Security Policy and EFS

From Proprofs

Contents 1 Security Policy and EFS 2 Local Security Policy 3 Account Policy 4 Local Policies 4.1 Audit Policy 4.2 User Rights Assignment 4.3 Security Options 5 PKI Policies 6 Accessing Local Security Policy 7 EFS 7.1 Recovery Agent 7.2 CIPHER 8 Moving Forward 9 Quick Review 10 Answers

[edit section] Security Policy and EFS

One of the common criticisms of Windows 98 and older Microsoft client-end offerings was that the security features on these operating systems were “weak” or inadequate, especially for computers connected to the Internet. To address these concerns, Microsoft included Windows 2000-style security features in Windows XP, including a Local Security Policy system and EFS, the two items we will cover today.

[edit section] Local Security Policy

When you work for a large company, you may have to adhere to certain rules and policies designed to protect the company and its employees. For example, many companies require you to wear an ID badge, to sign in and out of the office, or even to lock all entrances and exits. Similarly, Windows XP computers have their own local security policies, or sets of rules that govern how certain security items are handled in the OS. For the exam, you will be expected to know how to implement an effective local security policy.

[edit section] Account Policy

Account policy is considered a subset of local security policy that pertains specifically to user accounts and settings. We have already covered most of the material on account policy in the lesson “Users, Groups, and Offline Files.” To recap, let’s go over some fundamentals of account policy

• Password Policy: Determines how often passwords must be changed, who can change passwords, and how complex passwords must be
• Account Lockout Policy: After a certain number of incorrect attempts to login, XP will automatically “lock out” a user from logging in by “graying-out” the text fields for the user name and password for about a minute. Account lockout policy allows you to configure how many incorrect attempts it takes to lock out and how long a lock out lasts.

[edit section] Local Policies

Local policies cover a large range of options related to local security, including Audit Policy, User Rights Assignment, and Security Options.

[edit section] Audit Policy

Although we will cover Windows auditing in the next lesson, be aware that audit policy is related to tracking and monitoring key system events that could indicate breaches in security. For example, you can choose to “audit logon events,” meaning you can monitor logon events for any inconsistencies from baseline (such as lockouts).

[edit section] User Rights Assignment

User rights are basically what users are allowed to do; these are different from user permissions, which govern what users are allowed to access. There are two key subdivisions of user rights, which are:

• Logon Rights: Govern if a user is allowed to logon locally, remotely, or through terminal services (RDC)
• Privileges: Govern whether users can perform system-modifying tasks such as changing the system time, loading device drivers, and shutting down the PC

[edit section] Security Options

Security options are basically all of the configurations that do not pertain specifically or exclusively to user rights, auditing, or account policies. Some common security options include:

• Allowing to rename the administrator account
• Disabling the guest account
• Allowing CD-ROM access
• Allowing shut-down without log-on
• Allowing anonymous network request response
• Enabling the recovery console

[edit section] PKI Policies

Public Key Policies, or PKI Policies (the I stands for “infrastructure”) are related to how a local XP client may use a PKI controller to obtain keys.

[edit section] Accessing Local Security Policy

All of the options discussed above are available almost exclusively through the Local Security Policy MMC, found at Start -> Control Panel -> Administrative Tools -> Local Security Policy. However, some settings are automatically updated in the registry and therefore in the MMC when changed elsewhere. For example, if you disable the “Guest” account from the Users and Groups MMC, it is automatically changed to disabled in the Local Security Policy/Security Options MMC.

[edit section] EFS

Now let’s shift gears to EFS. EFS, or Encrypted File System, is a feature of Windows XP that has been ported from Windows 2000. Like local security policy, it is designed to enhance Windows security while maintaining a transparent user environment (with minimal burden to the user).

A disk, folder, or file in Windows XP can be encrypted transparently using EFS. Encryption is the process of codifying data in such a way that it is not interpretable to the computer without the proper key, which is based on credentials in the XP implementation. So, only a specific user (or users, or groups) can use EFS-encrypted data. To apply EFS to data, right-click on the drive, file, or folder and go to Advanced Attributes to select “Encrypt contents…” There are a few quirks about EFS you should be aware of:

• You can only use transparent disk compression or EFS. You cannot both compress and encrypt data
• To apply EFS to sub-folders, you must specifically choose to “apply settings to subfolders”
• Encrypted files remain encrypted when moved from drive to drive. Even if you move an encrypted file to a removable drive, it remains encrypted, but you must move it back to a Windows drive for decryption

[edit section] Recovery Agent

A recovery agent can recover or decrypt files in the case of a user account that has access to decrypt files being lost. In other words, a recovery agent is a user who can decrypt if all else fails. Typically, in a Windows XP environment, administrators are recovery agents by default.

[edit section] CIPHER

Cipher is the command-line version of EFS. You can use CIPHER to encrypt and decrypt files manually, or in conjunction with batch files or scheduled tasks. The switch for encryption on CIPHER is /e, and the switch for decryption is /d. The switch /s includes subfolders and the switch /a includes files for encryption.

[edit section] Moving Forward

After today’s long lesson, you should feel pretty confident about CIPHER, EFS, and Local Security Policy in Windows XP. Take the next short quiz and see how you fare!

[edit section] Quick Review

1. Your computer restarts after three incorrect attempts at logging in. You wish to change this behavior. Where do you go to make this configuration change?

a. Audit Policy

b. Lockout Policy

c. Domain Policy

d. Users and Groups

e. Regional Options

2. Which of the following commands will decrypt the file rad.txt?

a. SYSPREP rad.txt

b. CIPHER rad.txt

c. CIPHER /s rad.txt

d. CIPHER /e rad.txt

e. CIPHER /d rad.txt

3. You create a long document called TOPSECRET. You encrypt TOPSECRET via the CIPHER utility. A co-worker moves TOPSECRET to a CD-ROM drive and places it in his computer. He then transfers TOPSECRET. What will happen to TOPSECRET?

a. The file will lose its integrity and will not be accessible

b. The file will remain encrypted and will not be accessible

c. The file will lose its encryption attribute and will be accessible

d. The file will lose its compression attribute and will not be accessible

e. The file will remain compressed and will be accessible

[edit section] Answers

1. Since the PC re-boots after three incorrect attempts, it locks out. You need to go to Lockout Policy to change this setting. The answer is B.

2. The /d switch on the CIPHER utility decrypts. The answer is E.

3. Even though the file TOPSECRET was moved from PC to removable disk to PC, its encryption attribute remains and the file is still encrypted. The answer is B.