CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [459]

casual user until a tech can undo the damage or replace components. All modern CMOS setup utilities come with a number of tools to protect your computer, such as drive lock, intrusion detection, and of course system access passwords such as the one shown in Figure 26-1. Refer to Chapter 7, “BIOS and CMOS,” to refresh yourself on what you can do at a BIOS level to protect your computer.

Figure 26-1 CMOS access password request

Hardware Authentication

Smart cards and biometric devices enable modern systems to authenticate users with more authority than mere passwords. Smart cards are credit-card-sized cards with circuitry that can identify the bearer of the card. Smart cards are relatively common for such tasks as authenticating users for mass transit systems, for example, but are fairly uncommon in computers. Figure 26-2 shows a smart card and keyboard combination.

People can guess or discover passwords, but forging someone’s fingerprints is a lot harder. The keyboard in Figure 26-3 authenticates users on a local machine by using fingerprints. Other devices that will do the trick are key fobs, retinal scanners, and PC cards for laptop computers. Devices that require some sort of physical, flesh-and-blood authentication are called biometric devices.

Figure 26-2 Keyboard-mounted smart card reader being used for a commercial application (photo courtesy of Cherry Corp.)

Figure 26-3 Microsoft keyboard with fingerprint accessibility

* * *

NOTE How’s this for full disclosure? Microsoft does not claim that the keyboard in Figure 26-3 offers any security at all. In fact, the documentation specifically claims that the fingerprint reader is an accessibility tool, not a security device. Because it enables a person to log on to a local machine, though, I think it falls into the category of authentication devices.

Clever manufacturers have developed key fobs and smart cards that use radio frequency identification (RFID) to transmit authentication information so users don’t have to insert something into a computer or card reader. The Privaris plusID, for example, combines a biometric fingerprint fob with an RFID tag, making security as easy as opening a garage door remotely! Figure 26-4 shows a plusID device.

NTFS, not FAT32!

The file system on a hard drive matters a lot when it comes to security. On a Windows machine with multiple users, you simply must use NTFS or you have no security at all.

Figure 26-4 plusID (photo courtesy of Privaris, Inc.)

Not just primary drives but also any secondary drives in computers in your care should be formatted as NTFS, with the exception of removable drives such as the one you use to back up your system.

When you run into a multiple-drive system that has a second or third drive formatted as FAT32, you can use the CONVERT command-line utility to go from FAT to NTFS. The syntax is pretty straightforward. To convert a D: drive from FAT or FAT32 to NTFS, for example, you’d type the following:

CONVERT D: /FS:NTFS

You can substitute a mount name in place of the drive letter in case you have a mounted volume. The command has a few extra switches as well, so at the command prompt, type a /? after the CONVERT command to see all of your options.
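
One way to find the drives this section is talking about, as an added example that is not from the book: the PowerShell function below lists fixed volumes still formatted as FAT or FAT32 and prints the matching CONVERT command without running it. The function name Get-FatVolumeReport and its output columns are made up for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report fixed volumes still formatted FAT/FAT32 and the
# CONVERT command for each. Read-only: nothing is converted.
# Assumption: PowerShell 3.0+ (Get-CimInstance); function name is hypothetical.
function Get-FatVolumeReport {
    # DriveType 3 = local fixed disk. Removable media (DriveType 2) is left
    # out, matching the exception the text makes for backup drives.
    $filter  = "DriveType = 3 AND FileSystem LIKE 'FAT%'"
    $volumes = Get-CimInstance -ClassName Win32_Volume -Filter $filter

    foreach ($v in $volumes) {
        $command = $null
        $note    = ''

        if ($v.DriveLetter) {
            # Ordinary lettered drive, e.g. D:
            $command = "CONVERT $($v.DriveLetter) /FS:NTFS"
        }
        elseif ($v.Name -and -not $v.Name.StartsWith('\\?\')) {
            # Volume mounted in a folder: CONVERT takes the mount name.
            $command = 'CONVERT "{0}" /FS:NTFS' -f $v.Name.TrimEnd('\')
        }
        else {
            # No letter and no mount point. The EFI system partition looks
            # like this and must stay FAT32, so no command is suggested.
            $note = 'Unmounted FAT volume; review manually'
        }

        [pscustomobject]@{
            Volume     = $v.Name
            FileSystem = $v.FileSystem
            Label      = $v.Label
            SizeGB     = [math]::Round($v.Capacity / 1GB, 1)
            Command    = $command
            Note       = $note
        }
    }
}

Get-FatVolumeReport | Format-List
```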

Users and Groups

Windows uses user accounts and groups as the bedrock of access control. A user account is assigned to a group, such as Users, Power Users, or Administrators, and by association gets certain permissions on the computer. Using NTFS enables the highest level of control over data resources.

Assigning users to groups is a great first step in controlling a local machine, but this feature really shines once you go to a networked environment. Let’s go there now.

User Account Control Through Groups

Access to user accounts should be restricted to the assigned individuals, and those who configure the permissions to those accounts must remember the Principle of Least Privilege discussed in Chapter 16, “Securing Windows Resources”: Accounts should have permission to access only the resources they need and no more.
