3.1.2. Configure and apply basic Microsoft Windows OS security settings. (Obj. 2.2)
First Principle: Leveraging built-in OS security features is the first line of defense in hardening a workstation.
Before you even think about third-party security software, you must master the powerful security tools built directly into the Windows operating system. Properly configuring these features creates a strong baseline of security for any workstation. The most critical areas are encryption and permissions.
Encryption is the process of scrambling data so it can only be read by someone with the correct key. Windows Pro and Enterprise editions offer two main types:
- BitLocker Drive Encryption: This provides full-disk encryption. It encrypts the entire Windows operating volume, protecting all files, including system files, temporary files, and user data. It's often paired with a TPM (Trusted Platform Module) chip on the motherboard, which securely stores the encryption keys. If a BitLocker-enabled laptop is stolen, the drive is nothing more than a paperweight to the thief; the data is completely inaccessible.
- EFS (Encrypting File System): This provides file-level encryption. A user can right-click a specific file or folder on an NTFS-formatted drive and encrypt it. The encryption is tied to that user's account certificate. This is useful for protecting specific sensitive files on a shared computer, but BitLocker is the superior solution for overall device protection.
Permissions control who can do what with files and folders. In Windows, you'll manage two sets:
- NTFS Permissions: These apply to users who are logged in locally to the machine. They are very granular, allowing you to set permissions like Read, Write, Modify, and Full Control for specific users and groups.
- Share Permissions: These apply to users accessing a folder over the network. They are simpler: Read, Change, and Full Control. When a shared folder is accessed over the network, both the NTFS and the Share permissions are checked, and the most restrictive of the two wins. If a user has "Full Control" in NTFS permissions but only "Read" in Share permissions, they will only be able to read the files when accessing the folder over the network.
Technician's Action Plan:
Scenario: You are provisioning a new laptop for an executive who travels frequently. They will be storing sensitive company financial reports on it. You also need to create a shared folder on the network server for the finance team.
- Harden the Laptop (BitLocker): The top priority is protecting the data on the laptop in case of loss or theft.
  - Ensure the laptop has Windows 11 Pro and a TPM chip.
  - Open the Control Panel and go to "BitLocker Drive Encryption".
  - Turn on BitLocker for the C: drive.
  - Crucially, save the recovery key to a secure location (e.g., the user's Microsoft account, a USB drive stored in a safe, or print it). Explain to the user that this key is their only way to access their data if something goes wrong with the TPM.
- Create the Secure Network Share:
  - On the file server, create a new folder called "FinanceData".
  - Set NTFS Permissions: Right-click the folder -> Properties -> Security. Remove the default "Users" group. Add the "Finance Team" security group and grant it "Modify" permissions. Add the "Finance Managers" group and grant it "Full Control". This follows the principle of least privilege.
  - Set Share Permissions: Right-click the folder -> Properties -> Sharing -> Advanced Sharing. Share the folder. Click "Permissions". Remove "Everyone". Add the "Finance Team" group and grant it "Change" permission. Add "Finance Managers" and grant "Full Control".
  - Verify Access: Log in as a standard finance team member and confirm they can create and edit files in the share, but not change permissions. Log in as a finance manager and confirm they can do everything. Log in as someone from the Sales team and confirm they cannot access the share at all.
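A scripted equivalent of the "Create the Secure Network Share" steps, as an added example that is not part of the original guide. The CONTOSO domain prefix, the D:\Shares path, the Administrators and SYSTEM entries, and the helper Get-EffectiveNetworkRights are assumptions made for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# Assumptions (not from the guide): CONTOSO domain, D:\Shares path, Administrators/SYSTEM entries.
$path     = 'D:\Shares\FinanceData'
$team     = 'CONTOSO\Finance Team'
$managers = 'CONTOSO\Finance Managers'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting and discard inherited entries, which removes the default "Users" group.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protected = true, keep inherited copies = false
$grants = @(
    @($team,                    'Modify'),
    @($managers,                'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),  # assumption: server admins keep access
    @('NT AUTHORITY\SYSTEM',    'FullControl')   # assumption: services and backup keep access
)
foreach ($g in $grants) {
    $who, $rights = $g
    # Rule applies to this folder, its subfolders and its files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $who, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share permissions: naming the accounts explicitly means "Everyone" is granted nothing.
New-SmbShare -Name 'FinanceData' -Path $path -ChangeAccess $team -FullAccess $managers | Out-Null

# Review both permission sets side by side.
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
Get-SmbShareAccess -Name 'FinanceData' | Format-Table AccountName, AccessControlType, AccessRight

# "Most restrictive wins": over the network a user keeps only rights granted by BOTH sets.
# Hypothetical helper; mapping share rights onto NTFS rights is a simplification.
function Get-EffectiveNetworkRights([string]$Ntfs, [string]$Share) {
    $map = @{ Read = 'ReadAndExecute'; Change = 'Modify'; Full = 'FullControl' }
    $n = [int]([System.Security.AccessControl.FileSystemRights]$Ntfs)
    $s = [int]([System.Security.AccessControl.FileSystemRights]($map[$Share]))
    [System.Security.AccessControl.FileSystemRights]($n -band $s)
}
Get-EffectiveNetworkRights -Ntfs 'FullControl' -Share 'Read'    # the guide's example pairing
Get-EffectiveNetworkRights -Ntfs 'Modify'      -Share 'Change'  # Finance Team on this share
```

The two tables only show what was configured; the logon tests in the "Verify Access" step are still what confirm the result for each group.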
Reflection Question: Explain how the "most restrictive permission wins" rule applies when both NTFS and Share permissions are configured for a shared folder.