Encryption Overview: Full Disk Encryption (FDE) File/Folder


Encryption Overview

Encryption is a method used to protect information from unauthorized users. The data is converted from a readable format to an unreadable format called ciphertext. Even if an unauthorized user obtains a copy of this ciphertext, they will not be able to convert it back to a readable format. Only authorized users with knowledge of the relevant key (e.g. a password) are able to convert it back. This document details various encryption techniques and tools used to protect data at rest (e.g. files stored on a computer) as well as data in transit (e.g. an email), and which is best suited for different use cases.

Full Disk Encryption (FDE)

Full disk encryption (FDE), also known as whole disk encryption, protects all data stored on a hard drive, including the computer's operating system. Access to the disk is permitted after a successful authentication with a username and/or password. Once this one-time authentication at login is completed, any file the user wants to access is decrypted on the fly in memory and then presented to the user. This type of encryption provides good protection for lost and stolen devices, since the entire disk remains encrypted until an authorized user provides the password/key to decrypt it. But once the user is logged in to the system, any file can be accessed without repeated authentication. FDE also does not protect files once they are removed from the disk (e.g. by sending a file as an email attachment). FDE should be used along with file/folder encryption (explained in the next section) to effectively secure confidential data. Additionally, FDE tools can also encrypt USB flash drives.

Microsoft and Apple both include full disk encryption tools in their operating systems:

• Microsoft BitLocker — BitLocker is designed to run on the Windows 7 and 10 platforms.
• Apple FileVault 2 — FileVault 2 is designed to run on Mac OS X Lion or later.
• VeraCrypt — VeraCrypt is a free, open source disk encryption tool suitable for Windows, Mac OS X, and Linux.

File/Folder Encryption

File/folder encryption protects individual files or folders on a disk. Access is permitted to the file or folder once proper authentication is provided. Microsoft includes file/folder encryption in the Windows OS and in the MS Office tools. Various other software tools have built-in capabilities for encrypting files (e.g. Adobe Acrobat). Some of these tools are listed below:

• Microsoft Encrypting File System (EFS) — EFS uses standard cryptographic algorithms to encrypt and decrypt files and folders. Files stored on a shared computer can only be encrypted or decrypted by the user account that possesses the cryptographic key. This ensures that files on a shared computer can be protected from being viewed by other users. Note: EFS-encrypted files are decrypted when sent across a network, so sharing them this way is not secure.
• Microsoft Office Encryption — Microsoft Office includes built-in solutions for encrypting and protecting Office documents, workbooks, and presentations. Microsoft Office documents can be encrypted with a strong password, and this is suitable for sharing since the file remains encrypted while in transit. More information about Microsoft Office encryption is available here. Note: Microsoft Office applications prior to 2010 use password protection features that are not secure.
• 7-Zip — 7-Zip is open source software used to compress (zip) files, with an option for encryption. Files or folders encrypted with a strong password are suitable for sharing.
• Adobe Acrobat — Adobe Acrobat supports encrypting PDF files with a strong password and is suitable for secure sharing. Note: Adobe Acrobat prior to version 10.0 uses password protection features that are not secure.
• OpenOffice Suite — This MS Office alternative provides options to encrypt a file with a password. This article provides details on encrypting a file in the OpenOffice Writer and Calc tools. Alternatively, steps to password-encrypt and export a file in PDF format are given here.
• LibreOffice — This is another MS Office alternative which provides options to encrypt files with a password. This article provides more details on encrypting files.

Note: When sharing password-encrypted files, the password should be sent to the recipient separately from the file itself. Call, text, or IM the recipient to share the password.

Virtual Disk Encryption

Virtual disk encryption is the process of creating an encrypted container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. Once authenticated, the virtual disk is mounted and accessible. Virtual disk encryption is suitable for creating an encrypted container on your hard drive. Note: The files are encrypted only while they are stored in the container. Once they are moved out of the container (e.g. attached to an email), they are no longer encrypted.

• VeraCrypt — VeraCrypt is open-source virtual disk encryption software for creating encrypted containers for files and folders. A step-by-step guide is available here.

USB Flash Drives, Disks, CD/DVD Encryption

Software tools discussed in earlier sections, such as VeraCrypt, BitLocker, and FileVault, can encrypt the contents of removable media such as USB flash drives, memory cards, etc. Self-encrypting drives are also available, eliminating the need to install additional encryption software. Alternatively, individual files can be encrypted using tools like 7-Zip, Adobe Acrobat, or the MS Office suite and then moved to removable media. When unattended, removable media should be stored in a secured and locked location (e.g. cabinets, lock boxes, etc.) where access is limited to users on a need-to-know basis.

Mobile Device Encryption

It is NOT recommended to use a mobile device to store or transfer confidential data. Major mobile device vendors and operating systems such as Android and iOS support full device encryption. Make sure you are using some form of device lock (PIN, password, biometric) and that device encryption is enabled. Please visit the device manufacturer's website for more details on enabling the above security features.

Text, IM Encryption

It is recommended to use only trusted instant messaging platforms, e.g. Microsoft Teams/Skype, which provide encryption in transit.

Email Encryption

To send confidential data as an email attachment, it is recommended to use the built-in file encryption features available in Microsoft Office or other file encryption tools such as 7-Zip, and encrypt the file with a password. In this case only the attachment is encrypted; do not share any confidential data in the message body. The corresponding password can be shared via text message or a call.

Network Traffic

Sharing information over the network (e.g. uploading documents to a website, accessing a website, or taking a remote control session) can be done securely using encryption. A few recommendations:

• SSH should be used instead of Telnet for remote terminal sessions.
• While accessing internet sites or uploading files to trusted websites, make sure the communication is happening over the "HTTPS" protocol. This can be verified by clicking on the lock symbol that appears next to the address bar in most browsers; the URL in the address bar also starts with "https://". Note: Confidential data may only be uploaded and shared based on the classification of the data, and only with trusted and authorized parties and applications.
• Wireless Network Access: On "Open" and "Guest" wireless networks (e.g. free wireless provided by coffee shops) the data travels unencrypted over the air (from your device to the wireless access point), making it vulnerable to interception. It is recommended to use Northeastern's VPN to encrypt and secure all communication when you are connected to such unsecured networks.

VPN

A Virtual Private Network (VPN) provides secure and encrypted access to Northeastern resources from a remote computer (e.g. from home or from a coffee shop wireless network). Northeastern uses Palo Alto GlobalProtect software as the VPN client. More information on VPN is available here, and the guide to install the VPN client is available here.

Quick Reference Guide

1. Scenario: I want to email an Excel sheet with sensitive data (e.g. SSN, tax details) to internal or external parties.
   Recommended action: Encrypt the file: open the MS Excel file > go to the "File" tab > Info > select "Protect Workbook" > input a one-time-use password (different from all other accounts). Share the password with the individual receiver through IM (MS Teams) or text/call.
2. Scenario: I want to email multiple documents with sensitive data, but I don't want to individually encrypt the files.
   Recommended action: Download and install the 7-Zip tool. Copy the files to a folder. Encrypt the folder using 7-Zip. Follow this guide. Share the password through IM (MS Teams) or text/call.
3. Scenario: I have to share confidential research data of large size with my team member.
   Recommended action: First, archive and encrypt with a password using tools such as 7-Zip. Use OneDrive to securely upload the data and share only with the team member. You can also use any removable storage media to transfer the encrypted data. Share the password using a different channel (text/call/IM).
4. Scenario: Can I use OneDrive to securely share files with internal users?
   Recommended action: Yes. Follow this guide. Please note that once the file is downloaded it is not encrypted. For "High Risk" and "Medium Risk" data, use one of the file/folder encryption tools (e.g. 7-Zip) and then upload to OneDrive for sharing.
5. Scenario: I want to access NUnet resources from my laptop/phone while I am travelling.
   Recommended action: Make sure you are using the GlobalProtect VPN to connect to NUnet network resources.
6. Scenario: I often work on confidential documents which are stored on my laptop in different
   Recommended action: Use BitLocker (Windows) or FileVault 2 (Mac OS) to enable full-disk encryption on your laptop.
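The Quick Reference Guide tells senders to encrypt an attachment before emailing it. As an added example that is not part of this guide or of any vendor's software, the following Python check inspects an attachment's bytes and reports whether it is actually password-encrypted (Office 2007+ documents, ZIP archives such as those produced by 7-Zip, and PDFs); the sample files, function names and result labels are constructed for this example.

```python
"""Attachment pre-flight check: is this file really password-encrypted?

Format facts used (heuristics, not full parsers):
- An unencrypted OOXML Office file (.docx/.xlsx/.pptx) is a ZIP container. Office's
  "Encrypt with Password" instead writes an OLE compound file (CFB, magic
  D0 CF 11 E0 A1 B1 1A E1) holding an "EncryptionInfo" stream.
- A ZIP archive marks each encrypted entry with bit 0 of its general-purpose flag;
  WinZip-style AES entries use compression method 99, any other encrypted entry is
  legacy ZipCrypto, which is known to be weak. The .7z container is not handled here.
- A password-encrypted PDF carries an /Encrypt key in its trailer dictionary.
"""
import io
import struct
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"
ZIP_AES_METHOD = 99


def office_is_encrypted(data: bytes) -> bool:
    # CFB directory entry names are UTF-16LE; searching for the stream name avoids a CFB parser.
    return data.startswith(CFB_MAGIC) and "EncryptionInfo".encode("utf-16-le") in data


def zip_encryption_summary(data: bytes):
    """Return (entry_names, encrypted_count, aes_count, total_count) for a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [zi for zi in infos if zi.flag_bits & 0x0001]
    aes = [zi for zi in encrypted if zi.compress_type == ZIP_AES_METHOD]
    return {zi.filename for zi in infos}, len(encrypted), len(aes), len(infos)


def pdf_is_encrypted(data: bytes) -> bool:
    # The trailer (or xref-stream dictionary) sits at the end of the file, so only the
    # tail is searched; a "/Encrypt" string inside page content elsewhere is ignored.
    return b"/Encrypt" in data[-4096:]


def classify_attachment(data: bytes):
    """Return (format_label, ok_to_send): ok_to_send is True only when the file is
    encrypted with a method this guide treats as acceptable."""
    if data.startswith(CFB_MAGIC):
        if office_is_encrypted(data):
            return "office-encrypted", True
        return "office-legacy-binary", False  # pre-2007 .doc/.xls: password features not secure
    if data.startswith(ZIP_MAGIC):
        names, enc, aes, total = zip_encryption_summary(data)
        if total == 0 or enc < total:
            label = "office-ooxml-unencrypted" if "[Content_Types].xml" in names else "zip-unencrypted"
            return label, False
        return ("zip-aes", True) if aes == total else ("zip-zipcrypto", False)
    if data.startswith(PDF_MAGIC):
        return ("pdf-encrypted", True) if pdf_is_encrypted(data) else ("pdf-plain", False)
    return "unknown", False


# ---- constructed fixtures standing in for real attachments (assumed, not from the guide) ----
def _mark_zip_encrypted(data: bytes, aes: bool) -> bytes:
    """Set the encryption flag (and method 99 for AES) in every local and central
    header of a plain ZIP so its headers look like those of an encrypted archive."""
    buf = bytearray(data)
    for sig, flag_off, method_off in ((b"PK\x03\x04", 6, 8), (b"PK\x01\x02", 8, 10)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_off] |= 0x01
            if aes:
                struct.pack_into("<H", buf, pos + method_off, ZIP_AES_METHOD)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_zip(entries: dict, encrypt: str = "none") -> bytes:
    """encrypt is 'none', 'aes' or 'zipcrypto'. Entries are stored uncompressed so the
    header signatures searched above cannot occur inside compressed payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    return data if encrypt == "none" else _mark_zip_encrypted(data, aes=(encrypt == "aes"))


FIXTURES = {
    "report.xlsx, unencrypted OOXML": build_zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"}),
    "report.xlsx, Office encrypted": CFB_MAGIC + b"\x00" * 504 + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 64,
    "bundle.zip, AES": build_zip({"ssn.csv": "id,ssn\n", "notes.txt": "-"}, "aes"),
    "bundle.zip, ZipCrypto": build_zip({"ssn.csv": "id,ssn\n"}, "zipcrypto"),
    "bundle.zip, no password": build_zip({"ssn.csv": "id,ssn\n"}),
    "form.pdf, plain": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n",
    "form.pdf, encrypted": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n<< /Size 3 /Root 1 0 R /Encrypt 2 0 R >>\nstartxref\n0\n%%EOF\n",
}

if __name__ == "__main__":
    for label, data in FIXTURES.items():
        fmt, ok = classify_attachment(data)
        print(f"{label:32} {fmt:26} {'OK to attach' if ok else 'ENCRYPT FIRST'}")
```

A "zip-zipcrypto" result is flagged as not OK to send even though the archive is encrypted, mirroring the guide's notes that older password-protection features are not secure.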