
Configuring Windows 7 (Training Kit) - Part 54 docx


Lesson 2: Windows 7 Authentication and Authorization CHAPTER 9 503
FIGURE 9-17 Backup EFS certificate
FIGURE 9-18 Certificates Console (Certmgr.msc)
EFS keys can also be backed up from the command line using the Cipher.exe command-
line utility. When you back up your key, you are provided with a warning on the desktop that
this is about to take place and are asked to provide a password to protect the exported key.
The command to back up an EFS certificate is:
Cipher.exe /x filename.pfx
504 CHAPTER 9 Authentication and Account Control
EXAM TIP
Remember what tasks you can complete with Credential Manager.
Practice Managing Credentials
The Windows Vault allows you to store login and password information. This is very useful if
you need to access resources outside a domain network and you have trouble remembering
all of the unique passwords and login names that you have to use for each different resource.
In this practice, you explore the Windows Vault and the Runas utility. You get an understanding
of each utility’s function and how you might use them when deploying Windows 7 in your own
network environment.
Exercise 1 Exploring Runas Credentials and Credential Manager
In this exercise, you use the Runas command to run several applications using another user’s
credentials. You save those credentials to the Windows Vault, verify that they have been
saved, and then remove them. To complete this exercise, perform the following steps:
1. Log on to computer Canberra with the Kim_Akers user account.
2. In the Search Programs And Files text box, type Credential Manager. Click Credential
Manager. Verify that no credentials are currently stored under any categories. Close
Credential Manager.
3. Open an elevated command prompt and issue the following command:
Net user Dan_Park P@ssw0rd /ADD
4. Close the elevated command prompt. Open a normal command prompt and issue the
following command, which opens Notepad:
Runas /savecred /user:Canberra\Dan_Park notepad


5. Enter the password P@ssw0rd when prompted. Close Notepad. Enter the following
command at the command prompt:
Runas /user:Canberra\Dan_Park write
6. Note that you needed to enter the password to run WordPad. Close WordPad. Enter
the following command from the command prompt to open Microsoft Paint:
Runas /savecred /user:Canberra\Dan_Park mspaint
7. Note that you did not need to enter a password because the saved credentials were
used. Close Paint.
8. In the Search Programs And Files text box, type Credential Manager. Click Credential
Manager. Click the Canberra\Dan_Park item under Windows Credentials, as shown in
Figure 9-19.
FIGURE 9-19 Stored credentials
9. Click Remove From Vault to remove the Dan_Park credentials. Click Yes when
prompted by the Delete Windows Credential dialog box. From the command prompt,
again issue the following command:
Runas /savecred /user:Canberra\Dan_Park mspaint
10. Note that this time you must enter credentials because they are no longer stored in the
Windows Vault (though by running this command, you have again added them).
Exercise 2 Adding a Credential and Backing Up and Restoring Windows Vault
In this exercise, you add a credential to the one that was added to the Windows Vault at the
end of the previous exercise. You then add yet another credential. From there, you back up
the Windows Vault, delete the existing credentials, and then restore them by restoring the
Windows Vault. To complete this exercise, perform the following steps:
1. If you have not done so already, log on to computer Canberra with the Kim_Akers user
account. Use Windows Explorer to create the directory C:\Vault.
2. In the Search Programs And Files text box, type Credential Manager. Click
Credential Manager.
3. Verify that the Canberra\Dan_Park (Interactive Logon) credential is present in
Credential Manager. You re-created this credential in step 9 of Exercise 1.

4. Click Add a Windows Credential. In the Add A Windows Credential dialog box, enter
the following credentials:
• Internet Or Network Address: Aberdeen.contoso.internal
• User name: Sam_Abolrous
• Password: P@ssword
5. Click OK to close the Add A Windows Credential dialog box.
6. Click the Back Up Vault item. This opens the Stored User Names And Passwords dialog
box. In the Back Up To text box, click Browse. Navigate to C:\Vault\, enter the name
Winvault, and click Save. Click Next.
7. Press Ctrl, Alt, and Delete at the same time to continue the backup on the Secure
Desktop, as shown in Figure 9-20.
FIGURE 9-20 Backup on Secure Desktop
8. Enter the backup password P@ssw0rd twice and then click Next. Click Finish.
9. Use the Credential Manager to remove the Aberdeen.contoso.internal and
Canberra\Dan_Park (Interactive Logon) credentials.
10. Click the Restore Vault item.
11. Click Browse to browse to C:\Vault\Winvault.crd and then click Next.
12. Press Ctrl, Alt, and Delete at the same time to continue restoring logon credentials on
the Secure Desktop.
13. Enter the password P@ssw0rd on the Stored User Names And Password dialog box, as
shown in Figure 9-21, and then click Next.
FIGURE 9-21 Restoring password
14. Click Finish when you are informed that your logon credentials have been restored.
15. Close and reopen Credential Manager to verify that the deleted logon credentials have
been recovered.
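
The vault contents that Exercises 1 and 2 check in Credential Manager can also be listed from a script. The following PowerShell is an added example, not part of the book; it assumes the English-language output layout of cmdkey.exe /list and that Runas /savecred entries carry a Domain:interactive= target, and its sample output is constructed.

```powershell
# Added example (not from the book): list Windows Vault entries by name and
# flag the ones that Runas /savecred created.
# Assumption: English-language cmdkey.exe /list output with "Target:", "Type:"
# and "User:" lines, and a "Domain:interactive=" target for Runas entries.

# Constructed sample of cmdkey /list output, used when cmdkey.exe is absent.
$SampleOutput = @'
Currently stored credentials:

    Target: Domain:interactive=CANBERRA\Dan_Park
    Type: Domain Password
    User: CANBERRA\Dan_Park

    Target: Domain:target=Aberdeen.contoso.internal
    Type: Domain Password
    User: Sam_Abolrous
'@ -split "`r?`n"

function Get-VaultEntry {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { $entry }            # emit the previous entry
            $entry = New-Object PSObject -Property @{
                Target = $Matches[1]; Type = ''; User = ''
                SavedByRunas = ($Matches[1] -like 'Domain:interactive=*')
            }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    if ($entry) { $entry }                    # emit the last entry
}

# Use live output on a Windows client; fall back to the constructed sample.
if (Get-Command cmdkey.exe -ErrorAction SilentlyContinue) { $lines = cmdkey.exe /list }
else { $lines = $SampleOutput }

$entries = @(Get-VaultEntry -Lines $lines)
$entries | Select-Object Target, User, Type, SavedByRunas | Format-Table -AutoSize

# A Runas /savecred entry starts any program as that user without a prompt
# (Exercise 1, step 7), so report each one for removal from the vault.
foreach ($e in @($entries | Where-Object { $_.SavedByRunas })) {
    Write-Warning ("Saved Runas credential for {0}: use Remove From Vault in Credential Manager" -f $e.User)
}
```

The listing shows targets and user names only; stored passwords are not displayed.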

Lesson Summary
• Credential Manager allows you to manage passwords for Web sites, terminal services
and remote desktop sessions, stand-alone network resources, and smart card
certificates. You can use Credential Manager to back up and restore these credentials.
• The Runas utility allows you to run programs using alternate credentials. You can use
the /savecred option to store the password associated with these alternate credentials.
• You can use Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool to
back up EFS certificates.
• Users can create a password reset disk to assist them if they forget their password.
Password reset disks must be created before the password is forgotten.
• Members of the local administrators group can reset the passwords of users that have
forgotten them.
• Group policies can be configured to enforce multifactor authentication by requiring
users to log on with smart cards.
• You can assign rights to users by adding them to the appropriate built-in local group
or by assigning them rights through Group Policy.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Windows Authentication and Authorization.” The questions are also available on the
companion CD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect
are located in the “Answers” section at the end of the book.
1. You have used Runas with the /savecred option to save the credentials of an
administrator account on a client running Windows 7. You have finished performing
the tasks that you needed to and now want to remove those credentials from the
computer. Which of the following tools could you use to do this?
A. Runas
B. Credential Manager
C. The Certificates console
D. UAC settings
2. You want to ensure that users are forcibly logged off from their computers running
Windows 7 if they remove their smart cards. Which of the following policies and
settings should you configure to accomplish this goal? (Choose all that apply; each
answer forms part of a complete solution.)
A. Interactive Logon: Smart Card Removal Behavior Properties: No Action
B. Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation
C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
D. Interactive Logon: Require Smart Card: Enabled
3. A user has forgotten the password to the stand-alone desktop computer running
Windows 7 that she uses at your organization. The user does not have a reset disk. You
have an account on this computer that is a member of the local Administrators group.
Which of the following steps can you take to resolve this user’s authentication problem?
A. Unlock her account
B. Reset her password
C. Create a password reset disk for her account
D. Create a password reset disk for your account
4. You want to ensure that users of stand-alone clients running Windows 7 in your
organization change their passwords every three weeks. Which of the following
policies should you configure on each computer to accomplish this goal?
A. Enforce Password History
B. Minimum Password Length
C. Minimum Password Age
D. Maximum Password Age
5. Which of the following tools can users use to back up EFS certificates created when
they encrypt a file on a stand-alone computer running Windows 7? (Choose all that
apply.)
A. Credential Manager
B. The Manage File Encryption Certificates tool
C. The Certificate Manager console
D. Cipher.exe
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the
following tasks:
• Review the chapter summary.
• Review the list of key terms introduced in this chapter.
• Complete the case scenarios. These scenarios set up real-world situations involving the
topics of this chapter and ask you to create a solution.
• Complete the suggested practices.
• Take a practice test.
Chapter Summary
• UAC can be configured to either prompt for credentials or prompt for consent. When
prompting for credentials, you must enter your user account password.
• When Secure Desktop is implemented, users must respond to a UAC prompt before
being able to continue working with their computer.
• UAC is configured through Group Policy.
• Credential Manager stores credentials entered into Internet Explorer, Remote Desktop
Connection, and through Windows Explorer when connecting to remote servers.
You can back up and restore these credentials.
• Password policies determine how often passwords need to be changed, whether
users are locked out for entering successive incorrect passwords, and how complex
passwords may be.
• Forgotten passwords can be recovered using the Password Recovery Tool.
An administrator can reset a forgotten password, but credential data and encrypted
files may be lost.
• You can back up EFS certificates using Certmgr.msc, Cipher.exe, or the Manage File
Encryption Certificates tool.
• You can enforce multifactor authentication on a client running Windows 7 by
configuring smart card policies.
Key Terms
Do you know what these key terms mean? You can check your answers by looking up the
terms in the glossary at the end of the book.
• multifactor authentication
• privilege elevation
• Secure Desktop
Case Scenarios
In the following case scenarios, you apply what you’ve learned about subjects covered in this
chapter. You can find answers to these questions in the “Answers” section at the end of this book.
Case Scenario 1: User Account Control at Coho Vineyard
You are developing UAC policies for the deployment of clients running Windows 7 at Coho
Vineyard. Administrators often have to help out standard users using remote assistance.
At times, it is necessary for administrators to perform actions that require elevation.
Administrators should have to provide their authentication credentials when performing an
act that triggers an elevation prompt. The administrators should be able to continue using
other parts of the operating system and should not have to respond to the elevation prompt
immediately. All approved applications at Coho Vineyard have been digitally signed by the
application publisher.
With these facts in mind, answer the following questions:
1. Which policies do you need to configure to support the elevation requirements for
administrators?
2. Which policies do you need to configure to support elevation during remote
assistance?
3. Which policy do you need to configure to ensure that only approved applications can
initiate elevation?
Case Scenario 2: Resolving Password Problems at Wingtip Toys
Wingtip Toys has 20 people that have stand-alone computers running Windows 7. One of the
users recently had a problem where he forgot his password. You were able to reset this user’s
password, but the user lost access to several important encrypted documents as well as all
his stored Web site credentials. You are in the process of developing a policy to ensure that
this type of data loss does not happen again. You also want to ensure that users do not keep
the same passwords because several appear to have been using the same password for the
last few months without changing it, even though your company policy states that passwords
should be changed every month.
With these facts in mind, answer the following questions:
1. What steps can you take to ensure that users do not lose access to encrypted
documents or credentials if their password is reset?
2. What steps can you take to ensure that users are able to recover their own forgotten
passwords?
3. What steps can you take to ensure that users regularly change their passwords and do
not use the same small number of passwords?
Suggested Practices
To help you master the exam objectives presented in this chapter, complete the following
tasks.
Configure User Account Control (UAC)
You should perform the first practice and then test it using one of the standard user accounts
that you have created in previous exercises. The second practice requires two computers
to test.
• Practice 1 Configure UAC policies using the Local Security Policy console so that
standard users are prompted for credentials when performing an activity that requires
elevated privileges, such as attempting to run an elevated command prompt.
• Practice 2 Configure UAC policies using the Local Security Policy console so that
a user in the helper role is able to respond to a UAC prompt by entering their
credentials when connected remotely using Remote Assistance. Use the computer
named Aberdeen, which you configured in Chapter 6, “Network Settings,” as the
computer from which the Remote Assistance invitation is sent.
Configure Authentication and Authorization
You should perform both of these practices. The first exercise requires you to have access to
a floppy disk or a USB storage device.
• Practice 1 Create a password reset disk for a user account other than the Kim_Akers
user account. Use the password reset disk to log on to an account.
• Practice 2 Use the Manage File Encryption Certificates tool to back up an EFS certificate.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test
yourself on just one exam objective, or you can test yourself on all the 70-680 certification
exam content. You can set up the test so that it closely simulates the experience of taking
a certification exam, or you can set it up in study mode so that you can look at the correct
answers and explanations after you answer each question.
MORE INFO PRACTICE TESTS
For details about all the practice test options available, see the section entitled “How to
Use the Practice Tests,” in the Introduction to this book.
