Encrypting File System

FIGURE 8.5 Encrypting a file with EFS. (1) A symmetric key is created. (2) The data is encrypted with the symmetric key. (3) The symmetric key is encrypted with the user's public key. (4) The encrypted symmetric key is stored in the file's data decryption field (DDF).

The symmetric key is stored with the file so that the file can be decrypted when necessary. Since it is stored with the file, it needs to be protected. The symmetric key is encrypted with the user's public key (step 3) and then stored in the data decryption field of the file (step 4).

Figure 8.6 shows the process when a file is opened and decrypted. When the user attempts to open the file, the user's EFS certificate and the private key associated with it are accessed (step 1). The encrypted symmetric key is retrieved from the DDF (step 2). Note that the data is still encrypted at this point. The user's private key is then used to decrypt the symmetric key (step 3). With the symmetric key decrypted, it can then be used to decrypt the data (step 4).

At the core of this process is the user's private key, which belongs to the user's EFS certificate. Once a user logs on, she will have automatic access to the certificate. If another user attempts to open the file, he won't have access to the first user's certificate and the private key. Without the private key, the data can't be decrypted.

Although you may occasionally read that EFS-protected data is compromised, it's not because the EFS encryption is hacked. Instead, a user's password is guessed or hacked. Once the user's password is known, anyone can log on as that user and gain automatic access to EFS-protected files. Using strong passwords can go a long way toward protecting users' accounts and EFS-protected data. Note that knowing the password and resetting it are different things: the EFS private key is protected by a DPAPI master key derived from the user's password, so an administrator who resets a local user's password (rather than the user changing it) does not thereby gain access to that user's EFS files.
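The following PowerShell script is an added example, not code from the book or from Windows itself. It models the envelope of Figures 8.5 and 8.6 (and the data recovery field covered later in this section) with .NET's AES and RSA classes so the key flow can be traced end to end: one symmetric key per file, wrapped once for the owner (the DDF) and once for the recovery agent (the DRF), and unwrappable only by a matching private key. The in-memory keys, the names Alice, DRA and Mallory, and the function names are assumptions made for the demonstration; real EFS keeps each private key in the user's certificate store and uses its own on-disk layout.

```powershell
# Added example (not from the book): models EFS's hybrid envelope with .NET crypto.
# Assumed/hypothetical: in-memory RSA keys and the function names below. Real EFS keeps
# each private key in the user's certificate store and uses its own file format.
# OaepSHA1 is used because the Windows CSP in Windows PowerShell 5.1 supports only PKCS#1 and OAEP-SHA1;
# prefer OaepSHA256 where the runtime allows it.
$Pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function New-EfsIdentity {
    param([string]$Name)
    # Stands in for an EFS certificate plus its private key (Windows CSP; 2048-bit).
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
    [pscustomobject]@{ Name = $Name; Rsa = $rsa }
}

function Protect-EfsFile {
    param([byte[]]$Plaintext, $Owner, $RecoveryAgent)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()                                     # step 1: symmetric key (the file encryption key)
    $aes.GenerateIV()
    $enc    = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)   # step 2: data under the symmetric key
    $ddf    = $Owner.Rsa.Encrypt($aes.Key, $Pad)           # steps 3-4: symmetric key under owner's public key -> DDF
    $drf    = $null
    if ($RecoveryAgent) {                                  # same symmetric key under the DRA's public key -> DRF
        $drf = $RecoveryAgent.Rsa.Encrypt($aes.Key, $Pad)
    }
    $file = [pscustomobject]@{ Cipher = $cipher; IV = $aes.IV; DDF = $ddf; DRF = $drf }
    $aes.Dispose()                                         # the clear symmetric key is not kept anywhere
    return $file
}

function Unprotect-EfsFile {
    param($File, $Identity)
    $fek = $null
    foreach ($field in @($File.DDF, $File.DRF)) {          # try the DDF first, then the DRF
        if (-not $field) { continue }
        try   { $fek = $Identity.Rsa.Decrypt($field, $Pad); break }
        catch { }                                          # CryptographicException: wrong private key for this field
    }
    if (-not $fek) {
        throw "$($Identity.Name) holds neither the owner's nor the DRA's private key; data stays encrypted."
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Cipher, 0, $File.Cipher.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed demonstration data.
$alice   = New-EfsIdentity 'Alice'      # file owner
$dra     = New-EfsIdentity 'DRA'        # designated data recovery agent
$mallory = New-EfsIdentity 'Mallory'    # any other user
$data    = [System.Text.Encoding]::UTF8.GetBytes('R&D project notes')

$efsFile = Protect-EfsFile -Plaintext $data -Owner $alice -RecoveryAgent $dra
"Owner reads: {0}" -f (Unprotect-EfsFile $efsFile $alice)
"DRA reads:   {0}" -f (Unprotect-EfsFile $efsFile $dra)
try   { Unprotect-EfsFile $efsFile $mallory }
catch { "Other user: $($_.Exception.Message)" }
```

Mallory's failure is the whole point of the design: the file itself never carries the symmetric key in the clear, so possessing the ciphertext and the DDF is useless without a private key that one of the fields was wrapped for. It also shows why the section on DRAs matters: the DRF is a second, equally powerful copy of the same key.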
93157c08.indd 381 8/8/08 9:46:56 AM
Chapter 8 Planning Windows Server 2008 Security

FIGURE 8.6 Decrypting a file with EFS. (1) The user's private key is retrieved from the user's EFS certificate. (2) The encrypted symmetric key is retrieved from the DDF. (3) The symmetric key is decrypted with the user's private key. (4) The data, which was encrypted with the symmetric key, is decrypted.

Recovering EFS-Encrypted Files

Since the EFS keys are stored as part of the operating system, you can lose access to the keys if you install a new operating system after a failure. The primary protection against this data loss is to ensure you have a backup of your certificate and encryption keys. If you have a backup of your certificate, then you can import your certificate into the new operating system and use it to decrypt the files encrypted in the previous operating system.

Backing Up Your EFS Certificate

You can export your certificate, together with its private key, and then store it on removable media such as a USB flash drive or CD-ROM. When you need to recover EFS files (such as after a server's operating system is rebuilt), you can import the certificate into the certificate store. Exercise 8.4 shows the steps involved in exporting your EFS certificate. These steps assume there is a certificate to export. Remember, the certificate is created the first time you encrypt a file or folder. If you haven't done so with your current account, do so now.

EXERCISE 8.4 Exporting Your EFS Certificate

1. Launch a Microsoft Management Console (MMC) by clicking Start and entering MMC in the Start Search box.
2. Press Ctrl+M to add a snap-in.
3. In the Available Snap-ins section, select Certificates, and click Add.
4. On the Certificates Snap-in page, ensure My User Account is selected, and click Finish.
5. In the Add or Remove Snap-ins page, click OK.
6. In the Certificates console, browse to Certificates > Personal > Certificates.
Select the certificate with the Intended Purpose of Encrypting File System. Right-click the certificate, and view the All Tasks selections. Your view will look similar to the following graphic.
7. Select Export from the All Tasks menu. On the Welcome to the Wizard page, click Next.
8. On the Export Private Key page, select Yes, Export the Private Key, and then click Next.
9. On the Export File Format page, Personal Information Exchange - PKCS #12 (.PFX) will be selected. Select the Export All Extended Properties check box. Leave all the other check boxes unchecked. Click Next.
10. On the Password page, enter the password of P@ssw0rd in the Password and Confirm Password boxes. You can also choose your own password. Click Next.
11. On the File to Export page, click the Browse button. In the Save As dialog box, select Browse Folders (on the bottom left) if the folders aren't visible. Browse to the root of C:\ (or another folder of your choosing). Enter EFSExportCert in the File Name text box, and click Save.
12. Back on the File to Export page, click Next.
13. On the Completing the Wizard page, review the information, and click Finish. A Certificate Export Wizard dialog box will appear indicating the export was successful.

You can now copy the certificate to a floppy, USB flash drive, or CD so that it can be stored in a safe place. Because the .pfx file contains the private key, anyone who obtains the file and its password can decrypt your EFS files; the password chosen in step 10 is the only thing protecting it, so outside this exercise use a strong one and keep the media locked up.

Importing Your EFS Certificate

If you have to rebuild your server's operating system, you won't have access to the files that were encrypted in the original operating system unless you have access to the original key. If you have a backup of your EFS certificate, you can import the certificate, and you will then have access to your EFS files. Exercise 8.5 shows the steps involved in importing your EFS certificate. These steps assume you have completed Exercise 8.4.

EXERCISE 8.5 Importing Your EFS Certificate

1.
Launch the Certificate Manager by clicking Start and entering certmgr.msc in the Start Search box.
2. In the Certificates console, browse to Certificates > Personal. Right-click the Certificates container, and view the All Tasks selections. Your display will look similar to the following figure.
3. Select Import to launch the Certificate Import Wizard.
4. On the Welcome to the Wizard page, click Next.
5. On the File to Import page, browse to the file location where you exported the certificate in Exercise 8.4.
6. Change the extension that the system is looking for by selecting the drop-down box above the Open button. Select Personal Information Exchange (*.pfx, *.p12), as shown in the following graphic.
7. Select your certificate, and click Open.
8. Back on the File to Import page, click Next.
9. On the Password page, enter P@ssw0rd (or the alternate password you may have chosen). Select the Mark This Key as Exportable check box. Notice that you can also enable strong private key protection from this page. Click Next.
10. On the Certificate Store page, accept the default to place all certificates in the following store (with the Personal certificate store shown). Click Next.
11. On the Completing the Wizard page, click Finish.
12. A dialog box will appear indicating that the import was successful.

Data Recovery Agent

Imagine this: I work at your company, and I've been working on some research and development projects. All the data is stored on a server and protected using EFS, and I'm the only user who has access to the data. Then, a wonderful thing happens. I win the lottery! Woo hoo! Somehow I forget about these project files and start a vacation that ultimately lasts several months. In the meantime, you're trying to access these files that can be accessed using only my private key. But since you don't have my private key, you can't access the files.
For many companies, this is unacceptable. A back door to the data is needed. The data recovery agent (DRA) is the back door. A data recovery agent is a designated person who has the ability to open encrypted files.

Figure 8.7 shows an EFS-protected file with a data recovery field (DRF). The data recovery field is similar to the data decryption field. It holds an encrypted version of the symmetric key used to encrypt the data. The difference is that this copy of the symmetric key is encrypted with the DRA's public key and can be decrypted only with the DRA's private key.

FIGURE 8.7 DRF within an EFS-protected file. The file holds the encrypted data, the data decryption field (DDF), and the data recovery field (DRF).

Someone responsible is designated as the data recovery agent. From then on, any files that are encrypted include a DRF. The DRA is then able to access any of those files using the private key that belongs to the DRA's certificate. Files that were encrypted before the DRA was designated do not automatically gain a DRF; run cipher.exe /u to update the recovery keys on existing encrypted files. A new feature available within Windows Server 2008 is the ability to embed a DRA's certificate onto a smart card.

Key Recovery Agent

A key recovery agent (KRA) is similar to a data recovery agent. The difference is that the KRA can recover private keys, while the DRA is used to recover data. When key recovery is implemented, private keys are stored in a key archival data store. If a user's private key becomes lost or damaged, the KRA can retrieve the private key from the store and return it to the user. Recovered keys can also be issued to other users who will act on behalf of the original user.

KRA vs. DRA

In any organization, you can implement a key recovery agent, a data recovery agent, both, or neither. What is done is largely subjective. The existence of either a DRA or a KRA creates a back door to retrieve data. However, both also present a security risk. If attackers gain access to the DRA or KRA keys, they can then retrieve data that was intended to be protected. For that reason the DRA's private key should not stay resident on the servers: export it to a .pfx as in Exercise 8.4 (cipher.exe /r generates a DRA certificate and key pair as files for exactly this purpose), remove it from the system, and import it only when a recovery is needed.
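The following PowerShell script is an added example, not from the book. It performs the work of Exercises 8.4 and 8.5 from the command line (locate the EFS certificate by its Enhanced Key Usage, export it with its private key, import it back marked exportable) and then uses cipher.exe to list which certificates a file's symmetric key is wrapped for, which is how you confirm that a DRF is present on a file after a DRA has been designated. Assumptions: the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate (shipped with Windows 8 and Windows Server 2012 and later, not with Windows Server 2008, where the MMC steps above apply), the example path C:\EFSExportCert.pfx from Exercise 8.4, and a sample EFS-encrypted file C:\Data\secret.txt.

```powershell
# Added example (not from the book). Assumed: the PKI module (Windows 8 / Server 2012 and later),
# the path C:\EFSExportCert.pfx from Exercise 8.4, and an existing encrypted file C:\Data\secret.txt.
$PfxPath   = 'C:\EFSExportCert.pfx'
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'      # Enhanced Key Usage OID for "Encrypting File System"

function Get-EfsCertificate {
    # Exercise 8.4 step 6: the certificate whose intended purpose is Encrypting File System and
    # which has a private key (a certificate without its private key cannot decrypt anything).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Export-EfsCertificate {
    # Exercise 8.4 steps 7-13: certificate plus private key as PKCS #12 under a password.
    param([Parameter(Mandatory)][securestring]$Password)
    $cert = Get-EfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My; encrypt a file first.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    # The .pfx is as sensitive as the key itself; record a hash so the copy on removable media can be verified.
    (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
}

function Import-EfsCertificate {
    # Exercise 8.5: import into the personal store; -Exportable matches "Mark This Key as Exportable".
    param([Parameter(Mandatory)][securestring]$Password)
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password -Exportable
    if (-not $cert.HasPrivateKey) { throw 'Import succeeded but no private key came with it; the .pfx was exported without the key.' }
    $cert.Thumbprint
}

function Show-EfsKeyHolders {
    # cipher /c lists the users (DDF entries) and recovery certificates (DRF entries) that can decrypt a file.
    param([string]$Path)
    cipher.exe /c $Path
}

$pw = Read-Host -Prompt 'PFX password' -AsSecureString
'SHA-256 of exported .pfx: ' + (Export-EfsCertificate -Password $pw)
'Imported thumbprint:      ' + (Import-EfsCertificate -Password $pw)
Show-EfsKeyHolders -Path 'C:\Data\secret.txt'
```

The cipher /c output is the check to run after designating a DRA: a file encrypted before the DRA existed shows no recovery certificate until cipher.exe /u has touched it, and a file whose listed recovery certificate does not match the current DRA's thumbprint cannot be opened by that DRA.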
For some companies, the risks outweigh the benefits, and neither a DRA nor a KRA is implemented.

Auditing for Server Security

One of the primary things you can do when implementing server security is to watch what's happening on the server by implementing an auditing policy. With Windows Server 2008 you can do regular auditing or specialized Active Directory auditing. Regular auditing is the same type of auditing that has been available on Windows Server products since Windows 2000 Server. Windows Server 2008 has introduced more detailed auditing capabilities with Active Directory. When enabled, directory service access events can be logged with more detailed information.

Auditing can watch for certain events, and when these events occur, it will log the event in the Security log. You can configure auditing of both success and failure events. You can view the Security log using Event Viewer.

With auditing, you can monitor several types of events. Figure 8.8 shows the Group Policy settings for these categories, and the following text explains each category. Once enabled, events will be logged in the Security log and can be viewed using Event Viewer.

FIGURE 8.8 Enabling auditing via Group Policy

Account logon events: Account logon events are generated when credentials are validated; for domain accounts that happens on a domain controller, so the events are recorded there. Failure events are logged when authentication isn't successful, and success events are logged when the user enters the correct credentials.

Account management: Account management events are generated when a user, group, or computer account is created, modified, or deleted. Both success and failure events can be audited.

Directory service access: Auditing can be enabled on any individual directory service object. It's important to note that there is a two-step process for enabling directory service access auditing. You would first enable directory service access auditing in Group Policy.
Then you would go to the individual object where you want to audit. Each directory service object (users, computers, groups, OUs, and so on) has a system access control list (SACL). Each SACL lists users or groups by security identifier (SID) and the auditing requirement.

Logon events: Logon events are generated when a user attempts to log on to a computer. They are recorded on the computer where the logon session is created (the workstation or server being logged on to), so for a domain user logging on to a workstation the logon event appears on the workstation while the account logon event appears on the domain controller.

Object access: Object access enables auditing for objects. For example, you may want to know when a file, folder, or registry key is accessed, modified, or deleted. By enabling object access auditing via Group Policy, you can then enable auditing at individual objects. Just as enabling directory service access auditing is a two-step process, enabling object access auditing is a two-step process. Each object has a system access control list. Each SACL lists users or groups by security identifier and the auditing requirement.

Policy change: Policy change can audit any changes to user rights assignment policies, audit policies, and trust policies.

Privilege use: Privilege use auditing can track each time a user exercises a user right. In general, a right is something a user is allowed to do, such as change the system time. (Rights and permissions are sometimes confused; permissions grant you a specific type of access to an object.) Not all privileges are audited by default. To enable auditing of the following user rights, you need to set the FullPrivilegeAuditing registry value (a REG_BINARY value of 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is also what the security option Audit: Audit the use of Backup and Restore privilege controls):
- Bypass traverse checking
- Debug programs
- Create a token object
- Replace process-level token
- Generate security audits
- Back up and restore operations

These rights are excluded by default because of volume: backup and restore operations alone generate an event for every file touched, so enable this only when you specifically need it.

Process tracking: Process tracking auditing is used to log events in response to specific application (or individual process) events. These include events such as program activation, process exit, and indirect object access.
System events: System events auditing is used to log specific events from a computer. Some common events that are logged include when a computer is restarted or shut down.

Auditing Detailed Active Directory Events

If desired, you can enable the logging of more detailed Active Directory events. You first must enable the logging of directory service access success and failure events. Once enabled, you can then enable the logging of the following subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication

You can enable the Directory Service Access auditing policy on the Default Domain Controllers GPO, which is linked to the Domain Controllers OU. It has meaning only on domain controllers, so it wouldn't be set at a site level, at the domain level, or at OUs that hold other servers or workstations.

The Directory Service Access subcategory logs additional details when Active Directory objects are accessed. The Directory Service Changes subcategory logs information that many administrators want on a regular basis. For example, when a change is made, both the old and new values are logged so an administrator can see what the value was both before and after the change. If an object is moved, both the old and new locations will be logged. Information on replication is useful when troubleshooting replication problems.

To enable any of these subcategories, you would use the auditpol command-line tool.
The basic syntax of auditpol when enabling the detailed Active Directory auditing is shown in the following commands:

Enable success for the subcategory:
auditpol /set /subcategory:"subcategory name" /success:enable

Enable failure for the subcategory:
auditpol /set /subcategory:"subcategory name" /failure:enable

Disable success for the subcategory:
auditpol /set /subcategory:"subcategory name" /success:disable

Disable failure for the subcategory:
auditpol /set /subcategory:"subcategory name" /failure:disable

The subcategory names are entered just as they were listed previously (Directory Service Access, Directory Service Changes, Directory Service Replication, Detailed Directory Service Replication). Note that since each of the subcategory names has spaces, you must include the quotes in the command. As an example, when enabling detailed success auditing for directory service changes, you would enter the following command:

auditpol /set /subcategory:"Directory Service Changes" /success:enable

One caveat specific to Windows Server 2008 and Windows Vista: a subcategory setting made with auditpol is overwritten the next time Group Policy applies the legacy category setting (Audit directory service access) unless the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled, which sets the SCENoApplyLegacyAuditPolicy value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Enable that option before relying on auditpol changes.

Enabling Directory Service Access Auditing
- Enable Audit Directory Service Access via Group Policy.
- Enable auditing at the object level.

The following high-level steps identify how to enable auditing for directory service access events:

1. Enable Audit Directory Service Access via Group Policy as shown in the previous section.
2. In Active Directory Users and Computers, enable the viewing of advanced features by selecting Advanced Features from the View menu.
3. Right-click an object that you want to audit (such as an OU), and select Properties.
4. Click the Security tab. Click the Advanced button, and then select the Auditing tab. Figure 8.9 shows the current auditing enabled on the Domain Controllers OU.

FIGURE 8.9 Enabling auditing on a directory service object

The entries on the Auditing tab are referred to as the object's system access control list (SACL). Each entry has a security identifier that is converted to a friendly name and the specific access that will be audited.
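The following PowerShell script is an added example, not from the book. It performs both steps of this section without the GUI: the auditpol subcategory switch shown above together with the override that keeps Group Policy from undoing it, a SACL entry on an OU written through the Active Directory module's AD: drive (the same list the Auditing tab in Figure 8.9 edits), and a readback of the directory service change events that result. It audits writes and deletes rather than Full Control to keep log volume manageable. The OU distinguished name OU=Servers,DC=example,DC=com is an assumption; the Security-log event IDs 5136 through 5141 are the standard directory service change events introduced with Windows Server 2008. Run it on a domain controller as a member of Domain Admins.

```powershell
# Added example (not from the book). Assumed: run on a domain controller with the ActiveDirectory
# module and a hypothetical OU 'OU=Servers,DC=example,DC=com'. Writing a SACL needs the
# "Manage auditing and security log" right, which Domain Admins hold.
Import-Module ActiveDirectory

function Set-DsChangeAuditing {
    # Step 1: the auditpol subcategory switch from the text (success and failure in one call),
    # plus the force-subcategory override so a Group Policy refresh of the legacy category does not undo it.
    auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    auditpol.exe /get /subcategory:"Directory Service Changes"    # read back; expect "Success and Failure"
}

function Add-DsObjectAuditRule {
    # Step 2: the object's SACL. Defaults to Everyone, as the text suggests, but only for writes and deletes.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Principal = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # Everyone
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Principal,
        [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteChild, WriteDacl',
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this OU and everything beneath it
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Confirm: list the SACL entries now on the object (IsInherited marks entries that came from a parent).
    (Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

function Get-DsChangeEvents {
    # 5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted. For a modified attribute
    # the old and new values arrive as two 5136 events: OperationType %%14675 (Value Deleted)
    # followed by %%14674 (Value Added) in the raw event data.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Who       = $d.SubjectUserName
                Object    = if ($d.ObjectDN) { $d.ObjectDN } else { $d.NewObjectDN }   # 5139 (move) carries Old/NewObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Operation = $d.OperationType
                Value     = $d.AttributeValue
            }
        }
}

Set-DsChangeAuditing
Add-DsObjectAuditRule -DistinguishedName 'OU=Servers,DC=example,DC=com'
Get-DsChangeEvents | Format-Table -AutoSize
```

The readback from Add-DsObjectAuditRule is the same SACL the Auditing tab displays: one entry per audited principal, with the SID resolved to a friendly name in the GUI and the audited access listed against it.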
You can compare this to the discretionary access control list (DACL), which is an access control list that includes the SIDs and permissions for individual objects.
5. Click the Add button, and add the user or group you want to audit. You can choose Everyone to audit access for any user.
6. Pick the individual actions that you want to audit. If you want to audit all possible access, select Full Control for the Successful and Failed columns, as shown in Figure 8.10.

[...]

The rest of the source consists of preview snippets from later pages of the chapter (pages 391 to 412). They are given here in page order; each begins and ends mid-sentence as it does in the source.

(page 391-392) ... Successful and Failed check box, as shown in Figure 8.11. FIGURE 8.11 Auditing deletes in the data folder

(page 393-394) ... a host (such as a server). When the packet reaches the server, the server then needs to process it. The server looks within the packet to determine the port or the protocol that is being addressed. Once determined, the server then passes the packet information to the appropriate service to process the packet. Ports ...

(later page, number not in the source) ... used port 57575, so it would pass the information to the process that initiated the request. Server Internal Firewall: In addition to implementing a firewall at the edge of your network, you can also enable the firewall on each of your individual hosts. Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 all have firewall technologies that can be implemented. These host-based firewalls are ...

(page 397-398) ... public network, tunneling protocols are used to create a virtual private network (VPN). In Windows Server 2008, the server role that performs this function is the Network Policy role. Figure 8.16 shows a diagram using a remote access server. In the diagram, both dial-up remote access and a VPN are shown. For dial-up ...

(page 399-400) ... requiring modifications to firewalls. Port 443 is often already open on firewalls. Unlike L2TP/IPsec, SSTP can pass through a NAT. SSL within SSTP also provides data integrity and machine-level authentication. Network Policy and Access Services: Windows Server 2008 includes the role of the Network Policy and Access ...

(page 401-402) ... need to minimize costs. SQL Server logging: Using a SQL Server to store the logged data provides you with many more capabilities. Since the data is stored in a database, it's easy to query and manipulate the information. The drawback is that SQL Server costs additional money. Use SQL Server logging when you need ...

(page 404-405) ... with Windows Vista SP1 or newer operating systems. Understand encryption techniques when transmitting data. You should know that data can be encrypted on the wire within a network with IPsec. IPsec has three default policies that can be implemented: Client, Server, and Secure Server. Review Questions: 1. You are deploying a Windows Server 2008 server ...

(page 405-406) ... into the system and disable BitLocker. Enter the recovery password when prompted. 5. You are deploying a Windows Server 2008 server to a remote office. You decide to deploy BitLocker Drive Encryption with the system and verify the server meets all the hardware requirements. You also want to add multifactor authentication ...

(page 408-409) ... for a VPN server in Windows Server 2008? (Choose all that apply.) A. L2TP B. PPTP C. SSTP D. VPTP 18. You are considering deploying a VPN solution in your network. Clients will connect using Windows XP and Windows Vista. What tunneling protocol could you implement that would provide the highest level of protection? A. L2TP B. PPTP C. SSTP D. PPP 19. You are ...

(page 409-410) ... support this? A. Windows NT 4.0 B. Windows 2000 C. Windows XP D. Windows Vista SP1 Answers to Review Questions: 1. C. BitLocker Drive Encryption can be used to protect entire volumes and is useful on servers when you don't have adequate security. NTFS permissions can be hacked if the server is stolen. If the server was ...

(page 411-412) ... NNTP servers on the Internet, it wouldn't be feasible to block all possible IP addresses. 17. A, B, C. The Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling Protocol (PPTP), and Secure Socket Tunneling Protocol (SSTP) can all be used to support a VPN server in Windows Server 2008. There is no such thing as VPTP. ...