Configuring and Troubleshooting Access to Encrypted Resources

advertisement
Troubleshoot Access,
Authentication, and
User Account Control
Issues
Lesson 8
Technology Skill
Troubleshooting UAC
Application Compatibility
Issues
Configuring and
Troubleshooting Access to
Encrypted Resources
Objective Domain Skill
Domain #
Troubleshoot deployment
1.5
issues
• Resolve application
compatibility issues
Configure and troubleshoot 2.6
access to resources
Understanding EFS
EFS and BitLocker
2.6
Using the Encrypting File
System Wizard
EFS and BitLocker
2.6
Skills Matrix
Technology Skill
Troubleshooting EFS
Objective Domain Skill
EFS and BitLocker
Domain #
2.6
Configuring EFS Group
Policy Settings
EFS and BitLocker
2.6
Understanding BitLocker
EFS and BitLocker
2.6
Configuring BitLocker
Group Policy
EFS and BitLocker
2.6
Troubleshooting
Authentication Issues
Troubleshoot
authentication issues
2.7
Skills Matrix
Technology Skill
Troubleshooting User
Name and Password
Objective Domain Skill
User name and password
Domain #
2.7
Understanding and
Renewing Smart Card
Certificates
• Certificates
• Smart cards
2.7
Understanding User
Account Control
Configure and troubleshoot 2.8
User Account Control
Understanding the
Principle of Least Privilege
Configure and
troubleshoot User Account
Control
Skills Matrix
2.8
Technology Skill
Objective Domain Skill
Understanding the Consent Configure credential
UI
prompts
Understanding the Secure
Desktop
Understanding Admin
Approval Mode
Skills Matrix
Domain #
2.8
Configure and troubleshoot 2.8
User Account Control
Administrator vs. standard 2.8
user
Technology Skill
Understanding File and
Registry Virtualization
Objective Domain Skill
Resolve UAC virtualization
issues
Domain #
2.8
Troubleshooting UAC
Application Compatibility
Issues
Troubleshoot application
issues
2.8
Configuring UAC Group
Policy
• Configure credential
prompts
• Troubleshoot policy
settings
2.8
Skills Matrix
Understanding User Account
Control

User Account Control (UAC) is primarily an effort
to reduce the exposure and attack surface of the
operating system by requiring that all users run
in standard user mode unless it is necessary to
do otherwise. Essentially, User Account Control
enforces the principle of least privilege.
Understanding User Account Control
Understanding User Account
Control (cont.)

The principle of least privilege limits exposure to
security threats by limiting user privileges to the
minimum required to complete required tasks.

The principle of least privilege is an important
principle in IT security.
Understanding User Account Control
Understanding the Consent UI

The Consent UI consists of UAC dialog boxes
that prompt for consent or administrator
credentials when you attempt a task that
requires elevated privileges.
Understanding User Account Control
Understanding the Secure
Desktop

The Secure Desktop helps to prevent hackers
from circumventing the UAC Consent UI.

The Secure Desktop is a desktop that Windows
Vista uses to protect against malware fooling
users into selecting an option that they do not
mean to accept by altering the user interface
(UI).
Understanding User Account Control
Understanding the Secure
Desktop (cont.)

Just before a Consent UI appears, Secure
Desktop takes a picture of the desktop,
converts it to grayscale, dims it, and replaces
your background with it. Then Windows Vista
launches an instance of terminal services that
displays the Consent UI.
Understanding User Account Control
Understanding Admin Approval
Mode

Admin Approval Mode is a mode in which
administrators must give consent for
applications to use the administrator token.

The UAC in Windows Vista implements a split
token when you log on as an administrator,
which means that you are issued two tokens: an
administrator token (AT) and a standard user
token (SUT).
Understanding User Account Control
Understanding Admin Approval
Mode (cont.)

The AT is filtered to create the SUT by removing
privileges.

When you are logged on as an administrator,
any process that you start by default receives
your SUT. If a process you start requests an AT,
then the process is issued your AT only after you
grant consent through the Consent UI.
Understanding User Account Control
Understanding Admin Approval
Mode (cont.)

When you start a process (application),
Windows Vista issues the SUT by default. A
process can be excepted from the default if one
or more of the following is true:
 If you right-clicked and selected Run as
administrator
 If you used the Ctrl + Shift + Enter shortcut to
start an application
Understanding User Account Control
Understanding Admin Approval
Mode (cont.)

A process can be excepted from the default if
one or more of the following is true (cont.):
 If the Run this program as an administrator check
box in the Compatibility tab is selected
 If Windows Vista guesses it is an installer
 If the Program Compatibility Assistant has
marked it as requiring administrative privileges
Understanding User Account Control
Understanding Admin Approval
Mode (cont.)

A process can be excepted from the default if
one or more of the following is true (cont.):
 If the application has a Vista manifest indicating
that it requires administrative privileges
 If the Sysmain.sdb database file has it marked as
requiring administrative privileges
 If it is started by a process that is running with
elevated privileges. In this case, no consent UI is
presented.
Understanding User Account Control
Understanding Changes to User
Accounts

The Power Users group has been deprecated,
and standard users have increased privileges.

There are only two account types in Windows
Vista: standard user and administrator.

Windows Vista allows some tasks to be
completed by standard users that were
previously only completed by administrators.
Understanding User Account Control
Understanding File and Registry
Virtualization

File and registry virtualization increases
compatibility with legacy applications by
redirecting reads and writes to sensitive areas of
the hard drive and registry.
Understanding User Account Control
Troubleshooting UAC Application
Compatibility Issues

Like many security innovations, UAC can cause
compatibility issues with legacy applications.
The following are some manifestations of
compatibility issues caused by UAC.
 Windows Vista may not correctly detect an
installer, uninstaller, or updater.
 Applications that require administrative privileges
but run by using a SUT token may have tasks
that fail.
Understanding User Account Control
Troubleshooting UAC Application
Compatibility Issues (cont.)

The following are some manifestations of
compatibility issues caused by UAC (cont.).
 Applications may fail to perform tasks for which
the current user does not have necessary
permissions.
 Control panel applications that perform
administrative tasks and make global changes
may not function properly.
Understanding User Account Control
Troubleshooting UAC Application
Compatibility Issues (cont.)

The following are some manifestations of
compatibility issues caused by UAC (cont.).
 DLL applications that run using RunDLL32.EXE
may not function properly if they perform global
operations.
Understanding User Account Control
Configuring UAC Group Policy

UAC Group Policy is configured in Computer
Configuration > Windows Settings > Security
Settings > Local Policies > Security Options.
Understanding User Account Control
Configuring UAC Group Policy
Settings

Open the Group Policy Object Editor with
administrator credentials.
•
Expand Computer Configuration > Windows
Settings > Security Settings > Local Policies,
and then select Security Options. All of the UAC
Group Policy settings start with User Account
Control.
Understanding User Account Control
Configuring and Troubleshooting
Access to Encrypted Resources

Encrypting File System and BitLocker are used
to encrypt data. Part of an administrator’s job is
to ensure that those people that should have
access to encrypted resources do have access
and to make encryption as transparent to users
as possible.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding EFS

EFS has the following characteristics:
 EFS uses a strong public key-based cryptography.
The encrypted encryption keys are stored within
the file and are decrypted with a private key.
 Users with roaming profiles or redirected folders
cannot use EFS unless the files being encrypted
are stored locally.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding EFS (cont.)

EFS has the following characteristics (cont.):
 You can use EFS to encrypt and decrypt files on
remote systems, but not to encrypt transmission
of files across the network.
 Files or folders that are compressed cannot be
encrypted. If you mark a compressed file or
folder for encryption, that file or folder will be
uncompressed and then encrypted.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding EFS (cont.)
•
EFS has the following characteristics (cont.):
 Encrypted files become decrypted if you copy or
move them to a volume that is not an NTFS
volume.
 Moving unencrypted files into an encrypted folder
will automatically encrypt those files. However,
the reverse operation will not automatically
decrypt files.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding EFS (cont.)
•
EFS has the following characteristics (cont.):
 Files marked with the System attribute cannot be
encrypted, nor can files in the systemroot
directory.
 Anyone with the appropriate permissions can
delete or list encrypted folders or files. For this
reason, using EFS in combination with NTFS
permissions is recommended.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding EFS (cont.)

File encryption keys are also encrypted
separately with the private keys of any recovery
agents for the domain. This allows the recovery
agents to decrypt files in case a user loses his
private key.

Recovery agent – User that can decrypt
encrypted data in the domain.
Configuring and Troubleshooting
Access to Encrypted Resources
Using the Encrypting File System
Wizard

Windows Vista introduces the Encrypting File
System Wizard in Control Panel. You can use the
wizard to do the following:
 Select an EFS certificate and key to use for EFS
 Create a new EFS certificate and key
 Back up an EFS certificate and key
 Restore an EFS certificate and key
Configuring and Troubleshooting
Access to Encrypted Resources
Using the Encrypting File System
Wizard (cont.)

You can use the wizard to do the following
(cont.):
 Set EFS to use an EFS certificate and key located
on a smart card
 Put an EFS certificate and key on a smart card
 Update previously encrypted files to use a
different certificate and key
Configuring and Troubleshooting
Access to Encrypted Resources
Troubleshooting EFS

The primary problems you will encounter with
EFS are lost certificates and file sharing of
encrypted files.
Configuring and Troubleshooting
Access to Encrypted Resources
Exporting an EFS Certificate

To share an encrypted file between users, log on
as the user for which you want to export a
certificate and click Start.
•
In the Start Search text box, key certmgr.msc
and then press Enter. The Microsoft
Management Console (MMC) appears with the
Certificate Manager Snap-in loaded.
Configuring and Troubleshooting
Access to Encrypted Resources
Exporting an EFS Certificate (cont.)
•
In the console tree, expand Personal, and then
select Certificates.
•
In the details pane, right-click the certificate
that you want to export, point to All Tasks, and
then click Export. The Certificate Export Wizard
appears.
•
Click Next. The Export Private Key page
appears.
Configuring and Troubleshooting
Access to Encrypted Resources
Exporting an EFS Certificate (cont.)
•
Select No, do not export the private key.
•
Click Next. The Export File Format page
appears. Select the format that you want to use.
•
Click Next. The File to Export page appears.
•
In the File name text box, enter a path and
filename, or click Browse to browse for the file.
Configuring and Troubleshooting
Access to Encrypted Resources
Exporting an EFS Certificate (cont.)
•
Click Next. The Completing the Certificate
Export Wizard page appears. Click Finish.
•
In the Certificate Export Wizard message box
confirming the export, click OK.
Configuring and Troubleshooting
Access to Encrypted Resources
Importing a Certificate from a
Trusted Person

To give another user access to an encrypted file
by adding that user’s certificate to the file, open
certmgr.msc.
•
In the console tree of the Certificate Manager
Snap-in, right-click Trusted People, point to All
Tasks, and then select Import.
•
Click Next. The File to Import page appears.
Configuring and Troubleshooting
Access to Encrypted Resources
Importing a Certificate from a
Trusted Person (cont.)
•
In the File name text box, enter the path and
filename of the certificate that you want to
import.
•
Click Next. The Certificate Store page appears.
•
The wizard selects the Place all certificates in
the following store option by default. Ensure
that Trusted People is present in the Certificate
store text box, and then click Next.
Configuring and Troubleshooting
Access to Encrypted Resources
Importing a Certificate from a
Trusted Person (cont.)
•
The Completing the Certificate Import Wizard
page appears. Verify that the wizard lists the
correct settings, and then click Finish.
•
In the Certificate Import Wizard message box
announcing the successful import, click OK.
Configuring and Troubleshooting
Access to Encrypted Resources
Importing/Restoring from Backup
an EFS Certificate/Private Key

To access an EFS encrypted file from two
different computers or to restore an EFS
certificate and private key that you backed up
earlier, open certmgr.msc.
•
In the console tree of the Certificate Manager
Snap-in, right-click Personal, point to All Tasks,
and then select Import.
Configuring and Troubleshooting
Access to Encrypted Resources
Importing/Restoring from Backup
an EFS Certif./Private Key (cont.)
•
Click Next. The File to Import page appears.
•
In the File name text box, enter the path and
filename of the certificate that you want to
import, or click Browse to locate the file.
•
Click Next. Depending on what type of
certificate you are importing, the remaining
pages of the wizard will vary. Follow the
onscreen prompts to complete the import.
Configuring and Troubleshooting
Access to Encrypted Resources
Adding a Certificate to an EFS
Encrypted File
User Access to Path
dialog box for an
example file and
user
Configuring and Troubleshooting
Access to Encrypted Resources
Renewing a Certificate for a
Recovery Agent

If encryption failed and you receive the following
message: “Recovery policy configured for this
system contains invalid recovery certificate,” it is
likely that you need to renew one or more
certificates for recovery agents.
Configuring and Troubleshooting
Access to Encrypted Resources
Renewing a Certificate for a
Recovery Agent (cont.)

Open certmgr.msc.
•
In the console tree of the Certificates console,
expand Personal, and then select Certificates.
•
In the details pane, right-click the certificate
that you want to renew, and point to All Tasks.
•
Point to Advanced Operations, and then select
Renew this certificate with the same key.
Configuring and Troubleshooting
Access to Encrypted Resources
Renewing a Certificate for a
Recovery Agent (cont.)
•
Click Next. The Request Certificates page
appears. Click Enroll.
•
The new certificate is issued, and the
Certificate Installation Results page appears.
•
Click Finish.
Configuring and Troubleshooting
Access to Encrypted Resources
Configuring EFS Group Policy
Settings

EFS Group Policy settings are configured in
Computer Configuration > Windows Settings >
Security Settings > Public Key Policies >
Encrypting File System.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding BitLocker

BitLocker – Encrypts all of the data stored on
the Windows operating system volume and
works in conjunction with Trusted Platform
Modules.

Bitlocker is available in Vista Enterprise and
Vista Ultimate.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding BitLocker (cont.)

BitLocker can work in conjunction with Trusted
Platform Module (TPM) version 1.2 or higher.

When you start your computer, the TPM
compares a hash of a subset of operating
system files to a hash calculated earlier of the
same operating system files. Only if the two
hashes are exactly equal does your computer
boot normally.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding BitLocker (cont.)

BitLocker can also be used without a TPM, in
which case the encryption keys are stored on a
USB flash drive that is required to decrypt the
data stored on a volume secured with BitLocker.

Because BitLocker encrypts the entire volume
independent of the operating system, encryption
is not easily compromised even if a hacker has
physical access to the hard drive.
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding BitLocker (cont.)

To assist in preparing a drive for BitLocker, you
can use the BitLocker Drive Preparation Tool,
which will help you to:
 Create the second volume that BitLocker requires
 Migrate the boot files to the new volume
 Make the new volume an active volume
Configuring and Troubleshooting
Access to Encrypted Resources
Understanding BitLocker (cont.)

Recovery mode – Mode present before
Windows has started in which you can provide
credentials to cause BitLocker to allow the
operating system to boot. You will need to
supply the recovery password to leave recovery
mode and boot normally.
Configuring and Troubleshooting
Access to Encrypted Resources
Preparing for BitLocker by Using
the Drive Preparation Tool


Install the BitLocker Drive Preparation Tool. The
BitLocker Drive Preparation Tool creates a new
partition, from which it creates a new disk called
Local Disk (S:).
The new partition is set as the active partition,
meaning that your computer will boot from it.
Configuring and Troubleshooting
Access to Encrypted Resources
Preparing for BitLocker by Using
the Drive Preparation Tool (cont.)

Log on with an administrator account.
•
Click Start > All Programs > Accessories >
System Tools > BitLocker > BitLocker Drive
Preparation Tool. A User Account Control dialog
box appears.
•
Click Continue. The BitLocker Drive Preparation
Tool Wizard appears. Click I Accept if you accept
the terms of the license agreement.
Configuring and Troubleshooting
Access to Encrypted Resources
Preparing for BitLocker by Using
the Drive Preparation Tool (cont.)
•
The Preparation Drive for BitLocker page
appears. Read the cautions, and then click
Continue.
•
The tool will prepare your drive, which can take
substantial time. When the process is complete,
click Finish.
•
In the BitLocker Drive Encryption message box,
click Restart Now.
Configuring and Troubleshooting
Access to Encrypted Resources
Accessing the Manage BitLocker
Keys Wizard

Windows Vista provides a wizard that you can
use to manage your BitLocker keys.
•
Click Start, click Control Panel, and then click
Security.
•
Click Manage BitLocker keys under BitLocker
Drive Encryption. A User Account Control dialog
box appears.
Configuring and Troubleshooting
Access to Encrypted Resources
Accessing the Manage BitLocker
Keys Wizard (cont.)
•
Provide administrator credentials, and then click
OK.
•
The Manage BitLocker Keys Wizard appears.
Follow the instructions in the wizard.
Configuring and Troubleshooting
Access to Encrypted Resources
Configuring BitLocker Group
Policy

BitLocker Group Policy settings are located in
Computer Configuration > Administrative
Templates > Windows Components > BitLocker
Drive Encryption.
Configuring and Troubleshooting
Access to Encrypted Resources
Troubleshooting Authentication
Issues

Most authentication issues concern user names
and passwords. Other common authentication
issues involve authentication by using smart
cards.
Troubleshooting Authentication Issues
Finding a User’s User Name
Find Users, Contacts,
and Groups dialog box
enables you to find
active directory
objects, such as a
user.
Troubleshooting Authentication Issues
Resetting a User’s Password
Reset Password
dialog box
Troubleshooting Authentication Issues
Understanding and Renewing
Smart Card Certificates

Smart card – Plastic card about the size of a
credit card that contains a microprocessor.
Smart cards are commonly used to store digital
signatures, authenticate users, and store
encryption keys to encrypt or decrypt data.

Smart card certificates are used in conjunction
with a PIN number to authenticate a user to the
domain.
Troubleshooting Authentication Issues
Renewing a Certificate

Many enterprise environments will use
certificate autoenrollment.

Certificate autoenrollment – Feature of
Windows Server 2003 Enterprise Edition that
automatically uses the existing certificate to sign
a renewal request for a new certificate before
the existing certificate expires.
Troubleshooting Authentication Issues
Renewing a Certificate (cont.)

Open the Certificate Manager console.
•
Expand Personal, and then select Certificates.
•
In the details pane, right-click the certificate
that you want to renew, and point to All Tasks.
•
Do one of the following: Click Renew Certificate
with New Key, or Point to Advanced Operations
and click Renew this certificate with the same
key.
Troubleshooting Authentication Issues
Renewing a Certificate (cont.)
•
The Certificate Enrollment Wizard appears.
•
Click Next. The Request Certificate page
appears.
•
Click Enroll. The certificate is renewed, and the
Certificate Installation Results page appears.
Click Finish.
Troubleshooting Authentication Issues
Approving a Certificate Request

Log on to the issuing certificate authority and
open the Certification Authority console.
•
In the Certification Authority console, expand
the certificate authority, and then select Pending
Requests.
•
Right-click the pending certificate in the details
pane that you want to issue, point to All Tasks,
and then click Issue. The certificate is issued.
Troubleshooting Authentication Issues
You Learned

User Account Control increases security by
helping to enforce the principle of least
privilege.

The principle of least privilege limits exposure to
security threats by limiting user privileges to the
minimum required to complete required tasks.
Summary
You Learned (cont.)

The Consent UI is a collection of UAC dialog
boxes that prompt for consent or for
administrator credentials when you attempt a
task that requires elevated privileges.

The Secure Desktop helps to prevent hackers
from circumventing the UAC Consent UI.
Summary
You Learned (cont.)

Admin Approval Mode is a mode in which
administrators must give consent for
applications to use the administrator token.

The Power Users group has been deprecated,
and standard users have increased privileges.
Summary
You Learned (cont.)

File and registry virtualization increases
compatibility with legacy applications by
redirecting reads and writes to sensitive areas of
the hard drive and registry.

UAC, like many security innovations, can cause
compatibility issues with legacy applications.

You can simultaneously centrally manage the
behavior of UAC for many computers by using
Group Policy.
Summary
You Learned (cont.)

Encrypting File System and BitLocker are used
to encrypt data. Part of an administrator’s job is
to ensure that those people who should have
access to encrypted resources do have access
and to make encryption as transparent to users
as possible.

The Encrypting File System Wizard can help
users to manage their encrypted files and EFS
certificates.
Summary
You Learned (cont.)

The primary troubleshooting issues you will
encounter with EFS are lost certificates and how
to help users share encrypted files.

You learned how to export an EFS certificate and
an associated private key.

You learned how to import a certificate from a
trusted person.
Summary
You Learned (cont.)

You learned how to import or restore from
backup an EFS certificate and private key.

You learned how to add a certificate to an EFS
encrypted file.

You learned how to renew a certificate for a
Recovery Agent.

You learned how to configure EFS Group Policy
settings.
Summary
You Learned (cont.)

BitLocker encrypts all of the data stored on the
Windows operating system volume and works in
conjunction with Trusted Platform Modules.

You learned how to prepare a drive for BitLocker
by using the BitLocker Drive Preparation Tool.
You learned how to access the Manage BitLocker
Keys Wizard.

Summary
You Learned (cont.)

You can configure the behavior of BitLocker by
using Group policy.

Most authentication issues concern user names
and passwords. Other common authentication
issues involve authentication by using smart
cards.

You learned how to finding a user’s user name
and reset a user’s password.
Summary
You Learned (cont.)

Smart card certificates are used in conjunction
with a PIN number to authenticate a user to the
domain.

You learned how to renew a certificate and
approve a certificate request.
Summary
Download