Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Windows 10 for Enterprise Administrators

You're reading from  Windows 10 for Enterprise Administrators

Product type Book
Published in Sep 2017
Publisher Packt
ISBN-13 9781786462824
Pages 314 pages
Edition 1st Edition
Languages
Concepts
Authors (3):
Richard Diver Richard Diver
Profile icon Richard Diver
LinkedIn
Richard Diver is a senior technical business strategy manager for the Microsoft Security Solutions group, focused on developing security partners. Based in Chicago, Richard works with advanced security and compliance partners to help them build solutions across the entire Microsoft platform, including Microsoft Sentinel, Microsoft Defender, Microsoft 365 security solutions, and many more. Prior to Microsoft, Richard worked in multiple industries and for several Microsoft partners to architect and implement cloud security solutions for a wide variety of customers around the world. Any spare time he gets is usually spent with his family.
See other products by Richard Diver
Manuel Singer Manuel Singer
Profile icon Manuel Singer
LinkedIn
Manuel Singer works as a Senior Premier Field Engineer for Windows Client at Microsoft and is based in Germany. He has more than 10 years of experience in system management and deployment using Microsoft technologies. He specializes in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sector to provide professional technical and technological support.
See other products by Manuel Singer
Jeff Stokes Jeff Stokes
Profile icon Jeff Stokes
LinkedIn
Jeff Stokes is a Windows / Microsoft Engineer currently employed at Microsoft. He specializes in Operating System Health, Reliability, and Performance. He is skilled in Windows Deployment with MDT (Microsoft Deployment Toolkit) and has exceptional skills in VDI (Virtual Desktop) and performance analysis. He is an active writer and blogger and loves technology.
See other products by Jeff Stokes
View More author details

Table of Contents (11) Chapters

Preface 1. Installation and Upgrading 2. Configuration and Customization 3. User Account Administration 4. Remote Administration Tools 5. Device Management 6. Protecting Enterprise Data in BYOD Scenarios 7. Windows 10 Security 8. Windows Defender Advanced Threat Protection 9. Advanced Configurations 10. RedStone 3 Changes

User Account Administration

In this chapter, we will cover the concepts and technologies that enable the secure and productive use of the Windows 10 operating system as well as the advanced options available to secure the user account credentials and prevent unauthorized system configuration changes and software installation.

We will explore the following topics:

  • Windows account types
  • Account privileges
  • Local Administrator Password Solution
  • Creating policies to control local accounts
  • Managing user sign in options
  • Exploring security settings available with Mobile device management (MDM)
  • User Account Control
  • Windows Hello for Business
  • Credential Guard
  • Privileged Access Workstation

Windows account types

The Windows 10 operating system supports five types of accounts, each used to enable different functionality:

  • System account: These accounts are used to run background services and are assigned specific permissions. They are not used to log in to the system, but may be used remotely. Domain-joined computers may have additional service accounts assigned to enable central administration.
  • Local user account: By default, at least one local user account is created to run as the local administrator when first configuring the operating system. Depending on how Windows is installed, this account may be a generic account, such as administrator, or it could be named after the first user that completes the first-time run wizard and they choose not to register a Microsoft account. These accounts are governed by the local password policies, which can be configured via...

Account privileges

Each account can be assigned a range of specific privileges, from a standard user account (with no systems access) to a full local administrator account. Gaining access to administrative rights on the Windows operating system is one of the key attack vectors that needs to be prevented in every organization, and even personal PCs. Administrative rights are required when changing configurations or installing software, both of which should not be carried out by users, and therefore all user accounts should be restricted to standard user accounts only.

Where there is genuine need for a user to be granted local admin rights on a computer, they should never be assigned to the user's main account that they use for gaining access to email, documents, and websites. This leads to the potential for a user to open a document, or click on a hyperlink, that contains...

Local Admin Password Solution

If a single password is configured for the local admin accounts across all domain-joined computers, there is a high risk that it can be used in a widespread attack to install malware, elevate privileges, or gain access to sensitive files. To resolve this issue, Microsoft offers the Local Admin Password Solution (LAPS). This works by setting a different random password on every computer in the domain and storing that password in AD. Administrators can choose who can access those passwords in order to support the PCs.

The solution is built into AD and doesn't require any other supporting technologies or licenses. LAPS uses the Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution's management tools provide easy configuration and administration.

Once configured, you can...

Create policies to control local accounts

If you enable local admin accounts, for users that require them, you should also enforce a set of policies to ensure the local accounts have strong authentication standards. On domain joined computers, Group Policy can be used to specify the settings of the local account policy, which contains two subsets:

  • Password Policy: These policy settings determine the controls for local account passwords, such as enforcement and lifetimes
  • Account Lockout Policy: These policy settings determine the circumstances and length of time for which an account will be locked out of the system when the password is entered incorrectly

Password policy

The password policy enforces specific values that control...

Manage user sign in options

Windows 10 Enterprise offers a range of configurable options to manage the account logon process. Some of the features are designed to increase security, others are to improve the user experience.

The following settings can be configured via GPO to ensure a consistent approach across all domain-joined computers:

Setting name

Description

Turn on convenience PIN

This setting should be disabled as it causes the password to be cached in the system vault; instead, use the Hello for Business feature, which we will see later in this chapter.

Turn off picture password sign in

This policy should be enabled to prevent the use of this feature. Picture password sign in enables the user to sign in with a unique gesture based on their picture, but also causes the user's password to be cached in the system vault. Windows Hello for Business is...

Mobile device management security settings 

If you are managing your computers with an Mobile device management (MDM) solution, such as Microsoft Intune, you have the following security settings available:

Setting name

Details

Required password type

Specifies the type of password that's required, such as alphanumeric or numeric only.

Required password type - Minimum number of character sets

Specifies how many different character sets must be included in the password. There are four character sets: lowercase letters, uppercase letters, numbers, and symbols. However, for iOS devices, this setting specifies the number of symbols that must be included in the password.

Minimum password length

Configures the minimum required length (in characters) for the password.

Number of repeated sign in failures to allow before the device is wiped

Wipes the...

User Account Control

UAC is a fundamental security control that helps mitigate the impact of malware, yet some enterprise administrators disable User Account Control (UAC) at the request of the users, because it is seen as annoying and unnecessary prompts that get in the way of productivity. The feature has improved greatly since it was first launched (as part of Windows Vista), so we encourage you to ensure this is enabled across all managed computers in your environment.

With UAC enabled, Windows 10 prompts for consent, or prompts for credentials of a valid local administrator account, before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.

If the user is logged on with local admin rights (which is not recommended), the consent prompt is presented when a user attempts to perform...

Windows Hello for Business

Passwords are renowned as one of the main causes for weak security in most computer systems. Passwords may be reused across multiple systems (including social networks and weak websites), they may be created based on guessable information that can be socially engineered or cracked using specialized software, or most likely stored in a database that is then compromised and shared across the cyber criminal community. So no matter how well we educate users to create more complex passwords that are changed frequently, there is always going to be a risk of compromise of the password, which can then be used to gain access to systems, impersonating a valid user.

The best defense against this type of risk is to deploy multi-factor authentication (MFA) mechanisms: a method of authentication that requires the user to provide more than just a password to gain...

Credential Guard

Credential Guard is unique to Windows 10 Enterprise and Windows Server 2016, and designed to protect against OS-level attempts to read credentials. It uses hardware and virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard protects NTLM password hashes, Kerberos Ticket-Granting Tickets, and credentials stored by applications.

Usually, Windows stores secrets in the Local Security Authority (LSA), in process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. You can consider the isolated LSA as running like a small virtual machine...

Privileged Access Workstation

If you really want to take security seriously, then you need to provide the highest levels of security for your privileged accounts, to prevent malicious behavior through compromised access. Microsoft has developed a complete set of guidance material on how to configure specific workstations used by administrators, and other privileged accounts, to carry out sensitive tasks such as systems administration and high-value financial transactions.

In this model, the computers are designated specifically for privileged access, blocking any other accounts from logging on interactively or via the network. Instead of logging on to the computer as a standard user and elevating privileges to gain access to sensitive information and systems, the user logs onto the PAW computer directly with the privileged account and carries out the tasks required.

This system...

Summary

Windows 10 Enterprise provides the tools required to provide a secure environment to access sensitive and valuable information and systems.

There are many options to consider when creating and securing local user accounts that will gain authorized access to your systems. The most important factors are:

  • Never log in to computers with local admin rights enabled, use run-as to elevate rights with a separate administrative account
  • Never log in to a client computer with domain-privileged accounts, limit logging on to trusted IT PCs only, such as PAW
  • Ensure all administrative account passwords are unique across computers, complex, and changed regularly

In the next chapter, we will explore remote administration for troubleshooting and remote assistance.

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 11
Next Chapter arrow right
You have been reading a chapter from
Windows 10 for Enterprise Administrators
Published in: Sep 2017 Publisher: Packt ISBN-13: 9781786462824
© 2017 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at AU $19.99/month. Cancel anytime}

Authors (3)

Left arrow icon
Profile icon Richard Diver
LinkedIn
Richard Diver is a senior technical business strategy manager for the Microsoft Security Solutions group, focused on developing security partners. Based in Chicago, Richard works with advanced security and compliance partners to help them build solutions across the entire Microsoft platform, including Microsoft Sentinel, Microsoft Defender, Microsoft 365 security solutions, and many more. Prior to Microsoft, Richard worked in multiple industries and for several Microsoft partners to architect and implement cloud security solutions for a wide variety of customers around the world. Any spare time he gets is usually spent with his family.
Read more
See other products by Richard Diver
Profile icon Manuel Singer
LinkedIn
Manuel Singer works as a Senior Premier Field Engineer for Windows Client at Microsoft and is based in Germany. He has more than 10 years of experience in system management and deployment using Microsoft technologies. He specializes in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sector to provide professional technical and technological support.
See other products by Manuel Singer
Profile icon Jeff Stokes
LinkedIn
Jeff Stokes is a Windows / Microsoft Engineer currently employed at Microsoft. He specializes in Operating System Health, Reliability, and Performance. He is skilled in Windows Deployment with MDT (Microsoft Deployment Toolkit) and has exceptional skills in VDI (Virtual Desktop) and performance analysis. He is an active writer and blogger and loves technology.
See other products by Jeff Stokes
Right arrow icon

Other recommended products

Related to this chapter
Left arrow icon
Installing and Configuring Windows 10: 70-698 Exam Guide
Installing and Configuring Windows 10: 70-698 Exam Guide
This guide provides an excellent collection of tips and tricks to get the job done in Windows 10. It is designed to confirm what you already know, while at the same time updating your knowledge of Windows 10. Although it provides usable content for everyone, at its heart it’s made for IT professionals seeking to strengthen their Windows 10 skills.
Jan 2019 16 hours 20 minutes
Microsoft Exam MD-100 Windows 10 Certification Guide
Microsoft Exam MD-100 Windows 10 Certification Guide
Written in a clear, succinct way with self-assessment questions, exam tips and mock exams with detailed answer explanations, this book covers different facets of upgrading and deploying Windows 10. You will learn about managing devices and data, configuring connectivity, security and maintain Windows 10 with updates and recovery.
May 2020 14 hours 44 minutes
Deploying Microsoft System Center Configuration Manager
Deploying Microsoft System Center Configuration Manager
It becomes important to plan, design, and deploy configurations when administrators know that Configuration Manager interacts with a number of infrastructure components such as Active Directory Domain Services, network protocols, Windows Server services, and so on.
Sep 2017 12 hours 32 minutes
Microsoft 365 Mobility and Security - Exam Guide MS-101
Microsoft 365 Mobility and Security - Exam Guide MS-101
The MS-101 exam is part of the Microsoft 365 Certified: Enterprise Administrator Expert certification path in which users learn to evaluate, plan, migrate, deploy, and manage Microsoft 365 services. This book offers complete, up-to-date coverage of the MS-101 exam so you can take them with confidence, fully equipped to pass the first time.
Nov 2019 10 hours 24 minutes
Mastering Windows Security and Hardening
Mastering Windows Security and Hardening
Securing and hardening your Windows environment will enhance protection to secure your company’s data and users. This book will provide the knowledge you need to secure the Windows environment. Windows Security and Hardening covers the best practices you can implement in real-world scenarios.
Jul 2020 19 hours 4 minutes
Microsoft 365 Certified Fundamentals MS-900 Exam Guide
Microsoft 365 Certified Fundamentals MS-900 Exam Guide
Microsoft? ?365? ?Certified? ?Fundamentals certification demonstrates your knowledge of cloud services in general and the SaaS cloud model. This MS-900 exam guide, filled with practice questions, exam patterns, and mock tests, will help help you pass the exam on the first go and get to grips with adopting core Microsoft 365 services and cloud concepts.
Feb 2020 11 hours 24 minutes
Getting Started with Nano Server
Getting Started with Nano Server
Want to improve your ability to deploy a new VM and install and deploy container apps within minutes? You have come to the right place! The objective of this book is to get you started with Nano Server successfully. The journey is quite exciting, since we are introducing you to a cutting edge technology that will revolutionize today’s data centers.
Jun 2017 13 hours 32 minutes
Microsoft 365 Security Administration: MS-500 Exam Guide
Microsoft 365 Security Administration: MS-500 Exam Guide
MS-500: Microsoft 365 Security Administration offers complete, up-to-date coverage of the MS-500 exam so you can take it with confidence, fully equipped to pass the first time.
Jun 2020 22 hours 24 minutes
Mastering Windows Group Policy
Mastering Windows Group Policy
Windows Group Policy has been one of the most powerful yet underutilized tools in our corporate networks for many years. It is an incredible centralized management tool, and almost everyone already has it up and running in their environments.This book will help you become familiar with what Group Policy has to offer and learn how to make better use of it in your day job.
Nov 2018 13 hours 36 minutes
Windows Server 2019 Administration Fundamentals
Windows Server 2019 Administration Fundamentals
Windows Server 2019 is the latest version of the server operating system developed by Microsoft. It offers some unique features such as improved container services, storage, security, and administration. This book covers all the fundamental aspects of the Windows Server 2019 administration and also prepares you for the MTA 98-365 exam.
Oct 2019 14 hours 12 minutes
System Center 2016 Virtual Machine Manager Cookbook
System Center 2016 Virtual Machine Manager Cookbook
Microsoft System Center Virtual Machine Manager (SCVMM) focuses on efficiency with multiple features to help administrators consolidate physical servers within a centrally virtualized environment. This book will allow you to implement the Microsoft System Center family of components effectively and efficiently.
Feb 2018 18 hours 44 minutes
Installation, Storage, and Compute with Windows Server 2016: Microsoft 70-740 MCSA Exam Guide
Installation, Storage, and Compute with Windows Server 2016: Microsoft 70-740 MCSA Exam Guide
This practical guide covers 70-740 exam objectives required for MCSA: Windows Server 2016 certification. Additionally, this certification guide will come in handy when preparing to take the exam 70-743: Upgrading Your Skills to MCSA: Windows Server 2016.
Feb 2019 11 hours 0 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions Exam Ref AZ-700 is an all-encompassing guide to the AZ-700 exam and contains all the information you need to succeed in the world of virtual networking with Azure. With this book, you will be fully prepared for the exam and the world of cloud networking.
Aug 2023 17 hours 28 minutes
Microsoft 365 Security, Compliance, and Identity Administration
Microsoft 365 Security, Compliance, and Identity Administration
The Microsoft 365 Security, Compliance, and Identity Administration is a comprehensive guide that helps you employ Microsoft 365's robust suite of features and empowers you to optimize your administrative tasks.
Aug 2023 21 hours 0 minutes
Zero Trust Overview and Playbook Introduction
Zero Trust Overview and Playbook Introduction
Get started on Zero Trust with this step-by-step playbook and learn everything you need to know for a successful Zero Trust journey with tailored guidance for every role, covering strategy, operations, architecture, implementation, and measuring success. This book will become an indispensable reference for everyone in your organization.
Oct 2023 8 hours 0 minutes
The Self-Taught Cloud Computing Engineer
The Self-Taught Cloud Computing Engineer
This self-study book helps you master multiple clouds, including AWS, Azure, and GCP, and serves as a roadmap to becoming a certified cloud computing expert. The book will guide you to develop a professional cloud career by helping you build a broad cloud knowledge base, developing hands-on cloud computing skills, and getting cloud certified.
Sep 2023 15 hours 44 minutes
Technology Operating Models for Cloud and Edge
Technology Operating Models for Cloud and Edge
This book will help you build and create ownership of a technology operating model, as well as connect your leadership with engineering and operations, keeping your internal and external customers in mind. It provides practical tips on why, where, and how to make the cloud and edge platform paradigm sing for you, your team, and your organization.
Aug 2023 7 hours 36 minutes
Azure Architecture Explained
Azure Architecture Explained
Azure is the preferred platform to build mission-critical and secure apps. This book provides comprehensive coverage of essential Azure products, services, and solutions vital for every solution architect's success. Elevate your knowledge and master the critical components of Azure to excel in your role with Azure Architecture Explained.
Sep 2023 14 hours 52 minutes
Pentesting Active Directory and Windows-based Infrastructure
Pentesting Active Directory and Windows-based Infrastructure
This practical guide helps you explore the pentesting of Microsoft infrastructure in detail, and enhances your offensive skillset by showing you the different ways to perform security assessment. This book will help blue teamers and IT engineers get up to speed with possible security issues they may encounter in their Windows environments.
Nov 2023 12 hours 0 minutes
Practical Ansible
Practical Ansible
In Practical Ansible, you'll work with the latest release of Ansible and learn to solve complex issues quickly with the help of task-oriented scenarios. You'll start by installing and configuring Ansible to automate monotonous and repetitive IT tasks and get to grips with concepts such as playbooks, inventories, plugins, collections, and network modules.
Sep 2023 14 hours 0 minutes
Windows 11 for Enterprise Administrators
Windows 11 for Enterprise Administrators
Microsoft’s launch of Windows 11 is a step toward satisfying the enterprise administrator’s needs for better management and enhanced user experience customization. This book provides the enterprise administrator with the knowledge needed to fully utilize the advanced feature set of Windows 11 Enterprise.
Oct 2023 9 hours 32 minutes
The Linux DevOps Handbook
The Linux DevOps Handbook
This book is for software and IT professionals seeking knowledge on Linux systems and DevOps practices. This book will provide you with guidance and tools to learn and gain proficiency in managing Linux-based infrastructures and knowledge of DevOps.
Nov 2023 14 hours 16 minutes
Right arrow icon