An important aspect of protecting your information and information

systems has to do with the secure storage of your valuable information

assets. In addition to the implementation of physical security controls,
such as a locked server room, sensitive information should have right
permissions and also be encrypted while in storage (on the hard drive).
Therefore, encryption protects the confidentiality of your information
assets. Further, because unauthorized users cannot access the encrypted
information, they cannot make unauthorized changes to the information,
thus protecting the integrity of the information.

Many encryption utilities and even devices are available that can help
you secure your critical and sensitive information assets. Some
encryption technologies are even built into operating system, such as the
Encrypting File System (EFS), and the newer disk-encryption technology
from Microsoft, BitLocker, GuardianEdge Technologies
(http://www.guardianedge,com/) and PGP Corporation (http://pgp.com/)
provide third-party encryption tools. L-3 Titan Group (http://titan.com/)
manufactures encryption devices.

Other aspect of protecting your information assets has to do with

ensuring the availability of the information assets. You should be
knowledgeable to perform routing backups and data recovery from backups
to increase the availability of these assets.

. 1
The Encrypting File System.
(EFS)

Windows 2000 and above provides security for file in storage on NTFS
volumes. This is called the Encrypting File System (EFS). EFS operates as
an additional layer of security complementing both the NTFS and share-
point permissions on Windows systems.
EFS should be implemented for any sensitive data. Because of the
increased frequency of portable devices being lost or stolen, it is
especially important to implement EFS on laptop computers.

Scenario
-------
You are responsible for the protection of sensitive information that
often gets produced and utilized on company-owned laptop computers. On
occasions, these laptops and sensitive files must be shared among several
top-level executives of the company.

Scope of Lab
-------

Duration
-------
This lab should take approximately 2 hours.
Setup
-------
You will create secured (encrypted) content and confirm that it is
secure. Then you will provide access to this content for selected other
user(s).

Caveat
-------
With the addition of any securing technology, there will be an increase
in administrative overhead to support that technology. It is possible
that users will lock themselves out of their sensitive content, requiring
a preconfigured Data Recovery Agent (Local Administrator for Workgroup
mode systems, configured manually, or the administrator of the domain for
domain members, automatically configured) to decrypt the content.

Procedure
-------
For this lab, you must first create the Data Recovery Agent Policy.

Then you will need to create two
and User2. User1 will create and
log on as User2 and confirm that
allow access to the content, EFS
content.
standard (nonadministrator) users: User1
secure sensitive content. You will then
even though NTFS permissions should
does not allow User2 to access the

Next you’ll log on as User1 again, and add User2 to the list of users who
can access the encrypted file.

Then you’ll log back on as User2 and confirm that you can access the
encrypted content as User2.

Equipment Used
-------
For this lab, you need the following equipment:
o Windows XP Pro system with the following configuration:
 A member of Workgroup (not a member of domain).
 At least one NTFS volume.
o Local Administrator access.

Details
-------
Configuring the Volume for EFS

1. Log on to Windows XP Pro system as the Local Administrator.

2. Launch Explorer by rigth-clicking the Start button and selecting

Explorer.

3. Select the root of C:\ drive in the left panel.

4. Right-click on the C:\ drive and select Properties.

5. Confirm that the volume's filesystem is NTFS, the click OK.

NOTE: ESF is not available on any FAT filesystems, including floppy

disks.
It is available only on volumes formatted with NTSF.

6. In the right pane, right-click in the white area and select New >
Folder. Name the folder GOODSTUFF.

7. Right-click the new GOODSTUFF folder and select Properties.

8. In the Properties dialog box, select the Security tab. Under Group Or
User Name, Select Users ComputerName\Users on the list of Group Or User
Names, where ComputerName is the name of your computer.
NOTE: In this case shown, the computer name is My Computer

9. Enable the Write permission under Permissions For Users. Click OK. You
have now confirmed that the volume supports EFS and you created a storage
location for the local users of the system.

Create Users.

1. Right-click on My Computer and select Manager to open the Computer

Management console.

2. Expand Local Users And Groups. Select the Users subfolder.

3. In the right pane, right-click in the white space and select New User.
4. Type User1 for both User Name and Full Name. Type Password1 in the
Password and confirm Password fields. Clear the option User Must Change
Password At Next Logon, and enable the options User Cannot Change
Password and Password Never Expires. Click Create.

5. You will see a new, empty, New User dialog box. Type User2 for User
Name and Full Name. Type Password1 in the Password and Confirm Password
fields. Clear the option User Must Change Password At Next Logon, and
enable both User Cannot Change Password and Password Never Expires. Click
Create.
6. Click Close. Confirm the existence of the two new accounts for User1
and User2.

7. Minimize the Computer Management console by clicking the X in the

upper-right corner.

Creating the EFS Data Recovery Agent Policy

1. To define and EFS Data Recovery Agent (DRA) policy, you must produce a
DRA certificate for the local administrator. Still logged on as Local
Administrator, open and command windows by selecting Start > Run and
entering CMD. Then click OK.

2. You will create a location to hold the certificates and view the
properties of the command (Cipher) used to create the certificates. At
the command prompt, enter the command cd\. Press enter, which returns you
to the root of the C:\ drive.

3. At the command prompt, enter the command md AA. Press Enter to create
a new folder called C:\AA.

4. At the command prompt, enter the command cd AA. Press Enter to place
your focus in the new C:AA folder.
5. To create the certificates required for EFS Data Recovery, at the
command prompt enter this command:

Cipher /R:c:\AA\AdminEFSDRA

6. Type the password Password1 and press Enter.

7. To Confirm the password, type Password1 a second time and press Enter.
The two certificates for DRA ara produced in the C:\AA folder.

8. Close de command window.

9. Select Start > Programs > Administrative Tools > Local Security
Policy.
10. In the Local Security Settings dialog box, expand Public Key Policies
and select Encrypting File System.

11. Right-click on Encrypting File System and select Add Data Recovery
Agent. This launches the Add Recovery Agent Wizard. Click Next.
12. On the select Recovery Agents screen, click the Browse Folders button
and browse to C:\AA.

13. Select the AdminEFSDRA.cer file that you just created with the Cipher
command. Click Open. This pulls the certificate file into the Add
recovery Agent Wizard.
14. Click the Next button, and then click Finish.

15. Close de Local Security Setting dialog box.

16. Right-click the Start button and select Explore.

17. Open the folder C:\AA.

18. Right-click on the file AdminEFSDRA.pfx and select Install PFX.

19. In the Certificate Import Wizard, click Next.

20. Confirm the Certificate file with the .PFX extension is entered in
the File Name field. Click Next.

21. Enter the password Password1 to access the private key associated
with the certificate.

22. Leave the two checkboxes deselected and click Next in the wizard.

23. Allow the Certificate Store location to be automatically select, and

click Next in the wizard.

24. Click Finish. You should see message reporting that the import was
successful. Click OK to clear the message.

25. Log off as Local Administrator by selecting Start > Log Off
Administrator.

27. You have now confirmed and configured the C:\ drive for EFS, you have
created two users to implement ESF, and you have successfully configured
the local administrator as the EFS Data Recovery Agent.
Creating EFS Content as User1

1. Log on to the local computer as User1 with the password Password1.

2. Launch explorer by right-clicking the Start button and selecting

Explore.

3. Select the root of the c:\ drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Right-click in the white space in the right pane and select New > Text
Document.

6. Rename the text document Secrets.txt.

7. Open Secrets.txt with Notepad and type a message.

8. Save Secrets.txt with the new content.

9. Close Notepad.

10. Right-click Secrets.txt and select Properties.

11. In the Properties dialog box, on the General tab click Advanced.

12. In the Advanced Attributes dialog box, enable the option Encrypt
Contents to Secure Data.

13. Click OK.

14. Click Apply in the Properties dialog box. You will be prompted to
select between encrypting the folder and all content, or encrypting this
one file. Select The File Only.
15. Select the Security tab of the Properties dialog box. Select the
Users group in the top pane. Notice that users of the local system have
Read & Execute, Read, and Write permissions inherited from parent
folders. Click OK.

16. Open Secrets.txt with Notepad and view your message to confirm that
you can access the data, even though the file is now encrypted.

17. Close Notepad.

Attempting Access of ESF Content as User2

1. Log on to the local computer as User2 with the password Password1.

2. Launch explorer by right-clicking the Start button and selecting

Explore.

3. Select the root of the C:\ drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Attempt to open Secrets.txt. Notepad launches, but even though you
just confirmed that you have permission to read the Secrets.txt document,
you get the error message Access is denied. EFS has this documents encrypted
so that only User1 and the EFS Data Recovery Agent can decrypt the file.

Creating EFS Content as User2

1. Still logged on as User2, in the GOODSTUFF folder in Explorer, right-

click in the white space in the right pane and select New > Text
Document.

2. Rename the new text document User2Secrets.txt.

3. Open User2Secrets.txt with Notepad and type a message.

4. Save User2Secrets.txt with the new content.

5. Close Notepad.

6. Right-click User2Secrets.txt and select Properties.

7. Click Advanced.

8. Enable Encrypt Contents To Secure Data.

9. Click OK in the advanced Attributes dialog box.

10. Click Apply in the Properties dialog box. You will be prompted to
select between encrypting the folder and all content, or encrypting this
one file. Select The File Only.

11. Select the Security tab of the Properties dialog box. Select the
Users group in the top pane. Notice that users of the local system have
Read & Execute, Read, and Write permissions inherited from parent
folders.

12. Click OK.

13. Notice in Explorer that files, Secrets.txt and User2Secrets.txt, are

now displayed in green (the default color and settings) indicating the
EFS status of the files.

14. Open User2Secrets.txt with Notepad and view your message to confirm
that you can access the data logged on as User2, even though the file is
now encrypted.

15. Close Notepad

16. Log off as User2.

Sharing EFS Content to User2

1. Log in to the local computer as User1 with the password Password1.

2. Launch Explorer by right-clicking the Start buttom and selecting

Explore.

3. Select the root of the C:\ drive in the left.

4. In the right pane, double-click the folder GOODSTUFF.

5. Open Secrets.txt with notepad to confirm that User1 has access to the
EFS content.

6. Close Notepad.

7. In explorer, attempt to open User2Secrets.txt. One again, Notepad

launches, but even though you just confirmed that User1 has permitions to
read the User2Secrets.txt document, you get the error message Access is
denied. EFS has this document encrypted so that only User2 can decrypt
the file.

8. Click OK to clear the error message, and then close Notepad.

9. In the explorer, right-click on Secrets.txt and select Properties.

10. Click Advanced.

11. Select Details. Notice that User1 is the only user listed as Users
Who Can Transparently Access This File. Also notice that Administrator is
listed as the Data Recovery Agent for Secrets.txt. This is the due to the
EFS Data Recovery Agent policy you implemented earlier in this lab.

12. Click Add

13. Highlight User2.

14. Click View Certificate. This certificate for User2 holds User2’s
encrypting key. With this key, User1 can grant User2 access to the EFS
content, Secrets.txt. Close the certificate.

15. Click OK in the Select User dialog box.

16. Notice that now both User1 and User2 are listed as Users Who Can
Transparently Access This File.

17. Click OK in the Encryption Details dialog box.

18. Click OK in the Advanced Attributes dialog box.

19. Click OK in the Secrets.txt Properties dialog box.

20. Open and view Secrets.txt to confirm that you still have access to
the data.

21. Close Secrets.txt.

22. Log off as User1

Attempting Access of ESF Content as User2

1. Log on to the local computer as User2 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting

Explore.

3. Select the root of the C:\ drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Attempt to open Secrets.txt. Yow now have access to the contents of

Secrets.txt as User2.

6. Log off as User2.

Lab. 2
EFS Data Recovery

One of the fundamental responsibility of and administrator is to protect

the company’s information. This means that it is your responsibility to
be able to recover any lost or inaccessible data. There are several
seasons that an administrator may need to recover content users encrypted
via EFS. A user can accidentally delete their decryption key, or a user
may forget their password and need to have it reset. (Resetting a user’s
password disables a user’s ability to decrypt their EFS content). The
decryption key is stored inside the user profile. If this profile gets
deleted, the decryption key is lost.
Since you have been configured as an EFS Data Recovery Agent, you can
decrypt their encrypted content and recover the inaccessible data.

Scenario
-------
As a security administrator, you are responsible for protecting sensitive
information and implementing EFS. After cleaning up the User Account
database, you realize there is critical data that has been encrypted by a
deleted user account. You must recover the data and provide access to
that data to another user.

Scope of lab.

Duration
-------
This should take approximately 2 hours

Setup
-------
EFS is enabled through the user of a Public Key Infrastructure (PKI) and
digital certificates that contain an encryption key. If the decryption
key is lost, the user may never regain access to the EFS content.

A safety mechanism to minimize data loss is the EFS Data Recovery Agent.
By default, the administrator for the domain is the EFS Default Data
Recovery Agent in a system in Domain mode. Typically the Local
Administrator is configured as they EFS Data Recovery Agent on a system
in Workgroup mode. This must be done manually on a system in Workgroup
mode.

Taking advantage of the work performed in . 1, you will delete a user

account that had created secured content. You will then confirm that
other users cannot access the content. With that completed, you will work
through the steps to recover (decrypt) the content and grant access to
the content to another user. That user would then have access to the
secure EFS content utilizing their encryption key.
Caveat
-------
There are combinations of events that can permanently prevent decryption
of the content. Data can be lost. Implement EFS with care.

Procedure
-------
For this , you will delete a user (User2) that you created in .1. User2
created a secure data file called User2Secret.txt. You will the log on as
User1 and confirm that eve thought permissions should allow access to the
content, EFS does not allow User1 to access the User2 secured content.

You will then walk through the steps to decrypt the content and grant
ownership of the critical data to another user. This new owner should
implement EFS using their encryption key to secure this sensitive data.

Equipment Used
--------
For this , you need the following equipment:
Windows XP Pro system with the following configuration.
o A member of a workgroup (not a member of a domain).
o At least one NTFS volume.
Local Administrator access.
Completion of 1, “The Encrypting File System”.

Details
--------
Losing an EFS Encryption Key.

1. Log on to the Windows XP Pro system as the Local Administrator with

the password Password1.

2. Right-click on My Computers and select Manage to open the Computer

Management console.

3. Expand Local Users And Groups. Select the Users subfolder.

4. In the right pane, right-click on User2 and select Delete.

5. Review the warning regarding the deletion of user accounts. Click Yes
to confirm the deletion of User2.

6. Close the Computer Management console. You have just deleted User2,
the only user account that had access to User2Secrets.txt.

Implementing EFS Data Recovery

1. Launch Explored by right-clicking the Start button and selecting
Explore.

2. Select the root of the C:\ drive in the left pane.

3. In the right pane, double-click the folder GOODSTUFF.

4. In Explorer, double-click User2Secrets.txt.

5. User2Secrets.txt opens correctly in Notepad. This is because the Local
Administrator, by default, has Full Control permissions on all user files
and, in Lab 1, was configured as an EFS Data Recovery Agent for any EFS
content produced on the system.

6. Close User2Secrets.txt in Notepad.

7. Right-click the file User2Secrets.txt and select Properties.

8. Select Security tab.

9. Select the General tab.

10. Click the Advanced button. This opens the Advanced Attributes dialog
box. In this dialog box, click the Details button, which takes you to the
Encryption Details dialog box. To transfer access to User1, you must add
User1 to the Users Who Can Transparently Access This File list. Click the
Add button.

11. Select User1 in the Select User dialog box and click OK.

12. To tighten up the EFS security on this sensitive file, select User2,
the deleted user, in the Users Who Can Transparently Access This File
list, and then click the Remove button.

13. Click ON in the Encryption Details dialog box.

14. Click OK in the Advanced Attributes dialog box.

15. Click OK in the User2Secrets.txt Properties dialog box.

16. Log off as Administrator.

Testing the EFS Data Recovery

1. Log on to the Windows XP Pro system as User1 with the password
Password1.

2. Launch Explorer by right-clicking the Start button and selecting

Explore.

3. Select the root of the C:\ drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. In Explore, double-click User2Secrets.txt. User2Secrets.txt opens

correctly in Notepad. This is because User1 has sufficient permissions on
all GOODSTUFF files and was added to the list of Users Who Can
Transparently Access This File EFS content by the EFS Data Recovery
Agent.

6. Close User2Secrets.txt in Notepad.

7. Log off as User1.