Managing File Security

18 Aug

Much of an organization’s most confidential data is stored in files and folders. Windows Server 2008, along with most recent business versions of Windows, provides two technologies for controlling access to files and folders: NTFS file permissions and EFS. The sections that follow give more information about these two technologies.
After this lesson, you will be able to:
■ Use NTFS file permissions to control user access to files and folders.
■ Use EFS to protect files from offline attacks.
Estimated lesson time: 40 minutes
NTFS File Permissions
NTFS file permissions determine which users can view or update files. For example, you
would use NTFS file permissions to grant your Human Resources group access to personnel
files while preventing other users from accessing those files.
The default NTFS file permissions for user and system folders are designed to meet basic
needs. These default permissions for different file types are:
■ User files: Users have full control permissions over their own files. Administrators also have full control. Other users who are not administrators cannot read or write to a user’s files.
■ System files: Users can read, but not write to, the %SystemRoot% folder and subfolders. Administrators can add and update files. This allows administrators, but not users, to install updates and applications.
■ Program files: Similar to the system files permissions, the %ProgramFiles% folder permissions are designed to allow users to run applications and allow only administrators to install applications. Users have read access, and administrators have full control.
Additionally, any new folders created in the root of a disk will grant administrators full control
and users read access.
514 Chapter 11 Managing Files
The default file and folder permissions work well for desktop environments. File servers, however,
often require you to grant permissions to groups of users to allow collaboration. For
example, you might want to create a folder that all Marketing users can read and update but
that users outside the Marketing group cannot access. Administrators can assign users or
groups any of the following permissions to a file or folder:
■ List Folder Contents: Users can browse a folder but not necessarily open the files in it.
■ Read: Users can view the contents of a folder and open files. If a user has Read but not Read & Execute permission for an executable file, the user will not be able to start the executable.
■ Read & Execute: In addition to the Read permission, users can run applications.
■ Write: Users can create files in a folder but not necessarily read them. This permission is useful for creating a folder in which several users can deliver files but not access each other’s files or even see what other files exist.
■ Modify: Users can read, edit, and delete files and folders.
■ Full Control: Users can perform any action on the file or folder, including creating and deleting it and modifying its permissions.
To protect a file or folder with NTFS, follow these steps:
1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
2. Right-click the file or folder, and then choose Properties.
The Properties dialog box for the file or folder appears.
3. Click the Security tab.
4. Click the Edit button.
The Permissions dialog box appears.
5. If the user you want to configure access for does not appear in the Group Or User Names
list, click Add. Type the user name, and then click OK.
6. Select the user you want to configure access for. Then, select the check boxes for the
desired permissions in the Permissions For user or group name list, as shown in Figure
11-1. Denying access always overrides allowed access. For example, if Mary is a member
of the Marketing group and you allow full control access for Mary and then deny
full control access for the Marketing group, Mary’s effective permissions will be to
deny full control.
Lesson 1: Managing File Security 515
Figure 11-1 The permissions dialog box
Exam Tip When taking the exam, expect questions where a user is granted access to a file
but denied access through a group membership. Remember that although permission
assignments are cumulative, denied access overrides all other permissions.
7. Repeat steps 5 and 6 to configure access for additional users.
8. Click OK twice.
Additionally, there are more than a dozen special permissions that you can assign to a user or
group. To assign special permissions, click the Advanced button in the Security tab of the file
or folder Properties dialog box, as shown in Figure 11-2.
To configure NTFS file permissions from a command prompt or script, use the Icacls command.
For complete usage information, type icacls /? at a command prompt.
NTFS file permissions are in effect whether users are logged on locally or accessing folders
across the network.
Figure 11-2 The Security tab
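The same configuration from PowerShell, as an added example that is not part of the training kit: it builds the Marketing folder ACL described above with Get-Acl and Set-Acl, shows the result with icacls, and then models the rule from the Exam Tip (allowed rights accumulate, any matching Deny removes them) using the Mary scenario from step 6. The folder path, the NWTRADERS domain and the group and user names are assumptions; run it elevated on a domain member where those groups exist.

```powershell
# Added example (not from the training kit): configure NTFS permissions on a
# collaboration folder from PowerShell, then model how Allow and Deny ACEs combine.
# Assumed: elevated PowerShell on a domain member, an illustrative folder path, and
# existing groups NWTRADERS\Marketing and NWTRADERS\Domain Users.

$FolderPath = 'D:\Shares\Marketing'   # assumed path
New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null

# Build a rule that applies to the folder, its subfolders and its files.
function New-FolderRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type)
}

$acl = Get-Acl -Path $FolderPath
# Stop inheriting the disk-root defaults (Users: Read) so only the rules below apply.
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM'     'FullControl'))
$acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators'  'FullControl'))
$acl.AddAccessRule((New-FolderRule 'NWTRADERS\Marketing'     'Modify'))
$acl.AddAccessRule((New-FolderRule 'NWTRADERS\Domain Users'  'ReadAndExecute'))
Set-Acl -Path $FolderPath -AclObject $acl

# The same result is visible with the command-line tool the lesson mentions.
icacls $FolderPath

# Model of effective permissions for one user: rights from every Allow ACE that
# names the user or one of the user's groups accumulate, and rights from any
# matching Deny ACE are removed afterwards, whatever the order of the ACEs.
function Get-EffectiveRights {
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]]$Aces,
        [string[]]$Memberships   # the user's own name plus every group it belongs to
    )
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($ace in $Aces) {
        if ($Memberships -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.FileSystemRights }
        else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
    }
    return [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot $denied))
}

# The scenario from step 6: Mary is allowed Full Control directly, but her
# Marketing group is denied Full Control. The Deny wins and Mary ends up with nothing.
$maryAces = @(
    (New-FolderRule 'NWTRADERS\Mary'      'FullControl'),
    (New-FolderRule 'NWTRADERS\Marketing' 'FullControl' 'Deny')
)
Get-EffectiveRights -Aces $maryAces -Memberships 'NWTRADERS\Mary', 'NWTRADERS\Marketing'   # 0

# Against the real folder: a Marketing member who is also a Domain User gets Modify,
# because Modify already contains every right in ReadAndExecute and the two Allow ACEs
# simply combine (.NET adds Synchronize to each Allow ACE, so it shows as well).
Get-EffectiveRights -Aces (Get-Acl -Path $FolderPath).Access `
    -Memberships 'NWTRADERS\Mary', 'NWTRADERS\Marketing', 'NWTRADERS\Domain Users'
```

Get-EffectiveRights only models explicit identity matching; the real security reference monitor also evaluates well-known SIDs such as Authenticated Users and the ACE order, so use the Effective Permissions tab of the Advanced Security Settings dialog box for an authoritative answer.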
Encrypting File System
NTFS provides excellent protection for files and folders as long as Windows is running. However,
an attacker who has physical access to a computer can start the computer from a different
operating system (or simply reinstall Windows) or remove the hard disk and connect it to a
different computer. Any of these very simple techniques would completely bypass NTFS security,
granting the attacker full access to files and folders.
EFS protects files and folders by encrypting them on the disk. If an attacker bypasses the operating
system to open a file, the file appears to be random, meaningless bytes. Windows controls
access to the decryption key and provides it only to authorized users.
NOTE EFS support
Windows 2000 and later versions of Windows support EFS.
The sections that follow describe how to configure EFS.
How to Protect Files and Folders with EFS
To protect a file or folder with EFS, follow these steps:
1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
2. Right-click the file or folder, and then click Properties.
The Properties dialog box appears.
3. In the General tab, click Advanced.
The Advanced Attributes dialog box appears.
4. Select the Encrypt Contents To Secure Data check box.
5. Click OK twice.
If you encrypt a folder, Windows automatically encrypts all new files in the folder. Windows
Explorer shows encrypted files in green.
The first time you encrypt a file or folder, Windows might prompt you to back up your file
encryption key, as shown in Figure 11-3. Choosing to back up the key launches the Certificate
Export Wizard, which prompts you to password-protect the exported key and save it to a file.
Backing up the key is very important for stand-alone computers because if the key is lost, the
files are inaccessible. In Active Directory environments, you should use a data recovery agent
(DRA), as described later in this section, to recover files.
Figure 11-3 Prompting the user to back up the encryption key
How to Share Files Protected with EFS
If you need to share EFS-protected files with other users on your local computer, you need
to add their encryption certificates to the file. You do not need to follow these steps to share
files across a network; EFS only affects files that are accessed on the local computer because
Windows automatically decrypts files before sharing them.
To share an EFS-protected file, follow these steps:
1. Open the Properties dialog box for an encrypted file.
2. In the General tab, click Advanced.
The Advanced Attributes dialog box appears.
3. Click the Details button.
The User Access dialog box appears, as shown in Figure 11-4.
Figure 11-4 The User Access dialog box
4. Click the Add button.
The Encrypting File System dialog box appears.
5. Select the user you want to grant access to, and then click OK.
6. Click OK three more times to close all open dialog boxes.
The user you selected will now be able to open the file when logged on locally.
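The encryption, key backup and sharing steps of the two procedures above, done with cipher.exe, the EFS command-line tool that ships with Windows, as an added example that is not part of the training kit. The folder, the sample file, the backup file name and the other user's certificate file are assumptions; run it as the user who owns the files.

```powershell
# Added example (not from the training kit): the Explorer steps above done with
# cipher.exe, plus a PowerShell check of the result. Assumed: the paths and file
# names are placeholders, and the shell runs as the user who owns the files.

$Folder = 'C:\Users\EFSUser\Documents\Confidential'   # assumed path
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path "$Folder\plan.txt" -Value 'draft budget'   # constructed sample file

# Encrypt the folder. /s:<dir> includes subdirectories; /a also encrypts the files
# already inside (without /a only the directories are marked). From now on every
# new file created here is encrypted automatically, as the lesson describes.
cipher /e /a "/s:$Folder"

# Verify from PowerShell rather than by the green file name in Windows Explorer.
function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -Path $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}
Test-EfsEncrypted $Folder             # True
Test-EfsEncrypted "$Folder\plan.txt"  # True

# Back up the current user's EFS certificate and private key (the step Figure 11-3
# prompts for). cipher asks for a password and writes a .pfx; store it off this computer.
cipher /x "$env:USERPROFILE\efs-key-backup"

# Share one file with another local user. That user first exports their EFS
# certificate without the private key (certmgr.msc, Personal store) to a .cer file;
# adding it puts a second key entry on the file, the same as the Details button does.
cipher /adduser /certfile:C:\Temp\otheruser.cer "$Folder\plan.txt"

# Show which certificates can now open the file.
cipher /c "$Folder\plan.txt"
```

The /x backup is the command-line form of the Certificate Export Wizard mentioned above; on a stand-alone computer it is the only way back into the files if the profile is lost.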
How to Configure EFS Using Group Policy Settings
Users can selectively enable EFS on their own files and folders. However, most users are not
aware of the need for encryption and will never enable EFS on their own. Rather than relying
on users to configure their own data security, you should use Group Policy settings to ensure
that domain member computers are configured to meet your organization’s security needs.
Within the Group Policy Management Editor, you can configure EFS settings by right-clicking
the Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies
\Encrypting File System node and then choosing Properties to open the Encrypting File
System Properties dialog box, as shown in Figure 11-5.
Figure 11-5 Defining EFS properties
This dialog box allows you to configure the following options:
■ File Encryption Using Encrypting File System (EFS): By default, EFS is allowed. If you select Don’t Allow, users will be unable to encrypt files with EFS.
■ Encrypt The Contents Of The User’s Documents Folder: Enable this option to automatically encrypt the user’s Documents folder. Although many other folders contain confidential information, encrypting the Documents folder significantly improves security, especially for mobile computers, which are at a higher risk of theft.
NOTE Preventing attackers from bypassing EFS
EFS protects files when the operating system is offline. Therefore, if someone steals an employee’s laptop at an airport, the thief won’t be able to access EFS-encrypted files—unless the user is currently logged on. If you enable EFS, you should also configure the desktop to automatically lock when not in use for a few minutes.
■ Require A Smart Card For EFS: Select this check box to prevent the use of software certificates for EFS. Enable this if users have smart cards and you want to require the user to insert the smart card to access encrypted files. This can add security, assuming the user does not always leave the smart card in the computer.
■ Create Caching-Capable User Key From Smart Card: If this and the previous option are enabled, users need to insert a smart card only the first time they access an encrypted file during their session. If this option is disabled, the smart card must be present every time the user accesses a file.
■ Enable Pagefile Encryption: Encrypts the page file. Windows uses the page file to store a copy of data that is stored in memory, and, as a result, it might contain unencrypted copies of EFS-encrypted files. Therefore, a very skillful attacker might find unencrypted data in the page file if this option is disabled. Encrypting the page file can impact performance.
■ Display Key Backup Notifications When User Key Is Created Or Changed: If enabled, Windows prompts the user to back up EFS keys when encryption keys are created or changed.
■ Allow EFS To Generate Self-Signed Certificates When A Certification Authority Is Not Available: If disabled, client computers will need to contact your certification authority (CA) the first time an EFS file is encrypted. This would prevent users who are disconnected from your network from enabling EFS for the first time. To allow EFS to retrieve a certificate from a CA instead of generating a self-signed certificate, you should configure a CA and enable autoenrollment. For detailed instructions, perform Practice 1 in this lesson.
Additionally, you should consider configuring the following EFS-related Group Policy settings:
■ Computer Configuration\Policies\Administrative Templates\Network\Offline Files\Encrypt The Offline Files Cache: Enable this setting to encrypt Offline Files. Offline Files are discussed in Lesson 2, “Sharing Folders.”
■ Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow Indexing Of Encrypted Files: If you index encrypted files, an attacker might be able to see the contents of an encrypted file by examining the index. Disabling indexing of encrypted files improves security but prevents users from searching those files.
How to Configure a Data Recovery Agent
An encrypted file is inaccessible to anyone who lacks the decryption key, including system
administrators and, if they lose their original key, users who encrypted the files. To enable
recovery of encrypted files, EFS supports DRAs. DRAs can decrypt encrypted files. In enterprise
Active Directory environments, you can use Group Policy settings to configure one or
more user accounts as DRAs for your entire organization. To configure an enterprise DRA, follow
these steps:
1. Configure an enterprise CA. For example, you can install the Windows Server 2008
Active Directory Certificate Services server role. The default settings work well.
2. Create a dedicated user account to act as the DRA. Although you could use an existing
user account, the DRA has the ability to access any encrypted file—an almost unlimited
power that must be carefully controlled in most organizations. Log on using the DRA
account.
IMPORTANT Avoid giving one person too much power
For the DRA user account, or any highly privileged account, have two people type half the
account’s password. Then have each user write down half of the password and give the password
halves to different managers to protect. This requires at least two people to work
together to access the DRA account—a security concept called collusion. Collusion greatly
reduces the risk of malicious use by requiring attackers to trust each other and work together.
3. Open the Group Policy Object in the Group Policy Management Editor.
4. Right-click Computer Configuration\Policies\Windows Settings\Security Settings\Public
Key Policies\Encrypting File System, and then choose Create Data Recovery Agent.
The Group Policy Management Editor creates a file recovery certificate for the DRA
account.
DRAs can automatically open encrypted files just like any other file—exactly as if they had
encrypted it with their own user certificate. You can create multiple DRAs.
PRACTICE Encrypt and Recover Files
In this practice, you create two user accounts: a user account that will encrypt a file with EFS
and a DRA that will access the encrypted file. Then, you will encrypt a file, verify that other
user accounts cannot access it, and finally recover the encrypted file using the DRA.
Exercise 1 Configure a DRA
In this exercise, you create accounts that represent a traditional EFS user and a DRA.
1. Add the Active Directory Certificate Services role using the default settings to Dcsrv1 to
configure it as an enterprise CA.
2. Create a domain user account named EFSUser and make the account a member of the
Domain Admins group so that it can log on to the domain controller. You will use this
account to create and encrypt a file.
3. Create a domain user account named DRA and make the account a member of the
Domain Admins group. Log on using the DRA account.
4. In Server Manager, right-click Features\Group Policy Management\Forest: nwtraders.msft
\Domains\nwtraders.msft\Default Domain Policy, and then choose Edit.
The Group Policy Management Editor appears.
5. In the console tree, expand Computer Configuration\Policies\Windows Settings\Security
Settings, and then select Public Key Policies. In the details pane, double-click the
Certificate Services Client – Auto-Enrollment policy. Set the Configuration Model to
Enabled, and then click OK.
6. Right-click Computer Configuration\Policies\Windows Settings\Security Settings\Public
Key Policies\Encrypting File System, and then choose Create Data Recovery Agent.
The account you are currently logged on with, DRA, is now configured as a DRA.
Exercise 2 Encrypt a File
In this exercise, you use the newly created EFSUser account to create an encrypted text file.
1. On Dcsrv1, log on using the EFSUser account.
2. Click Start, and then choose Documents.
3. In the Documents window, right-click Documents, and then choose Properties. Do not
right-click the Documents shortcut listed in the Favorite Links pane; doing so will modify
the shortcut and not the folder.
4. In the General tab of the Documents Properties dialog box, click Advanced. Select the
Encrypt Contents To Secure Data check box, and then click OK three times.
5. Right-click the details pane, choose New, and then choose Text Document. Name the
document Encrypted. Notice that it appears in green in Windows Explorer because it is
encrypted.
6. Open the encrypted document and add the text “Hello, world.” Save and close the
document.
Exercise 3 Attempt to Access an Encrypted File
In this exercise, you use the Administrator account (which is not configured as a DRA) to simulate
an attacker attempting to access a file that another user has encrypted.
1. On Dcsrv1, log on using the Administrator account. This account has administrative
privileges to Dcsrv1, but it is not configured as a DRA.
2. Click Start, and then choose Computer.
3. In the Computer window, browse to C:\Users\EFSUser\Documents.
4. Double-click the Encrypted document in the details pane. Notice that Notepad displays
an Access Is Denied error. You would see this same error even if you reinstalled the operating
system or connected the hard disk to a different computer.
Exercise 4 Recover an Encrypted File
In this exercise, you use the DRA account to access the encrypted file and then remove the
encryption from the file so that other users can access it.
1. On Dcsrv1, log on using the DRA account. This account is configured as a DRA.
2. Click Start, and then choose Computer.
3. In the Computer window, browse to C:\Users\EFSUser\Documents. Respond to any
User Account Control (UAC) prompts that appear.
4. Double-click the Encrypted document in the Details pane. Notice that Notepad displays
the file because the DRA account is configured as a DRA. Close Notepad.
5. In Windows Explorer, right-click the Encrypted file, and then choose Properties. In the
General tab, click Advanced. Clear the Encrypt Contents To Secure Data check box, and
then click OK twice. Respond to the UAC prompts that appear. DRA accounts can
remove encryption, allowing other accounts to access previously encrypted files.
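The checks in Exercise 3 and the recovery in Exercise 4 from the command line, as an added example that is not part of the training kit. It assumes the file is the one created in Exercise 2 (Notepad gives it a .txt extension, which Windows Explorer hides) and that the shell is running as the DRA account; the stand-alone alternative at the end (cipher /r) is a different mechanism from the Group Policy DRA the lesson configures and is included only for computers that are not domain members.

```powershell
# Added example (not from the training kit): the DRA check and recovery steps from
# Exercises 3 and 4 done with cipher.exe. Assumed: the file below is the one created in
# Exercise 2 (.txt extension added by Notepad), and the shell runs as the DRA account.

$File = 'C:\Users\EFSUser\Documents\Encrypted.txt'

# 1. Inspect the file's key entries. The output lists the users whose certificates can
#    decrypt it and, separately, the recovery certificates. A file encrypted after the
#    Group Policy DRA was created carries the DRA's recovery certificate; an account in
#    neither list (the Administrator in Exercise 3) gets Access Is Denied.
cipher /c $File

# 2. As the DRA, read the file. The DRA's private key unwraps the file encryption key
#    exactly as the owner's would, so ordinary file I/O simply works.
Get-Content -Path $File

# 3. Remove the encryption so other accounts can read it (Exercise 4, step 5).
#    /a is required for cipher to act on a file rather than only on directories.
cipher /d /a $File

# 4. Confirm the Encrypted attribute is gone.
(((Get-Item -Path $File).Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0)   # True

# Outside a domain there is no Group Policy DRA. cipher /r generates a recovery
# certificate (.cer) and private key (.pfx) pair; the .cer is then added as the
# recovery agent in Local Security Policy under Public Key Policies\Encrypting File
# System, and the .pfx is kept offline for recoveries. Placeholder path:
# cipher /r:"C:\Temp\dra"
```

Step 3 is the part to audit: a DRA decrypting a file leaves it readable by anyone with NTFS access, so log which files a DRA decrypts and re-encrypt them under the right user's certificate once the user's key has been restored.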
Lesson Summary
■ NTFS file permissions control access to files when Windows is running, whether users
access files locally or across the network. NTFS file permissions allow you to grant users
and groups read access, write access, or full control access (which allows users to change
permissions). If you deny a user NTFS file permissions, it overrides any other assigned
permissions. If a user does not have any NTFS file permissions assigned, that user is
denied access.
■ EFS encrypts files, which protects them when Windows is offline. Although encryption
provides very strong security, users will be unable to access encrypted files if they lose
the encryption key. To protect against this, use Active Directory Group Policy settings to
configure a DRA that can recover encrypted files.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing File Security.” The questions are also available on the companion CD if you prefer
to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.
1. You create a folder named Marketing on a computer named FileServer and configure
NTFS permissions to grant the Domain Users group Read permission and the Marketing
group Modify permission. You share the folder and grant the Everyone group Reader
permission. Mary, a user account who is a member of both the Marketing group and the
Domain Users group, logs on locally to the FileServer computer to access the Marketing
folder. What effective permissions will Mary have?
A. No access
B. Read
C. Write
D. Full Control
2. You have a folder protected with EFS that contains a file you need to share across the network.
You share the folder and assign NTFS and share permissions to allow the user to
open the file. What should you do to allow the user to access the encrypted file without
decreasing the security?
A. Right-click the file, and then choose Properties. In the Security tab, add the user’s
account.
B. Right-click the file, and then choose Properties. In the General tab, click Advanced.
Click the Details button, and then add the user’s account.
C. Right-click the file, and then choose Properties. In the General tab, click Advanced.
Clear the Encrypt Contents To Secure Data check box.
D. Do nothing.
Lesson 2: Sharing Folders
One of the most common ways for users to collaborate is by storing documents in shared folders.
Shared folders allow any user with access to your network and appropriate permissions to
access files. Shared folders also allow documents to be centralized, where they are more easily
managed than if they were distributed to thousands of client computers.
Although all versions of Windows since Windows For Workgroups 3.11 have supported file
sharing, Windows Server 2008 adds the File Services server role, which includes a robust set
of features for sharing folders and managing shared files. With the improved disk quota capability,
Windows can notify users and administrators if individual users consume too much
disk space. DFS provides a centralized directory structure for folders shared from multiple
computers and is capable of automatically replicating files between folders for redundancy.
Offline Files automatically copy shared files to mobile computers so that users can access the
files while disconnected from the network.
After this lesson, you will be able to:
■ Install the File Services server role.
■ Use quotas to notify you when users consume more than an allotted amount of disk
space.
■ Share folders across the network.
■ Use DFS to create a namespace of shared folders on multiple servers.
■ Use Offline Files to grant mobile users access to copies of network files and folders
while they are disconnected from the network.
Estimated lesson time: 55 minutes
Installing the File Services Server Role
Windows Server 2008 can share folders without adding any server roles. However, adding the
File Services server role adds useful management tools along with the ability to participate in
DFS namespaces, configure quotas, generate storage reports, and other capabilities. To install
the File Services server role, follow these steps:
1. In Server Manager, select and then right-click Roles. Choose Add Role.
The Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Server Roles page, select the File Services check box. Click Next.
4. On the File Services page, click Next.
5. On the Select Role Services page, select from the following roles:
❑ File Server: Although not required to share files, adding this core role service allows you to use the Share And Storage Management snap-in.
❑ Distributed File System: Enables sharing files using the DFS namespace and replicating files between DFS servers. If you select this role service, the wizard will prompt you to configure a namespace.
❑ File Server Resource Manager: Installs tools for generating storage reports, configuring quotas, and defining file screening policies. If you select this role service, the wizard will prompt you to enable storage monitoring on the local disks.
❑ Services for Network File System: Provides connectivity for UNIX client computers that use Network File System (NFS) for file sharing. Note that most modern UNIX operating systems can connect to standard Windows file shares, so this service is typically not required.
❑ Windows Search Service: Indexes files for faster searching when clients connect to shared folders. This role service is not intended for enterprise use. If you select this role service, the wizard will prompt you to enable indexing on the local disks.
❑ Windows Server 2003 File Services: Provides services compatible with computers running Windows Server 2003.
6. Respond to any roles service wizard pages that appear.
7. On the Confirmation page, click Install.
8. On the Results page, click Close.
You can access the File Services tools using the Roles\File Services node in Server Manager.
Using Quotas
When multiple users share a disk, whether locally or across the network, the disk will quickly
become filled—usually because one or two users consume far more disk space than the rest.
Disk quotas make it easy to monitor users who consume more than a specified amount of disk
space. Additionally, you can enforce quotas to prevent users from consuming more disk space
(although this can cause applications to fail and is not typically recommended).
With Windows Server 2008 you should use the Quota Management console to configure disk
