Defender Antivirus was a graphical desktop program prior to Windows 10. Starting
with Windows 10 and Windows Server 2016, users can administer Defender Antivirus
directly through the Windows Security app or PowerShell. Microsoft Defender
Antivirus is part of the Microsoft Defender for Endpoint suite of products.

In this exercise, you will learn to activate and deactivate Microsoft Defender Antivirus.
You will also update the virus definitions to be current.

Learning Outcomes
After completing this exercise, you should be able to:

Activate/Deactivate Microsoft Defender Antivirus and Update Virus Definitions

Your Devices
You will be using the following devices in this lab. Please power these on now.

PLABDC01 - (Windows Server 2019 - Domain Controller)
PLABWIN10 - (Windows 10 - Domain Member Workstation)
PLABWIN11 - (Windows 11 - Domain Member Workstation)

Task 1 - Activate/Deactivate Microsoft Defender Antivirus and Update Virus Definitions

Antivirus is crucial to the health of the system, but it can be disabled temporarily
for the following reasons:

When installing another antivirus software onto the PC
Interference with other applications
Optimizing your PC performance
Concerns over privacy

In this task, the Microsoft Defender Antivirus will be accessed. You will turn the
program on and off as well as update the virus definitions. The different types of scans
available will be covered, and a quick scan will be conducted.

Note: In the operating system, there are numerous ways to get to the same
location. Each exercise and task completed will close all open windows. In the
next exercise, a new path to opening the tools will be executed to demonstrate
the various ways to access the tools.

Step 1
Connect to PLABWIN10.

Click the Start charm and type the following:

windows security

Select Windows Security from the Best match pop-up menu.


Figure 1.1 Screenshot of PLABWIN10: Displaying entering the required
search text and selecting Windows Security from the Best match pop-up
menu.

Step 2
In the Windows Security window, select Virus & threat protection.
Figure 1.2 Screenshot of PLABWIN10: Displaying selecting Virus & threat
protection in the Windows Security window.

Step 3
From the Windows Security - Virus & threat protection window, click Manage
settings under the Virus & threat protection settings category.
Figure 1.3 Screenshot of PLABWIN10: Displaying selecting Manage settings
under the Virus & threat protection settings category in the Windows
Security window.

Step 4
In the Windows Security - Virus & threat protection settings pane, toggle the
slider to Off under Real-time protection.
Figure 1.4 Screenshot of PLABWIN10: Displaying turning off real-time
protection in the Windows Security - Virus & threat protection settings pane.

Note: Turning off real-time protection will disable the Microsoft Defender
Antivirus. You can temporarily disable this feature, but it will automatically
turn back on after a short time.

Step 5
Now, slide the Real-time protection settings towards On.
Figure 1.5 Screenshot of PLABWIN10: Displaying enabling real-time
protection in the Windows Security - Virus & threat protection settings pane.

Note: The Microsoft Defender Antivirus is now enabled again.

Step 6
Click the back arrow in the top left corner to return to the previous window.
Figure 1.6 Screenshot of PLABWIN10: Displaying clicking the back arrow in
the Windows Security - Virus & threat protection settings window.

Step 7
Navigate to Services, and locate the Windows Update service.

Right-click the service and select Properties to start it.

Step 8
In the Windows Security - Virus & threat protection window, scroll down to the
Virus & threat protection updates section.

Click Check for updates.


Figure 1.7 Screenshot of PLABWIN10: Displaying the Windows Security
window and selecting Check for updates under the Virus & threat protection
updates section.

Step 9
From the Windows Security - Protection updates pane, you can view the
Security intelligence version, when the version was created, and when the last
update was run.

Click Check for updates.


Figure 1.8 Screenshot of PLABWIN10: Displaying clicking Check for updates
in the Windows Security - Protection updates pane.

Step 10
The system will now check to see if there are updates and will install the newest virus
definitions.
Figure 1.9 Screenshot of PLABWIN10: Displaying checking for updates in
the Windows Security - Protection updates pane.

Step 11
The virus definitions have now been updated.

Return to the previous window by clicking the back arrow in the upper left corner of
the screen.
Figure 1.10 Screenshot of PLABWIN10: Displaying clicking the back arrow in
the Windows Security - Protection updates window.

Step 12
Back on the Windows Security - Virus & threat protection pane, you can run a
Quick scan by default.

More options are available by clicking the Scan options link below the Quick scan
button.

Click Scan options.


Figure 1.11 Screenshot of PLABWIN10: Displaying the Windows Security -
Virus & threat protection pane and clicking Scan options under the Current
threats section.

Step 13
In the Windows Security - Scan options pane, scroll down to view the following
options:

Quick scan - This is a fast scan that checks the folders in your system for
common threats.
Full scan - It’s an in-depth scan that checks all files and running programs on
your computer. It can sometimes take longer than an hour to perform, depending
on the number of files that need to be checked.
Custom scan - Allows the user to specify the files and folders to be scanned.
Microsoft Defender Offline scan - This will restart your device and help to
remediate the system with up-to-date threat definitions. The estimated time will
be about 15 minutes.

Click Scan now to run a quick scan.


Figure 1.12 Screenshot of PLABWIN10: Displaying the Windows Security -
Protection history pane and selecting Scan now.

Step 14
In the Windows Security - Scan options pane, allow the scan to run.
Figure 1.13 Screenshot of PLABWIN10: Displaying the Windows Security -
Scan options pane with the quick scan running.

Step 15
Notice that 9 files were scanned, and 0 threats were found.

Note: The number of files scanned can vary from what’s shown on the
screenshot.
Figure 1.14 Screenshot of PLABWIN10: Displaying the Windows Security -
Scan options pane with the results of the quick scan performed.

Note: The process that was just completed in Windows 10 is the same process
in Windows 11. For more practice, switch to the PLABWIN11 device and follow
the same steps.

Close all open windows.

Note: In the operating system, there are numerous ways to get to the same
location. In this module, various ways to access the different settings will be
demonstrated.
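
The same task can be carried out from PowerShell, which the introduction to this exercise names as the other way to administer Defender Antivirus. The script below is an added example, not part of the original lab; it uses the built-in Defender cmdlets, assumes an elevated session on PLABWIN10, and the helper name Get-DefenderSummary is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lab): Exercise 1, Task 1 from an elevated PowerShell session.

function Get-DefenderSummary {
    # Hypothetical helper: the fields the Windows Security panes display.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

$before = Get-DefenderSummary
$before | Format-List

# Steps 4-5: finish with real-time protection On.
# With Tamper Protection on, Windows ignores attempts to switch real-time
# protection off through Set-MpPreference, so only the "On" direction is scripted.
if (-not $before.RealTimeProtection) {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Start-Sleep -Seconds 5
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        Write-Warning ('Real-time protection is still off (TamperProtected={0}); check policy settings.' -f $before.TamperProtected)
    }
}

# Step 7: the lab starts the Windows Update service (wuauserv) before updating.
if ((Get-Service -Name wuauserv).Status -ne 'Running') {
    Start-Service -Name wuauserv
}

# Steps 8-11: check for updates and compare the security intelligence version.
Update-MpSignature
$after = Get-DefenderSummary
'Security intelligence: {0} -> {1} (updated {2})' -f `
    $before.SignatureVersion, $after.SignatureVersion, $after.SignatureUpdated

# Steps 12-15: run a quick scan, then list only detections raised since it started.
$scanStart = Get-Date
Start-MpScan -ScanType QuickScan
$found = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $scanStart })
'Quick scan finished {0}; new detections: {1}' -f `
    (Get-MpComputerStatus).QuickScanEndTime, $found.Count
$found | Select-Object ThreatID, InitialDetectionTime, Resources
```

A SignatureAgeDays value above a few days is worth alerting on, because it means definition updates have stopped arriving.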

Exercise 2 - Manage Windows Defender Firewall


Windows Firewall is a host-based firewall that applies security on a computer by
blocking unauthorized access to its services and decreasing its exposure to potentially
destructive network probes when connected to the Internet or a local intranet.

Windows Firewall is managed using two applications, namely Windows Firewall
(known as Windows Defender Security Center in Windows 10) and Windows Defender
Firewall with Advanced Security. Windows Defender Firewall with Advanced Security
includes features for creating rules for granular control of Inbound and Outbound
traffic. It has Connection Security Rules for creating IPsec policies and network
isolation. It has been available in versions of Windows dating back to Windows Vista.

Internet Protocol security (IPsec) is supported by Windows Defender Firewall,
allowing you to require authentication from any device attempting to communicate
with your device. Devices that can't be authenticated as trusted devices can't
communicate with your device when authentication is required. You can also use IPsec
to encrypt particular network traffic to prevent it from being read by network packet
analyzers that a malicious user could attach to the network.

The Windows Defender Firewall has the following advantages:

Defend against network security attacks. The Windows Defender Firewall
minimizes the device's attack surface, adding another layer to the defense-in-
depth approach. Reducing a device's attack surface improves manageability and
reduces the chances of a successful attack.
Protects sensitive information and intellectual property.
Increases the value of current investments. There is no need for additional
hardware or software because Windows Defender Firewall is a host-based firewall
that comes with the operating system.

In this exercise, you will activate and deactivate the Windows Defender Firewall. You
will also create a rule to block a port and block/allow a program through the firewall.

Learning Outcomes
After completing this exercise, you should be able to:

Activate & Deactivate Windows Defender Firewall
Create a Rule Blocking a Port
Block a Program through the Windows Defender Firewall
Allow a Program through the Windows Defender Firewall

Your Devices
You will be using the following devices in this lab. Please power these on now.

PLABDC01 - (Windows Server 2019 - Domain Controller)
PLABWIN10 - (Windows 10 - Domain Member Workstation)
PLABWIN11 - (Windows 11 - Domain Member Workstation)

Task 1 - Activate & Deactivate Windows Defender Firewall

In this task, the Windows Defender Firewall will be accessed. You will activate and
deactivate the firewall and view the various profiles that are available to set rules for.

Step 1
Connect to PLABWIN11.

Right-click the Start charm and select Settings.

Figure 2.1 Screenshot of PLABWIN11: Displaying right-clicking the Windows
Start charm and selecting Settings.

Step 2
In the Settings window, click Privacy & security in the left pane.

Figure 2.2 Screenshot of PLABWIN11: Displaying selecting Privacy &
security in the Settings window.

Step 3
From the Settings - Privacy & security pane, click Windows Security.
Figure 2.3 Screenshot of PLABWIN11: Displaying selecting Windows
Security in the Settings - Privacy & security pane.

Step 4
In the Settings - Privacy & security > Windows Security pane, click Firewall
& network protection.
Figure 2.4 Screenshot of PLABWIN11: Displaying selecting Firewall &
network protection In the Settings - Windows Security pane.

Step 5
In the Windows Security - Firewall & network protection pane, you have the
following profiles available to set rules for in the firewall:

Domain - The domain profile is used in networks where the host system may
connect to a domain controller and authenticate.
Private - It’s a user-assigned profile. The private profile is used to designate
private or home networks.
Public/Guest - This is the default profile and is used to identify public networks
like Wi-Fi hotspots at coffee shops, airports, and other places.

Click the Domain network profile to access the profile and view further
configuration options.
Figure 2.5 Screenshot of PLABWIN11: Displaying the Windows Security -
Firewall & network protection pane and selecting the Domain network
profile.

Step 6
The Windows Security - Domain network window is displayed.

Within each profile, you can turn the firewall protection on or off. You can also block
all incoming connections by enabling the checkbox Block all incoming
connections, including those in the list of allowed apps.

The Windows Defender Firewall can be turned off for the following reasons:

If you have another software firewall installed on your computer that you would
like to use over the Windows Defender Firewall.
When you're trying software installations, networking, and other things and can't
get them to work, deactivating the firewall can be used as a troubleshooting step
because everything could be perfect except for a particular firewall rule.
You want to set up a honeypot.

Click the back arrow in the upper left corner of the Windows Security - Domain
network window.

Figure 2.6 Screenshot of PLABWIN11: Displaying the Windows Security -
Domain network window and selecting the back arrow.

Note: Turning off Microsoft Defender Firewall may leave your device and your
network more vulnerable to unauthorized access. If you need to use an app that
is being blocked, you can allow it through the firewall rather than turning the
firewall off.

Keep the Windows Security - Firewall & network protection window open.

Task 2 - Create a Rule Blocking a Port

In this task, the Windows Defender Firewall Microsoft Management Console (MMC)
will be accessed, and its additional capabilities will be discussed. You will create a rule
for the firewall to block a port and view the various profiles that are available to set
rules up for.
Step 1
Ensure you are connected to PLABWIN11, where the Windows Security -
Firewall & network protection window is open.

On the Firewall & network protection pane, click the Advanced settings link
towards the bottom of the pane to access the Windows Defender Firewall Microsoft
Management Console (MMC) snap-in.

Figure 2.7 Screenshot of PLABWIN11: Displaying the Windows Security -
Firewall & network protection window and selecting Advanced settings.

Note: If the focus does not automatically shift to the Windows Defender
Firewall with Advanced Security window, click the Windows Defender
Firewall icon on the Taskbar.

Step 2
Click the Windows Defender Firewall with Advanced Security icon on the
taskbar to open it.

Figure 2.8 Screenshot of PLABWIN11: Displaying clicking the Windows
Defender Firewall with Advanced Security icon on the taskbar.

Step 3
In the Windows Defender Firewall with Advanced Security window, the
following can be configured:

Inbound Rules - Used to configure rules for traffic coming into the system
Outbound Rules - Used to configure rules for traffic leaving the system
Connection Security Rules - Used to configure extra layers of authentication
and security
Monitoring - Shows each profile along with information pertinent to logging
and monitoring

Click Inbound Rules on the left pane.


Figure 2.9 Screenshot of PLABWIN11: Displaying the Windows Defender
Firewall with Advanced Security window and clicking Inbound Rules on the
left pane.

Step 4
In the Actions pane on the right, click New Rule.
Figure 2.10 Screenshot of PLABWIN11: Displaying the Windows Defender
Firewall with Advanced Security window and clicking New Rule on the
Actions pane.

Step 5
On the New Inbound Rule Wizard, rules can be set up to control program and port
access. Predefined rules can be configured as well as custom rules.

You will now configure the system to block inbound requests from Telnet.

From the New Inbound Rule Wizard - Rule Type page, select the Port radio
button and click Next.
Figure 2.11 Screenshot of PLABWIN11: Displaying selecting Port and clicking
Next in the New Inbound Rule Wizard - Rule Type page.

Step 6
On the Protocol and Ports page, the method of data movement is specified. Select
TCP.

Under the Does this rule apply to all local ports or specific local ports?
section, select Specific local ports and type the following:

23

Click Next.
Figure 2.12 Screenshot of PLABWIN11: Displaying the Ports and Protocols
page with the required settings performed and the Next button selected.

Step 7
On the Action page, select Block the connection.

Click Next.
Figure 2.13 Screenshot of PLABWIN11: Displaying the Action page with the
required settings performed and the Next button selected.

Step 8
From the Profile page, leave the default selections and click Next.
Figure 2.14 Screenshot of PLABWIN11: Displaying the Profile page with the
default selections and the Next button selected.

Step 9
On the Name page, type the following for the Name field:

Block Inbound Telnet

Type the following for the Description field:

Block Inbound Telnet port number 23

Click Finish.
Figure 2.15 Screenshot of PLABWIN11: Displaying the Name page with the
required settings performed and the Finish button selected.

Step 10
Back on the Windows Defender Firewall with Advanced Security window,
notice that the top rule now listed on the Inbound Rules pane is the Block
Inbound Telnet rule that was just created.

You can cut, copy, disable or view the properties of a rule by right-clicking on the
particular rule and selecting the required option.

Right-click on the Block Inbound Telnet rule and select Delete to remove the rule.
Figure 2.16 Screenshot of PLABWIN11: Displaying the Windows Defender
Firewall with Advanced Security window. The newly created rule is right-
clicked, and Delete selected from the context menu.

Note: Clicking Properties allows you to further configure and adjust the rule.

Step 11
Click Yes on the Are you sure you want to delete these rules? caution box.
Figure 2.17 Screenshot of PLABWIN11: Displaying clicking Yes on the Are
you sure you want to delete these rules caution box.

Keep the Windows Defender Firewall with Advanced Security window open.
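
The profile check from Task 1 and the port rule from Task 2 can also be expressed with the NetSecurity cmdlets. This is an added example, not part of the original lab; it assumes an elevated PowerShell session on PLABWIN11 and reuses the rule name, description and port from Steps 6 to 9.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lab): Exercise 2, Tasks 1-2 with the NetSecurity module.

# Task 1, Steps 5-6: state and default actions of the Domain, Private and Public profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

$ruleName = 'Block Inbound Telnet'

# DisplayName is not a unique key, so re-running New-NetFirewallRule would
# create a second rule with the same name. Create it only when absent.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        DisplayName = $ruleName
        Description = 'Block Inbound Telnet port number 23'
        Direction   = 'Inbound'   # Step 3: Inbound Rules
        Protocol    = 'TCP'       # Step 6
        LocalPort   = 23          # Step 6
        Action      = 'Block'     # Step 7
        Profile     = 'Any'       # Step 8: wizard default, all three profiles
    }
    New-NetFirewallRule @rule | Out-Null
}

# Step 10: confirm what was stored. The port lives in a separate filter object.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
    }
} | Format-List

# Steps 10-11: remove the lab rule again (removes every rule with this display name).
Remove-NetFirewallRule -DisplayName $ruleName
```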

Task 3 - Block a Program through the Windows Defender Firewall

In this task, the Windows Defender Firewall will be accessed. You will block a program
in the firewall and view the various profiles that are available to set rules for.

Step 1
In PLABWIN11, the Windows Defender Firewall with Advanced Security
window is open.

Click New Rule in the Actions pane on the right.


Figure 2.18 Screenshot of PLABWIN11: Displaying the Windows Defender
Firewall with Advanced Security window and selecting New Rule from the
Actions pane.

Step 2
In the New Inbound Rule Wizard - Rule Type page, ensure the Program option
is selected.

Click Next.
Figure 2.19 Screenshot of PLABWIN11: Displaying the New Inbound Rule
Wizard - Rule Type page with the Program option selected and the Next
button highlighted.

Step 3
On the Program page, you can either choose All programs and apply the rule to
all connections on the system that match other rule properties, or you can choose an
individual application.

Select the This program path option and click Browse.


Figure 2.20 Screenshot of PLABWIN11: Displaying the Program page with
the required settings performed and the Browse button selected.

Step 4
Click OK on the Location is not available pop-up box.
Figure 2.21 Screenshot of PLABWIN11: Displaying clicking OK on the
Location is not available pop-up box.

Step 5
In the Open dialog box, navigate to the following path:

Local Disk (C:) > Windows > System32

Scroll down and select xcopy.

Click Open.
Figure 2.22 Screenshot of PLABWIN11: Open dialog box is displayed,
showing the required application highlighted and the Open button selected.

Note: Xcopy was chosen to demonstrate here because it is a non-essential
application that will not interfere with the system’s operation.

Step 6
Back on the Program page, click Next.
Figure 2.23 Screenshot of PLABWIN11: Displaying the Program page with
the required program path populated and the Next button highlighted.

Step 7
On the Action page, click the Allow the connection if it is secure option.

Click Next.
Figure 2.24 Screenshot of PLABWIN11: Displaying the Action pane with the
required option selected and the Next button selected.

Step 8
From the Users page, enable the Only allow connections from these users
checkbox under the Authorized users section.

Click Add.

Note: Users can be authorized or excluded. This field is not a mandatory field
to be filled.
Figure 2.25 Screenshot of PLABWIN11: Displaying the Users page with the
required checkbox enabled and the Add button selected.

Step 9
In the Select Users, Computers, or Groups dialog box, type the following in the
Enter the object names to select field:

Admin

Click Check Names.


Figure 2.26 Screenshot of PLABWIN11: Displaying the Select Users,
Computers, or Groups dialog box, showing the required settings performed
and the Check Names button selected.

Step 10
From the Multiple Names Found dialog box, select the first Administrator
option.

Click OK.
Figure 2.27 Screenshot of PLABWIN11: Displaying the Multiple Names
Found dialog box with Administrator selected and the OK button
highlighted.

Step 11
Back in the Select Users, Computers, or Groups dialog box, click OK.
Figure 2.28 Screenshot of PLABWIN11: Displaying clicking OK in the Select
Users, Computers, or Groups dialog box.

Step 12
On the Users page, click Next.
Figure 2.29 Screenshot of PLABWIN11: Displaying clicking Next on the
Users page.

Step 13
On the Computers page, users can select specific computers to apply the rule.

Leave the default settings and click Next.

Note: Computers can be authorized or excluded. This field is not a mandatory
field to be filled.
Figure 2.30 Screenshot of PLABWIN11: Displaying clicking Next on the
Computers page.

Step 14
On the Profile page, click Next.
Figure 2.31 Screenshot of PLABWIN11: Displaying clicking Next on the
Profile page.

Step 15
On the Name page, type the following for the Name field:

Allow xcopy Admin Secure

Type the following for the Description field:

Allow xcopy for administrator if the connection is secure

Click Finish.
Figure 2.32 Screenshot of PLABWIN11: Displaying the Name page with the
required settings performed and the Finish button highlighted.

Step 16
Notice the top rule that is now listed on the Inbound rules pane is the Allow Xcopy
Admin Secure rule that was just created.

Note: If the Windows Defender Firewall with Advanced Security
window doesn’t open automatically, restore it from the taskbar.

Right-click the rule and select Delete to remove it.

Click Yes on the Are you sure you want to delete these rules? caution box.
Figure 2.33 Screenshot of PLABWIN11: Displaying the Windows Defender
Firewall with Advanced Security window. The newly created rule is right-
clicked, and Delete selected from the context menu.

Close all open windows.

Note: The process that was just completed in Windows 11 is the same process in
Windows 10. For more practice, switch to the PLABWIN10 device and follow
the same steps.
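
The rule built in Task 3 combines a program path, the Allow the connection if it is secure action and an authorized user. The script below is an added example, not part of the original lab, showing how those three settings are stored. It assumes an elevated session on PLABWIN11, that the account name Administrator resolves to the account chosen in Step 10, and that the wizard's Authorized users list corresponds to the -RemoteUser parameter.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lab): Exercise 2, Task 3 with the NetSecurity module.

$ruleName = 'Allow xcopy Admin Secure'
$program  = Join-Path $env:SystemRoot 'System32\xcopy.exe'   # Step 5

# Steps 8-11: user authorization is stored as an SDDL string built from a SID.
# Assumption: 'Administrator' resolves to the account selected in Step 10.
$account = New-Object System.Security.Principal.NTAccount('Administrator')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "D:(A;;CC;;;$sid)"

$rule = @{
    DisplayName    = $ruleName
    Description    = 'Allow xcopy for administrator if the connection is secure'
    Direction      = 'Inbound'
    Program        = $program
    Action         = 'Allow'
    Authentication = 'Required'   # Step 7: Allow the connection if it is secure
    RemoteUser     = $sddl        # Step 8: Only allow connections from these users
    Profile        = 'Any'        # Step 14: wizard default
}
New-NetFirewallRule @rule | Out-Null

# Step 16: read the rule back. Program and security settings sit in filter objects.
$stored = Get-NetFirewallRule -DisplayName $ruleName
$app    = $stored | Get-NetFirewallApplicationFilter
$sec    = $stored | Get-NetFirewallSecurityFilter
[pscustomobject]@{
    Name           = $stored.DisplayName
    Action         = $stored.Action
    Program        = $app.Program
    Authentication = $sec.Authentication
    RemoteUser     = $sec.RemoteUser
} | Format-List

# A rule that requires authentication only matches traffic protected by IPsec,
# so it has no effect until a connection security rule is in place.
$ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
if ($ipsecRules.Count -eq 0) {
    Write-Warning 'No connection security (IPsec) rules are active; this rule will not match any traffic.'
}

# Step 16: remove the lab rule again.
Remove-NetFirewallRule -DisplayName $ruleName
```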

Task 4 - Allow a Program through the Windows Defender Firewall

In this task, you will allow a program through the Windows Defender Firewall.

Step 1
Connect to PLABWIN11.

Click the Start charm and type the following:


windows defender firewall

Select Windows Defender Firewall from the Best match pop-up menu.

Figure 2.34 Screenshot of PLABWIN11: Displaying selecting Windows
Defender Firewall from the Best match pop-up menu.

Step 2
In the Windows Defender Firewall window, click the Allow an app or feature
through Windows Defender Firewall on the left pane.
Figure 2.35 Screenshot of PLABWIN11: Displaying clicking Allow an app or
feature through Windows Defender Firewall In the Windows Defender
Firewall window.

Step 3
From the Allow apps to communicate through Windows Defender Firewall
window, review the list of applications you can choose to allow to communicate
through the firewall. For each application, you can choose the profile types, so that
it is allowed through only when those conditions are met.

Once you have reviewed the applications, click Cancel.


Figure 2.36 Screenshot of PLABWIN11: Displaying clicking Cancel in the
Allow apps to communicate through Windows Defender Firewall window.

Close all open windows.

Exercise 3 - BitLocker and EFS


BitLocker Drive Encryption is an encryption feature provided by Windows to protect
your data, particularly when a device is lost or stolen. Windows has a long history of
providing solutions for at-rest data protection. BitLocker has recently added
encryption for both full drives and portable drives. Windows consistently improves
data security by improving existing options and introducing new ones.

BitLocker provides the most protection when combined with a Trusted Platform
Module (TPM) version 1.2 or later. TPM is a hardware component included in many
newer computers by computer manufacturers. It works with BitLocker to protect
user data and ensure that a computer was not tampered with while the system was
turned off.

BitLocker To Go is BitLocker Drive Encryption for portable storage devices. This
feature encrypts the following devices: USB flash drives, external hard disk drives, SD
memory cards, and other drives that have been formatted with the NTFS, FAT16,
FAT32, or exFAT file systems. As with BitLocker, you can open BitLocker To Go
encrypted drives on another computer by using a password or smart card.

Typically, the Windows security model's access control to file and directory objects is
sufficient to prevent unauthorized access to sensitive information. However, if a laptop
containing sensitive data is lost or stolen, the security of that data may be jeopardized.
Encrypting files improves security.

The Encrypting File System, or EFS, adds another layer of security to files and
directories. It uses a public-key system to provide cryptographic protection for
individual files on NTFS file system volumes.

Note that the following items cannot be encrypted:

System files
Transactions
System directories
Root directories
Files that are compressed

In this exercise, you will learn about BitLocker, BitLocker To Go and EFS.

Learning Outcomes
After completing this exercise, you should be able to:

Activate BitLocker To Go
Configure BitLocker Settings via GPO
Create an Encrypting File System (EFS)

Your Devices
You will be using the following devices in this lab. Please power these on now.

PLABDC01 - (Windows Server 2019 - Domain Controller)
PLABWIN10 - (Windows 10 - Domain Member Workstation)
PLABWIN11 - (Windows 11 - Domain Member Workstation)

Task 1 - Activate BitLocker To Go

In this task, BitLocker To Go will be used to encrypt the thumb drive plugged into the
PLABWIN10 device.

Since BitLocker To Go is used for portable drives, no TPM module on the motherboard
will store a copy of the encryption keys. Instead, a password-based encryption will be
created. Once the proper password is entered, the drive can be decrypted.

Step 1
Connect to PLABWIN10.

Click the File Explorer icon on the taskbar.

Figure 3.1 Screenshot of PLABWIN10: Displaying clicking the File Explorer
icon on the taskbar.

Step 2
On the File Explorer window, select This PC on the left pane.

Figure 3.2 Screenshot of PLABWIN10: Displaying selecting This PC from the
File Explorer window.

Step 3
Right-click PLABWIN10HDD1(E:) under the Devices and drives section.

Select Turn on BitLocker from the context menu.


Figure 3.3 Screenshot of PLABWIN10: Displaying right-clicking
PLABWIN10HDD1(E:) and selecting Turn on BitLocker in the File Explorer
window.

Step 4
In the BitLocker Drive Encryption (E:) - Choose how you want to unlock
this drive page, you can use the following options to unlock the drive:

Password
Smart Card

Note: Ensure you choose the correct encryption based on the recommended
settings in a real-life situation.

Here you will enable the Use a password to unlock the drive checkbox.

Type the following into both the Enter your password and Reenter your
password textboxes:
Passw0rd
Click Next.

Figure 3.4 Screenshot of PLABWIN10: Displaying the BitLocker Drive
Encryption (E:) - Choose how you want to unlock this drive page with the
required password typed in and the Next button highlighted.

Step 5
From the How do you want to back up your recovery key? page, click Print
the recovery key.
Figure 3.5 Screenshot of PLABWIN10: Displaying selecting Print the
recovery key in the How do you want to back up your recovery key? page.

Step 6
In the Print dialog box, select Microsoft Print to PDF.

Click Print.
Figure 3.6 Screenshot of PLABWIN10: Displaying the Print dialog box with
the required option selected and the Print button highlighted.

Step 7
In the Save Print Output As dialog box, select Documents on the left pane.

Type the following in the File name text box:

BitLocker Key 2

Click Save.
Figure 3.7 Screenshot of PLABWIN10: Displaying the Save Print Output As
dialog box with the required File name typed in and the Save button
highlighted.

Step 8
Back on the How do you want to back up your recovery key? page, click Next.
Figure 3.8 Screenshot of PLABWIN10: Displaying clicking Next on the How
do you want to back up your recovery key? page.

Step 9
In the Choose how much of your drive to encrypt page, ensure Encrypt used
disk space only option is selected.

Click Next.
Figure 3.9 Screenshot of PLABWIN10: Displaying the Choose how much of
your drive to encrypt page with the required option selected and the Next
button highlighted.

Step 10
From the Choose which encryption mode to use page, ensure the New
encryption mode is selected.

Click Next.
Figure 3.10 Screenshot of PLABWIN10: Displaying the Choose which
encryption mode to use page with the required option selected and the Next
button highlighted.

Step 11
In the Are you ready to encrypt this drive? page, read the information and click
Start encrypting.
Figure 3.11 Screenshot of PLABWIN10: Displaying the Are you ready to
encrypt this drive? page with the Start encrypting button selected.

Step 12
Back on the File Explorer window, PLABWIN10HDD1(E:) now has a lock icon.

Right-click PLABWIN10HDD1(E:) and select Manage BitLocker.


Figure 3.12 Screenshot of PLABWIN10: Displaying right-clicking ISO(D:)
and selecting Manage BitLocker in the File Explorer window.

Step 13
On the BitLocker Drive Encryption window, you will see there are a few more
options available under the Fixed data drives section since you have an encrypted
drive.

Back up your recovery key
Change password
Remove password
Add smart card
Turn on auto-unlock
Turn off BitLocker

Click Turn off BitLocker.

On the pop-up box, click Turn off BitLocker.

Close the BitLocker Drive Encryption window.

Figure 3.13 Screenshot of PLABWIN10: Displaying clicking Turn off
BitLocker in the Turn off BitLocker pop-up box.

Close all open windows.

Task 2 - Configure BitLocker Settings via GPO

In this task, you will create a Group Policy that will enforce BitLocker on the disk
volumes of the PLABWIN10 device.

To configure BitLocker settings using group policy objects, follow these steps:

Step 1
Connect to PLABDC01.

The Server Manager Dashboard automatically opens upon logon.

Click on the Tools menu and select Group Policy Management.


Figure 3.14 Screenshot of PLABDC01: Displaying Tools > Group Policy
Management menu-options selected in the Server Manager window.

Step 2
On the Group Policy Management console, expand Forest: Practicelabs.com >
Domains.

Right-click on Practicelabs.com and select Create a GPO in this domain, and
Link it here…
Figure 3.15 Screenshot of PLABDC01: Displaying the Group Policy
Management console. Practicelabs.com is right-clicked, and Create a GPO in
this domain, and Link it here option is selected from the context menu.

Step 3
On the New GPO dialog box, type the following for the Name field:

BitLocker for desktops

Click OK.

Note: If you get a Group Policy Management Console message box,
enable the Do not show this message again checkbox and click OK.
Figure 3.16 Screenshot of PLABDC01: Displaying the New GPO dialog box
with the required Name typed in and the OK button highlighted.

Step 4
Locate the Security Filtering section on the bottom right pane.

Select the Authenticated Users group and click the Remove button.


Figure 3.17 Screenshot of PLABDC01: Displaying the Security Filtering pane
on the Bitlocker for desktops console with the required settings performed
and the Remove button highlighted.

Step 5
On the Do you want to remove this delegation privilege? caution box, click
OK.
Figure 3.18 Screenshot of PLABDC01: Displaying the Do you want to remove
this delegation privilege? caution box with the OK button highlighted.

Step 6
Click OK on the Group Policy Management caution box.
Figure 3.19 Screenshot of PLABDC01: Displaying clicking OK on the Group
Policy Management caution box.

Step 7
Once again, on the Security Filtering section, click Add…
Figure 3.20 Screenshot of PLABDC01: Displaying the Security Filtering pane
on the Bitlocker for desktops console with the Add button highlighted.

Step 8
On the Select User, Computer or Group dialog box, click Object Types…
Figure 3.21 Screenshot of PLABDC01: Displaying clicking Object Types on
the Select User, Computer, or Group dialog box.

Step 9
On the Object Types dialog box, enable the Computers checkbox.

Click OK.
Figure 3.22 Screenshot of PLABDC01: Displaying the Object Types dialog
box with the required settings performed and the OK button highlighted.

Step 10
Back on the Select User, Computer or Group dialog box, click in the Enter the
object name to select textbox and type the following:

plabwin10

Click Check Names.


Figure 3.23 Screenshot of PLABDC01: Displaying the Select User, Computer,
or Group dialog box with the required values typed in, and the Check Names
button highlighted.

Step 11
The computer name PLABWIN10 is now underlined. This means that the computer
account is a member of the Practicelabs.com domain.

Click OK.
Figure 3.24 Screenshot of PLABDC01: Displaying the Select User, Computer,
or Group dialog box with the object name resolved and the OK button
highlighted.

Step 12
PLABWIN10$ (PRACTICELABS\PLABWIN10$) is now added in the Security
Filtering section.

This means that BitLocker for desktops group policy will apply only to the
PLABWIN10 computer.
Figure 3.25 Screenshot of PLABDC01: Displaying the Security Filtering pane
on the Bitlocker for desktops console listing the device added for BitLocker
security.

Step 13
Under the Practicelabs.com node, right-click on Bitlocker for desktops GPO
link and choose Edit…
Figure 3.26 Screenshot of PLABDC01: Displaying right clicking the
BitLocker for desktops node and selecting Edit on the Group Policy
Management console.

Step 14
On the Group Policy Management Editor window, expand Computer
Configuration > Policies > Administrative Templates > Windows
Components > BitLocker Drive Encryption then click on Operating System
Drives.

On the details pane on the right side, right-click on Require additional
authentication at start-up and choose Edit.
Figure 3.27 Screenshot of PLABDC01: Displaying right clicking a policy
setting and selecting Edit on the Group Policy Management Editor console.

Step 15
From the Require additional authentication at start-up window, click the
Enabled option.

Click OK.
Figure 3.28 Screenshot of PLABDC01: Displaying the Require additional
authentication at startup console with the required settings performed and
the OK button highlighted.

Step 16
Close the Group Policy Management Editor and Group Policy Management
console.

Keep the Server Manager > Dashboard window open.


Figure 3.29 Screenshot of PLABDC01: Displaying the Group Policy
Management Editor console with the Close icon at the top-right corner
highlighted.

Step 17
After configuring the GPO settings for BitLocker on a Windows 10 device, you will
need to prepare the disk volumes that will be encrypted on the target workstation.

Connect to PLABWIN10.

Click the File Explorer icon on the taskbar.


Figure 3.30 Screenshot of PLABWIN10: Displaying selecting the File
Explorer icon on the taskbar.

Step 18
On the File Explorer window, right-click This PC and select Manage.
Figure 3.31 Screenshot of PLABWIN10: Displaying right-clicking This PC
and selecting Manage on the File Explorer Window.

Step 19
On the Computer Management console, locate the Storage node and click on
Disk Management.
Figure 3.32 Screenshot of PLABWIN10: Displaying the Computer
Management console with the Computer Management > Storage > Disk
Management node path selected.

Step 20
There will be several drives available to use.

Hover your mouse over the partition on Disk 1 and right click. Select Properties
from the context menu.
Figure 3.33 Screenshot of PLABWIN10: Displaying right-clicking on Disk
and selecting Properties in the Computer Management window.

Step 21
On the PLABWIN10HDD1 (E:) Properties dialog box, change the name of the
drive by replacing the name in the text box to:

BitLocker volume

Click OK.
Figure 3.34 Screenshot of PLABWIN10: Displaying the Bitlocker volume(E:)
Properties dialog box with the required settings performed and the OK
button highlighted.

Step 22
After a few seconds, the Computer Management console now displays BitLocker
volume (E:).

Disregard any screen notification about formatting a new disk by clicking Cancel.

Close the Computer Management console.


Figure 3.35 Screenshot of PLABWIN10: Displaying the Computer
Management console listing the newly created simple volume.

Step 23
You will be redirected back to the File Explorer window. Click This PC on the left
pane.

Notice the BitLocker volume (E:) is now available for data storage on the right
pane.
Figure 3.36 Screenshot of PLABWIN10: Displaying the File Explorer window
listing the newly created volume.

Step 24
To encrypt the selected disk volume using BitLocker, you must have administrative
privileges on the computer.

Right-click on BitLocker volume (E:) and select Turn on BitLocker.


Figure 3.37 Screenshot of PLABWIN10: Displaying right-clicking on
Bitlocker volume (E:) and selecting Turn on BitLocker on the File Explorer
window.

Step 25
On the BitLocker Drive Encryption (E:) - Choose how you want to unlock
this drive page, enable the Use a password to unlock the drive checkbox.

On the Enter your password and Reenter your password text boxes, type:

Passw0rd
Click Next.
Figure 3.38 Screenshot of PLABWIN10: Displaying the Bitlocker Drive
Encryption (E:) - Choose how you want to unlock this drive page with the
required password typed in and the Next button highlighted.

Step 26
On the How do you want to back up your recovery key? page, select Print the
recovery key.

Note: The recovery key is required if the administrator forgets the password or
loses the smart card to access the encrypted drive.
Figure 3.39 Screenshot of PLABWIN10: Displaying the How do you want to
back up your recovery key? page with the Print the recovery key option
selected.

Step 27
On the Print page, ensure Microsoft Print to PDF is selected and click Print.

On the Save Print Output As dialog box, select the Documents folder on the left
pane.

In the File name text box, type:

BitLocker Key 3

Click Save.
Figure 3.40 Screenshot of PLABWIN10: Displaying the Save Print Output as
dialog box with the file name typed in and the Save button highlighted.

Step 28
Back on the How do you want to back up your recovery key? page, click Next.
Figure 3.41 Screenshot of PLABWIN10: Displaying the How do you want to
back up your recovery key? page with the Next button highlighted.

Step 29
From the Choose how much of your drive to encrypt page, ensure Encrypt
used disk space only option is selected.

Click Next.
Figure 3.42 Screenshot of PLABWIN10: Displaying the Choose how much of
your drive to encrypt page with the required option selected and the Next
button highlighted.

Step 30
On the Choose which encryption mode to use page, ensure the New
encryption mode is selected.

Click Next.
Figure 3.43 Screenshot of PLABWIN10: Displaying the Choose which
encryption mode to use page with the required option selected and the Next
button highlighted.

Step 31
On the Are you ready to encrypt this drive? page, click Start encrypting.
Figure 3.44 Screenshot of PLABWIN10: Displaying the Are you ready to
encrypt this drive? page with the Start encrypting button highlighted.

Step 32
Click Close when the Encryption of E: is complete message box pops up.
Figure 3.45 Screenshot of PLABWIN10: Displaying the Encryption of E: is
complete message box with the Close button selected.

Step 33
Back on the File Explorer window, notice the BitLocker icon is now appended to
BitLocker volume (E:) drive.

The drive is still in the unlocked state, as indicated by the icon.


Figure 3.46 Screenshot of PLABWIN10: Displaying the File Explorer window
with the BitLocker icon appended to the Bitlocker volume (E:) drive.

Step 34
Right-click on BitLocker volume (E:) and select Manage BitLocker.
Figure 3.47 Screenshot of PLABWIN10: Displaying right-clicking on
Bitlocker volume (E:) and selecting Manage BitLocker on the File Explorer
window.

Step 35
On the BitLocker Drive Encryption window, click in the address bar and type:

Shutdown /r /t 0

Press Enter.

The PLABWIN10 device will restart.

Note: Before reconnecting to the PLABWIN10 device, wait for about 1 minute
to let the PC complete the restart.
Figure 3.48 Screenshot of PLABWIN10: Displaying the BitLocker Drive
Encryption window with the required command typed-in in the address bar.

Step 36
After 1 minute, reconnect to the PLABWIN10 device.

When signed on to PLABWIN10, click the File Explorer icon on the taskbar.
Figure 3.49 Screenshot of PLABWIN10: Displaying clicking the File Explorer
icon on the taskbar.

Step 37
In the File Explorer window, notice that Local Disk (E:) on the right pane is now
locked.

Right-click on Local Disk (E:) and select Unlock Drive…


Figure 3.50 Screenshot of PLABWIN10: Displaying right-clicking a locked
BitLocker drive and selecting Unlock Drive on the File Explorer window.

Step 38
On the BitLocker (E:) dialog box, type:

Passw0rd
Click Unlock.
Figure 3.51 Screenshot of PLABWIN10: Displaying the BitLocker (E:) dialog
box with the required password typed in, and the Unlock button highlighted.

Step 39
The Bitlocker volume (E:) drive is now unlocked.
Figure 3.52 Screenshot of PLABWIN10: Displaying the File Explorer window
with the Bitlocker volume (E:) drive unlocked.

Close all open windows.
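
The policy check and the wizard choices from Tasks 1 and 2 can also be run from an elevated PowerShell session on PLABWIN10. The script below is an added example, not part of the lab: it reads the values written by the Require additional authentication at start-up setting, encrypts E: with a password protector plus a recovery password, and then locks and unlocks the volume. It assumes the New encryption mode corresponds to XTS-AES (XtsAes128 here); the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not lab code. Function names are hypothetical; the cmdlets come from
# the built-in BitLocker module.

# Values written by "Require additional authentication at startup" (OS drives).
# $null means the GPO has not applied yet: run `gpupdate /force`, then look for
# "BitLocker for desktops" in `gpresult /r /scope computer`.
function Get-BitLockerStartupPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $null }
    $names = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM',
             'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    Get-ItemProperty -Path $key | Select-Object -Property $names
}

# Summarise the state the lab checks visually through the drive icon.
function Get-LabVolumeReport {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        LockStatus       = $vol.LockStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyId    = ($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    }
}

function Enable-LabDataVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is '$($vol.VolumeStatus)'; expected FullyDecrypted."
    }
    # Same choices as the wizard: password unlock, used space only, new (XTS-AES) mode.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -UsedSpaceOnly -EncryptionMethod XtsAes128 | Out-Null
    # Recovery password: the fallback if the unlock password is lost. Store it
    # somewhere other than the volume it protects.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'EncryptionInProgress') {
        Start-Sleep -Seconds 5
    }
    Get-LabVolumeReport -MountPoint $MountPoint
}

# Lock and unlock without the restart used in Steps 35 to 39.
function Test-LabLockCycle {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    $afterLock = (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
    $afterUnlock = (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
    [pscustomobject]@{ AfterLock = $afterLock; AfterUnlock = $afterUnlock }
}

$policy = Get-BitLockerStartupPolicy
if ($null -eq $policy) {
    Write-Warning 'No BitLocker policy values found; the GPO has not applied to this computer.'
} else {
    $policy | Format-List
}

# Prompt for the password instead of embedding it in the script.
$pw = Read-Host -Prompt 'Unlock password for E:' -AsSecureString
Enable-LabDataVolume -MountPoint 'E:' -Password $pw | Format-List
Test-LabLockCycle -MountPoint 'E:' -Password $pw | Format-List
```

The setting edited in Steps 14 and 15 sits under Operating System Drives, so it governs startup protectors for the OS volume; the password protector on E: is configured independently of it.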

Task 3 - Create an Encrypting File System (EFS)

The EFS feature in Windows allows you to easily encrypt and decrypt files on your
NTFS drives. If you use this tool to encrypt files, no one else will be able to access them
unless they have your password.

One of the tool's benefits is that you can encrypt a specific folder rather than the entire
hard drive partition. In addition, if you move a file to an EFS-encrypted folder, the file
will be encrypted automatically.

The encryption attribute of a folder, like compression, affects the files that you copy or
move between encrypted and non-encrypted folders, as well as the files and folders
that you rename. The encryption attribute has the following effects when copying,
moving, and renaming objects:

Transferring encrypted folders or files to unencrypted folders (NTFS
volumes) - The copies are encrypted regardless of the destination folder's
encryption setting. When copying to another computer, the objects are encrypted
only if the destination computer allows it. Remote encryption is not enabled by
default in a domain environment, so the destination computer must be trusted for
delegation.

Transferring unencrypted folders or files to encrypted folders (NTFS
volumes) - When folders or files are copied or moved using the Explorer
interface, they are encrypted. This applies to copies made on the same computer
as well as copies made on a remote computer that supports encryption. The COPY
console command encrypts the destination file, whereas the MOVE command
simply renames it.

Transferring encrypted and unencrypted files to FAT volumes -
Windows displays a prompt informing you that the files cannot be encrypted and
offers you the option of copying or moving the files, thereby losing the encryption.
The exception is when you use the Backup utility to back up the files to a Backup
file (BKF) on a FAT volume. In this case, the file remains encrypted in the backup
set.

The encryption attribute is unaffected by renaming a folder or file - As
a result, you can rename an encrypted folder or file while it is still encrypted.
Furthermore, you can rename the encrypted folder or file in a different location
(essentially a move operation), and the folder or file will remain encrypted, even
if it is renamed in an unencrypted NTFS folder.

In this task, you will create folders and text documents and view what happens to their
encryption attribute when they are moved or copied.

Step 1
Connect to PLABWIN11.

Right click on the desktop, point to New and select Folder.


Figure 3.53 Screenshot of PLABWIN11: Displaying right-clicking on the
desktop and selecting New > Folder menu options.

Step 2
Rename the folder to the following:

Encrypted
Figure 3.54 Screenshot of PLABWIN11: Displaying the newly created
Encrypted folder.

Step 3
Repeat Steps 1 and 2 to create another new folder.

Rename the second folder to:

Unencrypted
Figure 3.55 Screenshot of PLABWIN11: Displaying the PLABWIN11 desktop
with the newly created folders.

Step 4
Right click on the desktop, point to New and select Text Document.

Rename the new Text Document to:

Encrypted
Figure 3.56 Screenshot of PLABWIN11: Displaying the newly created
Encrypted Text Document.

Step 5
Create a second Text Document as was done in the previous steps and rename it to:

Unencrypted
Figure 3.57 Screenshot of PLABWIN11: Displaying the PLABWIN11 desktop
with the newly created text documents.

Step 6
Right click the Encrypted folder and select Properties.
Figure 3.58 Screenshot of PLABWIN11: Displaying right-clicking the
Encrypted folder and selecting Properties.

Step 7
In the Encrypted Properties dialog box, click the Advanced button.
Figure 3.59 Screenshot of PLABWIN11: Displaying clicking the Advanced
button in the Encrypted Properties dialog box.

Step 8
On the Advanced Attributes dialog box, enable the Encrypt contents to secure
data checkbox.

Click OK.
Figure 3.60 Screenshot of PLABWIN11: Displaying the Advanced Attributes
dialog box with the required setting performed and the OK button
highlighted.

Step 9
Click OK on the Encrypted Properties dialog box.
Figure 3.61 Screenshot of PLABWIN11: Displaying clicking OK on the
Encrypted Properties dialog box.

Step 10
Right click on the Encrypted text document and select Properties.

Repeat steps 7 to 10 to encrypt the text document.


Figure 3.62 Screenshot of PLABWIN11: Displaying right-clicking the
Encrypted text document and selecting Properties.

Step 11
On the Encryption Warning caution box, ensure Encrypt the file and its
parent folder option is selected.

Click OK.
Figure 3.63 Screenshot of PLABWIN11: Displaying the Encryption Warning
caution box with the required option selected and the OK button highlighted.

Step 12
Move the Encrypted text document into the Unencrypted folder by clicking and
dragging it to the folder.
Figure 3.64 Screenshot of PLABWIN11: Displaying moving the Encrypted
text document to the Unencrypted folder.

Step 13
Right click on the Unencrypted folder and select Properties.
Figure 3.65 Screenshot of PLABWIN11: Displaying right-clicking on the
Unencrypted folder and selecting Properties.

Step 14
In the Unencrypted Properties dialog box, click Advanced.
Figure 3.66 Screenshot of PLABWIN11: Displaying clicking Advanced on the
Unencrypted Properties dialog box.

Step 15
Notice that the Encrypt contents to secure data checkbox is unticked. Adding the
encrypted file had no bearing on the encryption status of the folder. The file, however,
is still encrypted inside the folder.
Figure 3.67 Screenshot of PLABWIN11: Displaying the Advanced Attributes
dialog box.

Step 16
Click OK to close the Advanced Attributes and the Unencrypted Properties
dialog boxes.

Now, move the Unencrypted text document into the Encrypted folder.
Figure 3.68 Screenshot of PLABWIN11: Displaying moving the Unencrypted
text document into the Encrypted folder.

Step 17
Double-click the Encrypted folder to open it.

In the Encrypted folder window, you can see the encryption symbol on the
Unencrypted text document.

Right click the text document and select Properties.


Figure 3.69 Screenshot of PLABWIN11: Displaying right-clicking on the
Unencrypted text document and selecting Properties in the Encrypted
window.

Step 18
In the Unencrypted Properties dialog box, click Advanced.
Figure 3.70 Screenshot of PLABWIN11: Displaying the Unencrypted
Properties dialog box with the Advanced button selected.

Step 19
In the Advanced Attributes dialog box, you can see that moving an unencrypted file
into an encrypted folder makes the file encrypted. This is due to the file inheriting the
permissions that were set on the parent folder, including encryption.

Click OK to close the Advanced Attributes and the Unencrypted Properties


dialog boxes.
Figure 3.71 Screenshot of PLABWIN11: Displaying the Advanced Attributes
dialog box with the OK button selected.

Step 20
Back on the Encrypted folder window, right-click the Unencrypted text file that
has been encrypted and select the Copy icon.
Figure 3.72 Screenshot of PLABWIN11: Displaying right-clicking on the
Unencrypted text document and selecting Copy in the Encrypted folder
window.

Step 21
Right-click anywhere on the details pane and select Paste (or press the Ctrl+V keys
on the keyboard).

Notice the Unencrypted - Copy text document retained its encrypted properties.
Figure 3.73 Screenshot of PLABWIN11: Displaying the Encrypted folder
showing the Unencrypted text document with the encrypted icon.

Step 22
Right click the Unencrypted - Copy text document that has been encrypted and
select Copy.

Minimize the File Explorer window.

Right-click anywhere on the desktop and select Paste.

The Unencrypted - Copy text document retained its encrypted properties even after
moving it to a different location.
Figure 3.74 Screenshot of PLABWIN11: The Unencrypted text file that has
been encrypted is copied and pasted onto the desktop to demonstrate the
encryption continuing to the copied file.

Close all open windows.
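
The moves and copies from Task 3 can be repeated from PowerShell to see which operations set the encryption attribute. This is an added example, not part of the lab: it uses a constructed scratch folder under the user's temp directory (assumed to be on an NTFS volume with EFS available) and reports the attribute after each operation, so the output can be compared with the rules listed at the start of the task.

```powershell
# Added example, not lab code. Paths and helper names are constructed for the demo.
$root      = Join-Path $env:TEMP 'efs-demo'
$encDir    = Join-Path $root 'Encrypted'
$plainDir  = Join-Path $root 'Unencrypted'
$encFile   = Join-Path $root 'Encrypted.txt'
$plainFile = Join-Path $root 'Unencrypted.txt'

if (Test-Path $root) { Remove-Item $root -Recurse -Force }
New-Item -ItemType Directory -Path $encDir, $plainDir | Out-Null
Set-Content -Path $encFile, $plainFile -Value 'lab data'

# Same effect as ticking "Encrypt contents to secure data" on the folder and the file.
cipher.exe /e $encDir  | Out-Null
cipher.exe /e $encFile | Out-Null

function Test-Encrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result {
    param([string]$Operation, [string]$Path)
    $results.Add([pscustomobject]@{
        Operation = $Operation
        Item      = Split-Path $Path -Leaf
        Encrypted = Test-Encrypted -Path $Path
    })
}

# Step 12: encrypted file moved into the unencrypted folder.
Move-Item $encFile $plainDir
Add-Result 'move encrypted file into Unencrypted' (Join-Path $plainDir 'Encrypted.txt')
Add-Result 'Unencrypted folder after that move'   $plainDir

# Step 16: unencrypted file moved into the encrypted folder. Move-Item on the same
# volume is a rename (the MOVE case in the list above), not an Explorer drag.
Move-Item $plainFile $encDir
$moved = Join-Path $encDir 'Unencrypted.txt'
Add-Result 'move plain file into Encrypted (rename)' $moved

# Steps 20 and 21: a copy made inside the encrypted folder is a new file there.
$copy = Join-Path $encDir 'Unencrypted - Copy.txt'
Copy-Item $moved $copy
Add-Result 'copy inside Encrypted' $copy

# Step 22: copy that file out to the unencrypted parent folder.
Copy-Item $copy $root
Add-Result 'copy out of Encrypted' (Join-Path $root 'Unencrypted - Copy.txt')

$results | Format-Table -AutoSize
```

Any row showing Encrypted = False for a file inside the Encrypted folder is plaintext at rest despite its location, which is why the attribute should be checked per file after scripted moves.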

Exercise 4 - Users and Groups in Windows


Windows provides different user accounts and groups that allow you to control the
type of permissions a particular type of user or group can have. For example, you can
control the types of files and folders that can be accessed, the tasks that a particular
user or group is authorised to perform and the devices or resources that can be used.

In this exercise, you will learn about the different types of users and groups in
Windows.

Learning Outcomes
After completing this exercise, you should have further knowledge of:

Users and Groups in Windows

Your Devices
This exercise contains supporting materials for A+ (220-1102).

Identify Users and Groups in Windows

Microsoft Account
When you sign in to your Microsoft account, you gain access to all of Microsoft's
premier services. You should already have a Microsoft account if you use any of the
following services: Outlook.com, Office, Skype, OneDrive, Xbox Live, Bing, Microsoft
Store, Windows, or MSN. Your Microsoft account allows you to manage everything in
one location. You can update your privacy and security settings, track the health and
safety of your devices, and earn rewards by keeping track of your subscriptions and
order history. Everything is saved in the cloud and is accessible across devices,
including iOS and Android. All the services offered by Microsoft can be accessed
through a single account.

Default Local User Accounts


They are pre-installed accounts on the PC that are created when you install Windows.
The default local user accounts cannot be removed or deleted after Windows is
installed. Furthermore, default local user accounts do not grant access to network
resources. They are used to manage access to the resources of the local server based on
the rights and permissions assigned to the account. The Users folder in Windows
contains the default local user accounts as well as the local user accounts that you
create. In the local Computer Management Microsoft Management Console (MMC), the Users
folder is located in the Local Users and Groups folder. The following accounts
are available:

Administrator Account - It is the default local Administrator account. Every
computer has a user account called Administrator, which is created during the
Windows installation process. The account has complete access to the local
computer's files, directories, services, and other resources. It also has the ability
to create additional local users, assign user rights, and assign permissions. By
changing the user rights and permissions, the Administrator account can take
control of local resources at any time. Although the default Administrator account
cannot be deleted or locked out, it can be renamed or disabled.
Guest Account - During installation, the Guest account is disabled by default.
The Guest account allows infrequent or one-time users who do not have an
account on the computer to temporarily sign in with limited user rights to the
local server or client computer. The Guest account does not have a password. This
account is supposed to be used by guests, and if there were a password, they
would be able to log in anytime. Due to this, there is an inherent risk because
there is no authentication to prove a user’s identity. As a best practice, this
account should be disabled.
Help Assistant Account - The Help Assistant account is a default local account
that is activated when you launch a Remote Assistance session. The purpose of
the account is to enable remote users to be able to help resolve users' issues. The
Remote Assistance session, which is requested by a user, is used to connect to
another computer running the Windows operating system. To request remote
assistance, a user sends an invitation from their computer, via e-mail or as a file,
to a person they seek help from. When the user accepts the invitation to a Remote
Assistance session, the default Help Assistant account is created to give the
person providing assistance limited access to the computer. If not in use, the best
practice is to have the account disabled.
Default Account - The Default Account, also known as the Default System
Managed Account (DSMA), is a built-in account that first appeared in Windows
10 version 1607 and Windows Server 2016. The DSMA is a well-known type of
user account. It is a user-agnostic account that can be used to run processes that
are multi-user aware or user-agnostic.

Groups
The main goal of creating User Groups in Windows is to make managing multiple
users in a large and complex computing environment easier. Medium and large
companies will each have different structures, but there will be some similarities.
There are likely to be different divisions in the company. For instance, there may
be an HR department, a sales department, a production department, senior
management, etc. A group can be made for each of these departments, and user
accounts, as well as computer workstations, can be added to it. Groups make the
process more manageable and let you apply restrictions to what users can do.
Instead of manually configuring new user account settings, system administrators
can simply add new employees to existing User Groups, and the new user accounts
will automatically inherit the privileges and security settings of their
assigned User Group. Similarly, whenever changes to privileges or security settings are
required, system administrators will be able to make

Administrators - Administrators have complete and unrestricted access to the
computer/domain.
Guests - Users in this group are infrequent or one-time users who do not have an
account on the computer. They can temporarily sign in with limited user rights to
the local server or client computer.
Power Users - Members of this group have similar permissions to the
administrator's group but would require authorisation from a member of the
administrator's group to perform any changes to the system.
Standard Users - Members of this group have restricted permissions that affect
only the user's computer. For example, they can change their password and
desktop settings and view or modify files and folders stored in their personal and
public folders. The administrators set the permissions for standard users.
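
The account and group descriptions above can be checked against a real workstation. The following is an added example, not part of the lab: it finds the built-in accounts by the last part of their SID (the RID), so a renamed Administrator account is still reported, and lists the members of the built-in groups by their well-known SIDs. The function names are hypothetical, and it is meant for a workstation such as PLABWIN10 rather than the domain controller, which has no local accounts.

```powershell
# Added example, not lab code. Uses the built-in Microsoft.PowerShell.LocalAccounts module.

# Well-known RIDs of the default local accounts described above.
$builtIn = @{ 500 = 'Administrator'; 501 = 'Guest'; 503 = 'DefaultAccount' }

function Get-BuiltInAccountState {
    foreach ($user in Get-LocalUser) {
        $rid = [int](($user.SID.Value -split '-')[-1])
        if (-not $builtIn.ContainsKey($rid)) { continue }
        $role = $builtIn[$rid]
        [pscustomobject]@{
            BuiltInRole = $role
            CurrentName = $user.Name      # differs from BuiltInRole if the account was renamed
            Enabled     = $user.Enabled
            Finding     = if ($role -eq 'Guest' -and $user.Enabled) {
                              'Guest is enabled; the lab recommends disabling it'
                          } else { '' }
        }
    }
}

function Get-BuiltInGroupMembers {
    # Well-known SIDs, so the lookup does not depend on the display name.
    $groups = [ordered]@{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-546' = 'Guests'
        'S-1-5-32-547' = 'Power Users'
        'S-1-5-32-545' = 'Users'
    }
    foreach ($sid in $groups.Keys) {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group   = $groups[$sid]
            Members = ($members.Name -join '; ')
        }
    }
}

Get-BuiltInAccountState | Format-Table -AutoSize
Get-BuiltInGroupMembers | Format-Table -AutoSize -Wrap
```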

Exercise 5 - Login Options for Windows Systems


Windows provides different types of login options for users. The following login
options can be used:

Username and password
Personal identification number (PIN)
Fingerprint
Facial recognition
Single sign-on (SSO)

In this exercise, you will learn about the different login options.

Learning Outcomes
After completing this exercise, you should have further knowledge of:

Different Methods of Log on Protections and Options

Your Devices
This exercise contains supporting materials for A+ (220-1102).

Different Methods of Log on Protections and Options

Windows Hello
Windows Hello allows Windows 10 and Windows 11 users to authenticate themselves
securely using biometrics such as fingerprint, iris scan, or facial recognition. The
sign-in mechanism is essentially an alternative to passwords, and it is widely regarded
as a more user-friendly, secure, and dependable method of accessing critical devices,
services, and data than traditional password logins.

To enable Windows Hello in Windows 10, navigate to Start > Settings > Accounts >
Sign-in options, choose the Windows Hello method you want to use, and then click Set
up. If you don't see Windows Hello in the Sign-in options, it's possible that it's not
available for your device.

Figure 5.1: Displaying the Windows Hello PIN option in the Settings -
Sign-in options window.

Personal Identification Number (PIN)


A PIN is a code that can be used to sign in to Windows. It should have at least 4
characters and usually contains digits. However, you can configure Windows 10 to
accept PINs that contain letters (both uppercase and lowercase) and special characters
such as ! or ?. When you set a PIN, Windows checks to see if you're using easy-to-guess
patterns like 1234 or 0000, and it doesn't let you use them as your PIN. The PIN is
linked to your user account and can be used instead of the password to authenticate.
However, before you can use a PIN to log in to Windows, you must first create a
password.

Single Sign-On (SSO)


Single sign-on (SSO) is a method that allows a user to log on to a network once,
authenticate themselves and then use various network services and applications
without having to log in again. The user is authenticated with a directory service, such
as Active Directory, which is also integrated with the various applications and services
on the network. Therefore, being authenticated once, the user need not log on
separately to these services and applications.

When SSO is implemented, the users will not need a different set of credentials to log
on to different applications or web applications, and a single user account from a
centralized directory can be used. This is more secure than storing a different account
on the collaboration tool itself.

Username and Password


To authenticate users, usernames and passwords are combined. There are some
features that can be enabled to aid in password security:

- Password History - This security setting determines how many unique new
passwords an account must use before a previously used password can be
reused. The value must be between 0 and 24 passwords. This ensures that the old
password is not reused constantly and aids in security.

- Maximum Password Age - Here, you can specify the period (in days) a password can
be used before it expires. Passwords can be set to expire after between 1 and
999 days. If the number of days is set to 0, the password will never expire.

- Minimum Password Age - This setting is used to specify the number of days a
password should be used before you can change it.

- Minimum Password Length - In this security setting, you can specify the minimum
number of characters your password should contain.

- Password Complexity - When this security setting is enabled, passwords should meet
the following minimum criteria:

  - Should not contain parts of the user’s name or user ID
  - Should be at least 6 characters long
  - Should contain at least three characters from the following categories - uppercase
    characters, lowercase characters, numbers, and special characters.
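
The five settings above can be checked on a machine without opening the policy editor. The script below is an added example, not part of the original lab: it exports the local security policy with secedit and compares it with a baseline. The baseline numbers are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example: audit the local password policy against a baseline.
# Baseline values are hypothetical; replace them with your own policy.
$baseline = [ordered]@{
    PasswordHistorySize   = 24   # Password History (0-24)
    MaximumPasswordAge    = 90   # Maximum Password Age, in days
    MinimumPasswordAge    = 1    # Minimum Password Age, in days
    MinimumPasswordLength = 12   # Minimum Password Length
    PasswordComplexity    = 1    # 1 = Password Complexity enabled
}

function Get-LocalPasswordPolicy {
    # Export the security policy to a temporary template and parse "Name = number" lines.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$actual = Get-LocalPasswordPolicy
$report = foreach ($name in $baseline.Keys) {
    $want = $baseline[$name]
    $have = $actual[$name]
    $ok = if ($null -eq $have) {
        $false                                    # setting missing from the export
    } elseif ($name -eq 'MaximumPasswordAge') {
        # Values below 1 mean the password never expires, so they fail the check.
        ($have -ge 1) -and ($have -le $want)
    } else {
        $have -ge $want                           # higher is stricter for the rest
    }
    [pscustomobject]@{ Setting = $name; Actual = $have; Baseline = $want; Compliant = $ok }
}
$report | Format-Table -AutoSize
```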

Exercise 6 - NTFS vs. Share Permissions


Permissions are rules that can be created for the system. Different types of
permissions can be applied and have differing effects at different operating system
levels.

In this exercise, you will learn about NTFS and share permissions and how the User
Account Control (UAC) helps protect the PC.

Learning Outcomes
After completing this exercise, you should have further knowledge of:

NTFS vs. Share Permissions

Your Devices
This exercise contains supporting materials for A+ (220-1102).

NTFS vs. Share Permissions

NTFS File System


The file system determines how information is saved onto the drive. Different file
systems have different capabilities and limitations due to how they were built and the
technology available during that time. NTFS is an abbreviation for New Technology
File System. NTFS is the most recent file system used by the Windows operating
system for file storage. Before NTFS, File Allocation Table 32 (FAT32) was the
preferred file system for Windows. The NTFS file system is more secure than FAT and
supports larger file sizes and hard drives. With the release of Windows NT 3.1 in 1993,
Microsoft first introduced NTFS. NTFS permissions are used to control who has access
to the files and folders stored in NTFS file systems. The following permissions are
available:

- Full control - Users can read, write, modify, and delete files and subfolders. Users
  can also change the permissions settings for all files and subdirectories.
- Modify - Allows users to read and write files and subfolders, as well as delete
  them.
- Read and Execute - Users can view and execute files and scripts.
- List Folder Contents - Allows for the viewing and listing of files and subfolders, as
  well as the execution of files; inherited only by folders.
- Read - Allows users to view the contents of a folder and its subfolders.
- Write - Allows users to add files and subfolders and write to files.

Folder Sharing
A share is created when you share a folder and set the permissions for that folder.
Share permissions, in essence, determine the type of access others have to the shared
folder across the network.

- Full Control - Allows users to "read," "change," and "edit" permissions, as well as
  take ownership of files.
- Change - The user can read, execute, write, and delete folders/files within the
  share.
- Read - Users can view the contents of the folder by selecting Read.
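
When a folder is reached over the network, both the share permissions and the NTFS permissions apply, and the more restrictive of the two decides what the user can do. The function below is an added example, not part of the original lab: it lists both layers side by side for one share. The share name LabShare is hypothetical, and an elevated session is assumed.

```powershell
# Added example: show share-level and NTFS-level permissions for one shared folder.
function Get-FolderAccessLayers {
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share permissions (Full, Change or Read) affect network access only.
    $shareRows = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Layer     = 'Share'
            Identity  = [string]$_.AccountName
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.AccessRight
            Inherited = ''
        }
    }

    # NTFS permissions are the ACL stored on the folder itself.
    $ntfsRows = (Get-Acl -Path $share.Path).Access | ForEach-Object {
        [pscustomobject]@{
            Layer     = 'NTFS'
            Identity  = [string]$_.IdentityReference
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.FileSystemRights
            Inherited = [string]$_.IsInherited
        }
    }

    @($shareRows) + @($ntfsRows)
}

# 'LabShare' is a hypothetical share name used for illustration.
$rows = Get-FolderAccessLayers -ShareName 'LabShare'
$rows | Sort-Object Identity, Layer | Format-Table -AutoSize

# Flag broad grants that deserve a second look at either layer.
$rows | Where-Object {
    $_.Type -eq 'Allow' -and
    $_.Identity -match '(^|\\)Everyone$' -and
    $_.Rights -match 'Full'
} | ForEach-Object {
    Write-Warning ("{0} layer grants Everyone {1}" -f $_.Layer, $_.Rights)
}
```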

User Account Control (UAC)


User Account Control (UAC) is an important part of Microsoft's overall security
strategy. UAC lessens the impact of malware. To make changes, each app that requires
the administrator access token must ask for permission. When UAC is enabled,
Windows 10 or Windows 11 prompts for consent or credentials from a valid local
administrator account before beginning a program or task that requires a full
administrator access token. This prompt ensures that no malicious software is
installed silently.

When a user attempts to perform a task that requires the user's administrative access
token, the consent prompt appears. Making your primary user account a standard user
account is the recommended and more secure method of running Windows 10 or
Windows 11 without having to overuse the administrator account as the primary
account. Running as a standard user contributes to the overall security of a managed
environment.

Exercise 7 - Run as Administrator vs. Standard User

As discussed earlier, administrators have extra abilities assigned to them in the
operating system.

In this exercise, best practices with Administrator and User accounts will be discussed.

Learning Outcomes
After completing this exercise, you should have further knowledge of:

Run as Administrator vs. Standard User

Your Devices
This exercise contains supporting materials for A+ (220-1102).

Run as Administrator vs. Standard User

Windows, like other operating systems, will require an administrator account to
perform system setting modifications on a computer, such as installing a new
program, managing disk volumes, creating users or groups, and other tasks that will
affect your computer's performance.

When you select "Run as Administrator," UAC is bypassed, and the application is
launched with full administrator access to your entire system. Due to the access that is
given to the administrator account in the operating system, the account has access and
the ability to change things normal users can’t. Some applications and built-in
programs in Windows require this access. In order to combat this, a feature was
created, Run as Administrator. It allows administrators to use a standard account for
their everyday operations but elevate their status when a task requires it. They will
need to enter their credentials to authenticate and gain the rights and permissions.
With this approach, the user will only use the privileged account when performing
system-related tasks and will revert to an ordinary user once the task is completed.

Figure 7.1: Selecting the Run as administrator option for Command Prompt in
Windows 10.
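
To see whether a PowerShell window was started with Run as administrator, and how UAC is configured on the machine, the following script can be used. It is an added example, not part of the original lab; it reads the UAC policy values from the registry and only reports them.

```powershell
# Added example: report the elevation state of this session and the UAC policy.

# True only when this process holds the full administrator access token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Meaning of the prompt-behaviour values for administrators and standard users.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Resolve-Setting($map, $value) {
    if ($null -eq $value) { return 'not set' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return "unknown ($value)"
}

[pscustomobject]@{
    User               = $identity.Name
    Elevated           = $elevated
    UacEnabled         = ($uac.EnableLUA -eq 1)
    AdminPrompt        = Resolve-Setting $adminPrompt $uac.ConsentPromptBehaviorAdmin
    StandardUserPrompt = Resolve-Setting $userPrompt  $uac.ConsentPromptBehaviorUser
    SecureDesktop      = ($uac.PromptOnSecureDesktop -eq 1)
} | Format-List

if ($uac.EnableLUA -ne 1) { Write-Warning 'UAC is disabled (EnableLUA is not 1).' }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { Write-Warning 'Administrators elevate without any prompt.' }
if ($elevated) { Write-Warning 'This session is elevated; close it when the administrative task is done.' }
```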

Review
Well done, you have completed the Security Implementation on a Windows
Device Practice Lab.

Summary
You completed the following exercises:

Exercise 1 - Manage Microsoft Defender Antivirus
Exercise 2 - Manage Windows Defender Firewall
Exercise 3 - BitLocker and EFS
Exercise 4 - Users and Groups in Windows
Exercise 5 - Login Options for Windows Systems
Exercise 6 - NTFS vs. Share Permissions

You should now be able to:

Activate/Deactivate Microsoft Defender Antivirus and Update Virus Definitions
Activate & Deactivate Windows Defender Firewall
Create a Rule Blocking a Port
Block a Program through the Windows Defender Firewall
Allow a Program through the Windows Defender Firewall
Activate BitLocker To Go
Configure BitLocker Settings via GPO
Create an Encrypting File System (EFS)

You should now have further knowledge of:

Users and Groups in Windows
Different Methods of Log on Protections and Options
NTFS vs. Share Permissions
Run as Administrator vs. Standard User

Feedback

Shut down all virtual machines used in this lab. Alternatively, you can log out of
the lab platform.
