sign in sign up
<<
Home , Encrypting File System

LAB 1 CONFIGURING DISK AND FILE

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 1.1 Encrypting Files with EFS

Exercise 1.2 Configuring the EFS Recovery Agent

Exercise 1.3 Encrypting a Volume with BitLocker

Lab Challenge Backing Up and Restoring EFS Certificates

BEFORE YOU BEGIN The lab environment consists of student workstations connected to a local area network, along with a that functions as the domain controller for a domain called adatum.com. The computers required for this lab are listedCOPYRIGHTED in Table 1-1. MATERIAL Table 1-1 Computers required for Lab 1

Computer Computer Name Server (VM 1) LON-DC1 Server (VM 2) Windows Server 2016 LON-SVR1 Server (VM 3) Windows Server 2016 LON-SVR2

In addition to the computers, you will also require the software listed in Table 1-2 to complete Lab 1.

1

744_Lab01_WS.indd 1 7/26/18 3:58 PM 2 70-744: Securing Windows Server 2016

Table 1-2 Software required for Lab 1

Software Location Lab 1 student worksheet Lab01_worksheet.docx (provided by instructor)

Working with Lab Worksheets Each lab in this manual requires that you answer questions, shoot screen shots, and perform other activities that you will document in a worksheet named for the lab, such as Lab01_worksheet.docx. You will these worksheets on the book companion site. It is recommended that you use a USB flash drive to store your worksheets, so you can submit them to your instructor for review. As you perform the exercises in each lab, open the appropriate worksheet file using Word, fill in the required information, and then save the file to your flash drive.

SCENARIO After completing this lab, you will be able to:

■■ Encrypt files with EFS

■■ Configure the EFS Recovery Agent

■■ Encrypt a volume with BitLocker

■■ EFS certificates

Estimated lab : 100 minutes

Exercise 1.1 Encrypting Files with EFS Overview For files that are extremely sensitive, you can use Encrypting (EFS) to encrypt the files. In this exercise, you will encrypt a file using Encrypting File System (EFS), which is a built-in feature of NTFS. Mindset Encryption is a way to add an additional layer of security. If a laptop is stolen and the hard drive is put into another system where the thief or hacker is an administrator, the files could not be read without the proper key. To encrypt individual documents, you can use EFS. Completion time 50 minutes

ENCRYPTING FILES WITH EFS

1. Log in to LON-SVR1 as the adatum\administrator user account with the password Pa$$w0rd. The Server Manager console opens.

2. On LON-SVR1, create a C:\Data folder.

744_Lab01_WS.indd 2 7/26/18 3:58 PM Lab 1: Configuring Disk and File Encryption 3

3. Create a text file in the C:\Data folder named test.txt file. Open the text file, your name in the file, close the file, then click Save to save the changes.

4. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.

5. On the General tab, click Advanced. The Advanced Attributes dialog box appears, as shown in Figure 1-1.

Figure 1-1 Configuring advanced attributes

6. Select the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.

7. Click OK to close the Properties dialog box.

8. When Windows prompts you to confirm the changes, click OK.

Question Which icon is used for the Data folder? 1

Question Which icon is used for the test.txt file? 2

9. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.

10. Under the General tab, click Advanced. The Advanced Attributes dialog box opens.

11. Clear the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.

12. Click OK to close the Properties dialog box.

13. When you are prompted to confirm attribute changes, click OK.

744_Lab01_WS.indd 3 7/26/18 3:58 PM 4 70-744: Securing Windows Server 2016

SHARING FILES PROTECTED WITH EFS WITH OTHER USERS

1. Log in to LON-DC1 as adatum\administrator with the password of Pa$$w0rd. Server Manager starts.

2. In Server Manager, click Tools > Users and Computers. The Active Directory Users and Computers console opens.

3. Right-click the Users node and choose New > User.

4. Create a new user with the following parameters:

First Name: User1

User logon name: User1

Click Next.

5. In the Password and Confirm password text boxes, type Pa$$w0rd. Click to select Password never expires. When an Active Directory Domain Services dialog box appears, click OK. Click Next.

6. When the user is ready to be created, click Finish.

7. Under the Users node, double-click User1. The User1 Properties dialog box opens.

8. Click the Member Of tab.

9. Click the Add button. In the Select Groups dialog box, type domain admins and then click OK.

10. Click OK to close the User1 Properties dialog box.

11. On LON-SVR1, right-click the Data folder and choose Properties.

12. In the Data Properties dialog box, click the Security tab.

13. Click the Edit button.

14. In the Permissions for Data dialog box, click the Add button.

15. In the Select Users, Computers, Sevice Accounts, or Groups dialog box, in the Enter the object names to select text box, type User1 and then click OK.

16. Select User1 and then clicAllow Full control.

17. Click OK twice .

18. On LON-SVR1, sign out as administrator.

19. On LON-SVR1, log in as adatum\User1 with the password of Pa$$w0rd.

744_Lab01_WS.indd 4 7/26/18 3:58 PM Lab 1: Configuring Disk and File Encryption 5

20. Open the C:\Data folder, right-click the test.txt file and choose Properties.

21. On the General tab, click Advanced. The Advanced Attributes dialog box opens.

22. Click the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box. Click OK to close the Properties dialog box.

23. When you are prompted to confirm that you want to encrypt the file and its parent folder, click OK.

24. If an Access Denied message appears, click Ignore, click Continue, click OK, and then click Ignore. Click OK. If an Access Denied message appears again, click Ignore All. Upon comple- tion of this step, the test.txt file should odisplay a lock icon.

25. On LON-SVR1, log out as User1 and log in as adatum\administrator with the password of Pa$$w0rd.

26. Open the C:\Data folder.

27. Double-click the Test.txt file.

Question Which error message is displayed? 3

28. Click OK to close the message and then close Word.

29. Right-click the test.txt file and choose Properties.

30. Click the Security tab.

Question Which permissions does the Administrator have? 4

Question Why was the adatum\administrator not able to open the file? 5

31. On the General tab, click the Advanced button, clear the Encrypt check box, and then click OK.

32. Click OK to close the text.txt Properties dialog box.

Question Were you able to decrypt the file? 6

33. In the Error Applying Attributes dialog box, click Cancel.

34. On LON-SVR1, log off as Administrator and log in as User1 with the password of Pa$$w0rd.

35. Open the C:\Data folder.

744_Lab01_WS.indd 5 7/26/18 3:58 PM 6 70-744: Securing Windows Server 2016

36. Right-click the test.txt file and choose Properties. The Properties dialog box displays.

37. Click the Advanced button to open the Advanced Attributes dialog box.

38. Clear the Encrypt contents to secure data check box and then click OK.

39. Click OK to close the Properties dialog box. If you are prompted to provide administrator permission to change these attributes, click Continue. If a message displays indicating an error occurred applying attributes to the file, click Ignore.

40. Log off as User1 and log in as adatum\administrator with the password of Pa$$w0rd.

41. Open the C:\Data folder.

42. Right-click the Test.txt file and choose Properties.

43. Click the Advanced button to open the Advanced Attributes dialog box.

44. Click the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.

45. Click OK to close the Properties dialog box. When it you are prompted to confirm that you want to apply these changes to the folder and its contents, click OK.

46. Right-click the test.txt file and choose Properties. Click the Advanced button to open the Advanced Attributes dialog box.

47. Click the Details button. The User Access to test.txt dialog box displays.

48. Click the Add button. In the Encrypting File System dialog box, click User1 and then click View Certificate.

49. In the Certificate dialog box, click the Details tab.

Question What is the Certificate used for? Hint: Look the Enhanced Key 7 Usage field.

50. Click OK to close the Certificates dialog box.

51. Click OK to close the Encrypting File System dialog box.

Question Looking at the User Access to test.txt dialog box, who has a 8 Recovery Certificate?

52. Take a screen shot of the User Access to test.txt dialog box by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[ screen shot over this text]

744_Lab01_WS.indd 6 7/26/18 3:58 PM Lab 1: Configuring Disk and File Encryption 7

53. Click OK to close the User Access to test.txt dialog box, click OK to close Advanced Attributes dialog box, and then click OK to close test Properties box.

54. On LON-SVR1, log off as Administrator and log in as User1.

55. Open the C:\Data folder and double-click the test.txt file.

Question Did the file open? 9

56. Close the test.txt file.

57. On LON-SVR1, log off as User1.

End of exercise. Remain logged in to LON-DC1.

Exercise 1.2 Configuring the EFS Recovery Agent Overview In this exercise, you will configure EFS Recovery Agents so that you can EFS encrypted files although the agent is not the owner of the file. Mindset When an employee leaves the company, that employee’s files might be encrypted, which means they are unreadable to any other user. Using an EFS recovery agent, you can recover those files and make them available to the user or users who have replaced the departed user. Completion time 10 minutes

1. On LON-DC1, click the button and then click the Windows PowerShell tile.

2. For the lab environment, in the Windows PowerShell window, execute the following commands:

Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

3. In Server Manager, click Tools > Certification Authority.

4. Right-click AdatumCA and choose All Tasks > Stop Service.

5. Right-click AdatumCA and choose All Tasks > Start Service.

6. Close Certificate Authority.

7. On LON-DC1, log off as adatum\administrator and log in as adatum\user1 with the password of Pa$$w0rd. Server Manager opens.

8. In Server Manager, click Tools > Management. The Group Policy Management console opens.

9. In the Group Policy Management console, expand the Domains node and then expand Adatum.com.

744_Lab01_WS.indd 7 7/26/18 3:58 PM 8 70-744: Securing Windows Server 2016

10. Right-click the Default Domain Policy and choose Edit.

11. In the Group Policy Management Editor window, expand Computer Configuration\Policies\ Windows \Security Settings\Public Key Policies\ (see Figure 1-2).

Figure 1-2 Opening the GPO public key policies

12. Click, then right-click Encrypting File System and choose Create Data Recovery Agent.

13. Click the Encrypting File System node. Take a screen shot of the Group Policy Management Editor by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

14. On LON-DC1, log off as adatum\User1.

Question What is needed for a user to become a data recovery agent? 10

End of exercise.

744_Lab01_WS.indd 8 7/26/18 3:58 PM Lab 1: Configuring Disk and File Encryption 9

Exercise 1.3 Encrypting a Volume with BitLocker Overview In this exercise, you will create a new volume and then use BitLocker to encrypt the entire volume. Mindset EFS will encrypt only individual files; BitLocker can encrypt an entire volume. Therefore, if you want to encrypt an entire drive on a laptop, you can use BitLocker. Completion time 20 minutes

1. Log in to LON-SVR2 as the adatum\administrator user account.

2. If Server Manager does not open, open Server Manager..

3. In Server Manager, click Manage > Add Roles and Features. The Add Roles and Feature Wizard opens.

4. On the Before you begin page, click Next.

5. Select Role-based or feature-based installation and then click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, click Next.

8. On the Select features page, select BitLocker Drive Encryption.

9. In the Add Roles and Features Wizard dialog box, click Add Features.

10. On the Select Features page, click Next.

11. On the Confirm installation selections page, click Install.

12. When BitLocker is installed, click Close.

13. Restart the LON-SVR2.

14. Click the Start button and then click the tile.

15. Click System and Security > BitLocker Drive Encryption. The BitLocker Drive Encryption window opens, as shown in Figure 1-3.

16. Click the down arrow next to the D drive. Then click Turn on BitLocker. A BitLocker Drive Encryption (D:) window opens.

17. On the Choose how you want to unlock this drive page, click to select the Use a password to unlock the drive. Type a password of Pa$$w0rd in the Enter your password text box and the Reenter your password text box. Click Next.

744_Lab01_WS.indd 9 7/26/18 3:58 PM 10 70-744: Securing Windows Server 2016

Figure 1-3 Opening the BitLocker settings

Question With a laptop, which chip is used to create cryptographic keys and 11 encrypt them so that they can only be decrypted by the chip?

18. On the How do you want to back up your recovery key? page, click Save to a file.

19. In the Save BitLocker recovery key as dialog box, type \\LON-DC1\Software\ before BitLocker Recovery Key .txt and then click Save. Click Next.

20. On the Choose which encryption mode to use page, answer the following question and then click Next.

Question By default, which encryption mode is selected? 12

21. On the Are you ready to encrypt this drive? page, click Start encrypting.

22. When the drive is encrypted, take a screen shot of the BitLocker window by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

23. Close the BitLocker Drive Encryption window. If you’re prompted to the disk, click Cancel.

End of exercise.

744_Lab01_WS.indd 10 7/26/18 3:58 PM Lab 1: Configuring Disk and File Encryption 11

Lab Challenge Backing Up and Restoring EFS Certificates Overview In this Lab Challenge, you will back up an EFS certificate that you will later restore after you delete the certificate. Mindset You administer a standalone computer that failed and had to be rebuilt. The computer included files that were encrypted with EFS. Fortunately, you backed up the files to a removable drive. After you rebuilt the computer, you copied the files from the removable drive. Although you are using the same username and password that you used before, you cannot open the files because they are encrypted. Unfortunately, there is not much you can do unless you have the EFS certificates with the correct keys to decipher the documents. Therefore, it is important that you always have a backup of the EFS certificates in case the system needs to be replaced. Completion time 20 minutes

BACKING UP THE EFS CERTIFICATES

1. Log in to LON-SVR1 as adatum\administrator. Server Manager opens.

2. Click the Start button and then click Windows PowerShell.

3. From the Windows PowerShell prompt, execute the certmgr.msc command. The certmgr con- sole opens.

4. In the left pane, double-click Personal and then click Certificates.

5. In the main pane, right-click the certificate that lists Encrypting File System under Intended Purposes and choose All Tasks. Click Export.

6. In the Certificate Export Wizard, click Next.

7. On the Export Private Key page, click Yes, export the private key and then click Next.

8. On the Export File Format page, click Next.

9. On the Security page, click the Password check box and, in the Password and Confirm password text boxes, type the Pa$$w0rd. Click Next.

Question What is the difference between the cer format and the pfx format 13 when backing up digital certificates?

10. On the File to Export page, in the File name text box, type C:\Cert.pfx. Click Next.

11. Take a screen shot of the Completing the Certificate Export Wizard by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

744_Lab01_WS.indd 11 7/26/18 3:58 PM 12 70-744: Securing Windows Server 2016

12. When the wizard is complete, click Finish.

13. When the export is successful, click OK.

RESTORING THE EFS CERTIFICATE

1. Right-click the Administrator certificate and choose Delete. When you are prompted to confirm that you want to delete the certificate, read the warning and then click Yes.

2. Right-click Certificates and choose All Tasks > Import.

3. When the Certificate Import Wizard starts, click Next.

4. On the File to Import page, type c:\cert.pfx, and then click Next.

5. If you are prompted to provide a password, type Pa$$w0rd in the Password text box and then click Next.

6. On the Certificate Store page, click Next.

7. On the Completing the Certificate Import Wizard page, click Finish.

8. When the import is successful, click OK.

9. Take a screen shot of the Certificates console by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

10. Close Certificate Manager and then close the Command Prompt.

End of lab.

744_Lab01_WS.indd 12 7/26/18 3:58 PM