Configuring Encryption and Advanced Auditing

Module 10: Configuring Encryption and Advanced Auditing
Presentation: 40 minutes

After completing this module, students will be able to:
Secure data by using Windows BitLocker Drive Encryption.
Encrypt files by using Encrypting File System (EFS).
Configure advanced auditing.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 20411C_MVA_09.pptx. Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of Office PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations.

Preparation for demonstrations
For this module, you will use the available virtual machine environment. Before you begin the module, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Sign in using the following credentials: User name: Adatum\Administrator, Password: Pa$$w0rd
6. Repeat steps 2 through 4 for 20411C-LON-SVR1 and 20411C-LON-CL1.
Note: When you are done with the demonstrations in this module, revert all virtual machines to their initial checkpoint.

Module Overview
Lesson 1: Encrypting Drives by Using BitLocker
Lesson 2: Encrypting Files by Using EFS
Lesson 3: Configuring Advanced Auditing

Notes: Briefly describe the module content.

Encrypting Drives by Using BitLocker

Lesson 1: Encrypting Drives by Using BitLocker
What Is BitLocker?
How BitLocker Works
BitLocker Requirements
Configuring BitLocker
Using Group Policy to Manage BitLocker
Demonstration: Configuring BitLocker
Recovering Drives Encrypted with BitLocker

Notes: Briefly describe the lesson content.

What Is BitLocker?
BitLocker is full-volume encryption with the following characteristics:
BitLocker can encrypt an entire volume or only the used space on it.
BitLocker can be combined with EFS.
BitLocker protects the integrity of the Windows boot process: with a TPM, the volume key is released only if the measured early boot components have not changed.
Some BitLocker features are usable only when a Trusted Platform Module (TPM) is present in the computer.

Notes: Mention some of the differences between EFS and BitLocker: BitLocker encrypts whole volumes and protects data while the operating system is offline (a lost or stolen disk or laptop), whereas EFS encrypts individual files and folders for specific users and still applies once the system is running and a user is signed in. Briefly mention that TPM chips are available on many of the computers sold for the last several years.

How BitLocker Works
Encryption uses the Advanced Encryption Standard (AES) with a 128-bit or a 256-bit key.
Automated deployment with Windows PowerShell for computers already in production.
New operating system deployments can enable BitLocker before the operating system files are written to the volume (pre-provisioning from Windows PE).
BitLocker can encrypt either:
Only the used space on the volume (fastest; suitable for newly provisioned volumes).
The whole volume (most secure for existing computers, because free space that may still hold remnants of deleted files is encrypted too).

Notes: Discuss the benefits of encrypting only used space on a volume. Also discuss when encrypting the entire volume is the best choice: when a server has been in production for a long time, its free space can still contain recoverable remnants of deleted data, and used-space-only encryption would leave that data exposed to disk forensics. Also mention the pros and cons of 128-bit versus 256-bit keys: AES-128 is the default and slightly faster; AES-256 gives a larger security margin at a small performance cost. Both are considered strong, so choose AES-256 where policy or compliance requires it.

BitLocker Requirements
BitLocker is supported on:
Windows Vista and newer Windows client operating systems.
Windows Server 2008 and newer Windows Server operating systems (installed as a feature).
Windows XP can read and copy data from a removable drive encrypted with BitLocker To Go, by using the read-only BitLocker To Go Reader on a FAT-formatted drive.
A TPM offers additional features such as:
System integrity verification.
Multifactor authentication (TPM plus PIN, TPM plus startup key, or TPM plus PIN and startup key).

Notes: Discuss the different options for multifactor authentication and the situations that might call for it, such as compliance, regulations, and high-security environments. Mention that, at the time of this course (Hyper-V in Windows Server 2012 R2), virtual machines do not have a virtual TPM available; drives encrypted by BitLocker in virtual machines must rely on a password or startup key and get no hardware-bound boot integrity check, so they are not as secure as BitLocker-protected drives on physical computers with TPMs. (Hyper-V in Windows Server 2016 and later can present a virtual TPM to generation 2 virtual machines.)

Configuring BitLocker
1. Enable the TPM on the computer (optional).
2. Add the BitLocker Drive Encryption feature on the server.
3. Configure Group Policy (or local Group Policy) for BitLocker settings. This is required if the computer does not have a TPM, because the Require additional authentication at startup policy must allow BitLocker without a compatible TPM before an operating system drive can be encrypted.
4. Turn on BitLocker on the desired volume(s).

Notes: Mention that the TPM is enabled in the computer's BIOS or UEFI firmware setup. Emphasize that Group Policy, which is covered in the next topic, handles most of the configuration of BitLocker. Also mention that students can manage BitLocker through Windows PowerShell (the BitLocker module, for example Enable-BitLocker and Get-BitLockerVolume) and the manage-bde command-line utility.

Using Group Policy to Manage BitLocker
Group Policy offers approximately 40 settings to manage and configure BitLocker. Some common settings are:
Choose drive encryption method and cipher strength.
Deny write access to fixed data drives/removable drives not protected by BitLocker.
Configure use of passwords for fixed data drives/removable data drives.
Require additional authentication at startup.
Allow network unlock at startup.

Notes: Discuss the strategy for deploying BitLocker across a large organization and some of the things to consider in such a deployment. Topics you could address with students include how to target TPM-enabled computers only (for example, with a separate OU or a WMI filter on the GPO), how to use higher security with BitLocker for portable computers (TPM plus PIN or startup key), and how to use Group Policy to minimize the administrative overhead of supporting the deployment.

Demonstration: Configuring BitLocker
In this demonstration, you will see how to configure BitLocker Drive Encryption on a computer running Windows Server 2012 R2.

Preparation Steps
To perform this demonstration, you will need the 20411C-LON-DC1 and 20411C-LON-SVR1 virtual machines. Start the virtual machines before the demonstration.

Demonstration Steps
Edit Group Policy to configure BitLocker:
1. Log in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double-click Adatum.com, expand Group Policy Objects, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand BitLocker Drive Encryption, and then click Fixed Data Drives.
5. In the right pane, double-click the Choose how BitLocker-protected fixed drives can be recovered setting.
6. In the Choose how BitLocker-protected fixed drives can be recovered window, click Enabled, ensure that the Save BitLocker recovery information to AD DS for fixed data drives check box is selected, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management console.
8. Switch to LON-SVR1.
(More notes on the next slide)

Notes: After BitLocker has been turned on, run Active Directory Users and Computers, find the computer object for LON-SVR1, and then go to the BitLocker Recovery tab. Show students the recovery information on the tab. Mention that it is stored in Active Directory Domain Services (AD DS) because of the Group Policy settings that were enabled as part of the demonstration. The demonstration edits the Default Domain Policy for brevity; in production, put BitLocker settings in a dedicated GPO linked to the OUs that contain the computers to be encrypted, so the settings can be scoped and rolled back without touching the domain-wide policy.
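The following Windows PowerShell script is an added example, not part of the course materials or the demonstration. It scripts the same outcome as the demonstration (fixed data drive recovery information escrowed to AD DS) and the two earlier topics, Configuring BitLocker and Using Group Policy to Manage BitLocker, using the GroupPolicy, ServerManager, TrustedPlatformModule, BitLocker and ActiveDirectory modules that ship with Windows Server 2012 R2. It assumes a dedicated GPO named "BitLocker Policy" linked to an OU "OU=Servers,DC=Adatum,DC=com" (both hypothetical), a fixed data volume E: on LON-SVR1 (hypothetical drive letter), and that the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those written by VolumeEncryption.admx; confirm them against the ADMX in your environment before relying on them.

```powershell
# Added example (not course code). Part 1 runs on LON-DC1 as a domain admin,
# Parts 2 and 3 run elevated on LON-SVR1. GPO name, OU and drive letter are
# hypothetical; registry value names are those used by VolumeEncryption.admx.
#Requires -RunAsAdministrator

# --- Part 1 (LON-DC1): define the BitLocker policy in a dedicated GPO ---------
Import-Module GroupPolicy
$gpoName = 'BitLocker Policy'                       # hypothetical GPO name
$ou      = 'OU=Servers,DC=Adatum,DC=com'            # hypothetical OU
$fve     = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ou | Out-Null
}
# "Choose how BitLocker-protected fixed drives can be recovered": allow recovery
# passwords/keys and a DRA, store recovery information in AD DS, and refuse to
# enable BitLocker until that backup has succeeded (the demonstration's setting).
$fixedDriveRecovery = @{
    FDVRecovery                     = 1   # policy enabled
    FDVManageDRA                    = 1   # allow a data recovery agent
    FDVRecoveryPassword             = 2   # allow 48-digit recovery password
    FDVRecoveryKey                  = 2   # allow 256-bit recovery key file
    FDVActiveDirectoryBackup        = 1   # save recovery information to AD DS
    FDVRequireActiveDirectoryBackup = 1   # do not enable until stored in AD DS
    FDVActiveDirectoryInfoToStore   = 1   # recovery passwords and key packages
}
foreach ($v in $fixedDriveRecovery.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpoName -Key $fve -ValueName $v.Key -Type DWord -Value $v.Value | Out-Null
}
# Computers without a TPM (virtual machines in this course) also need "Require
# additional authentication at startup" with "Allow BitLocker without a
# compatible TPM" before their operating system drive can be encrypted.
Set-GPRegistryValue -Name $gpoName -Key $fve -ValueName 'UseAdvancedStartup' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $fve -ValueName 'EnableBDEWithNoTPM' -Type DWord -Value 1 | Out-Null

# --- Part 2 (LON-SVR1): install the feature, enable BitLocker, escrow the key --
gpupdate.exe /target:computer /force | Out-Null
# The feature needs a restart before the BitLocker cmdlets and driver work;
# the rest of this part assumes that restart has already happened.
Install-WindowsFeature -Name BitLocker -IncludeManagementTools | Out-Null
Import-Module BitLocker

$tpm = Get-Tpm -ErrorAction SilentlyContinue        # TrustedPlatformModule module
if ($tpm -and $tpm.TpmReady) { 'TPM ready: the OS drive could use a TPM protector.' }
else                         { 'No usable TPM: relying on the no-TPM policy above.' }

$drive = 'E:'                                       # hypothetical fixed data drive
# Used-space-only is fine for a freshly provisioned volume; omit -UsedSpaceOnly
# for a volume that has held production data, so free space is encrypted too.
Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -UsedSpaceOnly `
                 -RecoveryPasswordProtector | Out-Null
# With FDVRequireActiveDirectoryBackup Windows escrows the password as part of
# enabling; the explicit backup below is what you would run for a volume that
# was encrypted before the policy existed, and is harmless to repeat.
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null

# --- Part 3: verify the volume state and the AD DS escrow ---------------------
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity 'LON-SVR1'
# Recovery information lives in msFVE-RecoveryInformation child objects of the
# computer account; this is what the BitLocker Recovery tab in ADUC displays.
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
             -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
             -Properties 'msFVE-RecoveryPassword', whenCreated |
    Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
```

Reading msFVE-RecoveryPassword requires delegated permission on those objects (Domain Admins have it by default); grant it to the helpdesk group that will perform recoveries rather than sharing administrator credentials.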

Recovering Drives Encrypted with BitLocker
The best way to ensure recoverability is to plan properly before deploying BitLocker.
Recovery options include:
Using the recovery key file (.BEK) saved when BitLocker was turned on.
Obtaining the 48-digit recovery password from AD DS.
Using a data recovery agent (DRA) certificate configured through Group Policy.
Using the original BitLocker password, if a password protector was configured.

Notes: Discuss some of the ramifications of moving forward with BitLocker before having security policies in place, configuring Group Policy, and educating users. Possible ramifications include inconsistent recovery options, the inability of the Information Technology (IT) department to recover BitLocker-protected drives quickly and easily, different levels of security settings, and the difficulty of achieving a consistent experience and configuration across the entire computing environment.
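As an added example (not part of the course materials), the script below performs the second recovery option, obtaining the recovery password from AD DS, and then does what a practitioner should do afterwards: retire the recovery password that has just been read aloud and escrow a fresh one. It assumes the ActiveDirectory and BitLocker modules, an account permitted to read msFVE-RecoveryPassword, a locked fixed data volume E: on LON-SVR1 (hypothetical), and the AD DS naming convention in which the msFVE-RecoveryInformation object's CN is "<timestamp>{<key protector GUID>}", so that the 8-character Password ID shown on the BitLocker recovery screen is the start of that GUID. The Password ID value used below is constructed.

```powershell
# Added example (not course code). Find-BitLockerRecoveryPassword runs wherever
# the AD module is available; the unlock and key rotation run on the affected
# computer. Drive letter and Password ID are hypothetical/constructed.
Import-Module ActiveDirectory, BitLocker

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # The first 8 hex characters of the key protector GUID, as displayed
        # on the recovery screen ("Password ID").
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                 -Properties 'msFVE-RecoveryPassword', whenCreated |
        Where-Object { $_.Name -like "*{$PasswordIdPrefix*" } |
        Select-Object @{ n = 'ObjectName';       e = { $_.Name } },
                      whenCreated,
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# 1. Look up the password from the ID the user reads out (constructed value).
$prefix = '3A2F9C41'
$hit = Find-BitLockerRecoveryPassword -ComputerName 'LON-SVR1' -PasswordIdPrefix $prefix
if (-not $hit) { throw "No recovery password with ID $prefix for LON-SVR1; check the name and ID." }
if (@($hit).Count -gt 1) { throw 'Ambiguous ID; supply more of the Password ID.' }

# 2. On LON-SVR1: unlock the volume with the 48-digit password.
$drive = 'E:'
Unlock-BitLocker -MountPoint $drive -RecoveryPassword $hit.RecoveryPassword | Out-Null

# 3. The password has now been disclosed to a person: add a new recovery
#    password, escrow it in AD DS, and only then remove the exposed one.
$old = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                      $_.KeyProtectorId -like "{$prefix*" }
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$new = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                      $_.KeyProtectorId -ne $old.KeyProtectorId }
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $new.KeyProtectorId | Out-Null
Remove-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $old.KeyProtectorId | Out-Null

# 4. Confirm exactly one, freshly escrowed, recovery password remains.
(Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId
```

The first option on the slide, a recovery key file, maps to `Unlock-BitLocker -MountPoint E: -RecoveryKeyPath <path to the .BEK file>`; unlocking with a DRA certificate is done with `manage-bde -unlock E: -Certificate -ct <thumbprint>`, which has no PowerShell cmdlet equivalent in Windows Server 2012 R2.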

Encrypting Files by Using EFS

Lesson 2: Encrypting Files by Using EFS
What Is EFS?
How EFS Works
Recovering EFS-Encrypted Files
Demonstration: Encrypting a File by Using EFS

Notes: Briefly describe the lesson content.

What Is EFS?
EFS can encrypt files that are stored on an NTFS-formatted partition.
EFS encryption acts as an additional layer of security on top of NTFS permissions.
EFS can be used with no pre-configuration: the first time a user encrypts a file, Windows issues a self-signed EFS certificate if no CA-issued one is available.

Notes: EFS is used more often to protect data on mobile computers than to protect data on file shares. Because users can save EFS-protected files on file shares, students should be aware of the possibility. Point out that on a file share it is the file server, impersonating the user, that encrypts and decrypts (which is why the server's computer account must be trusted for delegation, as shown in the demonstration); the file content therefore crosses the network in clear text unless the connection itself is protected, for example with SMB encryption or IPsec.

How EFS Works
Symmetric encryption is used to protect the data: each file is encrypted with its own randomly generated file encryption key (FEK).
Public key encryption is used to protect the symmetric key: the FEK is encrypted with the user's EFS public key and stored in the file header, and the user's private key is needed to decrypt it.

[Diagram. File encryption: file -> encrypted with the symmetric key (FEK) -> encrypted file; FEK -> encrypted with the user's public key -> stored in the header of the encrypted file. File decryption: FEK from the header -> decrypted with the user's private key -> used to decrypt the file.]

Notes: If the concept of encryption is new to your students, spend a few minutes discussing symmetric-key versus public-key encryption. Also be sure to link public key encryption with the concepts of certificates, the public key, and the private key. If users share EFS files, the FEK is encrypted and stored once for each user (one data decryption field per user in the file header), so adding a user does not require re-encrypting the file data.

Recovering EFS-Encrypted Files
To ensure that you can recover EFS-encrypted files, you should:
Back up user certificates, including their private keys.
Configure a data recovery agent (DRA), whose public key is used to encrypt an additional copy of each file's FEK.
You must back up the recovery agent's certificate and private key to:
Secure against system failure.
Make the recovery key portable.

Notes: Stress to students that if their organizations will use and support EFS, they should obtain certificates from a certification authority (CA) so that they can be distributed and backed up automatically (for example, through key archival on an enterprise CA), rather than depending on self-signed certificates that exist only in one user's profile.

Demonstration: Encrypting a File by Using EFS
In this demonstration, you will see how to:
Verify that a computer account supports EFS on a network share.
Use EFS to encrypt a file on a network share.
View the certificate used for encryption.
Test access to an encrypted file.

Preparation Steps
Start the 20411C-LON-DC1 and 20411C-LON-CL1 virtual machines. Log in to 20411C-LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. Do not log in to 20411C-LON-CL1 until directed to do so.

Demonstration Steps
Verify that a computer account supports EFS on a network share:
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Domain Controllers.
3. Right-click LON-DC1, and then click Properties.
4. In the LON-DC1 Properties dialog box, on the Delegation tab, verify that Trust this computer for delegation to any service (Kerberos only) is selected, and then click Cancel. This setting is on by default for domain controllers, but needs to be enabled for most file servers to support EFS.
5. Close Active Directory Users and Computers.

Use EFS to encrypt a file on a network share:
1. On LON-CL1, log in as Adatum\Doug with the password Pa$$w0rd.
2. On the Start screen, type \\LON-DC1\Mod10Share, and then press Enter.
3. In File Explorer, right-click an open area, point to New, and then click Microsoft Word Document.
4. Type MyEncryptedFile, and then press Enter to name the file.
5. Double-click MyEncryptedFile to open it. If necessary, click Close on the Microsoft Office Activation Wizard, click Ask me later in the First things first window about update installations, and then click Accept to close the window.
(More notes on the next slide)
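The script below is an added example, not part of the course materials or the demonstration. It covers this lesson end to end: the delegation check from the demonstration, encrypting a file on the share, inspecting the per-user FEK entries that the How EFS Works topic describes, and the certificate backup and recovery agent preparation from Recovering EFS-Encrypted Files. It assumes the ActiveDirectory and PKI modules, the \\LON-DC1\Mod10Share share from the demonstration, a second user's exported EFS certificate at C:\Certs\Doug.cer and a DRA output path C:\Certs\EFS-DRA (both hypothetical), and that it runs as the user who owns the file.

```powershell
# Added example (not course code). Share name comes from the demonstration;
# certificate paths are hypothetical. Run as the file's owner on a domain client.
Import-Module ActiveDirectory, PKI

# 1. A file server can encrypt on a remote user's behalf only if its computer
#    account is trusted for delegation (the demonstration's Delegation tab).
$fs = Get-ADComputer -Identity 'LON-DC1' -Properties TrustedForDelegation
if (-not $fs.TrustedForDelegation) {
    # Unconstrained delegation is a high-privilege change; do it through change control.
    Set-ADComputer -Identity $fs -TrustedForDelegation $true
}

# 2. Encrypt a file on the share and confirm the Encrypted attribute.
#    [IO.File]::Encrypt is the same operation as the Explorer check box.
$file = '\\LON-DC1\Mod10Share\MyEncryptedFile.txt'
if (-not (Test-Path $file)) { Set-Content -Path $file -Value 'constructed sample content' }
[System.IO.File]::Encrypt($file)
$isEncrypted = ((Get-Item $file).Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set: $isEncrypted"

# 3. List who holds a copy of the file's FEK: one entry per user under
#    "Users who can decrypt", plus any recovery agents.
cipher.exe /c $file

# 4. Share the file with a second user. EFS encrypts the FEK once more with
#    that user's public key and adds a header entry; the data is not re-encrypted.
cipher.exe /adduser /certfile:C:\Certs\Doug.cer $file      # hypothetical path
cipher.exe /c $file                                         # now shows two users

# 5. Back up the current user's EFS certificate and private key. Without this
#    (or a CA-issued certificate with key archival) a lost profile means lost files.
$efsEku = '1.3.6.1.4.1.311.10.3.4'       # "Encrypting File System" enhanced key usage
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    $pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX backup'
    Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\efs-backup.pfx" `
                          -Password $pfxPassword | Out-Null
    "Backed up EFS certificate $($cert.Thumbprint) to $env:USERPROFILE\efs-backup.pfx"
}

# 6. Prepare a data recovery agent: cipher /r writes EFS-DRA.cer (to import into
#    the GPO at Computer Configuration\Policies\Windows Settings\Security Settings\
#    Public Key Policies\Encrypting File System) and EFS-DRA.pfx (the private key,
#    to be stored offline). Files encrypted after the policy applies get a DRA entry.
cipher.exe /r:C:\Certs\EFS-DRA                              # hypothetical path
```

The PFX and the DRA .pfx file are the keys to every file they can open; store them offline, protect them with the same controls as a password vault, and delete the exported copies from the user's profile afterwards.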

Configuring Advanced Auditing

Lesson 3: Configuring Advanced Auditing
Advanced Audit Policies
Demonstration: Configuring Advanced Auditing

Notes: Briefly describe the lesson content.

Advanced Audit Policies
Windows Server 2012 and Windows Server 2008 R2 provide an additional set of Advanced Audit Policy settings, organized into categories such as Account Logon, Logon/Logoff, Object Access and Policy Change, that give finer-grained control than the nine basic audit policy categories.

Notes: Explain the Advanced Audit Policy Configuration settings to the students, and describe how they provide greater control over auditing capability in Windows Server 2012 and Windows Server 2008 R2. Consider opening a Group Policy Object (GPO) on LON-DC1 in the Group Policy Management Editor to show students the specific settings available in each group. These settings are under: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies. Point out that advanced and basic audit policy should not be mixed in the same environment: Microsoft recommends enabling the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security option so that the subcategory settings win, and that the effective policy on a computer can be checked with auditpol /get /category:*.

Demonstration: Configuring Advanced Auditing
In this demonstration, you will see how to create and edit a Group Policy Object for audit policy configuration.

Preparation Steps
To perform this demonstration, you will need the 20411C-LON-DC1 virtual machine. This machine should be running from the previous demonstration.

Demonstration Steps
Create and edit a GPO for audit policy configuration:
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double-click Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, type File Audit in the Name field, and then press Enter.
4. Double-click the Group Policy Objects container, right-click File Audit, and then click Edit.
5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.
6. Double-click Audit Detailed File Share. In the Properties window, select the Configure the following audit events check box. Select the Success and Failure check boxes, and then click OK.
7. Double-click Audit Removable Storage. Select the Configure the following audit events check box, select the Success and Failure check boxes, and then click OK.
8. Close the Group Policy Management Editor.
9. Close Group Policy Management.

Notes: A GPO created in the Group Policy Objects container is not linked anywhere, so the File Audit GPO does nothing until it is linked to the domain or to an OU that contains the file servers. Mention that Detailed File Share records an event (ID 5145 in the Security log) for every access check against a share without needing a SACL on the files, so on a busy file server it generates a large volume of events.
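As an added example (not part of the course materials), the script below finishes what the demonstration starts: it links the File Audit GPO, verifies on the file server that the two subcategories are in effect and that subcategory settings override the legacy categories, and then reads the Security log to summarise who accessed which share and whether the access was denied. It assumes the GroupPolicy module on the machine that links the GPO, an OU "OU=Servers,DC=Adatum,DC=com" (hypothetical) containing the file server, and that the query part runs elevated on that server.

```powershell
# Added example (not course code). Part 1 runs on LON-DC1; Parts 2 and 3 run
# elevated on the file server. The OU is hypothetical.

# --- Part 1 (LON-DC1): link the GPO the demonstration created ----------------
Import-Module GroupPolicy
$ou = 'OU=Servers,DC=Adatum,DC=com'                 # hypothetical OU
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq 'File Audit'
if (-not $linked) { New-GPLink -Name 'File Audit' -Target $ou | Out-Null }

# --- Part 2 (file server): confirm the effective audit policy ----------------
gpupdate.exe /target:computer /force | Out-Null
auditpol.exe /get /subcategory:"Detailed File Share"
auditpol.exe /get /subcategory:"Removable Storage"
# Advanced (subcategory) settings only win over the legacy category settings
# when SCENoApplyLegacyAuditPolicy is 1 (the "Force audit policy subcategory
# settings ... to override" security option).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
"Subcategory override in force: $($lsa.SCENoApplyLegacyAuditPolicy -eq 1)"

# --- Part 3 (file server): summarise share access from event 5145 ------------
function Get-ShareAccessSummary {
    param([int]$MaxEvents = 1000)
    # Detailed File Share writes 5145 ("A network share object was checked to
    # see whether client can be granted desired access") for every share access.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $outcome = 'Success'
        if ($e.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = $outcome
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Client  = $d['IpAddress']
            Share   = $d['ShareName']
            Path    = $d['RelativeTargetName']
            Access  = $d['AccessMask']
        }
    }
}

# Failures first: repeated denied access from one client is the pattern worth
# investigating (permission probing or a misconfigured service account).
Get-ShareAccessSummary |
    Group-Object Outcome, User, Share |
    Sort-Object @{ e = { $_.Name -like 'Failure*' }; Descending = $true }, Count -Descending |
    Select-Object Count, Name
```

Audit Removable Storage produces event 4663 with the task category Removable Storage; the same XML parsing applies, with `Id = 4663` in the filter hashtable.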

Additional Resources & Next Steps
Instructor-Led Courses: 20411C: Administering Windows Server 2012
Books: Exam Ref 70-411: Administering Windows Server 2012
Exams & Certifications: Exam 70-411: Administering Windows Server 2012