Download presentation
Presentation is loading. Please wait.
1
Configuring Encryption and Advanced Auditing
20411B 11: Configuring Encryption and Advanced Auditing Presentation: 40 minutes Lab: 40 minutes After completing this module, students will be able to: Encrypt files by using Encrypting File System (EFS). Configure advanced auditing. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_11.pptx. Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of Office PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Module 11 Configuring Encryption and Advanced Auditing
2
Configuring Advanced Auditing
20411B Module Overview 11: Configuring Encryption and Advanced Auditing Configuring Advanced Auditing Briefly describe the module content.
3
Lesson 1: Encrypting Files by Using Encrypting File System
11: Configuring Encryption and Advanced Auditing Demonstration: Encrypting a File by Using EFS Briefly describe the lesson content.
4
EFS encryption acts as an additional layer of security
20411B What Is EFS? 11: Configuring Encryption and Advanced Auditing EFS is a feature that can encrypt files that are stored on an NTFS–formatted partition EFS encryption acts as an additional layer of security EFS can be used with no pre-configuration EFS is commonly used to protect data on mobile computers. It is used less often on networks, but because the default configuration allows users to use EFS on file shares, students should be made aware of the possibility.
5
Symmetric encryption is used to protect the data
20411B How EFS Works 11: Configuring Encryption and Advanced Auditing Symmetric encryption is used to protect the data Public key encryption is used to protect the symmetric key If students are not familiar with encryption, spend a few minutes discussing symmetric key versus public-key encryption. Also, be sure to link public key encryption with certificates, the public key, and the private key. If EFS files are shared among users, then the FEK is encrypted and stored once for each user. FEK header File Encrypted file Public key Symmetric file with FEK in header File Encryption FEK header Encrypted file File Decryption Symmetric key File Private key
6
Recovering EFS–Encrypted Files
20411B Recovering EFS–Encrypted Files 11: Configuring Encryption and Advanced Auditing To ensure you can recover EFS encrypted files, you should: Back up user certificates Configure a recovery agent You must back up the recovery key to: Secure against system failure Make the recovery key portable Stress to students that if their organization is going to use and support EFS, they should obtain certificates from a certification authority (CA) so that they can be distributed and backed up automatically.
7
Demonstration: Encrypting a File by Using EFS
11: Configuring Encryption and Advanced Auditing In this demonstration, you will see how to: Verify that a computer account supports EFS on a network share Use EFS to encrypt a file on a network share View the certificate used for encryption Test access to an encrypted file Preparation Steps Start the 20411B-LON-DC1 and 20411B-LON-CL1 virtual machines. Log on to 20411B-LON-DC1 as Adatum\Administrator with the password of Pa$$w0rd. Do not log on to 20411B-LON-CL1 until directed to do so. Demonstration Steps Verify that a computer account supports EFS on a network share On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers. In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Domain Controllers. Right-click LON-DC1, and then click Properties. In the LON-DC1 Properties dialog box, on the Delegation tab, verify that Trust this computer for delegation to any service (Kerberos only) is selected, and then click Cancel. This setting is on by default for domain controllers, but needs to be enabled for most file servers to support EFS. Close Active Directory® Users and Computers. Use EFS to encrypt a file on a network share On LON-CL1, log on as Adatum\Doug with a password of Pa$$w0rd. On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter. In Windows® Explorer, right-click an open area, point to New, and then click Microsoft Word Document. Type MyEncryptedFile, and then press Enter to name the file. Double-click MyEncryptedFile to open it. If necessary, click OK to set the user name. Click Don’t make changes and then click OK. (More notes on the next slide)
8
11: Configuring Encryption and Advanced Auditing
20411B 11: Configuring Encryption and Advanced Auditing In the document, type My secret data, and then click the Save button. Close Microsoft® Word. Right-click MyEncryptedFile, and then click Properties. In the MyEncryptedFile Properties dialog box, on the General tab, click Advanced. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK. In the MyEncryptedFile Properties dialog box, click OK. Sign out of LON-CL1. View the certificate used for encryption On LON-DC1, in the Windows Explorer window, expand Computer, expand drive C, and then click Users. Notice that Doug has a profile on the computer. This is where the self-signed certificate is stored. It cannot be viewed in the Microsoft Management Console (MMC) Certificates snap-in unless Doug logs on locally to the server. In the Windows Explorer window, type C:\Users\Doug\Appdata\ and then press Enter. Expand Roaming, expand Microsoft, expand SystemCertificates, expand My, and then expand Certificates. This is the folder that stores the self-signed certificate for Doug. Test access to an encrypted file On LON-CL1, log on as Adatum\Alex with a password of Pa$$w0rd. On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter. Double-click MyEncryptedFile. If necessary, click OK to set the user name. Click OK to clear the access denied message. Click Don’t make changes, click OK. Close Microsoft Word.
9
Lesson 2: Configuring Advanced Auditing
20411B Lesson 2: Configuring Advanced Auditing 11: Configuring Encryption and Advanced Auditing Demonstration: Configuring Advanced Auditing Briefly describe the lesson content.
10
Overview of Audit Policies
20411B Overview of Audit Policies 11: Configuring Encryption and Advanced Auditing Audit events in a category of activities, such as: Access to NTFS files and folders Account or object changes in AD DS Logon Assignment of use of user rights By default, domain controllers audit success events for most categories Goal: Align audit policies with corporate security policies Over-auditing: Logs are too big to find important events Under-auditing: Important events are not logged Spend some time talking about the concepts and procedures related to auditing. Explain to students that, at a bare minimum, they should configure audit policies according to their business and security requirements, and then monitor the security event logs. However, some types of auditing require an additional step: configuring the system access control list (SACL) to specify exactly what activities should be audited. For example, file and folder access requires configuring the Object Access audit policy, and specifying on the Auditing tab of the Advanced Security Settings dialog box exactly which success and failure events should be audited. Be certain that students understand the dangers of both under-auditing and over-auditing, and that they see the value in aligning audit policy with the (preferably written) IT security and usage policies of their organization. If students start discussing compliance and regulations such as the Sarbanes-Oxley Act of 2002 (SOX), it’s important to remind them that few if any regulations actually specify what needs to be audited. They simply require that an organization have controls in place. Furthermore, they do not dictate exactly what those controls should be. For obvious reasons, organizations err on the “over-auditing” side when they are subject to oversight and regulation, but it is important not to audit unimportant or unnecessary events to avoid performance implications.
11
Specifying Auditing Settings on a File or Folder
20411B Specifying Auditing Settings on a File or Folder 11: Configuring Encryption and Advanced Auditing Auditing settings for a file or folder are specified by modifying the SACL: Explain that there are three steps to auditing file and folder access in Windows Server® 2012: Specify auditing settings on the files and folders (this slide). Enable audit policy for object access (next slide). View audit events in the security log (following slide). Obviously, you cannot view events in the security log until the first two steps are complete, but there is no “correct order” to the first two steps. Both have to be completed, in any order, before audit events are logged. Full control will record all associated events Recording audit events will not occur until the audit policy is enabled
12
To enable Audit Policy by configuring Audit Policy settings in a GPO:
Enabling Audit Policy 11: Configuring Encryption and Advanced Auditing Explain to the students how and where audit policy is enabled. To enable Audit Policy by configuring Audit Policy settings in a GPO: Enable the appropriate settings in the GPO Apply the GPO to the AD DS location where your servers are located
13
Evaluating Events in the Security Log
20411B Evaluating Events in the Security Log 11: Configuring Encryption and Advanced Auditing View the audit events in the Details field in security log, and filter to reduce the number of events to examine: Ensure your students understand that audit entries are found in the security log, which can be accessed by using Event Viewer. Use this topic to reinforce the complete picture of auditing in Windows® operating systems.
14
Advanced Audit Policies
20411B Advanced Audit Policies 11: Configuring Encryption and Advanced Auditing Windows Server 2012 and Windows Server 2008 R2 provide the following additional set of Audit Policies to configure: Explain the advanced audit policy configuration settings to the students, and describe how they provide greater control over auditing capability in Windows Server 2012 and Windows Server 2008 R2. Consider opening a Group Policy Object (GPO) on LON-DC1 in the Group Policy Management Editor to show students the specific settings available in each group. These settings are found under: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies
15
Demonstration: Configuring Advanced Auditing
20411B Demonstration: Configuring Advanced Auditing 11: Configuring Encryption and Advanced Auditing In this demonstration, you will see how to create and edit a Group Policy Object for Audit Policy configuration Preparation Steps To perform this demonstration, you will need the 20411B-LON-DC1 virtual machine. This machine should be running from the previous demonstration. Demonstration Steps Create and edit a GPO for audit policy configuration On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management. In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double- click Adatum.com, right-click Group Policy Objects, and then click New. In the New GPO window, type File Audit in the Name field, and then press Enter. Double-click the Group Policy Objects container, right-click File Audit, and then click Edit. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access. Double-click Audit Detailed File Share. In the Properties window, select the Configure the following events check box. Select the Success and Failure check boxes, and then click OK. Double-click Audit Removable Storage. Select the Success and Failure check box, and then click OK. Close the Group Policy Management Editor. Close Group Policy Management.
16
Lab: Configuring Encryption and Advanced Auditing
Exercise 2: Configuring Advanced Auditing Exercise 1: Encrypting and Recovering Files Your organization wants to allow users to start encrypting files with EFS. However, there are concerns about recoverability. To enhance the management of the certificates used for EFS, you are going to configure an internal CA to issue certificates to users. You will also configure a recovery agent for EFS, and verify that the recovery agent can recover files. Exercise 2: Configuring Advanced Auditing Your manager has asked you to track all access to file shares that are stored on LON-SVR1. You also need to be aware of any time a user accesses a file on a removable storage device that is attached to the server. You have decided to implement the appropriate object access settings by using Advanced audit policy Configuration. Virtual machines: B-LON-DC1 20411B-LON-CL1 20411B-LON-SVR1 User name: Adatum\Administrator Password: Pa$$w0rd Logon Information Estimated Time: 40 minutes
17
20411B Lab Scenario 11: Configuring Encryption and Advanced Auditing A. Datum is a global engineering and manufacturing company with head office based in London, United Kingdom. An IT office and data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure. You have been asked to configure the Windows Server environment to protect sensitive files, and to ensure that access to files on the network is audited appropriately. You have also been asked to configure auditing for the new server.
18
20411B Lab Review 11: Configuring Encryption and Advanced Auditing In Exercise 1, Task 1, why were you asked to generate a new Data Recovery Agent certificate by using the AdatumCA certification authority (CA)? What are the benefits of placing servers in an organizational unit (OU), and then applying audit policies to that OU? What is the reason for applying audit policies across the entire organization? Question: In Exercise 1, Task 1, why were you asked to generate a new Data Recovery Agent certificate by using the AdatumCA certification authority (CA)? Answer: The AdatumCA CA is recognized as a trusted authority for computers that are joined to the domain. Generating the certificate from AdatumCA makes the certificate more portable and more convenient to use than a self-signed certificate that are generated from a Windows Server 2012 computer. Question: What are the benefits of placing servers in an organizational unit (OU), and then applying audit policies to that OU? Answer: You can target specific servers to record audit events, rather than having the auditing process apply across the entire enterprise. This is especially important when auditing records a large amount of events. Writing a large amount of events to physical disks on all servers in the organization could cause significant performance issues. Question: What is the reason for applying audit policies across the entire organization? Answer: If you are trying to pinpoint a general problem, or if you are unsure where a specific event is occurring, targeting a larger group of servers may be necessary to capture the event. In this case, event filtering can be used to search for a specific audit event.
19
Module Review and Takeaways
20411B Module Review and Takeaways 11: Configuring Encryption and Advanced Auditing Tools Review Questions Question Some users are encrypting files that are stored on network shares to protect them from other departmental users with NTFS permissions to those files. Is this an effective way to prevent users from viewing and modifying those files? Answer Yes. An EFS–encrypted file cannot be opened or modified by unauthorized users. By default, only the user that encrypted the file and the recovery agent can decrypt the file. Why might EFS be considered a problematic encryption method in a widely-distributed network file server environment? EFS encryption is based primarily on personal certificates, which are commonly stored in a user profile. The ability to decrypt files relies strictly on access to the certificate in the profile, which may not be available, depending on the computer to which the user is logging on. You have configured an audit policy by using Group Policy to apply to all of the file servers in your organization. After enabling the policy and confirming that the Group Policy settings are being applied, you discover that no audit events are being recorded in the event logs. What is the most likely reason for this? To audit file access, you must configure files or folders to audit specific events. If you do not do so, the audit events will not be recorded. Tools Tool Used to Where to find it? Group Policy Management Console Manage GPOs containing audit policy settings Server Manager - Tools Event Viewer View audit policy events
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.