Securing File Resources - PowerPoint PPT Presentation

About This Presentation

Title:

Securing File Resources

Description:

... to a file share, a fake root directory is established at ... Manage Documents. Manage Printers. Physical Security. When printer output security is important ... – PowerPoint PPT presentation

Number of Views:62

Avg rating:3.0/5.0

Slides: 48

Provided by: higheredM

Category:

more less

Transcript and Presenter's Notes

Title: Securing File Resources

1
Securing File Resources

Securing Access to File Resources
Securing Access to Print Resources
Planning EFS Security

2
Securing Access to File Resources

Designing share security
Planning NT file system (NTFS) security
Combining share and NTFS security

3
Designing Share Security
4
Configuring Share Permissions

To enable shared folders, edit the Sharing tab of
the folder properties.
The maximum number of allowed sessions can be
limited.
To configure precise permission settings, click
Permissions.

5
Standard Share Permissions

Full Control
Change
Read

6
Changes to Shares in Microsoft Windows 2000

With down-level clients, if a logical drive
letter is assigned to a file share, a fake root
directory is established at the shared folder.
In Windows 2000, the default behavior allows the
root directory to be established at the shared
folder.
This provides additional security because the
user cannot navigate to any folders above or at
the same level in the folder hierarchy.
Down-level clients still require separate shares
to be established for each user home directory.

7
Making the Decision Designing Secure Share
Permissions

Remove Full Control permission from the Everyone
group.
Assign share permissions to domain local groups,
not to user accounts.
Assign the maximum permission that a security
principal will require for the folder hierarchy
below the shared folder.

8
Applying the Decision Designing Secure Share
Permissions for Wide World Importers

Washington share \\Washington\Applications
Users Read
Administrators Full Control
Dallas share \\Dallas\Applications
Graphics Users Change
Graphics Admins Change
Administrators Full Control

9
Planning NTFS Security
10
Changes in Windows 2000 NTFS File System

Encryption
Quotas
Permission inheritance

11
Assessing NTFS Permissions

Define most permissions by using the predefined
permissions.
Predefined NTFS permissions are compilations of
several special permissions.
Security groups are included in each Access
Control Entry (ACE) in the discretionary access
control list (DACL).
The DACL contains one ACE for each level of
access defined for an object.

12
Predefined NTFS Permissions

Folder
Full Control
Modify
Read Execute
List Folder Contents
Read
Write

File
Full Control
Modify
Read Execute
Read
Write

13
NTFS Special Permissions

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes

Write Extended Attributes
Delete Subfolders And Files
Delete
Read Permissions
Change Permissions
Take Ownership
Synchronize

14
Making the Decision Designing NTFS Permissions

Assign only the necessary permissions.
Create a custom domain local group for each type
of access.
ACEs defined directly to an object are evaluated
before any inherited ACEs
Within a group of explicit ACEs, access-denied
ACEs are placed before access-allowed ACEs.
If there are multiple inherited ACEs, the ACEs
are evaluated in the following order from those
closest to the object (first) to those farthest
from the object (last).
Use security templates and Group Policy to
standardize NTFS permissions.

15
Applying the Decision Washington Office NTFS
Permission Design
16
Applying the Decision Dallas Office NTFS
Permission Design
17
Combining Share and NTFS Security
18
Evaluating Effective Permissions
19
Default Share Permissions

Full Control is assigned to the Everyone group by
default.
Default share permissions should be modified if
NTFS permissions are not monitored.
Full Control permission includes three additional
abilities over the Modify permission.
Full Control permissions are restricted to
network administrators.
An effective set of default permissions for a
shared folder is
Administrators Full Control
Users Change
Change permissions allow users to create, read,
delete, and modify any files in the share.

20
Making the Decision Combining Share and NTFS
Permissions

Set share permissions at the highest level of
permissions required for the tree below.
Use NTFS permissions to define precise access
control.
Always use the NTFS file system for data.
Evaluate whether Full Control permission is
appropriate.

21
Applying the Decision Combining Share and NTFS
Permissions for Wide World Importers

Initial share and NTFS permissions
The Washington and Dallas shares and NTFS
permissions do not assign excess permissions.
Share permissions could remain set at the
default.
Default share permissions could result in excess
permissions if any of the NTFS permissions are
applied incorrectly.

22
Applying the Decision Combining Share and NTFS
Permissions for Wide World Importers (Cont.)

Documenting initial permission assignments
All folders where permissions are assigned
Details on group membership
Rationale for each permission assignment

23
Securing Access to Print Resources

Assessing printer security
Printer permissions
Physical security
Transmission security

24
Designing Secure Access to Print Resources

Determine who is allowed to print to a particular
printer.
Determine the security of data as it is
transmitted to the printer.
Protect traffic to restricted printers, such as
check printers.
Prevent users from printing sensitive or
confidential material to public printers.

25
Assessing Printer Security

Printer Permissions
Print
Manage Documents
Manage Printers
Physical Security
When printer output security is important
Put print devices in a secure location
Use security cards or biometric input to access
the device

26
Protecting Print Resources
27
Making the Decision Ensuring Printer Security

Restrict access to the printer to a specific
group of users.
Delegate administration of a printer.
Prevent inspection of print jobs.

28
Applying the Decision Printer Security for Wide
World Importers

Change the default share permissions to limit
usage to the Graphics department.
Data transmissions to the film printer do not
need to be protected.

29
Planning EFS Security

Overview of the Encrypting File System (EFS)
process
Designating an EFS recovery agent
Recovering encrypted files

30
Planning EFS Security Overview

EFS secures files that are stored locally.
EFS protects only the data stored on an NTFS
partition.
EFS does not provide network transport security.
EFS planning should include a plan to restore
data in the event that recovery keys are lost.
Poor EFS planning can result in the permanent
loss of data.

31
EFS Encryption Process

Knowing how the EFS process encrypts data helps
to determine
Which user has encrypted a file by using EFS
Who can recover an EFS encrypted file
Users can enable the Encrypt Contents To Secure
Data attribute for a file or folder.
Administrators can encrypt all contents of
specific folders to ensure the security of
confidential data.

32
Encrypting EFS Data
33
Decrypting EFS Data
34
Designating an EFS Recovery Agent

If an EFS recovery agent is not defined, the EFS
recovery attempts might fail.
Select the account that will be the EFS recovery
agent.
Define the public/private key pair that will be
used by the EFS process.

35
The Initial EFS Recovery Agent

When the computer is not a domain member
The initial Administrator account is configured
as the EFS recovery agent by default
The EFS Recovery certificate is a self-issued
certificate created by the OS

36
The Initial EFS Recovery Agent (Cont.)

When the computer is a domain member
The Default Domain policy configures the domain
Administrator account as the EFS recovery agent
The public key for EFS encryption is the public
key associated with the Administrator account of
the first domain controller (DC) that was
installed into the domain
This DC's former Security Account Management
(SAM) database is used to initially populate the
domain
The Administrator's EFS Recovery certificate is
reconfigured as the EFS recovery agent in the
Default Domain Policy

37
Configuring a Custom EFS Recovery Agent

Define a new account as the EFS recovery agent.
The new EFS recovery agent account requires an
EFS Recovery certificate but does not have to be
a member of the domain Administrators group.
The certificate template is available from a
Microsoft Windows 2000 Enterprise Certification
Authority (CA).
Import the EFS Recovery certificate into the
Default Domain Policy as the domain's Encrypted
Data recovery agent.
The imported public key is used to encrypt the
File Encryption Key stored in the Data Recovery
Field (DRF).
Multiple EFS Recovery certificates can be
imported into Group Policy to create multiple EFS
recovery agents.

38
Configuring an Empty Encrypted Data Recovery
Agent

Prevent network EFS encryption by deleting all
current EFS recovery agent certificates in the
Encrypted Data Recovery Agent policy.
EFS encryption is not possible without defining
Encrypted Data recovery agents.
An empty policy exists when no recovery agents
are included in the Encrypted Data Recovery Agent
policy.
The empty policy exists and is applied, but no
values are assigned from it.
The creation of an empty policy ensures that
local policy does not take precedence.

39
Making the Decision Planning EFS Recovery Agents

Ensure that all EFS encrypted files in a domain
can be recovered.
Prevent EFS encryption from being used.
Prevent specific computers from using EFS
encryption.
Restrict EFS encryption to specific users.

40
Applying the Decision Planning EFS Recovery
Agents for Wide World Importers

Delete the default EFS recovery agent from the
Default Domain Policy.
Remove all entries from the Default Domain
Policy, but do not delete the policy.
Because no EFS recovery agent is defined, EFS
encryption is disabled on the domain member
computers.

41
Deploying an EFS Recovery Solution

Create a new account that will perform the
request for the EFS Recovery certificate.
Configure the permissions on the EFS Recovery
certificate template to allow the new account to
have Enroll permissions in Active Directory Sites
And Services.
Request an EFS Recovery certificate when logged
on as the new account.

42
Deploying an EFS Recovery Solution (Cont.)

Export the key and the corresponding private key
to a PKCS12 file and store the file on removable
media.
Store the PKCS12 file in a secure location, such
as a safe.
Import the public key into the Default Domain
Policy in the Encrypted Data Recovery Agent
Policy.
Delete the new account.

43
Performing an EFS Recovery

Determine the private key that can perform the
EFS recovery.
Import the private key into the certificate store
of any user account.
The user account now holds the corresponding
private key to the public key that was used to
encrypt the File Encryption Key.

44
Determining the Required Private Keys

Use the Efsinfo utility from the Microsoft
Windows 2000 Server Resource Kit to determine
which private key is required to decrypt an EFS
encrypted file.
Efsinfo parameters
Efsinfo /U /R /C /I Y /Sdir
pathname

45
Making the Decision Planning Recovery of
Encrypted Files

Restrict the ability to recover encrypted files.
Restrict recovery to a specific workstation.
Allow more than one private key to perform EFS
recovery.
Determine which users can decrypt a file.
Determine which recovery agents can decrypt a
file.

46
Applying the Decision Recovering Encrypted Files
for Wide World Importers

Files encrypted before the computers were rebuilt
might still be recoverable.
Because Wide World Importers has not configured
the EFS recovery agent, the default EFS recovery
agent probably was previously configured.
If a roaming profile has not been implemented for
the Administrator account, the private key for
EFS recovery of this account might be able to
decrypt the DRF and decrypt the encrypted data
files.

47
Chapter Summary