Basic Maintenance, Security, and Troubleshooting Encrypting Your Data The lecture notes described a scenario in which a user’s laptop is stolen and how easy it is to install another operating system on the machine in order to access all of the folders through the second operating system’s administrator account. So how does one protect from this type of intrusion? The answer is to encrypt your data. There are two ways. The first method is EFS or Encrypting File System. The Encrypting File System (EFS) is a feature of Windows that you can use to encrypt files and folders on your hard drive to provide a secure format of storage. EFS is a core file encryption technology used only on NTFS volumes. An encrypted file cannot be used unless the user has access to the keys required to decrypt the file. The files do not have to be manually encrypted or decrypted each time you use them. They will open and close just like any other file. Once EFS is enabled, the encryption is transparent to the user. Using EFS is similar to using permissions on NTFS files or folders. However, a user who gets physical access to encrypted files would still be unable to read them because they are stored in an encrypted form. EFS-enabled files cannot be accessed by the administrator of another operating system either, because the files are encrypted by a key that is singular to the operating system that encrypted them. To encrypt a file or folder, follow these steps. 1. Select the file or folder you want to encrypt. 2. Right-click the file or folder. 3. Choose Properties. 4. Click the Advanced button. For more information on EFS go to http://technet.microsoft.com/en-us/library/dd163562.aspx. BitLocker EFS has a major shortcoming: It encrypts only at the folder/file level. It doesn’t prevent your computer from booting up, though, and allowing someone to install a second operating system. In addition, the files are only encrypted as long as they reside on an NTFS partition. If someone manages to copy/paste them to a USB drive or some other non-NTFS drive, the encryption goes away. With the release of Windows 7, Microsoft introduced BitLocker. It was only included with Windows 7 Ultimate, and not with the Pro edition which is the most popular version for companies and organizations. Thankfully, Microsoft included this feature with the Pro version of Windows 8. BitLocker protects all of the drives on a computer in their entirety. BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card credentials, or keys. You can select which drives you want BitLocker to protect and which ones you want to be open. If you encrypt the system volume using BitLocker, the computer will not boot without the proper credentials to access the encryption. There are some prerequisites to using BitLocker to protect the system volume. It is best if your computer’s BIOS supports TPM. If your computer is TPM- compatible, BitLocker will prompt the user for a password or PIN – Personal Identification Number – like the PIN you type in for your ATM machine. If your computer isn’t TPM-compatible, then the computer will prompt you to insert a USB drive into the computer which contains the required key which would have been installed during the BitLocker configuration wizard. You will know if your computer is TPM- compatible when you try to configure BitLocker. If it isn’t, you will receive an alert like this one. So what happens if a user loses this USB stick or forgets his or her PIN? Well, the user can’t access his or her computer. For this reason, it is imperative to remember your PIN or keep track of your USB stick. A computer doesn’t need to be TPM-compliant to encrypt non-system volumes. These can be encrypted by a simple PIN or password. For more information on BitLocker, visit any or all of these links. http://windows.microsoft.com/en-us/windows-8/bitlocker#1TC=t1 http://www.techrepublic.com/blog/networking/configure-bitlocker-encryption-on-non-tpm-windows- systems/2248 http://www.eightforums.com/tutorials/21522-bitlocker-password-change-reset-windows-8-a.html Administrator and Guest Account When you install a Windows operating system, you are asked to create a password for the Administrator account. The administrator account has complete reign over the local computer. For this reason, it is critical that a complex password be configured. It is also important to change the name of the administrator account as well; after all, everyone familiar with the Windows operating system knows that the administrator account is called Administrator by default, so they are already halfway there in guessing what the administrative logon is. Use a fictitious first and last name, in the same format as your other user names. By default, the Windows operating system shows the username of the last user who logged on. This is out of convenience so the previous user needs only to type in the password. This is a possible security weakness, however, since someone can merely attempt to type in passwords to log on as the previous user. A security-minded network policy should prevent this from occurring. This can be implemented within the Windows registry. Go to http://support.microsoft.com/kb/114463 to learn how to accomplish this. The Windows operating system also comes with a default GUEST account. The Guest account allows users who do not have an account to log on as a guest. This account is disabled by default, and should remain disabled, but hiding the account by renaming it adds an additional layer of protection against unauthorized access just like the Administrator account. The screenshot below shows a Windows 7 machine. The down arrows beside the Administrator and Guest accounts indicate that these users are disabled. Windows Updates The second Tuesday of every month is known as “Patch Tuesday.” It is when Microsoft releases Windows updates for all of its various operating systems for workstations and servers. Applying the latest Microsoft Windows updates and keeping your Windows PC up-to-date is always a good idea and is especially important if you use the Internet. There are different kinds of updates. Security updates, also known as critical updates, protect against vulnerabilities to malware or security exploits. Attackers wanting to break into systems can exploit such vulnerabilities. Recommended updates are analogous to Critical updates, but should be considered mandatory, and they must be deployed quickly. Other updates correct errors (http://en.wikipedia.org/wiki/Software_bug) that aren't related to security, or they enhance functionality. The updates released on Patch Tuesday are usually security updates. Users are recommended to install critical updates as soon as they are released. Another type of update is a service pack. A service pack is a periodic update that corrects problems in one version of a product. In addition to correcting known problems, service packs provide tools, drivers, and updates that extend product functionality, including enhancements developed after the product was released. Specifically, service packs are designed to get software users to the current code base for the product in question. Service packs keep the product current, and they update and extend a computer's functionality. Service packs may also contain a limited number of customer-requested design changes or features. Users are recommended to install service packs as soon as they are released. Service packs are released only after being thoroughly tested by Microsoft. Should you ever call Microsoft support about an issue with your computer or server, one of their first questions is what service pack you are running for your operating system. Sometimes they will have you update to the latest service pack if you haven’t already done so before moving forward with your case. There are two other types of update categories: regular and optional. These updates address a specific issue and should only be installed if those issues are being experienced. They may also introduce new features that will make your operating system run more efficiently but are not mandatory by any means. This is because these types of updates are untested within live environments, meaning that Microsoft is unsure how these updates coexist with other applications and software environments. Large enterprise environments should have a test environment and test all Windows updates to ensure that new updates don’t create further problems. Many servers and workstations have crashed due to installation of a single Windows update. Windows Update is an application that is accessed from the Start Menu. The screen below shows the opening interface of the Windows Update console screen. In the example above, the green check mark indicates that this computer is up-to-date, as optional updates are not considered critical. The next screen allows the user to determine how Windows Updates will occur on the machine. Note below the different ways to manage Important Windows Updates. The option, Install Updates Automatically, puts the operating system in charge of installing updates. Many times these updates will require a reboot to complete the installation; in this case, the user will receive an alert like the one shown below. If the user is away from the computer and can’t respond, the computer will reboot the computer automatically at some point. Should the user configure Windows updates to be installed manually, the interface will show a message like the one below.