Setting UAC to always notify ensures that users are alerted whenever an application attempts to make changes to the system or install software, significantly enhancing security by preventing unauthorized changes.

Active Directory Federation Services (ADFS) enables Single Sign-On (SSO), allowing users to log in once and gain access to all corporate resources and applications without being prompted to log in again at each of them, enhancing productivity and user experience.

The Administrator account type provides full access to the computer and network settings, allowing system administrators to install software, manage user accounts, and change system settings.

allowing the specific application to communicate through the firewall without lowering the security for other applications. This option ensures that only designated traffic for the finance application is permitted, maintaining overall system security.

By using the “Advanced Security Settings” for the folder and enabling inheritance, you ensure that all subfolders and files within it automatically inherit the parent folder’s NTFS permissions, simplifying management and ensuring consistent security settings.

Windows Hello is the feature in Windows 10 that supports biometric sign-in options, including facial recognition. It provides a personal, secure experience for users to access their devices using a quick, facial scan.

By enabling Windows Defender Antivirus and configuring it to automatically update its definitions, you ensure that the system is protected against the latest threats without manual intervention. Windows Defender Antivirus is designed to automatically update its definitions through Windows Update, but configuring this setting through Group Policy ensures consistency and compliance across all company computers.

By assigning the “Modify” permission and explicitly denying the “Delete” permission, team members can create, read, and modify files but are prevented from deleting any files within the shared folder. This configuration ensures collaborative work on project files while protecting against data loss due to deletions.

Using the Encrypting File System (EFS) to encrypt the files allows only authorized users to access the encrypted documents, providing a high level of security for sensitive data without affecting the accessibility for authorized finance team members.

The “Password Must Meet Complexity Requirements” setting in Group Policy enforces the creation of passwords that include a mix of uppercase and lowercase letters, numbers, and symbols. This setting ensures that user passwords are strong and resistant to common password attacks, enhancing the security of the domain-joined workstations.

The Task Scheduler allows you to create and manage automated tasks on Windows, including scheduling Windows Defender Antivirus to perform a full scan at specified times, ensuring that all systems are regularly checked for malware.

This method is user-friendly and ensures that the external drive is encrypted with BitLocker, adhering to the company’s new policy.

The Modify permission allows users to read, write, execute, and modify files but does not allow them to delete files. It strikes a balance between providing sufficient access for team members to work collaboratively on project files while safeguarding against the accidental or intentional deletion of critical data.

Creating a custom rule to allow incoming connections on ports 80 (HTTP) and 443 (HTTPS) ensures that the web application is accessible over the internet while maintaining security by not opening unnecessary ports.

Adding the application to the list of allowed apps in Windows Firewall is the most direct and secure method to ensure it can access the internet. This is done through the Control Panel under “System and Security” -> “Windows Defender Firewall” -> “Allow an app or feature through Windows Defender Firewall.

The Power user account type, while not specifically present in the latest versions of Windows 10, traditionally offered a middle ground, providing users with more privileges than a Standard user account (like running legacy applications) without the full range of administrative rights. For modern systems, adjusting permissions or using compatibility settings is the way to manage this requirement.

BitLocker To Go is specifically designed for encrypting external drives, such as USB flash drives, ensuring that data stored on these devices is protected against unauthorized access if the drives are lost or stolen.

A Standard User account is ideal for interns or any user who requires access to resources but should not have the ability to make significant changes to the system, such as installing software or altering system settings. This account type ensures a level of security and control over the system’s configuration while providing the necessary access to perform daily tasks.

Software Restriction Policies in Group Policy allow administrators to control which applications can and cannot be executed on company computers, providing a method to enforce security policies and prevent the execution of unauthorized software.