Configuring Windows 7 (Training Kit) - Part 53

Lesson 2: Windows 7 Authentication and Authorization CHAPTER 9 493
Lesson 2: Windows 7 Authentication and Authorization
When a user forgets his password, he is unable to log on to his computer. If he cannot log on
to his computer, he cannot do his job. In this lesson, you learn about the methods Windows 7
provides through which you can deal with a forgotten password, from the preventative
creation of a password reset disk to having a member of the Administrators local group log
on and reset the password. Passwords are not the only way that you can authenticate to
a client running Windows 7. Windows 7 supports multifactor authentication, primarily by
including drivers that support the Personal Identity Verification (PIV) smart card standard
and policies that can require a smart card to log on. In this lesson, you also learn about a new
feature named Credential Manager. Credential Manager allows you to back up, restore, and
manage saved credentials, such as those for Web sites and terminal services servers. You also
learn about assigning user rights and configuring password policies.
After this lesson, you will be able to:
- Back up and restore credentials with Credential Manager.
- Administer certificates with Certificate Manager.
- Use runas to run commands with alternate credentials.
- Configure account and smart card policies.
- Resolve authentication issues.
Estimated lesson time: 40 minutes
Credential Manager
Credential Manager stores logon user names and passwords for network resources, including
file servers, Web sites, and terminal services servers. Credential Manager keeps the user name
and password data in the Windows Vault. You can back up the Windows Vault and restore it
on other computers running Windows 7 as a method of transferring saved credentials from
one computer to another. Although Credential Manager can be used to back up some forms
of digital certificates, it cannot be used to back up and restore the self-signed Encrypting File
System (EFS) certificates that Windows 7 generates automatically when you encrypt a file. For
this reason, you must back up EFS certificates using other tools. You will learn about backing
up EFS certificates later in this lesson.
As Figure 9-11 shows, it is possible to add credentials to the Windows Vault by selecting
Remember My Credentials in the Windows Security dialog box. Whenever you choose to
remember your credentials, whether in Windows Internet Explorer, Windows Explorer, or Remote
Desktop Connection, Credential Manager transfers them to the Windows Vault.
FIGURE 9-11 Remember My Credentials
You can also preemptively add credentials to Windows Vault for resources prior to actually
accessing them. To add credentials to the Windows Vault, perform the following steps:
1. Open Credential Manager by typing Credential Manager into the Search Programs
And Files text box and then clicking Credential Manager on the Start menu.
2. Click the Add a Windows Credential item.
3. In the Add a Windows Credential dialog box, shown in Figure 9-12, enter the Internet
or network address, user name, and password of the credential that you want stored in
the Windows Vault.
FIGURE 9-12 Adding a Windows Credential
To modify an existing password or to remove an existing credential, click the credential
within Credential Manager and then click either the Edit item or the Remove From Vault item,
respectively. You can see these items in Figure 9-13. Clicking Edit allows you to modify the
user name and password stored in the vault. You would use the edit functionality to update
an existing stored password. It is important to note that the existing password is not displayed
but is shown as a series of dots. You cannot use Credential Manager to determine what an
existing stored password is—only that the password itself is stored.
FIGURE 9-13 Editing and removing credentials
You can use the Back Up Vault and Restore Vault items, shown in Figure 9-13, to back up
and restore credential data, or to transfer credential data between computers. This is
especially useful when a user has a significant number of credentials stored on a computer
running Windows 7 and does not want to re-enter all of them when moving to a new computer.
During the backup, Windows asks you to press Ctrl+Alt+Del to switch to the Secure Desktop,
where you enter a password that protects the backup file (a .crd file). When you restore the
vault, you press Ctrl+Alt+Del again and enter that same password on the Secure Desktop.
You will back up and restore the Windows Vault in the practice at the end of this lesson.
Using Runas to Run Programs as Another User
The Runas command-line utility enables you to run programs using the credentials of another
user. To run the application named Application.exe with an option, enclose the application
and the option within quotation marks. To run the program application.exe /option as user
Kim_Akers on computer Canberra, issue the command:
Runas /user:Canberra\Kim_Akers "application.exe /option"
When you enter this command, you have to enter the password of the target account.
Once you have done this, the application runs using the target user’s security context.
The default setting loads the target user’s profile. You can also use the /profile option to force
the target user’s profile to be loaded. When the target user’s profile is loaded, you can access
files encrypted to the target user’s account because the EFS certificates are stored with the
user profile data. Use the /noprofile option to stop the profile being loaded.
The /savecred option allows you to save the credentials of the target user account. You
have to enter the password the first time you use the /savecred option. To access stored
credentials with future Runas commands, use the /savecred option and specify the account
name. Saved credentials are stored within the Windows Vault and can be managed using
Credential Manager. To use runas with the /savecred option, use the command:
Runas /savecred /user:computername\username "application.exe /option"
Runas does not trigger User Account Control (UAC) elevation. If the target user is a member of
Administrators and is configured to prompt for consent or prompt for credentials (Admin
Approval Mode, the default), the program receives that user's filtered standard-user token, so
you cannot use the Runas command to execute an application that requires elevation. The
exception is the built-in Administrator account, which is exempt from Admin Approval Mode
by default and therefore receives a full administrative token. The built-in Administrator account
is disabled by default, but it can be enabled through Group Policy (the Accounts: Administrator
Account Status security option). To run the Local Group Policy Editor console from a standard
user account when the built-in administrator account has been enabled, use the command:
runas /user:administrator "mmc gpedit.msc"
You can use the /savecred option to save the built-in Administrator account's credentials so
that they are used automatically in the future. Be careful when doing this: once the credentials
are saved, anyone who can run programs in your session can launch any program as
Administrator without being asked for a password.
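The following script is an added example and is not part of the Training Kit. It manages the same Windows Vault that Credential Manager and runas /savecred use, from PowerShell, through the built-in cmdkey.exe tool (which the lesson does not mention). The server name fileserver01 and the account Canberra\Kim_Akers are placeholders, and the Domain:interactive= target prefix is the form runas /savecred gives to its saved entries.

```powershell
# Added example (not from the Training Kit). Works on Windows 7 / PowerShell 2.0.
# cmdkey.exe edits the same vault that Credential Manager displays.

function Get-VaultCredential {
    # Parse "cmdkey /list" into objects with Target, Type and User.
    # Passwords are never returned: the vault does not expose them, so a listing
    # only proves that a secret is stored, which is all Credential Manager shows too.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        $text = "$line".Trim()
        if ($text -match '^Target:\s*(.+)$') {
            if ($current -ne $null) { $entries += $current }
            $current = New-Object PSObject -Property @{ Target = $matches[1]; Type = ''; User = '' }
        } elseif ($current -ne $null -and $text -match '^Type:\s*(.+)$') {
            $current.Type = $matches[1]
        } elseif ($current -ne $null -and $text -match '^User:\s*(.+)$') {
            $current.User = $matches[1]
        }
    }
    if ($current -ne $null) { $entries += $current }
    return $entries
}

function Add-VaultCredential {
    # Same effect as "Add a Windows Credential": a Domain Password entry for $Target.
    # Prompt for the password rather than typing it on a command line, where it would
    # land in the console history and be visible to anyone who can read it.
    param([string]$Target, [string]$User, [string]$Password)
    $output = cmdkey "/add:$Target" "/user:$User" "/pass:$Password"
    return [bool]("$output" -match 'successfully')
}

function Remove-VaultCredential {
    # Same effect as "Remove from vault"; $Target is the full target name from the listing.
    param([string]$Target)
    $output = cmdkey "/delete:$Target"
    return [bool]("$output" -match 'successfully')
}

function Get-SavedRunasCredential {
    # Entries created by "runas /savecred" carry a Domain:interactive=<user> target,
    # so they can be found (and removed) without opening Credential Manager.
    Get-VaultCredential | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

# --- usage ---
$pw = Read-Host "Password for Canberra\Kim_Akers on fileserver01"
Add-VaultCredential -Target 'fileserver01' -User 'Canberra\Kim_Akers' -Password $pw
Get-VaultCredential | Format-Table Target, Type, User -AutoSize
# Remove every credential that runas /savecred left behind.
Get-SavedRunasCredential | ForEach-Object { Remove-VaultCredential -Target $_.Target }
```

Run the last line after any session in which /savecred was used for an administrative account: it removes exactly the entries that would otherwise let anyone in your session start programs as that account without a password.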
Configuring User Rights
You can configure user rights through the Computer Configuration\Windows Settings\
Security Settings\Local Policies\User Rights Assignment node of Group Policy. This node
contains 44 policies, most of which relate to operating system functions that are unlikely to
be tested on the 70-680 exam. Most administrators configure user rights by adding users to
specific local groups rather than by modifying specific user rights group policies. For example,
you can allow a user to back up files and directories by assigning them to the Backup
Operators group rather than by modifying the Back Up Files and Directories policy. The same
applies to using Remote Desktop. You can add a user account to the Remote Desktop Users
group, or you can modify the Allow Log On Through Remote Desktop Services policy. It is
usually easier to add members to the appropriate local groups because it is easier to keep
track of which users have been assigned specific rights by examining group membership than
it is to examine Group Policy settings. The Windows 7 built-in groups that you can add users
to as a method of assigning them rights are as follows:
- Administrators: Members of this group have unrestricted access to the client running
Windows 7.
- Backup Operators: Members of this group can override file and folder access restrictions
for the purpose of backing up and restoring data.
- Cryptographic Operators: Members of this group can perform cryptographic operations.
This group matters only when Windows 7 is deployed in a special configuration called
Common Criteria mode. In that mode, Administrators can read and write all settings except
the cryptographic settings of IPsec policy, which are reserved for members of this group.
- Distributed COM Users: Members of this group can manipulate Distributed COM objects
on this computer.
- Event Log Readers: Members of this group can read data stored in the event logs.
- Network Configuration Operators: Members of this group can change Transmission
Control Protocol/Internet Protocol (TCP/IP) address settings.
- Performance Log Users: These users can schedule the logging of performance counters,
enable trace providers, and collect event traces.
- Performance Monitor Users: These users can access performance counter data locally
and remotely.
- Power Users: This group is included for backward compatibility only; on Windows 7 it
grants no additional privileges by default.
- Remote Desktop Users: Members of this group can log on remotely through Remote
Desktop.
- Replicator: This group supports file replication in domain environments; do not add user
accounts to it.
More Info DEFAULT LOCAL GROUPS
You can learn more about the default local groups by navigating to the following Microsoft
TechNet Web site: You should be
aware that some of the groups on this list are relevant only to domain environments.
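The script below is an added example, not part of the Training Kit. It assigns and audits rights the way the text recommends, through the built-in local groups, using the ADSI WinNT provider available in PowerShell 2.0 on Windows 7 (the *-LocalGroupMember cmdlets only arrived in later Windows versions). The user name Kim_Akers is a placeholder; the script must run from an elevated prompt to change membership.

```powershell
# Added example (not from the Training Kit). Uses the ADSI WinNT provider; run elevated.

$builtInGroups = 'Administrators', 'Backup Operators', 'Cryptographic Operators',
                 'Distributed COM Users', 'Event Log Readers', 'Network Configuration Operators',
                 'Performance Log Users', 'Performance Monitor Users', 'Power Users',
                 'Remote Desktop Users', 'Replicator'

function Get-BuiltInGroupMembership {
    # One object per (group, member) pair, so membership can be searched by user name.
    param([string]$Computer = $env:COMPUTERNAME)
    foreach ($name in $builtInGroups) {
        try {
            $group = [ADSI]"WinNT://$Computer/$name,group"
            foreach ($member in @($group.psbase.Invoke('Members'))) {
                # Members come back as raw COM objects; reflection reads ADsPath from them.
                $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
                New-Object PSObject -Property @{ Group = $name; Member = ($path -replace '^WinNT://', '') }
            }
        } catch {
            Write-Warning "Could not read group '$name': $_"
        }
    }
}

function Add-BuiltInGroupMember {
    # Grants the rights of $Group to $User by membership rather than by editing the
    # User Rights Assignment policies. The rights appear in the user's token at next logon.
    param([string]$Group, [string]$User, [string]$Computer = $env:COMPUTERNAME)
    if ($builtInGroups -notcontains $Group) { throw "'$Group' is not one of the built-in groups covered here" }
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.psbase.Invoke('Add', "WinNT://$Computer/$User,user")
}

function Remove-BuiltInGroupMember {
    param([string]$Group, [string]$User, [string]$Computer = $env:COMPUTERNAME)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.psbase.Invoke('Remove', "WinNT://$Computer/$User,user")
}

# --- usage ---
Add-BuiltInGroupMember -Group 'Remote Desktop Users' -User 'Kim_Akers'
# Audit: which of the built-in groups does Kim_Akers belong to?
Get-BuiltInGroupMembership | Where-Object { $_.Member -like '*/Kim_Akers' } | Format-Table Group, Member -AutoSize
# Rights actually present in the *current* token, for comparison with the group list:
whoami /groups
whoami /priv
```

From a command prompt the equivalent of Add-BuiltInGroupMember is net localgroup "Remote Desktop Users" Kim_Akers /add. Either way the user must log off and on again before the new group appears in whoami /groups, because group membership is evaluated when the logon token is built.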
Quick Check
- How can you delete credentials that you stored when using Runas with the
/savecred option?
Quick Check Answer
- You can delete the credentials using Credential Manager.
Smart Cards
Smart cards store digital certificates that you can use for authentication. Smart cards are more
secure than authenticating using user names and passwords. This is because it is possible for
someone else to learn and use a person’s user name and password without that person being
aware of it, but it is very difficult for someone else to possess a smart card without the owner
of the smart card becoming aware of the fact that she no longer has it. If a smart card is
missing, an administrator can revoke the certificate stored on the smart card. This makes the
missing smart card useless.
Windows 7 supports the PIV standard issued by the National Institute of Standards and
Technology (NIST). Windows 7 includes a PIV-compliant minidriver, so PIV cards work
without vendor software, and it can obtain minidrivers for other smart cards from Windows
Update. The advantage is that you can use smart cards directly with Windows 7 without
installing vendor-specific software.
Smart cards allow you to implement multifactor authentication on clients running
Windows 7. Multifactor authentication requires a user to authenticate using two or more
separate methods. The user might have to provide a user name/password and smart card,
or a user name/password and biometric ID, such as a fingerprint. The most common form of
multifactor authentication used with clients running Windows 7 in enterprise environments
is smart card and password authentication. Biometric authentication is more likely to be used
on portable stand-alone clients running Windows 7 and cannot be integrated into Active
Directory Domain Services (AD DS) without third-party products.
More Info BIOMETRICS IN WINDOWS 7
Although biometric authentication is unlikely to be tested on the 70-680 exam, you can
learn more about support for biometrics at the following Microsoft TechNet Web page:
Windows 7 has the following policies related to smart cards. These policies are located
in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security
Options node:
- Interactive Logon: Require Smart Card: When this policy is enabled, users can log on to
the computer only with a smart card. When it is disabled, which is the default, users can
log on using any method.
- Interactive Logon: Smart Card Removal Behavior: Determines how the computer reacts
when a user removes his smart card. The default is No Action. The other options are:
  • Lock Workstation: Windows 7 locks the screen when the smart card is removed. The
  user unlocks it by reinserting the smart card and entering the PIN (or with a password,
  unless Require Smart Card is also enabled).
  • Force Logoff: The user is forcibly logged off.
  • Disconnect If A Remote Desktop Services Session: Applies to Terminal Services
  sessions hosted on Windows Server 2008 (Terminal Services was renamed Remote
  Desktop Services in Windows Server 2008 R2). Removing the smart card disconnects
  the session rather than logging it off.
  The removal behavior is carried out by the Smart Card Removal Policy service
  (SCPolicySvc). If that service is not running, the setting is stored but nothing happens
  when the card is removed.
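The following script is an added example, not part of the Training Kit. It reports the effective state of the two smart card policies above by reading the registry values that back them (scforceoption under Policies\System and ScRemoveOption under Winlogon) together with the state of the SCPolicySvc service, and compares them with a baseline. The baseline values passed to Test-SmartCardPolicy are an assumed example, not a Microsoft default.

```powershell
# Added example (not from the Training Kit). Read-only; no elevation needed.

$removalNames = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Get-SmartCardPolicy {
    # "Require smart card" is the DWORD scforceoption; "Smart card removal behavior" is the
    # REG_SZ ScRemoveOption. Both are what the Security Options policies write.
    $systemKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $force  = (Get-ItemProperty -Path $systemKey -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    $remove = (Get-ItemProperty -Path $winlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if (-not $remove) { $remove = '0' }    # value absent or empty = default "No Action"
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $svcState = 'not installed'
    if ($svc) { $svcState = [string]$svc.Status }
    New-Object PSObject -Property @{
        RequireSmartCard     = ($force -eq 1)
        RemovalBehavior      = $removalNames["$remove"]
        RemovalServiceStatus = $svcState
    }
}

function Test-SmartCardPolicy {
    # Compares the live settings with the expected baseline and returns a list of findings;
    # an empty list means the machine is configured as intended.
    param([bool]$ExpectRequire = $true, [string]$ExpectRemoval = 'Lock Workstation')
    $p = Get-SmartCardPolicy
    $findings = @()
    if ($p.RequireSmartCard -ne $ExpectRequire) {
        $findings += "Require Smart Card is $($p.RequireSmartCard); expected $ExpectRequire"
    }
    if ($p.RemovalBehavior -ne $ExpectRemoval) {
        $findings += "Removal behavior is '$($p.RemovalBehavior)'; expected '$ExpectRemoval'"
    }
    if ($p.RemovalBehavior -ne 'No Action' -and $p.RemovalServiceStatus -ne 'Running') {
        # The policy is only a registry value; SCPolicySvc is what reacts to card removal.
        $findings += "Removal behavior is set but SCPolicySvc is $($p.RemovalServiceStatus); it will not be enforced"
    }
    return $findings
}

# --- usage ---
Get-SmartCardPolicy | Format-List
$findings = @(Test-SmartCardPolicy -ExpectRequire $true -ExpectRemoval 'Lock Workstation')
if ($findings.Count -eq 0) { 'Smart card policy matches the baseline' } else { $findings }
```

The third check is the one that catches real deployments: the policy can be set correctly in Group Policy and still do nothing because the Smart Card Removal Policy service was never started. Change the settings themselves through the Security Options node (or secedit), not by writing the registry directly, because Group Policy will overwrite manual edits at the next refresh.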
More Info SMART CARDS IN WINDOWS 7
To learn more about using smart cards with Windows 7, consult the following Microsoft
TechNet Web page:
Account Policies
Password and account lockout policies, found under the Computer Configuration\Windows
Settings\Security Settings\Account Policies node of Group Policy, allow you to configure how
passwords work on clients running Windows 7. You can use these policies to configure settings
such as how long a user can keep the same password before having to change it, whether
accounts are locked out after a number of invalid passwords are entered, and whether
passwords must meet a set of complexity requirements.
You can configure the following password policies:
- Enforce Password History: Use this policy to stop people from cycling through a small set
of passwords each time they are asked to change. Windows 7 remembers the number of
previous passwords you specify and refuses a new password that matches any of them.
- Maximum Password Age: The maximum number of days that a person can keep the same
password. Once this limit expires, the user must change the password. A user account with
the Password Never Expires setting enabled (not recommended) is not subject to this policy.
- Minimum Password Age: The number of days a new password must be kept before the
user is allowed to change it. This stops users from changing the password repeatedly in one
sitting to flush the password history and return to the password they had before.
- Minimum Password Length: The minimum number of characters a password must contain.
- Password Must Meet Complexity Requirements: Requires passwords to be at least six
characters long, to contain characters from at least three of these categories: uppercase
letters, lowercase letters, digits, non-alphanumeric symbols, and other Unicode letters, and
not to contain the user's account name or any part of the user's full name longer than two
consecutive characters.
- Store Passwords Using Reversible Encryption: Enable this only for older applications
whose authentication protocols need the plaintext password (for example CHAP through
remote access, or Digest authentication). It stores passwords in a form equivalent to
plaintext, so leave it disabled otherwise.
You can configure the following account lockout policies:
- Account Lockout Duration: The number of minutes an account stays locked out before
the user can attempt to log on again. A value of 0 keeps the account locked until an
administrator unlocks it.
- Account Lockout Threshold: The number of failed logon attempts that locks out the
account. A value of 0 (the default) disables lockout entirely.
- Reset Account Lockout Counter After: The number of minutes after the last failed logon
attempt before the failed-attempt counter returns to zero. For example, with this value set
to 30 minutes and the threshold set to 3, three failed attempts within 30 minutes trigger
a lockout, but if 30 minutes pass after a failed attempt with no further failures, the count
starts again from zero. Windows requires this value to be no greater than the Account
Lockout Duration. A valid logon also resets the counter.
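The script below is an added example, not part of the Training Kit. It audits the local password and lockout policy against a baseline: secedit.exe /export writes the effective local policy to an INF file whose [System Access] section holds the policies above under the key names used here (MinimumPasswordLength, LockoutBadCount, and so on). The baseline values are an assumed example, not a Microsoft recommendation. Run it from an elevated prompt.

```powershell
# Added example (not from the Training Kit). Requires an elevated prompt for secedit.

function Get-LocalAccountPolicy {
    # Returns a hashtable of the numeric [System Access] keys, e.g. MinimumPasswordLength.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg "$inf" /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$matches[1]] = [int]$matches[2]    # string values such as NewAdministratorName are skipped
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-LocalAccountPolicy {
    # Each baseline entry is @(minimum, maximum). Keys missing from the export count as 0,
    # which is what Windows applies when a policy is not defined (no lockout, no history).
    param([hashtable]$Policy = (Get-LocalAccountPolicy))
    $max = [int]::MaxValue
    $baseline = @{
        PasswordHistorySize   = @(24, $max)
        MaximumPasswordAge    = @(1, 90)   # -1 means "never expires" and fails this check
        MinimumPasswordAge    = @(1, $max)
        MinimumPasswordLength = @(8, $max)
        PasswordComplexity    = @(1, 1)
        ClearTextPassword     = @(0, 0)    # reversible encryption must stay off
        LockoutBadCount       = @(1, 10)   # 0 disables lockout entirely
        ResetLockoutCount     = @(15, $max)
        LockoutDuration       = @(15, $max)   # export shows -1 for "until an administrator unlocks"
    }
    $findings = @()
    foreach ($key in $baseline.Keys) {
        $actual = 0
        if ($Policy.ContainsKey($key)) { $actual = $Policy[$key] }
        $lo, $hi = $baseline[$key]
        if ($actual -lt $lo -or $actual -gt $hi) {
            $findings += ('{0} = {1} (expected {2}..{3})' -f $key, $actual, $lo, $hi)
        }
    }
    # Windows itself requires the reset window to be no longer than the lockout duration.
    if ($Policy.ContainsKey('ResetLockoutCount') -and $Policy.ContainsKey('LockoutDuration') -and
        $Policy['LockoutDuration'] -gt 0 -and $Policy['ResetLockoutCount'] -gt $Policy['LockoutDuration']) {
        $findings += 'ResetLockoutCount is longer than LockoutDuration'
    }
    return $findings
}

# --- usage ---
$findings = @(Test-LocalAccountPolicy)
if ($findings.Count -eq 0) { 'Account policy matches the baseline' } else { $findings }
# Most of these values can also be set without the GUI (complexity needs secedit or the policy editor):
#   net accounts /minpwlen:8 /maxpwage:90 /minpwage:1 /uniquepw:24 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

On a domain-joined client the domain's Default Domain Policy overrides these local settings for domain accounts; the export still shows what applies to local accounts on the machine, which is what matters for a local Administrator or a shared local user.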
Resolving Authentication Issues
The most common authentication issue that users face is that they have forgotten their
password. There are two methods that you can use to deal with this problem: password
reset disks and resetting user account passwords. Password reset disks, which can include
universal serial bus (USB) storage devices, have the advantage that they allow a user to recover
a forgotten password without losing encrypted data. The downside of password reset disks is
that you must create one prior to the password being lost. Another disadvantage is that they can
be used by anyone to recover that specific account’s password, so they must be kept in a secure
location because anyone who has access to the disk can gain access to the user’s computer.
You can create a password reset disk, which can store password reset data on a floppy
disk or a USB flash disk, by using the Create A Password Reset Disk item in the User Accounts
Control Panel. Clicking the Create A Password Reset Disk item starts the Forgotten Password
Wizard. When you use the wizard, you choose which removable storage device you will store
the data on and then enter the current user account password, as shown in Figure 9-14.
You can activate the Password Reset Wizard once an incorrect password is entered on the
Windows 7 logon screen. When using this wizard, the user specifies the password reset disk's
location (either floppy disk or USB device) and then enters the new password. The user still
has access to all her encrypted data.
FIGURE 9-14 Creating a password reset disk
If a user has forgotten her password and there is no password reset disk available, an
administrator must reset the password. This can be done through the Users node of the
Computer Management console or by using the Manage Accounts option within the User
Accounts Control Panel. Only members of the local Administrators group can reset another
user's password. Note the difference between a change and a reset: when a user changes
her own password (supplying the old one), Windows re-encrypts the keys that protect her
secrets, but an administrative reset cannot, because those keys are derived from the old
password, which the administrator does not know. When you reset a user's password, the
user therefore loses all access to EFS-encrypted files, personal certificates, and the stored
passwords kept in the Windows Vault by Credential Manager, as displayed in Figure 9-15. If the
user has backed up these passwords and certificates, it is possible to recover some items by
restoring the Windows Vault. If the user has backed up her EFS key, she can access her
encrypted files by restoring that key. You will learn about backing up and restoring EFS keys
later in this lesson. It is also possible for an administrator to recover EFS-encrypted files if
an EFS recovery agent has been configured for the computer. You learned about creating EFS
recovery agents in Chapter 8, "BranchCache and Resource Sharing."
FIGURE 9-15 Change Password warning
If you have configured account lockout policies, a user may have his account locked out if
he enters an incorrect password the number of times specified in the policy. You can unlock
the account by editing the account properties in the Computer Management console and
clearing the Account Is Locked Out check box, as shown in Figure 9-16. Only members of the
local Administrators group can unlock accounts. Unlocking an account does not reset the
account password and has no impact on stored credentials or EFS certificates. A user with an
unlocked account still needs to remember his password before he is able to log on to the
computer running Windows 7.
FIGURE 9-16 Account lockout
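The script below is an added example, not part of the Training Kit. It performs the checks and actions described in this section from PowerShell, using the ADSI WinNT provider available on Windows 7: inspect the lockout state, unlock the account (which leaves everything else intact), look for a password reset disk before resorting to a reset, and only then reset the password. The user name Kim_Akers is a placeholder, and the script must run from an elevated prompt as a member of Administrators.

```powershell
# Added example (not from the Training Kit). Run elevated as a member of Administrators.

function Get-LocalAccountState {
    # Lockout and bad-password counters as the local SAM reports them.
    param([string]$User, [string]$Computer = $env:COMPUTERNAME)
    $acct = [ADSI]"WinNT://$Computer/$User,user"
    New-Object PSObject -Property @{
        User                = $User
        IsLocked            = [bool]$acct.psbase.InvokeGet('IsAccountLocked')
        Disabled            = [bool]$acct.psbase.InvokeGet('AccountDisabled')
        BadPasswordAttempts = [int]$acct.psbase.InvokeGet('BadPasswordAttempts')
        PasswordExpired     = ([int]$acct.psbase.InvokeGet('PasswordExpired') -eq 1)
    }
}

function Unlock-LocalAccount {
    # Clears "Account is locked out". The password, the Windows Vault and any EFS keys
    # are untouched, exactly as with the check box in Computer Management.
    param([string]$User, [string]$Computer = $env:COMPUTERNAME)
    $acct = [ADSI]"WinNT://$Computer/$User,user"
    $acct.psbase.InvokeSet('IsAccountLocked', $false)
    $acct.psbase.CommitChanges()
}

function Find-PasswordResetDisk {
    # The Forgotten Password Wizard writes userkey.psw to the root of the removable disk.
    # Returns the drive letters that carry one, so a reset disk is preferred over a reset.
    foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
        if (Test-Path (Join-Path $disk.DeviceID 'userkey.psw')) { $disk.DeviceID }
    }
}

function Reset-LocalAccountPassword {
    # Administrative reset: cuts the user off from DPAPI-protected data (vault entries,
    # EFS keys) unless those were backed up, so it refuses when a reset disk is available.
    param([string]$User, [string]$Computer = $env:COMPUTERNAME)
    $disks = @(Find-PasswordResetDisk)
    if ($disks.Count -gt 0) {
        Write-Warning "A password reset disk is present on $($disks -join ', '); use it from the logon screen instead."
        return $false
    }
    $secure = Read-Host -AsSecureString "New password for $User (the user must change it at next logon)"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $acct = [ADSI]"WinNT://$Computer/$User,user"
        $acct.psbase.Invoke('SetPassword', $plain)
        $acct.psbase.InvokeSet('PasswordExpired', 1)   # force a change at next logon
        $acct.psbase.CommitChanges()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    return $true
}

# --- usage ---
Get-LocalAccountState -User 'Kim_Akers' | Format-List
if ((Get-LocalAccountState -User 'Kim_Akers').IsLocked) { Unlock-LocalAccount -User 'Kim_Akers' }
# Only when the user has genuinely forgotten the password and no reset disk exists:
# Reset-LocalAccountPassword -User 'Kim_Akers'
```

The order matters: a locked-out user who still knows the password needs only Unlock-LocalAccount, and a user with a reset disk loses nothing by using it, so Reset-LocalAccountPassword is deliberately the last resort and refuses to run while a reset disk is plugged in.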
Managing Certificates
Although you cannot use Credential Manager to back up EFS certificates, Windows 7 includes
three other tools that you can use to perform this task: the Certificates console
(Certmgr.msc), the Manage File Encryption Certificates tool, and the Cipher.exe command-line
tool. Each of these tools can back up (export) an existing EFS certificate and its private key to
a password-protected PFX file. This PFX file can then be imported on other computers, or
back to the original computer if necessary, either by using these tools or by double-clicking the
PFX file in Windows Explorer.
Most users will use the Manage Your File Encryption Certificates tool, shown in Figure 9-17,
to back up their EFS certificates because it is easier to use than other tools. This tool comprises
a wizard that can be used either to back up your certificates or to configure EFS to use a smart
card. The tool is accessed by typing Manage File Encryption Certificates into the Search
Programs And Files text box. Using the wizard, you select the certificate that you want to
back up, the location where the backup will be stored, and the password used to protect the
backup.
The Certificates console, shown in Figure 9-18, can also be used to back up EFS certificates.
Open it by typing certmgr.msc into the Search Programs And Files text box. Certificates can be
exported to password-protected PFX files by right-clicking the certificate that you want to
export, clicking All Tasks, and then clicking Export. In the Certificate Export Wizard, choose to
export the private key; a PFX without the private key cannot decrypt anything. This console is
less likely to be used by normal users because it is less intuitive than the Manage Your File
Encryption Certificates tool. You have to remember that your EFS certificate is stored under the
Personal\Certificates node, something that might not be obvious to a non-technical user.
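The script below is an added example, not part of the Training Kit. It does from PowerShell what the Manage File Encryption Certificates wizard and certmgr.msc do through the GUI: it finds the current user's EFS certificates in the Personal (CurrentUser\My) store by their Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4, exports each with its private key to a password-protected PFX, and verifies the backup by reading it back. The output location under the user profile is an assumption; move the PFX off the machine afterwards.

```powershell
# Added example (not from the Training Kit). Runs as the user who owns the EFS certificate.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage "Encrypting File System"

function Get-EfsCertificate {
    # Returns certificates whose EKU lists the EFS OID and whose private key is present;
    # a certificate without its private key cannot decrypt anything and is not worth backing up.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $EfsEkuOid) { $cert }
                    }
                }
            }
        }
    } finally {
        $store.Close()
    }
}

function Export-EfsCertificate {
    # Export(Pfx, password) bundles the certificate and its private key; it throws if the
    # key was generated as non-exportable (the self-signed EFS key is exportable by default).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$Path,
          [System.Security.SecureString]$Password)
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($Path, $Certificate.Export($pfxType, $Password))
    return $Path
}

function Test-EfsBackup {
    # Do not trust a backup you have not opened: reload the PFX with the password and
    # confirm it carries the same certificate together with a private key.
    param([string]$Path, [System.Security.SecureString]$Password, [string]$ExpectedThumbprint)
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    return ($reloaded.Thumbprint -eq $ExpectedThumbprint -and $reloaded.HasPrivateKey)
}

# --- usage ---
$pw = Read-Host -AsSecureString 'Password to protect the PFX backup'
foreach ($cert in Get-EfsCertificate) {
    $out = Join-Path $env:USERPROFILE ('efs-' + $cert.Thumbprint + '.pfx')   # assumed location
    Export-EfsCertificate -Certificate $cert -Path $out -Password $pw | Out-Null
    '{0} ({1}) -> {2}: verified={3}' -f $cert.Subject, $cert.Thumbprint, $out,
        (Test-EfsBackup -Path $out -Password $pw -ExpectedThumbprint $cert.Thumbprint)
}
```

The same backup can be made from a command prompt with cipher /x, the third tool the text names; whichever tool you use, the verification step is the part worth keeping, since a PFX that was exported without its private key looks identical in Windows Explorer but is useless after a password reset.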
