S 3.28 User training on Windows client operating system security mechanisms
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Supervisor, Head of IT
The security of the data stored on Windows systems depends to a large extent on the ability of the users to handle the security mechanisms of the Windows systems properly. Users of Windows systems must receive appropriate training in order to use these mechanisms effectively, and a concept is required for this training.
Security mechanisms from the user's perspective
When operating Windows systems, the user can be relieved of a large part of the security-related settings if the administrator performs the corresponding preparations and pre-settings. In order to achieve uniform and verifiable system configurations, such an approach is indispensable (see S 2.326 Planning the Windows XP, Vista and Windows 7 group policies).
Some security-related settings, though, can be specified by the user himself/herself. This includes specifying the access rights to his/her own files and directories. The access rights can be denied or granted to individual users or user groups. If the access rights configured for a user contradict each other, access is denied. This would be the case, for example, if the user is a member of both groups A and B and access is allowed for group A but denied for group B. In general, the rights a user needs to access his/her own files are pre-set by the administrator, and these rights are automatically transferred to new files and folders. However, since users are normally allowed to change these access rights, it is necessary to train every user accordingly (see also S 4.149 File and share authorisation under Windows for more information). The policies of the institution should define which users are allowed to make which settings, or whether changing the access rights by the user is prohibited in general. It is recommended to have at least the mobile client users trained on how to grant access rights to their data. For users with stationary clients, this can be agreed upon optionally.
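The following PowerShell function is an added illustration of the evaluation rule described above and is not part of the BSI safeguard text; it lists the entries of a file's NTFS access control list that apply to a given user and his/her groups, marks which entries were inherited from the parent folder, and reports whether a Deny entry blocks the requested right. The account and group names in the usage line are constructed placeholders.

```powershell
# Added example (not from S 3.28): show which ACL entries on a file or folder apply to a
# user and his/her groups, and whether any of them denies the requested right.
function Get-EffectiveAceReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # The user's own account plus the groups he/she belongs to, e.g. 'CORP\alice',
        # 'CORP\GroupA', 'CORP\GroupB' (constructed names, replace with real principals).
        [Parameter(Mandatory)] [string[]] $Principals,
        [System.Security.AccessControl.FileSystemRights] $Right = 'Read'
    )

    $acl = Get-Acl -Path $Path
    # Keep only the entries whose identity is the user or one of his/her groups.
    $matching = @($acl.Access | Where-Object { $Principals -contains $_.IdentityReference.Value })

    # Deny entries that cover the requested right take precedence over any Allow entry
    # (the "member of group A and group B" case from the training contents).
    $denied = @($matching | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $Right) -eq $Right)
    })

    foreach ($ace in $matching) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType          # Allow or Deny
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited                # $true: propagated from the parent folder
            CoversRight = (($ace.FileSystemRights -band $Right) -eq $Right)
        }
    }

    if ($denied.Count -gt 0) {
        Write-Warning ("'{0}' on {1} is denied by: {2}" -f $Right, $Path,
            (($denied | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
    }
}

# Usage (constructed names): which entries apply to alice, and is Modify denied to her?
# Get-EffectiveAceReport -Path 'C:\Data\report.docx' `
#     -Principals 'CORP\alice', 'CORP\GroupA', 'CORP\GroupB' -Right Modify
```

Running this on a newly created file shows the inherited entries (Inherited = True) that the administrator's folder settings transferred to it, which is the situation the training should make users aware of before they change any of them.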
Another point that must be covered in such a user training programme is the use of the Encrypting File System (EFS). In addition to informing the users on how to avoid pitfalls when using the EFS, the training programme should also place special emphasis on the extent to which EFS can protect the confidentiality of the data in the files and provide information about the limits of this protection (see also S 4.147 Secure use of EFS under Windows). When using Windows Vista and Windows 7, the users should also be informed of the possibilities offered through the simultaneous use of EFS and BitLocker for hard drive encryption. The users must be taught how to manage the encryption information in order to ensure that the data is available at all times.
When using BitLocker for hard drive encryption (see S 4.337 Use of BitLocker drive encryption), the user training programme should also deal with the level of protection of confidentiality that can be reached with it. Furthermore, the procedure selected for user authentication for BitLocker when starting Windows Vista or Windows 7, the significance of the recovery password, and the limits of the protection provided should be explained to the users in the training programme.
Windows Vista and Windows 7 offer different data backup methods (see S 6.76 Creation of a contingency plan for failure of a Windows network).
The user must be informed of which data backup methods he/she must use. Furthermore, the user must know where to find the backed up data, how he/she can access these backups when needed, and what he/she needs to do to restore his/her data.
Contents of the training programme
The following bullet points summarise the training contents users need in order to handle Windows systems securely:
Use of access rights in the NTFS file system
- Protection of files using access rights
- Inheritance of access rights
- Copying and moving files
- Transferring ownership of a file to another user
- Raising awareness for the limitations of the file protection obtained using access rights
  - Users with administrative rights can override access rights.
  - When direct access to the hardware is possible (e.g. while removing a hard disk), it is also possible to override the access rights.
  - Files are not protected during transmission over the network.
- Significance, mode of operation, and operation of user account control (see S 4.340 Use of Windows User Account Control UAC in Windows Vista and higher) in case users encounter it.
Use of the integrated Windows firewall
- Method of operation and the type of protection it provides
Use of EFS (see also S 4.147 Secure use of EFS under Windows)
- Benefits of EFS (EFS offers additional protection of the confidentiality of files)
- Operation of EFS
- The problems associated with "subsequent encryption"
- Suitable password selection (password quality is essential to the effectiveness of EFS)
- Use of an additional start password using syskey (essential when using local user accounts)
- Raising awareness of the limitations of the protection offered by EFS
  - Users with administrative rights can override the encryption.
  - Files stored in encrypted form are not protected during transmission over the network, unless EFS is used with WebDAV.
- Use of EFS in addition to BitLocker in Windows Vista and Windows 7, if encryption is necessary when the system is running
Use of BitLocker in Windows Vista and Windows 7
- Encrypted and unencrypted partitions
- The protection offered by BitLocker is only available when the system is switched off (offline encryption).
- Appropriate handling of the authentication resources (USB stick and/or PIN)
- Purpose and appropriate handling of the recovery password when it is necessary for users to be able to access the password
- Reaction to BitLocker error messages, especially when they relate to the detection of integrity violations
Other security instructions
- Secure deletion of files (see S 4.56 Secure deletion under Windows operating systems, which also applies to Windows 2000, Windows XP, Windows Vista, and Windows 7)
- Security instructions relating to the automatic recognition of CD-ROMs and the Autostart function (see S 4.57 Disabling automatic CD-ROM recognition)
- Security instructions for securely handling removable media such as USB storage media (see S 4.200 Handling of USB storage media and, particularly for Windows Vista and Windows 7, S 4.339 Prevention of unauthorised use of removable media under Windows Vista and Windows 7)
- Security instructions for securely using specific security technologies in Windows XP, Windows Vista, and Windows 7 such as the Security Centre / Action Centre, the Windows Firewall, and WPA (WiFi Protected Access)
Review questions:
- Is there a concept for the user training programme regarding the security of Windows client operating systems?
- Do the users receive instructions on how to grant access rights to their own files?
- Do the users receive information about the security mechanisms (e.g. encryption with EFS and BitLocker) available in the tools used and how to use these mechanisms?
- Do the users receive information and training on the data backup methods available?
- Do the users receive training on the use of the Windows Firewall?