when you turn on your Windows computer you're prompted with a login screen This is where you gain access to your desktop and to all of the resources associated with your account If you're logging in with a user that is defined on the local computer we refer to that as a local account This is the type of account that you've configured on your systems that you might use at home When you log into Windows at home it may prompt you to log in with your local account When you installed Windows you may have chosen to synchronize it with your Microsoft account This means that you can synchronize all of these settings between different devices and use the same username and password across all of those devices And if you're working at a business you're probably logging in with your domain account This is very similar to a Microsoft account but instead of the account being managed with the Microsoft cloud the account is instead managed with your local organization's Windows domain You'll often hear people refer to this as logging in with their domain login or with their Active Directory credentials If you'd like to see all of the local users that are defined on your computer you can go to computer management and choose the option for local users and groups This will provide a list of all of the users and all of the groups that are defined on this local computer Even if you've not configured any accounts on this Windows device there are a few that are enabled by default One of these accounts is the administrator account That is the account that has full access to the system There might also be a guest account and most guest accounts are usually configured to have limited access to the operating system And then there might be a standard user Here's my user account Professor And that is the normal account I would use for logging into this Windows system If you click the groups tab you'll see a large number of groups that are enabled by default on your Windows system You might recognize some of these group names For example there is an administrator group a backup operators group a guest group and there is a power users group Power users is a group that's been around in Windows for a very long time and it was originally designed to have some additional capabilities over a normal user But these days we don't generally use the power users group but it is still included in the list for backwards compatibility When you log in you may be presented to put in your username and your password These are probably the most common authentication credentials that you'll find but there are other options when you log in You might be asked for a personal identification number or a PIN and you need to input the PIN to log into the system There might also be biometrics so your device might have a fingerprint reader or it might perform facial recognition with your camera And there could be a single sign on option especially if you're working in a business because you have a Windows domain that can allow you to log in one time in the morning and have access to all of the devices and resources you need on that network without having to put those credentials again constantly throughout the day One of the biggest problems we have with authentication is people have to put in a username and a password Many people might use an easy to remember or relatively weak password or they might not remember their password and end up writing it down and putting on a yellow sticky that's on their monitor Neither of those is a best practice for security So we've had to think about ways to make the login process easier One of those methods is to use passwordless authentication This means we are able to authenticate into our system but we don't use a password to provide that authentication That solves your problem with weak passwords or passwords being written down but still provides security for the people logging into their system You might already be using some type of passwordless authentication When you start your computer it might do facial recognition or it might use a security key that you plug into a USB drive There's also functions within Windows called Windows Hello which is a series of authentication options which may not require a password This may not be the primary form of authentication You might have required a username and password on your initial login but any subsequent loginins may be using some type of passwordless authentication Or you might need to use multiple passwordless authentication functions to be able to log in if you're not using your username and password Here's some of the options available for passwordless authentication in Windows using Windows Hello Windows Hello supports facial recognition fingerprint recognition a personal identification number and then you could also use a security key or a picture password And of course there is always the option to sign in with your account's actual password In Windows there are a number of different ways to provide access to different files and folders on our local computer For example if you were to look at the properties of a folder that is on your system this happens to be one in my documents folder and the folder name is called reports You can see a number of different users that have access to this particular folder And you can set up rights and permissions for each individual user or group We refer to the rights and permissions of these documents on the local file system as NTFS permissions This is the NT file system permissions But of course people can access a number of those files and folders from outside of your local computer across the network When you make those files and folders available across the network they're referred to as a Windows share And there is a different set of rights and permissions if you are providing access through a window share across the network So the question then becomes if there is a certain right and permissions set for NTFS and a different set of rights and permissions for a share permission which one of those wins in Windows the most restrictive setting wins So if any of these files or folders have been set to deny that will override any other allow settings Also keep in mind that your NTFS permissions apply to all of the files and folders underneath that particular setting For example I might have many other folders underneath the reports folder and I might add new files into the reports folder at any time These NTFS permissions that I've created for the reports folder will also apply to all of the folders underneath the reports folder and to all of the files that I add at any time into the reports folder The only time this is different is if you move a file into this folder from the same volume If you move a file or folder on that same volume it keeps the original permissions Let's look at the difference between the NTFS permissions that we have on the left and the share permissions that we have on the right for the same folder which is the users professor documents reports folder On our local machine we have an everyone group and in that everyone group we provided full access to that particular folder So anyone on this local device is able to have full control which includes modify read and execute list folder contents read and write permissions If someone was to connect to this folder from across the network they would be using the share permissions along with those NTFS permissions But notice that the share permissions do not provide the same type of permissions as the NTFS permissions Notice that the share permissions have read access for everyone but it does not have change or full control That means if somebody logs in locally to this computer they have full access to the reports folder But if they connect to the reports folder from across the network using the share permissions they only have read access When you are configuring specific permissions for a folder we refer to that as explicit permissions This means you have selected a specific resource and you have configured rights and permissions for that specific resource But it is possible that other files and folders that are in the file system could also take those same rights and permissions For example if you have additional child folders within that single parent folder all of the child folders will inherit the permissions that you set for that parent This means if we have a music folder that contains individual folders for separate artists we can set permissions for the music folder and those permissions will be propagated down through all of the child folders Anytime you are manually configuring explicit permissions those will take priority over anything that may have been inherited So let's say we've set up a music folder but we've configured it with no access for anyone else And of course in Windows all of the child folders will inherit that same configuration that we set on the music folder If we then manually go into the music folder and we explicitly change one of those it no longer has the inherited permissions and it now takes the explicit permissions that we've defined for that single folder As a Windows user you have access to run applications start your browser close out different applications and shut down your system But there may be certain tasks that require additional rights and permissions For example if you're editing a system file installing a new application or modifying a service you might need administrator rights To be able to use these administrator rights and permissions you need to specify that you'd like to use them Even if your user account has been added to the administrators group you still must explicitly say that you want to use the administrator to run a particular application The way that you would run an application as an administrator is you would right mouseclick on the name of the application and choose the option to run as administrator On my Windows machine I can go down to the search type in cmd This brings up the command prompt And you can see the options to run the command prompt are to open it or to run as administrator There are also other options in here to open the file location pin to start and pin to taskbar You can also right mouse click on the icon itself and you have the same options available to run as administrator and the others One of the reasons that we don't want someone always using their account as the administrator is because malicious software can take advantage of those elevated rights and permissions But we still need a way to make changes to our system throughout the day One of the ways that Windows provides this is through user account control or UAC If you're running with your normal user account and you access resources across the network or modify the profile settings for your account you don't need any type of elevated rights or permissions But if you begin to install applications or services or you want to make changes to a Windows system application you may require administrator access One of the ways that Windows can provide you with that elevated access is through the user account control Windows account control can be manually configured to always notify you for any of these prompts or to never provide any UAC prompts on your screen When you get a UAC prompt it will put a box like this on your screen that says "Do you want to allow this app to make changes to your device?" And you'll either need to be part of the administrators group or you'll need to provide administrator credentials to be able to perform this task One of the things that security professionals are always concerned about is someone gaining access to the data that might be on your storage drive This might be especially true with things like laptops and mobile devices that can be taken anywhere and very often can be lost or stolen One of the ways that you can prevent somebody from gaining access to the data that's on that device is to use some type of full disk encryption or FDE In Windows full disk encryption is enabled through the use of Bit Locker Bit Locker will encrypt an entire volume including the operating system all of your personal files and anything else you store on that volume This means if you lose your laptop and somebody does gain access to that storage device they would not be able to access or understand anything on that storage device because all of the contents have been encrypted Even if they were to remove your hard drive or your SSD from a laptop and plug it into a different computer they still would not have access to all of this encrypted data There's also similar Bit Locker functionality available for USB flash drives This is called Bit Locker to Go and it will encrypt all of your data on that very small flash drive This means if you lose the flash drive and somebody does find it they will not have access to any of your encrypted data Instead of encrypting the entire volume you also have the option for just encrypting a series of files or folders This is done in the file system of Windows itself And we call this the encrypting file system If you're running NTFS as the file system you'll see this option when you look at the attributes for a file or a folder This is available in all Windows editions except the home editions and it uses your username and password to provide the security that's used for the encryption If you forget your password or somebody administratively resets the password on that system then you will lose access to all of that encrypted data So it's important to always have a backup of your system so that you never lose access to any of this important data