
Critical Security Concepts
This is a guide on critical security concepts.
Social Engineering
And one of the best examples of this, if you haven't seen the film Catch Me If You Can, that's a great example of the con man. The con man often gets confidential information through some nefarious means. Mostly though, and at the core of it, is the con man's willingness to exploit people's trust. And that could be pretending to be somebody they're not, masquerading, or impersonation, and you will see both those terms. And they're synonymous, right? They mean the same thing. I'm with the company, I'm a delivery guy, I'm a repair person.
The best example of that was what happened at the customs office for the Australians a few years ago. And these two fellows showed up dressed in uniforms of the service people. And they said to the security guard, there's something wrong with the server, we need to take it into the shop. And the security guard on the security footage, you can actually see the guard gets them a cart, like a mail cart so that they can wheel the server out. And then holds the door open for them as they wheel that server out into the cold Australian Outback night never to be seen again. On it the personally identifying information of 2 million naturalized Australians, huge kerfuffle. But that's the kind of thing that these folks do, tailgating, piggybacking.
You got a secure office, you got a badge in and out. Everywhere you go, every door has got a badge reader. And if your badge doesn't work on that door, you're not supposed to go through that door. So don't hold the door for other people. I know it seems rude, but it's not rude when it's a question of security, and everybody should understand that.
Now, the most common kinds of social engineering attacks that we see today are Phishing attacks. And these commonly come in in the form of emails. And the emails appear maybe to be from somebody that you know or some business that you've done business with in the past. But they redirect you to a malicious website where your credentials will be stolen or that kind of thing.
There's a sophisticated form of this called a Spear phishing attack. And this is when you get an email that appears to come from somebody in your company, right? It's all artifice, but it appears to come from an internal address. If you try to block the sender, your email application tells you it's from an internal address, and those can't be blocked. But it's not, and maybe it'll say something like, there's an attachment. You're supposed to read the attachment, and the new corporate policy has it encrypted. So for security purposes, to decrypt the attachment you'll have to enter your network credentials. And as soon as they do that, boy, their credentials are in the hands of the enemy. Targeted attacks, spear phishing.
Shoulder surfing – I've seen this kind of thing, where somebody is just standing too close for comfort at the ATM, and what they're really doing is, over your shoulder, they're trying to get your PIN, right? Shoulder surfing is just the actual looking over somebody's shoulder when they think nobody is looking. You're in the airport, you're entering your network credentials, is anybody paying attention to you? You don't know. And if you sat in a busy airport right in the center seat, there's no telling who's behind you and who can see right over your shoulder.
And Dumpster diving, we gotta be careful about what we throw away, and how we throw it away, and how secure that garbage is. Because these guys won't hesitate. Some of the best information they'll get is in the dumpster. And so how we dispose of and what we dispose of, can become critically important these days if we don't want that data to fall into the wrong hands.
How do we address this? Because it targets the weakest link in the chain, your end user, education and training for the end users is your best defense against this sort of thing. And these attacks are getting increasingly sophisticated. Really, some of those spear phishing emails that are crafted from an internal email address, they look like they're from an internal email address. And sometimes of course they are, because some other piece of malware is on the user's machine. And it's leveraged his credentials to send the email in the first place.
So what we want to do, Security training for end users. Bring everybody up to speed, let them know what's going on. Awareness training for groups with sensitive positions. And this extends not just to what's a phishing email look like today. But it extends to that realm of in really sensitive positions, where there's lots of money or access to information about money. We need to be careful about who comes into our lives out of nowhere and what the implications of that could be.
Technical security training for the IT staff, right? This should be top of mind for everybody. And advanced security training for security practitioners, as well as Specialized training for senior management. So often senior management tends not to be technically savvy, and so we want to spend a little more time with them because they're going to be targets. If you've got a company that's worth a few dollars, they're going to be targets.
Common Threats
And one group of those are password attacks. And password attacks take a couple of forms. The principal forms are Brute force and Dictionary attacks. And a brute force attack is just guessing, right? [Video description begins] Essentially, a brute force attack involves guessing a password. [Video description ends] When we say the malware that performs the brute force attack probes the complete keyspace, that means, if I take a standard 108-key keyboard, only so many of those keys are available for passwords, right? And depending on whether you're using complexity rules or not, the special characters are or are not in play. And if the attacker knows that, he can rule those out right away, which exponentially improves his chances.
These dictionary attacks, these are pre-computed, most likely passwords. Most commonly used passwords, right, Password with a capital P, passWord with a capital W, passworD with a capital D, et cetera, right? And it will just run through the most likely iterations of the most common password. And they're good, right? I saw one on a standard Windows 7, 2 gig of RAM laptop. Cracked over 2 million passwords in an hour, like craziness, right?
Many of the attacks these days are not simply a brute force or dictionary attack, but rather they're a Hybrid attack. They start with the dictionary. And then they move onto another attack type, commonly a brute force. [Video description begins] So, a hybrid attack moves from a dictionary attack to a strategic attack. [Video description ends]
If I've got the password hash, this is the difference between a Rainbow table and these others, the others don't have a password, or the hash, or anything, right? They've got a username, or names, and they're attempting to crack that person's password, live authentication. Now, a rainbow table assumes that you have the hash.
Now, you know, say in Windows, your password is never stored, the system never stores your password. When you input your password, an algorithmic set runs against the password and it generates a hash value. And it's the hash value that's stored in active directory or in the security accounts manager database, not your actual password. And so, if I get your computer I get ahold of your computer or if I snoop your authentication traffic in the right fashion, I may be able to acquire your password hash.
Well, now I've got a rainbow table, and the rainbow table is the hash equivalents of the plaintext variants. And so, if you've got a 14-character password, and I've got the hash with a rainbow table, I can have that password cracked in less than three minutes. And that's the big difference between a rainbow table and the others. You've got a hash of the password, you're not guessing the password.
Man-in-the-middle attacks, an attacker interposes themselves between you and someone that you legitimately want to talk to. Maybe it's a website. Some of these have become quite sophisticated. So in spite of the use of, say SSL, with HTTPS, some man-in-the-middle attacks can have the plain text HTTP responses generated to themselves. It appears to you like you're talking in secure encrypted text, but you're not. And this guy in the middle is decrypting those responses.
Then Spoofing, which commonly is also referred to as masquerading, as is impersonation. And they can spoof just about anything these days, guys. They'll spoof MAC addresses, they'll spoof IP addresses, they'll spoof the ARP response. They'll spoof the Referer, and that's spelled right for the attack. [Video description begins] The presenter points to the spelling of "Referer" which is "R E F E R E R." This is also referred to as "ref tar." [Video description ends]
This is when you get referred to a website, say you do a search and you got some results, and I could go over here. Well, when you get referred to a malicious referer site, or what they also call ref tar attack, you don't know that you're no longer seeing what you think you're seeing. You think you hit the back button and you went back to Google page, but you didn't. The referer where you've been referred to now has captured your experience and has presented to you a false Google page. And from there on pretty much whatever you do, you're doing it in this virtual environment that the attacker has created. And that's the wrong place to be, every time.
Caller ID, they spoof telephone numbers. The Russians, in the Black Sea last year, were found to be guilty of GPS spoofing. They were spoofing the GPS satellites and they were feeding incorrect navigation data into the ships on the Black Sea.
And then this last one I included, because it does come up sometimes in conversation. And you should know it's not a threat. File-sharing poisoning, this is actually an anti-piracy measure. So copyright holders will place worthless copies of their stuff online on these file-sharing sites. So I spend time downloading the Tom Petty album to find out that it's not Tom Petty, or it's garbage, it doesn't play. And so, that's not an attack, but it is a kind of spoofing that does come up in conversation, people want to know what it is. To the best of my knowledge it's not on the A+ test.
Non-compliant systems, for a number of reasons, if you've got older legacy systems in your place. See that bullet point there, May be a threat to your business' future. Your competition is moving everything to a hyper-responsive cloud data center. They can provision resources, they can scale up at a moment's notice. They are highly reactive. And in this time in history, never has the pressure to be highly reactive been more real for many businesses today.
And the big concern that I have is when I see businesses that made significant investments in technology back in the 90s, say. And all the data that drives that business is in that proprietary database. And that database is not secure. It does not support the common standards. There may be undisclosed exploits out there in the wild that we don't even know about, right? Because, let's say that the database was built to run on Windows 2000. Well, even the extended support contracts with Microsoft have ended for Windows 2000.
So if I'm running it on Windows 2000, and out there is some hacker that's got an exploit for Windows 2000 that was never patched, that I don't even know about, right? I'm a sitting duck. And that's our big concern. This is my big concern with legacy technology. [Video description begins] So, undisclosed exploits are also referred to as end-of-life attacks. A non-compliant system isn't secure and doesn't support common standards. [Video description ends]
Zombie computers are ones that are compromised. They're under the hacker's control. They're commonly used maliciously for things like distributed denial-of-service attacks, [Video description begins] A Distributed Denial of Service attack is also referred to as DDoS, for short. [Video description ends] which we saw back in October of 2016. Where the DYN DNS servers, DYN is a DNS service provider. Huge, huge company that really provides a lot of the name resolution on the public Internet. And they manage the DNS records for companies like Facebook, is a great example. Amazon is another good example. And so, when their DNS servers came under attack back in October 2016, they essentially shut down the public Internet in Western Europe and Eastern North America for about four hours on that Thursday afternoon, I think it was a Thursday. I want to say it was a Thursday or Friday morning maybe, Thursday night into Friday morning, I think. Anyway, it doesn't matter.
What that was, was an example of the Mirai botnet. And a botnet is just when I've got 100,000 zombies out there, and I can tell them all to do the same thing at the same time. Which in this case was a distributed denial-of-service attack. Denial-of-service attack is when you just overwhelm the servers so that they can't respond. And this particular attack vector used IoT devices, the Internet of Things device. [Video description begins] To recap, a Denial of Service, or DoS, and DDoS attack floods targets with requests and causes a target to become immobile. [Video description ends]
Now, this is the thing that, I saved this for last, because this is the thing that keeps me up at night. [Video description begins] He highlights the Zero-day attack, which occurs when software is issued without a patch or fix. [Video description ends] This is the thing that worries us the most. And the best example of this that we ever saw was Zotob, the Zotob worm. Which if you remember, that was Super Patch Tuesday of August 2005, the 16th.
And that was a Tuesday, right? Because what happened was, Microsoft came out with a plug-and-play patch for Windows Server 2000. And two kids, and I mean kids, one was 17 years old, one was 19 years old. One in Morocco, one in Poland, had never met before, reverse engineered that patch and they adapted, I think it was R Bot. Which was a bot that had been out the year before. And the exploit code for that plug-and-play patch was available for download 17 hours after the plug-and-play patch was uploaded. And so within 24 hours, zero-day, the same day, that the patch was released, it was reverse-engineered into an exploit. Which meant, of course, that that day every device that had not yet applied the patch, which was everyone, was vulnerable to that attack.
Now, the initial attack vectors were fairly benign. But subsequently, once the exploit code was up and the copycats kicked in, then we saw the variants. Zotob A, B, Z, and these were increasingly malicious, to the point where, at a cost of $2 million a day, I'm aware of one automobile manufacturing facility in Detroit that was shut down for three days. Three days, nine shifts, no work for those guys. And a cost to the company of about $2 million a day. $6 million it cost them.
So, guys, these are the threats that face us today. One thing that's not in this section but that you should be aware of is ransomware. When I think about the real concerns today, that's one. You know, in 2016, companies paid out about $1 billion to these guys. In 2017, it was 2 billion. For 2018, it's estimated that it's going to be 5 billion, in that range. So, there's money in it. And whenever there's money in it, everybody's going to want to come to the table.
Users and Groups
In this demonstration we want to take a look at the built-in users and groups. And to that end, and by way of introduction, I've opened the power users menu. And you can do that with the Windows key plus the X. [Video description begins] This menu includes options such as Apps and Features, System, and Computer Management. [Video description ends]
So Win+X opens this power users menu. And if I'm in the power users group, I have access to all of these tools. Disk Management, Computer Management, PowerShell. If you're not learning PowerShell, you're doing yourself a disservice, guys. Everybody ought to be spending time on PowerShell. [Video description begins] The presenter selects Computer Management and the Computer Management console opens. It includes a menu bar, toolbar, and navigation pane with nodes such as System Tools and Storage. [Video description ends]
So I'm going to use that menu to open up the Computer Management applet here. And in that navigation bar on the left, I look down, the fourth item is Local Users and Groups. And I see that there's a folder called Users and a folder called Groups. [Video description begins] He points to these options in the navigation pane. Users is selected and the associated contents display in the content pane. [Video description ends]
Now, what these are, are the local user accounts specific to this machine, right? When I look in the Local Users and Groups MMC here, I'm seeing the user objects and the group objects that are stored in the Local Security Accounts Manager database, the SAM file database. Which is stored securely in a hash function in the registry of this machine, and that is the only place that it exists. This MJMurphy account that I see here, this local account, it can only log in on this machine.
These built-in accounts are great tools to leverage for yourself, so for example, right, MJMurphy. If I take a look at the Properties for this object, the center tab is Member Of. And it tells me the groups that MJMurphy is in. Power Users is one of them, Hyper-V Administrators. [Video description begins] He double-clicks the user MJMurphy in the content pane. The MJMurphy Properties dialog box opens. He clicks the Member Of tab and points to options in the Member of list box. [Video description ends] But you'll notice that this fellow is not an admin. [Video description begins] He selects Backup Operators. [Video description ends] So following the principle of administration by least privilege, I've granted to this user the rights they need to do their job, and nothing more. And I've done that just by leveraging these built-in groups.
A couple of things about the built-in groups that you need to consider in terms of least privilege management. I see that this fella's in the Backup Operators group and that may concern me. Because when I make you a backup operator, not only can you override local file system security and encryption to do your backups, you can override those things to do the restores. And so putting you in these groups can give you more authority than I wanted to give you. But if I need you to do backups and restores, I put you in the Backup Operators group, easy enough.
And that's the great advantage to using these built-in groups. You get a defined permission set, and those are the permissions that the users get. Or I should say, it's a combination of permissions and rights. And rights are defined as the way in which you interact with the operating system. Does this user have the right to shut the machine down? Does this user have the right to change the system time? Does this user have that kind of right? Those are user rights.
Now in terms of these groups, if we take a look at them for just a second. So I'm going to select the Groups choice from over on the left. [Video description begins] He clicks OK and returns to the Computer Management console. He selects Groups in the navigation pane under Local Users and Groups. [Video description ends] These are the groups that are built in on this machine.
You may not see all of these, because you don't have the feature sets installed to support them, [Video description begins] He points to the list of groups in the content pane. These include Administrators, Guests, Power Users, and Users. [Video description ends] for example, Docker. If you don't see a docker-users choice, you don't have Docker installed in all likelihood. [Video description begins] He points to the docker-users group, which is for users of Docker for Windows. [Video description ends] If you don't have a Hyper-V Administrators choice, you don't have the Hyper-V client installed. And so some of these become available to me when I add the feature.
If I come back to the Users container for a second, and these are the built-in, by default there's always a Guest account and an Administrator account, every installation of Windows. [Video description begins] He selects Users in the navigation pane under Local Users and Groups. He points to the Administrator and Guest users in the list that displays in the content area. [Video description ends] The Guest runs as a standard user, which means they don't have the rights to do things like install software. But today they can install fonts. The Administrator account is God on the machine, right, and literally can do anything on this machine that needs to be done.
As a security best practice, if you're in the IT business, you deliver IT services, and you have clients who are small office or home office network kind of situations, one of the suggestions that's made, and this is a good rule to follow as you create your images for deployment in your corporate networks. So if you're not doing consulting, if you manage the IT services for a business, when you build your Windows image, it's not a bad idea to change the names of these objects. Because every hacker in the world knows that there's a guest account and it's disabled by default. Every hacker knows there's an administrator account and it's enabled by default.
Now you'll notice here I have them both disabled, because I don't need either one of them here. [Video description begins] He points to the Administrator and Guest user accounts. [Video description ends] But as a further step in this process of securing these, I could, well, go ahead and Rename them. And then create new accounts called guest and administrator that are also disabled and have no rights, no permissions, nothing to them. [Video description begins] He right-clicks the Guest account and selects Rename from the shortcut menu. The folder name becomes editable. [Video description ends] And let the hackers hack away at those, which will do them no good at all.
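As an added check (not part of the course demo), the same built-in accounts and group memberships can be audited from PowerShell with the Microsoft.PowerShell.LocalAccounts cmdlets. The built-in Administrator and Guest keep their well-known RIDs 500 and 501 after a rename, so the script finds them by SID rather than by name:

```powershell
# Added example, not from the course: audit what the Local Users and Groups
# MMC shows, using the Microsoft.PowerShell.LocalAccounts cmdlets that ship with
# Windows 10 / Server 2016 and later. Run from an elevated PowerShell session
# (Win+X, then Windows PowerShell (Admin)).

# The built-in Administrator and Guest keep their well-known relative IDs
# (RID 500 and 501) even after you Rename them, so find them by SID, not by name.
$builtInRids = @{ Administrator = 500; Guest = 501 }

function Get-BuiltInAccountStatus {
    foreach ($entry in $builtInRids.GetEnumerator()) {
        $pattern = '-{0}$' -f $entry.Value
        $user    = Get-LocalUser | Where-Object { $_.SID.Value -match $pattern }
        [pscustomobject]@{
            BuiltInRole = $entry.Key
            CurrentName = $user.Name
            Renamed     = ($user.Name -ne $entry.Key)   # $true once the account has been renamed
            Enabled     = $user.Enabled                  # both are disabled on the demo machine
            SID         = $user.SID.Value
        }
    }
}

# Groups whose membership grants more than a standard user gets: Backup Operators,
# for example, can override NTFS security for both backups and restores.
$privilegedGroups = 'Administrators', 'Backup Operators', 'Power Users', 'Hyper-V Administrators'

function Get-PrivilegedMembership {
    foreach ($group in $privilegedGroups) {
        # Some groups only exist once a feature is installed (Hyper-V Administrators,
        # docker-users), so skip any that are missing on this machine.
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }
        foreach ($member in Get-LocalGroupMember -Group $group) {
            [pscustomobject]@{
                Group       = $group
                Member      = $member.Name
                ObjectClass = $member.ObjectClass     # User or Group
                Source      = $member.PrincipalSource # Local, ActiveDirectory or MicrosoftAccount
            }
        }
    }
}

Get-BuiltInAccountStatus | Format-Table -AutoSize
Get-PrivilegedMembership | Sort-Object Group, Member | Format-Table -AutoSize
```

Any row in the second table that you did not put there deliberately is a least-privilege finding worth following up.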
NTFS vs. Share Permissions
So, the first thing that I'm going to do, if I look in here, I have this folder called Windows Redstone 2019 (build 1809). [Video description begins] The presenter opens an instance of File Explorer and points to the folder that's located in the Cold Storage drive. [Video description ends] And for those of you familiar with Server 2019, this is the build and all the installation files that I need. The ISO from which I can unpack the WIM files and everything, to do an installation of Windows 10 or Server 2019. In this case Server 2019.
Now, this folder is not currently shared on this network. So, it's only available if I'm remoted into the server on which it lives. Or if I'm logged into that server physically, interactively at the console. I want to make it available across the network because I'm going to be using this build for deployment.
So, I'll start by right-clicking on the directory. And there's a choice here for Properties, which is what I'm going to prefer to use. [Video description begins] The Windows Redstone 2019 (build 1809) Properties dialog box opens. The General tab is selected. [Video description ends] And I see that there's a Sharing tab and a Security tab. And what's important to recognize is that these are two different permission sets. The Security settings apply all the time, always. The Sharing settings only apply when I connect to this folder from across the network, right? [Video description begins] He switches between the Sharing and Security tabbed pages. [Video description ends] So, when we think about combining permission sets, what we should all recognize is that the most restrictive permission set is what will apply.
So, let's take a look. Over here on the Sharing tab, I'm going to go to Advanced Sharing, rather than the kind of wizard there. [Video description begins] He clicks Advanced Sharing. The Advanced Sharing dialog box opens. [Video description ends] And I'm going to say, share this out, and I'm going to make it a simple Share name. I'm going to give it the share name of Redstone. [Video description begins] He selects the Share this folder checkbox and specifies "Redstone" in the Share name text box. [Video description ends] And then down here there's a Permissions choice, and if I hit Permissions I'm going to give Everyone Full Control. [Video description begins] He clicks Permissions and the Permissions for Redstone dialog box opens. It includes a Permissions for Everyone list box. There are three permissions: Full Control, Change, and Read. Each permission has two associated checkboxes: Allow and Deny. He selects the Allow checkboxes associated with each permission. [Video description ends]
Now, you may be saying to yourself, well, first of all, isn't giving just Everyone Full Control an awful lot? I can lock this thing down with the NTFS permissions. Because when the two permission sets combine, the most restrictive will win.
Now, I do think that it's not a good idea to be using the Everyone group. [Video description begins] He points to the Group or user names list box, where Everyone is selected. [Video description ends] And so, rather than the Everyone group what I would probably tend to do here is actually remove the Everyone group. And replace that with authenticated users. [Video description begins] He clicks Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens and includes options to enter an object name. He types "authenticated users" in the Enter the object names to select text box. [Video description ends]
And who's in the Authenticated Users group? Anybody that's authenticated to a domain controller, [Video description begins] He clicks Check Names and the name is approved. [Video description ends] as well as computer objects that have authenticated. So, user and computer objects are in the Authenticated Users. And I'm going to give Authenticated Users Full Control. [Video description begins] He clicks OK and returns to the Permissions for Redstone dialog box. He selects Authenticated Users in the Group or user name list box. Then he selects the Allow checkboxes associated with the three permission levels: Full Control, Change, and Read. He then selects Everyone in the Group or user names list box. [Video description ends]
And I'm going to Remove that Everyone group. Which would include unauthenticated users, potentially users that had cracked their way onto the network. [Video description begins] He clicks Remove and the Everyone group is deleted. [Video description ends]
And let's come back in here. If we take a look at what these settings are: Read lets me see what's in the folder. Change lets me add new files. Full Control lets me do all of that plus assign permissions. So, I'm giving the share permission of Full Control to basically everybody. [Video description begins] He points to the three permission levels. Then he switches to the Advanced Sharing dialog box. [Video description ends]
If that open door policy concerns you, don't worry, we're going to come over here to Security. [Video description begins] He clicks OK and returns to the Properties dialog box. Then he clicks the Security tab. [Video description ends] And currently, the Authenticated Users group has Modify permissions here. [Video description begins] He selects Authenticated Users in the Group or user names list box. Then he points to the Permissions for Authenticated Users list box, where the Modify permission is set to Allow. [Video description ends]
Now, where did all these permissions come from? MJMurphy, he's got Modify permissions, at least on this thing, right? [Video description begins] He selects MJMurphy in the Group or user names list box. Then he points to the Permissions for MJMurphy list box, where the Modify permission is set to Allow. [Video description ends] These permissions were inherited, and inheritance is an important part of this conversation. The permission sets are always inherited from the parent.
So, if we just, I'm going to close this Properties dialog box. And I'm going to right-click the drive, we're on drive D, Cold Storage, I'm going to look at the Properties for drive D for just a second. [Video description begins] He clicks Close. Windows Explorer displays. He right-clicks the Cold Storage drive and selects Properties from the shortcut menu. The Cold Storage (D:) Properties dialog box opens on the General tab. He clicks the Security tab. [Video description ends] On that Security tab, what I see are exactly what I saw in the properties for the folder. [Video description begins] He points to the Group or user names list box, which contains entries such as MJMurphy and Users. [Video description ends] Again, because those properties were inherited.
Now, we still have to come back to the folder. Right-click it and go to Properties, come into Security and let's lock this thing down a bit. [Video description begins] He clicks OK and returns to the File Explorer. Then he navigates to the Windows Redstone 2019 (build 1809) Properties dialog box and clicks the Security tab. [Video description ends]
The Authenticated Users group has Full control share permissions. [Video description begins] Authenticated Users is selected in the Group or user names list box. He clicks Edit. The Permissions for Windows Redstone 2019 (build 1809) dialog box opens on the Security tab. Authenticated Users is selected in the Group or user names list box. [Video description ends] But we want to restrict their permissions further.
Right now, on the NTFS side of things, I can see, when I go to edit the Authenticated Users, that these choices are not editable. [Video description begins] He points to the Permissions for Authenticated Users list box, where the Modify, Read & execute, List folder contents, and Read permissions are grayed out. [Video description ends] And the reason that they're not editable is because they're inherited permission sets. I'd have to change them at the top of the tree or I'd have to disable inheritance. Which you can do in the Advanced settings, if I look on the Security tab for special permissions or Advanced settings.
I click Advanced [Video description begins] He clicks OK and returns to the Windows Redstone 2019 (build 1809) Properties dialog box. He clicks Advanced and the Advanced Security Settings for Windows Redstone (build 1809) dialog box opens. The Permissions tab is selected. [Video description ends] and there is a choice in here to Disable inheritance, which I don't want to do just now. [Video description begins] He points to the Disable inheritance button and then clicks Cancel. He returns to the Windows Redstone 2019 (build 1809) Properties dialog box. [Video description ends]
If we look at what the NTFS permissions are, Read lets me see what's in the folder. Read & execute lets me see what's in the folder plus run any software that's in there. List folder contents, actually to be more precise, List folder contents lets me see what's in there. Read lets me actually open the files and read them. Write lets me change the files. Modify lets me delete files. Without the modify permission I can edit them, but I can't delete them. And then Full control lets me do all of that, plus assign permission. [Video description begins] He points to the permissions in the Permissions for Authenticated Users list box. He clicks OK and returns to the File Explorer. [Video description ends]
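As an added example (not the course's own steps), here is the Redstone share created from PowerShell with Authenticated Users in place of Everyone, plus a small helper that intersects the share level with the NTFS rights to make the "most restrictive wins" rule concrete. The folder path is an assumption, and Deny entries are not modelled:

```powershell
# Added example, not from the course: the Redstone share from the demo, created in
# PowerShell, and a helper that shows why the most restrictive of the share and
# NTFS permission sets is what applies over the network. Run elevated on the
# file server. The path below is assumed; substitute your own.
using namespace System.Security.AccessControl

$path      = 'D:\Windows Redstone 2019 (build 1809)'
$shareName = 'Redstone'

# Share permissions apply only to connections over the network. Grant Authenticated
# Users (authenticated user and computer accounts) rather than Everyone, which would
# also admit connections that never authenticated.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $path -FullAccess 'Authenticated Users' | Out-Null
}

function Get-EffectiveNetworkRights {
    param(
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full')][string]$ShareLevel,
        [Parameter(Mandatory)][FileSystemRights]$NtfsRights
    )
    # The three share levels correspond to NTFS right sets of the same meaning:
    # Read   -> see and open what's in the folder (Read & execute)
    # Change -> add, edit and delete files           (Modify)
    # Full   -> all of that plus assign permissions  (Full control)
    $shareMask = switch ($ShareLevel) {
        'Read'   { [FileSystemRights]::ReadAndExecute }
        'Change' { [FileSystemRights]::Modify }
        'Full'   { [FileSystemRights]::FullControl }
    }
    # Over the network a right is only effective if BOTH sets grant it, so the
    # intersection of the two bit masks is what the user actually gets.
    [FileSystemRights]([int]$shareMask -band [int]$NtfsRights)
}

function Get-NtfsAllowRights {
    # Union of the explicit and inherited Allow entries for one principal on a
    # folder, i.e. what the Security tab lists for it (Deny entries are ignored here).
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Principal)
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like "*\$Principal") {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    # Strip the Synchronize bit that stored ACEs carry so the result reads like the GUI.
    [FileSystemRights]($mask -band -bnot [int][FileSystemRights]::Synchronize)
}

# The state the demo leaves behind: Full Control on the share, but on the NTFS side
# only the Modify entry inherited from drive D:, so Modify is what applies remotely.
$ntfs = Get-NtfsAllowRights -Path $path -Principal 'Authenticated Users'
"Authenticated Users via \\$env:COMPUTERNAME\$shareName get: " +
    (Get-EffectiveNetworkRights -ShareLevel Full -NtfsRights $ntfs)

# Worked cases that need no server: in each one the result is the smaller set.
Get-EffectiveNetworkRights -ShareLevel Full -NtfsRights Modify          # NTFS is the limit
Get-EffectiveNetworkRights -ShareLevel Full -NtfsRights ReadAndExecute  # NTFS is the limit
Get-EffectiveNetworkRights -ShareLevel Read -NtfsRights FullControl     # share is the limit
```

To actually tighten Authenticated Users on this folder you would still have to edit the entry at the top of the tree or disable inheritance, exactly as the Advanced Security Settings dialog shows.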
If we take a look here, here's the ISO for Windows 8. And I want to look at the Properties of that for just a second because there are these file Attributes here. [Video description begins] He right-clicks the WindowsBlue file and selects Properties from the shortcut menu. The associated dialog box opens and the General tab is selected. He points to the Attributes field, which has two checkboxes: Read-only and Hidden. [Video description ends]
I can make the file Read-only. I can hide it from the file system. [Video description begins] He selects the Read-only checkbox and points to the Hidden checkbox. Then he clicks the associated Advanced button. The Advanced Attributes dialog box opens. [Video description ends] Or on the Advanced tab, I can choose to either compress or encrypt. And you will note that those choices are mutually exclusive. [Video description begins] He points to the Compress or Encrypt attributes section, which has two checkboxes: Compress contents to save disk space and Encrypt contents to secure data. Neither option is selected. [Video description ends]
And the reason for that is that NTFS implements compression and EFS encryption as two file attributes that can't be set together. Compression works by replacing repeated runs, say a row of six zeros, with a short token that says a run of zeros goes here. Encrypted data looks random and has no such runs, so compressing it gains nothing, and NTFS simply doesn't allow both attributes on one file. So it's an either-or situation with compression and encryption.
Shared Files and Folders
In this demonstration, we want to take a look at some of the basic functions anybody's required to be familiar with if you're going to manage file servers. And let's start out in this fashion: you get questions about system files, so I'm going to take a look up here. You can see we're in Windows Explorer, and on the View tab, all the way at the right, there's this Options choice.
And I'm going to select that Options choice and look on the View tab. [Video description begins] The presenter opens Windows Explorer and clicks Options on the View tab. The Folder Options dialog box opens and the View tab is selected. It includes an Advanced settings list box with a list of settings. Each option has an associated checkbox. [Video description ends] And there's a couple of settings in here that I always have on, I always want to see the full path in the title bar, I want to see those hidden files, folders, and drives.
I don't want file extensions for known file types hidden, I want to see those file extensions. [Video description begins] He points to the Display the full path in the title bar checkbox, which is selected. Then he points to the Show hidden files, folders, and drives radio button, which is selected. And he points to the Hide extensions for known file types checkbox, which is clear. [Video description ends] And then this one, Hide protected operating system files.
I'm going to take that off, I want to see those protected operating system files. [Video description begins] He clears the checkbox and a Warning dialog box opens, cautioning that these files are required to start and run Windows and that deleting or editing them could make the computer inoperable. [Video description ends] What that option actually governs is files that carry both the System and the Hidden attribute; a file with only the Hidden attribute is handled by the show-hidden-files setting above it. So if I say Yes, I want to go ahead and do that. And now all of a sudden, right, things change here, if you saw it there, we get some extra directories, there is a System Volume Information that's normally hidden.
[Video description begins] He clicks OK on the Warning dialog box and clicks OK on the Folder Options dialog box. The File Explorer displays and he points to a series of additional files and folders that are displayed. [Video description ends] Down here, the bootmgr, the pagefile, these are all hidden files, the operating system depends on them. Now, the operating system does some other interesting things. For example, there are what we call administrative shares. Now, everybody should know Share, right? If I wanted this folder to be accessible over the network, well then, I share it out.
[Video description begins] He right-clicks the Share folder and selects Properties from the shortcut menu. The Share Properties dialog box opens and he clicks the Sharing tab. [Video description ends] And if I were to look in the Advanced Sharing, I can see that this folder is shared out as Share, and this might be called a local share. [Video description begins] He clicks Advanced Sharing and the Advanced Sharing dialog box opens. He points to the Settings section, where the Share name is set to "Share." He clicks OK and returns to the Share Properties dialog box. He clicks Close and returns to the File Explorer. [Video description ends]
I'm on the machine that it's actually hosted on, and so it's local to this machine. Which should not be confused with the .local/share directory you'll see in your home directory on an Ubuntu distro; that holds data files for the user's profile, which is a different scenario entirely. Here in Windows, this is a Share that I created. Well, if I look at the properties of the C drive, and we're currently looking at the contents of the C drive, I'm going to right-click on C and go to Properties. [Video description begins] The Local Disk (C:) Properties dialog box opens and the General tab is selected. [Video description ends] And if I take a look at the Sharing tab here, it tells me that it's not shared, even if I go into Advanced Sharing.
[Video description begins] He clicks the Sharing tab and clicks Advanced Sharing. The Advanced Sharing dialog box opens and he points to the settings, which haven't been configured. He clicks Cancel and returns to the Local Disk (C:) Properties dialog box. [Video description ends] But in point of fact, this is what we call a hidden share: the root of every fixed drive on a Windows machine is shared automatically as a hidden administrative share (C$, D$ and so on), alongside ADMIN$ for the Windows directory and IPC$ for named-pipe access. They're administrative shares, shared out so that an administrator who needs to get to that drive can get to that drive. The $ suffix keeps them out of the browse list; it does not hide them from anyone who knows the name, and the net share command on the host lists them.
[Video description begins] He clicks Close and returns to the File Explorer. [Video description ends] Even if you can't get to the console of that machine, you can come in from across the network, hit that drive, and you should be able to get access, provided the account you connect with is a member of the local Administrators group on that machine; these shares don't bypass authentication. That same convenience is why administrative shares are a favourite path for lateral movement once an administrator's credentials have been stolen, and why on workstations remote access to them with local accounts is filtered by UAC by default. And you do that just from a run command: I type the UNC path name, so the machine name and then the share name, which in this example is c$. And the window opens; this is now a second Windows Explorer window that just opened.
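The administrative shares just described, checked from PowerShell rather than eyeballed from the Run box. This is an added example, not code from the original demonstration; the registry keys are the documented LanmanServer and UAC settings, and it needs an elevated session on the host you are auditing.

```powershell
# Added example (not from the original demonstration): enumerate the
# administrative shares on this host and report the settings that govern
# remote access to them. Run in an elevated PowerShell session.
function Get-AdminShareExposure {
    # Hidden administrative shares end in '$'; Get-SmbShare flags the built-in
    # ones (C$, D$, ADMIN$, IPC$) with Special = True.
    $adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -like '*$' }

    # AutoShareServer (server SKUs) / AutoShareWks (client SKUs): 0 disables the
    # automatic drive and ADMIN$ shares the next time the Server service starts.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $autoShareServer = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
    $autoShareWks    = (Get-ItemProperty -Path $lanman -Name AutoShareWks    -ErrorAction SilentlyContinue).AutoShareWks

    # LocalAccountTokenFilterPolicy = 1 lets LOCAL administrator accounts use
    # their full token over the network, which is what makes \\host\c$ work
    # with a local admin account on a workstation. Absent or 0 is the default
    # and the safer setting.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tokenFilter = (Get-ItemProperty -Path $uac -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        AdminShares                   = ($adminShares | ForEach-Object { "$($_.Name) -> $($_.Path)" })
        AutoShareServer               = if ($null -eq $autoShareServer) { 'default (1)' } else { $autoShareServer }
        AutoShareWks                  = if ($null -eq $autoShareWks)    { 'default (1)' } else { $autoShareWks }
        LocalAccountTokenFilterPolicy = if ($null -eq $tokenFilter)     { 'default (0)' } else { $tokenFilter }
        LocalAccountsReachSharesRemotely = ($tokenFilter -eq 1)
    }
}

# Who is using them right now: SMB sessions currently open against this host.
function Get-AdminShareSessions {
    Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsExists
}

Get-AdminShareExposure | Format-List
Get-AdminShareSessions | Format-Table -AutoSize
```

Run it on a file server and on a workstation and compare: on the server the drive shares are expected, on the workstation a LocalAccountTokenFilterPolicy of 1 means a stolen local administrator password is enough to reach c$ from the network.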
And if I look up top, in the path, I can see that it is to the hidden share C, dig it? [Video description begins] He points to c$ folder in the file path. [Video description ends] Now, look, I have this folder here called toCopy, and I want to take a look at the properties for this [Video description begins] He right-clicks the toCopy folder and selects Properties from the shortcut menu. The toCopy Properties dialog box opens on the General tab. [Video description ends] and I want to look at the Security tab.
[Video description begins] He clicks the Security tab and clicks Edit. The Permissions for toCopy dialog box opens on the Security tab. [Video description ends] And if you look, there are just these five entries here: CREATOR OWNER, SYSTEM, MJMurphy, Administrators, Users. [Video description begins] He points to the Group or user name list box, which has five entries: CREATOR OWNER, SYSTEM, MJMurphy, Administrators, and Users. [Video description ends] Well, there's another group that needs access to this [Video description begins] He clicks Add and the Select Users, Computers, Service Accounts, or Groups dialog box opens. It includes options to enter object names to select. [Video description ends] and that's the ALL New York City Marketing group.
[Video description begins] He types "all" in the Enter the object names to select text box and clicks Check Names. The Multiple Names Found dialog box opens and he selects ALL_NYC_Marketing. He clicks OK and returns to the Select Users, Computers, Service Accounts, or Groups dialog box. The name is specified in the Enter the object names to select text box. [Video description ends] I'm going to add that group
[Video description begins] He clicks OK and returns to the Permissions for toCopy dialog box. The ALL_NYC_Marketing group is listed in the Group or user names list box and is selected. [Video description ends] and they get Modify permissions over this directory. [Video description begins] He selects the Allow checkbox associated with the Modify permission in the Permissions for ALL_NYC_Marketing list box. [Video description ends] Now, something comes up, I need to get this directory out of here. [Video description begins] He closes all dialog boxes and returns to the File Explorer. He points to the toCopy folder. [Video description ends]
Well, if I take it and, let's say, I put it in this Share, which is on the same drive, I just moved it in there. [Video description begins] He clicks-and-drags the toCopy folder into the Share folder. [Video description ends] If I access the properties of the Share and then the properties of the toCopy directory, what we'll see is that these settings have not changed. All that really happens when you move a folder within the same NTFS volume is that its directory entry gets updated; the object itself, and its security descriptor with the explicit permissions we just added, stays where it is.
That's it, it's the only thing, no other changes really happened. But what would happen to those permissions if I were to copy them to [Video description begins] He opens the Share folder, right-clicks the toCopy folder, and selects Properties from the shortcut menu. The Share Properties dialog box opens. He clicks the Security tab. He clicks Edit. The Permissions for Share dialog box opens and he points to the entries in the Group or user names list box. He clicks OK and returns to the Share Properties dialog box. He clicks OK and returns to the File Explorer. [Video description ends] a different drive?
If I took that folder out of there and I moved it to a completely different drive, I'm going to put it right in the root of the Cold Storage Drive there. Now if we examine the Properties of this folder and look at the Security tab, notice that the ALL New York Marketing group is not listed. [Video description begins] He clicks-and-drags the toCopy folder and drops it on the Cold Storage (D:) drive. [Video description ends]
Now, all I did was move that from one drive to another, but moving it from one drive to another is not a move, it's a copy. And the reason for that and point of fact, if I looked back up here at [Video description begins] He right-clicks the toCopy folder and selects Properties. The toCopy Properties dialog box opens. He clicks the Security tab and points to the entries in the Group or user names list box. [Video description ends] the Local Disk (C:) and I open up Share, I can see that the file's still there.
[Video description begins] He clicks Close and returns to the File Explorer. [Video description ends] If I drag-and-drop between drives, that's actually a copy, no matter what I do, just a drag-and-drop will recreate the file new. [Video description begins] He navigates to the Share folder on the Local Disk (C:) drive and points to the toCopy folder that's available. [Video description ends]
And when a file gets created new, what happens? It inherits the permissions from its parent, and so it gets the permissions of the new drive every time. Well, wait a minute, if I right-click it and drag it over to Hot Storage, then I get a choice to move it here. Okay, so if I move it here, I see that it disappears from the original location. What happens to the permissions? Now, if we come over to the E drive, Hot Storage, remember, this was a move.
[Video description begins] He clicks-and-drags the toCopy folder to the Hot Storage (E:) drive. A menu opens with options such as Copy here and Move here. [Video description ends] If I look at the Properties of the directory, Security tab, [Video description begins] He selects Move here. Then he points to the Share folder on the Local Disk (C:) drive, where the toCopy folder is no longer displayed. [Video description ends] now, look at that, no ALL New York group.
Again, it's inheriting the permission set from the E drive, and you may ask, well, why? You moved it, it wasn't a copy, but a move across drives [Video description begins] He selects Hot Storage (E:) in the navigation pane. Then he right-clicks the toCopy folder and selects Properties. The toCopy Properties dialog box opens and he clicks the Security tab. He clicks Edit and the Permissions for toCopy dialog box opens on the Security tab. He points to the Group or user names list box. [Video description ends] is actually a delete from the file system of the first drive, and a create new on the file system of the second drive.
And so any time I'm going across drives, I want to think of that delete-and-create action that's happening, because each drive has its own file system. When those files are created new, they get a new entry in that volume's file table and a fresh ACL inherited from the destination folder. If I'm moving it on the same drive, the attributes and the permissions of the file remain the same, because I've only updated the directory entry, I haven't created the file new. This is a look at some of the core features, the basic things you need to be able to manage file servers today.
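The same experiment done with the ACL cmdlets, so the result can be checked rather than read off the Security tab. This is an added example, not code from the original demonstration. It assumes C: and E: are both NTFS volumes, that the session may create folders at their roots, and that the group name is a placeholder you replace with a group that resolves in your domain.

```powershell
# Added example (not from the original demonstration): reproduce the
# move-vs-copy behaviour with Get-Acl / Set-Acl and report whether the explicit
# ACE survives. Assumes C: and E: are NTFS and the group below exists.
$group  = 'EARTHFARM\ALL_NYC_Marketing'   # placeholder principal, replace with your own
$source = 'C:\toCopy'
$sameVolumeTarget  = 'C:\Share\toCopy'
$otherVolumeTarget = 'E:\toCopy'

New-Item -ItemType Directory -Path $source, 'C:\Share' -Force | Out-Null

# 1. Add an explicit Modify ACE for the group on the source folder (the
#    equivalent of ticking Allow > Modify in the Security tab). The inheritance
#    flags make it apply to the folder, its subfolders and its files.
$acl  = Get-Acl -Path $source
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $group,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $source -AclObject $acl

# Helper: does the folder carry an ACE for the group, and is it inherited?
function Get-GroupAce {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

Write-Host '--- before the move ---'
Get-GroupAce -Path $source -Identity $group | Format-Table -AutoSize

# 2. Move within the same volume: only the directory entry changes, and the
#    security descriptor (explicit ACE included) travels with the folder.
Move-Item -Path $source -Destination $sameVolumeTarget
Write-Host '--- after a same-volume move (ACE still present, IsInherited False) ---'
Get-GroupAce -Path $sameVolumeTarget -Identity $group | Format-Table -AutoSize

# 3. Move across volumes: implemented as copy-then-delete, so the destination
#    is a brand-new object that inherits the ACL of E:\ and the explicit ACE
#    is gone.
Move-Item -Path $sameVolumeTarget -Destination $otherVolumeTarget
Write-Host '--- after a cross-volume move (expect no ACE for the group) ---'
$after = Get-GroupAce -Path $otherVolumeTarget -Identity $group
if (-not $after) {
    Write-Host "No ACE for $group on $($otherVolumeTarget): permissions were inherited from E:\"
}
(Get-Acl -Path $otherVolumeTarget).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

The IsInherited column is the tell: the ACE you added shows False, and after the cross-volume move every remaining ACE shows True, because all of them came from the new parent.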
User Authentication
Single sign-on is an experience that can be configured in lots of different ways, depending on what the other authentication bucket is. So if you have cloud services, like Office 365 for example, you can integrate that authentication into your Active Directory authentication. And how you do this for each third-party product changes.
What's important to recognize at this point is what single sign-on is and why it's valuable to users. It's valuable because it's hard to remember all these passwords. Now these single sign-on solutions may include password synchronization, and certainly the Office 365 solution does: you set up a connector, Azure AD Connect (now Microsoft Entra Connect), and over that connector the passwords are synchronized to the other authentication bucket. What actually crosses the wire in password hash synchronization is a hash derived from the on-premises password hash, not the password itself. And that makes life easy for your users, right? That's the whole idea.
Now, run as administrator and run as standard user: everybody should be logging in, when they come into work, with a standard user account, that is, a non-administrative account. You may be an administrator, you may be God on your network, but when you're logged in checking email and surfing the Internet, or doing whatever, you don't need all those rights. And if your account gets compromised at that time, then the hacker who's in possession of your credentials will be an administrator as well. So I want to avoid that issue and make sure that I'm logged in as a regular user. Then when I need to perform some administrative task, I'm going to go into the Command Prompt and run some command line that requires administrative rights. [Video description begins] A Windows desktop displays and the Start menu is open. [Video description ends]
I can right-click on that object, and then on the More menu there's a choice to Run as a different user or Run as administrator. [Video description begins] The presenter right-clicks the Command Prompt tile and a shortcut menu opens. He selects More and a flyout menu opens. He points to the available options. [Video description ends] And I can make these choices, right? Keep in mind that Run as different user performs a full interactive logon with the second account on this workstation, so if the workstation is already compromised, those administrative credentials are now exposed on it; do this kind of thing from a machine you trust.
So for example, I have another account; Run as a different user, and that User name, and that user is an administrator everywhere. I can provide the credentials for that account. [Video description begins] He selects Run as different user and a Windows Security dialog box opens with options to enter user credentials. He enters a username and password and clicks OK. An error is returned. [Video description ends] And I'm told that the referenced account is currently locked out and may not be logged on to.
Well, that's a concern to me, right? Because I didn't lock it out. How did it get locked out? [Video description begins] He clicks Cancel and the Windows Security dialog box closes. [Video description ends] So what I'm going to do is I'm going to unlock that account first. And so we'll come into Active Directory Users and Computers. I'm going to switch over to the Server Manager console. And then from the Tools menu in the upper right-hand corner, I'll select Active Directory Users and Computers. [Video description begins] He navigates to an instance of Server Manager, which opens on the Dashboard. He selects Active Directory Users and Computers from the Tools menu and the associated console opens. A navigation pane is available and the EarthFarm.com tree is expanded. An IT USERS folder is selected. Three users are listed in the content pane. [Video description ends]
An account gets locked out when bad passwords have been presented for it more times than your account lockout policy allows. That might be the user mistyping, but it might also be a stale saved credential on a mapped drive, a scheduled task or a phone, or somebody guessing at the account, which is why a lockout you didn't cause is worth a look before you just clear it. [Video description begins] He right-clicks the user MJMurphy in the content pane. A shortcut menu opens with options such as Add to a group, Rename, and Properties. [Video description ends] If I right-click that, come into Properties and look on the Account tab, there's Unlock account: this account is currently locked out of this Active Directory. Okay, so I'm going to unlock that account and say OK. [Video description begins] He selects Properties and the MJMurphy Properties dialog box opens on the General tab. He clicks the Account tab and selects the Unlock account checkbox. He clicks OK and returns to the Active Directory Users and Computers console. [Video description ends]
Now normally when you're in that situation, you can also reset the user's password, and I should show you that function too while we're in here. [Video description begins] He reopens the Start menu, right-clicks the Command Prompt tile and selects More - Run as different user. A Windows Security dialog box opens with instructions to enter credentials for the given user. He enters the credentials, clicks OK, and an administrator instance of the Command Prompt opens. [Video description ends]
Boom, and so now this process, this command line window, is running not under my currently logged-in credentials, but under the MJMurphy credentials. That's the idea with that, and that's an account that has the rights to perform that action. [Video description begins] He returns to the Server Manager and selects Active Directory Users and Computers from the Tools menu. The associated console opens. The IT USERS folder is selected and three users display in the content pane, including MJMurphy. [Video description ends] And so if I just come back in here, if this user had maybe forgotten their password, that's why they got locked out. [Video description begins] He points to MJMurphy in the content area. [Video description ends]
You can right-click on the object and say Reset Password. [Video description begins] A Reset Password dialog box opens with options to specify and confirm a new password, or unlock the user's account, for instance. [Video description ends] And there is a choice built into this console to unlock the user's account. [Video description begins] He selects the Unlock the user's account checkbox. [Video description ends] And so I could have done both in one shot right there, but unlocking the account did the trick.
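The same unlock and reset from PowerShell, with the step the console skips: finding out where the bad passwords came from before the account is unlocked. This is an added example, not code from the original demonstration. It assumes the ActiveDirectory module (RSAT) is installed, that the session can read the Security log on the PDC emulator, and that MJMurphy is the demo account; the event property positions are those of the 4740 event template.

```powershell
# Added example (not from the original demonstration): investigate a lockout,
# then unlock and optionally reset. Needs the ActiveDirectory module and rights
# to read the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param(
        [string]$Identity,
        [int]$LookbackHours = 24
    )
    $user = Get-ADUser -Identity $Identity -Properties LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt

    # Event 4740 ("A user account was locked out") is written on the PDC
    # emulator whichever DC processed the failed logons, so query it there.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
                  LogName   = 'Security'
                  Id        = 4740
                  StartTime = (Get-Date).AddHours(-$LookbackHours)
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.Properties[0].Value -eq $user.SamAccountName }

    [pscustomobject]@{
        User               = $user.SamAccountName
        LockedOut          = $user.LockedOut
        BadPwdCount        = $user.badPwdCount          # not replicated: value is from the DC you queried
        AccountLockoutTime = $user.AccountLockoutTime
        LastBadPassword    = $user.LastBadPasswordAttempt
        # In the 4740 template, Properties[1] (TargetDomainName) carries the
        # "Caller Computer Name": the machine the bad attempts were sent from.
        LockoutSources     = ($events | ForEach-Object { "$($_.TimeCreated) from $($_.Properties[1].Value)" })
    }
}

function Unlock-AndResetUser {
    param([string]$Identity, [switch]$ResetPassword)

    Unlock-ADAccount -Identity $Identity

    if ($ResetPassword) {
        # Random one-time password (24 random bytes, base64), forced to change
        # at next logon. Hand it over out of band, never by email.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $temp = [Convert]::ToBase64String($bytes)
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
        return $temp
    }
}

# Investigate first: a lockout coming from a computer the user never uses is a
# password-spraying indicator, not a forgotten password.
Get-LockoutReport -Identity 'MJMurphy' | Format-List

# Then unlock (and optionally reset) once the source is understood.
# Unlock-AndResetUser -Identity 'MJMurphy' -ResetPassword
```

If LockoutSources names a server, look for a service or scheduled task running as that user with an old password; if it names a machine the user has never touched, treat the account as under attack rather than simply unlocking it.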
Drive Encryption
In this demonstration, we want to take a look at the configuration of BitLocker and BitLocker To Go. The distinction there, of course, is that BitLocker is applied to the internal drives of the machine, and BitLocker To Go can be applied to a USB device. And when we're talking about BitLocker, that's full-volume encryption, right? That means the entire volume and all of its contents are encrypted on disk. Keep in mind what that protects: data at rest, on a drive that is lost, stolen, or pulled out of the machine. Once the volume is unlocked and Windows is running, files are served up in the clear to whoever is logged on, so BitLocker is not a substitute for NTFS permissions or for keeping malware off the box.
Now the beauty of this, frankly, is that it's completely transparent to the user. You see me doing these demonstrations. Is there ever a time that we've been hung up by an encryption problem or a decryption problem or anything of that sort? Not once, it doesn't happen. I've never seen it happen.
So I've just opened the Start menu, and I'll just type bitlocker and Manage BitLocker comes right in the list there. And I'll select that, and maximize that window so that we can see what's in here. [Video description begins] The presenter types the search term in the search field on the taskbar and selects Manage BitLocker from the search results. A Control Panel window opens and the BitLocker Drive Encryption page displays. [Video description ends]
And what you see is that every drive here is currently BitLocked. [Video description begins] He points to the list of drives, including the operating system drive, fixed data drives, and removable data drives, where BitLocker is On. [Video description ends] BitLocker is on for the Operating system drive, for the fixed data drive, and for the Removable data drives. And so these drives are all currently protected with BitLocker drive encryption.
Now there is a choice here to back up the recovery key. [Video description begins] He points to the following link in the Operating system drive section: Back up your recovery key. [Video description ends] And having the recovery keys backed up is absolutely critical. If the fan on this machine were to break and the motherboard cracked, how would I decrypt the drive? How would I get the data off that drive? Well, I'd pull the drive out, throw it in a USB enclosure, and then I'd need to be able to provide the recovery key. Go into the recovery console, the recovery mode, provide the 48-digit recovery key, boom, I get my data back. Without that recovery key, I'm going to be in some trouble.
Now when you run through the wizard on this, it prompts you to save the key: to your Microsoft account if you have one, to a USB flash drive, to a file, or to print it. It's not suggesting you pick just one; the sensible reading is do more than one, and keep every copy off the drive being protected. In a domain, the better answer is to have Group Policy escrow the recovery information in Active Directory (or in Azure AD for cloud-joined machines), so recovery doesn't depend on a file somebody kept. I'm going to make that suggestion as well: if we're going to use BitLocker, and absolutely everybody should be using BitLocker, there's no two ways about that, it's really just as simple as coming in here and turning it on.
Now you notice that this F: drive BitLocker is locked. [Video description begins] He points to the F drive, which is a removable data drive. [Video description ends] And I can unlock it in a couple of ways, here in the Manage BitLocker or if I come out into Windows Explorer, I see the drive is listed with all my other drives. And I am prompted for the password to unlock the drive. [Video description begins] He opens an instance of File Explorer and selects the Local Disk (F:) drive in the navigation pane. A BitLocker (F:) dialog box opens with a prompt to specify the password to unlock the drive. [Video description ends]
If I go ahead and provide that password, the password gets accepted, the decryption keys are made available to BitLocker, the drive gets decrypted and displayed for me. Just that fast, right? Everything on this drive is encrypted. It's all got to be decrypted to display it to me but look how readily that happens. [Video description begins] He enters a password and clicks Unlock. The contents of the drive display in the content area. [Video description ends]
Right here is my BitLocker Recovery Key. You should never do this, by the way: save the key to the drive it protects. These keys are actually for a different machine entirely, but you should not do that. [Video description begins] He points to a Text Document, which contains a BitLocker Recovery Key. [Video description ends] Because this drive is a USB drive, it's using BitLocker To Go. And again, without that password or without this recovery key, I'm going to have a lot of trouble getting back to this data.
This is a best practice for your laptops and your servers. Desktops don't go missing like laptops, so the risk of data breach there is not as significant. But certainly for the laptops and the servers, every drive should be encrypted today using BitLocker.
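The recovery-key discipline from this section, scripted: audit every volume, make sure each protected one has a recovery password, and escrow it in Active Directory rather than in a text file on the drive. This is an added example, not code from the original demonstration. It assumes an elevated session with the BitLocker PowerShell module (Windows 8 / Server 2012 and later), a domain-joined machine, and that the domain has the BitLocker recovery schema and policy in place so that AD escrow is accepted.

```powershell
# Added example (not from the original demonstration): BitLocker audit plus
# recovery-password escrow to AD DS. Elevated session, BitLocker module,
# domain-joined machine with BitLocker recovery storage enabled in AD.
function Get-BitLockerAudit {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
            ProtectionStatus = $_.ProtectionStatus  # On means the volume key is actually protected
            Method           = $_.EncryptionMethod
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            HasRecoveryPwd   = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

function Invoke-RecoveryPasswordEscrow {
    param([string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is not protected (ProtectionStatus=$($vol.ProtectionStatus)); nothing to escrow."
        return
    }

    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Add a 48-digit recovery password alongside the existing protector
        # (TPM on the OS drive, password on a BitLocker To Go drive).
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow each recovery password to this computer's object in AD DS.
    # For Azure AD / Entra joined machines the equivalent cmdlet is
    # BackupToAAD-BitLockerKeyProtector.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Escrowed recovery password $($p.KeyProtectorId) for $MountPoint to AD DS"
    }
}

Get-BitLockerAudit | Format-Table -AutoSize

# Escrow for every protected volume; removable (To Go) drives are handled the
# same way if policy allows their recovery information to be stored.
Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } |
    ForEach-Object { Invoke-RecoveryPasswordEscrow -MountPoint $_.MountPoint }
```

A volume that reports FullyEncrypted but ProtectionStatus Off (for example after manage-bde -protectors -disable) is readable to anyone who boots the disk, so the audit checks ProtectionStatus rather than VolumeStatus.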
File Encryption
So any drive formatted with NTFS supports EFS. So for example, here in Windows Explorer, if I look in the left-hand navigation pane, I can see my D: drive, which I call Cold Storage. This is for long-term storage of big files like WIM files, ISOs, that sort of thing. [Video description begins] An instance of File Explorer is open. The presenter right-clicks the Cold Storage (D:) drive in the navigation pane. A shortcut menu opens with options such as Open in new window, Share with, and Properties. [Video description ends]
So if I right-click on Cold Storage and go to its Properties, I can see on the General tab that the disk is formatted for NTFS. [Video description begins] The Cold Storage (D:) Properties dialog box opens. He points to the file type. [Video description ends] So I can encrypt any folder and its contents here, and that's precisely what I want to do. I want to make sure that I encrypt whole folders, not individual files. The reason is that when you open a file, the application often writes a temp file next to it. If you only encrypt the file, the temp file is not encrypted; if somebody had cracked their way onto my machine and that data was sensitive, they'd be able to pull it out of the temp file. A new file created inside an encrypted folder is encrypted from the start. [Video description begins] He clicks OK and returns to the File Explorer. [Video description ends]
So, here I have a folder called Encrypted. And if I right-click that folder and go to its Properties, on the first tab of the Properties dialog box, the General tab, there's an Advanced button. [Video description begins] He clicks Advanced and the Advanced Attributes dialog box opens. It includes options to configure archive and index attributes and compress and encrypt attributes. [Video description ends] And if I hit that, it gives me the option of either encrypting or compressing. And those are mutually exclusive [Video description begins] The Compress or Encrypt attributes section has two checkboxes: Compress contents to save disk space and Encrypt contents to secure data. Neither checkbox is selected. [Video description ends] and so I'm going to say encrypt the contents to secure the data. [Video description begins] He selects the Encrypt contents to secure data checkbox and clicks OK. He returns to the File Explorer. [Video description ends]
Now nothing much has happened. Something may have happened on your machine, if you are following along. If I take a look up here in the ribbon under the View menu, on the far-right, there is an Options choice. [Video description begins] He clicks the Options drop-down button. A menu opens with two options: Change folders and search options, and Google Toolbar. [Video description ends] And if I Change folder and search options and on the View tab in here, there are a couple of these settings that I always turn on or turn off depending. [Video description begins] He selects Change folders and search options and the Folder Options dialog box opens. He selects the View tab and points to the Advanced settings list box, which includes a series of settings. Each setting has an associated checkbox or radio button. [Video description ends]
I always want to see the full path in the title bar. [Video description begins] He points to the Display the full path in the title bar checkbox, which is selected. [Video description ends] I want to show hidden files, folders, and drives. [Video description begins] He points to this radio button, which is selected. [Video description ends] I don't want to Hide empty drives. I don't want to Hide file extensions for known file types, personally. These are personal choices here. [Video description begins] He points to two checkboxes that aren't selected: Hide empty drives and Hide extensions for known file types. [Video description ends] I don't want protected operating system files hidden. [Video description begins] He points to the Hide protected operating system files (Recommended) checkbox, which isn't selected. [Video description ends] And I do want encrypted and compressed files to show up in a color, to set them apart. [Video description begins] He selects the Show encrypted or compressed NTFS files in color checkbox and clicks OK. He returns to the File Explorer. [Video description ends]
Now I can see which folders in here are compressed: they appear in blue, and encrypted ones appear in green. [Video description begins] For instance, the Encrypted folder name displays in green and the Docker folder name is formatted in blue. [Video description ends] And this folder is currently empty. If I open it up, I can show it to you there. [Video description begins] He double-clicks the Encrypted folder. It has no contents. He clicks Back and returns to the Cold Storage (D:) drive folder. [Video description ends]
And over here I'm going to open up this compressed file and I'm going to Copy one of the files out of this compressed folder. [Video description begins] He double-clicks the Windows Redstone 2019 (build 1809) folder. He right-clicks the acres.dll file and selects Copy from the shortcut menu. He clicks Back and returns to the Cold Storage (D:) drive folder. [Video description ends] And I'm going to open up Encrypted and I'm going to Paste this file in here. And you'll notice that when I do that, it appears green. [Video description begins] He double-clicks the Encrypted folder, right-clicks the content area, and selects Paste from the shortcut menu. The acres.dll file is added to the folder and is formatted in green. [Video description ends] It appears as encrypted.
And if I look at the Properties for this file, I see that in fact it is encrypted, not compressed. [Video description begins] He right-clicks the acres.dll file and selects Properties. The acres.dll Properties dialog box opens and he clicks Advanced. The Advanced Attributes dialog box opens and he points to the Encrypt contents to secure data checkbox, which is selected. [Video description ends] And so the beauty of the encrypted folder is that anything I put in there is encrypted automatically.
The caution with this is that if I copy it to a USB stick or any non-NTFS volume, the copy is written in plaintext (Explorer warns you before it does that), so I lose the encryption. And if I take it off this machine in encrypted form to somewhere my EFS certificate and private key aren't available, I can't open it, because this is a user-based file encryption methodology: it depends on my personal encryption and decryption keys.
Now it's important to note that with your network accounts, your Active Directory accounts, what I'm about to say next does not apply. But for your local user accounts, if I were logged in here right now with a local user account and I did all this EFS encryption and then I forgot my password and you had to reset it for me, I would be unable to recover any of those files. The reason is that an administrator's reset of a local account's password changes the key that protects the user's DPAPI master keys, and the EFS private key sits behind them; a domain account's master keys can be recovered through the domain's backup key, and a user changing their own password never breaks anything either. So those files would be lost to me forever, unless I had exported the EFS certificate with its private key beforehand. That's one of the reasons I prefer BitLocker: not only is it full-volume, everything's encrypted, but the recovery mechanisms are better, and better managed.
It's worth mentioning, though it's outside the scope of this discussion, that in Group Policy there is a setting that lets you disable EFS across your domain: under Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, right-click Encrypting File System, open Properties, and set file encryption using EFS to Don't allow. If you're not going to support it, I recommend you do in fact turn it off. Then you never run into problems with lost files from password resets on local accounts and that sort of thing.
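The EFS points above in script form: find what EFS has encrypted under a path, identify the certificate that can open it, back that certificate up as a PFX so a local-account password reset doesn't strand the files, and read whether EFS has been disabled by policy on the host. This is an added example, not code from the original demonstration; the paths are placeholders from the demo, and the EfsConfiguration registry value is the one the Don't allow policy setting writes.

```powershell
# Added example (not from the original demonstration): EFS inventory, key
# backup and policy check. Paths are placeholders from the demonstration.
function Get-EfsEncryptedItems {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object FullName, @{n='IsFolder';e={$_.PSIsContainer}}
}

function Get-EfsCertificate {
    # The user's EFS certificate carries the Encrypting File System EKU
    # (OID 1.3.6.1.4.1.311.10.3.4). Its private key is what a password reset
    # on a local account makes unusable, so it is the thing to back up.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.4.1.311.10.3.4') }
}

function Backup-EfsCertificate {
    param([string]$PfxPath, [securestring]$PfxPassword)
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key found for the current user.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
    $cert.Thumbprint
}

function Test-EfsDisabledByPolicy {
    # EfsConfiguration = 1 under this key is what the "Don't allow" EFS policy
    # setting writes; 0 or absent means EFS is available.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' `
                          -Name EfsConfiguration -ErrorAction SilentlyContinue
    [bool]($v -and $v.EfsConfiguration -eq 1)
}

# 1. What is encrypted under the demo folder (folders show green in Explorer).
Get-EfsEncryptedItems -Root 'D:\Encrypted' | Format-Table -AutoSize

# 2. Who can decrypt a given file: users and any recovery agents, from the
#    built-in tool.
cipher.exe /c 'D:\Encrypted\acres.dll'

# 3. Back the EFS key pair up somewhere that is NOT the volume it protects.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
$thumb = Backup-EfsCertificate -PfxPath 'E:\Backup\efs-key.pfx' -PfxPassword $pw
"Backed up EFS certificate $thumb"

# 4. Has the domain (or this host) turned EFS off?
"EFS disabled by policy on this host: $(Test-EfsDisabledByPolicy)"
```

If cipher /c lists no recovery agent for the file, the exported PFX is the only way back after a local-account reset, which is the case the section warns about.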
Password Best Practices
Now, it's only one small piece of the puzzle though, guys. I think about, for example, the machine password, and I'm not talking about the machine Active Directory password, but the BIOS or the UEFI interface. The base hardware or firmware that comes with the machine. And normally we don't set a password there, but you can.
And the folks who ought to do that are the folks who manage computer labs in high schools and colleges, where there are public computers that anybody could come in. And what you don't want them doing is getting in under the covers and making changes. And these kids, they're growing up with this stuff, they know how to do this stuff. And of course some of them want to experiment, they want to become hackers. So they see these things online. Ooh, I'll boot the machine to Linux and I'll reinstall the operating system, okay. Well now, I have two hours worth the work out of me, thank you. So, to prevent that kind that kind of thing, you can set those low-level passwords. And Microsoft would recommend that in those kinds of public places.
Now, for everybody else, you're going to set a domain password policy and account lockout policy. And for domain accounts there's only one place that takes effect: a GPO linked at the domain level, which is the Default Domain Policy in the Group Policy Management console. The same settings in a GPO linked to an OU only affect the local accounts on the computers in that OU. (Fine-grained password policies are the exception, and a separate topic.) [Video description begins] The Group Policy Management console is open. Default Domain Policy is selected in the navigation pane. [Video description ends]
If I come into the Default Domain Policy and I hit Edit, and we'll maximize that window. [Video description begins] The presenter right-clicks Default Domain Policy and selects Edit. The Group Policy Management Editor console opens. Default Domain Policy is selected in the navigation pane. [Video description ends] And then over on the left-hand navigation bar, there's the Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies. [Video description begins] He navigates to the Account Policies settings under Computer Configuration. Three policies display in the content area. [Video description ends] And under Account Policies, we see three things, the Kerberos Policy, the Account Lockout Policy, and the Password Policy.
Let's start with the Kerberos Policy. Don't ever change it, don't ever edit anything in there, that's the best practice guidance from Microsoft. With one exception, if you are in one of those $260 support phone calls to Microsoft and they tell you to go in and make a change, then you do it. Other than that leave it, the best practice guidance is leave this alone.
The Account Lockout Policy, if I launch that, has three simple settings. [Video description begins] He selects Account Lockout Policy. Three options display: Account lockout duration, Account lockout threshold, and Reset account lockout counter after. [Video description ends] The first one is Account lockout threshold.
Now, if a user enters their password incorrectly five times in a row, which is not hard for the average user to do, it happens all the time. If they enter it incorrectly 5 times in a row, that will lock their account out. [Video description begins] He double-clicks Account lockout threshold and the associated Properties dialog box opens on the Security Policy Setting tab. He points to the Account will lock after spin box, which is set to 5 invalid logon attempts. [Video description ends] And they will no longer be able to log in with that account, even with the right password, until it is unlocked by you, the administrator. Or until the account lockout duration has passed. A threshold of 0 means the account never locks out. [Video description begins] He clicks OK and returns to the list of Account Policies. [Video description ends]
If I look here, there's something called the Account lockout duration. And for things like my e-commerce websites and those kinds of accounts, I might set a 30 minute lockout time. [Video description begins] He double-clicks the Account lockout duration policy and the associated Properties window opens on the Security Policy Setting tab. He types "30" in the Account is locked out for spin box. [Video description ends] And so now the user can go get a cup of coffee, come back, and now they're ready to try logging in again. If I set that value to 0, the account is locked out until the administrator unlocks it. And that's the world I want to live in. [Video description begins] He types "0" in the spin box. A note states that the account is locked until the administrator unlocks it. [Video description ends]
And then the last setting in here, for some folks it's hard to wrap their head around this, but follow the thinking. [Video description begins] He clicks OK and returns to the three Account Policies. [Video description ends] You and I, if I say I tried my password five times and it failed, that means I sat at the computer, I did it five times, and it failed. But the machine doesn't reckon time the way that you and I do. And so you need to tell it how long it remembers, say, the first three tries that I got wrong.
Let's say I try it three times in a row, I get it wrong every time. I say okay, wait a minute, I'm going to take a break here, I'm going to go get a cup of coffee. I come back an hour later. Does the computer remember those last three? Am I starting fresh? Well, it depends on what this is set to. If this is set to 30 minutes, and I come back an hour later, it's forgotten those first three attempts. Get it? The window is counted from the last bad attempt, not the first, and a successful logon clears the counter too. One thing the console will enforce for you: when the lockout duration is not 0, the reset window can't be longer than the duration. [Video description begins] He opens the Reset account lockout counter after Properties dialog box. The Security Policy Setting tab is selected. He points to the Reset account lockout counter after spin box, which is set to 30 minutes. [Video description ends] That's the account lockout policy, and I think that's pretty
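To make the counting rule concrete, here is an added example, not part of the course, that models how the three lockout settings interact in PowerShell: a bad-attempt counter that is forgotten once the reset window has passed since the last failure, a lock that trips at the threshold, and a lock that either expires after the duration or, with duration 0, stays until an administrator clears it. The policy values are the ones shown in the video; the timestamps are constructed to match the coffee-break story.

```powershell
# Added example, not from the course: a model of Windows account lockout counting.
# Policy values are the ones from the video; the attempt times are constructed.

function Test-LockoutTimeline {
    param(
        [Parameter(Mandatory)][int]$Threshold,               # Account lockout threshold (0 = never lock)
        [Parameter(Mandatory)][timespan]$ObservationWindow,  # Reset account lockout counter after
        [Parameter(Mandatory)][timespan]$LockoutDuration,    # Account lockout duration (0 = admin unlock)
        [Parameter(Mandatory)][datetime[]]$BadAttempts       # times of wrong passwords, in order
    )
    $count    = 0
    $lastBad  = $null
    $lockedAt = $null
    $events   = [System.Collections.Generic.List[string]]::new()

    foreach ($t in $BadAttempts) {
        $stamp = $t.ToString('HH:mm')
        # Duration > 0: the lock expires on its own and the counter starts over.
        if ($null -ne $lockedAt -and $LockoutDuration -gt [timespan]::Zero -and
            ($t - $lockedAt) -ge $LockoutDuration) {
            $events.Add("$stamp  lockout expired, counter reset")
            $lockedAt = $null
            $count    = 0
        }
        # Duration 0: locked until an administrator unlocks it, whatever gets typed.
        if ($null -ne $lockedAt) {
            $events.Add("$stamp  attempt rejected, account still locked")
            continue
        }
        # The reset window is measured from the LAST bad attempt, not the first.
        if ($null -ne $lastBad -and ($t - $lastBad) -ge $ObservationWindow) {
            $events.Add("$stamp  observation window passed, counter reset to 0")
            $count = 0
        }
        $count++
        $lastBad = $t
        if ($Threshold -gt 0 -and $count -ge $Threshold) {
            $lockedAt = $t
            $events.Add("$stamp  bad attempt #$count -> LOCKED OUT")
        } else {
            $events.Add("$stamp  bad attempt #$count")
        }
    }
    [pscustomobject]@{
        Locked      = ($null -ne $lockedAt)
        BadPwdCount = $count
        Events      = $events.ToArray()
    }
}

# Constructed timeline: three typos at 09:00-09:02, an hour of coffee, two more at 10:00-10:01.
$start    = [datetime]'2024-01-15 09:00'
$attempts = @(0, 1, 2, 60, 61) | ForEach-Object { $start.AddMinutes($_) }

# Video settings: threshold 5, reset counter after 30 minutes, duration 30 minutes.
$r30 = Test-LockoutTimeline -Threshold 5 -ObservationWindow ([timespan]::FromMinutes(30)) `
                            -LockoutDuration ([timespan]::FromMinutes(30)) -BadAttempts $attempts
$r30.Events
"Locked: $($r30.Locked)  (count $($r30.BadPwdCount))"    # the break wiped the first three: not locked

# Same typing, but the counter is remembered for two hours and duration is 0 (admin unlock).
$r120 = Test-LockoutTimeline -Threshold 5 -ObservationWindow ([timespan]::FromHours(2)) `
                             -LockoutDuration ([timespan]::Zero) -BadAttempts $attempts
$r120.Events
"Locked: $($r120.Locked)  (count $($r120.BadPwdCount))"  # all five counted: locked on the fifth
```

To run it against your own numbers, read the effective domain values with Get-ADDefaultDomainPasswordPolicy (LockoutThreshold, LockoutObservationWindow, LockoutDuration) and pass them in. In production the same state shows up as Search-ADAccount -LockedOut, and Unlock-ADAccount is the administrator's unlock the video refers to. One operational caveat with a duration of 0: a password-spraying attacker who gets the threshold wrong on purpose can lock out every account they can name and leave the help desk to clean up, so watch event ID 4740 (account locked out) on the PDC emulator for bursts.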