Configuring File and Folder

Part of the document mcsa_pearson.mcsa.70-697.and.70-698.cert.guide.configuring.windows.devices (pages 749 - 767)

This chapter covers the following subjects:

Configuring Data Encryption Using Encrypting File System (EFS): This section shows you how you can secure data on your Windows 10 computer by using encryption to prevent others from viewing specific files or folders. Encrypting files and folders prevents other users from accessing sensitive documents, even if your device is lost or stolen. You will also learn how to back up your EFS keys and how to configure recovery agents in case your keys are lost.

Configuring Disk Quotas: This section shows you how to specify quotas that limit the amount of disk space used by users storing files on your Windows 10 computer.

Configuring File Access Auditing: Auditing lets you record actions that take place on your computer, including attempts to access files, folders, and printers. This section shows you how to use Group Policy to set up a policy that effectively tracks these types of activities.

Configuring Shared Resources: Windows 10 provides two ways of sharing resources such as folders and printers on your computer so that users on other computers can access them. This section shows you how to configure your computer to share the public folder and how to set up a standard set of permissions and enable the sharing of individual folders and printers. Windows 10 provides four default file libraries, which act as pointers to user-specific and shared folders for documents, pictures, music, and videos. This section shows you how to configure these libraries and add or remove folders from them. A recent feature of Windows is the capability to automatically associate configured printers with the network where the printer is available. We also discuss Location Aware Printing technology, the benefits it provides, and how to configure and manage printer settings.

This chapter covers the following objectives for the 70-697 exam:

Configure file and folder access: Encrypt files and folders by using EFS, configure disk quotas, configure file access auditing, configure authentication and authorization.

Configure shared resources:

• Configure shared folder permissions, configure HomeGroup settings, configure libraries, configure shared printers, configure OneDrive.

• Configure file and printer sharing and HomeGroup connections; configure folder shares, public folders, and OneDrive; configure file system permissions; configure OneDrive usage; troubleshoot data access and usage.

From the earliest version of Windows NT right up to the present, Windows has had a system of access permissions in place that determine who has access to what and what they can do with it. You learned how to use NTFS security permissions to specify who has access to files and folders and what they can do with them in Chapter 7, “Windows 10 Security.” More recent versions of Windows have enabled users to protect data even further with encryption methods that can help to prevent those who might have circumvented other access controls from viewing or modifying confidential information. Windows can also track the usage of disk space by individuals using the computer and place a disk quota on the maximum amount of storage a particular user can access. Included also is a system of auditing access attempts to files and folders so that individuals in charge of security are able to track all types of access on the network and take appropriate measures to protect sensitive information. This chapter looks at these and other methods of sharing and protecting resources on computers and their networks.

One of the major reasons for connecting computers in a network is to share resources such as folders, files, and printers. Resources can exist on computers that are not connected to a network, and these resources may need to be secured, protected, and accessed by different users as well. Windows 10 comes with a host of tools designed to secure and manage resources wherever they may be found. Nowadays, resources can even exist remotely on the cloud; Windows 10 includes the OneDrive feature that enables you to share images, documents, and so on among computers, smartphones, and other devices in different physical locations. Microsoft expects you to be knowledgeable about all these features when taking the 70-697 and 70-698 exams.

In a modern workplace, workers require access to information created by others in the company and work they produce must be made available to their coworkers and superiors. Therefore, such resources must be shared so that others can access them. But lots of confidential information is also out there, and it must be protected from access by those who are not entitled to view it.

At home, family members need to share things such as photos, videos, and music. But parents have sensitive information, such as family finances, that must be protected as well.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter or simply jump to the “Exam Preparation Tasks” section for review. If you are in doubt, read the entire chapter. Table 14-1 outlines the major headings in this chapter and the corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 14-1. “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

| Foundations Topics Section | Questions Covered in This Section |
| --- | --- |
| Configuring Data Encryption Using EFS | 1–2 |
| Configuring Disk Quotas | 3 |
| Configuring File Access Auditing | 4 |
| Configuring Shared Resources | 5–10 |

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. You want to encrypt the Confidential folder. This folder is located on the D:\ volume, which is formatted with the FAT32 file system. You access the folder's Properties dialog box and click the Advanced button. But the option to encrypt the folder is not available. What do you need to do to encrypt this folder? (Each correct answer presents a complete solution to the problem. Choose two.)

a. Format the D:\ volume with the NTFS file system.

b. Use the Convert.exe utility to convert the D:\ volume to the NTFS file system.

c. Move the Confidential folder to the C:\ volume, which is formatted with the NTFS file system.

d. Decompress the Confidential folder.

2. You are the desktop support specialist for your company. A user named Peter has left the company, and you have deleted his user account. Later you realize that he had encrypted his Work folder on his Windows 10 computer, and you must regain access to this folder. What should you do?

a. Log on to Peter's computer with your user account and decrypt the file.

b. Log on to Peter's computer with the default administrator account and decrypt the file.

c. Re-create Peter's user account, log on with this account, and decrypt the file.

d. You cannot access this folder; it is permanently lost.

3. Your company has hired several college students for the summer as interns. They will be storing files on the D: drive of a Windows 10 computer. You have created user accounts for each student and added these accounts to a group named Interns. You want to ensure that these students do not store a large amount of data on the D: drive, so you decide to limit each user to 500 MB space on the D: drive. What should you do? (Each correct answer presents part of the solution. Choose two.)

a. Ensure that the D:\ drive is formatted with the NTFS file system.

b. Ensure that the D:\ drive is formatted with the FAT32 file system.

c. In the Add New Quota Entry dialog box, select the Do Not Limit Disk Usage option and specify the 500 MB limit and the Interns group.

d. In the Add New Quota Entry dialog box, select the Limit Disk Space To option and specify the 500 MB limit and the Interns group.

e. In the Add New Quota Entry dialog box, create a separate disk quota for each user in the Interns group that specifies the Do Not Limit Disk Usage option and the 500 MB limit.

f. In the Add New Quota Entry dialog box, create a separate disk quota for each user in the Interns group that specifies the Limit Disk Space To option and the 500 MB limit.

4. You are responsible for maintaining data security on a Windows 10 Pro computer used by your boss. He has stored a large number of documents containing sensitive corporate information that only a limited number of individuals are permitted to access. He would like to know when others attempt to access this information. To this extent, you have enabled object access auditing on his computer.

A couple of weeks later, your boss informs you that he has noticed a couple of files have been altered in an inappropriate fashion. He has checked the Security log on his computer, but no information is available to suggest who is accessing these files, so he asks you to rectify this problem. What should you do?

a. You also need to enable auditing of logon events in the Local Security Policy snap-in on your boss's computer.

b. You also need to access File Explorer on your boss's computer. From this location, ensure that the appropriate auditing entries have been enabled for the folder in which the sensitive documents are located.

c. You need to ask your boss to check events recorded in the System log of his computer.

d. You should move the folder containing the sensitive documents to a server located in a secured room, and on which auditing has been enabled.

5. You want users at other computers on your network to be able to access folders located in the libraries of your Windows 10 computer without the need to perform additional sharing tasks, so you open the Advanced sharing settings dialog box. Which option should you enable?

a. File and Printer Sharing

b. Public Folder Sharing

c. Password Protected Sharing

d. Media Streaming

6. Which of the following are true about hidden administrative shares? (Choose three.)

a. These shares are suffixed with the $ symbol and are visible in any Explorer window.

b. These shares are suffixed with the $ symbol and are visible only in the Shares node of the Computer Management snap-in.

c. These shares are suffixed with the $ symbol and can be accessed from the Network and Sharing Center.

d. You can access these shares by entering the UNC path to the share in the Run command.

e. These shares are created by default when Windows 8.1 is first installed, and they cannot be removed.

7. Which of the following are valid permissions you can set for shared folders? (Choose three.)

a. Full Control

b. Modify

c. Change

d. Read and Execute

e. Read

8. Which of the following is not true about file libraries in Windows 10?

a. Libraries are virtual folders that are actually pointers to the Documents, Pictures, Music, and Videos folder locations on the computer.

b. Each library consists of a user-specific folder and a public folder.

c. You can add additional folders to any library at any time in Windows 8.1.

d. You are limited to the four default libraries; it is not possible to designate additional libraries in Windows 10.

9. You have shared your printer so that others can access it on the network. You want Kristin, who works at another computer on the network, to be able to pause, resume, restart, and cancel all documents, but you do not want her to be able to modify printer properties or permissions. What printer permission should you grant her user account?

a. Print

b. Manage This Printer

c. Manage Documents

d. Full Control

10. Your laptop now automatically uses the Richardson office printer when you are visiting the Richardson office and the color laser printer near your office when you are at headquarters. Recently, the color printer was moved to another floor and a newer printer installed in its place. You have installed the new printer drivers and tested it, but whenever you return to headquarters, it prints to the printer that is now on another floor. What is the best way to fix this issue?

a. Delete the original color printer.

b. Turn off location-aware printing.

c. Use the Printer Troubleshooting tool.

d. Select the newer printer specifically for a print job. It will then become your default printer and Windows will use it each time you print after that.

Foundation Topics

Configuring Data Encryption Using Encrypting File System (EFS)

You often hear news reports that mention thefts of laptop computers containing valuable data. In one such case, a computer stolen from a doctor’s car in Toronto contained the records of thousands of patients, exposing them to misuse and potential identity theft. The computer was protected with a password but the data was not encrypted. Windows 10 includes the following two systems of data encryption, designed to protect data not only on your laptop when you are in a place such as an airport or hotel where a thief can grab it when you're momentarily distracted, but also at any other place where an unauthorized individual might attempt to either connect to it across the network or physically access it:

• First introduced with Windows Vista, BitLocker Drive Encryption encrypts a computer’s entire system partition. You learned about BitLocker and BitLocker To Go in Chapter 8, “Windows 10 Data Security.”

• First introduced with Windows 2000 and refined with each successive iteration of Windows, the Encrypting File System (EFS) can be used to encrypt files and folders on any partition that is formatted with the NTFS file system. We discuss EFS in this section.

EFS enables users to encrypt files and folders on any partition that is formatted with the NTFS file system. The encryption attribute on a file or folder can be toggled the same as any other file attribute. When you set the encryption attribute on a folder, all its contents—whether subfolders or files—are also encrypted.

The encryption attribute, when assigned to a folder, affects files the same way that the compression attribute does when a file is moved or copied. Files that are copied into the encrypted folder become encrypted. Files that are moved into the encrypted folder retain their former encryption attribute, whether or not they were encrypted. When you move or copy a file to a file system that does not support EFS, such as FAT16 or FAT32, the file is automatically decrypted.

Tip

Remember that the file system must be set to NTFS if you want to use EFS, and no file can be both encrypted and compressed at the same time. On the exam, you may be presented with a scenario where a user is unable to use EFS or file compression on a FAT32 volume. The correct answer to such a problem is to convert the file system to NTFS, as described later in the section “Preparing a Disk for EFS.”
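The move-versus-copy rule above means an encrypted folder can still hold plaintext files. The following PowerShell sketch is an added example, not code from the book; the function name `Get-EfsGap` and the path `D:\Confidential` are hypothetical, and it assumes a folder on a local drive letter. It lists every file under a folder that lacks the encryption attribute and shows whether the file is compressed instead.

```powershell
# Added example, not from the book. 'D:\Confidential' is a hypothetical path.
function Get-EfsGap {
    param(
        [Parameter(Mandatory)] [string] $Root
    )

    $encrypted  = [System.IO.FileAttributes]::Encrypted
    $compressed = [System.IO.FileAttributes]::Compressed
    $rootItem   = Get-Item -LiteralPath $Root -Force

    # EFS needs NTFS; on FAT16/FAT32 files are stored decrypted.
    $volumeRoot = [System.IO.Path]::GetPathRoot($rootItem.FullName)
    $format     = (New-Object System.IO.DriveInfo $volumeRoot).DriveFormat
    if ($format -ne 'NTFS') {
        Write-Warning "$Root is on a $format volume, so nothing under it can be EFS-encrypted."
        return
    }

    # Without the attribute on the folder, files copied in are not encrypted either.
    if (-not $rootItem.Attributes.HasFlag($encrypted)) {
        Write-Warning "$Root does not have the encryption attribute set."
    }

    # Files moved in keep their former state, so check every file individually.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File |
        Where-Object { -not $_.Attributes.HasFlag($encrypted) } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Compressed'; Expression = { $_.Attributes.HasFlag($compressed) } }
}

Get-EfsGap -Root 'D:\Confidential' | Format-Table -AutoSize
```

An empty result means every file under the folder carries the encryption attribute; a file reported with Compressed set to True has to be decompressed before it can be encrypted.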

Encrypting File System Basics

EFS uses a form of public key cryptography, which utilizes a public and private key pair. The public key or digital certificate is freely available to anyone, whereas the private key is retained and guarded by the user to which the key pair is issued. The public key is used to encrypt data, and the private key decrypts the data that was encrypted with the corresponding public key.

The key pair is created the first time a user encrypts a file or folder using EFS. When another user attempts to open the file, that user is unable to do so. Therefore, EFS is suitable for data that a user wants to maintain as private, but not for files that are shared.

Windows 10 has the capability to encrypt files directly on any NTFS volume. This ensures that no other user can use the encrypted data. Encryption and decryption of a file or folder is performed in the object’s Properties dialog box. Administrators should be aware of the rules to put into practice to manage EFS on a network:

• Only use NTFS as the file system for all workstation and server volumes.

• Keep a copy of each user’s certificate and private key on a USB flash drive or other removable media.

• Remove the user’s private key from the computer except when the user is actually using it.

• When users routinely save documents only to their Documents folder, make certain their documents are encrypted by having each user encrypt his or her own Documents folder.

• Use two recovery agent user accounts that are reserved solely for that purpose for each Active Directory Domain Services (AD DS) organizational unit (OU) if computers participate in a domain. Assign the recovery agent certificates to these accounts.

• Archive all recovery agent user account information, recovery certificates, and private keys, even if obsolete.

• When planning a network installation, keep in mind that EFS does take up additional processing overhead; plan to incorporate additional CPU processing power in your plans.

A unique encryption key is assigned to each encrypted file. You can share an encrypted file with other users in Windows 10, but you are restricted from sharing an entire encrypted folder with multiple users or sharing a single file with a security group. This is related to the way that EFS uses certificates, which are applicable individually to users, and how EFS uses encryption keys, which are applicable individually to files. Windows 10 continues the capability introduced with Windows Vista to store keys on smart cards. If you are using smart cards for user logon, EFS automatically locates the encryption key without issuing further prompts. EFS also provides wizards that assist users in creating and selecting smart card keys.

You can use different types of certificates with EFS: third-party–issued certificates, certificates issued by certification authorities (CAs)—including those on your own network—and self-signed certificates. If you have developed a security system on your network that utilizes mutual authentication based on certificates issued by your own CA, you can extend the system to EFS to further secure encrypted files. For more information on using certificates with EFS, refer to the Windows 10 Help and Support Center.

Note

For more information on the technology behind EFS, refer to "How EFS Works" at https://technet.microsoft.com/en-us/library/cc962103.aspx.

Preparing a Disk for EFS

Unlike versions of Windows prior to Vista, the system and boot partition in Windows 10 must be formatted with NTFS before you can install Windows 10, as you learned in Chapter 9, "Managing User Data." However, a data partition can be formatted with the FAT or FAT32 file systems. But you must ensure that such a partition is formatted with NTFS before you can encrypt data using EFS. If it is not, you can convert the hard disk format from FAT to NTFS or format the partition as NTFS. There are two ways to go about this:

• Use the command-line Convert.exe utility to change an existing FAT16 or FAT32 partition that contains data to NTFS without losing the data.

• Use the graphical Disk Management utility to format a new partition, or an empty FAT partition, to NTFS. If the volume contains data, you will lose it.

(You can also use the command-line Format.exe utility to format a partition as NTFS.)

The Convert.exe utility is simple to use and typically problem-free, although you should make certain to back up the data on the partition before you convert it as a precaution. Perform the following steps to use this utility:

Step 1. Log on to the computer as an administrator. Know which drive letter represents the partition that you plan to convert, because only the partition that contains the encrypted files needs to be formatted with NTFS. For example, if users store all their data on drive D: and want to encrypt those files, you convert drive D: to NTFS.

Step 2. From the taskbar Search text box, ensure that Apps is selected, type cmd into the Search box, and press Enter.

Step 3. The Command Prompt window opens. At the prompt, type convert d: /fs:ntfs.
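The checks implied by Steps 1 through 3 can be scripted so that the conversion runs only on a volume that actually needs it. This PowerShell sketch is an added example, not code from the book; the function name `Convert-VolumeToNtfs` is hypothetical and drive D is taken from the example in Step 1.

```powershell
# Added example, not from the book: checks to run before "convert d: /fs:ntfs".
function Convert-VolumeToNtfs {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter
    )

    # Step 1: the session must be running as an administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start PowerShell as an administrator and try again.'
    }

    $drive = New-Object System.IO.DriveInfo "${DriveLetter}:\"
    if (-not $drive.IsReady) { throw "Drive ${DriveLetter}: is not ready." }

    # Only FAT16 (reported as FAT) and FAT32 volumes need converting.
    if ($drive.DriveFormat -eq 'NTFS') {
        Write-Output "Drive ${DriveLetter}: is already NTFS; EFS can be used as is."
        return
    }
    if ($drive.DriveFormat -notin 'FAT', 'FAT32') {
        throw "Drive ${DriveLetter}: is $($drive.DriveFormat); this procedure covers FAT and FAT32 only."
    }

    # Show what has to be backed up first, and the label in case convert.exe asks for it.
    $usedGB = [math]::Round(($drive.TotalSize - $drive.TotalFreeSpace) / 1GB, 2)
    Write-Output "Drive ${DriveLetter}: $($drive.DriveFormat), label '$($drive.VolumeLabel)', $usedGB GB in use."

    # Step 3: run the same command the procedure types at the prompt.
    if ($PSCmdlet.ShouldProcess("${DriveLetter}:", 'convert to NTFS')) {
        & convert.exe "${DriveLetter}:" /fs:ntfs
        if ($LASTEXITCODE -ne 0) { throw "convert.exe exited with code $LASTEXITCODE." }
    }
}

Convert-VolumeToNtfs -DriveLetter D -WhatIf
```

With `-WhatIf` the function only reports what it would do; remove the switch to run the conversion after the data has been backed up.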
