Chapter 6, Securing File Resources

|1|Chapter Overview

Securing Access to File Resources

Securing Access to Print Resources

Planning EFS Security

Chapter 6, Lesson 1

|2|Securing Access to File Resources

|3|1.Designing Share Security

A.Share permissions

1.Used to secure network access to data

2.Can be established for folders located on FAT, FAT32, NTFS, and CDFS volumes

3.Affect only network users

4.Combine with NT file system (NTFS) permissions to fully secure file access

|4|B.Configuring share permissions

1.Introduction

a.To enable shared folders, edit the Sharing tab of the folder properties.
b.The maximum number of allowed sessions can be limited.
c.To configure precise permission settings, click Permissions.

|5|2.Standard share permissions

a.Full Control
(1)Allows the assigned security principal to create, delete, and modify any content within the shared folder
(2)If located on NTFS, allows the security principal to take ownership of or to change permissions on the files or folders within the shared folder
b.Change
(1)Allows a security principal to read, write, create, or modify any content within the shared folder
c.Read
(1)Allows a security principal to read, copy, or execute any content within the shared folder

|6|C.Changes to shares in Microsoft Windows 2000

1.With down-level clients, if a logical drive letter was assigned to a file share, a fake root directory is established at the shared folder.

2.In Windows 2000, the default behavior allows the root directory to be established at the shared folder.

3.Establishing the root directory at the shared folder provides additional security because the user cannot navigate to any folders above or at the same level in the folder hierarchy.

4.Down-level clients still require separate shares to be established for each user home directory.

|7|D.Making the decision: designing secure share permissions

1.Remove Full Control permission from the Everyone group.

a.In high-security networks, the default assignment (Everyone: Full Control) grants excess permissions.
b.Users should never require more than Change permission.

2.Assign share permissions to domain local groups, not to user accounts.

a.Manage share permissions by modifying group memberships rather than by editing the permissions of each shared folder.

3.Assign the maximum permission that a security principal will require for the folder hierarchy below the shared folder.

a.Share permissions should never exceed the level of access required for any folder within the shared folder.
b.Inspect the entire folder hierarchy contained within the shared folder.

|8|E.Applying the decision: designing secure share permissions for Wide World Importers

1.Establish two separate shares for Wide World Importers.

a.Washington share: \\Washington\Applications
(1)Users: Read
(a)Users only require Read permission to find and run application software.
(2)Administrators: Full Control
(a)Full Control permission is required to modify permissions on files and to update files.
(b)Change permission can be implemented instead if administrators are not required to change permissions.
b.Dallas share: \\Dallas\Applications
(1)Graphics Users: Change
(2)Graphics Admins: Change
(a)Common Graphics global group: Lisa and David
(b)Template Admins global group: Stefan and Linda
(3)Administrators: Full Control
(a)Full Control permission is required to modify permissions on files and to update files.
(b)Change permission can be implemented instead if administrators are not required to change permissions.

|9|2.Planning NTFS Security

A.Overview

1.NTFS permissions affect both network users and users at the computer console.

2.NTFS allows permissions to be set for individual files within a folder.

3.The ability to set permissions on files allows more flexibility when designing the security model for file access.

|10|B.Changes in the Windows 2000 NTFS file system

1.Encryption

a.EFS allows file-level and directory-level encryption.
b.EFS allows a user to perform encryption.

c.Only the user who performed the encryption or a designated EFS recovery agent can decrypt protected files.

2.Quotas

a.NTFS allows storage space restrictions to be set for each volume.

b.Quotas can be applied for each user to limit the amount of disk space in which a user can store data on a volume.

3.Permission inheritance

a.Permissions propagate to subfolders and file objects within the parent folder.

b.This reduces the effort required to modify the permissions of multiple files and subfolders.

c.If permissions for a resource are inherited, they cannot be removed directly.

|11|C.Assessing NTFS permissions

1.Overview

a.Define most permissions by using the predefined permissions.

b.Predefined NTFS permissions are compilations of several special permissions.

c.Each ACE in the DACL identifies a security group and the access it is allowed or denied.

d.The DACL contains one ACE for each level of access defined for an object.

|12|2.Predefined NTFS folder permissions

a.Full Control

b.Modify

c.Read & Execute

d.List Folder Contents

e.Read

f.Write

3.Predefined NTFS file permissions

a.Full Control

b.Modify

c.Read & Execute

d.Read

e.Write

|13|4.NTFS special permissions

a.Traverse Folder/Execute File

b.List Folder/Read Data

c.Read Attributes

d.Read Extended Attributes

e.Create Files/Write Data

f.Create Folders/Append Data

g.Write Attributes

h.Write Extended Attributes

i.Delete Subfolders And Files

j.Delete

k.Read Permissions

l.Change Permissions

m.Take Ownership

n.Synchronize

|14|D.Making the decision: designing NTFS permissions

1.Assign only the necessary permissions.

a.Ensures excess permissions are never granted

b.Prevents accidental use of excess permissions

2.Create a custom domain local group for each type of access.

a.Create separate ACEs for each type of required access.

b.User access will be based on that user’s group memberships.

3.ACEs defined directly on an object (explicit ACEs) are evaluated before any inherited ACEs.

4.Within a group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.

a.Ensures that access-denied ACEs take precedence over access-allowed ACEs

5.If there are multiple inherited ACEs, the ACEs are evaluated in the following order: from those closest to the object (first) to those farthest from the object (last).

a.Ensures that any explicit ACEs applied to the file or folder containing the file are evaluated before any inherited ACEs

6.Use security templates and Group Policy to standardize NTFS permissions.

a.Define security templates that set prescribed NTFS permissions.

b.Security templates can be imported into Group Policy to ensure that they are applied to all computers within the container where the Group Policy is applied.

E.Applying the decision: NTFS permission design for Wide World Importers

|15|1.NTFS permissions for the Washington office

a.Users: Read & Execute

(1)Separate NTFS permissions for individual files in the Microsoft Office folder are not necessary.

(2)Users are allowed to read data and execute programs.

b.Administrators: Full Control

|16|2.NTFS permissions for the Dallas office

a.\\Dallas\Applications

(1)Administrators: Full Control

(2)Graphics: Read & Execute

b.\\Dallas\Applications\Adobe Photoshop\Common Graphics

(1)Common Graphics: Modify

c.\\Dallas\Applications\Quark Express\Templates

(1)Templates: Modify

|17|3.Combining Share and NTFS Security

|18|A.Evaluating effective permissions

1.Evaluate share permissions.

2.Evaluate NTFS permissions.

3.Determine the most restrictive permissions.

B.Designing effective permissions

1.Designate either share permissions or NTFS permissions as the primary permissions.

2.Define a more granular level of security by designating the effective security through NTFS permissions.

3.Evaluate all folders below a shared folder to determine the highest level of permissions that a security group will require, and set the share permissions at that level.

|19|C.Understanding default share permissions

1.Full Control is assigned to the Everyone group by default.

2.Default share permissions should be modified if NTFS permissions are not monitored.

3.Full Control permissions include three additional abilities over the Modify permission.

a.Delete subfolders and files, even those you have no explicit permission to delete

b.Take ownership of a file

c.Change permissions of a file

4.Full Control permissions are restricted to network administrators.

5.An effective set of default permissions for a shared folder is

a.Administrators: Full Control

b.Users: Change

c.If users require only Read access to a folder, change the Users permissions to Read rather than using Change.

6.Change permissions

a.Allow users to create, read, delete, and modify any files in the share.

b.Users cannot redefine security settings within the folder.

|20|D.Making the decision: combining share and NTFS permissions

1.Set share permissions at the highest level of permissions required for the tree below.

a.Share permissions should not provide excess privileges to a security principal.

2.Use NTFS permissions to define precise access control.

a.NTFS permissions allow protection of both files and folders.

b.Share permissions should be considered only as an entry point to the file system.

3.Always use the NTFS file system for data.

a.If NTFS is not used as the file system, the only option is to use share permissions.

b.Share permissions alone cannot define more specific security for individual files and subfolders.

4.Evaluate whether Full Control permission is appropriate.

a.Full Control allows security principals to redefine security for a resource.

b.Assign Full Control permissions only to administrators.

c.Never assign permissions greater than Modify to non-administrators.
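The following model is an added example, not Microsoft's access-check code or anything from the training kit: it walks an NTFS DACL in the canonical order described in section 2.D (explicit before inherited, deny before allow, nearer inherited ACEs first) and combines the share result with the NTFS result so that the more restrictive one wins, as in section 3. The Dallas share and folder ACLs are the ones the outline assigns; the token group sets for Lisa and Stefan and the extra deny ACEs in `demo()` are constructed assumptions.

```python
"""Added model of Windows 2000 access evaluation (not Microsoft's code): how the
NTFS DACL is walked in canonical order and how share and NTFS permissions combine
into effective access. Group memberships for the Wide World Importers users are
constructed assumptions; the outline names the groups but not every membership."""
from dataclasses import dataclass

# Named special permissions, grouped (a simplified subset of the 14 NTFS special permissions).
READ   = frozenset({"Traverse", "ReadData", "ReadAttributes", "ReadPermissions"})
WRITE  = frozenset({"WriteData", "AppendData", "WriteAttributes"})
DELETE = frozenset({"Delete"})
OWNER  = frozenset({"DeleteSubfoldersAndFiles", "ChangePermissions", "TakeOwnership"})

# Predefined permissions as compilations of special permissions.
NTFS  = {"Read & Execute": READ, "Modify": READ | WRITE | DELETE,
         "Full Control": READ | WRITE | DELETE | OWNER}
SHARE = {"Read": READ, "Change": READ | WRITE | DELETE,
         "Full Control": READ | WRITE | DELETE | OWNER}


@dataclass(frozen=True)
class ACE:
    principal: str
    allow: bool
    rights: frozenset
    distance: int = 0   # 0 = explicit on the object; n = inherited from n levels up


def canonical_order(acl):
    """Explicit ACEs before inherited ones, deny before allow within each group,
    and nearer inherited ACEs before farther ones (the stable sort keeps the rest)."""
    return sorted(acl, key=lambda a: (a.distance, a.allow))


def access_check(acl, groups, wanted):
    """Walk the DACL in canonical order. A deny ACE that covers any still-ungranted
    requested right fails the check; an allow ACE removes rights from the request."""
    remaining = set(wanted)
    for ace in canonical_order(acl):
        if ace.principal not in groups:
            continue
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
    return False            # nothing granted everything that was asked for


def inherited_acl(chain):
    """chain[0] is the folder's own explicit ACL, chain[1] its parent's, and so on."""
    return [ACE(a.principal, a.allow, a.rights, distance=d)
            for d, acl in enumerate(chain) for a in acl]


def effective_access(share_acl, chain, groups, wanted):
    """Share and NTFS are evaluated separately; the more restrictive result wins."""
    return (access_check(share_acl, groups, wanted)
            and access_check(inherited_acl(chain), groups, wanted))


# Dallas design from the outline: share ACL and NTFS ACLs per folder.
DALLAS_SHARE = [ACE("Administrators", True, SHARE["Full Control"]),
                ACE("Graphics Users", True, SHARE["Change"]),
                ACE("Graphics Admins", True, SHARE["Change"])]
APPLICATIONS = [ACE("Administrators", True, NTFS["Full Control"]),
                ACE("Graphics", True, NTFS["Read & Execute"])]
COMMON_GRAPHICS = [ACE("Common Graphics", True, NTFS["Modify"])]
TEMPLATES = [ACE("Templates", True, NTFS["Modify"])]

# Constructed token groups (assumption): Lisa is in Common Graphics, Stefan in Template Admins.
LISA   = {"Graphics Users", "Graphics", "Graphics Admins", "Common Graphics"}
STEFAN = {"Graphics Users", "Graphics", "Graphics Admins", "Template Admins", "Templates"}


def demo():
    read_only_share = [ACE("Graphics Admins", True, SHARE["Read"])]
    # Constructed: an explicit deny on the Templates folder, and an inherited deny
    # from the parent, to show explicit-before-inherited and deny-before-allow.
    templates_locked = TEMPLATES + [ACE("Template Admins", False, WRITE)]
    parent_denies_write = APPLICATIONS + [ACE("Graphics Admins", False, WRITE)]
    return {
        "lisa writes Common Graphics": effective_access(DALLAS_SHARE, [COMMON_GRAPHICS, APPLICATIONS], LISA, WRITE),
        "lisa writes Applications root": effective_access(DALLAS_SHARE, [APPLICATIONS], LISA, WRITE),
        "stefan writes Common Graphics": effective_access(DALLAS_SHARE, [COMMON_GRAPHICS, APPLICATIONS], STEFAN, WRITE),
        "stefan reads Common Graphics": effective_access(DALLAS_SHARE, [COMMON_GRAPHICS, APPLICATIONS], STEFAN, READ),
        "share ceiling blocks NTFS Modify": effective_access(read_only_share, [COMMON_GRAPHICS, APPLICATIONS], LISA, WRITE),
        "explicit deny beats explicit allow": effective_access(DALLAS_SHARE, [templates_locked, APPLICATIONS], STEFAN, WRITE),
        "explicit allow beats inherited deny": effective_access(DALLAS_SHARE, [TEMPLATES, parent_denies_write], STEFAN, WRITE),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The "share ceiling" case is the point of section 3.D.1: Lisa holds Modify through NTFS on Common Graphics, but a Read share permission caps her effective access at Read. The last two cases show why the outline insists on the ACE evaluation order: an explicit deny on the folder stops Stefan even though an explicit allow grants Modify, while an explicit allow on the folder overrides a deny inherited from the parent.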

|21|E.Applying the decision: Combining share and NTFS permissions for Wide World Importers

1.Review of initial share and NTFS permissions

a.The Washington and Dallas share and NTFS permissions do not assign excess permissions.

b.Share permission can remain set at the default.

c.Default share permissions could result in excess permissions if any of the NTFS permissions are applied incorrectly.

|22|2.Documenting initial permission assignments

a.Assists with troubleshooting problems

b.Documentation should include

(1)All folders where permissions are assigned

(2)Details on group membership

(3)Rationale for each permission assignment

Chapter 6, Lesson 2

|23|Securing Access to Print Resources

|24|1.Introduction

A.Determine who is allowed to print to a particular printer.

B.Determine the security of data as it is transmitted to the printer.

C.Protect traffic to restricted printers, such as check printers.

D.Prevent users from printing sensitive or confidential material to public printers.

|25|2.Assessing Printer Security

A.Printer permissions

1.Print

a.Can submit print jobs to a printer and have the printer process the jobs

2.Manage documents

a.Can change document order and pause or delete documents in the print queue

b.Allows users to manage their own print jobs

c.Assigned to the Creator Owner group by default

3.Manage printers

a.Can share a printer and change the printer’s properties

B.Physical security

1.When printer output security is important

a.Put print devices in a secure location.

b.Use security cards or biometric input to access the device.

|26|C.Protecting print resources

1.Use IPSec to protect data transmitted to the print server.

2.Define IPSec policies that require IPSec for any data transmissions.

3.IPSec cannot be used to print to a physical print device directly attached to the network.

4.The print device must be locally attached to the print server to ensure end-to-end security.

|27|3.Making the Decision: Ensuring Printer Security

A.To restrict access to the printer to specific groups of users

1.Change the default permissions so that only the domain local group holds the Print permission.

2.Place users in a global group that is a member of the domain local group.

B.To delegate administration of a printer

1.Make the security principal a member of the Print Operators group.

2.Assign the Manage Printers permissions to the security principal if delegation is to be restricted to a specific printer.

C.To prevent inspection of print jobs

1.Put printers that print confidential data in restricted areas.

2.Attach the printers directly to the print server.

3.Use IPSec between the clients and the print server.

a.Network-attached printers cannot use IPSec.

|28|4.Applying the Decision: Printer Security for Wide World Importers

A.Change the default share permissions to limit usage to the Graphics department.

B.Data transmissions to the film printer do not need to be protected.

Chapter 6, Lesson 3

|29|Planning EFS Security

|30|1.Introduction

A.EFS secures files that are stored locally.

B.EFS protects only the data stored on an NTFS partition.

C.EFS does not provide network transport security.

D.EFS planning should include a plan to restore data in the event that recovery keys are lost.

E.Poor EFS planning can result in the permanent loss of data.

|31|2.Overview of the EFS Process

A.Understanding the EFS encryption process

1.Knowing how the EFS process encrypts data helps to determine

a.Which user has encrypted a file using EFS

b.Who can recover an EFS encrypted file

2.Users enable the Encrypt Contents To Secure Data attribute for a file or folder.

3.Administrators can encrypt all contents of specific folders to ensure the security of confidential data.

|32|B.Encrypting EFS data

1.A File Encryption Key is generated for each file to be encrypted.

a.The File Encryption Key is used to encrypt the plaintext document into ciphertext.

b.The encrypted document has two additional header fields: the Data Decryption Field (DDF) and the Data Recovery Field (DRF).

2.The File Encryption Key is encrypted with the user’s EFS Encryption public key.

a.Only the user who holds the matching EFS Encryption private key can decrypt the File Encryption Key.

b.The encrypted File Encryption Key is stored in the DDF.

c.EFS encrypted files cannot be shared between users.

3.The File Encryption Key is encrypted with the EFS recovery agent’s EFS Recovery public key.

a.Only the user who holds the matching EFS Recovery private key can decrypt the File Encryption Key.

b.The File Encryption Key is encrypted and stored in the DRF.

c.When more than one EFS recovery agent is defined, multiple DRFs are associated with a file.

d.The File Encryption Key is encrypted once for each EFS recovery agent.

e.Each recovery agent can decrypt only the DRF that was encrypted with his own EFS Recovery public key.

|33|C.Decrypting EFS data

1.Original user

a.The user’s EFS Encryption private key is used to decrypt the File Encryption Key stored in the DDF.

b.The File Encryption Key is used to decrypt the encrypted document.

c.The user sees no difference in behavior when opening an encrypted or nonencrypted file.

2.EFS recovery agent

a.The EFS Recovery private key of the EFS recovery agent is used to decrypt the File Encryption Key stored in the DRF.

b.The File Encryption Key is then used to decrypt the encrypted document.
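The envelope structure described in sections 2.B and 2.C, as an added model that is not Microsoft's EFS implementation: a fresh File Encryption Key per file, one DDF wrapped with the owner's public key, and one DRF per recovery agent wrapped with that agent's public key, so that the owner or any agent, but nobody else, can recover the FEK. It also refuses to encrypt when the recovery agent list is empty, which is the behaviour section 3.D describes for an empty Encrypted Data Recovery Agent policy. The small textbook RSA and the SHA-256 keystream are stand-ins for the real EFS primitives, and every name and key is constructed.

```python
"""Added model of the EFS envelope (not Microsoft's code): one File Encryption Key
(FEK) per file, wrapped once for the owner (DDF) and once per recovery agent (DRF).
The wrap uses a small textbook RSA and the bulk cipher a SHA-256 keystream, both
stand-ins for the real EFS primitives; all names and keys below are constructed."""
import hashlib
import os
import random
from dataclasses import dataclass

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test (toy key-generation helper)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Returns ((n, e), (n, d)). 512-bit keys keep the demo fast; not for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _wrap(fek, public_key):
    n, e = public_key
    return pow(int.from_bytes(fek, "big"), e, n)


def _unwrap(wrapped, private_key):
    n, d = private_key
    value = pow(wrapped, d, n)
    if value >= 1 << 128:       # a mismatched private key yields a random value far above 2^128
        raise PermissionError("private key does not match the wrapped FEK")
    return value.to_bytes(16, "big")


def _keystream_xor(key, data):
    """Symmetric stand-in for the EFS bulk cipher: XOR with SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: tuple   # (owner, FEK wrapped with the owner's EFS Encryption public key)
    drf: dict    # recovery agent -> FEK wrapped with that agent's EFS Recovery public key


def efs_encrypt(plaintext, owner, owner_public, recovery_agents):
    """recovery_agents maps agent name -> public key (the Encrypted Data Recovery
    Agent policy). An empty policy refuses to encrypt, as the outline describes."""
    if not recovery_agents:
        raise PermissionError("empty Encrypted Data Recovery Agent policy; encryption refused")
    fek = os.urandom(16)                       # fresh FEK for every file
    return EncryptedFile(
        ciphertext=_keystream_xor(fek, plaintext),
        ddf=(owner, _wrap(fek, owner_public)),
        drf={agent: _wrap(fek, public) for agent, public in recovery_agents.items()},
    )


def efs_decrypt(encrypted, principal, private_key):
    """The owner unwraps the FEK from the DDF, a recovery agent from its own DRF;
    anyone else has no field to unwrap and gets nothing."""
    if encrypted.ddf[0] == principal:
        wrapped = encrypted.ddf[1]
    elif principal in encrypted.drf:
        wrapped = encrypted.drf[principal]
    else:
        raise PermissionError(f"{principal} holds neither a DDF nor a DRF for this file")
    return _keystream_xor(_unwrap(wrapped, private_key), encrypted.ciphertext)
```

Two things the model makes visible that the outline only states: the file body is encrypted once, whatever the number of agents (only the 16-byte FEK is wrapped repeatedly), and losing a private key loses access to that field only, so a file with two DRFs survives the loss of one agent's key, which is the case section 3 makes for exporting the initial recovery agent's key.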

|34|3.Designating an EFS Recovery Agent

A.Introduction

1.If an EFS recovery agent is not defined, EFS recovery attempts might fail.

a.Select the account that will be the EFS recovery agent.

b.Define the public/private key pair that will be used by the EFS process.

|35|B.The initial EFS recovery agent

1.When the computer is not a domain member

a.The initial Administrator account is configured as the EFS recovery agent by default.

(1)The initial Administrator account might or might not be named Administrator.

(2)The account name depends on the name provided during setup for the initial account at the member server or workstation.

b.The EFS Recovery certificate is a self-issued certificate created by the OS.

|36|2.When the computer is a domain member

a.The Default Domain Policy configures the domain Administrator account as the EFS recovery agent.

b.The public key for EFS encryption is the public key associated with the Administrator account of the first DC that was installed into the domain.

c.This DC’s former Security Accounts Manager (SAM) database is used to initially populate the domain.

d.The Administrator’s EFS Recovery certificate is reconfigured as the EFS recovery agent in the Default Domain Policy.

e.The initial DC in the domain is the only computer that has the associated private key.

f.If the private key is lost, EFS encrypted files cannot be recovered.

g.To prevent the private key from being lost

(1)Export the private key to a safe location.

(2)Configure the Administrator account to have a roaming profile, and then populate the roaming profile with the contents of the Administrator’s profile from the initial DC.

h.The private key is stored in the local user profile in secured storage.

i.The information stored in the user profile is shared between multiple computers only when a roaming profile is configured.

|37|C.Configuring a custom EFS recovery agent

1.Define a new account as the EFS recovery agent.

a.The new EFS recovery agent account requires an EFS Recovery certificate but does not have to be a member of the domain Administrators group.

b.The certificate template is available from a Windows 2000 Enterprise Certification Authority (CA).

2.Import the EFS Recovery certificate into the Default Domain Policy as the domain’s Encrypted Data recovery agent.

3.The imported public key is used to encrypt the File Encryption Key stored in the DRF.

4.Multiple EFS Recovery certificates can be imported into Group Policy to create multiple EFS recovery agents.

|38|D.Configuring an empty Encrypted Data Recovery Agent policy

1.Prevent EFS encryption on the network by deleting all current EFS recovery agent certificates in the Encrypted Data Recovery Agent policy.

2.EFS encryption is not possible without defining Encrypted Data recovery agents.

3.An empty policy exists when no recovery agents are included in the Encrypted Data Recovery Agent policy.

4.The empty policy exists and is applied, but no values are assigned from it.

5.The creation of an empty policy ensures that local policy does not take precedence.

|39|E.Making the decision: planning EFS recovery agents

1.To ensure that all EFS encrypted files in a domain can be recovered

a.Define an Encrypted Data Recovery Agent in the Default Domain Policy.