However, a domain only uses one database, known as Active Directory, which is normally stored on one or more domain controller servers. The domain allows for centralized administration of all users, groups, and resources on the network. When a user logs onto the domain, they can access resources throughout the domain with the same logon. This is called single sign-on. A user account allows a user to log on to a computer or domain and be authenticated and authorized for access to resources on that computer or domain. Because each user account should only be assigned to one user, this allows you to assign rights and permissions to that user within the domain, and allows you to track what they are doing.
When you first install Windows the system creates two user accounts that you can administer from the User Accounts menu in the control panel.
The first of these users is the Administrator account, which is an account with full access to files, directories, and all other resources on the computer. This account cannot be deleted. In new installations of Windows 7, this account is disabled. If, during an upgrade from Windows Vista, Windows 7 finds that the only active administrator account is the default one, it will be left enabled. By default this account cannot log on to the computer if it was booted in safe mode.
The second default Windows account is the Guest account, which is designed for users who do not need to log on to the computer very often. Though this user has very limited permissions, you should always be careful about enabling this account as it opens up a possible security risk. This account is also disabled when Windows 7 is first installed.
When you create any additional accounts you can either create them with administrator privileges or limited privileges.
When you set up Windows 7 you are required to set up an administrator account, to allow you to set up the computer and install any programs that you need.
Windows 7 provides default groups that you can add users to; the users then inherit the permissions of the group.
- Administrators - These users have unrestricted access to everything on the computer.
- Backup Operators - These users are able to override file and folder permissions in order to perform backups.
- Event Log Readers - Users in this group can read data in the event logs.
- Power Users - These users are included for backwards compatibility.
- Replicator - Users in this group are used to support replication in a domain environment.
- Remote Desktop Users - These users can access other PCs remotely.
- Performance Monitor Users - Users in this group can access performance monitor counters, both locally and remotely.
- Cryptographic Operators - These users are able to perform cryptographic tasks. This group is only used when Windows 7 is deployed in a configuration called Common Criteria mode. When Windows 7 is deployed in this mode, Administrators can read, write and execute everything, apart from policies related to cryptography or IPsec.
- Distributed COM Users - Users in this group are able to manipulate Distributed COM objects locally.
- Network Configuration Operators - Users in this group can change TCP/IP address settings.
- Performance Log Users - Users in this group can schedule the logging of performance counters, enable trace providers and collect event trace data.
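The accounts and groups described above are the first things to check on a machine you are reviewing. The following PowerShell script is an added example, not code from the original post; it reports whether the built-in Administrator and Guest accounts are enabled and lists the members of the groups whose membership grants elevated capability. It uses the ADSI WinNT provider, which is available on Windows 7 (the Get-LocalUser and Get-LocalGroupMember cmdlets only exist on later Windows versions); the list of groups treated as privileged is the example's own choice.

```powershell
# Added example (not from the original post): audit built-in accounts and
# privileged local groups on a Windows 7 machine via the ADSI WinNT provider.

# Groups from the list above whose membership grants elevated capability.
# Which groups count as "privileged" is an assumption made for this example.
$privilegedGroups = @(
    'Administrators',
    'Backup Operators',
    'Remote Desktop Users',
    'Network Configuration Operators',
    'Power Users'
)

function Get-LocalGroupMembership {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    # Invoke IADsGroup::Members and read each member's ADsPath,
    # which looks like WinNT://DOMAIN/Name or WinNT://WORKGROUP/PC/Name.
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Get-LocalAccountState {
    param([string]$UserName)
    $user = [ADSI]"WinNT://./$UserName,user"
    # ADS_UF_ACCOUNTDISABLE (0x2) set in UserFlags means the account is disabled.
    $flags = [int]$user.UserFlags.Value
    New-Object PSObject -Property @{
        Account = $UserName
        Enabled = (($flags -band 0x2) -eq 0)
    }
}

# Built-in accounts: the post says both are disabled on a fresh install,
# so an enabled one is worth a second look.
foreach ($name in 'Administrator', 'Guest') {
    $state = Get-LocalAccountState $name
    $note = if ($state.Enabled) { 'ENABLED - review' } else { 'disabled' }
    Write-Output ("{0,-15} {1}" -f $name, $note)
}

# Privileged groups: print the members so unexpected entries stand out.
foreach ($g in $privilegedGroups) {
    Write-Output "`n[$g]"
    $members = @(Get-LocalGroupMembership $g)
    if ($members.Count -eq 0) { Write-Output '  (no members)' }
    foreach ($m in $members) { Write-Output "  $m" }
}
```

Run it from an elevated PowerShell prompt; reading group membership through the WinNT provider does not require elevation, but keeping a single privileged session for the whole review is simpler. Compare the output against the group descriptions above: a Backup Operator can read every file on the disk regardless of its permissions, and a Remote Desktop User can log on from the network, so neither group should contain accounts nobody can account for.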
To configure authentication methods, click Start, type Firewall in the search box and select Windows Firewall with Advanced Security.

In the main window select Windows Firewall Properties (I've marked this one out because it took me ages to find it!)

Select the IPSec Settings tab at the top of the Window, and select Customize.

From the list select the authentication method you would like to use.

- Computer and User (Kerberos V5) - This requires the computer and the currently logged on user to be authenticated using domain credentials. This method only works with other computers that can use Authenticated IP (AuthIP), including Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2. User authentication using Kerberos is not supported by IKE v1 (Internet Key Exchange v1).
- Computer (Kerberos V5) - This option configures your computer to use and require the authentication of another computer using domain credentials. This method can be used with any computer that uses IKE v1 and supports older versions of Windows.
- User (Kerberos V5) - This option configures your computer to use and require the authentication of the currently logged on user, using domain credentials. This method only works with other computers that can use AuthIP, and user-based Kerberos V5 authentication is not supported by IKE v1.
- Computer (Kerberos V5)
  - Computer (NTLMv2) - Like computer authentication using Kerberos, this option configures your computer to use and require authentication using domain credentials. However, unlike computer authentication using Kerberos, this will only work with other computers that support AuthIP.
  - Computer authentication using this certification authority (CA) - This option requires you to enter the identification of a certification authority, and configures your computer to use and require authentication using a certificate issued by the selected CA. You can also choose to accept only health certificates, in which case certificates issued by a NAP server can also be used.
  - Preshared Key - This method of authentication is not recommended. It requires you to enter a preshared key, and configures your computer to authenticate by exchanging that preshared key. This is only included for backwards compatibility and testing.
- User (Kerberos V5)
  - User (NTLMv2) - This works in the same way as computer authentication using NTLMv2.
  - User health certificate from this certification authority (CA) - This method requires you to enter the identification of a CA, and configures your computer to use user-based authentication using a certificate issued by the selected CA. You can also select to enable certificate-to-account mapping, which associates certificates with users in the Active Directory database so that you can allow or deny users access.
  - Computer health certificate from this certification authority (CA) - This method requires you to enter the identification of a CA, and configures the computer to use and require authentication using a certificate issued by the selected CA. You can also select Accept only health certificates, so only certificates that include the system health authentication enhanced key usage provided by a NAP infrastructure can be used for this rule.
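The dialog above sets the defaults, but what a machine actually enforces is in its connection security rules, and the weaker choices (a preshared key, NTLMv2 where Kerberos would do, or a rule that only requests authentication and falls back to cleartext) are easy to miss in the GUI. The script below is an added example, not code from the original post: it parses the text that `netsh advfirewall consec show rule name=all` prints on Windows 7 and flags those cases. The `$sample` block is constructed for offline demonstration, and the exact key names and method tokens (Auth1, Auth2, ComputerPSK and so on) are an assumption about netsh's output format that you should confirm against a real listing.

```powershell
# Added example (not from the original post): review IPsec authentication
# methods in connection security rules and flag weak choices.
# On a real machine replace $sample with:
#   $sample = (netsh advfirewall consec show rule name=all) -join "`n"

# Constructed sample output; the key names and method tokens mirror netsh's
# "Key:   Value" layout (an assumption about the exact wording).
$sample = @'
Rule Name:                            Domain Isolation
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Endpoint1:                            Any
Endpoint2:                            Any
Action:                               RequireInRequestOut
Auth1:                                ComputerKerb
Auth2:                                UserKerb

Rule Name:                            Lab Test Tunnel
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private
Endpoint1:                            Any
Endpoint2:                            Any
Action:                               RequestInRequestOut
Auth1:                                ComputerPSK
Auth2:                                None
'@

function ConvertFrom-ConsecRuleText {
    # Turn the "Key: Value" blocks into one hashtable per rule.
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += $current }
            $current = @{ 'Rule Name' = $Matches[1] }
        } elseif ($current -and $line -match '^([A-Za-z0-9]+):\s+(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Test-ConsecRule {
    # Return a list of findings for one parsed rule (empty when nothing stands out).
    param([hashtable]$Rule)
    $findings = @()
    $auths = @($Rule['Auth1'], $Rule['Auth2']) | Where-Object { $_ }
    foreach ($a in $auths) {
        # A method field may list alternatives, e.g. "ComputerKerb,ComputerNTLM".
        foreach ($method in ($a -split ',')) {
            switch -Regex ($method.Trim()) {
                'PSK'       { $findings += "uses a preshared key ($method): the post recommends against this outside testing" }
                'NTLM'      { $findings += "uses NTLMv2 ($method): domain credentials, but AuthIP-only and weaker than Kerberos" }
                'Anonymous' { $findings += "allows anonymous authentication ($method)" }
            }
        }
    }
    if ($Rule['Action'] -eq 'RequestInRequestOut') {
        $findings += 'only requests authentication, so unauthenticated peers can still connect'
    }
    return $findings
}

$rules = @(ConvertFrom-ConsecRuleText ($sample -split "`r?`n"))
foreach ($r in $rules) {
    Write-Output ("Rule: {0}  [Auth1={1}; Auth2={2}; Action={3}]" -f $r['Rule Name'], $r['Auth1'], $r['Auth2'], $r['Action'])
    $findings = @(Test-ConsecRule $r)
    if ($findings.Count -eq 0) { Write-Output '  OK' }
    foreach ($f in $findings) { Write-Output "  - $f" }
}
```

With the constructed sample, "Domain Isolation" reports OK and "Lab Test Tunnel" gets two findings: the preshared key and the request-only action. The same idea extends to the group policy objects that push these rules, since a rule set centrally overrides whatever the local dialog shows.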
When you store credentials in Windows 7, Windows then logs you in automatically with the usernames and passwords that you have provided.
To open the Credential Manager, open the control panel and type Credential Manager into the search bar. Click on the link that comes up.

Click on Add A Windows Credential

Enter the username and password of the account you would like to set to automatically log in.

When you click OK and go back to the main screen, you should see the credential in the list.
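The same thing can be done without the GUI, which matters when you want to script a workstation build or check what a machine already has stored, because a saved Windows credential lets anyone who controls that logon session authenticate as the stored account. The script below is an added example, not code from the original post. It uses cmdkey.exe, which ships with Windows 7, to add and remove a credential, and parses the `cmdkey /list` output to summarise what is stored. The `$sample` text is constructed to mirror cmdkey's Target/Type/User layout (an assumption about the exact wording); the target and user names in it are made up.

```powershell
# Added example (not from the original post): command-line counterpart of the
# Credential Manager steps above, plus a review of stored credentials.

# Store a Windows credential for a server. Giving /pass without a value makes
# cmdkey prompt for the password so it does not end up in the command history
# (behaviour relied on here; verify with cmdkey /? on your build).
#   cmdkey /add:fileserver01 /user:CONTOSO\alice /pass
# Remove it again when it is no longer needed:
#   cmdkey /delete:fileserver01

# Constructed sample of "cmdkey /list" output. On a real machine use:
#   $sample = (cmdkey /list) -join "`n"
$sample = @'
Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\alice

    Target: LegacyGeneric:target=git:https://example.test
    Type: Generic
    User: alice
'@

function ConvertFrom-CmdkeyList {
    # Group the Target/Type/User lines into one object per stored credential.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^Target:\s+(.+)$' {
                if ($current) { $entries += $current }
                $current = New-Object PSObject -Property @{ Target = $Matches[1]; Type = ''; User = '' }
            }
            '^Type:\s+(.+)$' { if ($current) { $current.Type = $Matches[1] } }
            '^User:\s+(.+)$' { if ($current) { $current.User = $Matches[1] } }
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

$entries = @(ConvertFrom-CmdkeyList ($sample -split "`r?`n"))
Write-Output ("{0} stored credential(s)" -f $entries.Count)
foreach ($e in $entries) {
    # "Domain Password" entries are usable for network logons as that account,
    # so they deserve the closest review; generic entries belong to applications.
    $flag = if ($e.Type -eq 'Domain Password') { 'domain logon credential' } else { 'generic' }
    Write-Output ("  {0,-45} {1,-18} {2}" -f $e.Target, $e.User, $flag)
}
```

Stored credentials are per user, so run the listing as the account you are reviewing rather than as an administrator. Anything stored for a server that the user no longer needs should be removed with `cmdkey /delete`, exactly as you would remove it from the Credential Manager window.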

And that is it my friends, a simple guide to configuring authentication in Windows 7!