Microsoft Press mcts training kit 70 - 642 configuring windows server 2008 network infrastructure phần 9 docx


Chapter 11 Managing Files

Figure 11-2 The Security tab

Encrypting File System

NTFS provides excellent protection for files and folders as long as Windows is running. However, an attacker who has physical access to a computer can start the computer from a different operating system (or simply reinstall Windows) or remove the hard disk and connect it to a different computer. Any of these very simple techniques would completely bypass NTFS security, granting the attacker full access to files and folders.

EFS protects files and folders by encrypting them on the disk. If an attacker bypasses the operating system to open a file, the file appears to be random, meaningless bytes. Windows controls access to the decryption key and provides it only to authorized users.

NOTE EFS support
Windows 2000 and later versions of Windows support EFS.

The sections that follow describe how to configure EFS.

How to Protect Files and Folders with EFS

To protect a file or folder with EFS, follow these steps:
1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
2. Right-click the file or folder, and then click Properties. The Properties dialog box appears.
3. In the General tab, click Advanced. The Advanced Attributes dialog box appears.
4. Select the Encrypt Contents To Secure Data check box.
5. Click OK twice.

If you encrypt a folder, Windows automatically encrypts all new files in the folder. Windows Explorer shows encrypted files in green.

The first time you encrypt a file or folder, Windows might prompt you to back up your file encryption key, as shown in Figure 11-3. Choosing to back up the key launches the Certificate Export Wizard, which prompts you to password-protect the exported key and save it to a file. Backing up the key is very important for stand-alone computers because if the key is lost, the files are inaccessible.
In Active Directory environments, you should use a data recovery agent (DRA), as described later in this section, to recover files.

Figure 11-3 Prompting the user to back up the encryption key

How to Share Files Protected with EFS

If you need to share EFS-protected files with other users on your local computer, you need to add their encryption certificates to the file. You do not need to follow these steps to share files across a network; EFS only affects files that are accessed on the local computer because Windows automatically decrypts files before sharing them.

To share an EFS-protected file, follow these steps:
1. Open the Properties dialog box for an encrypted file.
2. In the General tab, click Advanced. The Advanced Attributes dialog box appears.
3. Click the Details button. The User Access dialog box appears, as shown in Figure 11-4.
4. Click the Add button. The Encrypting File System dialog box appears.
5. Select the user you want to grant access to, and then click OK.
6. Click OK three more times to close all open dialog boxes.

Figure 11-4 The User Access dialog box

The user you selected will now be able to open the file when logged on locally.

How to Configure EFS Using Group Policy Settings

Users can selectively enable EFS on their own files and folders. However, most users are not aware of the need for encryption and will never enable EFS on their own. Rather than relying on users to configure their own data security, you should use Group Policy settings to ensure that domain member computers are configured to meet your organization’s security needs.

Within the Group Policy Management Editor, you can configure EFS settings by right-clicking the Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System node and then choosing Properties to open the Encrypting File System Properties dialog box, as shown in Figure 11-5.
Figure 11-5 Defining EFS properties

This dialog box allows you to configure the following options:
■ File Encryption Using Encrypting File System (EFS) By default, EFS is allowed. If you select Don’t Allow, users will be unable to encrypt files with EFS.
■ Encrypt The Contents Of The User’s Documents Folder Enable this option to automatically encrypt the user’s Documents folder. Although many other folders contain confidential information, encrypting the Documents folder significantly improves security, especially for mobile computers, which are at a higher risk of theft.

NOTE Preventing attackers from bypassing EFS
EFS protects files when the operating system is offline. Therefore, if someone steals an employee’s laptop at an airport, the thief won’t be able to access EFS-encrypted files—unless the user is currently logged on. If you enable EFS, you should also configure the desktop to automatically lock when not in use for a few minutes.

■ Require A Smart Card For EFS Select this check box to prevent the use of software certificates for EFS. Enable this if users have smart cards and you want to require the user to insert the smart card to access encrypted files. This can add security, assuming the user does not always leave the smart card in the computer.
■ Create Caching-Capable User Key From Smart Card If this and the previous option are enabled, users need to insert a smart card only the first time they access an encrypted file during their session. If this option is disabled, the smart card must be present every time the user accesses a file.
■ Enable Pagefile Encryption Encrypts the page file. Windows uses the page file to store a copy of data that is stored in memory, and, as a result, it might contain unencrypted copies of EFS-encrypted files. Therefore, a very skillful attacker might find unencrypted data in the page file if this option is disabled. Encrypting the page file can impact performance.
■ Display Key Backup Notifications When User Key Is Created or Changed If enabled, Windows prompts the user to back up EFS keys when encryption keys are created or changed.
■ Allow EFS To Generate Self-Signed Certificates When A Certification Authority Is Not Available If disabled, client computers will need to contact your certification authority (CA) the first time an EFS file is encrypted. This would prevent users who are disconnected from your network from enabling EFS for the first time. To allow EFS to retrieve a certificate from a CA instead of generating a self-signed certificate, you should configure a CA and enable autoenrollment. For detailed instructions, perform Practice 1 in this lesson.

Additionally, you should consider configuring the following EFS-related Group Policy settings:
■ Computer Configuration\Policies\Administrative Templates\Network\Offline Files\Encrypt The Offline Files Cache Enable this setting to encrypt Offline Files. Offline Files are discussed in Lesson 2, “Sharing Folders.”
■ Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow Indexing Of Encrypted Files If you index encrypted files, an attacker might be able to see the contents of an encrypted file by examining the index. Disabling indexing of encrypted files improves security but prevents users from searching those files.

How to Configure a Data Recovery Agent

An encrypted file is inaccessible to anyone who lacks the decryption key, including system administrators and, if they lose their original key, users who encrypted the files. To enable recovery of encrypted files, EFS supports DRAs. DRAs can decrypt encrypted files. In enterprise Active Directory environments, you can use Group Policy settings to configure one or more user accounts as DRAs for your entire organization. To configure an enterprise DRA, follow these steps:
1. Configure an enterprise CA.
For example, you can install the Windows Server 2008 Active Directory Certificate Services server role. The default settings work well.
2. Create a dedicated user account to act as the DRA. Although you could use an existing user account, the DRA has the ability to access any encrypted file—an almost unlimited power that must be carefully controlled in most organizations. Log on using the DRA account.

IMPORTANT Avoid giving one person too much power
For the DRA user account, or any highly privileged account, have two people type half the account’s password. Then have each user write down half of the password and give the password halves to different managers to protect. This requires at least two people to work together to access the DRA account—a security concept called collusion. Collusion greatly reduces the risk of malicious use by requiring attackers to trust each other and work together.

3. Open the Group Policy Object in the Group Policy Management Editor.
4. Right-click Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, and then choose Create Data Recovery Agent. The Group Policy Management Editor creates a file recovery certificate for the DRA account.

DRAs can automatically open encrypted files just like any other file—exactly as if they had encrypted it with their own user certificate. You can create multiple DRAs.

PRACTICE Encrypt and Recover Files

In this practice, you create two user accounts: a user account that will encrypt a file with EFS and a DRA that will access the encrypted file. Then, you will encrypt a file, verify that other user accounts cannot access it, and finally recover the encrypted file using the DRA.

Exercise 1 Configure a DRA

In this exercise, you create accounts that represent a traditional EFS user and a DRA.
1. Add the Active Directory Certificate Services role using the default settings to Dcsrv1 to configure it as an enterprise CA.
2. Create a domain user account named EFSUser and make the account a member of the Domain Admins group so that it can log on to the domain controller. You will use this account to create and encrypt a file.
3. Create a domain user account named DRA and make the account a member of the Domain Admins group. Log on using the DRA account.
4. In Server Manager, right-click Features\Group Policy Management\Forest: nwtraders.msft\Domains\nwtraders.msft\Default Domain Policy, and then choose Edit. The Group Policy Management Editor appears.
5. In the console tree, expand Computer Configuration\Policies\Windows Settings\Security Settings, and then select Public Key Policies. In the details pane, double-click the Certificate Services Client – Auto-Enrollment policy. Set the Configuration Model to Enabled, and then click OK.
6. Right-click Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, and then choose Create Data Recovery Agent. The account you are currently logged on with, DRA, is now configured as a DRA.

Exercise 2 Encrypt a File

In this exercise, you use the newly created EFSUser account to create an encrypted text file.
1. On Dcsrv1, log on using the EFSUser account.
2. Click Start, and then choose Documents.
3. In the Documents window, right-click Documents, and then choose Properties. Do not right-click the Documents shortcut listed in the Favorite Links pane; doing so will modify the shortcut and not the folder.
4. In the General tab of the Documents Properties dialog box, click Advanced. Select the Encrypt Contents To Secure Data check box, and then click OK three times.
5. Right-click the details pane, choose New, and then choose Text Document. Name the document Encrypted. Notice that it appears in green in Windows Explorer because it is encrypted.
6. Open the encrypted document and add the text “Hello, world.” Save and close the document.

Exercise 3 Attempt to Access an Encrypted File

In this exercise, you use the Administrator account (which is not configured as a DRA) to simulate an attacker attempting to access a file that another user has encrypted.
1. On Dcsrv1, log on using the Administrator account. This account has administrative privileges to Dcsrv1, but it is not configured as a DRA.
2. Click Start, and then choose Computer.
3. In the Computer window, browse to C:\Users\EFSUser\Documents.
4. Double-click the Encrypted document in the details pane. Notice that Notepad displays an Access Is Denied error. You would see this same error even if you reinstalled the operating system or connected the hard disk to a different computer.

Exercise 4 Recover an Encrypted File

In this exercise, you use the DRA account to access the encrypted file and then remove the encryption from the file so that other users can access it.
1. On Dcsrv1, log on using the DRA account. This account is configured as a DRA.
2. Click Start, and then choose Computer.
3. In the Computer window, browse to C:\Users\EFSUser\Documents. Respond to any User Account Control (UAC) prompts that appear.
4. Double-click the Encrypted document in the Details pane. Notice that Notepad displays the file because the DRA account is configured as a DRA. Close Notepad.
5. In Windows Explorer, right-click the Encrypted file, and then choose Properties. In the General tab, click Advanced. Clear the Encrypt Contents To Secure Data check box, and then click OK twice. Respond to the UAC prompts that appear.

DRA accounts can remove encryption, allowing other accounts to access previously encrypted files.
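An added audit script, written for this page and not part of the training kit or of Microsoft's own tooling: it reads the registry values behind the EFS, Offline Files cache and encrypted-file indexing policies described in the Group Policy section above, then enumerates EFS-encrypted files under the practice folder and reports, via cipher.exe /c, which users and recovery agents can decrypt each one, so a file that no DRA can recover stands out. The registry paths, the cipher.exe heading text and the EFSUser folder path are assumptions to confirm on a known-good machine.

```powershell
# Added example (not from the training kit): an EFS posture audit for a
# Windows Server 2008-era domain member. Part 1 reads the registry values
# behind Group Policy settings named in this lesson; part 2 finds EFS-encrypted
# files under a folder and asks cipher.exe who can decrypt each one.

function Get-EfsPolicyState {
    # Registry locations are assumed from the product's policy mappings;
    # confirm them on a known-good machine. DefaultOk says whether an
    # absent (not configured) value already matches the recommendation.
    $checks = @(
        @{ Name = 'EFS allowed (EfsConfiguration 1 = Don''t Allow)'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
           Value = 'EfsConfiguration'; Want = 0; DefaultOk = $true },
        @{ Name = 'Encrypt the Offline Files cache'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
           Value = 'EncryptCache'; Want = 1; DefaultOk = $false },
        @{ Name = 'Allow indexing of encrypted files (0 = disabled)'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
           Value = 'AllowIndexingEncryptedStoresOrItems'; Want = 0; DefaultOk = $true }
    )
    foreach ($c in $checks) {
        $actual = $null                              # $null = not configured
        if (Test-Path $c.Path) {
            $name   = $c.Value
            $actual = (Get-ItemProperty -Path $c.Path).$name
        }
        $ok = ($actual -eq $c.Want) -or (($actual -eq $null) -and $c.DefaultOk)
        New-Object PSObject -Property @{
            Setting = $c.Name; Actual = $actual; Compliant = $ok
        }
    }
}

function Get-EfsFileRecoveryState {
    param([string]$Path)
    # Every EFS-protected file carries the Encrypted attribute, so the walk
    # needs no cipher.exe call; cipher /c is run only on the hits.
    $encrypted = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0) }
    foreach ($file in $encrypted) {
        # cipher /c prints a "Users who can decrypt:" section and a
        # "Recovery Certificates:" section (heading text assumed from the
        # tool's output); collect the principal lines under each heading.
        $section = ''; $users = @(); $agents = @()
        foreach ($line in (& cipher.exe /c $file.FullName 2>&1)) {
            switch -Regex ($line) {
                '^\s*Users who can decrypt:'  { $section = 'users';  break }
                '^\s*Recovery Certificates:'  { $section = 'agents'; break }
                '^\s*(Key Information:|No recovery certificate)' { $section = ''; break }
                '^\s*Certificate thumbprint:' { break }          # detail line
                '^\s*\S' {
                    if ($section -eq 'users')  { $users  += $line.Trim() }
                    if ($section -eq 'agents') { $agents += $line.Trim() }
                }
            }
        }
        New-Object PSObject -Property @{
            File           = $file.FullName
            Users          = ($users -join '; ')
            RecoveryAgents = ($agents -join '; ')
            Recoverable    = ($agents.Count -gt 0)  # $false: lost user key = lost file
        }
    }
}

# Usage for the practice environment (folder path is the lesson's, assumed).
Get-EfsPolicyState | Format-Table Setting, Actual, Compliant -AutoSize
Get-EfsFileRecoveryState -Path 'C:\Users\EFSUser\Documents' | Format-Table File, Users, RecoveryAgents, Recoverable -AutoSize
```

Run it as the DRA or another account allowed to enumerate the folder; a Recoverable value of False on a file whose owner loses their key is exactly the data-loss case the lesson's DRA guidance exists to prevent.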
Lesson Summary
■ NTFS file permissions control access to files when Windows is running, whether users access files locally or across the network. NTFS file permissions allow you to grant users and groups read access, write access, or full control access (which allows users to change permissions). If you deny a user NTFS file permissions, it overrides any other assigned permissions. If a user does not have any NTFS file permissions assigned, that user is denied access.
■ EFS encrypts files, which protects them when Windows is offline. Although encryption provides very strong security, users will be unable to access encrypted files if they lose the encryption key. To protect against this, use Active Directory Group Policy settings to configure a DRA that can recover encrypted files.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Managing File Security.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. You create a folder named Marketing on a computer named FileServer and configure NTFS permissions to grant the Domain Users group Read permission and the Marketing group Modify permission. You share the folder and grant the Everyone group Reader permission. Mary, a user account who is a member of both the Marketing group and the Domain Users group, logs on locally to the FileServer computer to access the Marketing folder. What effective permissions will Mary have?
A. No access
B. Read
C. Write
D. Full Control
2. You have a folder protected with EFS that contains a file you need to share across the network. You share the folder and assign NTFS and share permissions to allow the user to open the file. What should you do to allow the user to access the encrypted file without decreasing the security?
A. Right-click the file, and then choose Properties. In the Security tab, add the user’s account.
B. Right-click the file, and then choose Properties. In the General tab, click Advanced. Click the Details button, and then add the user’s account.
C. Right-click the file, and then choose Properties. In the General tab, click Advanced. Clear the Encrypt Contents To Secure Data check box.
D. Do nothing.

Lesson 2: Sharing Folders

One of the most common ways for users to collaborate is by storing documents in shared folders. Shared folders allow any user with access to your network and appropriate permissions to access files. Shared folders also allow documents to be centralized, where they are more easily managed than if they were distributed to thousands of client computers.

Although all versions of Windows since Windows For Workgroups 3.11 have supported file sharing, Windows Server 2008 adds the File Services server role, which includes a robust set of features for sharing folders and managing shared files. With the improved disk quota capability, Windows can notify users and administrators if individual users consume too much disk space. DFS provides a centralized directory structure for folders shared from multiple computers and is capable of automatically replicating files between folders for redundancy. Offline Files automatically copy shared files to mobile computers so that users can access the files while disconnected from the network.

After this lesson, you will be able to:
■ Install the File Services server role.
■ Use quotas to notify you when users consume more than an allotted amount of disk space.
■ Share folders across the network.
■ Use DFS to create a namespace of shared folders on multiple servers.
■ Use Offline Files to grant mobile users access to copies of network files and folders while they are disconnected from the network.

Estimated lesson time: 55 minutes

Installing the File Services Server Role

Windows Server 2008 can share folders without adding any server roles. However, adding the File Services server role adds useful management tools along with the ability to participate in DFS namespaces, configure quotas, generate storage reports, and other capabilities. To install the File Services server role, follow these steps:
1. In Server Manager, select and then right-click Roles. Choose Add Role. The Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Server Roles page, select the File Services check box. Click Next.
4. On the File Services page, click Next.

[...]

The remainder of the chapter survives only as preview fragments; each fragment is given as it appears, with elisions marked by "...".

... example, if a shadow copy ID is {56036723-cdcc-49ef-98a4-445b1645770e}, you could revert to the shadow copy using the following command: vssadmin revert shadow /Shadow={56036723-cdcc-49ef-98a4-445b1645770e}. For complete usage information, type VSSAdmin /? at a command prompt.

Windows Server Backup
Windows Server Backup copies an entire disk volume (for example, the volume Windows is installed on) to a vhd ...

... computer running Windows Server 2008 Server Core. Which tool should you use?
A. FileScrn
B. DirQuota
C. StorRept
D. Net

Lesson 3: Backing Up and Restoring Files

With previous versions of Windows, administrators needed to rely on non-Microsoft software to back up servers. With Windows Server 2008, the operating system has useful backup capabilities built in. Although Windows Server Backup ... and volumes.

Installing Windows Server Backup Features

To install the Windows Server Backup Features, follow these steps:
1. In Server Manager, right-click Features, and then choose Add Features. The Add Features Wizard appears.
2. On the Features page, expand Windows Server Backup Features. Then, select either the Windows Server Backup check box (for graphical tools) or the Command-Line Tools check box (to ...

... DirQuota /?

Configuring Disk Quotas Using Windows Explorer

Although you should always use the Quota Management console to configure quotas in Windows Server 2008, the operating system continues to support quota management using Windows Explorer, using the same interface as earlier versions of Windows. To configure disk quotas on a local computer using Windows Explorer, follow these steps:
1. Open Windows ...

... select the file screen you want to use. Click Next.

NOTE Configuring file screening
You can configure file screening using the Roles\File Services\Share And Storage Management\File Server Resource Manager\File Screening Management node of Server Manager. You can use the FileScrn.exe command-line tool in scripts or when running Windows Server 2008 Server Core.

9. On the DFS Namespace Publishing page, select the ...

... namespace (for Active Directory environments) or a stand-alone namespace (for workgroup environments). If all DFS servers for the namespace are running Windows Server 2008, enable Windows Server 2008 mode. Click Next.
3. If the Namespace Configuration page appears, you can click the Add button to add folders. You can also do this later using the DFS Management snap-in. Click Next. If you don’t create a DFS namespace ...

... Offline Files by following these steps:
1. In Windows Explorer, right-click the network folder or file, and then choose Properties.
2. On the Offline Files tab, select the Always Available Offline check box. Then, click OK.

NOTE Using Offline Files in Windows Vista
In Windows Vista, you can right-click a network file or folder and then select Always Available Offline. Windows immediately synchronizes the file ...

... “Backup - ” folder containing the vhd disk image file. The format is exactly the same as a Complete PC backup created in Windows Vista.

MORE INFO Installing VHDMount
Microsoft Virtual Server 2005 R2 SP1 includes VHDMount, a command-line tool for mounting vhd files so that you can browse their contents. This is an excellent way to extract files from a Windows Server backup. For instructions ... installing Virtual Server 2005 R2 SP1, read “VHDMount Without Virtual Server” at http://blogs.technet.com/daven/archive/2006/12/15/vhdmount-without-virtual-server.aspx

Scheduling Backups

Scheduling backups requires a dedicated local disk. You cannot use the Backup Schedule Wizard to back up to a disk that will be used by other applications, and you cannot back up to a shared folder on the network. After ... the \Configuration\Task Scheduler Library\Microsoft\Windows\Backup node in Server Manager and calls the Wbadmin tool to perform the backup.

Performing Backups from a Command Prompt or Script

You can use the Wbadmin tool to initiate backups from a script or at a command prompt (such as when using Windows Server 2008 Server Core). For example, to initiate a ...

... Quota Management snap-in supports the use of quota templates. You can use a quota template to apply a set of quotas and response behavior to volumes. Windows Server 2008 includes the following

Posted: 09/08/2014, 11:21
