
Lab Encrypting Data 70744

This lab contains exercises for configuring disk and file encryption on Windows Server 2016. The exercises include encrypting individual files with Encrypting File System (EFS), configuring the EFS recovery agent, and encrypting volumes with BitLocker. Students will encrypt a test file with EFS, share the encrypted file with another user, then decrypt the file to understand how EFS works. The lab is estimated to take 100 minutes to complete.

Uploaded by

Blerim Behrami

LAB 1

CONFIGURING DISK AND FILE ENCRYPTION

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:
Exercise 1.1 Encrypting Files with EFS

Exercise 1.2 Configuring the EFS Recovery Agent



Exercise 1.3 Encrypting a Volume with BitLocker



Lab Challenge Backing Up and Restoring EFS Certificates



BEFORE YOU BEGIN


The lab environment consists of student workstations connected to a local area network, along with a
server that functions as the domain controller for a domain called adatum.com. The computers
required for this lab are listed in Table 1-1.

Table 1-1
Computers required for Lab 1

Computer        Operating System        Computer Name
Server (VM 1)   Windows Server 2016     LON-DC1
Server (VM 2)   Windows Server 2016     LON-SVR1
Server (VM 3)   Windows Server 2016     LON-SVR2

In addition to the computers, you will also require the software listed in Table 1-2 to complete Lab 1.


Table 1-2
Software required for Lab 1

Software                    Location
Lab 1 student worksheet     Lab01_worksheet.docx (provided by instructor)

Working with Lab Worksheets


Each lab in this manual requires that you answer questions, take screen shots, and perform other
activities that you will document in a worksheet named for the lab, such as Lab01_worksheet.docx.
You will find these worksheets on the book companion site. It is recommended that you use a USB
flash drive to store your worksheets, so you can submit them to your instructor for review. As you
perform the exercises in each lab, open the appropriate worksheet file using Word, fill in the required
information, and then save the file to your flash drive.

SCENARIO
After completing this lab, you will be able to:

■ Encrypt files with EFS

■ Configure the EFS Recovery Agent

■ Encrypt a volume with BitLocker

■ Back up and restore EFS certificates

Estimated lab time: 100 minutes

Exercise 1.1 Encrypting Files with EFS


Overview
For files that are extremely sensitive, you can use Encrypting File System (EFS) to encrypt the files. In this exercise, you will encrypt a file using EFS, which is a built-in feature of NTFS.

Mindset
Encryption is a way to add an additional layer of security. If a laptop is stolen and the hard drive is put into another system where the thief or hacker is an administrator, the files cannot be read without the proper key. To encrypt individual documents, you can use EFS.

Completion time
50 minutes

ENCRYPTING FILES WITH EFS

1. Log in to LON-SVR1 as the adatum\administrator user account with the password Pa$$w0rd.
The Server Manager console opens.

2. On LON-SVR1, create a C:\Data folder.



3. Create a text file in the C:\Data folder named test.txt. Open the text file, type your name in
the file, save the changes, and then close the file.

4. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.

5. On the General tab, click Advanced. The Advanced Attributes dialog box appears, as shown in
Figure 1-1.

Figure 1-1
Configuring advanced attributes

6. Select the Encrypt contents to secure data check box. Click OK to close the Advanced
Attributes dialog box.

7. Click OK to close the Properties dialog box.

8. When Windows prompts you to confirm the changes, click OK.

Question 1
Which icon is used for the Data folder?

Question 2
Which icon is used for the test.txt file?

9. Right-click the C:\Data folder and choose Properties. The Properties dialog box opens.

10. Under the General tab, click Advanced. The Advanced Attributes dialog box opens.

11. Clear the Encrypt contents to secure data check box. Click OK to close the Advanced
Attributes dialog box.

12. Click OK to close the Properties dialog box.

13. When you are prompted to confirm attribute changes, click OK.

SHARING FILES PROTECTED WITH EFS WITH OTHER USERS

1. Log in to LON-DC1 as adatum\administrator with the password of Pa$$w0rd. Server
Manager starts.

2. In Server Manager, click Tools > Active Directory Users and Computers. The Active Directory
Users and Computers console opens.

3. Right-click the Users node and choose New > User.

4. Create a new user with the following parameters:

First Name: User1

User logon name: User1

Click Next.

5. In the Password and Confirm password text boxes, type Pa$$w0rd. Click to select Password
never expires. When an Active Directory Domain Services dialog box appears, click OK.
Click Next.

6. When the user is ready to be created, click Finish.

7. Under the Users node, double-click User1. The User1 Properties dialog box opens.

8. Click the Member Of tab.

9. Click the Add button. In the Select Groups dialog box, type domain admins and then click OK.

10. Click OK to close the User1 Properties dialog box.

11. On LON-SVR1, right-click the Data folder and choose Properties.

12. In the Data Properties dialog box, click the Security tab.

13. Click the Edit button.

14. In the Permissions for Data dialog box, click the Add button.

15. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type User1 and then click OK.

16. Select User1 and then click Allow Full control.

17. Click OK twice more.

18. On LON-SVR1, sign out as administrator.

19. On LON-SVR1, log in as adatum\User1 with the password of Pa$$w0rd.



20. Open the C:\Data folder, right-click the test.txt file and choose Properties.

21. On the General tab, click Advanced. The Advanced Attributes dialog box opens.

22. Click the Encrypt contents to secure data check box. Click OK to close the Advanced
Attributes dialog box. Click OK to close the Properties dialog box.

23. When you are prompted to confirm that you want to encrypt the file and its parent
folder, click OK.

24. If an Access Denied message appears, click Ignore, click Continue, click OK, and then click
Ignore. Click OK. If an Access Denied message appears again, click Ignore All. Upon completion
of this step, the test.txt file should display a lock icon.

25. On LON-SVR1, log out as User1 and log in as adatum\administrator with the password
of Pa$$w0rd.

26. Open the C:\Data folder.

27. Double-click the test.txt file.

Question 3
Which error message is displayed?

28. Click OK to close the message and then close Word.

29. Right-click the test.txt file and choose Properties.

30. Click the Security tab.

Question 4
Which permissions does the Administrator have?

Question 5
Why was the adatum\administrator not able to open the file?

31. On the General tab, click the Advanced button, clear the Encrypt check box, and then click OK.

32. Click OK to close the test.txt Properties dialog box.

Question 6
Were you able to decrypt the file?

33. In the Error Applying Attributes dialog box, click Cancel.

34. On LON-SVR1, log off as Administrator and log in as User1 with the password of Pa$$w0rd.

35. Open the C:\Data folder.



36. Right-click the test.txt file and choose Properties. The Properties dialog box displays.

37. Click the Advanced button to open the Advanced Attributes dialog box.

38. Clear the Encrypt contents to secure data check box and then click OK.

39. Click OK to close the Properties dialog box. If you are prompted to provide administrator
permission to change these attributes, click Continue. If a message displays indicating an error
occurred applying attributes to the file, click Ignore.

40. Log off as User1 and log in as adatum\administrator with the password of Pa$$w0rd.

41. Open the C:\Data folder.

42. Right-click the test.txt file and choose Properties.

43. Click the Advanced button to open the Advanced Attributes dialog box.

44. Click the Encrypt contents to secure data check box. Click OK to close the Advanced
Attributes dialog box.

45. Click OK to close the Properties dialog box. When you are prompted to confirm that you want
to apply these changes to the folder and its contents, click OK.

46. Right-click the test.txt file and choose Properties. Click the Advanced button to open the
Advanced Attributes dialog box.

47. Click the Details button. The User Access to test.txt dialog box displays.

48. Click the Add button. In the Encrypting File System dialog box, click User1 and then click View
Certificate.

49. In the Certificate dialog box, click the Details tab.

Question 7
What is the Certificate used for? Hint: Look at the Enhanced Key Usage field.

50. Click OK to close the Certificates dialog box.

51. Click OK to close the Encrypting File System dialog box.

Question 8
Looking at the User Access to test.txt dialog box, who has a Recovery Certificate?

52. Take a screen shot of the User Access to test.txt dialog box by pressing Alt+PrtScr and then
paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]



53. Click OK to close the User Access to test.txt dialog box, click OK to close the Advanced Attributes
dialog box, and then click OK to close the test.txt Properties dialog box.

54. On LON-SVR1, log off as Administrator and log in as User1.

55. Open the C:\Data folder and double-click the test.txt file.

Question 9
Did the file open?

56. Close the test.txt file.

57. On LON-SVR1, log off as User1.

End of exercise. Remain logged in to LON-DC1.
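As an added example that is not part of the lab manual, the following PowerShell script performs the EFS operations of Exercise 1.1 from the command line on LON-SVR1 instead of through the Properties dialog boxes. It assumes the C:\Data folder of step 2 and that adatum\User1 has already signed in to LON-SVR1 once, so that User1 holds an EFS certificate (the /USER lookup of cipher.exe also assumes that certificate has been published to Active Directory; /CERTHASH or /CERTFILE work without that).

```powershell
# Added example, not part of the lab manual: the EFS operations of Exercise 1.1 done from
# Windows PowerShell on LON-SVR1. Assumes the C:\Data folder of step 2 and that adatum\User1
# has signed in to LON-SVR1 at least once, so that User1 already holds an EFS certificate.
$folder = 'C:\Data'
$file   = Join-Path $folder 'test.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'Your Name'          # the text file of step 3

# Steps 6-8: set the Encrypt attribute on the folder (cipher /E marks a directory so that files
# created in it afterwards are encrypted) and on the file it already contains.
cipher.exe /E $folder
(Get-Item $file).Encrypt()

# The lock icon asked about in questions 1 and 2 reflects the Encrypted file attribute.
function Test-EfsEncrypted([string]$Path) {
    return (((Get-Item $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
}
Test-EfsEncrypted $file                             # True after the calls above

# cipher /C prints what the "User Access to test.txt" dialog box of step 47 shows:
# the user certificates that can decrypt the file and the recovery certificate, if any.
cipher.exe /C $file

# Steps 46-51: give User1 access by adding User1's certificate to the file. cipher /ADDUSER
# accepts a certificate thumbprint (/CERTHASH), an exported .cer file (/CERTFILE) or, when the
# certificate has been published to Active Directory, the user name (/USER).
cipher.exe /ADDUSER /USER:User1 $file
cipher.exe /C $file                                 # User1 now appears in the list

# Steps 31-33 seen from the command line: an account whose certificate is not on the file
# cannot clear the Encrypt attribute. Run as such an account, Decrypt() throws an error
# rather than succeeding silently, which is the behaviour the error dialog box reports.
function Invoke-EfsDecrypt([string]$Path) {
    try   { (Get-Item $Path).Decrypt(); return 'decrypted' }
    catch { return "decrypt failed: $($_.Exception.Message)" }
}
Invoke-EfsDecrypt $file                             # 'decrypted' when run as the file's owner

# To take access away again, /REMOVEUSER needs the thumbprint printed by cipher /C
# (placeholder below, not a value from the lab):
# cipher.exe /REMOVEUSER /CERTHASH:<thumbprint-from-cipher-C> $file
```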

Exercise 1.2 Configuring the EFS Recovery Agent


Overview
In this exercise, you will configure EFS Recovery Agents so that you can recover EFS encrypted files even though the agent is not the owner of the file.

Mindset
When an employee leaves the company, that employee's files might be encrypted, which means they are unreadable to any other user. Using an EFS recovery agent, you can recover those files and make them available to the user or users who have replaced the departed user.

Completion time
10 minutes

1. On LON-DC1, click the Start button and then click the Windows PowerShell tile.

2. For the lab environment, in the Windows PowerShell window, execute the following command, which makes the CA ignore failures to reach an offline CRL distribution point while it checks certificates in the lab:

Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

3. In Server Manager, click Tools > Certification Authority.

4. Right-click AdatumCA and choose All Tasks > Stop Service.

5. Right-click AdatumCA and choose All Tasks > Start Service.

6. Close Certificate Authority.

7. On LON-DC1, log off as adatum\administrator and log in as adatum\user1 with the password
of Pa$$w0rd. Server Manager opens.

8. In Server Manager, click Tools > Group Policy Management. The Group Policy Management
console opens.

9. In the Group Policy Management console, expand the Domains node and then expand
Adatum.com.

10. Right-click the Default Domain Policy and choose Edit.

11. In the Group Policy Management Editor window, expand Computer Configuration\Policies\
Windows Settings\Security Settings\Public Key Policies\ (see Figure 1-2).

Figure 1-2
Opening the GPO public key policies

12. Click Encrypting File System, then right-click it and choose Create Data Recovery Agent.

13. Click the Encrypting File System node. Take a screen shot of the Group Policy Management
Editor by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page
provided by pressing Ctrl+V.

[copy screen shot over this text]

14. On LON-DC1, log off as adatum\User1.

Question 10
What is needed for a user to become a data recovery agent?

End of exercise.
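As an added example that is not part of the lab manual, the following PowerShell commands verify the result of Exercise 1.2: they identify the recovery agent's certificate by its Enhanced Key Usage on LON-DC1 and then refresh and inspect the recovery information on the encrypted test file on LON-SVR1. It assumes the adatum.com domain, the Default Domain Policy edited in steps 10 to 12, and the encrypted C:\Data\test.txt from Exercise 1.1.

```powershell
# Added example, not part of the lab manual: checks to run once Exercise 1.2 has created the
# data recovery agent (DRA). Assumes the adatum.com domain, the Default Domain Policy edited
# in steps 10-12, and the encrypted C:\Data\test.txt from Exercise 1.1 on LON-SVR1.

# Part 1, on LON-DC1 as the user who ran Create Data Recovery Agent. The wizard enrolls that
# user for a File Recovery certificate from AdatumCA and publishes its public part in the GPO.
# Certificates are told apart by their Enhanced Key Usage (EKU) object identifiers:
$EfsEku          = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (used by recovery agents)

function Get-CertificateByEku([string]$Oid, [string]$Store = 'Cert:\CurrentUser\My') {
    Get-ChildItem $Store |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Oid }
}

# The agent's certificate, with its private key, sits in the Personal store. Because that key
# can decrypt every file covered by the policy, the usual practice is to export it to a
# password-protected .pfx kept offline and remove it from the store until a recovery is needed.
Get-CertificateByEku $FileRecoveryEku | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter

# Part 2, on LON-SVR1 as adatum\administrator. Files encrypted before the policy existed keep
# their old recovery information until it is refreshed.
gpupdate.exe /target:computer /force        # pull the updated Default Domain Policy
cipher.exe /U                               # re-applies the current DRA to encrypted files
cipher.exe /C 'C:\Data\test.txt'            # "Recovery Certificates" should now name the agent
```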

Exercise 1.3 Encrypting a Volume with BitLocker


Overview
In this exercise, you will create a new volume and then use BitLocker to encrypt the entire volume.

Mindset
EFS will encrypt only individual files; BitLocker can encrypt an entire volume. Therefore, if you want to encrypt an entire drive on a laptop, you can use BitLocker.

Completion time
20 minutes

1. Log in to LON-SVR2 as the adatum\administrator user account.

2. If Server Manager does not open, open Server Manager.

3. In Server Manager, click Manage > Add Roles and Features. The Add Roles and Features
Wizard opens.

4. On the Before you begin page, click Next.

5. Select Role-based or feature-based installation and then click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, click Next.

8. On the Select features page, select BitLocker Drive Encryption.

9. In the Add Roles and Features Wizard dialog box, click Add Features.

10. On the Select Features page, click Next.

11. On the Confirm installation selections page, click Install.

12. When BitLocker is installed, click Close.

13. Restart LON-SVR2.

14. Click the Start button and then click the Control Panel tile.

15. Click System and Security > BitLocker Drive Encryption. The BitLocker Drive Encryption
window opens, as shown in Figure 1-3.

16. Click the down arrow next to the D drive. Then click Turn on BitLocker. A BitLocker Drive
Encryption (D:) window opens.

17. On the Choose how you want to unlock this drive page, select Use a password to
unlock the drive. Type a password of Pa$$w0rd in the Enter your password text box and the
Reenter your password text box. Click Next.

Figure 1-3
Opening the BitLocker settings

Question 11
With a laptop, which chip is used to create cryptographic keys and encrypt them so that they can only be decrypted by the chip?

18. On the How do you want to back up your recovery key? page, click Save to a file.

19. In the Save BitLocker recovery key as dialog box, type \\LON-DC1\Software\ before BitLocker
Recovery Key <GUID>.txt and then click Save. Click Next.

20. On the Choose which encryption mode to use page, answer the following question and then
click Next.

Question 12
By default, which encryption mode is selected?

21. On the Are you ready to encrypt this drive? page, click Start encrypting.

22. When the drive is encrypted, take a screen shot of the BitLocker window by pressing Alt+PrtScr
and then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

23. Close the BitLocker Drive Encryption window. If you’re prompted to format the disk,
click Cancel.

End of exercise.
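As an added example that is not part of the lab manual, the following PowerShell script carries out Exercise 1.3 with the BitLocker cmdlets on LON-SVR2 and reports the volume state that the wizard only shows graphically. It assumes the D: data volume of step 16, the \\LON-DC1\Software share of step 19, and the lab password Pa$$w0rd of step 17.

```powershell
# Added example, not part of the lab manual: Exercise 1.3 done with the BitLocker cmdlets on
# LON-SVR2. Assumes the D: data volume of step 16, the \\LON-DC1\Software share of step 19
# and the lab password Pa$$w0rd of step 17.

# Steps 3-13: install the feature; -Restart performs the reboot of step 13.
Install-WindowsFeature BitLocker -IncludeManagementTools -Restart

# Question 11 context: report whether a TPM is present and ready. A data volume unlocked by a
# password, as in this exercise, does not need one; operating-system volumes normally use it.
Get-Tpm | Select-Object TpmPresent, TpmReady

# Steps 16-17 and 20: password protector plus an explicit encryption method. XtsAes128 is the
# cmdlet name for the wizard's "New encryption mode"; Aes128 corresponds to "Compatible mode".
$pw = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Enable-BitLocker -MountPoint 'D:' -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes128 -UsedSpaceOnly

# Steps 18-19: a recovery password protector is the cmdlet equivalent of the recovery key file.
# Its protector ID is the <GUID> in the file name the wizard proposes; write it to the share
# the lab uses. Anyone holding this file can unlock the volume, so restrict access to the share.
$vol = Add-BitLockerKeyProtector -MountPoint 'D:' -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$id  = $rp.KeyProtectorId.Trim('{}')
Set-Content -Path "\\LON-DC1\Software\BitLocker Recovery Key $id.txt" -Value $rp.RecoveryPassword

# Step 22: progress, encryption method and protection state of the volume.
function Get-BitLockerSummary([string]$MountPoint = 'D:') {
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
                      EncryptionMethod, ProtectionStatus
}
Get-BitLockerSummary
```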

Lab Challenge Backing Up and Restoring EFS Certificates


Overview
In this Lab Challenge, you will back up an EFS certificate that you will later restore after you delete the certificate.

Mindset
You administer a standalone computer that failed and had to be rebuilt. The computer included files that were encrypted with EFS. Fortunately, you backed up the files to a removable drive. After you rebuilt the computer, you copied the files from the removable drive. Although you are using the same username and password that you used before, you cannot open the files because they are encrypted. Unfortunately, there is not much you can do unless you have the EFS certificates with the correct keys to decipher the documents. Therefore, it is important that you always have a backup of the EFS certificates in case the system needs to be replaced.

Completion time
20 minutes

BACKING UP THE EFS CERTIFICATES

1. Log in to LON-SVR1 as adatum\administrator. Server Manager opens.

2. Click the Start button and then click Windows PowerShell.

3. From the Windows PowerShell prompt, execute the certmgr.msc command. The certmgr console
opens.

4. In the left pane, double-click Personal and then click Certificates.

5. In the main pane, right-click the certificate that lists Encrypting File System under Intended
Purposes and choose All Tasks. Click Export.

6. In the Certificate Export Wizard, click Next.

7. On the Export Private Key page, click Yes, export the private key and then click Next.

8. On the Export File Format page, click Next.

9. On the Security page, click the Password check box and, in the Password and Confirm password
text boxes, type Pa$$w0rd. Click Next.

Question 13
What is the difference between the cer format and the pfx format when backing up digital certificates?

10. On the File to Export page, in the File name text box, type C:\Cert.pfx. Click Next.

11. Take a screen shot of the Completing the Certificate Export Wizard by pressing Alt+PrtScr and
then paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]



12. When the wizard is complete, click Finish.

13. When the export is successful, click OK.

RESTORING THE EFS CERTIFICATE

1. Right-click the Administrator certificate and choose Delete. When you are prompted to confirm
that you want to delete the certificate, read the warning and then click Yes.

2. Right-click Certificates and choose All Tasks > Import.

3. When the Certificate Import Wizard starts, click Next.

4. On the File to Import page, type c:\cert.pfx, and then click Next.

5. If you are prompted to provide a password, type Pa$$w0rd in the Password text box and then
click Next.

6. On the Certificate Store page, click Next.

7. On the Completing the Certificate Import Wizard page, click Finish.

8. When the import is successful, click OK.

9. Take a screen shot of the Certificates console by pressing Alt+PrtScr and then paste it into your
Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

10. Close Certificate Manager and then close the Windows PowerShell window.

End of lab.
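As an added example that is not part of the lab manual, the following PowerShell script performs the backup and restore of the Lab Challenge with the PKI cmdlets on LON-SVR1 as adatum\administrator, and checks that the restored certificate can decrypt again. It assumes the Administrator's EFS certificate is in the Personal store (it is created on first EFS use in Exercise 1.1) and uses the lab's C:\Cert.pfx path and Pa$$w0rd; the C:\Cert.cer path is an added assumption.

```powershell
# Added example, not part of the lab manual: the Lab Challenge steps done with the PKI cmdlets
# on LON-SVR1 as adatum\administrator. Assumes the Administrator's EFS certificate is in the
# Personal store and uses the lab's C:\Cert.pfx and Pa$$w0rd; C:\Cert.cer is an assumed path.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }
}

# Backing up (steps 5-13). A .pfx holds the certificate and its private key, protected by the
# password; Export-Certificate writes a .cer that holds the public certificate only, so a .cer
# cannot give decryption back. Both are produced so the formats of Question 13 can be compared.
$cert  = Get-EfsCertificate | Select-Object -First 1
$thumb = $cert.Thumbprint
$pw    = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath 'C:\Cert.pfx' -Password $pw | Out-Null
Export-Certificate    -Cert $cert -FilePath 'C:\Cert.cer' | Out-Null

# Restoring (steps 1-8): delete the certificate together with its private key, as the
# Mindset's rebuilt computer would have lost it, then import the .pfx back into the store.
# Until the import, files encrypted under this certificate cannot be opened.
Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
Import-PfxCertificate -FilePath 'C:\Cert.pfx' -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pw | Out-Null

# Verify: same thumbprint and the private key is present again, so EFS files open as before.
function Test-EfsCertificateRestored([string]$Thumbprint) {
    $c = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    return ($null -ne $c -and $c.HasPrivateKey)
}
Test-EfsCertificateRestored $thumb   # True when the restore succeeded
```

Keep the .pfx and its password away from the machine it protects; a copy on the same disk is lost with the disk, which is exactly the failure the Mindset describes.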
