Case Scenarios CHAPTER 8 473
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the
following tasks:
n
Review the chapter summary.
n
Review the list of key terms introduced in this chapter.
n
Complete the case scenarios. These scenarios set up real-world situations involving the
topics of this chapter and ask you to create a solution.
n
Complete the suggested practices.
n
Take a practice test.
Chapter Summary
n
HomeGroups allow for the sharing of resources on home networks.
n
You can manage shared folders centrally using the Computer Management console.
n
Libraries are virtual collections of folders that host similar content.
n
NTFS permissions determine which files a user or group can access on a computer.
n
Print permissions determine what rights a user has to manage a printer or documents.
n
BranchCache is a technology that speeds up branch office access to files in remote
locations through the caching of previously accessed files on the branch office network.
Key Terms
Do you know what these key terms mean? You can check your answers by looking up the

terms in the glossary at the end of the book.
n
BranchCache
n
Encrypting File System (EFS)
n
HomeGroup
n
library
Case Scenarios
In the following case scenarios, you apply what you’ve learned about subjects covered in
this chapter. You can find answers to these questions in the “Answers” section at the end of
this book.
4 7 4 CHAPTER 8 BranchCache and Resource Sharing
Case Scenario 1: Permissions and Encryption
A computer running Windows 7 Enterprise named Waverley has two NTFS-formatted
volumes, volume C and volume D. The folder C:\Share is shared and has 15 subfolders and
hundreds of files. Many of these folders have unique NTFS permissions. You want to move this
folder so that it is hosted on volume D because volume C is running out of space. One of the
users of computer Waverley will be changing to computer Warrandyte. This user has copied
a large number of EFS-encrypted files onto a NTFS-formatted USB flash device.
With these facts in mind, answer the following questions:
1. What steps can you take so that the user is able to read the encrypted files on the USB
flash device on computer Warrandyte?
2. What steps can you take to ensure that it is possible to recover all files that are
encrypted in future?
3. What steps can you take to move the shared folder to volume D?
Case Scenario 2: Configuring Contoso Branch Offices
You are trying to make the use of WAN bandwidth between Contoso’s head office in
Melbourne and branch offices in Wangaratta and Traralgon more efficient. All client

computers at Contoso have Windows 7 Enterprise installed. Users turn their computers
on and off during the day. If possible, you want to store any BranchCache data so that it
is always available. There is a Windows Server 2008 R2 RODC at the Traralgon site named
rodc.traralgon.contoso.internal, and there is a Windows Server 2008 RODC named rodc.
wangaratta.contoso.internal at the Wangaratta site. You do not plan on upgrading any server
operating systems in the near future.
With these facts in mind, answer the following questions:
1. Which BranchCache mode should you use at the Wangaratta branch office?
2. Which BranchCache mode should you use at the Traralgon branch office?
3. What steps do you need to take to prepare server rodc.traralgon.contoso.internal to
support BranchCache?
Suggested Practices
To help you master the exam objectives presented in this chapter, complete the following
tasks.
Configure Shared Resources
Perform this practice when logged on to computer Canberra with the Kim_Akers user
account.
Take a Practice Test CHAPTER 8 475
n
Configure a shared printer. Create a local group named PrinterManagers and assign
the Manage Printers permission to this group.
Configure File and Folder Access
Perform both of these practices when logged on to computer Canberra with the Kim_Akers
user account.
n
Practice 1 Use Gpedit.msc and Cipher.exe to configure and assign an EFS recovery
agent certificate.
n
Practice 2 Create a file named Gamma.txt. Use Icacls.exe to assign the Modify (Deny)
permission to the file. Use Robocopy.exe to copy Gamma.txt to a new folder while

retaining its original permissions.
Configure BranchCache
Perform this practice when logged on to computer Canberra with the Kim_Akers user
account.
n
Configure computer Canberra using the Netsh command to use local caching only.
Take a Practice Test
The practice tests on this book’s companion DVD offer many options. For example, you
can test yourself on just one exam objective, or you can test yourself on all the 70-680
certification exam content. You can set up the test so that it closely simulates the experience
of taking a certification exam, or you can set it up in study mode so that you can look at the
correct answers and explanations after you answer each question.
More Info PRACTICE TESTS
For details about all the practice test options available, see the section entitled “How to
Use the Practice Tests,” in the Introduction to this book.

CHAPTER 9 477
CHAPTER 9
Authentication
and Account Control
U
ser Account Control (UAC) is a tool for administrators that alerts you to the fact that
what you are trying to do requires administrator privileges. You should not be surprised
to encounter a UAC prompt when modifying firewall rules. You would be justifiably wary if
you encounter a UAC prompt when trying to open a picture of a cat eating a cheeseburger
sent to you by your aunt. One of these tasks should require administrator privileges and one
of them should not. UAC can protect your computer from malware because it allows you
to notice when a program or document that should not require administrative privileges
requests them. UAC rarely affects normal users because, by definition, normal users should
not be doing anything that requires administrator privileges. In the first part of this chapter,

you learn how to configure UAC for your environment so that it warns you when necessary
but keeps out of your way the rest of the time.
Passwords are the primary method through which you secure a computer running
Windows 7. The strength of a password is directly proportional to the strength of the
security it provides. If passwords are not secure enough for your environment, you can
configure Windows 7 to require a smart card before it allows users to log on. Privileges
allow users to perform tasks. You can assign privileges, such as allowing a user to back up
a computer in its entirety by adding them to the appropriate group or by configuring the
appropriate Group Policy. In the second part of this chapter, you learn how to configure
password policies, resolve authentication problems, assign privileges, and back up and
restore saved credentials.
Exam objectives in this chapter:
n
Configure User Account Control (UAC).
n
Configure authentication and authorization.
Lessons in this chapter:
n
Lesson 1: Managing User Account Control 479
n
Lesson 2: Windows 7 Authentication and Authorization 493
4 7 8 CHAPTER 9 Authentication and Account Control
Before You Begin
To complete the exercises in the practices in this chapter, you need to have done the following:
n
Installed Windows 7 on a stand-alone client PC named Canberra, as described in
Chapter 1, “Install, Migrate, or Upgrade to Windows 7.”
real World
Orin Thomas
T

he UAC prompt doesn’t appear capriciously. UAC lets you know if software
is doing something suspicious. If you are messing around with the guts of
your operating system, you should expect a couple of UAC prompts. This is
because you are making substantive changes to the operating system, and you
need administrator privileges to do that. However, if you are doing something
normal with your computer, such as playing a game or running a word processor
(something that shouldn’t require administrative privileges), and you are prompted
by UAC, your first thought shouldn’t be “Oh, not that annoying prompt again!” You
should be thinking, “Now what on Earth made it do that?” Normal programs do not
require administrative privileges to run. This is the key thing to understand about
UAC. If UAC does interrupt when you are doing something that isn’t related to your
computer configuration, you should get suspicious. UAC is a red flag, a warning you
should pay attention to. UAC is the computer’s way of asking you, “Are you sure you
want to let this program have administrative rights?” The answer to this question is
important. To take control of your computer, malware needs to elevate its privileges
so that it can run with administrative rights. Malware authors have a whole bag of
tricks that they use to try to get you to run their programs. Sometimes malware
try to get you to execute it by piggybacking on another program that you run on
a regular basis. You run the program, thinking it is something else and then bang,
pwnd! UAC cannot stop you from running the malware, but it warns you when
the program tries to do something that requires admin privileges. If you do get
prompted when you are doing something that you should be able to do without
administrator rights, UAC lets you proceed if you so choose. Of course, if your
computer does end up infected with malware, you won’t be able to say that you
weren’t warned.
Lesson 1: Managing User Account Control CHAPTER 9 479
Lesson 1: Managing User Account Control
User Account Control (UAC) is a tool that you will likely use only if your user account is
a member of the local administrators group. This is because UAC is disabled by default for
standard users, which means that standard users do not, by default, encounter a UAC prompt.

UAC settings can be tailored to better meet the needs of your organization. In this lesson, you
learn how to configure UAC so that it does not have to run on the Secure Desktop, how to
require administrators to enter their credentials rather than just clicking OK, and to configure
UAC so that administrators assisting standard users can access elevated privileges.
After this lesson, you will be able to:
n
Configure local security policies related to UAC.
n
Configure behavior of the User Account Control elevation prompt.
n
Configure the behavior of Secure Desktop.
Estimated lesson time: 40 minutes
User Account Control (UAC)
UAC is a security feature of Windows 7 that informs you when the action that you want to
undertake requires an elevation of privileges. If you logged on with a user account that was
a member of the local administrators group in previous versions of Microsoft Windows, such
as Windows XP, you automatically had administrator-level access at all times. This, by itself,
was not a problem because recommended good practice was that people logged on with
accounts that were members of the local administrator group only when they needed to do
something related to administration. The problem with this is that people tended to use their
administrator account as their normal user account. It was convenient for them because they
did not have to log off and log on again each time they wanted to do something related to
systems administration. Unfortunately, this behavior presented a security problem because
any program run by a user logged on with an administrative account runs with the rights and
privileges of that user. UAC resolves this problem by allowing a user that is a member of the
local Administrators group to run as a standard user most of the time and to briefly elevate
their privileges so that they are running as administrators when they attempt to carry out
specific administration-related tasks.
To understand UAC, you need to understand the following concepts:
n

Privilege elevation All users of clients running Windows 7 run with the rights of
a standard user. When a user attempts an act that requires administrative privileges,
such as creating a new user account, her rights need to be raised from those of
a standard user to those of an administrative user. This increase in rights is termed
privilege elevation. UAC is a gateway to privilege elevation. It allows users who are
members of the local Administrators group to access administrative rights, but ensures
that the person accessing the Administrative rights is aware that they are doing so.
4 8 0 CHAPTER 9 Authentication and Account Control
This privilege elevation occurs only for a specific task. Another task executed at the
same time that also requires privilege elevation generates its own UAC prompt.
n
Admin Approval mode Admin Approval mode is where an administrator must give
explicit approval for elevation to occur by responding to the UAC prompt. The UAC
prompt might require either clicking yes, called prompting for consent, or entering
a user name and password, which is called prompting for credentials.
n
Secure Desktop Secure Desktop ensures that malware is unable to alter the display of
the UAC prompt as a method of tricking you into allowing administrative access. When
you configure UAC to use the Secure Desktop, the desktop is unavailable when a UAC
prompt is triggered. You must respond to the UAC prompt before you can interact
with the computer. The dimmed screen is actually a screen shot of the current desktop,
which is why if you have video running in the background and a UAC prompt uses
Secure Desktop, the video appears to freeze. If you do not respond to a UAC prompt
on a Secure Desktop after 150 seconds, Windows automatically denies the request for
privilege elevation, and the computer returns to the standard desktop.
UAC Settings
You can determine how intrusive UAC is by configuring the User Account Control Settings
dialog box, shown in Figure 9-1. You can access this dialog box from the User Accounts control
panel by clicking the Change User Account Control Settings item. The dialog box consists of
a slider that allows you to adjust UAC notifications between Always Notify and Never Notify.

FIGURE 9-1 User Account Control Settings
Lesson 1: Managing User Account Control CHAPTER 9 481
If you make an adjustment using this slider, you are prompted by UAC informing you
that the program named UserAccountControlSettings is trying to make a change to your
computer. You can see this dialog box in Figure 9-2. This dialog box is a security measure that
ensures that malware is unable to modify your UAC settings without you being aware of it.
If you see this message and you have not modified UAC yourself, it is likely that malware is
attempting to compromise the integrity of your computer.
FIGURE 9-2 UAC settings change warning
The settings that you can configure using the slider do the following:
n
Always Notify This is the most secure setting. You are prompted before programs
make changes to your computer or Windows settings that require administrator
permissions. During notification, your desktop appears dimmed. This is because Secure
Desktop has become active. You must respond to the UAC prompt before it is possible
to do anything else with the computer. If you do not respond to the UAC prompt after
150 seconds, Windows automatically denies the request for privilege elevation, and the
computer returns to the standard desktop.
n
Notify Me Only When Programs Try To Make Changes To My Computer When this
option is set, you are prompted before programs make changes to your computer or
Windows settings that require administrator permissions. Notification occurs on the
Secure Desktop. If you do not respond to the UAC prompt after 150 seconds, Windows
automatically denies the request for privilege elevation.
n
Notify Me Only When Programs Try To Make Changes To My Computer (Do Not Dim
My Desktop) With this option, you are prompted before programs make changes
that require administrator permissions. You are not prompted if you try to make
changes to Windows settings that require administrator permissions using programs
that are included with Windows. You are prompted if a program that is not included

with Windows attempts to modify Windows settings.
n
Never Notify When logged on as an administrator, you are not notified before
programs make changes to your computer or to Windows settings. If you are logged on
as a standard user, any changes that require administrative privileges are automatically
denied.
4 8 2 CHAPTER 9 Authentication and Account Control
Quick Check
n
What is the difference between the Always Notify Me And Dim My Desktop Until
I Respond and Always Notify Me UAC settings?
Quick Check Answer
n
The Always Notify Me And Dim My Desktop Until I Respond setting uses Secure
Desktop in conjunction with UAC. When the more secure option is in effect, you
must respond to the UAC prompt before you can continue to use your computer.
If the Always Notify Me setting is enabled, you can continue working without
having to respond directly to the UAC prompt.
User Account Control Policies
You primarily manage UAC settings through Group Policy. The UAC policies are all located
in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security
Options node. There are 10 policies, all of which are prefixed by the name User Account
Control, as shown in Figure 9-3.
FIGURE 9-3 User Account Control policies
In the next few sections, you learn more about these policies and how they influence the
operation of User Account Control.
UAC: Admin Approval Mode For The Built-In
Administrator Account
UAC: The Admin Approval Mode For The Built-In Administrator Account policy controls how
Administrator Approval mode works for the built-in Administrator account. The built-in

Administrator account is disabled by default, so this policy is relevant only if you have enabled