Lesson 8: Troubleshoot Access, Authentication, and User Account Control Issues

Skills Matrix

Technology Skill | Objective Domain Skill | Domain #
Troubleshooting UAC Application Compatibility Issues | Troubleshoot deployment issues • Resolve application compatibility issues | 1.5
Configuring and Troubleshooting Access to Encrypted Resources | Configure and troubleshoot access to resources | 2.6
Understanding EFS | EFS and BitLocker | 2.6
Using the Encrypting File System Wizard | EFS and BitLocker | 2.6
Troubleshooting EFS | EFS and BitLocker | 2.6
Configuring EFS Group Policy Settings | EFS and BitLocker | 2.6
Understanding BitLocker | EFS and BitLocker | 2.6
Configuring BitLocker Group Policy | EFS and BitLocker | 2.6
Troubleshooting Authentication Issues | Troubleshoot authentication issues | 2.7
Troubleshooting User Name and Password | User name and password | 2.7
Understanding and Renewing Smart Card Certificates | Certificates • Smart cards | 2.7
Understanding User Account Control | Configure and troubleshoot User Account Control | 2.8
Understanding the Principle of Least Privilege | Configure and troubleshoot User Account Control | 2.8
Understanding the Consent UI | Configure credential prompts | 2.8
Understanding the Secure Desktop | Configure and troubleshoot User Account Control | 2.8
Understanding Admin Approval Mode | Administrator vs. standard user | 2.8
Understanding File and Registry Virtualization | Resolve UAC virtualization issues | 2.8
Troubleshooting UAC Application Compatibility Issues | Troubleshoot application issues | 2.8
Configuring UAC Group Policy | Configure credential prompts • Troubleshoot policy settings | 2.8

Understanding User Account Control

User Account Control (UAC) is primarily an effort to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode unless it is necessary to do otherwise. Essentially, User Account Control enforces the principle of least privilege.

The principle of least privilege limits exposure to security threats by limiting user privileges to the minimum required to complete required tasks. The principle of least privilege is an important principle in IT security.

Understanding the Consent UI

The Consent UI consists of UAC dialog boxes that prompt for consent or administrator credentials when you attempt a task that requires elevated privileges.

Understanding the Secure Desktop

The Secure Desktop helps to prevent hackers from circumventing the UAC Consent UI. The Secure Desktop is a desktop that Windows Vista uses to protect against malware fooling users into selecting an option that they do not mean to accept by altering the user interface (UI).

Just before a Consent UI appears, Secure Desktop takes a picture of the desktop, converts it to grayscale, dims it, and replaces your background with it. Then Windows Vista launches an instance of terminal services that displays the Consent UI.
Understanding Admin Approval Mode

Admin Approval Mode is a mode in which administrators must give consent for applications to use the administrator token. The UAC in Windows Vista implements a split token when you log on as an administrator, which means that you are issued two tokens: an administrator token (AT) and a standard user token (SUT).

The AT is filtered to create the SUT by removing privileges. When you are logged on as an administrator, any process that you start by default receives your SUT. If a process you start requests an AT, then the process is issued your AT only after you grant consent through the Consent UI.

When you start a process (application), Windows Vista issues the SUT by default. A process can be excepted from the default if one or more of the following is true:
• You right-clicked the application and selected Run as administrator.
• You used the Ctrl + Shift + Enter shortcut to start the application.
• The Run this program as an administrator check box on the Compatibility tab is selected.
• Windows Vista guesses that the application is an installer.
• The Program Compatibility Assistant has marked the application as requiring administrative privileges.
• The application has a Vista manifest indicating that it requires administrative privileges.
• The Sysmain.sdb database file has the application marked as requiring administrative privileges.
• The application is started by a process that is already running with elevated privileges. In this case, no Consent UI is presented.
Understanding Changes to User Accounts

The Power Users group has been deprecated, and standard users have increased privileges. There are only two account types in Windows Vista: standard user and administrator. Windows Vista allows some tasks to be completed by standard users that were previously only completed by administrators.

Understanding File and Registry Virtualization

File and registry virtualization increases compatibility with legacy applications by redirecting reads and writes to sensitive areas of the hard drive and registry.

Troubleshooting UAC Application Compatibility Issues

Like many security innovations, UAC can cause compatibility issues with legacy applications. The following are some manifestations of compatibility issues caused by UAC:
• Windows Vista may not correctly detect an installer, uninstaller, or updater.
• Applications that require administrative privileges but run by using a SUT may have tasks that fail.
• Applications may fail to perform tasks for which the current user does not have the necessary permissions.
• Control Panel applications that perform administrative tasks and make global changes may not function properly.
• DLL applications that run by using RunDLL32.EXE may not function properly if they perform global operations.

Configuring UAC Group Policy

UAC Group Policy is configured in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
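The split token, the Security Options policies and file/registry virtualization described above can all be inspected from the command line when an application misbehaves under UAC. The following PowerShell script is an added example for this lesson, not code from the course or from Microsoft. It assumes Windows Vista or later with PowerShell 2.0 or later; the registry values it reads are the ones that back the "User Account Control: ..." policies under Security Options, and treating a value of 0 as weak is the example's own baseline.

```powershell
# Added example (not part of the course material): inspect the UAC state of the
# local computer. Assumes Windows Vista or later with PowerShell 2.0 or later.
# The registry values in Get-UacPolicy back the "User Account Control: ..."
# policies under Security Options; calling a value of 0 "weak" is this
# example's own baseline, not a rule from the course.

function Get-TokenState {
    # Reports which of the two split tokens (AT or SUT) this process received.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $inAdmins  = @($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }).Count -gt 0
    # With the SUT, Administrators is still present in the token but marked
    # "use for deny only", so IsInRole() returns $false until you elevate.
    New-Object PSObject -Property @{
        User                 = $identity.Name
        AdministratorsMember = $inAdmins
        Elevated             = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-UacPolicy {
    # Reads the effective UAC settings; a value of 0 on any of these turns off
    # the protection that the corresponding policy provides.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    $checks = @(
        @{ Value = 'EnableLUA';                  Policy = 'Run all administrators in Admin Approval Mode' },
        @{ Value = 'PromptOnSecureDesktop';      Policy = 'Switch to the secure desktop when prompting for elevation' },
        @{ Value = 'EnableInstallerDetection';   Policy = 'Detect application installations and prompt for elevation' },
        @{ Value = 'EnableVirtualization';       Policy = 'Virtualize file and registry write failures to per-user locations' },
        @{ Value = 'ConsentPromptBehaviorAdmin'; Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode' }  # 0 = elevate without prompting
    )
    foreach ($c in $checks) {
        $data = $props.($c.Value)
        New-Object PSObject -Property @{
            Policy = "User Account Control: $($c.Policy)"
            Data   = $data
            Weak   = ($data -ne $null -and $data -eq 0)
        }
    }
}

function Get-VirtualStoreWrites {
    # Lists what legacy applications have written through virtualization:
    # writes aimed at Program Files or Windows land under %LOCALAPPDATA%\VirtualStore,
    # writes aimed at HKLM\Software land under HKCU\Software\Classes\VirtualStore.
    # An application whose saved settings "disappear" for other accounts is
    # usually writing here rather than to the real location.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'
    $files = @(); $keys = @()
    if (Test-Path $fileStore) {
        $files = @(Get-ChildItem -Path $fileStore -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
    }
    if (Test-Path $regStore) {
        $keys = @(Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    }
    New-Object PSObject -Property @{ VirtualizedFiles = $files; VirtualizedKeys = $keys }
}

Get-TokenState
Get-UacPolicy | Format-Table Policy, Data, Weak -AutoSize
Get-VirtualStoreWrites
```

Run Get-TokenState once from a normal prompt and once from a prompt started with Run as administrator: the same account shows AdministratorsMember true in both, but Elevated only in the second, which is the split token in practice. A Weak result from Get-UacPolicy is the first thing to compare against the Security Options settings when a compatibility complaint arrives, and a VirtualStore listing that contains the application's data files explains why its settings are per user instead of global.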
Configuring UAC Group Policy Settings

• Open the Group Policy Object Editor with administrator credentials.
• Expand Computer Configuration > Windows Settings > Security Settings > Local Policies, and then select Security Options.
• All of the UAC Group Policy settings start with User Account Control.

Configuring and Troubleshooting Access to Encrypted Resources

Encrypting File System and BitLocker are used to encrypt data. Part of an administrator’s job is to ensure that those people who should have access to encrypted resources do have access and to make encryption as transparent to users as possible.

Understanding EFS

EFS has the following characteristics:
• EFS uses strong public key-based cryptography. The encrypted file encryption keys are stored within the file and are decrypted with a private key.
• Users with roaming profiles or redirected folders cannot use EFS unless the files being encrypted are stored locally.
• You can use EFS to encrypt and decrypt files on remote systems, but not to encrypt transmission of files across the network.
• Files or folders that are compressed cannot be encrypted. If you mark a compressed file or folder for encryption, that file or folder will be uncompressed and then encrypted.
• Encrypted files become decrypted if you copy or move them to a volume that is not an NTFS volume.
• Moving unencrypted files into an encrypted folder will automatically encrypt those files. However, the reverse operation will not automatically decrypt files.
• Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory.
• Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.
• File encryption keys are also encrypted separately with the private keys of any recovery agents for the domain. This allows the recovery agents to decrypt files in case a user loses his private key.

Recovery agent – A user that can decrypt encrypted data in the domain.

Using the Encrypting File System Wizard

Windows Vista introduces the Encrypting File System Wizard in Control Panel. You can use the wizard to do the following:
• Select an EFS certificate and key to use for EFS
• Create a new EFS certificate and key
• Back up an EFS certificate and key
• Restore an EFS certificate and key
• Set EFS to use an EFS certificate and key located on a smart card
• Put an EFS certificate and key on a smart card
• Update previously encrypted files to use a different certificate and key

Troubleshooting EFS

The primary problems you will encounter with EFS are lost certificates and file sharing of encrypted files.

Exporting an EFS Certificate

To share an encrypted file between users, start by exporting the certificate of the user who needs access:
• Log on as the user whose certificate you want to export, and click Start.
• In the Start Search text box, key certmgr.msc and then press Enter. The Microsoft Management Console (MMC) appears with the Certificate Manager snap-in loaded.
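The EFS characteristics listed above (compressed files, System-attribute files, non-NTFS volumes) and the recovery-agent entries in a file can be checked without opening a single dialog box. The following PowerShell script is an added example for this lesson, not code from the course; it assumes Windows Vista or later, where cipher.exe is the in-box EFS command-line tool, and uses the user's Documents folder only as a sample path.

```powershell
# Added example (not from the course): inventory the EFS state of a folder and
# show who can decrypt each encrypted file. Assumes Windows Vista or later;
# the folder used below is just a sample path for this example.

function Get-EfsInventory {
    param([string]$Path)
    # Encrypted, Compressed and System are the file attributes the course
    # describes: compressed files are uncompressed before encryption, and
    # System-attribute files cannot be encrypted at all.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $attr = $_.Attributes
            New-Object PSObject -Property @{
                File       = $_.FullName
                Encrypted  = [bool]($attr -band [IO.FileAttributes]::Encrypted)
                Compressed = [bool]($attr -band [IO.FileAttributes]::Compressed)
                System     = [bool]($attr -band [IO.FileAttributes]::System)
            }
        }
}

function Test-EfsDrive {
    param([string]$Path)
    # Only NTFS keeps EFS metadata: copying an encrypted file to a FAT32 volume
    # (a USB stick, for instance) silently produces a plaintext copy.
    $root  = [IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    $drive = New-Object IO.DriveInfo($root)
    New-Object PSObject -Property @{
        Root       = $root
        FileSystem = $drive.DriveFormat
        EfsCapable = ($drive.DriveFormat -eq 'NTFS')
    }
}

function Show-EfsAccess {
    param([string]$File)
    # cipher /c prints the users whose certificates can decrypt the file and
    # the recovery agents whose private keys can recover it. If the recovery
    # agent you expect is missing, files encrypted before the agent was added
    # still carry only the old recovery entries.
    & cipher.exe /c $File
}

$folder = Join-Path $env:USERPROFILE 'Documents'   # sample path for this example
Test-EfsDrive -Path $folder
$inventory = Get-EfsInventory -Path $folder

# Encrypted files, and whether any still carry the Compressed flag (they should not).
$inventory | Where-Object { $_.Encrypted } | Format-Table File, Compressed -AutoSize

# Unencrypted System-attribute files inside a folder marked for encryption are
# worth a second look: EFS skips them, so they stay in plaintext.
$inventory | Where-Object { $_.System -and -not $_.Encrypted } | Format-Table File -AutoSize

# Show the users and recovery agents for the first encrypted file found.
$inventory | Where-Object { $_.Encrypted } | Select-Object -First 1 |
    ForEach-Object { Show-EfsAccess -File $_.File }
```

The attribute test and the drive-format test together explain the two commonest "my file is no longer encrypted" reports: the file was copied off NTFS, or it was never encryptable in the first place. Running Show-EfsAccess on a sample of old files after a recovery-agent change shows which files need to be touched (cipher /u re-keys them) before the old agent certificate expires.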
• In the console tree, expand Personal, and then select Certificates.
• In the details pane, right-click the certificate that you want to export, point to All Tasks, and then click Export. The Certificate Export Wizard appears.
• Click Next. The Export Private Key page appears.
• Select No, do not export the private key.
• Click Next. The Export File Format page appears. Select the format that you want to use.
• Click Next. The File to Export page appears.
• In the File name text box, enter a path and filename, or click Browse to browse for the file.
• Click Next. The Completing the Certificate Export Wizard page appears. Click Finish.
• In the Certificate Export Wizard message box confirming the export, click OK.

Importing a Certificate from a Trusted Person

To give another user access to an encrypted file by adding that user’s certificate to the file, first import the certificate into the Trusted People store:
• Open certmgr.msc.
• In the console tree of the Certificate Manager snap-in, right-click Trusted People, point to All Tasks, and then select Import.
• Click Next. The File to Import page appears.
• In the File name text box, enter the path and filename of the certificate that you want to import.
• Click Next. The Certificate Store page appears.
• The wizard selects the Place all certificates in the following store option by default. Ensure that Trusted People is present in the Certificate store text box, and then click Next.
• The Completing the Certificate Import Wizard page appears. Verify that the wizard lists the correct settings, and then click Finish.
• In the Certificate Import Wizard message box announcing the successful import, click OK.

Importing/Restoring from Backup an EFS Certificate/Private Key

To access an EFS encrypted file from two different computers, or to restore an EFS certificate and private key that you backed up earlier:
• Open certmgr.msc.
• In the console tree of the Certificate Manager snap-in, right-click Personal, point to All Tasks, and then select Import.
• Click Next. The File to Import page appears.
• In the File name text box, enter the path and filename of the certificate that you want to import, or click Browse to locate the file.
• Click Next. Depending on what type of certificate you are importing, the remaining pages of the wizard will vary. Follow the onscreen prompts to complete the import.

Adding a Certificate to an EFS Encrypted File

Figure: User Access to Path dialog box for an example file and user

Renewing a Certificate for a Recovery Agent

If encryption failed and you receive the following message: “Recovery policy configured for this system contains invalid recovery certificate,” it is likely that you need to renew one or more certificates for recovery agents.
• Open certmgr.msc.
• In the console tree of the Certificates console, expand Personal, and then select Certificates.
• In the details pane, right-click the certificate that you want to renew, and point to All Tasks.
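The three wizard procedures above (export without the private key, import into Trusted People, add the user to the file) have a scriptable equivalent that is easier to repeat for many files or users. The following PowerShell script is an added example for this lesson, not code from the course or from Microsoft. It assumes Windows Vista or later; the EFS enhanced key usage OID it filters on is the standard one, and every path and user name in it is a placeholder chosen for the example.

```powershell
# Added example (not from the course): command-line equivalent of sharing an
# EFS-encrypted file with another user. Assumes Windows Vista or later.
# Run Export-EfsPublicCert while logged on as the user who needs access, then
# the remaining steps as the file's owner. Paths below are placeholders.

function Get-EfsCertificate {
    # The user's EFS certificate(s) in the Personal store: the ones whose
    # Enhanced Key Usage lists Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4)
    # and for which this user holds the private key.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4' })
        })
    }
}

function Export-EfsPublicCert {
    param([string]$OutFile)
    # Mirrors "No, do not export the private key": a DER export holds only the
    # certificate and public key, which is all the other user needs from you.
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key found in the Personal store.' }
    $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    $cert.Thumbprint
}

function Import-TrustedPersonCert {
    param([string]$CerFile)
    # Same result as importing into the Trusted People store with the wizard.
    $cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
    $store = New-Object Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

function Add-EfsUser {
    param([string]$File, [string]$CerFile)
    # cipher /adduser adds the certificate's public key to the file's list of
    # users, which is what the User Access dialog box does in the GUI.
    & cipher.exe /adduser "/certfile:$CerFile" $File
    # Verify: the new user should now be listed next to the owner.
    & cipher.exe /c $File
}

# Usage with placeholder paths:
#   (logged on as the recipient)  Export-EfsPublicCert -OutFile 'C:\Share\recipient-efs.cer'
#   (logged on as the file owner) Import-TrustedPersonCert -CerFile 'C:\Share\recipient-efs.cer'
#                                 Add-EfsUser -File 'C:\Data\report.docx' -CerFile 'C:\Share\recipient-efs.cer'
```

Because cipher /adduser checks the certificate file rather than a store, importing into Trusted People is strictly for the GUI path and for later verification; keeping the import step makes the scripted and wizard-driven results identical, which matters when someone later audits the file with cipher /c.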
• Point to Advanced Operations, and then select Renew this certificate with the same key.
• Click Next. The Request Certificates page appears. Click Enroll.
• The new certificate is issued, and the Certificate Installation Results page appears.
• Click Finish.

Configuring EFS Group Policy Settings

EFS Group Policy settings are configured in Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.

Understanding BitLocker

BitLocker – Encrypts all of the data stored on the Windows operating system volume and works in conjunction with Trusted Platform Modules. BitLocker is available in Vista Enterprise and Vista Ultimate.

BitLocker can work in conjunction with Trusted Platform Module (TPM) version 1.2 or higher. When you start your computer, the TPM compares a hash of a subset of operating system files to a hash calculated earlier of the same operating system files. Only if the two hashes are exactly equal does your computer boot normally.

BitLocker can also be used without a TPM, in which case the encryption keys are stored on a USB flash drive that is required to decrypt the data stored on a volume secured with BitLocker. Because BitLocker encrypts the entire volume independent of the operating system, encryption is not easily compromised even if a hacker has physical access to the hard drive.
To assist in preparing a drive for BitLocker, you can use the BitLocker Drive Preparation Tool, which will help you to:
• Create the second volume that BitLocker requires
• Migrate the boot files to the new volume
• Make the new volume an active volume

Recovery mode – Mode present before Windows has started in which you can provide credentials to cause BitLocker to allow the operating system to boot. You will need to supply the recovery password to leave recovery mode and boot normally.

Preparing for BitLocker by Using the Drive Preparation Tool

Install the BitLocker Drive Preparation Tool. The BitLocker Drive Preparation Tool creates a new partition, from which it creates a new disk called Local Disk (S:). The new partition is set as the active partition, meaning that your computer will boot from it.
• Log on with an administrator account.
• Click Start > All Programs > Accessories > System Tools > BitLocker > BitLocker Drive Preparation Tool. A User Account Control dialog box appears.
• Click Continue. The BitLocker Drive Preparation Tool Wizard appears. Click I Accept if you accept the terms of the license agreement.
• The Preparation Drive for BitLocker page appears. Read the cautions, and then click Continue.
• The tool will prepare your drive, which can take substantial time. When the process is complete, click Finish.
• In the BitLocker Drive Encryption message box, click Restart Now.
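Whether the TPM meets the version 1.2 requirement, whether the operating system volume is actually protected, and whether a recovery password exists for leaving recovery mode can be checked without the wizards. The following PowerShell script is an added example for this lesson, not code from the course or from Microsoft; it assumes Windows Vista or later with the BitLocker and TPM WMI providers present, and must be run from an elevated prompt (a Consent UI prompt, in the terms of this lesson). The numeric meanings in the comments are the provider's documented values as the author of this example understands them.

```powershell
# Added example (not from the course): query the TPM and the BitLocker state of
# each volume through the WMI providers that ship with Windows Vista and later.
# Run from an elevated prompt. Assumes the providers are present
# (root\CIMV2\Security\MicrosoftTpm and root\CIMV2\Security\MicrosoftVolumeEncryption).

function Get-TpmState {
    # Win32_Tpm describes the TPM that BitLocker seals its key to. SpecVersion
    # begins with the TPM version; the lesson requires 1.2 or higher.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No TPM: BitLocker can still be used with a USB start-up key, as the lesson describes.
        return New-Object PSObject -Property @{ Present = $false; Version = $null; Usable = $false }
    }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    $version   = ($tpm.SpecVersion -split ',')[0].Trim()
    New-Object PSObject -Property @{
        Present   = $true
        Version   = $version
        Enabled   = $enabled
        Activated = $activated
        Owned     = $owned
        Usable    = ($enabled -and $activated -and $owned -and ([version]$version -ge [version]'1.2'))
    }
}

function Get-BitLockerState {
    # Win32_EncryptableVolume reports protection status, conversion progress and
    # the key protectors (TPM, external key, recovery password, ...) per volume.
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        $status = $v.GetProtectionStatus().ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
        $conv   = $v.GetConversionStatus()                       # ConversionStatus 1 = fully encrypted
        $ids    = @($v.GetKeyProtectors(0).VolumeKeyProtectorID) # 0 = all protector types
        # Protector types: 1 TPM, 2 external key (USB), 3 numerical (recovery) password,
        # 4 TPM and PIN, 5 TPM and start-up key
        $types  = @($ids | ForEach-Object { $v.GetKeyProtectorType($_).KeyProtectorType })
        New-Object PSObject -Property @{
            Volume              = $v.DriveLetter
            ProtectionOn        = ($status -eq 1)
            ConversionStatus    = $conv.ConversionStatus
            PercentEncrypted    = $conv.EncryptionPercentage
            ProtectorTypes      = $types
            HasRecoveryPassword = ($types -contains 3)
        }
    }
}

Get-TpmState
$all = @(Get-BitLockerState)
$all | Format-Table Volume, ProtectionOn, PercentEncrypted, ProtectorTypes -AutoSize

# The two findings that matter most for this lesson: the OS volume is not
# protected, or it is protected but no recovery password exists to leave
# recovery mode with.
$os = $all | Where-Object { $_.Volume -eq $env:SystemDrive }
if ($os -and -not $os.ProtectionOn)        { Write-Warning "BitLocker protection is off on $($os.Volume)." }
if ($os -and -not $os.HasRecoveryPassword) { Write-Warning "No recovery password protector on $($os.Volume); back one up before relying on recovery mode." }
```

A TPM that is present but not Usable (disabled, not activated, or without an owner) is the usual reason the BitLocker control panel insists on the USB-key mode; fixing that in the firmware and taking ownership is cheaper than running without the boot-integrity check the TPM provides.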
Accessing the Manage BitLocker Keys Wizard

Windows Vista provides a wizard that you can use to manage your BitLocker keys.
• Click Start, click Control Panel, and then click Security.
• Click Manage BitLocker keys under BitLocker Drive Encryption. A User Account Control dialog box appears.
• Provide administrator credentials, and then click OK.
• The Manage BitLocker Keys Wizard appears. Follow the instructions in the wizard.

Configuring BitLocker Group Policy

BitLocker Group Policy settings are located in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

Troubleshooting Authentication Issues

Most authentication issues concern user names and passwords. Other common authentication issues involve authentication by using smart cards.

Finding a User’s User Name

The Find Users, Contacts, and Groups dialog box enables you to find Active Directory objects, such as a user.

Resetting a User’s Password

Figure: Reset Password dialog box

Understanding and Renewing Smart Card Certificates

Smart card – A plastic card about the size of a credit card that contains a microprocessor. Smart cards are commonly used to store digital signatures, authenticate users, and store encryption keys to encrypt or decrypt data. Smart card certificates are used in conjunction with a PIN to authenticate a user to the domain.

Renewing a Certificate

Many enterprise environments will use certificate autoenrollment.
Certificate autoenrollment – Feature of Windows Server 2003 Enterprise Edition that automatically uses the existing certificate to sign a renewal request for a new certificate before the existing certificate expires.

To renew a certificate manually:
• Open the Certificate Manager console.
• Expand Personal, and then select Certificates.
• In the details pane, right-click the certificate that you want to renew, and point to All Tasks.
• Do one of the following: click Renew Certificate with New Key, or point to Advanced Operations and click Renew this certificate with the same key.
• The Certificate Enrollment Wizard appears.
• Click Next. The Request Certificate page appears.
• Click Enroll. The certificate is renewed, and the Certificate Installation Results page appears. Click Finish.

Approving a Certificate Request

• Log on to the issuing certificate authority and open the Certification Authority console.
• In the Certification Authority console, expand the certificate authority, and then select Pending Requests.
• In the details pane, right-click the pending certificate that you want to issue, point to All Tasks, and then click Issue. The certificate is issued.

Summary

You Learned
• User Account Control increases security by helping to enforce the principle of least privilege.
• The principle of least privilege limits exposure to security threats by limiting user privileges to the minimum required to complete required tasks.
• The Consent UI is a collection of UAC dialog boxes that prompt for consent or for administrator credentials when you attempt a task that requires elevated privileges.
• The Secure Desktop helps to prevent hackers from circumventing the UAC Consent UI.
• Admin Approval Mode is a mode in which administrators must give consent for applications to use the administrator token.
• The Power Users group has been deprecated, and standard users have increased privileges.
• File and registry virtualization increases compatibility with legacy applications by redirecting reads and writes to sensitive areas of the hard drive and registry.
• UAC, like many security innovations, can cause compatibility issues with legacy applications.
• You can centrally manage the behavior of UAC for many computers at once by using Group Policy.
• Encrypting File System and BitLocker are used to encrypt data. Part of an administrator’s job is to ensure that those people who should have access to encrypted resources do have access and to make encryption as transparent to users as possible.
• The Encrypting File System Wizard can help users to manage their encrypted files and EFS certificates.
• The primary troubleshooting issues you will encounter with EFS are lost certificates and how to help users share encrypted files.
• You learned how to export an EFS certificate and an associated private key.
• You learned how to import a certificate from a trusted person.
• You learned how to import or restore from backup an EFS certificate and private key.
• You learned how to add a certificate to an EFS encrypted file.
• You learned how to renew a certificate for a recovery agent.
• You learned how to configure EFS Group Policy settings.
• BitLocker encrypts all of the data stored on the Windows operating system volume and works in conjunction with Trusted Platform Modules.
• You learned how to prepare a drive for BitLocker by using the BitLocker Drive Preparation Tool.
• You learned how to access the Manage BitLocker Keys Wizard.
• You can configure the behavior of BitLocker by using Group Policy.
• Most authentication issues concern user names and passwords. Other common authentication issues involve authentication by using smart cards.
• You learned how to find a user’s user name and reset a user’s password.
• Smart card certificates are used in conjunction with a PIN to authenticate a user to the domain.
• You learned how to renew a certificate and approve a certificate request.
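The three authentication tasks in the Troubleshooting Authentication Issues section of this lesson (finding a user's logon name, resetting a password, and issuing a pending certificate request) also have command-line forms that are useful when the consoles are not at hand. The following PowerShell script is an added example, not code from the course or from Microsoft. It assumes a domain-joined computer, an account that holds the Reset Password right on the user object, and, for the certificate step, a logon on the issuing CA; the escaping helper, the display name and the request ID are the example's own.

```powershell
# Added example (not from the course): scriptable counterparts of the
# find-user, reset-password and issue-request tasks. Assumes a domain-joined
# computer and the rights named in the lead-in. Names and IDs are placeholders.

function ConvertTo-LdapFilterLiteral {
    param([string]$Text)
    # Escape the characters that have meaning in an LDAP filter (RFC 4515) so a
    # display name typed by a help-desk operator cannot change the query.
    $escaped = $Text -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $escaped -replace "`0", '\00'
}

function Get-SearchProperty {
    param($Result, [string]$Name)
    # ResultPropertyCollection throws on a missing attribute; return $null instead.
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count -gt 0) {
        return $Result.Properties[$Name][0]
    }
    $null
}

function Find-DomainUser {
    param([string]$DisplayName)
    # Same lookup as the Find Users, Contacts, and Groups dialog box, through ADSI.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(displayName=$(ConvertTo-LdapFilterLiteral $DisplayName)))"
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'lockoutTime', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        $lockout = Get-SearchProperty $r 'lockouttime'
        New-Object PSObject -Property @{
            LogonName = [string](Get-SearchProperty $r 'samaccountname')
            UPN       = [string](Get-SearchProperty $r 'userprincipalname')
            LockedOut = ($lockout -ne $null -and [long]$lockout -gt 0)   # a common cause of "my password does not work"
            DN        = [string](Get-SearchProperty $r 'distinguishedname')
        }
    }
}

function Reset-DomainUserPassword {
    param([string]$DistinguishedName, [Security.SecureString]$NewPassword, [switch]$MustChangeAtNextLogon)
    # Same as the Reset Password dialog box: SetPassword needs the Reset
    # Password right but not the old password, unlike ChangePassword.
    $user = [ADSI]"LDAP://$DistinguishedName"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try   { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    if ($MustChangeAtNextLogon) { $user.Put('pwdLastSet', 0) }   # "User must change password at next logon"
    $user.Put('lockoutTime', 0)                                  # clear a lockout left by the forgotten password
    $user.SetInfo()
}

function Get-PendingCertificateRequests {
    # Run on the CA: Disposition 9 is "pending" in the CA database.
    & certutil.exe -view -restrict 'Disposition=9' -out 'RequestId,RequesterName,CertificateTemplate'
}

function Approve-CertificateRequest {
    param([int]$RequestId)
    # Equivalent of All Tasks > Issue in the Certification Authority console.
    & certutil.exe -resubmit $RequestId
}

# Usage with placeholder values:
#   $u = Find-DomainUser -DisplayName 'Pat Example'
#   Reset-DomainUserPassword -DistinguishedName $u.DN -NewPassword (Read-Host -AsSecureString 'New password') -MustChangeAtNextLogon
#   Get-PendingCertificateRequests
#   Approve-CertificateRequest -RequestId 1234
```

Reading the password with Read-Host -AsSecureString keeps it out of the console history, and the BSTR is zeroed as soon as SetPassword returns; the forced change at next logon means the help-desk operator never ends up knowing a password the user keeps. The LockedOut column is worth checking before any reset, because an account locked by repeated wrong attempts stays unusable after a reset unless lockoutTime is cleared as well.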