Windows 7 / Security and Privacy

Authenticate the User

Authentication is the process of verifying that users or objects are who or what they are represented to be. In its simplest form, computer user authentication entails validating a username and password against a stored entry, as is done on a stand-alone computer. In its fullest form, user authentication entails using sophisticated authentication methods to validate a potential user, possibly with a smart card or biometric device anywhere in a network, against credentials in Active Directory. For objects, such as documents, programs, and messages, authentication requires certificate validation. In Windows Server 2008, all three forms of authentication are available, and both user forms employ a single sign-on concept that allows users, once authenticated, to access other services within the local computer or the network, depending on their environment and permissions, without having to reenter their username and password.

In the normal default installation, when a Windows Server 2008 computer is started, there is a request to press ctrl-alt-del. This stops all programs running on the computer except the request to enter your username and password. The purpose of stopping all programs is to prevent a Trojan horse program from capturing your username and password. If the username/password combination that is entered is not correct, you are given five opportunities to correct it, after which the computer is frozen for 30 seconds. You are then alternately given one opportunity and then five opportunities, separated by 30 seconds of inactivity, and then the pattern is repeated to correctly enter a username and password. This pattern makes it more difficult to break a password because you can't just repeatedly try a new password.

Once a username and password are entered, they must be authenticated. This can be done at either the local computer, where the user will be limited to that computer, or at a server supporting a network, possibly with Active Directory, in which case the user will have access to the network.

Local Computer User Authentication

To have a username and password accepted on a local stand-alone computer, a user account with that username and password must have been previously entered into the Local Users and Groups database, which is in the Security Account Manager (SAM) file of HKEY_LOCAL_MACHINE in the Registry. Here are the steps to set up a user account:

NOTE: If you are on an Active Directory domain controller, you will not have a Local Users And Groups in Computer Management. You must use Active Directory Users And Computers.
  1. While logged on as an Administrator, click Start | Administrative Tools | Computer Management. The Computer Management window opens.
  2. In the left pane, open System Tools | Local Users And Groups, click Users, right-click in the right pane, and click New User to open the New User dialog box.
  3. Enter a username of up to 20 characters. It cannot contain just periods or spaces; it can't contain " / \ [ ] : ; | = , + * ? < > @; and leading spaces or periods are dropped.
  4. Enter a full name, a description (optional), a password of up to 14 case-sensitive characters, its confirmation, and then select what the user must do with the password. A password should be at least eight characters long and be a mixture of upper- and lowercase letters, numbers, and special characters.
  5. When you have successfully entered the information, click Create and then click Close. You will now be able to log off as Administrator and log on as your new user. Try that to make sure it works.
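The same account creation can be scripted. The following is an added example, not code from the book: it checks a proposed username against the naming rules in step 3 and a password against the minimum guidance in step 4, then creates the account with net.exe (present on Windows Server 2008) and forces a password change at first logon. The function names are hypothetical, and an elevated PowerShell session is assumed.

```powershell
function Test-LocalUserName {
    param([Parameter(Mandatory)][string]$Name)
    # Windows drops leading spaces and periods, so check the name it would actually store.
    $trimmed = $Name.TrimStart(' ', '.')
    if ($trimmed.Length -eq 0 -or $trimmed.Length -gt 20) { return $false }
    # A name made up only of periods or spaces is rejected.
    if ($trimmed -match '^[ .]+$') { return $false }
    # Characters the dialog refuses: " / \ [ ] : ; | = , + * ? < > @
    if ($trimmed -match '["/\\\[\]:;|=,+*?<>@]') { return $false }
    return $true
}

function Test-PasswordStrength {
    param([Parameter(Mandatory)][string]$Password)
    # At least eight characters and all four character classes, as step 4 recommends.
    if ($Password.Length -lt 8) { return $false }
    $classes = 0
    if ($Password -cmatch '[A-Z]')       { $classes++ }
    if ($Password -cmatch '[a-z]')       { $classes++ }
    if ($Password -match  '[0-9]')       { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -eq 4)
}

function New-CheckedLocalUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Password,
        [string]$FullName = '',
        [string]$Description = ''
    )
    if (-not (Test-LocalUserName $Name)) { throw "Username '$Name' violates the local naming rules." }
    if (-not (Test-PasswordStrength $Password)) { throw "Password does not meet the minimum policy." }

    # /logonpasswordchg:yes is the "user must change password at next logon" choice from step 4.
    # Caveat: net.exe receives the password on its command line, so it can be recorded by
    # process-creation auditing that logs command lines; clear the variable afterwards.
    $args = @('user', $Name, $Password, '/add', '/logonpasswordchg:yes')
    if ($FullName)    { $args += "/fullname:$FullName" }
    if ($Description) { $args += "/comment:$Description" }
    & net.exe @args
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    Remove-Variable Password
}
```

Run it as an administrator, for example `New-CheckedLocalUser -Name 'jsmith' -Password 'Xk9#pq2Lm' -FullName 'Jane Smith'` (constructed sample values), then log off and on as the new user to confirm the account works, as step 5 suggests.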

With the entry of this single username and password, the new user will be able to do anything that is within that user's level of permission on that single computer. If the computer subsequently is connected to a network, the account has to be reestablished there for the user to be able to use the network.
