In this scenario you will back up the BitLocker recovery information on Example-Server01 in Active Directory and also later retrieve the recovery key from Active Directory on another server and use it to access Example-Server01 again.
Task 1: Create a BitLocker recovery certificate template and issue a new recovery certificate
- Log on to Example-DC01 (Domain Controller).
- Open the Start screen and type Certification Authority and press Enter.
- In the left pane, expand Example-Example-DC01-CA and right click Certificate Templates and click Manage.
- On the Certificate Templates Console, right click Key Recovery Agent and click Duplicate Template.
- On the Properties of New Template window, select the Extensions tab, click Edit, and on the Edit Application Policies Extension dialog box click Add.
- Select BitLocker Drive Encryption and BitLocker Data Recovery Agent and then click OK twice.
- Click the General tab and type BitLocker Key Recovery as the Template display name, select Publish certificate in Active Directory and then click OK.
- Close both the Certificate Templates Console and Certification Authority windows.
- Open the Start screen and type cmd.exe and press Enter.
- Type the following commands and press Enter after each line to create a recovery certificate on the desktop:
- cd desktop
- cipher.exe /r:Recovery-Cert
- Open the Start screen and type Group Policy Management and press Enter.
- Expand the following nodes Forest: Example.com > Domains > Example.com > Group Policy Objects and right click Default Domain Policy and click Edit.
- On the Group Policy Management Editor window, expand the following nodes Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and right click BitLocker Drive Encryption and click Add Data Recovery Agent.
- On the Welcome to the Add Recovery Agent Wizard page, click Next.
- On the Select Recovery Agents wizard page, click Browse Folders and click Next.
- Select Recovery-Cert.cer from the desktop and click Open and in the confirmation dialog box click Yes and then click Next.
- On the Completing the Add Recovery Agent Wizard page, click Finish.
- Open the Start screen and type certmgr.msc and press Enter.
- In the left pane expand Certificates – Current User > Trusted Root Certification Authorities and right click Certificates and click All Tasks > Import.
- On the Welcome to the Certificate Import Wizard page, click Next.
- On the File to Import page, click Browse, select Recovery-Cert.cer from the desktop and click Open and then click Next twice and then Finish.
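The scenario above also calls for backing up the BitLocker recovery information of Example-Server01 in Active Directory. The following PowerShell is an added example, not part of the original lab: it escrows the volume's recovery password protector in AD and then, from the domain controller, lists what was stored. The mount point C: is an assumption; the volume must already be BitLocker-protected and the AD schema must support BitLocker recovery objects.

```powershell
# Added example (not part of the original lab): escrow the recovery password
# protector of a BitLocker volume on Example-Server01 in Active Directory and
# then, from Example-DC01, confirm the msFVE-RecoveryInformation object exists.
# Mount point "C:" is an assumption.
Import-Module BitLocker

function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rps.Count -eq 0) {
        # No 48-digit recovery password yet: add one and pick it up from the returned volume object
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($rp in $rps) {
        # Writes a msFVE-RecoveryInformation child object under this computer's AD account
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        [pscustomobject]@{ MountPoint = $MountPoint; ProtectorId = $rp.KeyProtectorId }
    }
}

# On Example-Server01:
Backup-RecoveryPasswordToAD -MountPoint 'C:'

# On Example-DC01 (ActiveDirectory module): list what was escrowed for the server.
# msFVE-RecoveryGuid matches the protector ID reported above; msFVE-RecoveryPassword
# is the 48-digit key an administrator would later use to unlock the volume again.
function Get-EscrowedRecoveryInfo {
    param([string]$ComputerName = 'Example-Server01')
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
        Select-Object whenCreated,
                      @{ n = 'Guid'; e = { [guid]$_.'msFVE-RecoveryGuid' } },
                      msFVE-RecoveryPassword
}
Get-EscrowedRecoveryInfo
```

Reading msFVE-RecoveryPassword requires the rights delegated for recovery; in practice that is the account the IT security administrator uses on the other server in this scenario.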
The best way to go about combining NTFS and share permissions is to first understand how the two types of permissions affect one another: when NTFS and share permissions are combined, the most restrictive permission takes effect.
For instance, suppose the user John has the “Allow-Full Control” NTFS permission on a folder and also the “Allow-Read” share permission on the same folder. Combining the two, John ends up with “Allow-Read” permission on the folder when he accesses it through the share.
The best approach to minimize the confusion and difficulty of combining NTFS and share permissions is to always grant “Everyone” the “Allow-Full Control” share permission and then assign the more detailed permissions using NTFS permissions. This way the difficulty of combining permissions is avoided while fine-grained permissions are still provided to users and groups.
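The "most restrictive wins" rule can be modelled as a bitwise intersection of the two right sets. The PowerShell below is an added example, not from the original guide: it works the John case from the text and then applies the same rule to a live share. The share name Customers, the account EXAMPLE\John and the share-right to NTFS-right mapping are assumptions.

```powershell
# Added example (not from the original guide). Mapping of share rights to
# NTFS rights is an approximation chosen for this example.
function ConvertTo-NtfsRights {
    # Closest NTFS right set for an SMB share access right
    param([string]$ShareRight)
    switch ($ShareRight) {
        'Full'   { [System.Security.AccessControl.FileSystemRights]::FullControl }
        'Change' { [System.Security.AccessControl.FileSystemRights]::Modify }
        'Read'   { [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        default  { [System.Security.AccessControl.FileSystemRights]0 }
    }
}

function Get-EffectiveRights {
    # The most restrictive combination is the bitwise intersection of both right sets
    param([int]$NtfsRights, [int]$ShareRights)
    [System.Security.AccessControl.FileSystemRights]($NtfsRights -band $ShareRights)
}

# The worked case from the text: NTFS Allow-Full Control combined with share Allow-Read
Get-EffectiveRights -NtfsRights ([int][System.Security.AccessControl.FileSystemRights]::FullControl) `
                    -ShareRights ([int](ConvertTo-NtfsRights 'Read'))

function Get-UserEffectiveAccess {
    # Same rule on a real share. Only direct ACEs for the account and Everyone are
    # considered; group membership is not expanded in this example.
    param([string]$ShareName, [string]$Account)
    $ids = @($Account, 'Everyone')
    $shareBits = 0
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($ace.AccessControlType -eq 'Allow' -and $ids -contains $ace.AccountName) {
            $shareBits = $shareBits -bor [int](ConvertTo-NtfsRights $ace.AccessRight)
        }
    }
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path (Get-SmbShare -Name $ShareName).Path).Access) {
        if ($ids -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # Explicit NTFS denies are removed before intersecting with the share rights
    Get-EffectiveRights -NtfsRights ($allow -band -bnot $deny) -ShareRights $shareBits
}
Get-UserEffectiveAccess -ShareName 'Customers' -Account 'EXAMPLE\John'
```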
Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a piece of software installed on the operating system that makes it much more difficult to exploit a vulnerability in the system or in an application. It can block various exploitation techniques at the operating-system or application level while a security patch for the faulty software has not yet been released. The benefits of using EMET are as follows:
- It is very easy to use and does not involve any complicated processes.
- Protecting an operating system or application from exploitation does not require the application's source code; all it takes is to install and configure EMET, before or after the faulty software is installed.
- EMET can be configured for all operating system components, processes and drivers, and also for individual applications installed on the operating system.
- It also works with legacy software and applications that exist in an organization's infrastructure and cannot easily be phased out.
There are two types of settings on EMET which can be configured to provide mitigation:
- System Settings: These settings will apply to the whole operating system and its components and drivers.
- Application Settings: These settings will apply to specific applications installed on the operating system.
In the first part of this guide you will learn how to install the BitLocker Drive Encryption feature on a Windows Server 2012 R2.
- Log on to Example-Server01.
- On the Start screen click Server Manager.
- On the Server Manager window, click Manage on the top right and from the menu select Add Roles and Features.
- On the Before you begin page, click Next.
- On the Select installation type page, select Role-based or feature-based installation and click Next.
- On the Select destination server page, select Select a server from the server pool and then select Example-Server01.Example.com from the Server pool in the middle table and click Next.
- On the Select server roles page, click Next.
- On the Select features page, select BitLocker Drive Encryption from the list and in the new dialog box select Include management tools (if applicable) and click Add Features.
- On the WDS page, click Next.
- On the Select role services page, click Deployment Server and Transport Server and click Next.
- On the Confirm installation selections page, click Install.
- Once the installation has finished successfully, click Close.
In this scenario John Smith is an employee who uses his domain credentials for direct access to Example-Server01, which many employees use to store confidential customer data. John uses the folder C:\Example_Customer1 to store the data of his own customers and uses EFS to encrypt the content of this folder.
After a few months John is asked to leave the company with immediate effect due to integrity issues, and therefore the IT security administrator needs to recover the files he stored in C:\Example_Customer1.
In this exercise you will learn how to encrypt and decrypt files and folders using the cipher.exe command-line utility on Windows Server 2012 R2:
- Log on to Example-Server01 and create a new folder named Confidential_Docs in partition C.
- Double click and open Confidential_Docs and create a text document in it and name it Daily_Doc.txt.
- Double click Daily_Doc.txt and type something in it. Click File and then Save and then close the Notepad text editor.
- Open the Start screen and type cmd.exe and press Enter to open Windows command line.
- Type the following command and press Enter to encrypt the Confidential_Docs folder and all the content inside:
- Cipher.exe /E /S:C:\Confidential_Docs
- To decrypt the same folder, you will need to use the following command:
- Cipher.exe /D /S:C:\Confidential_Docs
You can disable EFS for a folder, a computer or even the entire domain. In order to disable EFS for a folder create a file called Desktop.ini that contains:
All you need to do is to save this file in the folder in which you want EFS to be disabled. When the user wants to encrypt the folder or the files in the folder, this will show him/her a message that “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
Please note that only the current folder with all the files in it are affected by the Desktop.ini file. If you create a subfolder, both the subfolder and any files in it can be encrypted. Also, encrypted files can be copied or moved, without losing their encryption, into the directory that contains the Desktop.ini file.
Disabling EFS for a Stand-Alone Computer
If you want to disable EFS for the entire computer, you need to add an entry to the computer Registry:
- In the Run dialog box, type regedit.exe.
- Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
- On the Edit menu, point to New, and then click DWORD Value.
- Enter EfsConfiguration for the value name and 1 for the value data to disable EFS. (A value of 0 enables EFS.)
- Restart the computer.
- If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user that “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
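Both ways of disabling EFS described above (per folder with Desktop.ini, per computer with EfsConfiguration) can be scripted and checked. The PowerShell below is an added example, not from the original text; C:\NoEfs is an assumed folder, the registry change needs local administrator rights and only takes effect after a restart.

```powershell
# Added example (not from the original text). C:\NoEfs is an assumed path.
function Disable-EfsForFolder {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # [Encryption] Disable=1 in Desktop.ini blocks encryption of this folder's files only;
    # subfolders are not affected and already-encrypted files can still be moved in.
    $ini = Join-Path $Path 'Desktop.ini'
    Set-Content -Path $ini -Value '[Encryption]', 'Disable=1' -Encoding Ascii
    $f = Get-Item $ini -Force
    $f.Attributes = $f.Attributes -bor [System.IO.FileAttributes]::Hidden
}

function Test-EfsBlocked {
    # Tries to encrypt a throwaway file in the folder; $true when EFS refused it
    param([string]$Path)
    $probe = Join-Path $Path 'efs-probe.txt'
    Set-Content -Path $probe -Value 'probe'
    try {
        [System.IO.File]::Encrypt($probe)
        $attrs = (Get-Item $probe -Force).Attributes
        return (($attrs -band [System.IO.FileAttributes]::Encrypted) -eq 0)
    } catch {
        Write-Verbose $_.Exception.Message   # e.g. "The directory has been disabled for encryption."
        return $true
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
function Set-EfsComputerState {
    # EfsConfiguration = 1 disables EFS for the whole computer, 0 enables it (after a restart)
    param([ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    New-ItemProperty -Path $EfsKey -Name EfsConfiguration -PropertyType DWord -Value $value -Force | Out-Null
}
function Get-EfsComputerState {
    $v = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
}

Disable-EfsForFolder -Path 'C:\NoEfs'
Test-EfsBlocked -Path 'C:\NoEfs'        # folder-level check, no restart needed
Set-EfsComputerState -State Disabled
Get-EfsComputerState                    # reports the registry value; restart for it to apply
```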
Important Points about Group Managed Service Accounts
Group Managed Service Accounts (gMSAs) are the ideal identity solution for services running on multiple hosts: their password management requires no administrative overhead, because the password is handled automatically by Windows Server 2012/2012 R2 across all of those hosts. gMSAs also support hosts that are disconnected from the network for a period of time; when such a host comes back online, the current password is retrieved for the service running on it and the service can start successfully. It is also important to note that failover clusters currently do not support gMSAs, but services running on top of a cluster can use them if they are a Windows service, an application pool, a scheduled task, or natively support gMSAs.
Please also note that group managed service accounts can only be configured and administered on Windows Server 2012/2012 R2, but other domain controllers may still run earlier versions of the Windows Server operating system. There are very important points to take into consideration when configuring managed service accounts:
- Managed service accounts can work across domain boundaries as long as the required domain trusts exist.
- A managed service account can be placed in a security group.
- Managed service accounts can be stored anywhere in Active Directory, nevertheless there is also a specific container for them.
- Passwords are automatically created for managed service accounts and are refreshed every 30 days. You can change a password manually.
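The points above map directly onto the cmdlets used to create a gMSA. The PowerShell below is an added example, not from the original text: it creates the forest's KDS root key if missing, a host group allowed to retrieve the password, the account itself with the 30-day interval stated explicitly, and installs and tests it on the member server. The names svc-example, ExampleAppHosts, the service ExampleSvc and the domain example.com are assumptions.

```powershell
# Added example (not from the original text). svc-example, ExampleAppHosts,
# ExampleSvc and example.com are assumed names.
Import-Module ActiveDirectory

# --- On Example-DC01 ---
# 1. One KDS root key per forest is required before any gMSA can be created.
#    -EffectiveImmediately still needs ~10 hours to replicate in production;
#    in a lab you can backdate it with -EffectiveTime (Get-Date).AddHours(-10).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 2. Security group whose member hosts may retrieve the managed password
#    (a gMSA can itself be placed in a security group, as the text notes).
if (-not (Get-ADGroup -Filter "Name -eq 'ExampleAppHosts'")) {
    New-ADGroup -Name ExampleAppHosts -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity ExampleAppHosts -Members (Get-ADComputer -Identity Example-Server01)

# 3. The gMSA itself; the password rotates automatically every 30 days (the default, shown explicitly).
New-ADServiceAccount -Name svc-example `
    -DNSHostName svc-example.example.com `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword ExampleAppHosts

# --- On Example-Server01 (reboot first so the new group membership is in its token) ---
Install-ADServiceAccount -Identity svc-example   # caches the account on this host
Test-ADServiceAccount    -Identity svc-example   # True when this host can retrieve the password

# Run an existing Windows service under the gMSA: the password field is left empty
# because Windows retrieves it from AD on the service's behalf.
sc.exe config ExampleSvc obj= "EXAMPLE\svc-example$" password= ""
```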