70-411 Administering Windows Server 2012
Lab 6
Configuring File Services and Disk Encryption
This lab contains the following exercises and activities:
Exercise 6.1
Encrypting Files with EFS
Exercise 6.2
Configuring the EFS Recovery Agent
Exercise 6.3
Backing Up and Restoring EFS Certificates
Exercise 6.4
Encrypting a Volume with BitLocker
Lab Challenge
Deploying Network Unlock
BEFORE YOU BEGIN
The lab environment consists of student workstations connected to a local area network, along with a server that functions as the domain controller for a domain called contoso.com. The computers required for this lab are listed in Table 6-1.
Table 6-1
Computers Required for Lab 6
Computer | Operating System | Computer Name
Server (VM 1) | Windows Server 2012 R2 | RWDC01
Server (VM 2) | Windows Server 2012 R2 | Server01
In addition to the computers, you also require the software listed in Table 6-2 to complete Lab 6.
Table 6-2
Software Required for Lab 6
Software | Location
Lab 6 student worksheet | Lab06_worksheet.docx (provided by instructor)
Working with Lab Worksheets
Each lab in this manual requires that you answer questions, take screen shots, and perform other activities that you will document in a worksheet named for the lab, such as Lab06_worksheet.docx. You will find these worksheets on the book companion site. It is recommended that you use a USB flash drive to store your worksheets, so you can submit them to your instructor for review. As you perform the exercises in each lab, open the appropriate worksheet file using Word, fill in the required information, and save the file to your flash drive.
After completing this lab, you will be able to:
Encrypt files with EFS
Configure EFS Recovery Agent
Back up and restore EFS certificates
Encrypt a volume with BitLocker
Estimated lab time: 70 minutes
Exercise 6.1
Encrypting Files with EFS
Overview
For files that are extremely sensitive, you can use EFS to encrypt the files. During this exercise, you encrypt a file using Encrypting File System (EFS), which is a built-in feature of NTFS.
Mindset
Encryption is a way to add an additional layer of security. If a laptop is stolen and its hard drive is put into another system where the thief or hacker is an administrator, the files cannot be read without the proper key. If you want to encrypt individual documents, you can use Encrypting File System (EFS).
Completion time
20 minutes
Encrypting Files with EFS
1. Log in to Server01 as the Contoso\administrator user account with the password Pa$$w0rd. The Server Manager console opens.
2. On Server01, create a C:\Data folder.
3. Create a text file called test.txt in the C:\Data folder. Open the text file, type your name in the file, save the changes, and then close the file.
4. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.
5. On the General tab, click Advanced. The Advanced Attributes dialog box appears as shown in Figure 6-1.
Figure 6-1
Configuring advanced attributes
6. Click to select Encrypt contents to secure data. Click OK to close the Advanced Attributes dialog box.
7. Click OK to close the Properties dialog box.
8. When Windows asks you to confirm the changes, click OK.
Question 1
What color is the C:\Data folder?
Question 2
Is the test.txt file in the C:\Data folder also encrypted?
9. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.
10. Under the General tab, click Advanced. The Advanced Attributes dialog box opens.
11. Clear the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.
12. Click OK to close the Properties dialog box.
13. When it asks to confirm attribute changes, click OK.
14. From Server01, log off as administrator.
End of exercise.
Sharing Files Protected with EFS with Other Users
1. Log in to RWDC01 as contoso\administrator. Server Manager starts. Open the Tools menu and click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. Right-click the Users node, click New, then click User.
3. Create a new user with the following parameters:
First Name: User1
User logon name: User1
Click Next.
4. For the Password and Confirm password text boxes, type Pa$$w0rd. Click to select Password never expires. When an Active Directory Domain Services dialog box appears, click OK. Click Next.
5. When the user is ready to be created, click Finish.
6. Under the Users node, double-click User1. The User1 Properties dialog box opens.
7. Click the Member Of tab.
8. Click the Add button. When the Select Groups dialog box opens, type domain admins and click OK.
9. Click OK to close the User1 Properties dialog box.
10. On Server01, log in as contoso\User1 with the password of Pa$$w0rd.
11. Open the C:\Data folder, right-click the test.txt file and choose Properties.
12. On the General tab, click Advanced. The Advanced Attributes dialog box opens.
13. Click Encrypt contents to secure data. Click OK to close the Advanced Attributes dialog box. Click OK to close the Properties dialog box.
14. When it asks if you want to encrypt the file and its parent folder, click OK.
15. If an Access Denied message appears, click Ignore, click Continue, click OK, and click Ignore. Click OK. If an Access Denied message appears again, click Ignore All. When you are done, the test.txt file should be green.
16. On Server01, log out as User1 and log in as Contoso\Administrator.
17. Open the C:\Data folder.
18. Double-click to open the Test.txt file.
Question 3
What error message did you get?
19. Click OK to close the message, and then close Notepad.
20. Right-click the test.txt file and click Properties.
21. Click the Security tab.
Question 4
What permissions does Administrator have?
Question 5
Why was the contoso\administrator not able to open the file?
22. Go back to the General tab, click the Advanced button, clear the Encrypt check box, and then click OK.
Question 6
Were you able to decrypt the file?
23. Click OK to close the Properties dialog box. After getting the Access Denied box, click Cancel to close it.
24. On Server01, log off as Administrator and log on as User1.
25. Open the C:\Data folder.
26. Right-click the test.txt file and choose Properties. The Properties dialog box opens.
27. Click the Advanced button to open the Advanced Attributes dialog box.
28. Click to deselect the Encrypt contents to secure data check box and then click OK.
29. Click OK to close the Properties dialog box. When it asks you to provide administrator permission to change these attributes, click Continue.
30. Log off as User1 and log on as contoso\administrator.
31. Open the C:\Data folder.
32. Right-click the Test.txt file and choose Properties.
33. Click the Advanced button to open the Advanced Attributes dialog box.
34. Click to select the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.
35. Click OK to close the Properties dialog box. When it asks to apply to the folder and its contents, click OK.
36. Right-click the test.txt file and choose Properties. Click the Advanced button to open the Advanced Attributes dialog box.
37. Click the Details button. The User Access to test.txt dialog box opens.
38. Click the Add button. When the Encrypting File System dialog box opens, click User1 and click View Certificate.
39. When the Certificate dialog box opens, click the Details tab.
Question 7
What is the Certificate used for? Hint: Look at the Enhanced Key Usage field.
40. Click OK to close the Certificates dialog box.
41. Click OK to close the Encrypting File System dialog box.
Question 8
Looking at the User Access to test.txt dialog box, who has a Recovery Certificate?
42. Take a screen shot of the User Access to test.txt dialog box by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
43. Click OK to close the User Access to test.txt dialog box, click OK to close the Advanced Attributes dialog box, and then click OK to close the test.txt Properties dialog box.
44. On Server01, sign out as Administrator and log in as User1.
45. Open the C:\Data folder and open the test.txt file.
Question 9
Were you able to open the file?
46. Close the test.txt file.
47. On Server01, sign out as User1.
End of exercise.
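The same EFS operations that Exercise 6.1 performs through the Properties dialog box can be scripted. The following PowerShell is an added example and is not part of the lab manual: it sets and checks the Encrypted attribute on C:\Data\test.txt, grants a second user access to the file with cipher.exe /adduser (the counterpart of the Details > Add step), and lists who can decrypt the file, which is the information behind Question 8. It assumes the lab's C:\Data folder, test.txt file and contoso\User1 account, and that it runs in an elevated PowerShell session on Server01 as the user whose certificate should own the file.

```powershell
# Added example (not the lab manual's own code): the EFS steps of Exercise 6.1 done
# from PowerShell on Server01. Run as the user whose EFS key should protect the file.
# Assumed paths and accounts: C:\Data, test.txt and contoso\User1, as in the lab.

$folder = 'C:\Data'
$file   = Join-Path $folder 'test.txt'

# Steps 2-3: create the folder and a file with some content.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'Your Name'

# Steps 4-8: encrypt the file with the caller's EFS certificate (the first EFS
# operation a user performs also creates that certificate if none exists yet).
[System.IO.File]::Encrypt($file)
# The same with the built-in tool, for the whole folder: cipher.exe /e /s:C:\Data

# Questions 1-2: the Encrypted attribute is what Explorer shows in green.
function Test-EfsEncrypted {
    param([string]$Path)
    return [bool]((Get-Item -Path $Path).Attributes -band [System.IO.FileAttributes]::Encrypted)
}
Test-EfsEncrypted -Path $file      # True while the file is EFS-protected

# Steps 36-41 (sharing): add User1's EFS certificate to the file. cipher.exe looks the
# certificate up in Active Directory, so User1 must already have one, which is why the
# lab has User1 encrypt a file first.
cipher.exe /adduser /user:contoso\User1 $file

# Question 8: list the users who can decrypt the file and the recovery certificates
# that apply to it.
cipher.exe /c $file

# Steps 9-13: clear the attribute again; the file is decrypted in place.
[System.IO.File]::Decrypt($file)
Test-EfsEncrypted -Path $file      # False
```

The cipher.exe /c listing is the quickest way to confirm, after any change to the recovery policy or to the file's user list, that the expected people (and only those) can recover the file.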
Exercise 6.2
Configuring the EFS Recovery Agent
Overview
During this exercise, you configure EFS Recovery Agents so that you can recover EFS-encrypted files even though the agent is not the owner of the file.
Mindset
When an employee leaves the company, that employee's files might be encrypted, which would be unreadable to anyone else. Using an EFS recovery agent, you will be able to recover those files and make them available to the user or users who have replaced the departed user.
Completion time
15 minutes
Installing and Configuring the Certificate Authority
1. On RWDC01, log on as contoso\administrator, if needed.
2. On RWDC01, on the Server Manager, click Manage > Add Roles and Features.
3. When the Add Roles and Features Wizard starts, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Active Directory Certificate Services. When you are prompted to add features, click Add Features. Then when you are back to the Select server roles page, click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, Certification Authority is already selected. Click to select the following:
Certificate Enrollment Policy Web Service
Certificate Enrollment Web Service
Certification Authority Web Enrollment
When it asks you to add additional features for any of these features, click Add Features.
10. Back on the Select role services page, click Next.
11. On the Web Server Role (IIS) page, click Next.
12. On the Select role services page, click Next.
13. On the Confirm installation selections page, click Install.
14. When the Certificate Authority is installed, click Close.
15. On Server Manager, click the Exclamation Point in a yellow triangle and then click the Configure Active Directory Certificate Services link.
16. On the Credentials page, click Next.
17. On the Role Services page, click Certification Authority, as shown in Figure 6-2. Click Next.
Figure 6-2
Configuring the Certification Authority
18. When it asks what setup type of CA you should install, click Next.
19. When it asks for the CA type, click Next.
20. On the Specify the type of the private key page, click Next.
21. On the Specify the Cryptography for CA page, click Next.
22. On the Specify the name of the CA page, click Next.
23. Change the Validity Period to 10 years and then click Next.
24. On the CA database page, click Next.
25. On the Confirmation page, click Configure.
26. When the CA is configured, take a screen shot of the CA is configured screen by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
27. Click Close.
28. If it asks to configure additional role services, click No.
End of exercise.
Configuring the EFS Recovery Agent
1. On RWDC01, log off as Contoso\Administrator and log in as Contoso\User1.
2. On RWDC01, using Server Manager, open the Tools menu and click Group Policy Management. The Group Policy Management console opens.
3. Expand Forest\Domains\contoso.com.
4. Right-click the Default Domain Policy and choose Edit.
5. In the Group Policy Management Editor window, expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\ as shown in Figure 6-3.
Figure 6-3
Opening the GPO public key policies
6. Right-click Encrypting File System and choose Create Data Recovery Agent.
7. Click the Encrypting File System node. Take a screen shot of the Group Policy Management Editor by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
8. On RWDC01, log off as Contoso\User1 and log in as Contoso\Administrator.
Question 10
What is needed for a user to become a data recovery agent?
End of exercise. You can leave the windows open for the next exercise.
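The wizard steps of Exercise 6.2 map onto two cmdlets from the ServerManager and ADCSDeployment modules, and the effect of the new data recovery agent can be verified on a client once policy has refreshed. The following PowerShell is an added example, not part of the lab manual: it installs the four role services the lab selects, configures an enterprise root CA with the lab's 10-year validity period, and then encrypts a probe file so that cipher.exe /c shows the recovery certificate that the Default Domain Policy now carries. It assumes it runs as a domain administrator on RWDC01, that the Default Domain Policy has been edited as in the lab, and that C:\Data exists on the machine where the probe is created; the probe file name is an added assumption.

```powershell
# Added example (not the lab manual's own code): Exercise 6.2 from PowerShell.
# Assumed: run as a domain admin on RWDC01; CA name, key and hash settings are left at
# the wizard defaults, exactly as the lab does, and only the validity period is changed.

# Steps 2-14: the Certification Authority plus the three web enrollment role services.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# Steps 15-27: configure an enterprise root CA with a 10-year validity period.
# -Force suppresses the confirmation prompt the wizard's Confirmation page represents.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# The web enrollment pages are configured separately: Install-AdcsWebEnrollment -Force

# Confirm the template the "Create Data Recovery Agent" action enrolls from is
# published on the new CA (its template name is EFSRecovery).
certutil.exe -CATemplates | Select-String -Pattern 'EFSRecovery'

# After the GPO edit, pull the updated policy and encrypt a fresh file; the recovery
# certificate is applied to files encrypted from now on and cipher /c lists it under
# "Recovery Certificates". Files encrypted earlier pick it up on cipher /u.
gpupdate.exe /force
$probe = 'C:\Data\dra-probe.txt'      # added assumption: a scratch file in the lab folder
Set-Content -Path $probe -Value 'probe'
cipher.exe /e $probe
cipher.exe /c $probe
```

If the recovery certificate does not appear in the cipher.exe /c output, check in order: that gpupdate applied the Default Domain Policy, that the agent's certificate shows under Public Key Policies > Encrypting File System in the GPO, and that the file was encrypted after the refresh rather than before it.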
Exercise 6.3
Backing Up and Restoring EFS Certificates
Overview
During this exercise, you back up an EFS certificate which you later restore after you delete the certificate.
Mindset
You have a standalone computer that failed and had to be rebuilt. On the computer, you had some files that were encrypted with EFS. Fortunately, you backed up the files from time to time to a removable drive. After you rebuilt the computer, you copied the files from the removable drive. Although you are using the same username and password that you used before, you cannot open the files because they are encrypted. Unfortunately, there is not much you can do unless you have the EFS certificates with the correct keys to decipher the documents. Therefore, it is important that you always have a backup of the EFS certificates in case the system needs to be replaced.
Completion time
10 minutes
Backing Up the EFS Certificates
1. Log on to Server01 as contoso\administrator. The Server Manager console opens.
2. Right-click the Start button and choose Command Prompt (Admin).
3. From the command prompt, execute the certmgr.msc command. The certmgr console opens.
4. In the left pane, double-click Personal, and then click Certificates.
5. In the main pane, right-click the certificate that lists Encrypting File System under Intended Purposes. Select All Tasks, and then click Export.
6. When the Certificate Export Wizard starts, click Next.
7. On the Export Private Key page, click Yes, export the private key and then click Next.
8. On the Export File Format page, click Next.
9. On the Security page, select the Password check box and type the password of Pa$$w0rd in the Password and Confirm password text boxes. Click Next.
Question 11
What is the difference between the cer and the pfx format when backing up digital certificates?
10. On the File to Export page, type C:\Cert.bak in the File name text box, and then click Next.
11. Take a screen shot of the Completing the Certificate Export Wizard page by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
12. When the wizard is complete, click Finish.
13. When the export is successful, click OK.
Restoring the EFS Certificate
1. Right-click the Administrator certificate and click Delete. When it asks if you want to delete the certificate, read the warning and click Yes.
2. Right-click Certificates and choose All Tasks > Import.
3. When the Certificate Import Wizard starts, click Next.
4. On the File to Import page, type c:\cert.bak.pfx, and then click Next.
5. If it asks for a password, type Pa$$w0rd in the Password text box and click Next.
6. On the Certificate Store page, click Next.
7. On the Completing the Certificate Import Wizard page, click Finish.
8. When the import is successful, click OK.
9. Take a screen shot of the Certificates console by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
10. Close Certificate Manager and close the Command Prompt.
End of exercise. You can leave the windows open for the next exercise.
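The export, delete and import of Exercise 6.3 can be done with the PKI module instead of the certmgr.msc wizards, which also makes the .cer versus .pfx distinction of Question 11 visible: the two cmdlets write different things. The following PowerShell is an added example and not part of the lab manual. It finds the current user's certificate whose Enhanced Key Usage includes Encrypting File System (the field Question 7 points at), exports it with its private key to the lab's C:\Cert.bak.pfx using the lab password, removes it, imports it back and confirms the private key is usable. The OID 1.3.6.1.4.1.311.10.3.4 is Microsoft's EFS EKU; the C:\Cert.bak.cer path is an added assumption.

```powershell
# Added example (not the lab manual's own code): Exercise 6.3 with the PKI module.
# Assumed: run on Server01 as the user whose EFS certificate is backed up (the lab
# uses contoso\administrator); password and C:\Cert.bak.pfx follow the lab.

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # The current user's certificates whose EKU list includes EFS (Question 7).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }
}

$cert = Get-EfsCertificate | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found; encrypt a file first to create one.' }
$thumb = $cert.Thumbprint

# Steps 5-13: a PFX carries the private key, so the export is password protected.
$pfxPassword = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath 'C:\Cert.bak.pfx' -Password $pfxPassword

# For comparison, a .cer export holds only the public certificate: enough for others
# to add you to a file's user list, never enough to decrypt anything.
Export-Certificate -Cert $cert -FilePath 'C:\Cert.bak.cer'   # added assumption: path

# Restore steps 1-8: delete the certificate and its private key, then import the PFX.
Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
Import-PfxCertificate -FilePath 'C:\Cert.bak.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Verify: the same thumbprint is back and the private key came with it.
function Test-EfsKeyRestored {
    param([string]$Thumbprint)
    $c = Get-EfsCertificate | Where-Object Thumbprint -eq $Thumbprint
    return [bool]($c -and $c.HasPrivateKey)
}
Test-EfsKeyRestored -Thumbprint $thumb    # True after a successful import
```

The Mindset scenario for this exercise is exactly the case where only the .pfx helps: a rebuilt machine with the same user name and password has a new EFS key pair, and the copied files can be opened only after the old .pfx is imported into the new profile.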
Exercise 6.4
Encrypting a Volume with BitLocker
Overview
In this exercise, you create a new volume and then use BitLocker to encrypt the entire volume.
Mindset
EFS will encrypt only individual files; BitLocker can encrypt an entire volume. Therefore, if you want to encrypt an entire drive on a laptop, you can use BitLocker.
Completion time
10 minutes
1. Log in to Server02 as the Contoso\Administrator user account. The Server Manager console opens.
2. On Server02, on Server Manager, click Manage and click Add Roles and Features. The Add Roles and Feature Wizard opens.
3. On the Before you begin page, click Next.
4. Select Role-based or feature-based installation and then click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select BitLocker Drive Encryption.
8. When the Add Roles and Features Wizard dialog box displays, click Add Features.
9. On the Select Features page, click Next.
10. On the Confirm installation selections page, click Install.
11. When BitLocker is installed, click Close.
12. Reboot the Server02.
13. Log in to Server02 as the Contoso\Administrator. The Server Manager console opens.
14. Using Server Manager, click Tools > Computer Management. The Computer Management console opens.
15. Expand the Storage node and click Disk Management.
16. Right-click the C drive and choose Shrink Volume.
17. In the Enter the amount of space to shrink in MB text box, type 3000 and then click Shrink.
18. Under Disk 0, right-click the unused space and click New Simple Volume.
19. When the Welcome to the New Simple Volume Wizard starts, click Next.
20. On the Specify Volume Size page, click Next.
21. On the Assign Drive Letter or Path page, click Next.
22. On the Format Partition page, click Next.
23. When the wizard is complete, click Finish.
24. Close Computer Management. If you’re prompted to Format the disk, click Cancel.
25. Click the Start button and then click the Control Panel tile.
26. Click System and Security > BitLocker Drive Encryption. The BitLocker Drive Encryption window opens as shown in Figure 6-4.
Figure 6-4
Opening the BitLocker settings
27. Click the down arrow next to the E drive. Then click Turn on BitLocker. A BitLocker Drive Encryption (E:) window opens.
28. On the Choose how you want to unlock this drive page, click to select the Use a password to unlock the drive. Type a password of Pa$$w0rd in the Enter your password and Reenter your password text boxes, and then click Next.
Question 12
If you had a laptop, what chip would be used to create cryptographic keys and encrypt them so that they can only be decrypted by that chip?
29. On the How do you want to back up your recovery key? page, click Save to a file option.
30. When the Save BitLocker recovery key as dialog box opens, type \\rwdc01\Software\ in front of the default file name (BitLocker Recovery Key .txt) and then click Save. Click Next.
31. On the BitLocker Drive Encryption (E:) page, select Encrypt entire drive radio button, and click Next.
32. On the Are you ready to encrypt this drive? page, click Start encrypting.
33. When the drive is encrypted, take a screen shot of the BitLocker window by pressing Alt+Prt Scr and then paste it into your Lab06_worksheet file in the page provided by pressing Ctrl+V.
34. Close the BitLocker Drive Encryption window. If you’re prompted to format the disk, click Cancel.
End of exercise.
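Exercise 6.4 can be reproduced with the BitLocker and Storage modules, which makes two of its choices explicit: the password protector chosen in step 28 and the whole-drive encryption chosen in step 31. The following PowerShell is an added example and not part of the lab manual. It installs the feature, creates the 3000 MB volume, enables BitLocker on it with the lab password, adds a recovery password protector, saves that recovery password to the lab's \\rwdc01\Software share, and reports encryption progress. It assumes the new volume receives the drive letter E: as in the lab and that the share is writable; the recovery file name is an added assumption.

```powershell
# Added example (not the lab manual's own code): Exercise 6.4 from PowerShell on Server02.
# Assumed: the new volume is E:, the password follows the lab, and \\rwdc01\Software is
# the lab's share for the recovery key.

# Steps 2-12: install the feature; a restart is needed before the module can be used.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
# Restart-Computer     # then log back on and continue below

# Steps 16-23: shrink C: by 3000 MB and create and format E: in the freed space.
$sys = Get-Partition -DriveLetter C
Resize-Partition -DriveLetter C -Size ($sys.Size - 3000MB)
New-Partition -DiskNumber 0 -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem NTFS -Confirm:$false

# Step 28: password protector. Step 31: omitting -UsedSpaceOnly encrypts the entire
# drive, so previously deleted data on the volume is covered as well.
$pw = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password $pw -EncryptionMethod Aes256

# Steps 29-30: add a 48-digit recovery password and save it where the lab keeps it.
Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector | Out-Null
function Get-BitLockerRecoveryPassword {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}
Get-BitLockerRecoveryPassword -MountPoint 'E:' |
    Set-Content -Path '\\rwdc01\Software\BitLocker Recovery Key E.txt'   # assumed file name

# Step 33: encryption progress and whether protectors are active.
function Get-BitLockerSummary {
    param([string]$MountPoint)
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
}
Get-BitLockerSummary -MountPoint 'E:'
```

A recovery password in a text file on a share is the lab's approach; in a domain the usual practice is to escrow it in Active Directory instead with Backup-BitLockerKeyProtector, so that it is readable only by administrators who have the rights to the computer object and never sits on a file server.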
Lab Review Questions
Completion time
10 minutes
1. In Exercise 6.1, how do you enable EFS?
2. In Exercise 6.1, how do you allow other users to view an EFS file that you encrypted?
3. In Exercise 6.2, how does a user get to be an EFS Recovery Agent?
4. In Exercise 6.3, what format did you use when backing up the certificates, so that it can also store the private and public keys?
5. In Exercise 6.4, what did you use to encrypt an entire volume?
6. In Exercise 6.4, from where do you control BitLocker?
Lab Challenge
Deploying Network Unlock
Overview
To complete this challenge, you will list the software components needed to implement Network Unlock and specify the server to which you would install the software component.
Mindset
You are an administrator for Contoso.com and you need to deploy Network Unlock on the Contoso network.
Completion time
10 minutes
The Contoso network includes the following servers:
· RWDC01: Domain Controller and DNS Server
· Server01: DHCP Server
· Server02: Certificate Authority – Enterprise
List any other servers that you will need, list all software components that you will need to install or configure, and list where the software component will be created or installed.
End of lab. You can log off or start a different lab. If you want to restart this lab, you’ll need to click the End Lab button in order for the lab to be reset.