Chapter 6, Securing File Resources
|1| Chapter Overview
Securing Access to File Resources
Securing Access to Print Resources
Planning EFS Security
Chapter 6, Lesson 1
|2| Securing Access to File Resources
|3| 1. Designing Share Security
A. Share permissions
1. Used to secure network access to data
2. Can be established for folders located on
FAT, FAT32, NTFS, and CDFS volumes
3. Affect only network users
4. Combine with NT file system (NTFS)
permissions to fully secure file access
|4| B. Configuring share permissions
1. Introduction
a. To enable shared folders, edit the
Sharing tab of the folder properties.
b. The maximum number of allowed sessions can
be limited.
c. To configure precise permission settings,
click Permissions.
|5| 2. Standard share permissions
a. Full Control
(1) Allows the assigned security principal to
create, delete, and modify any content within the shared folder
(2) If located on NTFS, allows the security
principal to take ownership of or to change permissions on the files or folders
within the shared folder
b. Change
(1) Allows a security principal to read, write,
create, or modify any content within the shared folder
c. Read
(1) Allows a security principal to read, copy,
or execute any content within the shared folder
|6| C. Changes to shares in Microsoft Windows 2000
1. With down-level clients, if a logical
drive letter was assigned to a file share, a fake root directory is established
at the shared folder.
2. In Windows 2000, the default behavior
allows the root directory to be established at the shared folder.
3. Establishing the root directory at the
shared folder provides additional security because the user cannot navigate to
any folders above or at the same level in the folder hierarchy.
4. Down-level clients still require separate
shares to be established for each user home directory.
|7| D. Making the decision: designing secure
share permissions
1. Remove Full Control permission from the
Everyone group.
a. In high-security networks, the default
permission assignment grants more permissions than are required.
b. Users should never require more than
Change permission.
Question:
What happens if share permissions are assigned to user accounts?
2. Assign share permissions to domain local
groups, not to user accounts.
a. Manage share permissions by modifying
group memberships rather than by editing the permissions of each shared folder.
Question:
Why should you inspect the entire folder hierarchy within the shared folder
before assigning share permissions?
3. Assign the maximum permission that a
security principal will require for the folder hierarchy below the shared
folder.
a. Shared permissions should never exceed
the required level of access for all folders within the shared folder.
b. Inspect the entire folder hierarchy
contained within the shared folder.
|8| E. Applying the decision: designing secure
share permissions for Wide World Importers
1. Establish two separate shares for Wide
World Importers.
a. Washington share: \\Washington\Applications
(1) Users: Read
(a) Users only require Read permission to
find and run application software.
(2) Administrators: Full Control
(a) Full Control permission is required to
modify permissions on files and to update files.
(b) Change permission can be implemented
instead if administrators are not required to change permissions.
b. Dallas share: \\Dallas\Applications
(1) Graphics Users: Change
(2) Graphics Admins: Change
(a) Common Graphics global group: Lisa and
David
(b) Template Admins global group: Stefan and
Linda
(3) Administrators: Full Control
(a) Full Control permission is required to
modify permissions on files and to update files.
(b) Change permission can be implemented
instead if administrators are not required to change permissions.
|9| 2. Planning NTFS Security
A. Overview
1. NTFS permissions affect both network
users and users at the computer console.
2. NTFS allows permissions to be set for
individual files within a folder.
3. The ability to set permissions on files
allows more flexibility when designing the security model for file access.
|10| B. Changes in the Windows 2000 NTFS file
system
1. Encryption
a. EFS allows file-level and directory-level
encryption.
b. EFS allows a user to perform encryption.
c. Only the user who performed the
encryption or a designated EFS recovery agent can decrypt protected files.
2. Quotas
a. NTFS allows storage space restrictions to
be set for each volume.
b. Quotas can be applied for each user to
limit the amount of disk space in which a user can store data on a volume.
3. Permission inheritance
a. Permissions propagate to subfolders and
file objects within the parent folder.
b. This reduces the effort required to modify
the permissions of multiple files and subfolders.
c. If permissions for a resource are
inherited, they cannot be removed directly.
|11| C. Assessing NTFS permissions
1. Overview
a. Define most permissions by using the
predefined permissions.
b. Predefined NTFS permissions are
compilations of several special permissions.
c. Security groups are included in each ACE
in the DACL.
d. The DACL contains one ACE for each level
of access defined for an object.
|12| 2. Predefined NTFS folder permissions
a. Full Control
b. Modify
c. Read & Execute
d. List Folder Contents
e. Read
f. Write
3. Predefined NTFS file permissions
a. Full Control
b. Modify
c. Read & Execute
d. Read
e. Write
|13| 4. NTFS special permissions
a. Traverse Folder/Execute File
b. List Folder/Read Data
c. Read Attributes
d. Read Extended Attributes
e. Create Files/Write Data
f. Create Folders/Append Data
g. Write Attributes
h. Write Extended Attributes
i. Delete Subfolders And Files
j. Delete
k. Read Permissions
l. Change Permissions
m. Take Ownership
n. Synchronize
|14| D. Making the decision: designing NTFS
permissions
1. Assign only the necessary permissions.
a. Ensures excess permissions are never
granted
b. Prevents accidental use of excess
permissions
2. Create a custom domain local group for
each type of access.
a. Create separate ACEs for each type of
required access.
b. User access will be based on that user’s
group memberships.
3. ACEs defined directly on an object are
evaluated before any inherited ACEs.
Question:
If a user is a member of two groups, where one group is assigned Full Control
access to the folder and the other is assigned Deny Access, what will be the
user’s effective permissions?
4. Within a group of explicit ACEs,
access-denied ACEs are placed before access-allowed ACEs.
a. Ensures that access-denied ACEs take
precedence over access-allowed ACEs
5. If there are multiple inherited ACEs, the
ACEs are evaluated in the following order: from those closest to the object
(first) to those farthest from the object (last).
a. Ensures that any explicit ACEs applied to
the file or folder containing the file are evaluated before any inherited ACEs
6. Use security templates and Group Policy
to standardize NTFS permissions.
a. Define security templates that set
prescribed NTFS permissions.
b. Security templates can be imported into
Group Policy to ensure that they are applied to all computers within the
container where the Group Policy is applied.
E. Applying the decision: NTFS permission
design for Wide World Importers
|15| 1. NTFS permissions for the Washington office
a. Users: Read & Execute
(1) Separate NTFS permissions for individual
files in the Microsoft Office folder are not necessary.
(2) Users are allowed to read data and execute
programs.
b. Administrators: Full Control
|16| 2. NTFS permissions for the Dallas office
a. \\Dallas\Applications
(1) Administrators: Full Control
(2) Graphics: Read & Execute
b. \\Dallas\Applications\Adobe Photoshop\Common Graphics
(1) Common Graphics: Modify
c. \\Dallas\Applications\QuarkXPress\Templates
(1) Templates: Modify
|17| 3. Combining Share and NTFS Security
|18| A. Evaluating effective permissions
1. Evaluate share permissions.
2. Evaluate NTFS permissions.
3. Determine the most restrictive
permissions.
B. Designing effective permissions
1. Designate either share permissions or
NTFS permissions as the primary permissions.
2. Define a more granular level of security
by designating the effective security through NTFS permissions.
3. Evaluate all folders below a shared
folder to determine the highest level of permissions that a security group will
require, and set the share permissions at that level.
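As an added worked example (not part of the course notes, and not a Windows API), the following Go program models the two evaluation rules this lesson has set out: the order in which the ACEs of a DACL are evaluated for NTFS (explicit before inherited, nearer ancestor before farther, deny before allow at each level) and the share-plus-NTFS rule that the effective network permission is the most restrictive of the two. The Rights bitmask, the mapping of the Read, Change and Full Control share levels and of Read & Execute, Modify and Full Control onto that mask, the ACE type and the group names are all constructed for the example. It answers the earlier question about a user who is in one group assigned Full Control and another assigned Deny Access, and works the Dallas Common Graphics folder through the share cap.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rights is a simplified NTFS access mask (constructed for this example).
type Rights uint32

const (
	ReadData    Rights = 1 << iota // List Folder/Read Data
	WriteData                      // Create Files/Write Data
	Execute                        // Traverse Folder/Execute File
	Delete                         // Delete
	ChangePerms                    // Change Permissions
	TakeOwner                      // Take Ownership
)

var rightNames = []string{"ReadData", "WriteData", "Execute", "Delete", "ChangePermissions", "TakeOwnership"}

// Predefined levels as the outline describes them: Change (share) and Modify (NTFS) allow read,
// write, create and delete; only Full Control adds Change Permissions and Take Ownership.
const (
	ReadExecute Rights = ReadData | Execute
	Modify      Rights = ReadExecute | WriteData | Delete
	FullControl Rights = Modify | ChangePerms | TakeOwner
)

// ShareLevels maps the three share permissions onto the rights they allow over the network.
var ShareLevels = map[string]Rights{"Read": ReadExecute, "Change": Modify, "Full Control": FullControl}

// ACE is one DACL entry. Depth 0 is explicit on the object; depth n is inherited from the n-th ancestor.
type ACE struct {
	Trustee string
	Allow   bool
	Rights  Rights
	Depth   int
}

// canonicalOrder sorts ACEs the way Windows evaluates them: explicit before inherited,
// nearer ancestor before farther, and deny before allow within each depth.
func canonicalOrder(dacl []ACE) []ACE {
	out := append([]ACE(nil), dacl...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Depth != out[j].Depth {
			return out[i].Depth < out[j].Depth
		}
		return !out[i].Allow && out[j].Allow
	})
	return out
}

// EvaluateNTFS returns the rights a principal with the given group memberships holds. A deny
// met first blocks those rights; an allow met first keeps them even if a farther inherited
// deny follows, which is why explicit ACEs must be evaluated before inherited ones.
func EvaluateNTFS(dacl []ACE, groups []string) Rights {
	member := map[string]bool{}
	for _, g := range groups {
		member[g] = true
	}
	var granted, denied Rights
	for _, ace := range canonicalOrder(dacl) {
		if !member[ace.Trustee] {
			continue
		}
		if ace.Allow {
			granted |= ace.Rights &^ denied
		} else {
			denied |= ace.Rights
		}
	}
	return granted
}

// Effective applies the share-plus-NTFS rule: the most restrictive of the two, i.e. their intersection.
func Effective(share, ntfs Rights) Rights { return share & ntfs }

// Describe renders a right set for display.
func Describe(r Rights) string {
	if r == 0 {
		return "(no access)"
	}
	var names []string
	for i, n := range rightNames {
		if r&(Rights(1)<<i) != 0 {
			names = append(names, n)
		}
	}
	return strings.Join(names, "|")
}

func main() {
	// The lesson's question: one group holds Full Control, another is denied access.
	dacl := []ACE{{Trustee: "Graphics Admins", Allow: true, Rights: FullControl},
		{Trustee: "Contractors", Allow: false, Rights: FullControl}}
	fmt.Println("Full Control + Deny ->", Describe(EvaluateNTFS(dacl, []string{"Graphics Admins", "Contractors"})))
	// Dallas: share Change; NTFS Read & Execute inherited from the share root, Modify explicit on Common Graphics.
	common := []ACE{{Trustee: "Graphics", Allow: true, Rights: ReadExecute, Depth: 2},
		{Trustee: "Common Graphics", Allow: true, Rights: Modify}}
	ntfs := EvaluateNTFS(common, []string{"Graphics", "Common Graphics"})
	fmt.Println("Lisa on Common Graphics ->", Describe(Effective(ShareLevels["Change"], ntfs)))
}
```

The model computes effective rights bit by bit, which gives the same answer as the Windows access check that walks the ordered DACL and stops at the first deny covering a still-requested right. Changing the Depth of an ACE is the quickest way to see why an explicit allow survives an inherited deny while an inherited deny nearer the object still beats an allow inherited from farther up.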
|19| C. Understanding default share permissions
1. Full Control is assigned to the Everyone
group by default.
2. Default share permissions should be modified
if NTFS permissions are not monitored.
3. Full Control permissions include three
additional abilities over the Modify permission.
a. Delete files and folders that you don’t
otherwise have permission to delete
b. Take ownership of a file
c. Change permissions of a file
4. Full Control permissions are restricted
to network administrators.
5. An effective set of default permissions
for a shared folder is
a. Administrators: Full Control
b. Users: Change
c. If users require only Read access to a
folder, change the Users permissions to Read rather than using Change.
6. Change permissions
a. Allow users to create, read, delete, and
modify any files in the share.
b. Users cannot redefine security settings
within the folder.
|20| D. Making the decision: combining share and
NTFS permissions
1. Set share permissions at the highest
level of permissions required for the tree below.
a. Share permissions should not provide
excess privileges to a security principal.
2. Use NTFS permissions to define precise
access control.
a. NTFS permissions allow protection of both
files and folders.
b. Share permissions should be considered
only as an entry point to the file system.
3. Always use the NTFS file system for data.
a. If NTFS is not used as the file system,
the only option is to use share permissions.
b. Share permissions limit defining more
specific security for files and subfolders.
Question:
Why would you not want to assign Full Control permissions to
non-administrators?
4. Evaluate whether Full Control permission
is appropriate.
a. Full Control allows security principals
to redefine security for a resource.
b. Assign Full Control permissions only to
administrators.
c. Never assign permissions greater than
Modify to non-administrators.
|21| E. Applying the decision: Combining share and
NTFS permissions for Wide World Importers
1. Review of initial share and NTFS
permissions
a. The Washington and Dallas share and NTFS permissions do not assign excess permissions.
b. Share permission can remain set at the
default.
c. Default share permissions could result in
excess permissions if any of the NTFS permissions are applied incorrectly.
|22| 2. Documenting initial permission
assignments
a. Assists with troubleshooting problems
b. Documentation should include
(1) All folders where permissions are assigned
(2) Details on group membership
(3) Rationale for each permission assignment
Chapter 6, Lesson 2
|23| Securing Access to Print Resources
|24| 1. Introduction
A. Determine who is allowed to print to a
particular printer.
B. Determine the security of data as it is
transmitted to the printer.
C. Protect traffic to restricted printers,
such as check printers.
D. Prevent users from printing sensitive or
confidential material to public printers.
|25| 2. Assessing Printer Security
A. Printer permissions
1. Print
a. Can submit print jobs to a printer and
have the printer process the jobs
2. Manage documents
a. Can change document order and pause or
delete documents in the print queue
b. Allows users to manage their own print
jobs
c. Assigned to the Creator Owner group by
default
3. Manage printers
a. Can share a printer and change the
printer’s properties
B. Physical security
1. When printer output security is important
a. Put print devices in a secure location.
b. Use security cards or biometric input to
access the device.
|26| C. Protecting print resources
1. Use IPSec to protect data transmitted to
the print server.
2. Define IPSec policies that require IPSec
for any data transmissions.
3. IPSec cannot be used to print to a
physical print device directly attached to the network.
4. The print device must be locally attached
to the print server to ensure end-to-end security.
|27| 3. Making the Decision: Ensuring Printer Security
A. To restrict access to the printer to a
specific group of users
1. Change the default permissions to allow
Print permissions to only the domain local group.
2. Place users in a global group that is a
member of the domain local group.
B. To delegate administration of a printer
1. Make the security principal a member of
the Print Operators group.
2. Assign the Manage Printers permissions to
the security principal if delegation is to be restricted to a specific printer.
C. To prevent inspection of print jobs
1. Put printers that print confidential data
in restricted areas.
2. Attach the printers directly to the print
server.
3. Use IPSec between the clients and the
print server.
a. Network-attached printers cannot use
IPSec.
|28| 4. Applying the Decision: Printer Security for Wide World Importers
A. Change the default share permissions to
limit usage to the Graphics department.
B. Data transmissions to the film printer do
not need to be protected.
Chapter 6, Lesson 3
|29| Planning EFS Security
|30| 1. Introduction
A. EFS secures files that are stored locally.
B. EFS protects only the data stored on an
NTFS partition.
C. EFS does not provide network transport
security.
D. EFS planning should include a plan to
restore data in the event that recovery keys are lost.
E. Poor EFS planning can result in the
permanent loss of data.
|31| 2. Overview of the EFS Process
A. Understanding the EFS encryption process
1. Knowing how the EFS process encrypts data
helps to determine
a. Which user has encrypted a file using EFS
b. Who can recover an EFS encrypted file
2. Users enable the Encrypt Contents To
Secure Data attribute for a file or folder.
3. Administrators can encrypt all contents
of specific folders to ensure the security of confidential data.
|32| B. Encrypting EFS data
1. A File Encryption Key is generated for
each file to be encrypted.
a. The File Encryption Key is used to
encrypt the clear text document into an encrypted text format.
b. The encrypted document has two additional
header fields: the Data Decryption Field (DDF) and the Data Recovery Field
(DRF).
2. The File Encryption Key is encrypted with
the user’s EFS Encryption public key.
a. Only the user who holds the matching EFS
Encryption private key can decrypt the File Encryption Key.
b. The encrypted File Encryption Key is
stored in the DDF.
c. EFS encrypted files cannot be shared
between users.
3. The File Encryption Key is encrypted with
the EFS recovery agent’s EFS Recovery public key.
a. Only the user who holds the matching EFS
Recovery private key can decrypt the File Encryption Key.
b. The File Encryption Key is encrypted and
stored in the DRF.
c. When more than one EFS recovery agent is
defined, multiple DRFs are associated with a file.
d. The File Encryption Key is encrypted once
for each EFS recovery agent.
e. Each recovery agent can decrypt only the
DRF that was encrypted with that agent’s own EFS Recovery public key.
Note Copies of encrypted files stored in the Temp
directory may be unencrypted. To prevent unauthorized viewing, empty the Temp
directory regularly.
|33| C. Decrypting EFS data
1. Original user
a. The user’s EFS Encryption private key is
used to decrypt the File Encryption Key stored in the DDF.
b. The File Encryption Key is used to decrypt
the encrypted document.
c. The user sees no difference in behavior
when opening an encrypted or nonencrypted file.
2. EFS recovery agent
a. The EFS Recovery private key of the EFS
recovery agent is used to decrypt the File Encryption Key stored in the DRF.
b. The File Encryption Key is then used to
decrypt the encrypted document.
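The encrypt and decrypt paths just described, as an added Go model written for these notes (it is not the course’s code and not the real EFS implementation): one File Encryption Key per file, the FEK wrapped under the user’s public key into the DDF, the FEK wrapped once per recovery agent into a DRF, decryption by the user’s private key or by any agent’s private key, and an agent’s key opening only the DRF made with its own public key. AES-256-GCM and RSA-OAEP are assumed stand-ins for the algorithms EFS actually uses, NewKey stands in for certificate enrolment, and the refusal to encrypt when no recovery agent is supplied reflects the outline’s rule that EFS encryption is not possible without an Encrypted Data recovery agent defined.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile: the body ciphertext plus the two header fields the outline describes.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF               []byte   // Data Decryption Field: FEK wrapped with the user's EFS Encryption public key
	DRF               [][]byte // Data Recovery Fields: FEK wrapped once per EFS Recovery public key
}

// NewKey stands in for EFS certificate enrolment (assumed helper, not a Windows API).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// AES-256-GCM stands in for EFS's symmetric file cipher; RSA-OAEP (below) stands in for its FEK wrapping.
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: fresh FEK per file, body encrypted, FEK wrapped for the user (DDF) and once per agent (DRF); with no agent defined it refuses, as the outline's empty recovery policy implies.
func Encrypt(plaintext []byte, user *rsa.PublicKey, agents ...*rsa.PublicKey) (*EncryptedFile, error) {
	if len(agents) == 0 {
		return nil, fmt.Errorf("no Encrypted Data Recovery Agent defined: EFS encryption disabled")
	}
	buf := make([]byte, 32+12) // per-file AES-256 FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if ef.DDF, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, user, fek, nil); err != nil {
		return nil, err
	}
	for _, agent := range agents {
		drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.DRF = append(ef.DRF, drf)
	}
	return ef, nil
}

// openField unwraps the FEK held in one header field with priv and decrypts the body.
func openField(ef *EncryptedFile, priv *rsa.PrivateKey, field []byte) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, field, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// DecryptAsUser is the original user's path: the EFS Encryption private key unwraps the DDF.
func DecryptAsUser(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	return openField(ef, priv, ef.DDF)
}

// Recover is the agent's path: only the DRF wrapped with this agent's own public key unwraps.
func Recover(ef *EncryptedFile, agentPriv *rsa.PrivateKey) ([]byte, error) {
	for _, drf := range ef.DRF {
		if pt, err := openField(ef, agentPriv, drf); err == nil {
			return pt, nil
		}
	}
	return nil, fmt.Errorf("no DRF matches this recovery agent's private key")
}

func main() {
	user, agent := NewKey(), NewKey()
	if ef, err := Encrypt([]byte("constructed confidential content"), &user.PublicKey, &agent.PublicKey); err == nil {
		pt, rerr := Recover(ef, agent)
		fmt.Printf("DRFs=%d, agent recovered %q (err=%v)\n", len(ef.DRF), pt, rerr)
	}
}
```

Two properties of the layout carry over to the planning advice in this lesson: the file body is encrypted once, so adding a second recovery agent costs one more DRF rather than re-encrypting data, and losing every private key that can open a DDF or DRF makes the file unrecoverable, which is why the agent’s private key has to be exported and stored safely.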
|34| 3. Designating an EFS Recovery Agent
A. Introduction
1. If an EFS recovery agent is not defined,
the EFS recovery attempts might fail.
a. Select the account that will be the EFS
recovery agent.
b. Define the public/private key pair that
will be used by the EFS process.
|35| B. The initial EFS recovery agent
1. When the computer is not a domain member
a. The initial Administrator account is
configured as the EFS recovery agent by default.
(1) The initial Administrator account might or
might not be named Administrator.
(2) The account name depends on the name
provided during setup for the initial account at the member server or
workstation.
b. The EFS Recovery certificate is a
self-issued certificate created by the OS.
|36| 2. When the computer is a domain member
a. The Default Domain Policy configures the
domain Administrator account as the EFS recovery agent.
b. The public key for EFS encryption is the
public key associated with the Administrator account of the first DC that was
installed into the domain.
c. This DC’s former Security Accounts
Manager (SAM) database is used to initially populate the domain.
d. The Administrator’s EFS Recovery
certificate is reconfigured as the EFS recovery agent in the Default Domain
Policy.
Note The EFS recovery agent is defined in the
following location of the Default Domain Policy: Computer Configuration\Windows
Settings\Security Settings \Public Key
Policies\Encrypted Data Recovery Agents.
e. The initial DC in the domain is the only
computer that has the associated private key.
f. If the private key is lost, EFS encrypted
files cannot be recovered.
g. To prevent the private key from being lost
(1) Export the private key to a safe location.
(2) Configure the Administrator account to have
a roaming profile, and then populate the roaming profile with the contents of
the Administrator’s profile from the initial DC.
h. The private key is stored in the local
user profile in secured storage.
i. The information stored in the user profile
is shared between multiple computers only when a roaming profile is configured.
Note If a roaming profile is configured for the
Administrator account and populated with the account’s profile from a DC or member
server other than the initial DC, the EFS recovery agent’s private key will be
permanently lost. This will prevent any files encrypted with the EFS recovery
agent’s public key from being decrypted.
|37| C. Configuring a custom EFS recovery agent
1. Define a new account as the EFS recovery
agent.
a. The new EFS recovery agent account
requires an EFS Recovery certificate but does not have to be a member of the
domain Administrators group.
b. The certificate template is available from
a Windows 2000 Enterprise Certification Authority (CA).
2. Import the EFS Recovery certificate into
the Default Domain Policy as the domain’s Encrypted Data recovery agent.
3. The imported public key is used to
encrypt the File Encryption Key stored in the DRF.
4. Multiple EFS Recovery certificates can be
imported into Group Policy to create multiple EFS recovery agents.
|38| D. Configuring an empty Encrypted Data
Recovery Agent policy
1. Prevent EFS encryption on the network by
deleting all current EFS recovery agent certificates in the Encrypted Data
Recovery Agent policy.
2. EFS encryption is not possible without
defining Encrypted Data recovery agents.
3. An empty policy exists when no recovery
agents are included in the Encrypted Data Recovery Agent policy.
4. The empty policy exists and is applied,
but no values are assigned from it.
5. The creation of an empty policy ensures
that local policy does not take precedence.
|39| E. Making the decision: planning EFS recovery
agents
Question:
Where should the Encrypted Data Recovery Agent be defined?
1. To ensure that all EFS encrypted files in
a domain can be recovered
a. Define an Encrypted Data Recovery Agent
in the Default Domain Policy.
Question:
What should be done to the Encrypted Data Recovery Agent policy to prevent EFS
encryption from being used?
2. To prevent EFS encryption from being used
a. Delete all existing recovery agent
certificates in the Encrypted Data Recovery Agent policy.
Question:
Can EFS encryption be disabled at the OU level? If so, how?
3. To prevent specific computers from using
EFS encryption
a. Place all computers that cannot use EFS
encryption in a separate OU or OU structure.
b. At the OU or parent OU, define a Group
Policy object that has an empty policy.
c. Initialize an empty policy from encrypted
data recovery agents in the Group Policy object.
Question:
Are EFS recovery agents a property of the computer or user? How does this
affect where they can be assigned?
4. Restrict EFS encryption to specific
users.
a. This cannot be done unless all users have
only one computer where they log on to the network.
b. EFS recovery agents are a property of the
computer, not the user.
|40| F. Applying the decision: planning EFS
recovery agents for Wide World Importers
1. Delete the default EFS recovery agent
from the Default Domain Policy.
2. Remove all entries from the Default
Domain Policy, but do not delete the policy.
3. Because no EFS recovery agent is defined,
EFS encryption is disabled on the domain member computers.
|41| 4. Recovering Encrypted Files
A. Assessing recovery of encrypted files
1. Establish a process for recovering
encrypted files.
2. Only the user who encrypted the file or
the designated recovery agent can decrypt an encrypted file.
B. To deploy an EFS recovery solution
1. Create a new account that will perform
the request for the EFS Recovery certificate.
2. Configure the permissions on the EFS
Recovery certificate template to allow the new account to have Enroll
permissions in Active Directory Sites And Services.
3. Request an EFS Recovery certificate when
logged on as the new account.
|42| 4. Export the key and the corresponding
private key to a PKCS#12 file and store the file on removable media.
Note A PKCS#12 file is a key export format that
allows the private key to be exported. The private key is protected by
assigning a strong password to the PKCS#12 file. Anyone who attempts to import
the key pair from the PKCS#12 file must provide the configured password.
5. Store the PKCS#12 file in a secure
location, such as a safe.
6. Import the public key into the Default
Domain Policy in the Encrypted Data Recovery Agent policy.
7. Delete the new account.
|43| C. To perform an EFS recovery
1. Determine the private key that can
perform the EFS recovery.
2. Import the private key into the
certificate store of any user account.
3. The user account now holds the
corresponding private key to the public key that was used to encrypt the File
Encryption Key.
|44| D. Determining the required private keys
1. Use the Efsinfo utility from the Microsoft Windows 2000 Server Resource Kit
to determine which private key is required to decrypt an EFS encrypted file.
2. Efsinfo parameters
a. Efsinfo [/U] [/R] [/C] [/I] [/Y] [/S:dir] [pathname […]]
(1) /U displays user information (default
option).
(2) /R displays recovery agent information.
(3) /C displays certificate thumbprint
information.
Note Do not confuse the certificate thumbprint
with the certificate serial number. These are two different attributes of a
certificate. The certificate thumbprint can be viewed by viewing the properties
of a certificate and inspecting the details page.
(4) /I continues performing the specified
operation even after errors have occurred; by default, Efsinfo stops when an
error is encountered.
(5) /Y displays the current EFS certificate
thumbprint on the local PC; the files specified might not be on this PC.
(6) /S performs the specified operation on
directories in the given directory and all subdirectories.
Note The Cipher.exe command allows the
administrator to launch bulk encryption and decryption processes.
|45| E. Making the decision: planning recovery of
encrypted files
Question:
When is it necessary to import a PKCS#12 file?
1. To restrict the ability to recover
encrypted files
a. Export the private key of the recovery
agent to a PKCS#12 file.
b. Import the file only when necessary to
recover an encrypted file.
Question:
What is the process used to restrict recovery to a specific workstation?
2. To restrict recovery to a specific
workstation
a. Create a new account to perform the
recovery.
b. Restrict the account to the desired
workstation.
c. Import the PKCS#12 file to restore the
private key for recovery.
Question:
What must you do to allow more than one private key to perform EFS recovery?
3. To allow more than one private key to
perform EFS recovery
a. Designate more than one certificate in
the Encrypted Data Recovery Agent policy.
Question:
When using the Efsinfo utility, which parameters should you use to determine
which user can decrypt a file?
4. To determine which users can decrypt a
file
a. Use Efsinfo /U /C to determine the
private key required to decrypt the DDF and decrypt the File Encryption Key.
Question:
When using the Efsinfo utility, which parameters should you use to determine
which recovery agents can decrypt a file?
5. To determine which recovery agents can
decrypt a file
a. Use Efsinfo /R /C to determine the
private key required to decrypt the DRF and decrypt the File Encryption Key.
|46| F. Applying the decision: recovering
encrypted files for Wide World Importers
1. Files encrypted before the computers were
rebuilt might still be recoverable.
a. A network administrator should run the
Efsinfo utility to determine the thumbprint of the certificate whose private key
can decrypt the DRF of the encrypted files.
2. Because Wide World Importers has not
configured the EFS recovery agent, the default EFS recovery agent probably was
previously configured.
a. The holder of the EFS recovery agent
private key is probably the Administrator account from the first DC installed
in the domain.
3. If a roaming profile has not been
implemented for the Administrator account, the private key for EFS recovery of
this account might be able to decrypt the DRF and decrypt the encrypted data
files.
|47| Chapter Summary
Designing share security
Planning NTFS security
Combining share and NTFS security
Assessing printer security
Overview of the EFS process
Designating an EFS recovery agent
Recovering encrypted files