What is the process of controlling access to resources such as computers, files, or printers called quizlet?

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner. Permissions are predefined in the MAC model.

The MAC model defines sensitivity labels that are assigned to subjects (users) and objects (files, folders, hardware devices, network connections, and so on).

An object's label dictates what level of clearance, also known as a trust level, is needed to access it (this is also known as data labeling).

Smart card

Photo ID

Something You Have authentication controls include physical items that you have in your possession, such as a smart card, photo ID, token device, or swipe card.

Something You Know authentication requires you to provide a password, PIN, pass phrase, or the answer to a cognitive question (such as your mother's maiden name).

Something You Are authentication uses a biometric system, such as a fingerprint, retina scan, voice recognition, keyboard, or writing recognition.

Authorization is the process of controlling access to resources such as computers, files, or printers. When managing access to resources, be aware of the following:
> A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups: distribution and security. Only security groups can be used for controlling access to objects.
> Assigning permissions to a group grants those same permissions to all members of the group.
> On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time.
> Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the entire system (the computer).

In the client-server model, each host has a specific role in the network. Servers provide services such as file storage, user management, security configuration, and printing. Clients request services from servers. The client-server model is known as domain networking in a Windows environment.

Some key domain networking facts include the following:

> Domain networking uses the concept of security principals. These are entities such as users, computers, and resources.
> A Windows domain is a collection of security principals that share a central authentication database known as Active Directory (AD).
> The Active Directory database is located on one or more servers in the domain.
- The servers running the Active Directory database are called domain controllers (DCs).
- Hosts must run a supported version of the Windows operating system to join a domain.
- The distinguished name of the domain is composed of the domain name along with the top-level domain name from DNS.
> Domains are much more efficient and scalable than workgroups due to a centralized management structure and function.
- Objects represent resources such as users, computers, and printers.
- Objects are used to define security attributes such as access, availability, and use limitations within the domain.
- Objects can be organized in container objects.
- An organizational unit (OU) is a type of container object used to logically organize network resources and simplify administration.

Some drawbacks of the client-server network model include increases in the following areas:
> Cost to implement due to specialized hardware and software requirements
> Planning time required for implementation
> Complexity of implementation
> Knowledge required to manage the implementation

With Windows 10, Microsoft's preferred method of signing onto a system is to use a Microsoft account. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store.

Microsoft accounts can be created using an existing email address or by signing up for a Microsoft email address. You can also use a phone number instead of an email address. If your Windows system was originally configured to sign in using a local account, you can switch to a Microsoft account by doing the following:

1. Select the Start menu and go to Settings > Accounts > Your info.
2. Select Sign in with a Microsoft account instead. (Note: if you see Sign in with a local account instead, you're already using your Microsoft account.)
3. Follow the prompts to switch to your Microsoft account. If needed, you can create a Microsoft account at this time.

To switch from a Microsoft account back to a local account, right-click Start and go to Settings > Accounts > Your info. Then select Sign in with a local account instead and follow the prompts.

In addition to local and Microsoft account sign-ins, you can also sign into a Windows system using a domain account. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups.

When using a domain user account to sign into your system, the username and password entered are sent to the domain controller. The domain controller then checks to see if the username and password submitted match the credentials it has for that particular user. If they do match, it sends a message back to the local system verifying the credentials, and the user is allowed to sign into the system. Before a user can sign in using a domain account, the domain user account must have already been created in Active Directory and the computer must have been joined to the desired domain.

To sign in using a domain account, you need to specify the domain you want to sign into. If this is the first time you are signing into the domain, or you want to make sure you are signing into the correct domain, select Other user from the sign-in screen. From this dialog, a known domain will be shown.

If the domain shown is the one you want to use, enter the username and password in the applicable fields. However, if the domain listed is not correct, you can change domains by specifying the correct domain in the username field using the syntax of domain\username. For example, to sign into the ACME domain using the Admin account, in the username field you would type ACME\Admin. As soon as you type the backslash, the name of the domain is shown in the Sign in to area.

You are the IT administrator for a corporate network. You have just installed Active Directory on a new Hyper-V guest server named CorpDC. You have created an Active Directory structure based on the company's departmental structure. While creating the structure, you added a Workstations OU in each of the departmental OUs. After further thought, you decide to use one Workstations OU for the entire company. As a result, you need to delete the departmental Workstations OUs.
In this lab, your task is to delete the following OUs on CorpDC:
> Within the Marketing OU, delete the Workstations OU.
> Within the Research-Dev OU, delete the Workstations OU.
> Within the Sales OU, delete the Workstations OU.

Complete this lab as follows:

1. Access the CorpDC server.
a. From Hyper-V Manager, select CORPSERVER.
b. From the Virtual Machines pane, double-click CorpDC.

2. Delete the applicable OUs.
a. From Server Manager, select Tools > Active Directory Users and Computers.
b. Select View > Advanced Features.
*This enables the Advanced Features view, allowing you to disable the OU's protection from accidental deletion.
c. From the left pane, expand CorpNet.local > the_parent OU.
d. Right-click the OU that needs to be deleted and then select Properties.
e. Select the Object tab.
f. Clear Protect object from accidental deletion and then select OK.
g. Right-click the OU to be deleted and then click Delete.
h. Click Yes to confirm the OU's deletion.
i. Repeat steps 2c - 2h to delete the remaining OUs.

3. From the Active Directory Users and Computers menu bar, select View > Advanced Features to turn off the Advanced Features view.

You are the IT administrator for a small corporate network. You recently added an Active Directory domain to the CorpDC server to manage network resources centrally. You now need to add user accounts in the domain.

In this lab, your task is to create the following user accounts on CorpDC:
| User | Job Role | Departmental OU |

Use the following user account naming standards and specifications as you create each account:
> Create the user account in the departmental OU corresponding to the employee's job role.
> User account name: First name + Last name
> Logon name: firstinitial +
> Original password: asdf1234$ (must change after the first logon)
> Configure the following for the temporary sales employee:
- Limit the logon hours to allow logon only from 8:00 a.m. to 5:00 p.m., Monday through Friday.
- Set the user account to expire on December 31st of the current year.

Complete this lab as follows:

1. Access Active Directory Users and Computers on the CorpDC server.
a. From Hyper-V Manager, select CORPSERVER.
b. From the Virtual Machines pane, double-click CorpDC.
c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers.
d. Maximize the window for better viewing.

2. Create the domain user accounts.
a. From the left pane, expand CorpNet.local.
b. Browse to the appropriate OU.
c. Right-click the OU and select New > User.
d. In the First name field, enter the user's first name.
e. In the Last name field, enter the user's last name.
f. In the User logon name field, enter the user's logon name (use firstinitial + ).
g. Select Next.
h. In the Password field, enter asdf1234$.
i. In the Confirm password field, enter asdf1234$.
j. Make sure User must change password at next logon is selected and then click Next.
k. Select Finish to create the object.
l. Repeat steps 3e-3m to create the additional users.

3. Modify user account restrictions for the temporary sales employee.
a. Right-click Borey Chan and select Properties.
b. Select the Account tab.
c. Select Logon hours.
d. From the Logon Hours dialog, select Logon Denied to clear the allowed logon hours.
e. Select the time range of 8:00 a.m. to 5:00 p.m., Monday through Friday.
f. Select Logon Permitted to allow logon.
g. Select OK.
h. Under Account expires, select End of.
i. In the End of field, use the drop-down calendar to select 31 December of the current year.
j. Select OK.

You are the IT administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server to manage network resources centrally. Organizational units in the domain represent departments. User and computer accounts are in their respective departmental OUs.
Over the past few days, several personnel changes have occurred that require changes to user accounts.
In this lab, your task is to use the following information to make the necessary user account changes on CorpDC:
> Mary Barnes from the Accounting Department has forgotten her password, and now her account is locked.
- Unlock the account.
- Reset the password to asdf1234$.
- Require a password change at the next logon.
> Mark Woods has been fired from the accounting department. Disable his account.
> Pat Benton is returning to the Research-Dev department from maternity leave. Her account is disabled to prevent logon. Enable her account.
> Andrea Simmons from the Research-Dev department has recently married.
- Rename the account Andrea Socko.
- Change the last name to Socko.
- Change the display name to Andrea Socko.
- Change the user logon and the pre-Windows 2000 user logon name to asocko.
> For all users in the Support OU (but not the SupportManagers OU), allow logon only to the Support computer.

Complete this lab as follows:

1. Access Active Directory Users and Computers on the CorpDC server.
a. From Hyper-V Manager, select CORPSERVER.
b. From the Virtual Machines pane, double-click CorpDC.
c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers.
d. Maximize the window for better viewing.

2. From the left pane, expand CorpNet.local.

3. Unlock the Mary Barnes account.
a. From the left pane, select Accounting.
b. Right-click Mary Barnes and select Reset Password.
c. In the New password field, enter asdf1234$.
d. In the Confirm password field, enter asdf1234$.
e. Make sure User must change password at next logon is selected.
f. Make sure Unlock the user's account is selected.
g. Select OK.
h. Select OK to confirm the change.

4. Disable the Mark Woods account.
a. From the right pane, right-click Mark Woods and select Disable Account.
b. Select OK to confirm the change.

5. Enable Pat Benton's account.
a. From the left pane, select Research-Dev.
b. From the right pane, right-click Pat Benton and select Enable Account.
c. Select OK to confirm the change.

6. Rename the Andrea Simmons account.
a. Right-click Andrea Simmons and select Rename.
b. Enter Andrea Socko and press Enter. This opens the Rename User dialog.
c. In the Last name field, enter Socko.
d. In the User logon name field, replace the old name with asocko.
e. Select OK.

7. Configure user account restrictions.
a. From the left pane, select Support.
b. From the right pane, press Ctrl and select both the Tom Plask and Janice Rons users to edit multiple users at the same time.
c. Right-click the user accounts and select Properties.
d. Select the Account tab.
e. Select Computer restrictions.
f. Select Log On To.
g. Select The following computers.
h. In the Computer name field, type Support.
i. Select Add.
j. Select OK.
k. Select OK.

You are the IT administrator for the CorpNet domain. You have decided to use groups to simplify the administration of access control lists. Specifically, you want to create a group containing the department managers.
In this lab, your task is to use Active Directory Users and Computers to complete the following actions on the CorpDC server:
> In the Users container, create a group named Managers. Configure the group as follows:
- Group scope: Global
- Group type: Security
> Make the following users members of the Managers group: | Organization Unit | Username |

Complete this lab as follows:

1. Access Active Directory Users and Computers on the CorpDC server.
a. From Hyper-V Manager, select CORPSERVER.
b. From the Virtual Machines pane, double-click CorpDC.
c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers.
d. Maximize the window for better viewing.

2. In the Users container, create a group named Managers.
a. From the left pane, expand and select CorpNet.local > Users.
b. Right-click the Users container and select New > Group.
*You can also create a new group by selecting the Create a new group in the current container icon found in the ribbon.
c. In the Group name field, enter Managers.
*A pre-Windows 2000 group name is created automatically, but it can be changed.
d. Under Group scope, make sure Global is selected.
e. Under Group type, make sure Security is selected and select OK.

3. Add user accounts to the Managers group.
a. From the left pane, ensure that the Users container is still selected.
b. From the right pane, right-click Managers and select Properties.
c. Select the Members tab.
d. Select Add.
e. In the Enter the object names to select field, enter all the usernames. Use a semicolon to separate each name.
*Example: Steve Hoffer; Peter Williams; Princess Diana
f. Select Check Names.
g. Select OK to add the users and close the dialog.
h. Select OK to close the Managers Properties dialog.
*You can also add individual users to a group by right-clicking the user and selecting Add to a group.

You have been asked to perform administrative tasks for a computer that is not a member of a domain. To increase security and prevent unauthorized access to the computer, you need to configure specific password and account lockout policies.
In this lab, your task is to use the Local Security Policy to configure the following password and account lockout policies:
> Configure password settings so that the user must:
- Cycle through 10 passwords before reusing an old one.
- Change the password every 90 days.
- Keep the password at least 14 days.
- Create a password at least eight characters long.
- Create a password that meets complexity requirements, such as using uppercase letters, lowercase letters, numbers, or symbols.
> Configure the account lockout policy to:
- Lock out any user who enters five incorrect passwords.
- Unlock an account automatically after 60 minutes.
- Configure the number of minutes that must elapse after a failed logon attempt to 10 minutes.

Complete this lab as follows:

1. Using Windows Administrative Tools, access the Local Security Policy.
a. Select Start.
b. Locate and expand Windows Administrative Tools.
c. Select Local Security Policy.
d. Maximize the window for easier viewing.

2. Configure the password policies.
a. From the left pane, expand Account Policies and then select Password Policy.
b. From the center pane, expand the Policy column.
c. Double-click the policy to be configured.
d. Configure the policy settings.
e. Click OK.
f. Repeat steps 2c-2e to configure the additional password policies.

3. Configure the account lockout policies.
a. From the left pane, select Account Lockout Policy.
b. From the center pane, expand the Policy column.
c. Double-click the policy to be configured.
d. Configure the policy settings (if needed, answer any prompts shown).
e. Click OK.
f. Repeat steps 3c-3e to configure the additional lockout policies.

> Disable and/or remove unnecessary accounts installed on the operating system by default, or disable specific user accounts that are no longer needed.
> Prohibit the use of generic user accounts. Generic accounts, such as guest or administrator accounts in Windows, should be disabled.
> Shared accounts:
- Increase the likelihood of the account being compromised. Because the account is shared, users tend to take security for the account less seriously. For example, one organization found that the passwords for shared user accounts proliferated to the point where hundreds of current and former employees knew them.
- Make password management more difficult. Because password changes must be communicated to multiple users, many system administrators avoid making any password changes at all. If the password is well known, employees (including former employees that no longer need access to the account) may still know the password.
- Reduce responsibility for the account. Because users view the account as communal, users may do things with the account that they would not do with their personal account.
- Destroy audit trails for the account. Because multiple users are associated with the account, it can be difficult to identify who is actually responsible for actions performed with the account.
- Make it difficult to monitor the account for unusual activity. Because multiple users are associated with the account, it is much more difficult to define behaviors that are normal and behaviors that are abnormal. This is problematic because identifying abnormal account activity is key to detecting attacks on your systems.

You work as the IT administrator for a growing corporate network. The Research and Development Department is working on product enhancements. Last year, some secret product plans were compromised. As a result, the company decided to implement smart cards for logon to every computer in the Research and Development Department. No user should be able to log onto the workstation without using a smart card.

In this lab, your task is to perform the following on CorpDC:
> Enforce the existing Research-DevGPO linked to the Research-Dev OU.
> Edit the Research-DevGPO and configure the following local security setting policies located in the Computer Configuration section:
| Policy | Setting |
*Certificate auto-enrollment has already been enabled for the domain.

Complete this lab as follows:

1. Access the CorpDC server.
a. In Hyper-V Manager, select CORPSERVER.
b. Double-click CorpDC.

2. Enforce the existing Research-DevGPO.
a. From Server Manager, select Tools > Group Policy Management.
b. Maximize the window for better viewing.
c. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects.
d. From the left pane, select the Research-DevGPO.
e. From the Scope tab under Links, right-click Research-Dev and then select Enforced.

3. Edit Research-DevGPO policies.
a. From the left pane, right-click Research-DevGPO and then select Edit.
b. Maximize the window for better viewing.
c. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
d. Select Security Options.
e. From the right pane, double-click the policy and select Properties.
f. Select Define this policy setting.
g. Select additional parameters to configure the policy setting.
h. Select OK.
i. Repeat steps 3e-3h to configure the additional policy setting.

TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+:
> Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server.
> Uses TCP port 49.
> Encrypts the entire packet contents, not just authentication packets. The client-server dialogs are also encrypted.
> Supports more protocol suites than RADIUS.
> Requires remote access servers to become TACACS+ clients to the backend TACACS+ server, similar to a RADIUS solution.

TACACS was originally developed in 1984 by BBN Technologies. The current version of the protocol standard, TACACS+, was developed by Cisco Systems but is supported by many vendors, such as BlueCat Networks, IBM, Netgear, and more.

TACACS and Extended Terminal Access Controller Access-Control System (XTACACS) are older protocols developed before TACACS+. While they sound similar, they are different and less-secure protocols.

An authentication protocol identifies how credentials are submitted, protected during transmission, and validated. Instead of a simple username and password, some authentication protocols require certificates and digital signatures for proof of identity.

> A certificate is a digital document that identifies a user or a computer. The certificate includes a subject name, which is the name of a user or a computer.
> Certificates are obtained from a public key infrastructure (PKI). A PKI is a collection of hardware, software, policies, and organizations that create, issue, and manage digital certificates.
> A PKI is made up of certificate authorities (CAs), also called certification authorities. A CA:
- Accepts certificate requests
- Verifies the information provided by the requester
- Creates and issues the certificate to the requester
- Revokes certificates, which invalidates them
- Publishes a list of revoked certificates known as the certificate revocation list (CRL)
> You can obtain certificates from a public CA such as DigiCert or install your own PKI and CAs to issue certificates to users and computers in your organization.
> Computers accept any certificate issued by a trusted CA as valid. By default, most computers trust well-known public CAs. If you configure your own PKI, you need to configure each computer in your organization to trust your own CAs.
> A digital signature is a digital document that is altered so that it could have come only from the subject identified in the certificate. A certificate obtained from a PKI is signed by the CA that issued the certificate. The digital signature of the issuing CA is included in the certificate.
> A computer that receives a certificate verifies the issuing CA's signature. If the CA is trusted, the computer will accept the user or computer's identity.

The following table describes various authentication methods used for network authentication. Many of these use some form of challenge/response mechanism.

What is the process of controlling access to resources such as computer files or printers called?

The process by which access to those resources is restricted to a certain number of users is called access control. The authentication process always comes before the authorization process.

Which of the following identifies the type of access that is allowed or denied for an object quizlet?

identifies the type of access that is allowed or denied for the object. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). A system access control list (SACL) is used by Microsoft for auditing to identify past actions performed by users on an object.

Which of the following is an example of rule based access control?

A router access control list that allows or denies traffic based on the characteristics of an IP packet is an example of rule-based access control.

Which of the following commands is used to change the current group ID during a login session?

The newgrp command is used to change the current GID (group ID) during a login session.