Managing and Maintaining Microsoft Windows Security
LECTURE 4: Microsoft Windows Encryption Tools and Technologies
CYU 07317 Security Strategies in Windows Platforms 01/08/2025 1
What is Encryption?
 Encryption is the method by which information is converted into a secret form that hides its true meaning
 The science of encrypting and decrypting information is called cryptography
 In computing, unencrypted data is known as plaintext, and encrypted data is called ciphertext
Learning Objectives
 Identify encryption methods supported by Microsoft Windows
 Describe EFS, BitLocker, and BitLocker To Go
 Explain setup and enabling of file, folder, and volume-level encryption
 Research encryption in communications
 Outline encrypted Microsoft Windows protocols
 Debate the advantages and disadvantages of encrypted communications
 Describe security certificates
 Examine the public key infrastructure (PKI)
 Outline best practices for Microsoft Windows encryption techniques
 Discuss business challenges of implementing encryption
What is Encryption?
 Encryption is the process of transforming readable information into unreadable information in such a way that anyone holding the proper key can reverse the process, making the information readable again
 Put differently, it encodes plaintext into ciphertext so that only authorized parties, those holding the key, can understand the information
 Encryption is one of the most common techniques used to secure data, both in transit and at rest
Encryption…
 It is another type of control mechanism that Microsoft Windows uses to protect data against attackers
 Files, folders, and volumes can be encrypted using built-in Windows encryption tools
 Data in transport is vulnerable to interception, so encryption is used to ensure that no unauthorized user can view sensitive data
 On its own, encryption provides confidentiality only; combined with message authentication codes and digital signatures (covered later in this lecture) it can also validate the integrity and the source of the data
Encryption Methods Supported by Microsoft Windows
 Microsoft provides various programs and methods to secure data with encryption, for data at rest and data in transit
 For securing data at rest, Windows provides the following tools:
i. BitLocker for encrypting entire volumes
ii. Encrypting File System (EFS) for encrypting files and folders
Data in transit
 For securing data in transit, Microsoft provides support for many methods and strategies, which include:
i. Secure networking protocols
ii. Digital certificates
iii. Public key infrastructure
iv. Virtual private networks
Point to NOTE
If you need to support multiple operating systems, you'll need to look beyond the Windows-only options presented in this section.
One of the best-known cross-platform encryption products was TrueCrypt, a free open source product: http://www.truecrypt.org/
Caveat: TrueCrypt development ended in 2014 and its authors warned that it may contain unfixed security issues, so it should not be deployed today. Its maintained fork VeraCrypt (https://www.veracrypt.fr/) is the usual cross-platform replacement.
Encryption methods supported by Windows
 The Windows operating system supports three main methods to encrypt stored data
 These methods are:
i. Encrypting File System (EFS)
ii. BitLocker
iii. BitLocker To Go
Encrypting File System
 The Encrypting File System (EFS) was introduced by Microsoft in Windows 2000
 This feature works only on NTFS file systems
 It allows users to encrypt individual files or entire folders
 You can enable encryption for a file or folder by simply selecting a checkbox on the object's properties page
 It doesn't require any additional input from the user: EFS encrypts each file with a random file encryption key, which is in turn protected with the user's EFS certificate, so decryption happens transparently once the user logs on
 The figure below shows the object property page's encryption setting.
Drawback of EFS
 The main drawback to EFS is that it is user-based
 Each user must choose to enable encryption for specific files or folders, or administrators must define policies that require encryption
 The user's EFS private key is itself protected by a key derived from the user's logon password (through the Windows Data Protection API)
 Resetting that password with any tool that works outside Windows (for example, an offline password-reset utility) discards the protecting key, so all of that user's EFS-encrypted data becomes unreadable unless the EFS certificate was backed up or a data recovery agent was configured
 A password change performed through Windows while logged on does not have this effect
BitLocker Drive Encryption
 BitLocker Drive Encryption is the most current encryption method in Windows
 Unlike EFS, BitLocker has only two settings for each volume: ON or OFF
 BitLocker encrypts everything on the selected volume
 Since entire volumes are encrypted, only administrators can enable or disable encryption
 Individual users cannot alter any BitLocker settings
What is TPM?
 A Trusted Platform Module (TPM) is a physical or embedded security microcontroller that resides on the computer's motherboard or inside its processor
 TPM technology is designed to provide hardware-based, security-related functions
 A TPM is a secure crypto-processor designed to carry out cryptographic operations and to hold keys that cannot be exported in the clear
 Most BitLocker operating modes depend on the TPM to protect the key used for volume encryption and decryption: the TPM releases the key only if the measured boot components (firmware, boot loader) match the values recorded when BitLocker was enabled
BitLocker Authentication Modes
MECHANISM            AUTHENTICATION MODE     DESCRIPTION
TPM only             Transparent operation   No additional input is required from the user.
TPM + PIN            User authentication     The user must enter a PIN before Windows boots.
TPM + PIN + USB key  User authentication     The user must enter a PIN (the Startup PIN) and insert a USB key (the Startup key) holding authentication credentials before Windows boots.
TPM + USB key        User authentication     The user must insert a USB key holding authentication credentials before Windows boots.
USB key only         USB key mode            The only authentication mode that does not depend on TPM hardware; the user inserts a USB key holding authentication credentials before Windows boots.
Comparison of BitLocker and EFS
FEATURE            BITLOCKER                                                ENCRYPTING FILE SYSTEM (EFS)
Scope              Encrypts all files on the selected volume                Encrypts only selected files and folders
Control            Either on or off for all users                           Encrypts files based on user actions; each user can encrypt files or folders individually
Hardware           Uses TPM or USB key as part of the authentication process Does not require any special hardware
Who can enable it  Must be an administrator to turn BitLocker on or off     Any user can choose to encrypt files or folders
Cont…
 EFS is available on a newly installed Windows client or server without any extra setup
 BitLocker is available on Windows workstation computers, but is not installed by default on Windows Server
 If you plan to use BitLocker on Windows Server, you must add it as a feature using the Server Manager utility
 To launch Server Manager, choose Start > Server Manager
 In Server Manager, select Manage > Add Roles and Features from the menu to open the Add Roles and Features Wizard
 Select Next four times to open the Features selection window, then select the BitLocker Drive Encryption checkbox to add BitLocker
Cont…
 Before adding BitLocker, Windows will ask you to confirm that you want to continue
 Select Next > Install to confirm your choice to add BitLocker
 Once BitLocker has been installed, Windows will warn you that you must restart the system
 When you select Close, Windows will ask whether you want to restart now or later
 Once you restart Windows, the BitLocker feature will be available for all volumes
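The same Server Manager procedure can be scripted. The following is an added example (not part of the lecture) that installs the BitLocker feature and its management tools on Windows Server from an elevated PowerShell session and confirms the result; it assumes Windows Server 2012 or later, where the ServerManager module is present.

```powershell
# Added example, not from the lecture: install the BitLocker feature on
# Windows Server without the Add Roles and Features wizard. Run elevated.

$feature = Get-WindowsFeature -Name BitLocker

if (-not $feature.Installed) {
    # -IncludeManagementTools adds the BitLocker PowerShell module and manage-bde,
    # which the later examples on this page rely on.
    $result = Install-WindowsFeature -Name BitLocker -IncludeManagementTools

    "Success: $($result.Success); restart needed: $($result.RestartNeeded)"

    # Install-WindowsFeature restarts automatically only when -Restart is passed;
    # the filter driver is not active until the server has been restarted.
    if ($result.RestartNeeded -ne 'No') {
        Restart-Computer -Confirm
    }
} else {
    'BitLocker feature is already installed'
}

# After the restart, the BitLocker module cmdlets are available:
Get-Command -Module BitLocker | Select-Object -First 5 -ExpandProperty Name
```

`Get-WindowsFeature -Name BitLocker` can also be run on its own to audit a fleet of servers before deciding which ones need the feature.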
The figures below show the confirmation and completion windows.
Features of BitLocker
 Microsoft added new features to BitLocker starting with Windows 8 and Windows Server 2012
 The added features make it even easier to encrypt volumes on a Windows computer
 BitLocker features added in Windows 8 and Windows Server 2012 are:
i. BitLocker provisioning
ii. Encrypt only used disk space
iii. Allow regular users to change the BitLocker PIN or password
iv. Network Unlock
v. Support for encrypted hard drives
BitLocker Provisioning
 In previous Windows versions, BitLocker could be enabled only after installing the operating system
 Now, administrators can enable BitLocker as part of the Windows workstation installation process (from the Windows Preinstallation Environment, before the operating system is laid down)
 This allows administrators to deploy Windows workstations in an encrypted state


Encrypt Only Used Disk Space
 BitLocker now allows administrators to encrypt only the blocks in a volume that currently hold data
 When using this option, BitLocker does not encrypt unused blocks at enable time; blocks are encrypted as they are written
 This option can dramatically reduce the time required to initially encrypt a volume
 Caveat: on a volume that previously held data, unused blocks may still contain deleted plaintext, so used-space-only encryption is best suited to new or freshly wiped disks; choose full-volume encryption for drives already in service
Allow regular users to change BitLocker PIN or password
 Regular users can change the BitLocker PIN or password for operating system volumes on a Windows workstation
 Regular users can also change the BitLocker password for fixed data volumes
 These features make it easier for administrators to deploy BitLocker to a large number of computers without having to rely only on generated PINs and passwords


Network Unlock
 Network Unlock is a Windows Server feature that allows desktop and server computers protected with TPM + PIN to unlock their operating system volumes automatically when they boot
 To use this feature, the computer must be connected to a trusted wired network on which a Windows Deployment Services server with the BitLocker Network Unlock feature responds during boot; off that network, the PIN is still required
 It is mostly used so that unattended restarts (for example, after patching) do not stall at the PIN prompt


Support for encrypted hard drives
 BitLocker is a software solution that provides Full Volume Encryption (FVE)
 Another encryption method gaining popularity is Full Disk Encryption (FDE) performed by the drive itself (a self-encrypting drive)
 In FDE, the disk controller encrypts every block in hardware
 FDE is faster than software FVE because it occurs below the operating system and costs the CPU nothing
 BitLocker since Windows 8 and Windows Server 2012 can use such encrypted hard drives, managing the drive's keys instead of encrypting in software
 Caveat: the quality of drive firmware encryption varies between vendors and has been found wanting in several models, so Microsoft later changed the default to software encryption unless Group Policy explicitly permits hardware-based encryption


BitLocker To Go
 BitLocker To Go is an extension to BitLocker that protects removable storage devices, such as USB keys
 Since removable storage devices may be used to transport sensitive data from one computer to another, it is important to ensure the data are secure while being transported
 BitLocker To Go makes it easy to encrypt an entire device
 When you turn on BitLocker To Go for a device, Windows asks whether to use a password or a smart card to unlock the data
BitLocker To Go…
 Once initialized, all data on the removable device are encrypted
 You will need to enter the same password or use your smart card to access the media's contents on the other computer (depending on which option you selected when you enabled BitLocker To Go)
 As long as the other computer is running Windows 7 or later, you will simply be prompted for the password or smart card
Enabling File, Folder, and Volume-Level Encryption
 Enabling EFS, BitLocker, and BitLocker To Go is easy
 All you have to do is open the Properties dialog box (for EFS) or the context menu (for BitLocker) of the desired object and select the appropriate option


Enabling EFS
 The first step to enabling EFS is deciding what to encrypt
 Remember that individual files already on disk are stored in plaintext before being encrypted
 After encryption, the plaintext copy is deleted, but its blocks are not overwritten, so recoverable traces can remain in free space
Cont…
 To avoid leaving traces of plaintext files, it is recommended that you encrypt folders rather than individual files: files created inside an encrypted folder are encrypted from the first write
 Once you decide what to encrypt, open Windows Explorer and navigate to the file or folder
 To encrypt the object, open the context menu by right-clicking on the object, and select Properties
 From the Properties dialog box, choose the Advanced button
Properties and Advanced Attributes dialog boxes
 In the Advanced Attributes dialog box, select the "Encrypt contents to secure data" checkbox, choose OK, then choose OK again to close the Properties dialog box
 The object is now stored as an encrypted object
 No further action from the user is necessary
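The checkbox procedure above can be done from the command line with cipher.exe, which also covers the two points the slides raise but the dialog cannot help with: plaintext remnants left in free space, and losing the EFS key after an offline password reset. The following is an added example (not from the lecture); the folder path and the backup file name are assumptions chosen for illustration.

```powershell
# Added example, not from the lecture: enable EFS on a folder, verify it,
# back up the EFS certificate, and wipe plaintext remnants from free space.
# Requires NTFS and a Windows PowerShell/PowerShell 7 session on Windows.

function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # cipher /e /s:<dir> sets the encrypted attribute on the folder and encrypts
    # existing contents; files created later inherit it, so they never hit the
    # disk in plaintext (the reason the slides say "encrypt folders, not files").
    cipher.exe /e /s:"$Path" | Out-Null

    # Verify using the FILE_ATTRIBUTE_ENCRYPTED flag on every item.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            Item      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

function Backup-EfsCertificate {
    # Without a backup of the EFS certificate and private key (or a designated
    # recovery agent), an offline password reset makes the user's EFS data
    # unrecoverable. cipher /x writes <BaseName>.pfx and prompts for a PFX password.
    param([Parameter(Mandatory)][string]$PfxBaseName)   # path without extension
    cipher.exe /x $PfxBaseName
}

function Clear-PlaintextRemnants {
    # Encrypting an existing file leaves its old plaintext blocks in free space
    # until they are overwritten. cipher /w overwrites all free space on the
    # volume that holds the given directory (slow on large volumes).
    param([string]$Directory = $env:TEMP)
    cipher.exe /w:"$Directory"
}

# Usage (paths are assumptions)
$folder = Join-Path $env:USERPROFILE 'Documents\Confidential'
Protect-FolderWithEfs -Path $folder | Format-Table -AutoSize

# List every encrypted file the current user can see (no changes are made).
cipher.exe /u /n

Backup-EfsCertificate -PfxBaseName (Join-Path $env:USERPROFILE 'efs-backup')
Clear-PlaintextRemnants -Directory $folder
```

Store the exported PFX off the machine (removable media in a safe place, as the best-practice slides later recommend); on a domain, `cipher /r` can additionally generate a data recovery agent certificate for the organization.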


Enabling BitLocker
 Enabling BitLocker is just as easy as EFS. First, however, ensure that you are logged on as an administrator
 To enable BitLocker, open Windows Explorer and navigate to Computer (This PC on newer versions). Open the context menu of the desired volume by right-clicking on it, and select Turn On BitLocker
 The figure below shows the BitLocker option on the object's context menu.


 Alternatively, you can launch the BitLocker management tool to view and manage BitLocker for all volumes
 Open the Control Panel by selecting Start > Control Panel
 Select System and Security, then BitLocker Drive Encryption
 The BitLocker management tool displays all volumes, along with an option to turn BitLocker on or off for each volume
 The figure below shows the BitLocker management tool.


Cont…
 After selecting to enable BitLocker, Windows asks you to pick an authentication method
 The authentication method tells Windows what information is required to unlock an encrypted volume (see the BitLocker Authentication Modes table above)
 The figure below shows the BitLocker authentication options.


Cont…
 Once you select the desired authentication options, Windows will ask where to save a recovery key
 If you lose the ability to access the primary encryption key (a forgotten PIN, a lost USB key, or a TPM that no longer releases the key after a firmware change or board replacement), you'll need the recovery key to unlock the volume
 Windows provides the following options for storing the recovery key:
 Save the recovery key to a USB flash drive
 Save the recovery key to a file
 Print the recovery key
 On domain-joined computers the recovery key can also be backed up to Active Directory Domain Services, and on Azure AD-joined devices to the Azure AD account
Enabling BitLocker To Go
 Enabling BitLocker To Go is very similar to enabling BitLocker
 Before starting the procedure, ensure your removable device is attached. First, open Windows Explorer and navigate to Computer
 Open the context menu of the removable volume by right-clicking on it, and select Turn On BitLocker
 The figure below shows the BitLocker To Go option on the object's context menu
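Both procedures (BitLocker on the operating system volume with TPM + PIN and a recovery key, and BitLocker To Go on a removable drive with a password) can be driven from the BitLocker PowerShell module. The block below is an added example, not from the lecture. It assumes an elevated session, an operating system volume at C: with a ready TPM, a removable drive at E:, and Group Policy that allows a TPM startup PIN ("Require additional authentication at startup"); without that policy the TPM + PIN call fails. The drive letters are assumptions.

```powershell
# Added example, not from the lecture. Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated session.

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    # TPM + PIN is the multifactor option the best-practice slides recommend.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; initialize it before using TPM protectors'
    }

    # XTS-AES-256 is the strongest method offered. -UsedSpaceOnly is the
    # "encrypt only used disk space" option; omit it for a drive already in use.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # Always add a recovery password: after a firmware update or board swap the
    # TPM may refuse to release the key, and this is then the only way in.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # On a domain-joined machine, escrow it in AD DS (needs the policy
    # "Store BitLocker recovery information in Active Directory Domain Services").
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } catch {
        Write-Warning "AD DS backup failed: $($_.Exception.Message). Store the key offline."
    }
    return $rp   # .RecoveryPassword: show once, keep in a safe place, never in a script
}

function Enable-RemovableBitLocker {
    # BitLocker To Go: a password protector instead of the TPM, plus a recovery password.
    param(
        [string]$MountPoint = 'E:',
        [Parameter(Mandatory)][securestring]$Password
    )
    # XTS-AES volumes cannot be opened on systems older than Windows 10;
    # use -EncryptionMethod Aes256 if the drive must also be read there.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

function Get-BitLockerStatusReport {
    # One row per volume: state, progress, cipher and which protectors guard the key.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Status     = $_.VolumeStatus
            Protection = $_.ProtectionStatus
            Percent    = $_.EncryptionPercentage
            Method     = $_.EncryptionMethod
            Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

# Usage: prompt for secrets so they never land in the command history.
$pin = Read-Host -AsSecureString 'Startup PIN (6-20 digits)'
$rp  = Enable-OsVolumeBitLocker -MountPoint 'C:' -Pin $pin
"Recovery password for C: (store offline): $($rp.RecoveryPassword)"

$pw = Read-Host -AsSecureString 'Password for removable drive E:'
Enable-RemovableBitLocker -MountPoint 'E:' -Password $pw
Get-BitLockerStatusReport | Format-Table -AutoSize
```

`Get-BitLockerStatusReport` is worth keeping as a standalone audit: a volume whose `Protection` shows Off while `Status` shows FullyEncrypted has had its protectors suspended and is readable without any key.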


Encryption in Communications
 Encrypting communications follows the same idea as BitLocker To Go: data are protected while they move between computers, not only while stored
 Encrypted communication is when two entities are communicating and do not want a third party to intercept or listen in
 It lets people share information with varying degrees of certainty that third parties cannot read what was said
 Secure phones and crypto phones are mobile telephones that provide security against eavesdropping and electronic surveillance
Cont…
 The most common perception of encryption is that it ensures confidentiality: the ability to "hide" data from unauthorized users
 Cryptography can also provide integrity and nonrepudiation
 Integrity is assurance that data has not been modified since it was sent
 This is accomplished by computing a message authentication code (MAC) or digital signature over the data; a plain hash or checksum alone is not enough, since an attacker who can change the data can recompute the hash as well
 Modern protocols such as TLS therefore use authenticated encryption, which combines confidentiality and integrity in one operation


What is Non-repudiation?
 Non-repudiation is the assurance that someone cannot deny the validity of something
 Nonrepudiation means that a receiver can verify the source of a message and that the sender cannot later deny having sent it
 It is a legal concept widely used in information security and refers to a service that provides proof of the origin and integrity of data
 Windows supports the use of digital signatures to provide nonrepudiation: only the holder of the private key could have produced the signature, while anyone with the public key can verify it


Other Windows encryption methods and technology
The other encryption techniques supported by Windows are:
 Encryption in Communications
 Encryption Protocols in Microsoft Windows
 Microsoft Windows and Security Certificates
 Public Key Infrastructure
Figure: encryption process for data in transit (encrypted data transmission).
Figure: secure Web application connection.
Encryption Protocols in Microsoft Windows
SSL/TLS
 One of the most common types of encrypted communication is the Transport Layer Security (TLS) protocol
 TLS is the successor to Secure Sockets Layer (SSL); the name SSL/TLS is still used informally, but all SSL versions and TLS 1.0/1.1 are deprecated, and TLS 1.2 or 1.3 should be used
 It was originally introduced to secure Web application communication
 TLS provides the secure channel for the Hypertext Transfer Protocol Secure (HTTPS) protocol for secure Web pages.
SSL/TLS
 TLS creates an encrypted tunnel between a Web client, most commonly a Web browser, and a Web server
 All data sent back and forth between the server and the client are encrypted
 During the handshake the client and server negotiate a cipher suite, the server proves its identity with a certificate, and the two sides establish a shared session key using public-key cryptography (RSA key transport in older TLS versions, ephemeral Diffie-Hellman in TLS 1.2 and always in TLS 1.3)
 Once the session key has been securely established, both sides use fast symmetric encryption for subsequent communications.
The figure below shows a secure connection between a Web client and a Web server.
 Although SSL/TLS was created for Web application communication, it is commonly used in many applications, including Remote Desktop, database connections, and any network connection that requires exchanging encrypted data.
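To see the handshake described above from the client side, the .NET SslStream class (available in Windows PowerShell 5.1 and PowerShell 7) can open a TLS connection and report what was negotiated and which certificate the server presented. The following is an added example, not part of the lecture; the host name at the end is an assumption, and any HTTPS host will do.

```powershell
# Added example, not from the lecture: probe a TLS endpoint and report the
# negotiated protocol, cipher, key exchange and server certificate.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Offer only TLS 1.2 here; add ::Tls13 on .NET 4.8 / PowerShell 7.
        [System.Security.Authentication.SslProtocols]$Protocols =
            [System.Security.Authentication.SslProtocols]::Tls12
    )
    $script:lastPolicyErrors = $null
    # Record certificate problems and refuse the connection on any of them,
    # instead of the common (and dangerous) "return $true" validation bypass.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        $script:lastPolicyErrors = $policyErrors
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            # The handshake: cipher-suite negotiation, server certificate and
            # key establishment. The host name is also sent as SNI.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
            [pscustomobject]@{
                Host         = "${HostName}:${Port}"
                Protocol     = $ssl.SslProtocol
                Cipher       = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
                KeyExchange  = "$($ssl.KeyExchangeAlgorithm) $($ssl.KeyExchangeStrength)-bit"
                Hash         = $ssl.HashAlgorithm
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                PolicyErrors = $script:lastPolicyErrors
            }
        } finally { $ssl.Dispose() }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted root, expired certificate or host-name mismatch: our
        # callback rejected it. Report the reason rather than bypass it.
        [pscustomobject]@{
            Host         = "${HostName}:${Port}"
            Error        = $_.Exception.Message
            PolicyErrors = $script:lastPolicyErrors
        }
    } finally { $client.Dispose() }
}

Test-TlsEndpoint -HostName 'www.microsoft.com' | Format-List
# A host presenting a self-signed or expired certificate returns the Error
# row with PolicyErrors such as RemoteCertificateChainErrors.
```

Run against an internal server, the `Protocol` and `Cipher` fields show whether it still accepts legacy settings; the `Error` path is what a browser's certificate warning corresponds to, and the callback is the place where applications too often silence it.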
Virtual Private Network
 Another type of encrypted communication is a virtual private network (VPN)
 A VPN is a mechanism for creating a secure connection between a computing device and a network, or between two networks, over an insecure communication medium such as the public Internet
 This type of communication exists between a client and a server or between two servers (site-to-site)
 Once the VPN is established, all messages exchanged between the computers are encrypted.
Difference between a VPN and a standard TLS connection
 The difference between a VPN and a standard TLS connection is the number of applications each can carry
 A TLS connection is generally limited to a single application, while a VPN transports the traffic of many different applications over one tunnel.


 A client must initiate a VPN
 During negotiation, the client and server agree on a protocol and set up an encrypted tunnel
 The tunnel looks like a regular network connection to local applications, which need no special processing: applications send ordinary messages to one another while the VPN endpoints take care of the encryption and decryption


Figure: virtual private network (VPN).


Internet Protocol Security (IPSec)
 A common VPN protocol pair is Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec)
 In this pair, often written L2TP/IPSec, L2TP provides the tunnel and IPSec provides the encryption; L2TP alone has no encryption, which is why the encryption is described as optional
 The other common VPN protocol used in legacy systems is the Point-to-Point Tunneling Protocol (PPTP)
 Windows supports both L2TP/IPSec and PPTP when setting up VPNs
 PPTP should be treated as obsolete: its MPPE encryption keys derive from MS-CHAPv2, which can be cracked offline, so it offers no real protection against a capable attacker
 One drawback to both protocols is that they can have problems with firewalls and Web proxies, among other things
 Each protocol uses specific ports and IP protocols that must be open through network devices for it to work: PPTP needs TCP 1723 plus GRE (IP protocol 47); L2TP/IPSec needs UDP 500 (IKE), UDP 4500 (NAT traversal) and ESP (IP protocol 50)

IKEv2 and SSTP
 IKEv2 (Internet Key Exchange version 2) is the newer IPSec-based VPN protocol; it doesn't support as many platforms as some other VPN protocols, but it is very secure and fast, and it survives network changes (for example, Wi-Fi to mobile data) without dropping the tunnel
 IKEv2 uses UDP 500 and UDP 4500, so the same firewalls that block L2TP/IPSec can block it
 Secure Socket Tunneling Protocol (SSTP) carries PPP inside a TLS session on TCP 443, so it passes through nearly any firewall or Web proxy; Windows clients and servers support it, and it is the usual fallback when IKEv2 is blocked
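The Windows VPN client exposes these choices through the VpnClient module (Windows 8.1, 10 and 11). The following added example (not from the lecture) creates an IKEv2 connection with strong IPsec parameters and an SSTP fallback for networks that only allow TCP 443; the connection names and server address are assumptions, and `-AllUserConnection` needs an elevated session.

```powershell
# Added example, not from the lecture: IKEv2 with hardened IPsec settings,
# plus an SSTP connection as the firewall-friendly fallback.

function New-HardenedVpnConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,
        [ValidateSet('Ikev2', 'Sstp')][string]$TunnelType = 'Ikev2'
    )
    # -EncryptionLevel Required rejects an unencrypted PPP session. MS-CHAPv2 on
    # its own is the weakness that broke PPTP, so authenticate with a machine
    # certificate (IKEv2) or EAP (SSTP; set the EAP type with -EapConfigXmlStream
    # in production instead of accepting the default).
    $auth = if ($TunnelType -eq 'Ikev2') { 'MachineCertificate' } else { 'Eap' }
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType $TunnelType -AuthenticationMethod $auth `
        -EncryptionLevel Required -AllUserConnection -Force

    if ($TunnelType -eq 'Ikev2') {
        # Replace the default IPsec policy, which still accepts older
        # algorithms, with AES-256-GCM, SHA-256, 2048-bit DH and forward secrecy.
        Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
            -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
            -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
            -PfsGroup PFS2048 -Force
    }
    Get-VpnConnection -Name $Name -AllUserConnection
}

# Usage (names and server are assumptions)
New-HardenedVpnConnection -Name 'Corp-IKEv2' -ServerAddress 'vpn.example.com'
New-HardenedVpnConnection -Name 'Corp-SSTP' -ServerAddress 'vpn.example.com' -TunnelType Sstp

# Review what exists, including any leftover PPTP profiles that should be removed.
Get-VpnConnection -AllUserConnection |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

The IPsec parameters must match what the VPN server (for example, Windows Routing and Remote Access) is configured to offer, otherwise IKEv2 negotiation fails; a `TunnelType` of `Pptp` in the final listing is the legacy case the slides warn about.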


Wireless Security
 The original wireless security protocol, Wired Equivalent Privacy (WEP), has been shown to be easily compromised
 A determined attacker can recover a WEP key in just a few minutes
 The successor to WEP is Wi-Fi Protected Access (WPA)
 The original WPA implemented only a portion of the IEEE 802.11i standard (it kept the RC4 cipher, with TKIP as a stopgap)
 The successor to WPA, WPA2, is a full 802.11i implementation using AES-CCMP.
Cont…
 While full WPA2 (WPA2-Enterprise) requires an IEEE 802.1X authentication server such as RADIUS, the pre-shared key (PSK) mode bypasses the complexity of the authentication server
 Simpler deployments, including most homes and small businesses, use WPA-PSK or WPA2-PSK, where every device shares one passphrase-derived key
 The Wi-Fi Alliance announced WPA3 in 2018, the latest technology to secure wireless communication
 WPA3 focuses on making general-use devices on wireless networks easier to secure and harder to compromise; WPA3-Personal replaces PSK with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks on the passphrase
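A practical check for the WEP/WPA/WPA2/WPA3 distinction is to audit the Wi-Fi profiles saved on a Windows machine. The following added example (not from the lecture) exports the profiles with netsh and classifies each by its authentication and encryption settings; the classifier is also run on a constructed sample profile so the logic can be seen offline. The sample network name is made up.

```powershell
# Added example, not from the lecture: audit saved Wi-Fi profiles for
# WEP, TKIP or open networks. Uses the XML that "netsh wlan export profile"
# writes (keys are not exported unless key=clear is given).

function Get-WlanProfileVerdict {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($ProfileXml.NameTable)
    $ns.AddNamespace('p', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $name = $ProfileXml.SelectSingleNode('/p:WLANProfile/p:name', $ns).InnerText
    $auth = $ProfileXml.SelectSingleNode('//p:authEncryption/p:authentication', $ns).InnerText
    $enc  = $ProfileXml.SelectSingleNode('//p:authEncryption/p:encryption', $ns).InnerText

    # Values follow the netsh profile schema: open/shared/WPAPSK/WPA2PSK/WPA2/WPA3SAE
    # for authentication and none/WEP/TKIP/AES for encryption.
    $verdict = switch -Regex ("$auth/$enc") {
        '^open/none$'         { 'UNSAFE: open network, no encryption'; break }
        '^(open|shared)/WEP$' { 'UNSAFE: WEP, key recoverable in minutes'; break }
        '/TKIP$'              { 'WEAK: TKIP (original WPA); move to WPA2-AES or WPA3'; break }
        '^WPA3SAE/'           { 'OK: WPA3-Personal (SAE)'; break }
        '^WPA2PSK/AES$'       { 'OK: WPA2-Personal (AES-CCMP); use a long passphrase'; break }
        '^WPA2/AES$'          { 'OK: WPA2-Enterprise (802.1X)'; break }
        default               { "REVIEW: $auth/$enc" }
    }
    [pscustomobject]@{ Profile = $name; Authentication = $auth; Encryption = $enc; Verdict = $verdict }
}

function Get-WlanProfileAudit {
    # Export every saved profile to a temporary folder, classify, then clean up.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        Get-ChildItem -Path $dir -Filter '*.xml' | ForEach-Object {
            Get-WlanProfileVerdict -ProfileXml ([xml](Get-Content -LiteralPath $_.FullName -Raw))
        }
    } finally { Remove-Item -Path $dir -Recurse -Force }
}

# Constructed sample profile (same shape as netsh output) for a WEP network.
$sample = [xml]@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CoffeeShop-Legacy</name>
  <SSIDConfig><SSID><name>CoffeeShop-Legacy</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>
'@
Get-WlanProfileVerdict -ProfileXml $sample | Format-List   # Verdict: UNSAFE: WEP ...

# Profiles actually saved on this machine:
Get-WlanProfileAudit | Format-Table -AutoSize
```

Profiles flagged UNSAFE can be removed with `netsh wlan delete profile name="<name>"`, which also stops the adapter from auto-connecting to a network an attacker could impersonate.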
Microsoft Windows and Security Certificates
 Encryption algorithms are of two types: symmetric and asymmetric
 Symmetric algorithms use the same key to encrypt and decrypt data
 Asymmetric algorithms use two related keys: one key to encrypt data and the other key to decrypt data
 In general, symmetric algorithms are much faster than asymmetric algorithms of the same strength
 For large amounts of data or frequent encryption/decryption cycles, symmetric algorithms are preferable to asymmetric algorithms because of their faster execution time.
Problem of symmetric algorithms
 The main problem with using symmetric algorithms in distributed applications, such as web applications or VPNs, is getting the same key to both server and client
 If you can't get the encryption key to a client in a secure manner, then you can't create a secure connection
 One approach to the problem is to use only asymmetric encryption, but asymmetric encryption is slower and requires substantial overhead to maintain connections.
 The standard solution is to use asymmetric encryption to exchange a symmetric key (a "hybrid" scheme)
 The sender generates a random symmetric session key and encrypts it with the receiver's public key
 Only the receiver can decrypt the message, using the receiver's private key (encrypting with the sender's private key would give no secrecy, since anyone holding the sender's public key could read it; a private key is used for signing, not for hiding data)
 Once the key is properly exchanged, all subsequent communication can use the faster symmetric encryption
 One problem with this approach is ensuring there is trust when negotiating and exchanging encryption keys during connection setup
 You have to trust that the public key really belongs to the party it claims to, and not to an impostor performing a man-in-the-middle attack
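The hybrid scheme above, together with the integrity (MAC) and nonrepudiation (signature) services from the "Encryption in Communications" slides, can be demonstrated end to end with the .NET cryptography classes that ship with Windows PowerShell 5.1 and PowerShell 7. The following is an added example, not from the lecture: the sender wraps a fresh AES key with the receiver's public key (RSA-OAEP), encrypts with AES-CBC, authenticates the ciphertext with HMAC-SHA256, and signs the package with the sender's private key. The key pairs are generated in mem ory for the demo and the message text is constructed.

```powershell
# Added example, not from the lecture: hybrid encryption done the right way
# round, with encrypt-then-MAC integrity and a sender signature.

function New-HybridEnvelope {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSA]$ReceiverPublic,
          [System.Security.Cryptography.RSA]$SenderPrivate)
    $aes = [System.Security.Cryptography.Aes]::Create()     # AES-256, CBC, PKCS7
    $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $mac = [System.Security.Cryptography.HMACSHA256]::new() # fresh random MAC key

    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Encrypt-then-MAC over IV || ciphertext: tampering is detected before decryption.
    $tag = $mac.ComputeHash([byte[]]($aes.IV + $ct))

    # Session keys are wrapped with the RECEIVER's public key; only the
    # receiver's private key can unwrap them. (Wrapping with the sender's
    # private key, as the slide originally said, would hide nothing.)
    $wrapped = $ReceiverPublic.Encrypt([byte[]]($aes.Key + $mac.Key),
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)

    $body = [byte[]]($wrapped + $aes.IV + $ct + $tag)
    # Signature with the SENDER's private key: origin and nonrepudiation.
    $sig = $SenderPrivate.SignData($body,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [pscustomobject]@{ Body = $body; Signature = $sig; WrappedLength = $wrapped.Length }
}

function Open-HybridEnvelope {
    param($Envelope,
          [System.Security.Cryptography.RSA]$ReceiverPrivate,
          [System.Security.Cryptography.RSA]$SenderPublic)
    $body = [byte[]]$Envelope.Body
    $ok = $SenderPublic.VerifyData($body, [byte[]]$Envelope.Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $ok) { throw 'Signature invalid: envelope is not from the claimed sender' }

    $wl   = $Envelope.WrappedLength
    $keys = $ReceiverPrivate.Decrypt([byte[]]$body[0..($wl - 1)],
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aesKey = [byte[]]$keys[0..31]
    $macKey = [byte[]]$keys[32..($keys.Length - 1)]
    $iv  = [byte[]]$body[$wl..($wl + 15)]
    $tag = [byte[]]$body[($body.Length - 32)..($body.Length - 1)]
    $ct  = [byte[]]$body[($wl + 16)..($body.Length - 33)]

    # Recompute the MAC and compare without an early exit (timing-safe).
    $expected = [System.Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash([byte[]]($iv + $ct))
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'MAC mismatch: ciphertext was modified in transit' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $aesKey; $aes.IV = $iv
    $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

# Demo: two parties with RSA key pairs (2048-bit by default on current .NET).
$sender   = [System.Security.Cryptography.RSA]::Create()
$receiver = [System.Security.Cryptography.RSA]::Create()
$msg = [Text.Encoding]::UTF8.GetBytes('Constructed message: wire transfer approved')

$envelope = New-HybridEnvelope -Plaintext $msg -ReceiverPublic $receiver -SenderPrivate $sender
$out = Open-HybridEnvelope -Envelope $envelope -ReceiverPrivate $receiver -SenderPublic $sender
[Text.Encoding]::UTF8.GetString($out)

# Flip one ciphertext byte: the signature check rejects the envelope; the MAC
# would catch the same change if the package were delivered unsigned.
$envelope.Body[$envelope.WrappedLength + 20] = $envelope.Body[$envelope.WrappedLength + 20] -bxor 1
try { Open-HybridEnvelope -Envelope $envelope -ReceiverPrivate $receiver -SenderPublic $sender }
catch { $_.Exception.Message }
```

In a real deployment the receiver's public key would arrive inside a certificate (next slides) rather than as an in-memory object, which is exactly the trust problem the last two bullets above describe; TLS performs the same steps with ephemeral keys and authenticated encryption rather than a hand-built MAC.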


Digital Certificate
 A security certificate, also called a digital certificate, is used to deliver a trusted public key that can be used with assurance that it belongs to the stated owner
 A digital certificate is an electronic document that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI)
 A security certificate contains identity information and a public key, along with other descriptive information (validity period, intended key usage, issuer)
 The document is then digitally signed with the private key of a trusted entity (the certificate is not encrypted; anyone can read it, but its signature can only have been produced by the trusted entity)
Cont…
 The signature on a digital certificate can be verified with the public key of the trusted entity; if verification succeeds, the certificate came from that entity and has not been altered
 Once verified, the certificate yields a public key from a source that can be trusted, or at least you can trust that the key was vouched for by the stated issuer
 The most commonly used format for digital certificates is defined by the International Telecommunication Union (ITU-T) in the X.509 standard.
CERTIFICATE TYPE            DESCRIPTION
TLS/SSL server certificate  A certificate presented by a TLS/SSL server to authenticate that server during TLS/SSL connection setup.
TLS/SSL client certificate  A certificate presented by a TLS/SSL client during TLS/SSL connection setup when bidirectional (server and client) authentication is required.
Email certificate           Used by the S/MIME secure email protocol: a sender obtains the recipient's public key from the recipient's certificate and uses it to encrypt email messages for that recipient; the sender's own certificate is used to sign messages.
Code signing certificate    Used to validate signatures on compiled programs, to detect any unauthorized changes made after signing.
Qualified certificate       A certificate that identifies an individual and is commonly used with electronic signatures.
Self-signed certificate     A certificate signed with the private key of its own subject, so issuer and subject are the same. Because no independent authority vouches for it, its value rests entirely on the trust a certificate user has for whoever generated it. Generally regarded as untrusted, self-signed certificates are sometimes called snake oil certificates. (A root CA's own certificate is also self-signed, but it is trusted because it is pre-installed in the trust store, not because of its signature.)
Public Key Infrastructure
 The general approach to handling keys using trusted entities and digital certificates has been formalized into a strategy called the public key infrastructure (PKI)
 PKI is the collection of hardware, software, policies, and procedures needed to create, distribute, manage, and revoke digital certificates
 The PKI process starts with a list of trusted entities and their public keys
 A trusted entity is generally a certificate authority (CA) or another defined trusted source
Cont…
 Each computer system contains a list of the public keys (root certificates) of trusted entities
 A document that is signed with a trusted entity's private key can be verified with the same entity's public key
 When setting up a connection, you would first obtain the other party's security certificate and check that it is signed by a trusted entity


Cont…
 In the formal PKI process, the owner of the connection's target (for example, a server) requests a certificate from the PKI registration authority (RA)
 The RA authenticates the requester and directs the CA to issue the certificate
 A client connecting to the target receives that certificate and verifies the CA's signature on it using the CA's public key from its trusted list
 The certificate contains the public key for the target
 Once the target's public key is obtained, you can use it to encrypt messages (or, in TLS, to authenticate the key exchange) that only the target can complete with its private key.
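The verification step a relying party performs can be reproduced on a Windows machine with the .NET X509Chain class, which walks from a certificate up to the roots in the local trust store. The following added example (not from the lecture) reports the X.509 fields, whether the certificate is self-signed, and whether a trusted root anchors it; it creates a throwaway self-signed certificate in the current user's store for the demonstration and removes it afterwards. The subject name used is made up.

```powershell
# Added example, not from the lecture: inspect a certificate the way a
# relying party does and build its chain against the local trusted roots.

function Get-CertificateTrustReport {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Name-based self-signed check; the chain build below shows whether the
    # signature is anchored anywhere (a self-signed leaf ends in UntrustedRoot).
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation checking needs network access to CRL/OCSP; switched off here so
    # the report works offline. Use Online in production.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)    # $false when no trusted root anchors it
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages.FriendlyName }

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        NotBefore    = $Certificate.NotBefore
        NotAfter     = $Certificate.NotAfter
        Expired      = (Get-Date) -gt $Certificate.NotAfter
        SignatureAlg = $Certificate.SignatureAlgorithm.FriendlyName
        KeyUsage     = ($eku -join ', ')
        SelfSigned   = $selfSigned
        ChainTrusted = $trusted
        ChainStatus  = if ($status) { $status } else { 'OK' }
        ChainLength  = $chain.ChainElements.Count
    }
}

# 1. A throwaway self-signed certificate (the "snake oil" case from the table).
$test = New-SelfSignedCertificate -Subject 'CN=selfsigned.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
try {
    Get-CertificateTrustReport -Certificate $test | Format-List
    # Expect SelfSigned = True, ChainTrusted = False, ChainStatus = UntrustedRoot
} finally {
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $test.Thumbprint)
}

# 2. A CA-issued certificate from the machine store, if one is present.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object -First 1 |
    ForEach-Object { Get-CertificateTrustReport -Certificate $_ | Format-List }
```

The only way to make the first report show `ChainTrusted = True` is to place the certificate in a trusted root store, which is precisely the decision the best-practice slides say to reserve for known CAs.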


Best Practices for Windows Encryption Techniques
 Change your passwords periodically. The longer passwords remain unchanged, the higher the probability they will be compromised; change passwords at least every six months. (Note that more recent guidance, such as NIST SP 800-63B, favours long passphrases and changing them when compromise is suspected over fixed rotation schedules.)
 Do not write down passwords. Passwords that are written down are easier for an attacker to find and use; choose passwords that can be remembered.


Cont…
 Export recovery keys to removable media and store the media in a safe place. EFS or BitLocker recovery information should be physically stored in a separate, safe location.
 Encrypt the My Documents (Documents) folder for all users. Since most people use it for most document files, encrypting this folder will protect the most commonly used file folder.


 Never encrypt individual files; always encrypt folders. This keeps any sensitive data from ever being written to the disk in plaintext.
 Designate two or more recovery agent accounts per organizational unit.
 Designate two or more computers for recovery, one for each designated recovery agent account.


 Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. This keeps sensitive information from being stored in plaintext on a print server.
 Use multifactor authentication (TPM + PIN, or TPM + USB key) when using BitLocker on operating system volumes to increase volume security.
 Store recovery information for BitLocker in Active Directory Domain Services to provide a secure storage location.


 Disable standby (sleep) mode for portable computers that use BitLocker. BitLocker protection is effective only when computers are turned off or in hibernation; during sleep the volume key stays in memory and can be read by an attacker with physical access.
 When BitLocker keys have been compromised, either format the volume or decrypt and re-encrypt the entire volume to remove the BitLocker metadata and generate fresh keys.
 Require strong passwords for all VPN connections.


 Use the strongest level of encryption that your situation allows for VPNs.
 Use SSTP (or IKEv2) for VPNs when possible, and avoid PPTP.
 Disable SSID broadcasting for wireless networks. (This only hides the network name from casual users; it is not an encryption control and must not replace WPA2/WPA3.)
 Never use WEP for wireless networks; use only WPA2 or WPA3.
 Trust only certificates from known CAs or trusted sites.
 Train users to reject certificates from unknown or untrusted sites.


LECTURE SUMMARY
 A solid security strategy depends on multiple layers of controls to protect each object
 In this lecture, we learned how additional layers of controls using encryption can increase the security of sensitive data
 Windows includes the ability to encrypt data at rest using EFS, BitLocker, and BitLocker To Go
 Windows also supports encryption of data in transit through the use of several protocols and methods
 Selecting the best mix of encryption methods and applying best practices when using those methods will make your data more secure, both at rest and in transit
END
