How to Import Personal Certificates
You can share encrypted files with other users if you have the certificate for the other user.
To allow another user to use a file that you have encrypted, you need to import the user’s
certificate onto your computer and add the user’s name to the list of users who are permitted
access to the file, as described in the previous section.
To import a user certificate, perform these steps:
1. Click Start, type mmc, and then press Enter to open a blank MMC.
2. Click File, and then click Add/Remove Snap-in.
3. Select Certificates and click Add. Select My User Account and click Finish. Click OK to
close the Add Or Remove Snap-ins dialog box.
4. Select Certificates, and then select Trusted People.
5. Right-click Trusted People. On the All Tasks menu, click Import to open the Certificate
Import Wizard.
6. Click Next and then browse to the location of the certificate you want to import.
7. Select the certificate and then click Next.
8. Type the password for the certificate and then click Next.
9. Click Next to place the certificate in the Trusted People store.
10. Click Finish to complete the import.
11. Click OK to acknowledge the successful import, and then exit the MMC.
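The same import, done from PowerShell instead of the Certificates snap-in, as an added example that is not from the book: it checks that the certificate actually carries the EFS enhanced key usage before placing it in the current user's Trusted People store, and echoes the thumbprint so you can confirm it with the certificate's owner out of band. The `.cer` path is a placeholder; the EFS EKU OID (1.3.6.1.4.1.311.10.3.4) is Microsoft's published value.

```powershell
# Added example (not from the book): import another user's EFS certificate into
# Cert:\CurrentUser\TrustedPeople after checking it is intended for EFS.
# Assumption: the .cer path below is a placeholder you replace.

$efsEkuOid = "1.3.6.1.4.1.311.10.3.4"   # Enhanced Key Usage: Encrypting File System

function Import-EfsUserCertificate {
    param([Parameter(Mandatory=$true)][string]$CerPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Only certificates that carry the EFS EKU are useful here; anything else would
    # just widen what Trusted People trusts without enabling file sharing.
    $hasEfs = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsEkuOid) { $hasEfs = $true }
            }
        }
    }
    if (-not $hasEfs) {
        throw "Certificate $($cert.Thumbprint) has no EFS enhanced key usage; not importing."
    }

    # Self-issued EFS certificates (the common case on workgroup computers) will not
    # chain to a trusted root, so treat a failed Verify() as a reason to confirm the
    # thumbprint with the owner rather than as a hard failure.
    if (-not $cert.Verify()) {
        Write-Warning "Chain validation failed for $($cert.Thumbprint); confirm this thumbprint with the owner."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPeople", "CurrentUser"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($cert)
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

# Usage (placeholder path); then confirm the certificate is in the store.
$thumb = Import-EfsUserCertificate -CerPath "C:\Temp\OtherUser-EFS.cer"
Get-ChildItem Cert:\CurrentUser\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Format-List Subject, NotAfter, Thumbprint
```

The EKU check is the one step the wizard does not do for you; a certificate that lacks it will never appear as a usable user when you add it to a file's access list, so rejecting it early saves a confusing failure later.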
Now you can grant that user access to EFS-encrypted files.
How to Recover an EFS-encrypted File Using a Data Recovery Agent
EFS grants data recovery agents (DRAs) permission to decrypt files so that an administrator
can restore an encrypted file if the user loses his or her EFS key. By default, workgroup
computers configure the local Administrator account as the DRA. In domain environments,
domain administrators configure one or more user accounts as DRAs for the entire domain.
Because DRA certificates are not copied automatically when an administrator logs onto
a computer, the process of copying the DRA certificate and recovering an EFS-encrypted file is
somewhat lengthy (but straightforward). To recover an EFS-encrypted file, perform these steps:
1. First, you need to obtain a copy of the DRA certificate. By default, this is stored in
the Administrator user account on the first domain controller in the domain. To obtain
it, log on to the first domain controller in the domain using the DRA account (by default,
the Administrator account).
2. Click Start, and then click Run. Type mmc, and then press Enter. Respond to the UAC
prompt that appears.
3. Click File, and then click Add/Remove Snap-In.
4. Click Add.
A list of all the registered snap-ins on the current computer appears.
5. Double-click the Certificates snap-in.
6. If the Certificates Snap-In Wizard appears, select My User Account, and then click
Finish. Click OK.
The MMC console now shows the Certificates snap-in.
7. Browse to Certificates - Current User\Personal\Certificates. In the details pane,
right-click the domain DRA certificate, click All Tasks, and then click Export (as shown
in Figure 4-12). By default, this is the Administrator certificate that is also signed by the
Administrator, and it has the Intended Purpose shown as File Recovery.
FIGURE 4-12 Exporting a certificate for EFS recovery
8. In the Certificate Export Wizard, click Next.
9. On the Export Private Key page, select Yes, Export The Private Key, and then click Next.
10. On the Export File Format page, accept the default settings shown in Figure 4-13, and
then click Next. For security reasons, you might want to select the Delete The Private
Key If The Export Is Successful check box and then store the private key on removable
media in a safe location. Then, use the removable media when you need to recover an
EFS-encrypted file.
11. On the Password page, type a recovery password twice. Click Next.
12. On the File To Export page, type a file name for the exported key file, saving it on
removable media. Click Next.
13. On the Completing The Certificate Export Wizard page, click Finish. Then, click OK.
FIGURE 4-13 Using the default .PFX file format for the DRA recovery key
Now you are ready to import the DRA key on the client computer that requires recovery.
Log on to the client computer and perform these steps:
1. Click Start, and then click Run. Type mmc, and then press Enter.
2. Click File, and then click Add/Remove Snap-In. Respond to the UAC prompt that
appears.
3. Click Add.
A list of all the registered snap-ins on the current computer appears.
4. Double-click the Certificates snap-in.
5. In the Certificates Snap-In Wizard, select My User Account, and then click Finish.
Click OK.
The MMC console now shows the Certificates snap-in.
6. Right-click Certificates - Current User\Personal\Certificates, click All Tasks, and then
click Import.
7. In the Certificate Import Wizard, click Next.
8. On the File To Import page, click Browse. In the Open dialog box, click the file types list
(above the Open button) and select Personal Information Exchange. Then, select the
DRA key file and click Open. Click Next.
9. On the Password page, type the password you used to protect the DRA key. Click Next.
10. On the Certificate Store page, leave the default selection to store the certificate in the
Personal store. Click Next.
11. Click Finish, and then click OK.
Now you can open or decrypt the files just as if you had been added as an authorized user.
To decrypt the files, view the properties for the file or folder and clear the Encrypt Contents
To Secure Data check box. After you click OK twice, Windows uses the DRA key to decrypt
the files. Now that the files are unencrypted, the user who owns the files should immediately
re-encrypt them.
TIP DECRYPTING RECOVERED FILES
If you use Windows Backup, files recovered from backup media will still be encrypted with
EFS. Simply recover the files to a computer and have the DRA log on to that computer to
decrypt them.
After recovering files, remove any copies of your DRA. Because the DRA can be used
to decrypt any file in your domain, it’s critical that you not leave a copy of it on a user’s
computer.
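The recovery and cleanup sequence above, scripted with the in-box certutil.exe and cipher.exe, as an added example that is not from the book. It imports the exported DRA key into the current user's Personal store, decrypts the file, and then removes the DRA certificate from that store whether or not the decryption succeeded, which is the point the TIP above makes. The `.pfx` path, its password and the file path are placeholders; the File Recovery EKU OID (1.3.6.1.4.1.311.10.3.4.1) is Microsoft's published value and is used to find exactly the certificate that was imported.

```powershell
# Added example (not from the book): recover one EFS-encrypted file with an exported
# DRA key, then remove the DRA certificate from this computer.
# Assumptions: DRA.pfx, its password and the file to recover are placeholders;
# certutil.exe and cipher.exe are the in-box Windows tools.

$fileRecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"   # Enhanced Key Usage: File Recovery

function Get-DraCertificates {
    # Every certificate in the user's Personal store that carries the File Recovery EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $found = $false
        foreach ($ext in $_.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $fileRecoveryEku) { $found = $true }
                }
            }
        }
        $found
    }
}

function Recover-EfsFileWithDra {
    param(
        [Parameter(Mandatory=$true)][string]$DraPfx,
        [Parameter(Mandatory=$true)][string]$PfxPassword,
        [Parameter(Mandatory=$true)][string]$FilePath
    )

    # 1. Import the DRA certificate and private key into Cert:\CurrentUser\My.
    certutil -user -p $PfxPassword -importPFX $DraPfx | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }

    $dra = @(Get-DraCertificates)
    if ($dra.Count -eq 0) { throw "No certificate with the File Recovery EKU found after import." }

    try {
        # 2. cipher /c lists the users and recovery agents named in the file, so you can
        #    see that this DRA is one of them before trying to decrypt.
        cipher /c $FilePath

        # 3. Decrypt in place. The owning user should re-encrypt the file afterwards.
        cipher /d $FilePath
        if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
    } finally {
        # 4. Always remove the DRA certificate from this computer, even if step 3 failed.
        foreach ($c in $dra) {
            certutil -user -delstore My $c.Thumbprint | Out-Null
        }
        $left = @(Get-DraCertificates)
        if ($left.Count -gt 0) {
            Write-Warning "DRA certificate still present: $($left | ForEach-Object { $_.Thumbprint })"
        } else {
            Write-Host "DRA certificate removed from Cert:\CurrentUser\My"
        }
    }
}

# Usage (placeholders):
Recover-EfsFileWithDra -DraPfx "E:\DRA.pfx" -PfxPassword "placeholder" -FilePath "C:\Users\Alice\Documents\Report.docx"
```

The `finally` block is deliberate: the one outcome worse than a failed recovery is a failed recovery that leaves a domain-wide decryption key sitting in a user's certificate store. Keeping the exported `.pfx` only on removable media, as step 10 of the export procedure suggests, limits what is on the client to the duration of the script.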
BitLocker
NTFS file permissions provide access control when the operating system is online. EFS
supplements NTFS file permissions by using encryption to provide access control that is
in effect even if an attacker bypasses the operating system (for example, by starting the
computer from a bootable DVD). BitLocker Drive Encryption, like EFS, uses encryption.
However, BitLocker has several key differences from EFS:
■ BitLocker encrypts entire volumes, including the system volume and all user and
system files. EFS cannot encrypt system files.
■ BitLocker protects the computer at startup before the operating system starts. After
the operating system starts, BitLocker is completely transparent.
■ BitLocker provides computer-specific encryption, not user-specific encryption.
Therefore, you still need to use EFS to protect private files from other valid users.
■ BitLocker can protect the integrity of the operating system, helping to prevent rootkits
and offline attacks that modify system files.
NOTE EDITIONS OF WINDOWS 7 CONTAINING BitLocker
BitLocker is a feature of Windows 7 Enterprise and Windows 7 Ultimate. It is not supported
on other editions of Windows 7.
Previous versions of Windows required administrators to configure BitLocker partitions
manually. Windows 7 setup automatically configures partitions compatible with BitLocker.
How to Use BitLocker with TPM Hardware
If available, BitLocker seals the symmetric encryption key in a Trusted Platform Module (TPM)
1.2 chip (available in some newer computers). If the computer does not have a TPM chip,
BitLocker stores the encryption key on a USB flash drive that must be provided every time the
computer starts or resumes from hibernation.
Many TPM-equipped computers have the TPM chip disabled in the basic input/output
system (BIOS). Before you can use it, you must enter the computer’s BIOS settings and enable
it. After you enable the TPM chip, BitLocker performs the TPM initialization automatically.
To allow you to initialize TPM chips manually and turn them on or off at the operating system
level, Windows 7 includes the TPM Management snap-in, as shown in Figure 4-14. To use it,
open a blank MMC console and add the snap-in.
FIGURE 4-14 Using the TPM Management snap-in to initialize a TPM manually
NOTE BitLocker INITIALIZES A TPM BY ITSELF
Because BitLocker handles the TPM initialization for you, the TPM Management snap-in is
not discussed further in this book.
BitLocker has several modes available on computers with TPM hardware:
■ TPM only This mode is transparent to the user, and the user logon experience is
exactly the same as it was before BitLocker was enabled. During startup, BitLocker
communicates with the TPM hardware to validate the integrity of the computer
and operating system. However, if the TPM is missing or changed, if the hard disk
is moved to a different computer, or if critical startup files have changed, BitLocker
enters recovery mode. In recovery mode, the user needs to enter a 40-digit recovery
key or insert a USB flash drive with a recovery key stored on it to regain access to the
data. TPM-only mode provides protection from hard-disk theft with no user training
necessary.
■ TPM with external key In this mode, BitLocker performs the same integrity checks
as TPM-only mode but also requires the user to provide an external key (usually a USB
flash drive with a certificate stored on it) to start Windows. This provides protection
from both hard-disk theft and stolen computers (assuming the computer was shut
down or locked); however, it requires some effort from the user.
■ TPM with PIN In this mode, BitLocker requires the user to type a PIN to start
Windows.
■ TPM with PIN and external key In this mode, BitLocker requires the user to provide
an external key and to type a PIN.
When TPM hardware is available, BitLocker validates the integrity of the computer
and operating system by storing “measurements” of various parts of the computer and
operating system in the TPM chip. In its default configuration, BitLocker instructs the TPM
to measure the master boot record, the active boot partition, the boot sector, the Windows
Boot Manager, and the BitLocker storage root key. Each time the computer is booted, the
TPM computes the SHA-1 hash of the measured code and compares this to the hash stored
in the TPM from the previous boot. If the hashes match, the boot process continues; if the
hashes do not match, the boot process halts. At the conclusion of a successful boot process,
the TPM releases the storage root key to BitLocker; BitLocker decrypts data as Windows
reads it from the protected volume. Because no other operating system can do this (even an
alternate instance of Windows 7), the TPM never releases the key and therefore the volume
remains a useless encrypted blob. Any attempts to modify the protected volume will render it
unbootable.
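To make the measurement idea concrete, here is a small model of the hash chain a TPM 1.2 builds, as an added example that is not from the book. Each boot component is hashed and "extended" into a register (new value = SHA-1 of the old value concatenated with the measurement), so the final value depends on every component and on their order. The example models only that chain with constructed stand-in contents; it does not model key sealing or the real register assignment BitLocker uses, and a one-byte change to one component is shown to produce a different final value.

```powershell
# Added example (not from the book): a minimal model of TPM 1.2 "extend" to show why a
# modified boot component changes the value the TPM compares against.
# Assumptions: extend is modelled as SHA1(oldPCR || SHA1(component)); component bytes
# are constructed stand-ins, not real boot code; sealing is not modelled.

$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Get-Sha1Bytes([byte[]]$Data) { return $sha1.ComputeHash($Data) }

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Measurement)
    # TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || measurement)
    return Get-Sha1Bytes ([byte[]]($Pcr + $Measurement))
}

function Get-BootMeasurement {
    param([hashtable]$Components)   # name -> byte[] content
    $pcr = New-Object byte[] 20      # registers start as all zeros at power-on
    # Boot order is fixed; extending the same components in a different order
    # would also produce a different value.
    foreach ($name in @("MBR", "BootSector", "BootManager")) {
        $measurement = Get-Sha1Bytes $Components[$name]
        $pcr = Invoke-PcrExtend -Pcr $pcr -Measurement $measurement
    }
    return [System.BitConverter]::ToString($pcr).Replace("-", "")
}

$enc = [System.Text.Encoding]::ASCII
$good = @{
    MBR         = $enc.GetBytes("constructed MBR bytes")
    BootSector  = $enc.GetBytes("constructed boot sector bytes")
    BootManager = $enc.GetBytes("constructed bootmgr bytes")
}
# The value recorded when BitLocker was enabled
$sealedValue = Get-BootMeasurement $good

# Simulate a single-byte change to the boot manager (for example an in-place update)
$changed = $good.Clone()
$changed.BootManager = $enc.GetBytes("constructed bootmgr bytes!")
$current = Get-BootMeasurement $changed

"Sealed : $sealedValue"
"Current: $current"
if ($current -eq $sealedValue) {
    "Measurements match: the TPM would release the key"
} else {
    "Measurements differ: the TPM keeps the key and BitLocker enters recovery"
}
```

This is also why the nonattack scenarios listed later in the lesson (BIOS updates, boot manager changes, moving the disk) trigger recovery: the TPM cannot tell a legitimate update from tampering, it only sees that the chain no longer matches.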
How to Enable the Use of BitLocker on Computers without TPM
If TPM hardware is not available, BitLocker can store decryption keys on a USB flash drive
instead of using a built-in TPM module. Using BitLocker in this configuration can be risky,
however, because if the user loses the USB flash drive, the encrypted volume is no longer
accessible and the computer cannot start without the recovery key. Windows 7 does not
make this option available by default.
To use BitLocker encryption on a computer without a compatible TPM, you need to
change a computer Group Policy setting by performing these steps:
1. Open the Group Policy Object Editor by clicking Start, typing gpedit.msc,
and pressing Enter. Respond to the UAC prompt that appears.
2. Navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
3. Enable the Require Additional Authentication At Startup setting. Then select the Allow
BitLocker Without A Compatible TPM check box. Click OK.
If you plan to deploy BitLocker in an enterprise using USB flash drives instead of TPM, you
should deploy this setting with domain-based Group Policy settings.
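For a scripted deployment, here is the same change applied through the policy registry values that the administrative template writes, preceded by a check for usable TPM hardware so the no-TPM policy is only set where it is needed. This is an added example, not from the book; it assumes the FVE policy key and the value names UseAdvancedStartup and EnableBDEWithNoTPM are the ones Group Policy writes for this setting, that it runs elevated, and that on a domain member domain-based Group Policy will overwrite whatever is set locally.

```powershell
# Added example (not from the book): detect a usable TPM and, if there is none, set the
# local policy equivalent of "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM".
# Assumptions: run elevated; registry path and value names are those the administrative
# template writes; domain Group Policy takes precedence on domain members.

function Test-TpmUsable {
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }            # no TPM device or driver present
    return [bool]$tpm.IsEnabled().IsEnabled     # present, but may still be disabled in the BIOS
}

function Enable-BitLockerWithoutTpmPolicy {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "Require Additional Authentication At Startup" = Enabled
    Set-ItemProperty -Path $key -Name "UseAdvancedStartup" -Value 1 -Type DWord
    # "Allow BitLocker Without A Compatible TPM" check box
    Set-ItemProperty -Path $key -Name "EnableBDEWithNoTPM" -Value 1 -Type DWord
    # Read back so the caller can see what is now in effect
    Get-ItemProperty -Path $key | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM
}

if (Test-TpmUsable) {
    "TPM is present and enabled; the no-TPM policy is not needed."
} else {
    "No usable TPM found; allowing BitLocker with a USB startup key instead."
    Enable-BitLockerWithoutTpmPolicy
    # With the policy in place the wizard offers the USB key option. The command-line
    # equivalent, saving the startup key to E:\ and printing a recovery password, is:
    #   manage-bde -on C: -StartupKey E:\ -RecoveryPassword
}
```

Checking the TPM first matters because the lesson's warning about this configuration is real: a lost USB startup key means the computer cannot start without the recovery key, so the no-TPM path should be the exception, not the default.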
How to Enable BitLocker Encryption
Individual users can enable BitLocker from Control Panel, but most enterprises should use
AD DS to manage keys.
MORE INFO CONFIGURING AD DS TO BACK UP BitLocker
For detailed instructions on how to configure AD DS to back up BitLocker and TPM
recovery information, read “Configuring Active Directory to Back up Windows BitLocker
Drive Encryption and Trusted Platform Module Recovery Information”
at http://go.microsoft.com/fwlink/?LinkId=78953.
To enable BitLocker from Control Panel, perform these steps:
1. Perform a full backup of the computer, and then run a check of the integrity of the
BitLocker partition using ChkDsk.
2. Open Control Panel. Click the System And Security link. Under BitLocker Drive
Encryption, click the Protect Your Computer By Encrypting Data On Your Disk link.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker.
4. On the BitLocker Drive Encryption Setup page, click Next.
5. If the Preparing Your Drive For BitLocker page appears, click Next. If you are required
to restart your computer, do so.
6. If the Turn On The TPM Security Hardware page appears, click Next, and then click
Restart.
7. If the volume is the system volume and the choice has not been blocked by
a Group Policy setting, in the Set BitLocker Startup Preferences dialog box (shown
in Figure 4-15), select your authentication choice. The choices vary depending on
whether the computer has a built-in TPM chip.
FIGURE 4-15 Startup options in BitLocker
The choices include the following:
■ Use BitLocker Without Additional Keys Uses the TPM to verify the integrity of
the operating system at every startup. This option does not prompt the user during
startup, providing completely transparent protection.
■ Require PIN At Every Startup Uses the TPM to verify the integrity of the
operating system at startup and requires the user to type a PIN to verify the user’s
identity. This option provides additional protection but can inconvenience the user.
If you choose to use a PIN, the Enter A Startup Pin page appears. Type your PIN and
then click Set PIN.
■ Require Startup USB Key At Every Startup Does not require TPM hardware.
This option requires the user to insert a USB key containing the decryption key at
startup. Alternatively, users can type a recovery key to gain access to the encrypted
system partition. If you choose to use a USB key, the Save Your Startup Key page
appears. Select the startup key and then click Save.
NOTE REQUIRING BOTH A STARTUP USB KEY AND A PIN
The BitLocker wizard allows you to choose either a PIN or a startup USB key. If you want
to use both, use the Manage-bde command-line tool. For example, to protect the
C:\ drive with both using a startup key located on the E:\ drive, you would run the
command manage-bde -protectors -add C: -TPMAndPINAndStartupKey -tsk E:.
8. On the Save The Recovery Password page, choose the destination (a USB drive, a local
or remote folder, or a printer) to save your recovery password. The recovery password
is a small text file containing brief instructions, a drive label and password ID, and
the 48-digit recovery password. Save the password and the recovery key on separate
devices and store them in different locations. Click Next.
9. On the Encrypt The Volume page, select the Run BitLocker System Check check box
and click Continue if you are ready to begin encryption. Click Restart Now. Upon
rebooting, BitLocker ensures that the computer is fully compatible and ready to be
encrypted.
10. BitLocker displays a special screen confirming that the key material was loaded.
Now that this has been confirmed, BitLocker begins encrypting the C:\ drive after
Windows 7 starts, and BitLocker is enabled.
BitLocker encrypts the drive in the background so that you can continue using the
computer.
How to Manage BitLocker Keys on a Local Computer
To manage keys on the local computer, follow these steps:
1. Open Control Panel and click the System And Security link. Under BitLocker Drive
Encryption, click the Manage BitLocker link.
2. In the BitLocker Drive Encryption window, click Manage BitLocker.
Using this tool, you can perform the following actions (which vary depending on the
authentication type chosen):
■ Save Or Print Recovery Key Again Provides the following options:
• Save The Recovery Key To A USB Flash Drive
• Save The Recovery Key To A File
• Print The Recovery Key
■ Duplicate The Startup Key When you use a USB startup key for authentication, this
allows you to create a second USB startup key with an identical key.
■ Reset The PIN When you use a PIN for authentication, this allows you to change
the PIN.
To manage BitLocker from an elevated command prompt or from a remote computer,
use the Manage-bde tool, which replaces the Manage-bde.wsf script in Windows Vista.
For example, to view the current BitLocker configuration, run manage-bde -status. The
following example demonstrates the configuration of a computer with one decrypted data
drive and one encrypted system drive:
manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [Flash]
[Data Volume]

    Size:                 0.12 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume C: []
[OS Volume]

    Size:                 126.90 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        External Key
        Numerical Password
For detailed information about how to use Manage-bde, run manage-bde -? at
a command prompt.
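Because manage-bde prints a report rather than objects, a compliance check over many computers needs to parse that text. The following parser is an added example, not from the book: it turns the "Label: value" layout shown above into objects, collects the key protector names listed under Key Protectors, and reports every volume whose Protection Status is not "Protection On". The sample text is constructed to mirror the listing above, not captured from a real machine; for live use pass it the output of manage-bde -status from an elevated prompt.

```powershell
# Added example (not from the book): parse manage-bde -status output into objects and
# flag volumes that are not protected.
# Assumptions: field labels follow the "Label: value" form shown in the listing; the
# sample below is constructed, not real output.

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Volume\s+([A-Z]:)\s*\[(.*)\]$') {
            # Start of a volume block, e.g. "Volume C: []"
            $current = New-Object PSObject -Property @{ Drive = $matches[1]; Label = $matches[2] }
            $volumes += $current
            $lastKey = $null
        } elseif ($current -and $t -match '^\[(.+)\]$') {
            # "[OS Volume]" / "[Data Volume]"
            $current | Add-Member NoteProperty VolumeType $matches[1]
        } elseif ($current -and $t -match '^([^:]+):\s*(.*)$') {
            # "Protection Status: Protection On" -> property ProtectionStatus
            $name = $matches[1] -replace '\s', ''
            $current | Add-Member NoteProperty $name $matches[2].Trim()
            $lastKey = $name
        } elseif ($current -and $lastKey -eq 'KeyProtectors' -and $t -ne '') {
            # Protector names are listed one per line under "Key Protectors:"
            if ($current.KeyProtectors) { $current.KeyProtectors += ', ' + $t }
            else { $current.KeyProtectors = $t }
        }
    }
    return $volumes
}

function Get-UnprotectedVolumes([string[]]$Lines) {
    ConvertFrom-ManageBdeStatus $Lines | Where-Object { $_.ProtectionStatus -ne 'Protection On' }
}

# Constructed sample shaped like the listing in the lesson (not real output)
$sample = @'
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [Flash]
[Data Volume]

    Size:                 0.12 GB
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found

Volume C: []
[OS Volume]

    Size:                 126.90 GB
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        External Key
        Numerical Password
'@ -split "`r?`n"

ConvertFrom-ManageBdeStatus $sample | Format-Table Drive, VolumeType, ProtectionStatus, KeyProtectors -AutoSize
"Unprotected:"
Get-UnprotectedVolumes $sample | Format-Table Drive, Label, VolumeType -AutoSize

# Live use from an elevated prompt:
#   Get-UnprotectedVolumes (manage-bde -status)
```

On the sample, only E: is reported as unprotected, and C: shows its two protectors as "External Key, Numerical Password". Checking the KeyProtectors property is also a quick way to confirm that a recovery password (Numerical Password) actually exists for every encrypted OS volume before it is needed.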
How to Recover Data Protected by BitLocker
When you use BitLocker to protect the system partition, the partition will be locked if the
encryption key is not available, causing BitLocker to enter recovery mode. Likely causes of the
encryption key not being available include:
■ One of the boot files is modified.
■ BIOS is modified and the TPM disabled.
■ The TPM is cleared.
■ An attempt is made to boot without the TPM, PIN, or USB key being available.
■ The BitLocker-encrypted disk is moved to a new computer.
After the drive is locked, you can boot only to recovery mode, as shown in Figure 4-16.
On most keyboards, you can use the standard number keys from 0–9. However, on some
non-English keyboards, you need to use the function keys by pressing F1 for the digit 1, F2
for the digit 2, and so on, with F10 being the digit 0.
FIGURE 4-16 Gaining access to a BitLocker-encrypted drive by typing a 48-character recovery password
If you have the recovery key on a USB flash drive, you can insert the recovery key and
press the Esc key to restart the computer. BitLocker reads the recovery key automatically
during startup.
If you cancel out of recovery, the Windows Boot Manager might provide instructions for
using Startup Repair to fix a startup problem automatically. Do not follow these instructions;
Startup Repair cannot access the encrypted volume. Instead, restart the computer and enter
the recovery key.
As a last resort, you can use the BitLocker Repair Tool (Repair-bde) to help recover data
from an encrypted volume. The BitLocker Repair Tool was a separate download for earlier
versions of Windows, but it is included in Windows 7 and Windows Server 2008 R2.
You can use the BitLocker Repair Tool to copy the decrypted contents of an encrypted
volume to a different volume. For example, if you have used BitLocker to protect the D:\ data
volume and the volume has become corrupted, you might be able to use the BitLocker Repair
Tool to decrypt the contents and copy them to the E:\ volume, if you can provide a recovery
key or password. The following command would attempt this:
repair-bde D: E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
You can also attempt to repair a volume without copying the data by using the
-NoOutputVolume parameter, as the following command demonstrates:
repair-bde C: -NoOutputVolume -RecoveryKey D:\RecoveryKey.bek
If the system volume becomes corrupted, you can start Windows 7 Setup from the
Windows 7 DVD, start the repair tools, and open a command prompt to run the BitLocker
Repair Tool. Alternatively, you could attempt to mount the volume to a different computer
and run the BitLocker Repair Tool.
NOTE BACKING UP ENCRYPTED DRIVES
Because it can be difficult or impossible to recover a corrupted BitLocker-protected
drive, it’s especially important to back up BitLocker-protected drives regularly. Note,
however, that your backups might not be encrypted by default. This applies to system
image backups, as well. Although system image backups make a copy of your entire disk,
BitLocker functions at a lower level than system image backups. Therefore, when system
image backup reads the disk, it reads the BitLocker-decrypted version of the disk.
How to Disable or Remove BitLocker Drive Encryption
Because BitLocker intercepts the boot process and looks for changes to any of the early boot
files, it can cause problems in the following nonattack scenarios:
■ Upgrading or replacing the motherboard or TPM
■ Installing a new operating system that changes the master boot record or the boot
manager
■ Moving a BitLocker-encrypted disk to another TPM-enabled computer
■ Repartitioning the hard disk
■ Updating the BIOS
■ Third-party updates that occur outside the operating system (such as hardware
firmware updates)
To avoid entering BitLocker recovery mode, you can disable BitLocker temporarily, which
allows you to change the TPM and upgrade the operating system. When you
re-enable BitLocker, the same encryption keys will be used. You can also choose to decrypt
the BitLocker-protected volume, which will completely remove BitLocker protection. You
can re-enable BitLocker only by repeating the process to create new keys and re-encrypt the
volume.
To disable BitLocker temporarily or decrypt the BitLocker-protected volume permanently,
perform these steps:
1. Log on to the computer as Administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. Click Suspend Protection for the volume that has BitLocker enabled to use a clear key.
To remove BitLocker completely, click Turn Off BitLocker.
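The command-line equivalents of these Control Panel actions, wrapped for use in a maintenance script, as an added example that is not from the book. Suspend before the reboot that applies a BIOS or firmware update, and resume once the computer has started on the new firmware; resuming before that reboot would defeat the purpose, since the measurements the TPM sees at the next start are what must be accepted. It assumes an elevated prompt, the in-box manage-bde.exe, and that protectors stay disabled until explicitly re-enabled, which is the Windows 7 behaviour the text above describes.

```powershell
# Added example (not from the book): suspend, resume and remove BitLocker protection with
# manage-bde, with exit-code checks so a script notices when a step did not apply.
# Assumptions: run elevated; manage-bde.exe is the in-box tool; the drive is the OS volume.

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $out = & manage-bde @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE): $out"
    }
    return $out
}

function Suspend-BitLockerProtection([string]$Drive = "C:") {
    # Keys stay in place; the volume is unlocked with a clear key until resumed
    # (the Control Panel "Suspend Protection" action).
    Invoke-ManageBde @("-protectors", "-disable", $Drive) | Out-Null
}

function Resume-BitLockerProtection([string]$Drive = "C:") {
    # Re-enables the existing protectors; no new keys and no re-encryption.
    Invoke-ManageBde @("-protectors", "-enable", $Drive) | Out-Null
}

function Remove-BitLockerProtection([string]$Drive = "C:") {
    # Full decryption (the Control Panel "Turn Off BitLocker" action); turning
    # BitLocker on again later means new keys and re-encrypting the whole volume.
    Invoke-ManageBde @("-off", $Drive) | Out-Null
}

function Get-ProtectionState([string]$Drive = "C:") {
    foreach ($line in (Invoke-ManageBde @("-status", $Drive))) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $matches[1].Trim() }
    }
    return "Unknown"
}

# Before the update and its reboot:
Suspend-BitLockerProtection "C:"
"Protection now: $(Get-ProtectionState 'C:')"    # expect 'Protection Off'
# <apply the BIOS/firmware update, then restart the computer>

# After the computer has started on the new firmware:
Resume-BitLockerProtection "C:"
"Protection now: $(Get-ProtectionState 'C:')"    # expect 'Protection On'
```

Reading the state back after each step is the check a practitioner wants: a suspend that silently did not apply leaves the next boot in recovery mode, and a resume that did not apply leaves the volume readable with a clear key.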
Troubleshooting BitLocker Problems
Several common BitLocker problems are actually “features.” The problems occur because
BitLocker is designed to provide protection from specific types of attacks. Often these
legitimate uses resemble attacks and cause BitLocker to refuse to allow the computer to start
or the BitLocker encryption to prevent you from accessing files:
■ The operating system fails to start in a dual-boot configuration You can dual-boot
a computer after enabling BitLocker. However, the second operating system instance
must be configured on a different partition. You cannot dual-boot to a second
operating system installed on the same partition.
■ The operating system fails to start if you move the hard disk to a different
computer BitLocker is designed to protect data from offline attacks, such as attacks
that bypass operating system security by connecting the hard disk to a different
computer. The new computer will be unable to decrypt the data (even if it has a TPM
chip in it). Before moving a BitLocker-encrypted disk to a different computer, disable
BitLocker. Re-enable BitLocker after transferring the disk. Alternatively, you can use the
recovery key to start Windows after moving the hard disk to the new computer.
■ The data on the hard disk is unreadable using standard disk recovery tools For
the same reasons stated in the previous bullet point, BitLocker files are unreadable
using standard disk recovery tools. Someday recovery tools that support decrypting
BitLocker files using a recovery key might be available. As of the time of this writing,
your only opportunity for recovering BitLocker encrypted files is to start Windows 7
using the BitLocker recovery key. For this reason it is very important to regularly back
up BitLocker-encrypted volumes.
PRACTICE Encrypt and Recover Encrypted Data
In this practice, you simulate the recovery of a lost EFS encryption certificate.
EXERCISE 1 Encrypt Data
In this exercise, you encrypt a file. Windows 7 automatically generates an EFS key if you don’t
already have one.
1. Log on to a computer running Windows 7 as a standard user.
2. Create a file named Encrypted.txt in your Documents folder.
3. Right-click the Encrypted.txt file, and then click Properties.
4. On the General tab of the Properties dialog box, click Advanced.
5. Select the Encrypt Contents To Secure Data check box, and then click OK twice.
6. In the Encryption Warning dialog box, select Encrypt The File Only, and then click OK.
Notice that Windows Explorer displays the Encrypted.txt file in green.
7. Double-click the Encrypted.txt file to open it in Microsoft Notepad. Then add the text
“This file is encrypted.” Save the file and close Notepad.
8. Double-click the file to verify that you can open it, and then close Notepad again.
Now you have encrypted a file, and no user can access it without your EFS key.
EXERCISE 2 Back Up an EFS Key
In Exercise 1, you encrypted a file. In this exercise, you back up the EFS key that was generated
automatically when you encrypted the file. Then you delete the original key and determine
whether you can access the EFS-encrypted file. To complete this practice, you must have
completed Exercise 1.
1. Click Start, and then click Control Panel.
2. Click the User Accounts link twice.
3. In the left pane, click the Manage Your File Encryption Certificates link.
The Encrypting File System Wizard appears.
4. On the Manage Your File Encryption Certificates page, click Next.
5. On the Select Or Create A File Encryption Certificate page, leave the default certificate
(your EFS certificate) selected, and then click Next.
6. On the Back Up The Certificate And Key page, click Browse and select the Documents
folder. For the file name, type EFS-cert-backup.pfx. Click Save, and then type
a complex password in the Password and Confirm Password fields. Click Next.
7. If the Update Your Previously Encrypted Files page appears, leave all check boxes
cleared and then click Next.
8. On the Encrypting File System page, click Close.
9. In Windows Explorer, open your Documents folder and verify that the EFS certificate
was exported correctly.
Now that you have backed up your EFS key, you can lose it safely. Simulate a corrupted
or lost key by following these steps to delete it:
10. Click Start, type mmc, and then press Enter to open a blank MMC.
11. Click File, and then click Add/Remove Snap-in.
12. Select Certificates and click Add.
13. Select My User Account, and then click Finish.
14. Click OK.
15. Expand Certificates – Current User, expand Personal, and then select Certificates.
16. In the middle pane, right-click your EFS certificate, and then click Delete.
17. In the Certificates dialog box, click Yes to confirm that you want to delete the
certificate.
18. Log off the current desktop session and then log back on. Windows 7 caches the user’s
EFS certificate. Thus, if you remained logged on, you would still be able to open your
encrypted file.
19. Open the Documents folder and double-click the Encrypted.txt file. Notepad should
appear and display an “Access is denied” error message. This indicates that the file is
encrypted but you don’t have a valid EFS certificate.
EXERCISE 3 Recover Encrypted Data
In this exercise, you recover a lost EFS key and use it to access encrypted data. To complete
this exercise, you must have completed Exercises 1 and 2.
1. In the Documents folder, double-click the EFS-cert-backup.pfx file that you created in
Exercise 2.
The Certificate Import Wizard appears.
2. On the Welcome To The Certificate Import Wizard page, click Next.
3. On the File To Import page, click Next.
4. On the Password page, type the password you assigned to the certificate. Then click
Next.
5. On the Certificate Store page, click Next.
6. On the Completing The Certificate Import Wizard page, click Finish.
7. Click OK to confirm that the import was successful.
8. Open the Documents folder and double-click the Encrypted.txt file. Notepad should
appear and display the contents of the file, indicating that you successfully recovered
the EFS key and can now access encrypted files.
Lesson Summary
■ Use EFS to encrypt individual files and folders. Because encrypted files are unavailable
if the user loses his or her EFS certificate, it’s important to have a backup EFS certificate
and a recovery key. In environments where multiple users log on to a single computer,
you can grant multiple users access to EFS-encrypted files.
■ Use BitLocker to encrypt the entire system volume. If available, BitLocker makes use of
TPM hardware to seal the encryption key. BitLocker then works with the TPM hardware
during computer startup to verify the integrity of the computer and operating system.
If TPM hardware is available, you can optionally require the user to insert a USB flash
drive with a special key or type a password to gain access to the BitLocker-encrypted
volume. BitLocker is disabled by default on computers without TPM hardware, but you
can enable BitLocker without TPM hardware by using Group Policy settings. If TPM
hardware is not available, users are required to insert a USB flash drive or a recovery
key to start Windows 7.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 3,
“Using Encryption to Control Access to Data.” The questions are also available on the companion
CD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong
are located in the “Answers” section at the end of the book.
1. Which tool would you use to back up an EFS certificate?
A. BitLocker Drive Encryption
B. Computer Management
C. Certificates
D. Services
2. In the Certificates console, which node would you access to back up the DRA
certificate?
A. Certificates – Current User\Personal\Certificates
B. Certificates – Current User\Active Directory User Object
C. Certificates (Local Computer)\Personal\Certificates
D. Certificates (Local Computer)\Active Directory User Object
3. Which of the following configurations does BitLocker support? (Choose all that apply.)
A. Use BitLocker with a TPM but without additional keys
B. Use BitLocker with a TPM and require a PIN at every startup
C. Use BitLocker without a TPM and require a PIN at every startup
D. Use BitLocker without a TPM and require a USB key at every startup
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the
following tasks:
■ Review the chapter summary.
■ Review the list of key terms introduced in this chapter.
■ Complete the case scenarios. These scenarios set up real-world situations involving the
topics of this chapter and ask you to create a solution.
■ Complete the suggested practices.
■ Take a practice test.
Chapter Summary
■ Authentication is the process of identifying a user and validating the user’s identity.
To troubleshoot authentication problems, first verify that the user does not have
a logon restriction, such as a locked-out account, an expired password, or a disabled
account. If you need to monitor authentication errors, enable failure auditing for
Account Logon Events and then examine the Security event log. If a computer account
becomes untrusted, you can either leave and rejoin the domain or reestablish the trust
with the Netdom tool.
■ Internet Explorer is one of the most important tools in Windows because it provides
users access to Web applications and the Internet. Therefore, it’s vital that you know
how to configure Internet Explorer and troubleshoot common problems. Historically,
many users have experienced problems with add-ons, which extend Internet Explorer’s
capabilities but also have the potential to behave unreliably or maliciously. Fortunately,
Internet Explorer gives administrators complete control over which add-ons can
be installed, as well as the capability to quickly start Internet Explorer without any
add-ons. To reduce security risks when using Internet Explorer, Protected Mode runs
Internet Explorer as a low-integrity process (see Mandatory Integrity Control in the key
terms), so it cannot write to most of the user’s profile or to the system. If a Web page,
Internet Explorer, an add-on, or any process launched from within Internet Explorer
requires elevated privileges, the user must approve the elevation before Internet
Explorer can take the action. To provide privacy and authentication, many Web sites
use SSL certificates. Therefore, it’s vital that you understand the causes of common
certificate problems and how to fix them.
■ Encryption protects data even if an attacker bypasses operating system security, for
example by starting the computer from other media or moving the disk to another
computer. Windows 7 includes two encryption technologies: EFS and BitLocker. EFS
encrypts individual files and folders, while BitLocker encrypts entire volumes, including
the operating system volume. If a user loses the key, the user cannot access the
encrypted data. Therefore, it is important to maintain EFS data recovery agents and
BitLocker recovery keys, as well as data backups. To manage BitLocker from a command
prompt, use the Manage-bde tool. To repair a damaged BitLocker volume from a command
prompt, use the Repair-bde tool.
Key Terms
Do you know what these key terms mean? You can check your answers by looking up the
terms in the glossary at the end of the book.
■ ActiveX
■ BitLocker Drive Encryption
■ Encrypting File System (EFS)
■ Mandatory Integrity Control (MIC)
■ Multifactor Authentication
■ Protected Mode
■ Protected Mode Compatibility Layer
■ Rootkit
Case Scenarios
In the following case scenarios, you apply what you’ve learned about subjects of this chapter.
You can find answers to these questions in the “Answers” section at the end of this book.
Case Scenario 1: Recommend Data Protection Technologies
You are a desktop support technician at Wingtip Toys. Recently, Adina Hagege, your
organization’s CEO, stopped you in the hallway to ask a couple of quick questions.
Questions
Answer the following questions for your CEO:
1. “Can you give me a quick second opinion about something? I travel almost constantly,
and I keep the company financials and all the plans for our new toys on my laptop. The
IT department says they have file permissions set up so that only I can view these files.
Is that good enough to protect me if someone steals my laptop?”
2. “Is there some way I can protect my data even if my laptop is stolen? What are my
options?”
3. “Sometimes I share files with people across the network. Which of those technologies
will allow me to share files this way?”
Case Scenario 2: Unwanted Internet Explorer Add-On
You are a systems administrator for Humongous Insurance. Recently, one of your brokers
called the support desk because he was experiencing odd problems when using Internet
Explorer. Specifically, his home page had changed and the pop-up blocker no longer seemed
to be working.
Your manager is concerned that this will be more than an isolated incident and asks you
to interview key people and then come to his office to make recommendations about how to
deal with this type of problem in the future.
Interviews
Following is a list of company personnel interviewed and their statements:
■ David Barber, Broker “I had installed an add-on because it said it would make
browsing the Web faster. I didn’t notice any improvement. After that, though, my
Internet Explorer home page changed and I began to get a lot of advertisements
popping up on my screen.”
■ Julian Price, Internet Development Project Manager “We recently converted all of
our internal software to the ASP.NET Web application platform. To do some of the
more complicated stuff, we install custom client-side add-ons in Internet Explorer.
So, whatever you do, don’t block all add-ons. We use add-ons internally, and we update
them regularly, so we really need users to be able to install the add-ons automatically.”
Questions
Answer the following questions for your manager:
1. If this comes up again, what’s the best way to remove the unwanted add-on?
2. Are there any features enabled by default in Windows 7 that protect users from
unwanted add-ons? What are they?
3. What’s the best way to prevent unwanted add-ons in the future?
Suggested Practices
To help you master the exam objectives presented in this chapter, complete the following
tasks.
Identify and Resolve Logon Issues
For this task, you should complete both practices.
■ Practice 1 Visit http://social.answers.microsoft.com/Forums/en-US/categories
and browse the Security, Privacy, And User Accounts newsgroup. Read the posts to
determine how administrators solved authentication problems.
■ Practice 2 On your production computer, enable success and failure auditing for the
Audit Logon Events policy. Leave this enabled for several days, and then analyze the
audit events in the Security event log to identify the types of events that are added
during normal computer usage.
Identify and Resolve Encryption Issues
For this task, you should complete Practice 1. If you want a better understanding of BitLocker,
complete Practices 2 and 3.
■ Practice 1 In a domain environment, use EFS to encrypt a file. Then, copy the domain
DRA key to that computer and use a different account to recover the encrypted file.
■ Practice 2 Enable BitLocker Drive Encryption on a computer running Windows 7.
Then, search the Internet for a free .ISO file for a bootable operating system and
burn the .ISO file to a CD or DVD. Restart the computer from the bootable media and
attempt to view files on the BitLocker-protected volume.
■ Practice 3 Enable BitLocker Drive Encryption on a computer running Windows 7.
Then, connect the hard disk to a different computer and attempt to load Windows.
When prompted, provide the recovery key.
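Practices 1 to 3 above, and the encryption bullet in the chapter summary, can each be checked from a command prompt. The following PowerShell 2.0 script is an added example and is not from the training kit. It assumes an elevated prompt on Windows 7; the drive letters, file paths and the 48-digit recovery password are placeholders. Importing the DRA .pfx is done here with the .NET certificate classes rather than the Certificates snap-in described earlier in the chapter; the result in the store is the same.

```powershell
# Added example (not from the training kit): command-line checks for the
# EFS and BitLocker practices. Paths, drive letters and the recovery password
# are placeholders. Run from an elevated PowerShell 2.0 prompt on Windows 7.

# ---- Practice 1: recover an EFS file with the domain DRA ----
# Show who can decrypt the file: the owner's certificate plus any recovery
# agent. The DRA thumbprint printed here must match a certificate whose
# private key is available to the account doing the recovery.
cipher /c C:\Finance\plans.docx

# Import the DRA certificate and private key (.pfx) into the recovery
# account's Personal store. UserKeySet keeps the key out of the machine store;
# PersistKeySet keeps it usable after this session.
$pfxPath     = 'D:\keys\EFSDRA.pfx'                    # placeholder: where the .pfx was copied
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
$dra   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite'); $store.Add($dra); $store.Close()

# Verify before trying to decrypt: the thumbprint cipher /c listed must be in
# the store with HasPrivateKey = True. A certificate without its key is the
# usual reason recovery "silently" fails with Access Denied.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $dra.Thumbprint } |
    Format-List Subject, Thumbprint, HasPrivateKey, NotAfter

cipher /d C:\Finance\plans.docx        # decrypt as the recovery account

# Remove the DRA from this computer when finished. Note that removing the
# store entry does not delete the CAPI key container on disk.
$store.Open('ReadWrite'); $store.Remove($dra); $store.Close()

# ---- Practices 2 and 3: BitLocker protectors and recovery ----
manage-bde -status C:                  # conversion state, protection on/off, key protectors
manage-bde -protectors -get C:         # TPM, TPM+PIN, startup key, numerical (recovery) password

# A TPM protector is bound to the original motherboard, so Practice 3 (disk
# moved to another computer) only works if a recovery password exists and is
# stored somewhere other than the laptop. Add one and print it for escrow.
manage-bde -protectors -add C: -RecoveryPassword
manage-bde -protectors -get C: -Type RecoveryPassword

# On the second computer the volume appears as E: and is locked. Unlock it
# with the recovery password (or a .bek startup key), then it can be read.
manage-bde -unlock E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
# manage-bde -unlock E: -RecoveryKey D:\keys\startup.bek

# If the volume metadata is damaged and -unlock fails, Repair-bde copies the
# decrypted contents to an empty volume F: (F: is overwritten).
repair-bde E: F: -rp 111111-222222-333333-444444-555555-666666-777777-888888
```

For Practice 2 the expected result is that the bootable CD sees only ciphertext on the BitLocker volume; if it can read files, check manage-bde -status, because a volume whose protection is suspended ("Protection Off") is stored with a clear key and is not protected.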
Identify and Resolve Windows Internet Explorer Security Issues
For this task, you should complete at least Practices 1 through 3. If you want in-depth
knowledge of how Internet Explorer handles both legitimate and malicious changes,
complete Practice 4 as well.
■ Practice 1 On your day-to-day computer, open Internet Explorer and view the
Manage Add-Ons dialog box. Examine the different add-ons that are already installed.
■ Practice 2 Start Internet Explorer with add-ons disabled. Browse to your favorite Web
sites and notice any differences caused by the missing add-ons.
■ Practice 3 On your day-to-day computer, use Explorer to browse
%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\ and its
subfolders. The folder is hidden, so you will need to type the full path. Make note of
the applications that the Internet Explorer compatibility layer has virtualized and the
types of files that were virtualized.
■ Practice 4 Perform a fresh installation of Windows 7 on a computer used only
for testing. Browse to your favorite Web sites and notice how the Information
Bar, Protected Mode, and UAC work together to protect the user from potentially
unwanted add-ons. Next, use Internet Explorer to browse to potentially dangerous
Web sites that might try to install malicious software and view how Internet Explorer
responds (Hint: search for combinations of words such as “crack,” “hack,” “warez,”
and “serials”).
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test
yourself on just one exam objective, or you can test yourself on all the 70-685 Certification
exam content. You can set up the test so that it closely simulates the experience of taking
a Certification exam, or you can set it up in study mode so that you can look at the correct
answers and explanations after you answer each question.
MORE INFO PRACTICE TESTS
For details about all the practice test options available, see the section entitled “How to
Use the Practice Tests,” in the Introduction to this book.