Windows Security Settings – CompTIA A+ 220-1102 – 2.5

Windows includes a number of different security features to keep your data safe. In this video, you’ll learn about authentication options, NTFS vs. Share permissions, implicit and explicit permissions, and more.


Before you can use most operating systems, you have to log in, and Windows is no exception. There are a number of different options for logging in. One is with accounts that are stored on that local device. We refer to these as local accounts and they will log in to just that specific Windows device. Windows also supports the ability to use your Microsoft account. So if you’ve configured an account on the Microsoft Cloud, you can use that account to log in to your local device.

This also helps to integrate between multiple Microsoft technologies, such as Skype, Office, OneDrive, and others. And of course, if you’re in an office or enterprise, you’re logging in with your Windows domain credentials. The details of these accounts are stored in different places for a local account everything will be stored under your local users and groups. In there, you’ll have a list of all of the users who can log in on this device and the rights and permissions that particular account might have.

Each user can then be added to a number of groups to provide them with rights and permissions. For example, a user might be added to the administrators group to give them administrative access on that device. Or they might be part of the event log reader’s group or the remote management users group. One of the most common login credentials is the username and password.

Once you log into Windows, you have other options available for authentication, such as a personal identification number or pin so that you don’t have to remember your username and password. You would simply put in a personal identification number directly on the login screen. Windows also includes biometrics for logging in. If your device has a camera, you can use facial recognition. And of course on a Windows domain, it’s a single sign on. So once you put in your username and password first thing in the morning, you can connect to other resources without having to input that credential again.

If you want to add or change the methods you’re using for login, you can follow the settings under accounts and sign in options for facial recognition, fingerprint recognition, a personal identification number, use a security key with the USB connection, a password, or a picture password. On a local device, the rights and permissions that you have to files and other objects on that drive are based on the permissions associated in NTFS.

Under every file or folder in NTFS there is a Security tab and you can specify the groups or users that have access to that object and what rights and permissions they might have. If you’re connecting across the network, then you’re also subject to a different set of permissions called share permissions. Those are permissions associated with the access to that share across the network. And then once you have access to that device, you also have to take into account the NTFS permissions for that user.

Between both of these, the most restrictive access is the one that has the priority. So if you’re connecting over a network to a share and that share has full access to a folder but the NTFS permissions set it to read only, then the only access you would be read only. You also have to remember that NTFS permissions are inherited from the parent. So even if you don’t explicitly assign rights and permissions to a folder or a file, it will use the permissions associated with its parent.

The only time where that’s different is if you take an NTFS file or folder and you move it to a different folder on the same volume. In that case, Windows changes a pointer to where that file is located but keeps the same permissions that it originally had. Here are the two different permission screens for NTFS and share permissions. On the left side are the NTFS permissions, and you can see in NTFS, you have a large number of permissions that you can configure with full control, modify, read and execute, list folder contents, and others.

With share permissions, you’re still assigning users and groups to that object, but the options for permissions are full control, change, and read. Explicit permissions are permissions that we assign to objects that are in the file system. Inherited permissions are permissions that are automatically associated with that object and are based on the parent of that particular object. So if I was to assign permission to a music folder, any folders underneath that music folder would inherit the permissions of the parent.

This also applies if I deny access to a folder, then all of the folders underneath will also have denied access because it has inherited the permissions of the parent. But I can also pick any of these folders and assign an explicit permission, which overrides the inherited permission that was created from the parent. By default in Windows, not every user has access to every part of the operating system. And when you’re using Windows as a normal user, there are certain things that are restricted in the operating system.

To be able to edit system files, install services, and provide enhanced functions, you would need to have an elevated account or an administrator right to be able to perform that function. This is even true if you’ve been assigned administrator rights on that particular device, that those rights don’t go into effect until you explicitly tell Windows that you would like to do something as the administrator.

So if you are starting an application and you would like to run it with elevated rights and permissions, you would right mouse click on the application and choose Run As Administrator. Or you can select the application inside of Windows and one of the options will be to run as administrator. You may have seen a message pop up in Windows about rights and permissions, and what you’re able to do as a normal user versus an administrator.

The message that appears was created because of user account control, or UAC. This is a function inside of Windows that intentionally limits capabilities for users so that those features can be approved before it’s run. For a standard user if you want to use the network or change your password, you may be presented with a UAC window. If you’re an administrator and you’re installing applications or updating a device driver, you might also see the UAC window appear.

The screen that pops up is called secure desktop and it gives you the opportunity to understand exactly what changes are to be made to the operating system and what the potential risk might be in making those changes. This is something that should only appear if you’re performing particular functions in the operating system. If you’re using a normal application and suddenly a user account control window appears, you want to look very carefully at what it’s asking and then decide whether this should have elevated permissions or not.

One powerful security feature in Windows is the ability to encrypt everything that’s on a Windows volume. This is done through a utility called BitLocker. BitLocker encrypts everything on your Windows system, including your personal files and the operating system itself. This means if you’re traveling with a laptop and the laptop is lost or stolen, all of the data on that laptop will be safe. Even if someone was to remove the storage drive from that laptop and move it to a different system, they would still not have any access to the data because everything on that drive is encrypted.

Windows also knows how easy it is to lose a USB drive so it has a BitLocker option called BitLocker To Go that can encrypt all of the data that you’re writing to a USB flash drive. If you don’t want to encrypt the entire window’s volume but there are certain files or folders that you’d like to encrypt, you can use EFS or the encrypting file system. This is a capability built in to NTFS which means most people running Windows will be able to take advantage of EFS.

Like BitLocker, EFS will work in all Windows editions except the home editions of Windows. The encryption key that’s used when you click the option to encrypt contents to secure data is based on your username and password. So when you log in, you’ll effectively have access to all of your encrypted information. And if someone administratively reset your password, there is a possibility that you would lose access to all of this EFS encrypted data.