Step 3. Type the name of the desired user or group, click OK, and then click the View Effective Access command button.
Step 4. You are returned to the Effective Access tab, which now displays the effective permissions for the user or group, as shown in Figure 8-2. In the case illustrated here, the user's access was limited by a Deny entry granted to a group to which the user belongs; this limitation is indicated by the red "X" entries and by the File Permissions entry in the Access Limited By column of the dialog box.
Figure 8-2. Viewing a User or Group’s Effective Permissions to a Resource from the Effective Access Tab of the Advanced Security Settings Dialog Box
Copying and Moving Files and Folders
When you copy or move a file or folder that carries NTFS permissions, those permissions can change. Which outcome you get depends on whether the operation is a copy or a move, and on where the destination lies.
Copying Files and Folders with NTFS Permissions
When you copy a file or folder, the copy is a new object: it receives the permissions inherited from its destination folder and does not keep any explicit permissions that were set on the original. If the destination folder's permissions happen to match the source's exactly, the copy looks unchanged, but that is a coincidence of matching ACLs, not an exception to the rule.
To keep NTFS permissions effective on your computer, keep in mind how copying changes them. There are essentially three possible outcomes, as outlined in Table 8-2.
Table 8-2. The Effect of Copying Files or Folders on Their NTFS Permissions
Action: Copy a file or folder within the same partition
Result: The copy inherits the NTFS permissions of the destination folder.
Action: Copy a file or folder from one NTFS partition to another NTFS partition
Result: The copy inherits the NTFS permissions of the destination folder.
Action: Copy a file or folder from an NTFS partition to a FAT or FAT32 partition
Result: The copy loses its NTFS permissions completely. NTFS permissions cannot exist anywhere but on an NTFS partition.
To copy files from an NTFS partition, you need at least the Read permission on the originating folder. To complete the copy so that the new copies are written to disk, you need at least the Write permission on the destination folder. Note that Table 8-2 describes a plain copy; tools that copy security explicitly, such as xcopy /O or robocopy /COPY:DATS, reproduce the source ACL on the destination instead.
Caution
A close look at Table 8-2 should alert you to the fact that copying a file or folder from an NTFS partition to a FAT or FAT32 partition strips it of its NTFS permissions and leaves it fully available to every user of the local computer, and of any computer the media is later connected to.
Moving Files and Folders with NTFS Permissions
Moving files or folders that carry NTFS permissions may change those permissions. Depending on the circumstances, especially the destination of the move, the permissions may change or may stay the same. As outlined in Table 8-3, there are again three possible outcomes.
Table 8-3. The Effect of Moving Files or Folders on Their NTFS Permissions
Action: Move a file or folder within the same partition
Result: The file or folder retains its NTFS permissions, regardless of the permissions on the destination folder. A move within a volume is a rename, so the object's security descriptor is not rewritten; explicit entries, including Deny entries, travel with it.
Action: Move a file or folder from one NTFS partition to another NTFS partition
Result: The file or folder inherits the NTFS permissions of the destination folder. A cross-volume move is a copy followed by a delete, so it behaves like a copy.
Action: Move a file or folder from an NTFS partition to a FAT or FAT32 partition
Result: The file or folder loses its NTFS permissions completely. NTFS permissions cannot exist anywhere but on an NTFS partition.
To move files within an NTFS partition or between two NTFS partitions, you need at least the Modify permission on the originating folder, because the source files and folders are deleted once they have been safely written to their new location. To complete the move so that the moved versions are written to disk, you need at least the Write permission on the destination folder.
Note
After you have had time to think about how copying and moving affects NTFS permissions, there is an easy way to remember all of these outcomes. One simple sentence summarizes what is going on: "Moving within retains." The only sure way to retain existing NTFS permissions during a copy or move is to move files within a single NTFS partition. Every other option carries a very real potential for altering NTFS permissions.
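The copy and move rules in Tables 8-2 and 8-3 are easy to check rather than memorize. The following script is an added example, not part of the original text: it plants an explicit, inheritable Deny entry on a source folder, then copies and moves a file created there and prints the ACL with Get-Acl after each step, so you verify the outcome on your own system. It assumes you run it elevated, that C: is NTFS, and that D: (used only if present) is a second NTFS volume; BUILTIN\Guests is used as the denied principal simply because that group exists on every Windows computer.

```powershell
# Added example (not from the original text): verify the copy/move rules with Get-Acl.
# Assumptions: elevated session, C: is NTFS, D: is an optional second NTFS volume.
$principal = 'BUILTIN\Guests'          # always exists, so Set-Acl can resolve it
$src  = 'C:\AclLab\Source'
$dst  = 'C:\AclLab\Dest'
$dst2 = 'D:\AclLab\Dest'               # cross-volume destination, used only if D: exists

New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null

# Put an explicit, inheritable Deny ACE on the source folder so a file created
# there carries something visibly different from the destination folder's ACL.
$acl  = Get-Acl -Path $src
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $src -AclObject $acl

$file = Join-Path $src 'secret.txt'
Set-Content -Path $file -Value 'constructed test data'

function Show-Aces {
    # One row per ACE: who, Allow/Deny, rights, and whether the ACE is inherited.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference,
                      AccessControlType, FileSystemRights, IsInherited
}

Show-Aces $file                       # Deny ACE present, inherited from $src

# Copy within the same volume: the copy is a new object and takes $dst's
# inherited ACL, so the Deny ACE does not appear on it.
Copy-Item -Path $file -Destination (Join-Path $dst 'secret-copy.txt')
Show-Aces (Join-Path $dst 'secret-copy.txt')

# Move within the same volume: a rename, so the security descriptor is untouched.
# The Deny ACE travels with the file and is still flagged IsInherited even though
# the new parent never granted it ("moving within retains").
Move-Item -Path $file -Destination (Join-Path $dst 'secret-moved.txt')
Show-Aces (Join-Path $dst 'secret-moved.txt')

# Move across volumes: copy plus delete, so the file inherits $dst2's ACL instead.
if (Test-Path -Path 'D:\') {
    New-Item -ItemType Directory -Force -Path $dst2 | Out-Null
    Move-Item -Path (Join-Path $dst 'secret-moved.txt') `
              -Destination (Join-Path $dst2 'secret-moved.txt')
    Show-Aces (Join-Path $dst2 'secret-moved.txt')
}
```

The stale inherited Deny entry left behind by the intra-volume move is exactly the kind of thing the Effective Access tab reports as "File Permissions" in the Access Limited By column; running icacls /reset on the moved file, or re-applying inheritance from the new parent, clears it.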
Using the Mouse to Copy or Move Objects from One Location to Another
Keep in mind the following facts about dragging objects between locations:
• When you use the mouse to drag an object from one folder to another on the same partition, you are moving that object.
• If you drag the object to a folder on another partition, you are copying that object.
• If you hold down the Ctrl key while dragging, you are copying the object, whether it is to the same or another partition.
• You can also right-drag the object. In this case, when you release the mouse button, you receive choices of copying the object, moving it, or creating a shortcut to the object in its original location.
Dynamic Access Control
Dynamic Access Control (DAC), introduced in Windows Server 2012 and available in Windows Server 2016, enhances data security and helps maintain compliance by factoring user identity and device security attributes into the decision to grant access to data. You can make users' roaming profiles and redirected folders available immediately when they log on from any device, and remove the availability of sensitive data when they log off. Security auditing has also been enhanced with expression-based audit policies and the capability to audit new types of securable objects, as well as data located on removable storage devices.
Although there is nothing to configure in Windows 10 specifically, Microsoft requires you to know about DAC and how it works for the 70-697 exam.
DAC helps to implement security policies on document and folder access that NTFS cannot do, or cannot do well. You have learned how NTFS uses groups, nested groups, and user permissions to secure data, and how complicated it can be to determine exactly what permission a user may have.
What if you have a folder whose access requirements demand membership in two separate groups? NTFS has no easy way to express that rule short of creating a third group, further complicating permissions.
When users can access resources from multiple devices and multiple locations, security becomes increasingly important, but what if you want to allow access to certain documents only from certain locations? NTFS permissions cannot help with that, either.
These are the access requirement problems that DAC is designed to solve. You can impose multigroup requirements, impose requirements on user locations or devices, and apply other controls. You can tag data on file servers and classify it according to how sensitive or secret it is. You can define audit rules that record which users accessed sensitive data and when. These features go a long way toward helping organizations with strict requirements such as HIPAA or Sarbanes-Oxley to ensure that their systems enforce policy requirements.
Implementing DAC in an Active Directory environment has several requirements.
• At least one domain controller running Windows Server 2012 or later, so that the Key Distribution Center (KDC) can issue user and device claims.
• The File Server Resource Manager (FSRM) role service on every file server that will classify files. FSRM is part of the File and Storage Services role and runs on the file servers, not on the domain controllers.
• The Active Directory Rights Management Services (AD RMS) role, if classified files are to be protected automatically with RMS encryption.
• Domain Functional Level Windows Server 2012 or higher.
• The Microsoft Office Filter Packs installed on any file server that will classify the content of Office documents.
• A Group Policy Object that enables KDC support for claims, compound authentication, and Kerberos armoring on the domain controllers, with the matching Kerberos client setting on the file servers and clients.
• A central access policy, or set of central access policies, for the organization.
The details of planning and configuring each of these requirements are out of the scope of this text. You should understand that DAC is implemented with Active Directory (user and device claims, resource properties, and central access policies), a set of Group Policies, and the server roles that enforce the policies, specifically FSRM and AD RMS.
Note
For more information about Dynamic Access Control and the various scenarios for using DAC to secure sensitive data, see "Dynamic Access Control: Scenario Overview" at https://technet.microsoft.com/en-us/windows-server-docs/identity/solution-guides/dynamic-access-control--scenario-overview.
With DAC configured and in place in your organization, you have new options for securing and classifying your files. For instance, you may want to create rules that allow only certain people to access documents containing Personally Identifiable Information (PII), or that audit any access to those files.
The first step is to use the FSRM to create Classification Properties you can use to classify documents. Figure 8-3 illustrates a Classification Property named Contains PII. This property can then be used on documents in the server’s file shares.
Figure 8-3. Using the FSRM to Create Classification Properties
Documents stored on the server can then use these properties, enforcing your organization's policies for classification of sensitive data. You can access the classification properties of any document by right-clicking it and selecting Properties from the context menu. A Classification tab is now available, as shown in Figure 8-4. As shown, the Contains PII property can be set for the document. This is a Yes/No property: you can leave it as None, which causes DAC to ignore it, or set it to Yes or No. The "HR-Secrets" document does contain PII, so we set the property to Yes.
DAC will use this property, along with any audit or access rules you define, whenever users access the file.
Figure 8-4. Setting Classification Properties on Organization Documents
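What Figures 8-3 and 8-4 do through the FSRM console and the Classification tab can also be done with the FileServerResourceManager PowerShell module, which is how you would script it across many servers. The following is an added example, not from the original text or from Microsoft's documentation: it creates the Contains PII property definition, sets it to Yes on one file the way the Classification tab does (FSRM exposes manual classification through the Fsrm.FsrmClassificationManager COM object), and then adds a content classification rule that flags files matching a simplified SSN pattern so the property is set automatically. It assumes it runs on a file server with the FSRM role service installed; D:\HR, the file name, and the regular expression are placeholders.

```powershell
# Added example (not from the original text): classification by script.
# Assumptions: FSRM role service installed; D:\HR and the regex are placeholders.
Import-Module FileServerResourceManager

$propName = 'Contains PII'
$share    = 'D:\HR'                               # placeholder share path
$doc      = Join-Path $share 'HR-Secrets.txt'     # placeholder document
New-Item -ItemType Directory -Force -Path $share | Out-Null
Set-Content -Path $doc -Value 'constructed sample: employee SSN 123-45-6789'

# Figure 8-3: the Yes/No property definition, created only if it is missing.
if (-not (Get-FsrmClassificationPropertyDefinition -Name $propName -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name $propName -Type YesNo `
        -Description 'Document contains personally identifiable information' | Out-Null
}

function Get-FileClassification {
    # Reads one classification property from a file; 'None' if it was never set.
    param([string]$Path, [string]$Property)
    $cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
    try { $cm.GetFileProperty($Path, $Property, 0).Value } catch { 'None' }
}

# Figure 8-4: manual classification, equivalent to choosing Yes on the tab.
$cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
$cm.SetFileProperty($doc, $propName, 'Yes')
Get-FileClassification -Path $doc -Property $propName     # Yes

# Automatic classification: a content rule sets Contains PII = Yes for any file
# under D:\HR whose text matches the (deliberately simplified) SSN pattern.
# ReevaluateProperty Overwrite lets later runs change an earlier value.
if (-not (Get-FsrmClassificationRule -Name 'Flag SSNs as PII' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name 'Flag SSNs as PII' `
        -Property $propName -PropertyValue 'Yes' `
        -ClassificationMechanism 'Content Classifier' `
        -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
        -Namespace @($share) `
        -ReevaluateProperty Overwrite | Out-Null
}

# Classification normally runs on the FSRM schedule; start it now instead.
Start-FsrmClassification -Confirm:$false
```

The property values written here are what a central access rule or audit rule later tests (for example, Resource.Contains_PII Equals "Yes"), so a mis-set or missing property silently changes who can open the file; read it back with Get-FileClassification after every run rather than assuming the rule fired.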
Access to Removable Media
Many organizations in government or private industry maintain sensitive data that must be carefully controlled and kept secret. To maintain a controlled environment, it’s necessary to ensure that people are not walking out of the organization with classified documents on a removable disk or USB thumb drive. These devices are easily hidden and easily lost, leading to unknown disclosures of secrets.
We discuss encryption later in this chapter; it limits the damage when unsecured media is lost. Your organization may have policies that require encryption for any removable media or USB drives, or policies that simply prohibit the use of these devices altogether. In the latter case, you can enforce the policy with Group Policy Objects (GPOs).
The section in Group Policy called Removable Storage Access, found under Computer Configuration\Administrative Templates\System, contains many policies for fine-grained control over removable media on any domain-joined computer in the organization, as shown in Figure 8-5.
Figure 8-5. Group Policies for Removable Storage Access
For instance, you might want to prevent anyone from writing data to a DVD or CD drive while still allowing them to read discs and install applications from DVD. To do so, enable the CD and DVD: Deny Write Access policy and leave the execute and read access policies as Not Configured.
There are several categories of devices for which you can set policies, including what are called Windows Portable Devices (WPD). As the description in Figure 8-6 shows, these include cell phones, media players, and other consumer electronics (CE) devices.
Figure 8-6. WPD Devices: Deny Write Access Group Policy
If needed, you can set a global policy for any removable storage by configuring the All Removable Storage Classes policy, which denies all access to removable storage of any kind.
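The Removable Storage Access settings in Figures 8-5 and 8-6 are plain registry policies under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, one subkey per device-class GUID with Deny_Read, Deny_Write, and Deny_Execute values, plus a Deny_All value on the parent key for the All Removable Storage Classes policy. The following is an added example, not from the original text: it sets the CD and DVD: Deny Write Access and WPD Devices: Deny Write Access policies in a domain GPO with the GroupPolicy module, and includes a function to read back what actually applied on a client. It assumes the GroupPolicy RSAT module is installed, the GPO name is a placeholder, and the class GUIDs are the ones defined in RemovableStorage.admx; check them against your own ADMX copy before deploying.

```powershell
# Added example (not from the original text): removable storage policy by script.
# Assumptions: GroupPolicy module present; GPO name is a placeholder; GUIDs are
# taken from RemovableStorage.admx and should be verified against your copy.
Import-Module GroupPolicy

$gpoName = 'Removable Media Lockdown'   # placeholder GPO name
$base    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$classes = @{
    'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                          '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

function Set-RemovableStorageDeny {
    # Writes one Deny_* value (Read, Write or Execute) for every GUID of a device class.
    param([string]$Class, [ValidateSet('Read', 'Write', 'Execute')][string]$Access)
    foreach ($guid in $classes[$Class]) {
        Set-GPRegistryValue -Name $gpoName -Key "$base\$guid" `
            -ValueName "Deny_$Access" -Type DWord -Value 1 | Out-Null
    }
}

# "CD and DVD: Deny write access" only; read and execute stay Not Configured.
Set-RemovableStorageDeny -Class 'CD and DVD' -Access Write
# "WPD Devices: Deny write access" (Figure 8-6) spans two device-class GUIDs.
Set-RemovableStorageDeny -Class 'WPD Devices' -Access Write

# "All Removable Storage classes: Deny all access" is a single value on the parent
# key. Uncomment to use the blanket policy instead of the per-class settings above.
# Set-GPRegistryValue -Name $gpoName -Key $base -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

function Get-RemovableStoragePolicy {
    # Run on a client after gpupdate /force: lists the Deny_* values in effect.
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $root)) { return 'No removable storage policy applied' }
    $all = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).Deny_All
    if ($all -eq 1) { 'Deny_All = 1 (all removable storage blocked)' }
    Get-ChildItem -Path $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Class        = $_.PSChildName
            Deny_Read    = $p.Deny_Read
            Deny_Write   = $p.Deny_Write
            Deny_Execute = $p.Deny_Execute
        }
    }
}
Get-RemovableStoragePolicy
```

Because these are policy registry values, a local administrator who is not constrained by the GPO can delete them; audit the RemovableStorageDevices key for changes and treat the GPO, not the client, as the source of truth.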
Encrypting File System
You often hear news reports of stolen laptop computers containing valuable data. In one such case, a computer stolen from a doctor's car in Toronto contained the records of thousands of patients, exposing them to misuse and potential identity theft. The computer was protected with a password, but the data was not encrypted. Windows 10 includes the following two systems of data encryption, designed to protect data not only on a laptop in a place such as an airport or hotel, where a thief can grab it while you are momentarily distracted, but also anywhere else that an unauthorized individual might gain physical access to the disk or attempt to read it from another operating system.
• First introduced with Windows Vista, BitLocker Drive Encryption encrypts entire volumes, including the operating system volume and, with BitLocker To Go, removable drives. We cover BitLocker later in this chapter.
• First introduced with Windows 2000 and refined with each successive version of Windows, the Encrypting File System (EFS) encrypts individual files and folders on any partition formatted with the NTFS file system. We discuss EFS in this section.
EFS enables users to encrypt files and folders on any partition that is formatted with the NTFS file system. The encryption attribute on a file or folder is toggled in the same way as any other file attribute. When you set the encryption attribute on a folder, all its contents, whether subfolders or files, are encrypted as well.
The encryption attribute, when assigned to a folder, affects files the same way the compression attribute does when a file is moved or copied. Files copied into the encrypted folder become encrypted. Files moved into the encrypted folder retain their former encryption attribute, whether or not they were encrypted. When you move or copy an encrypted file to a file system that does not support EFS, such as FAT16 or FAT32, the file is decrypted on the way, which is possible only if you hold a key that can decrypt it; a user who cannot decrypt the file gets an access-denied error instead of a plaintext copy.
Tip
Remember that the file system must be NTFS if you want to use EFS, and that no file can be both encrypted and compressed at the same time. On the exam, you may be presented with a scenario in which a user is unable to use EFS or file compression on a FAT32 volume; the correct answer to such a problem is to convert the file system to NTFS, as described in the section "Preparing a Disk for EFS."
Encrypting File System Basics
EFS uses public key cryptography in a hybrid scheme. Each file is encrypted with a random symmetric file encryption key (FEK); the FEK is in turn encrypted with the public key from the user's EFS certificate and stored with the file, and only the matching private key, which the user retains and guards, can recover the FEK and therefore the file. The public key, in the form of a digital certificate, can be shared freely. If the user has no EFS certificate from a certification authority, a self-signed certificate and key pair are created the first time the user encrypts a file or folder with EFS.
When another user attempts to open the file, that user cannot do so unless the file's owner has explicitly added that user's certificate to the file. EFS is therefore suited to data that a user wants to keep private, and poorly suited to files that are shared widely.
Windows 10 can encrypt files directly on any NTFS volume, which keeps other users from reading the encrypted data even when NTFS permissions would let them open the file. Encryption and decryption of a file or folder is performed in the object's Properties dialog box. Administrators should be aware of the following rules for managing EFS on a network:
• Only use NTFS as the file system for all workstation and server volumes.
• Keep a copy of each user’s certificate and private key on a USB flash drive or other removable media.
• Remove the user’s private key from the computer except when the user is actually using it.
• When users routinely save documents only to their Documents folder, make certain their documents are encrypted by having each user encrypt his own Documents folder.
• Use two recovery agent user accounts that are reserved solely for that purpose for each Active Directory Domain Services (AD DS) organizational unit (OU) if computers participate in a domain. Assign the recovery agent certificates to these accounts.
• Archive all recovery agent user account information, recovery certificates, and private keys, even if obsolete.
• When planning a network installation, keep in mind that EFS adds processing overhead; plan to incorporate additional CPU processing power.
A unique encryption key is assigned to each encrypted file. You can share an encrypted file with other users in Windows 10, but you cannot share an entire encrypted folder with multiple users or share a single file with a security group. This follows from the way EFS uses certificates, which are issued to individual users, and encryption keys, which are assigned to individual files. Windows 10 continues the capability introduced with Windows Vista to store EFS keys on smart cards. If you use smart cards for user logon, EFS locates the encryption key automatically without issuing further prompts. EFS also provides wizards that assist users in creating and selecting smart card keys.
You can use different types of certificates with EFS: third-party-issued certificates, certificates issued by certification authorities (CAs), including those on your own network, and self-signed certificates. If you have developed a security system on your network that uses mutual authentication based on certificates issued by your own CA, you can extend the system to EFS to further secure encrypted files. For more information on using certificates with EFS, refer to the Windows 10 Help and Support Center.
Note
For more information on the technology behind EFS, refer to "How EFS Works" at http://technet.microsoft.com/en-us/library/cc962103.aspx.
Preparing a Disk for EFS
Unlike versions of Windows prior to Vista, the system and boot partition in Windows 10 must be formatted with NTFS before you can install Windows 10, as you learned in Chapter 2, "Implementing Windows." However, a data partition can be formatted with the FAT or FAT32 file systems. But you must ensure that such a partition is formatted with NTFS before you can encrypt data using EFS. If it is not, you can convert the hard disk format from FAT to NTFS or format the partition as NTFS. There are two ways to go about this:
• Use the command-line Convert.exe utility to change an existing FAT16 or FAT32 partition that contains data to NTFS without losing the data.
• Use the graphical Disk Management utility to format a new partition, or an empty FAT partition, to NTFS. If the volume contains data, you will lose it.
(You can also use the command-line Format.exe utility to format a partition as NTFS.)
The Convert.exe utility is simple to use and typically problem-free, although you should make certain to back up the data on the partition before you convert it as a precaution. Perform the following steps to use this utility:
Step 1. Log on to the computer as an administrator. Know which drive letter represents the partition that you plan to convert, because only the partition that will hold the encrypted files needs to be formatted with NTFS. For example, if users store all their data on drive D: and want to encrypt those files, you convert drive D: to NTFS.
Step 2. From the Search bar or Cortana, type cmd into the Search box, right-click Command Prompt, and select Run as administrator; Convert.exe requires an elevated prompt.
Step 3. The Command Prompt window opens. At the prompt, type convert d: /fs:ntfs.
Step 4. The conversion process begins. If you are running the Convert.exe utility from the same drive letter prompt as the partition you are converting, or a file is open on the partition, you are prompted with a message that states Convert Cannot Gain Exclusive Access to D:, So It Cannot Convert It Now. Would You Like To Schedule It to Be Converted the Next Time the System Restarts (Y/N)? Press Y at the message.
Step 5. Restart the computer. The disk converts its format to NTFS. This process takes considerable time to complete, but at completion, you can access the Properties dialog box for the disk you've converted and note that it is formatted with the NTFS file system.
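The same procedure as a script, with the checks a practitioner wants before running a one-way conversion. This is an added example, not from the original text: it confirms the volume's current file system with Get-Volume, refuses to run until you acknowledge a backup, answers the "schedule at next restart" prompt for you, and reports afterwards whether the volume is NTFS now or still waiting for a reboot. It assumes D: is the data volume to convert and that the script runs in an elevated PowerShell session.

```powershell
# Added example (not from the original text): Convert.exe with pre- and post-checks.
# Assumptions: D: is the volume to convert; run from an elevated PowerShell session.

function Get-VolumeFileSystem {
    # Returns the file system name reported by the storage stack, e.g. FAT32 or NTFS.
    param([string]$DriveLetter)
    (Get-Volume -DriveLetter $DriveLetter).FileSystem
}

function Convert-VolumeToNtfs {
    param(
        [string]$DriveLetter,
        [switch]$BackupVerified   # the conversion is one-way; insist on a backup
    )
    $fs = Get-VolumeFileSystem -DriveLetter $DriveLetter
    if ($fs -eq 'NTFS') { return "${DriveLetter}: is already NTFS" }
    if ($fs -notin @('FAT', 'FAT32')) {
        throw "${DriveLetter}: is $fs; convert.exe only converts FAT or FAT32 volumes"
    }
    if (-not $BackupVerified) {
        throw "Back up ${DriveLetter}: first, then rerun with -BackupVerified"
    }

    # Feed 'Y' on stdin so the "schedule it for the next restart (Y/N)?" prompt
    # from Step 4 is answered if convert.exe cannot lock the volume right now.
    $output = 'Y' | & convert.exe "${DriveLetter}:" /fs:ntfs 2>&1 | Out-String

    $after = Get-VolumeFileSystem -DriveLetter $DriveLetter
    if ($after -eq 'NTFS') {
        return "${DriveLetter}: converted to NTFS`n$output"
    }
    # Still FAT: either the conversion was scheduled (Step 5: restart) or it failed;
    # the captured convert.exe text says which.
    return "${DriveLetter}: is still $after; restart to complete a scheduled conversion`n$output"
}

Convert-VolumeToNtfs -DriveLetter 'D' -BackupVerified
```

After a conversion, check the new volume's root ACL with Get-Acl before users start encrypting: a converted volume receives a default ACL that is more permissive than the one a freshly formatted NTFS volume gets, and tightening it is part of preparing the disk for EFS.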
Encrypting Files
You can use either the cipher command-line utility or the advanced attributes of the file or folder to encrypt a file. To use the cipher utility for encrypting a file named Myfile.txt located in the C:\mydir folder, the full command to use is as follows:
cipher /e /a c:\mydir\myfile.txt
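The cipher command does more than toggle the attribute, and several of the rules listed above (back up each user's certificate and private key; know who can decrypt a file; remember that the file is decrypted when it leaves NTFS) can be carried out and verified with it. The following is an added example, not from the original text: it encrypts a folder and a file, confirms the Encrypted attribute bit, lists the certificates that can decrypt the file, exports the user's EFS certificate and private key to a password-protected .pfx, locates the same certificate in the user's store by its EFS enhanced key usage, and shows the plaintext copy that results from copying to FAT32. It assumes C: is NTFS and that E: (used only if present) is a FAT32 removable drive.

```powershell
# Added example (not from the original text): EFS operations with cipher.exe.
# Assumptions: C: is NTFS; E: is an optional FAT32 removable drive.
$folder = Join-Path $env:USERPROFILE 'EfsLab'
$file   = Join-Path $folder 'myfile.txt'
New-Item -ItemType Directory -Force -Path $folder | Out-Null
Set-Content -Path $file -Value 'constructed test data'

# Encrypt the folder (new files in it are encrypted automatically) and the
# existing file; /a applies the operation to files, not just directories.
cipher.exe /e "$folder"
cipher.exe /e /a "$file"

function Test-EfsEncrypted {
    # The Encrypted flag is an ordinary attribute bit (FILE_ATTRIBUTE_ENCRYPTED).
    param([string]$Path)
    [bool]((Get-Item -Path $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted)
}
Test-EfsEncrypted -Path $file        # True

# Who can decrypt it? /c lists the user certificate(s) and any recovery agent
# certificate whose public key wrapped this file's FEK.
cipher.exe /c "$file"

# The "keep a copy of the certificate and private key on removable media" rule:
# /x exports them to <name>.pfx and prompts for a password to protect the file.
cipher.exe /x (Join-Path $env:USERPROFILE 'Desktop\efs-backup')

function Get-EfsCertificate {
    # EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
}
Get-EfsCertificate | Select-Object Subject, Thumbprint, NotAfter

# Copy to FAT32: EFS cannot exist there, so the copy is written in plaintext
# (and would fail with access denied for a user who cannot decrypt the source).
if (Test-Path -Path 'E:\') {
    Copy-Item -Path $file -Destination 'E:\myfile.txt'
    Test-EfsEncrypted -Path 'E:\myfile.txt'   # False
}
```

Store the exported .pfx and its password separately, and test a restore (cipher /x output imports through certutil or the Certificates snap-in) before you rely on it; a lost EFS private key with no recovery agent means the data is gone.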
To change the Advanced encryption attribute of a file, open File Explorer and