20411B-ENU-TrainerHandbook
.pdf
Administering Windows Server® 2012 10-43
Task 2: Enable access-based enumeration for the BranchDocs namespace |
|
||
• |
In DFS Management, in the \\Adatum.com\BranchDocs Properties dialog box, on the AdvancedMCT |
||
|
tab, select the Enable access-based enumeration for this namespace check box. |
USE |
|
Task 3: Add the ResearchTemplates folder to the BranchDocs namespace |
|||
• Add a new folder to the BranchDocs namespace: |
|||
|
o Folder name: ResearchTemplates |
||
|
o Add a folder target: |
.ONLY |
|
|
|
Path: \\LON-SVR4\ResearchTemplates |
|
|
|
||
|
|
Create share |
|
|
|
Local path: C:\BranchDocs\ResearchTemplates |
|
Permissions: All users have read and write permissions
Task 4: Add the DataFiles folder to the BranchDocs namespace
1.On LON-SVR1, open Windows Explorer, in the address bar type, type \\Adatum.com\BranchDocs\STUDENT and then press Enter.
2.Verify that both ResearchTemplates and DataFiles display, and then close the window. USE• Add a new folder to the BranchDocs namespace:
You have been asked to ensure that the files contained in the new DFS namespace are replicated to both LON-SVR1 and LON-SVR4 to ensure data availability.
PROHIBITED
1.Create another folder target for DataFiles.
2.Configure replication for the namespace.
3.To prepare for the next module.
Task 1: Create another folder target for DataFiles
1.In DFS Management, expand Adatum.com\BranchDocs, and then click DataFiles.
2.In the details pane, notice that there is currently only one folder target.
MCT USE ONLY. STUDENT USE PROHIBITED
|
|
11-1 |
|
|
|
|
|
Module 11 |
|
MCT |
|
|
USE |
||
Configuring Encryption and Advanced Auditing |
|||
Contents: |
|
||
|
.ONLY |
||
Module Overview |
11-1 |
||
Lesson 1: Encrypting Files by Using Encrypting File System |
11-2 |
||
Lesson 2: Configuring Advanced Auditing |
11-6 |
||
Lab: Configuring Encryption and Advanced Auditing |
11-13 |
||
Module Review and Takeaways |
11-17 |
||
|
|
||
Module Overview
As an administrator of the Windows Server® 2012 operating system, you should ensure the continued security of the files and folders on your servers. You can encrypt sensitive files by using native Windows Server 2012 tools. However, you must be aware of some considerations and implementation methods in
order to provide a reliable environment. |
STUDENT |
||
By using Windows Server 2012, you can understand how files and folders are being used on your |
|||
|
|||
Windows Server 2012 computers. You can also audit file and folder access. Auditing file and folder access |
|||
can give you insight into general usage, and more critical information, such as unauthorized usage |
|
||
attempts. |
|
||
This module describes the Windows Server 2012 tools that can help you to provide increased file system |
|||
security on your servers. |
USE |
||
Objectives |
|||
After completing this module, you will be able to: |
|||
• |
Encrypt files by using EFS. |
||
PROHIBITED |
|||
• |
Configure advanced auditing. |
||
|
|
||
Configuring Encryption and Advanced Auditing
Lesson 1 |
MCT |
|||||
Encrypting Files by Using Encrypting File System |
||||||
USE |
||||||
Encrypting File System (EFS) is a built-in component of the NTFS file system that enables encryption and |
||||||
decryption of file and folder contents on an NFTS volume. It is important to understand how EFS works |
||||||
before implementing EFS in your environment. You should also know how to recover the encrypted files, |
||||||
and troubleshoot issues when EFS encryption does not work properly. |
||||||
|
|
|
|
|||
Lesson Objectives |
|
|
||||
After completing this lesson, you will be able to: |
.ONLY |
|||||
• |
Describe EFS. |
|||||
• Explain how EFS works. |
||||||
• Explain how to recover EFS–encrypted files. |
||||||
• |
Explain how to encrypt a file by using EFS. |
|||||
What Is EFS? |
|
STUDENT |
||||
EFS is a feature that can encrypt files that are |
|
|
||||
|
|
|||||
stored on an NTFS formatted partition. By default, |
|
|
||||
this option is available to all users. You can also |
|
|
||||
use EFS to encrypt files on a file share. |
|
|
||||
After a file is encrypted by using EFS, it can |
|
|
||||
only be accessed by authorized users. If a user is |
|
|
||||
authorized, then access to the file is transparent |
|
|
||||
and it can be opened like an unencrypted file. If a |
|
|
||||
user is not authorized, attempts to open the file |
|
|
||||
|
|
|
||||
will result in an access denied message. |
|
|
|
|||
EFS encryption acts as an additional layer of |
|
|
|
|||
|
USE |
|||||
security in addition to NTFS permissions. If users |
||||||
are given NTFS permission to read a file, they must still be authorized by EFS to decrypt the file. |
||||||
The default configuration of EFS requires no administrative effort. Users can begin encrypting files |
||||||
PROHIBITED |
||||||
immediately, and EFS automatically generates a user certificate with a key pair for a user if one does not |
||||||
already exist. Using a certification authority (CA) to issue user certificates enhances manageability of the |
||||||
certificates. |
||||||
|
|
|
|
|||
|
|
|
|
|||
You can disable EFS on client computers by using Group Policy. In the Properties of the policy, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Polices\Encrypting Files System, and then click Don’t allow.
11-4 Configuring Encryption and Advanced Auditing |
|
MCT |
||
|
|
|
||
When you add a new recovery agent through Group Policy, the agent is added automatically to all |
|
|||
|
|
|||
newly encrypted files, but the agent is not automatically added to the existing encrypted files. Because |
|
|
||
the recovery agent for a file is set at the time that the file is encrypted, an encrypted file must be accessed |
||||
and saved to update the recovery agent. |
USE |
|||
To back up the recovery agent certificate, you should always export the certificate with the private key |
||||
and keep it in a secure location. The two reasons to back up the private key for the recovery agent (or the |
||||
recovery key) are: |
||||
• |
To secure against system failure. The domain administrator key that is used by default for EFS |
|||
.ONLY |
||||
|
recovery is stored only on the first domain controller in the domain. If anything happened to this |
|||
|
domain controller, EFS recovery would be impossible. |
|||
• To make the recovery key portable. The recovery key is not automatically available to the recovery |
||||
|
agent on all computers. The recovery key must be installed in the recovery agent’s profile. If roaming |
|||
|
profiles are not used, then exporting and importing the recovery key is a method to update the |
|||
|
recovery agent’s profile on a particular computer. |
|||
|
|
|||
Demonstration: Encrypting a File by Using EFS |
STUDENT |
|||
This demonstration shows how to: |
||||
• Verify that a computer account supports EFS on a network share. |
||||
• Use EFS to encrypt a file on a network share. |
||||
• View the certificate used for encryption. |
||||
• Test access to an encrypted file. |
||||
Demonstration Steps |
||||
Verify that a computer account supports EFS on a network share |
||||
USE |
||||
1. On LON-DC1, open Active Directory Users and Computers. |
||||
2. Verify that that LON-DC1 is trusted for delegation to any service. |
||||
Use EFS to encrypt a file on a network share |
||||
1. |
Log on to LON-CL1 as Adatum\Doug with a password of Pa$$w0rd. |
|||
1.On LON-DC1, navigate to C:\Users\. Notice that Doug has a profile on the computer. This is where PROHIBITED the self-signed certificate is stored. It cannot be viewed in the Microsoft Management Console (MMC) Certificates snap-in unless Doug logs on locally to the server.
2.Navigate to C:\Users\Doug\AppData\roaming\Microsoft\SystemCertificates\My\Certificates. This is the folder that stores the self-signed certificate for Doug.2. Navigate to3. \\LON-DC1\Mod11Share.
PROHIBITED USE STUDENT .ONLY USE MCT