Chapter 4
Managing Data Access

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • ✓   Support data security.
    • This objective may include but is not limited to the following subobjectives: Identifying and resolving issues related to the following: Permissions including share, NTFS, and Dynamic Access Control (DAC); access to removable media; BitLocker and BitLocker To Go including Data Recovery Agent and Microsoft BitLocker Administration and Monitoring (MBAM).
  • ✓   Configure shared resources.
    • This objective may include but is not limited to the following subobjectives: Configure shared folder permissions, configure HomeGroup settings, configure libraries, configure shared printers, configure OneDrive.
  • ✓   Configure security for mobile devices.
    • This objective may include but is not limited to the following subobjectives: Configure BitLocker, configure startup key storage.

inline   One of the most fundamental tasks in network management is setting up user’s rights and permissions. This is by far one of the most important tasks that we as IT members face every day. Too much access and your users can cause issue. Not enough access and your users can’t do their job.

One way to help make sure that your users don’t have more permissions or security than they need is to use groups. Groups are used to ease network administration by grouping users together who have similar permission requirements. Groups are an important part of network management.

We will dive into user accounts and groups in Chapter 8, “Managing Identity and Authorization,” but you still need to understand how NTFS and shared resources work together and how to secure the network hardware. So that’s where this chapter comes into play.

In this chapter, we will also talk about users accessing resources on a network. If you think about it, that’s one of the main reasons we set up networks, to share resources. If we didn’t have resources that users needed access to, why even bother setting up a network? So we will talk about sharing resources and assigning permissions to those shares.

You will then learn about NTFS security and share permissions and how they work independently and together. Finally, this chapter will introduce you to some of the Windows 10 security options, including BitLocker. So let’s start exploring ways to make your data more secure.

Managing File and Folder Security

Setting up proper file and folder security is one of the most important tasks that an IT professional can perform. If permissions and security are not properly configured, users will be able to access resources that they shouldn’t. File and folder security defines what access a user has to local resources. You can limit access by applying security for files and folders. You should know what NTFS security permissions are and how they are applied.

A powerful feature of networking is the ability to allow network access to local folders. In Windows 10, it is very easy to share folders. You can also apply security to shared folders in a manner that is similar to applying NTFS permissions. Once you share a folder, users with appropriate access rights can access the folders through a variety of methods.

When a user is created on a local Windows 10 system or if the user is created on an Active Directory domain, the user gets a Security Identification (SID) number. It is important to remember that when you assign rights to a user, those rights and permissions get associated to the user’s SID number and not the username. It’s because of this that we can rename user accounts without any issues.

Before diving into the security nitty-gritty, you need to know about the folder options. So let’s start with that discussion.

Folder Options

The Windows 10 Folder Options dialog box allows you to configure many properties associated with files and folders, such as what you see when you access folders and how Windows searches through files and folders. To open the Folder Options dialog box, right-click Start ➢ File Explorer and then select View and then Option. You can also access Folder Options by choosing Control Panel ➢ Large Icons View ➢ File Explorer Options. The Folder Options dialog box has three tabs: General, View, and Search. The options on each of these tabs are described in the following sections.

Folder General Options

The General tab, shown in Figure 4.1, includes the following options:

  • Whether folders are opened all in the same window when a user is browsing folders or each folder is opened in a separate window
  • Whether a user opens items with a single mouse click or a double-click
  • Whether to have the navigation pane show all folders and automatically expand to the current folder
images

Figure 4.1 The General tab of the Folder Options dialog box

Folder View Options

The View tab of the Folder Options dialog box, shown in Figure 4.2, is used to configure what users see when they open files and folders. For example, you can change the default setting so that hidden files and folders are displayed. Table 4.1 describes the View tab options.

Table 4.1 Folder view options

Option Description Default
Always Show Icons, Never Thumbnails Shows icons for files instead of thumbnail previews. Not selected
Always Show Menus Shows the File, Edit, View, Tools, and Help menus when you’re browsing for files. Not selected
Display File Icon On Thumbnails Displays the file icon on thumbnails. Selected
Display File Size Information In Folder Tips Specifies whether the file size is automatically displayed when you hover your mouse over a folder. Selected
Display The Full Path In The Title Bar (Classic Theme Only) Specifies whether the title bar shows an abbreviated path of your location. Selecting this option displays the full path, such as C:\Word Documents\Sybex\Windows 10 Book\Chapter 9, as opposed to showing an abbreviated path, such as Chapter 9. Not selected
Hidden Files And Folders Specifies whether files and folders with the Hidden attribute are listed. Choosing Show Hidden Files, Folders, Or Drives displays these items. Don’t Show Hidden Files, Folders, And Drives
Hide Empty Drives Prevents drives that are empty in the Computer folder from being displayed. Selected
Hide Extensions For Known File Types By default, filename extensions, which identify known file types (such as .doc for Word files and .xls for Excel files), are not shown. Disabling this option displays all filename extensions. Selected
Hide Protected Operating System Files (Recommended) By default, operating system files are not shown, which protects operating system files from being modified or deleted by a user. Deselecting this option displays the operating system files. Selected
Launch Folder Windows In A Separate Process By default, when you open a folder, it shares memory with the previous folders that were opened. Selecting this option opens folders in separate parts of memory, which increases the stability of Windows 10 but can slightly decrease the performance of the computer. Not selected
Show Drive Letters Specifies whether drive letters are shown in the Computer folder. When this option is disabled, only the name of the disk or device will be shown. Selected
Show Encrypted Or Compressed NTFS Files In Color Displays encrypted or compressed files in an alternate color when they are displayed in a folder window. Selected
Show Pop-Up Description For Folder And Desktop Items Displays whether a pop-up tooltip is displayed when you hover your mouse over files and folders. Selected
Show Preview Handlers In Preview Pane Shows the contents of files in the preview pane. Selected
Use Check Boxes To Select Items Adds a check box next to each file and folder so that one or more of them may be selected. Actions can then be performed on selected items. Not selected
Use Sharing Wizard (Recommended) Allows you to share a folder using a simplified sharing method. Selected
When Typing Into List View Selects whether text is automatically typed into the search box or whether the typed item is selected in the view. Select The Typed Item In The View
Image described by surrounding text.

Figure 4.2 The View tab of the Folder Options dialog box

Search Options

The Search tab of the Folder Options dialog box, shown in Figure 4.3, is used to configure how Windows 10 searches for files. You can choose for Windows 10 to search by filename only, by filenames and contents, or by a combination of the two, depending on whether indexing is enabled. You can also select from the following options:

  • Include subfolders
  • Find partial matches
  • Use natural language searches
  • Don’t use the index when searching in file folders for system files
  • Include system directories in non-indexed locations
  • Include compressed files in non-indexed locations
Screenshot shows checkboxes to exclude the index when searching in folders for system files, include system directories and compressed files and search file names and contents along with Restore Defaults button.

Figure 4.3 The Search tab of the Folder Options dialog box

To search for files and folders, click Start ➢ Search and type your query in the search box.

Understanding Dynamic Access Control

One of the advantages of Windows Server 2012 R2 and Windows 10 is the ability to apply data governance to your file server. This will help control who has access to information and auditing. You get these advantages through the use of Dynamic Access Control (DAC). DAC allows you to identify data by using data classifications (both automatic and manual) and then control access to these files based on these classifications.

DAC also gives administrators the ability to control file access by using a central access policy. This central access policy will also allow an administrator to set up audit access to files for reporting and forensic investigation.

DAC allows an administrator to set up Active Directory Rights Management Service (AD RMS) encryption for Microsoft Office documents. For example, you can set up encryption for any documents that contain financial information.

DAC gives an administrator the flexibility to configure file access and auditing to domain-based file servers. To do this, DAC controls claims in the authentication token, resource properties, and conditional expressions within permission and auditing entries.

Administrators have the ability to give users access to files and folders based on Active Directory attributes. For example, a user named Dana is given access to the file server share because in the user’s Active Directory (department attribute) properties, the value contains the value Sales.

Securing Access to Files and Folders

On NTFS partitions, you can specify the access each user has to specific folders or files on the partition based on the user’s logon name and group associations. Access control consists of rights (which pertain to operations on the system) and permissions (which pertain to operations on specific objects). The owner of an object or any user who has the necessary rights to modify permissions can apply permissions to NTFS objects. If permissions are not explicitly granted within NTFS, then they are implicitly denied. Permissions can also be explicitly denied; explicit denials override explicitly granted permissions.

The following sections describe design goals for access control as well as how to apply NTFS permissions and some techniques for optimizing local access.

Considering Design Goals for Access Control

Before you start applying NTFS permissions to resources, you should develop design goals for access control as a part of your overall security strategy. Basic security strategy suggests that you provide each user and group with the minimum level of permissions needed for job functionality. The following list includes some of the considerations for planning access control:

  • Defining the resources that are included within your network—in this case, the files and folders residing on the file system
  • Defining which resources will put your organization at risk, including defining the resources and defining the risk of damage if the resource is compromised
  • Developing security strategies that address possible threats and minimize security risks
  • Defining groups that security can be applied to based on users within the group membership who have common access requirements, and applying permissions to groups as opposed to users
  • Applying additional security settings through Group Policy if your Windows 10 clients are part of an Active Directory network
  • Using additional security features, such as Encrypted File System (EFS), to provide additional levels of security or file auditing to track access to critical files and folders

After you have decided what your design goals are, you can start applying your NTFS permissions.

Applying NTFS Permissions

NTFS permissions control access to NTFS files and folders. Ultimately, the person who owns an object has complete control over the object. The owner or administrator can configure access by allowing or denying NTFS permissions to users and groups.

Normally, NTFS permissions are cumulative, based on group memberships. The user gets the highest level of security from all the different groups they belong to. However, if the user had been denied access through user or group membership, those deny permissions override the allowed permissions. Windows 10 offers seven levels of NTFS permissions, plus special permissions:

Full Control This permission allows the following rights:

  • Traverse folders and execute files (programs) in the folders. The ability to traverse folders allows you to access files and folders in lower subdirectories, even if you do not have permissions to access specific portions of the directory path.
  • List the contents of a folder and read the data in a folder’s files.
  • See a folder’s or file’s attributes.
  • Change a folder’s or file’s attributes.
  • Create new files and write data to the files.
  • Create new folders and append data to the files.
  • Delete subfolders and files.
  • Delete files.
  • Compress files.
  • Change permissions for files and folders.
  • Take ownership of files and folders.

If you select the Full Control permission, all permissions will be checked by default and can’t be unchecked.

Any user with Full Control access can manage the security of a folder. However, to access folders, a user must have physical access to the computer as well as a valid logon name and password. By default, regular users can’t access folders over the network unless the folders have been shared. Sharing folders is covered in the section “Creating and Managing Shared Folders,” later in this chapter.

Modify This permission allows the following rights:

  • Traverse folders and execute files in the folders.
  • List the contents of a folder and read the data in a folder’s files.
  • See a file’s or folder’s attributes.
  • Change a file’s or folder’s attributes.
  • Create new files and write data to the files.
  • Create new folders and append data to the files.
  • Delete files.

If you select the Modify permission, the Read & Execute, List Folder Contents, Read, and Write permissions will be checked by default and can’t be unchecked.

Read & Execute This permission allows the following rights:

  • Traverse folders and execute files in the folders.
  • List the contents of a folder and read the data in a folder’s files.
  • See a file’s or folder’s attributes.

If you select the Read & Execute permission, the List Folder Contents and Read permissions will be checked by default and can’t be unchecked.

List Folder Contents This permission allows the following rights:

  • Traverse folders.
  • List the contents of a folder.
  • See a file’s or folder’s attributes.

Read This permission allows the following rights:

  • List the contents of a folder and read the data in a folder’s files.
  • See a file’s or folder’s attributes.
  • View ownership.

Write This permission allows the following rights:

  • Overwrite a file.
  • View file ownership and permissions.
  • Change a file’s or folder’s attributes.
  • Create new files and write data to the files.
  • Create new folders and append data to the files.

Special Permissions This allows you to configure any permissions beyond the normal permissions, such as auditing, and to take ownership. To apply NTFS permissions, right-click the file or folder to which you want to control access, select Properties from the context menu, and then select the Security tab. The Security tab lists the users and groups who have been assigned permissions to the file or folder. When you click a user or group in the top half of the dialog box, you see the permissions that have been allowed or denied for that user or group in the bottom half (see Figure 4.4).

Screenshot shows object name, group or user names from which WPanek is selected, Edit button, Advanced button and checkboxes to allow permissions for WPanek such as full control, modify, read, write et cetera.

Figure 4.4 The object’s Security tab

EXERCISE 4.1 walks you through assigning NTFS permissions.

Controlling Permission Inheritance

Normally, the directory structure is organized in a hierarchical manner. This means you are likely to have subfolders in the folders to which you apply permissions. In Windows 10, by default, the parent folder’s permissions are applied to any files or subfolders in that folder as well as any subsequently created objects. These are called inherited permissions.

You can specify how permissions are inherited by subfolders and files by clicking the Advanced button on the Security tab of a folder’s Properties dialog box. This calls up the Permissions tab of the Advanced Security Settings dialog box. To edit these options, click the Change Permissions button. You can edit the following options:

  • Include Inheritable Permissions From This Object’s Parent
  • Replace All Existing Inheritable Permissions On All Descendants With Inheritable Permissions From This Object

If an Allow or Deny item in the Permissions list on the Security tab has a shaded check mark, this indicates that the permission was inherited from an upper-level folder. If a check mark is not shaded, it means the permission was applied at the selected folder. This is known as an explicitly assigned permission. Knowing which permissions are inherited and which are explicitly assigned is useful when you need to troubleshoot permissions.

Understanding Ownership and Security Descriptors

When an object is initially created on an NTFS partition, an associated security descriptor is created. A security descriptor contains the following information:

  • The user or group who owns the object
  • The users and groups who are allowed or denied access to the object
  • The users and groups whose access to the object will be audited

After an object is created, the owner of the object has full permissions to change the information in the security descriptor, even for members of the Administrators group. You can view the owner of an object from the Security tab of the specified folder’s Properties by clicking the Advanced button. Then click the Owner tab to see who the owner of the object is. From this dialog box, you can change the owner of the object.

Although the owner of an object can set its permissions so that the administrator can’t access it, the administrator or any member of the Administrators group can take ownership of an object and thus manage the object’s permissions. When you take ownership of an object, you can specify whether you want to replace the owner on subdirectories and subobjects of the object. If you would like to see who owns a directory, from the command prompt, type dir /q.

Determining and Viewing Effective Permissions for NTFS

To determine a user’s effective permissions (the aggregate permissions the user has to a file or folder), add all of the permissions that have been allowed through the user’s assignments based on that user’s username and group associations. After you determine what the user is allowed, you subtract any permissions that have been denied the user through the username or group associations.

As an example, suppose user Marilyn is a member of both the Accounting and Execs groups. The following assignments have been made to the Accounting group permissions:

Permission Allow Deny
Full Control
Modify X
Read & Execute X
List Folder Contents
Read
Write

The following assignments have been made to the Execs group permissions:

Permission Allow Deny
Full Control
Modify
Read & Execute
List Folder Contents
Read X
Write

To determine Marilyn’s effective rights, you combine the permissions that have been assigned. The result is that Marilyn’s effective rights are Modify, Read & Execute, and Read, so she effectively has Modify (the highest right).

As another example, suppose that user Dan is a member of both the Sales and Temps groups. The following assignments have been made to the Sales group permissions:

Permission Allow Deny
Full Control
Modify X
Read & Execute X
List Folder Contents X
Read X
Write X

The following assignments have been made to the Temps group permissions:

Permission Allow Deny
Full Control
Modify X
Read & Execute
List Folder Contents
Read
Write X

To determine Dan’s effective rights, you start by seeing what Dan has been allowed: Modify, Read & Execute, List Folder Contents, Read, and Write permissions. You then remove anything that he is denied: Modify and Write permissions. In this case, Dan’s effective rights are Read & Execute, List Folder Contents, and Read.

If permissions have been applied at the user and group levels and inheritance is involved, it can sometimes be confusing to determine what the effective permissions are. To help identify which effective permissions will actually be applied, you can view them from the Effective Permissions tab of Advanced Security Settings, or you can use the ICACLS command-line utility.

To see what the effective permissions are for a user or group, you click the Select button and then type in the user or group name. Then click OK. If a box is checked and not shaded, then explicit permissions have been applied at that level. If the box is shaded, then the permissions to that object were inherited.

The ICACLS command-line utility can also be used to display or modify user access permissions. The options associated with the ICACLS command are as follows:

  • /grant grants permissions.
  • /remove revokes permissions.
  • /deny denies permissions.
  • /setintegritylevel sets an integrity level of Low, Medium, or High.

One issue that IT people run into is what happens to the security when you move or copy a file or folder. Let’s take a look at NTFS permissions when they are moved or copied.

Determining NTFS Permissions for Copied or Moved Files

When you copy or move NTFS files, the permissions that have been set for those files might change. Use the following guidelines to predict what will happen:

  • If you move a file from one folder to another folder on the same volume, the file will retain the original NTFS permissions.
  • If you move a file from one folder to another folder between different NTFS volumes, the file is treated as a copy and will have the same permissions as the destination folder.
  • If you copy a file from one folder to another folder on the same volume or on a different volume, the file will have the same permissions as the destination folder.
  • If you copy or move a file or folder to a FAT partition, it will not retain any NTFS permissions.

Managing Network Access

In every network, there are resources to which the users need to gain access. As IT professionals, we share these resources so that our users can do their jobs.

Sharing is the process of allowing network users access to a resource located on a computer. A network share provides a single location to manage shared data used by many users. Sharing also allows an administrator to install an application once, as opposed to installing it locally at each computer, and to manage the application from a single location.

The following sections describe how to create and manage shared folders and configure share permissions.

Creating and Managing Shared Folders

You can share a folder in two ways. To use the Sharing Wizard, right-click a folder and select Share. If the Sharing Wizard feature is enabled, you will see the File Sharing screen, where you can add local users. Alternatively, you can access the wizard by right-clicking a folder and then selecting Properties ➢ Sharing tab ➢ Share button.

However, you cannot use the Sharing Wizard to share resources with domain users. To share a folder with domain users, right-click the folder and select Properties, and then select the Sharing tab, shown in Figure 4.5.

Image described by surrounding text.

Figure 4.5 The Sharing tab of a folder’s Properties dialog box

The Share button will take you to the Sharing Wizard. To configure Advanced Sharing, click the Advanced Sharing button, which will open the Advanced Sharing dialog box.

When you share a folder, you can configure the options listed in Table 4.2.

Table 4.2 Shared folder options

Option Description
Share This Folder Makes the folder available through local access and network access
Share Name A descriptive name by which users will access the folder
Comments Additional descriptive information about the share (optional)
Limit The Number Of Simultaneous Users To The maximum number of connections to the share at any one time (no more than 10 users can simultaneously access a share on a Windows 10 computer)
Permissions How users will access the folder over the network
Caching How folders are cached when the folder is offline

If you share a folder and then decide that you do not want to share it, just deselect the Share This Folder check box. You can easily tell that a folder has been shared by the group icon located at the bottom left of the folder icon.

Keep in mind the following guidelines regarding sharing:

  • Only folders, not files, can be shared.
  • Share permissions can be applied only to folders and not to files.
  • If a folder is shared over the network and a user is accessing it locally, then share permissions will not apply to the local user; only NTFS permissions will apply.
  • If a shared folder is copied, the original folder will still be shared but not the copy.
  • If a shared folder is moved, the folder will no longer be shared.
  • If the shared folder will be accessed by a mixed environment of clients, including some that do not support long filenames, you should use the 8.3 naming format for files.
  • Folders can be shared through the Net Share command-line utility.

Now let’s take a look at configuring share permissions for your users.

Configuring Share Permissions

You can control users’ access to shared folders from the network by assigning share permissions. Share permissions are less complex than NTFS permissions and can be applied only to folders (unlike NTFS permissions, which can be applied to files and folders).

To assign share permissions, click the Permissions button in the Advanced Sharing dialog box. This brings up the Share Permissions dialog box, shown in Figure 4.6.

Screenshot shows group or usernames section from which Everyone is selected, Add and Remove buttons, permission for everyone section which includes checkboxes to allow full control, change and read.

Figure 4.6 The Share Permissions dialog box

You can assign three types of share permissions:

Full Control Allows full access to the shared folder.

Change Allows users to change data within a file or to delete files.

Read Allows a user to view and execute files in the shared folder. Read is the default permission on shared folders for the Everyone group.

Shared folders do not use the same concept of inheritance as NTFS folders. If you share a folder, there is no way to block access to lower-level resources through share permissions. One thing that is the same between shared and NTFS is that all shared permissions are additive if you belong to multiple groups. This means that you add up all the permissions of the groups and get the highest permission.

When applying conflicting share and NTFS permissions, the most restrictive permissions win. Remember that share and NTFS permissions are both applied only when a user is accessing a shared resource over a network. Only NTFS permissions apply to a user accessing a resource locally. So, for example, if a user’s NTFS security setting on a resource is Read and the share permission on the same resource is Full Control, the user would have only Read permission when they connect to the shared resource. The most restrictive set of permissions wins.

Configuring OneDrive

Windows 10 includes Microsoft OneDrive with the operating system. Microsoft OneDrive is a cloud-based storage system where corporate users or home users can store their data in the cloud. Microsoft OneDrive allows users to use up to 15 GB of cloud storage for free without a subscription. Users have the ability to get more cloud-based storage by purchasing a higher subscription.

To set up a corporate user or home user with Microsoft OneDrive, you must first have a Microsoft account. You can create a Microsoft account at the time you are accessing OneDrive, as shown in Figure 4.7.

Screenshot shows heading as Add your Microsoft account, textfields to enter email or phone and password, forgot password option, links for creating new account and privacy statement and Sign in button.

Figure 4.7 Microsoft OneDrive sign-in screen

Once you have a Microsoft account, you then sign into the Microsoft OneDrive system where you can begin uploading data. Figure 4.8 shows Microsoft OneDrive from the Internet browser. Using the Internet browser, you can control the files that are located in the cloud.

Image described by surrounding text.

Figure 4.8 Microsoft OneDrive

In Exercise 4.2, I will show you how to sign into your Microsoft OneDrive application.

At this point you can start using OneDrive to create and upload files to the OneDrive cloud. In the left corner, next to the Home tab, you will see three lines. If you click those three lines, some options will appear. The bottom option allows you to change the OneDrive settings.

Inside those settings, you have the ability to change how often the system will sync with the cloud, which accounts will be associated to this OneDrive, and many other settings. The OneDrive cloud-based storage is a good way to back up some documents for protection of data loss.

When Windows 7 was released, Microsoft created an easy way for users to set up networks at home even if they don’t know much about networking. In the next section, we will look at using Windows 10 HomeGroups.

Joining and Sharing HomeGroups in Windows 10

HomeGroup is a functionality of Windows 10 that simplifies the sharing of music, pictures, and documents within your small office or home network of Windows 10 PCs. HomeGroup allows you to share USB-connected printers too. If you have a printer installed on a Windows 10 computer and it’s shared by HomeGroup, it is automatically installed onto the other HomeGroup-enabled Windows 10 PCs. Domain-joined computers cannot host a HomeGroup, but they can be a participant of a HomeGroup. All editions of Windows 10 can use HomeGroups, but only Home, Enterprise, or Professional edition can create a HomeGroup.

The first step in the process of using HomeGroup for sharing is to create a new HomeGroup or join an existing one. If the Windows 10 network-discovery feature does not find a HomeGroup, you will be asked to create a HomeGroup. In the Network and Sharing Center, select Choose HomeGroup and then click the Create A HomeGroup button (Figure 4.13).

Image described by surrounding text.

Figure 4.13 Create a HomeGroup.

With Windows 10 network discovery turned on (the default), a HomeGroup is created automatically. You still need to join the HomeGroup to use the other shared resources and to share yours. From the Network and Sharing Center, you can join an existing HomeGroup by clicking the Join Now button, as shown in Figure 4.14.

Image described by surrounding text.

Figure 4.14 Join an existing HomeGroup.

Part of joining a HomeGroup setup is defining the libraries that you want to make available to the other members of the HomeGroup. The HomeGroup libraries are the folders (Pictures, Music, Videos, Documents, and Printers) that you want to share. So you can choose which HomeGroup libraries that you want to share or not share. The next screen in the setup (Figure 4.15) lets you choose which resources you want to share.

Image described by surrounding text.

Figure 4.15 HomeGroup sharing selections

The next step is to enter the HomeGroup password. Windows 10, by default, will recognize a HomeGroup on the network. However, the other Windows 10 machines will not have access to the resources. Allowing any Windows 10 machine connecting to the network to automatically have shared resource access would be a huge security hole. To protect the Windows 10 user resources, a password must be entered to join a HomeGroup.

The password for the HomeGroup can be viewed or changed on the machine that established the HomeGroup. After other machines have joined, each machine has the ability to view or change the password. The initial machine in the HomeGroup will create a random secure password. To view and/or print the HomeGroup password, use the Choose HomeGroup And Sharing Options selection from the Network and Sharing Center, and then choose View Or Print The HomeGroup Password item, shown in Figure 4.16. Again, this can be done from any Windows 10 machine that is already a member of the HomeGroup but not from one that wants to join.

Image described by surrounding text.

Figure 4.16 Change HomeGroup Settings screen

Figure 4.17 shows the View And Print Your HomeGroup Password screen. For simplicity here, I have changed the password to password, which is an example only and not recommended for your network.

Image described by surrounding text.

Figure 4.17 View And Print Your HomeGroup Password screen

Remember that Windows 10 will initially create a random secure password for the HomeGroup, and you need to visit the View And Print Your HomeGroup Password screen to find out what it is. You will probably want to change it. To change the password, choose the Change The Password option from the Change HomeGroup Settings page and then select Change The Password from the Change Your HomeGroup Password screen, as shown in Figure 4.18. When you change the HomeGroup password, you need to go to each of the other Windows 10 machines that are members of the HomeGroup and change the password there if you still want the others to share resources.

Image described by surrounding text.

Figure 4.18 Change the HomeGroup password.

After the HomeGroup is set up, you can see the other members’ resources from the HomeGroup option of Windows Explorer or even the Start menu if you customize the Start menu and have added HomeGroup to the displayed options. I have added the HomeGroup option to my Start menu, as shown in Figure 4.19. To add the HomeGroup to the Start menu, right-click the Start menu and choose Control Panel. Once in Control Panel, make sure the view is set to Large Icons (in the upper-right corner of the window). Right-click the HomeGroup icon and choose Pin To My Start.

Image described by surrounding text.

Figure 4.19 HomeGroup in the Start menu

HomeGroups are a great option for users who want to share resources in the Windows 10 environment. But what if you still have non–Windows 10 machines? The legacy function of simply sharing resources and setting permissions still works for Windows 10 and will allow older operating systems to have access to resources shared on Windows 10 machines as well as allow users running Windows 10 to have access to the shared resources on older Windows operating systems.

In the following sections, I will show you how to start protecting your hardware from data loss or theft by securing your hardware.

Understanding Hardware Security

One issue that IT members have to face is the protection of not only our data but also the hardware that the data resides on. (You may remember a case a few years back when an individual stole some hard drives from a VA office.) Let’s take a look at a security measure that will help you protect your data drives from physically being taken.

We must make sure that if anyone steals hardware from our corporation or from our server rooms that the data that they are stealing is secured and can’t be used. This is where BitLocker can help.

Using BitLocker Drive Encryption

To prevent individuals from stealing your computer and viewing personal and sensitive data found on your hard disk, some editions of Windows come with a new feature called BitLocker Drive Encryption. BitLocker encrypts the entire system drive.

BitLocker allows you to configure security for mobile devices by locking the physical drives. If someone steals a hard drive or external drive that has BitLocker on the drive, that drive will not function properly on another computer system.

When you use BitLocker, new files added to the BitLocker drive are encrypted automatically, and files moved from this drive to another drive or computers are decrypted automatically.

Only Windows 10 Enterprise, Professional, and Education, Windows 8 Pro and Enterprise, Windows 7 Pro and Enterprise, Windows Server 2008 and 2008 R2, and Windows Server 2012 and 2012 R2 include BitLocker Drive Encryption, and only the operating system drive (usually C:) or internal hard drives can be encrypted with BitLocker. Files on other types of drives must be encrypted using BitLocker To Go. BitLocker To Go allows you to put BitLocker on removable media such as external hard disks or USB drives.

BitLocker uses a Trusted Platform Module (TPM) version 1.2 or higher to store the security startup key. A TPM is a chip that is found in newer computers. If you do not have a computer with a TPM, you can store the startup key on a removable USB drive. If you don’t have a system with TPM, you will need to turn off the TPM setting in the local computer settings as shown in Figure 4.20. The USB drive will be required each time you start the computer so that the system drive can be decrypted.

Screenshot shows radio buttons to enable and disable additional authentication, texfield to enter comment, compatible Windows version, configuration settings for computers with a TPM and Help information.

Figure 4.20 Changing the TPM settings

If the TPM discovers a potential security risk, such as a disk error or changes made to BIOS, hardware, system files, or startup components, the system drive will not be unlocked until you enter the 48-digit BitLocker recovery password or use a USB drive with a recovery key as a recovery agent.

BitLocker must be set up either within the Local Group Policy editor or through the BitLocker icon in Control Panel. One advantage of using BitLocker is that you can prevent any unencrypted data from being copied onto a removable disk, thus protecting the computer.

BitLocker requires that you have a hard disk with at least two partitions, both formatted with NTFS. One partition will be the system partition that will be encrypted. The other partition will be the active partition that is used to start the computer. This partition will remain unencrypted.

Features of BitLocker

As with any version of Windows, Microsoft continues to improve on technologies for Windows Server 2012 R2 and Windows 10. The following sections cover some of the features of BitLocker.

BitLocker Provisioning

In previous versions of BitLocker (Windows 7), the BitLocker provisioning (system and data volumes) was completed during the post-installation of the BitLocker utility. The BitLocker provisioning was done either through the command-line interface (CLI) or Control Panel. In the Windows 8, Windows 10, and Windows Server 2012 R2 version of BitLocker, an administrator can choose to provision BitLocker before the operating system is even installed.

Administrators have the ability to enable BitLocker, prior to the operating system deployment, from the Windows Preinstallation Environment (WinPE). BitLocker is applied to the formatted volume, and BitLocker encrypts the volume prior to running the Windows setup process.

If an administrator wants to check the status of BitLocker on a particular volume, the administrator can view the status of the drive in either the BitLocker Control Panel applet or Windows Explorer.

Encrypting Used Disk Space Only

Windows 10 BitLocker has a requirement that all data and free space on the drive has to be encrypted. Because of this, the encryption process can take a very long time on larger volumes. In Windows 10 BitLocker, administrators have the ability to encrypt either the entire volume or just the space being used. When you choose to encrypt the Used Disk Space Only option, only the section of the drive that has data will be encrypted. Because of this, encryption is completed much faster.

Standard User PIN and Password Change

One issue that BitLocker has had is that you need to be a local administrator to configure BitLocker on operating system drives. This can be an issue in a large organization due to the fact deploying the Trusted Platform Module (TPM) + PIN to a large number of computers can be very challenging.

Even with the new operating system changes, administrative privileges are still needed to configure BitLocker, but now your users have the ability to change the BitLocker PIN for the operating system or change the password on the data volumes.

When a user gets to choose their own PIN and password, they normally choose something that has meaning and something easy for them to remember. That is a good thing and a bad thing. It’s good because when your users choose their own PIN and password, normally they don’t need to write it down—they just know it. It’s bad because if anyone knows the user well, they can have an easier time figuring out the person’s PIN and password. Even when you allow your users to choose their own PIN and password, make sure you set a GPO to require password complexity.

Network Unlock

One of the new features of BitLocker is called Network Unlock. Network Unlock allows administrators to easily manage desktop and servers that are configured to use BitLocker. Network Unlock allows an administrator to configure BitLocker to unlock automatically an encrypted hard drive during a system reboot when that hard drive is connected to their trusted corporate environment. For this to function properly on a system, there has to be a DHCP driver implementation in that system’s firmware.

If your operating system volume is also protected by the TPM + PIN protection, the administrator has to be sure to enter the PIN at the time of the reboot. This protection can actually make using Network Unlock more difficult to use, but they can be used in combination.

Support for Encrypted Hard Drives for Windows

One of the new advantages of using BitLocker is Full Volume Encryption (FVE). BitLocker provides built-in encryption for Windows data files and Windows operating system files. The advantage of this type of encryption is that encrypted hard drives that use Full Disk Encryption (FDE) get each block of the physical disk space encrypted. Because each physical block gets encrypted, it offers much better encryption. The only downside to this is because each physical block is encrypted, it adds some degradation to the hard drive speed. So, as an administrator, you have to decide if you want better speeds or better security on your hard disk.

Windows 7 and 2008 R2 vs. Windows 10 and 2012 R2

When reading a book on a new operating system, the first question most of us have is what’s the difference between Windows 7 and Windows 2008 R2 versus Windows 10 and Windows Server 2012 R2. Table 4.3 shows you many of the common features and how they worked then and now.

Table 4.3 BitLocker then and now

Feature Windows 7/Server 2008 R2 Windows 10/Server 2012 R2
Reset the BitLocker PIN or password The user’s privileges must be set to an administrator if you want to reset the BitLocker PIN on an operating system drive and the password on a fixed or removable data drive. Standard users now have the ability to reset the BitLocker PIN and password on operating system drives, fixed data drives, and removable data drives.
Disk encryption When BitLocker is enabled, the entire disk is encrypted. When BitLocker is enabled, users have the ability to choose whether to encrypt the entire disk or only the used space on the disk.
Hardware Encrypted Drive support Not supported. If the Windows logo hard drive comes pre-encrypted from the manufacturer, BitLocker is supported.
Unlocking using a network-based key to provide dual-factor authentication Not available. If a computer is rebooted on a trusted corporate wired network, the key protector then allows a key to unlock and skip the PIN entry.
Protection for clusters Not available. Windows Server 2012 R2 BitLocker includes the ability to support cluster shared volumes and failover clusters as long as they are running in a domain that was established by a Windows Server 2012 R2 domain controller with the Kerberos Key Distribution Center Service enabled.
Linking a BitLocker key protector to an Active Directory account Not available.   BitLocker allows a user, group, or computer account in Active Directory to be tied to a key protector. This key protector allows a protected data volumes to be unlocked.

In Exercise 4.3, you will enable BitLocker on the Windows 10 system.

Image described by surrounding text.

Figure 4.21 Choosing the BitLocker icon

Using the BitLocker Administration and Monitoring Utility

Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP) and will allow the IT department to use enterprise-based utilities for managing and maintaining BitLocker and BitLocker To Go. As I talked about BitLocker, one of the hardest components of BitLocker is managing and maintaining BitLocker deployment and key recovery. This is where MBAM comes in to play.

MBAM helps IT departments simplify BitLocker deployment and key recovery while also providing centralized compliance monitoring and reporting. MBAM also helps minimize the money related to provisioning and supporting encrypted BitLocker drives.

As explained, BitLocker helps protect against the theft of hardware, and MBAM helps an IT department administer BitLocker in an easy-to-use administrative Microsoft Management Console (MMC) interface.

Overview of MBAM

Microsoft has created MBAM 2.5 to help administrators handle and administer BitLocker and BitLocker To Go. MBAM offers many of the following features:

  • Allows IT administrators to automatically set up client computers to use encrypted volumes across the entire enterprise.
  • Allows corporate security personnel to rapidly determine if the corporate compliances have been met, and it also allows them to check the state of individual computers throughout the network.
  • IT members can use Microsoft System Center Configuration Manager to have a centralized reporting and hardware management utility that works with MBAM.
  • Helps IT departments to rapidly assist end users with BitLocker PIN and recovery key requests.
  • Allows corporate users to recover their own encrypted devices by using the MBAM Self-Service Portal.
  • Give corporations piece of mind that their users can work anywhere in the world with the knowledge that corporate data is being protected.

Understanding Smart Cards

Another way to help secure Windows 10 is by using smart cards. Smart cards are plastic cards (the size of a credit card) that can be used in combination with other methods of authentication. This process of using a smart card along with another authentication method is called two-factor authentication or multifactor authentication. Authentication is the process of using user credentials to log on to either a local Windows 10 machine or a domain.

Smart card support allows you to increase the security of many critical functions of your company, including client authentication, interactive logon, and document signing.

Smart cards are now easier than ever to use and deploy because of the new features included with all versions of Windows 10.

Enhanced Support for Smart Card–Related Plug and Play and the Personal Identity Verification (PIV) Standard This allows users of Windows 10 to use smart cards from vendors who publish their drivers through Windows Update, allowing Windows 10 to use the smart card without special middleware. These drivers are downloaded in the same way as drivers for other Windows devices are downloaded. When a smart card that is PIV compliant is placed into a smart-card reader, Windows 10 will try to download a current driver from Windows Update. If a driver is not available, the PIV-compliant minidriver that is included with Windows 10 is used for the smart card.

Encrypting Drives with BitLocker If your users are using Windows 10 Enterprise or Professional, the users can choose to encrypt their removable media by turning on BitLocker and then choosing the smart-card option to unlock the drive. Windows will then retrieve the correct minidriver for the smart card and allow the operation to complete.

Smart-Card Domain Logon When using Windows 10, the correct minidriver for a smart card is automatically retrieved. This allows a new smart card to authenticate with the domain controller without requiring the user to install or configure additional middleware.

Document and Email Signing Windows 10 users can use smart cards to sign an email or document. XML Paper Specification (XPS) documents can also be signed without additional software.

Use with Line-of-Business Applications Using Windows 10 smart cards allows applications that use Cryptography Next Generation (CNG) or CryptoAPI to retrieve the correct minidriver at runtime. This eliminates the need for middleware.

Summary

In this chapter, we started looking at how to set up and configure folders on a Windows 10 and Windows Server 2012 R2 system. We talked about sharing those folders and how to grant access to those folders by using NTFS and shared permissions.

We also talked a Dynamic Access Control (DAC) and how Dynamic Access Control allows an administrator to identify data by using data classifications and then controlling access to these files based on these classifications.

DAC also gives administrators the ability to control file access by using a central access policy. This central access policy will also allow an administrator to set up audit access to files for reporting and forensic investigation.

We also talked about BitLocker and BitLocker To Go including Data Recovery Agent and Microsoft BitLocker Administration and Monitoring (MBAM).

We then finished the chapter by talking about two-factor authentication using smart cards. Smart cards and user accounts will be discussed in greater detail in Chapter 8 “Managing Identity and Authorization.”

Video Resources

There are videos available for the following exercises:

4.1

4.3

You can access the videos at www.wiley.com/go/sybextestprep on the Other Study Tools tab.

Exam Essentials

Understand folder options. Understand the purpose and features of using folders and files. Properly configuring folders and folder access is one of the most important tasks that we do on a daily basis.

Understand NTFS and share permissions. Be able to configure security permissions and know the difference between NTFS and share permissions.

Know how to use BitLocker Drive Encryption. Understand the purpose and requirements of BitLocker Drive Encryption. Know which editions of Windows 10 (Enterprise, Education, and Professional) include BitLocker.

Understand Microsoft BitLocker Administration and Monitoring (MBAM). Understand the purpose and requirements of MBAM. MBAM allows an IT department to manage all of your BitLocker setting through the use of one application.

Understand Smartcards. You need to understand smart cards and two-factor authentication. The reason it is called two-factor authentication is because you need the smart card and the PIN (two factors).

Review Questions

  1. You are hired by a friend to set up a network in their home. They have four machines in their home that are all connected by an ISP wireless router. The systems can’t share documents because there is currently no network sharing in place. They want to be able to share audio and video files among their family. How can you easily set up a network? Choose two.

    1. Install a Windows Server 2008 R2 domain controller.
    2. Create a HomeGroup.
    3. All audio and video files should be moved to the HomeGroup libraries.
    4. Move all audio and video files to a shared folder on the Windows Server 2008 R2 machine.

  2. You are the network administrator for a large organization. You have a Windows 10 machine that needs to prevent any user for copying unencrypted files from the Windows 10 machine to any removable disk. How do you accomplish this task?

    1. Within the System icon in Control Panel, set the BitLocker Drive encryption.
    2. Within the Hardware icon in Control Panel, set the BitLocker Drive encryption.
    3. Within the Device Manager icon in Control Panel, set the BitLocker Drive encryption.
    4. Within a Local Group Policy, set the BitLocker Drive encryption.

  3. Which editions of Windows 10 can you enable BitLocker? Choose all that apply.

    1. Windows 10 Education Edition
    2. Windows 10 Basic Edition
    3. Windows 10 Professional Edition
    4. Windows 10 Enterprise Edition

  4. You have a network folder that resides on an NTFS partition on a Windows 10 computer. NTFS permissions and share permissions have been applied. Which of the following statements best describes how share permissions and NTFS permissions work together if they have been applied to the same folder?

    1. The NTFS permissions will always take precedence.
    2. The share permissions will always take precedence.
    3. The system will look at the cumulative share permissions and the cumulative NTFS permissions. Whichever set is less restrictive will be applied.
    4. The system will look at the cumulative share permissions and the cumulative NTFS permissions. Whichever set is more restrictive will be applied.

  5. You are the network administrator for a medium-sized company. Rick was the head of HR and recently resigned. John has been hired to replace Rick and has been given Rick’s laptop. You want John to have access to all of the resources to which Rick had access. What is the easiest way to manage the transition?

    1. Rename Rick’s account to John.
    2. Copy Rick’s account and call the copied account John.
    3. Go into the Registry and do a search and replace to replace all of Rick’s entries with John’s name.
    4. Take ownership of all of Rick’s resources and assign John Full Control to the resources.

  6. Jeff, the IT manager for Stormwind, has been asked to give Tom the rights to read and change documents in the Stormwind Documents folder. The following table shows the current permissions on the shared folder:

    Group/User NTFS Shared
    Sales Read Change
    Marketing Modify Change
    R&D Deny Full Control
    Finance Read Read
    Tom Read Change

    Tom is a member of the Sales and Finance groups. When Tom accesses the Stormwind Documents folder, he can read all the files, but the system won’t let him change or delete files. What do you need to do to give Tom the minimum amount of rights to do his job?

    1. Give Sales Full Control to shared permissions.
    2. Give Tom Full Control to NTFS security.
    3. Give Finance Change to shared permissions.
    4. Give Finance Modify to NTFS security.
    5. Give Tom Modify to NTFS security.

  7. You are the IT manager for your company. You have been asked to give the Admin group the rights to read, change, and assign permissions to documents in the Stormwind Documents folder. The following table shows the current permissions on the Stormwind Documents shared folder:

    Group/User NTFS Shared
    Sales Read Change
    Marketing Modify Change
    R&D Deny Full Control
    Finance Read Read
    Admin Change Change

    What do you need to do to give the Admin group the rights to do their job? (Choose all that apply.)

    1. Give Sales Full Control to shared permissions.
    2. Give Full Control to NTFS security.
    3. Give Admin Full Control to shared permissions.
    4. Give Finance Modify to NTFS security.
    5. Give Admin Full Control to NTFS security.

  8. Vincent is an instructor for Stormwind, and he is talking to Jeff, the company’s IT manager. Vince asks Jeff to implement some type of two-factor authentication. What can Jeff install to complete this request?

    1. Passwords and usernames
    2. Retina scanners
    3. Fingerprint scanners
    4. Smart cards

  9. You are using Windows 10 and you have created a file with called “my text” in Notepad and has a .txt extension type. You need to change the extension type from .txt to .vbx. What setting do you need to change on the folder so that you can see the extension types?

    1. Uncheck Hide Extensions For Known File Types
    2. Check Unhide Extensions For Files
    3. Check show Extensions For Files
    4. Uncheck Hide All File Types

  10. The owner of your company has come to you and stated that they want all of the hardware on all systems to use BitLocker and BitLocker To Go. What utility should you install to help manage and maintain BitLocker and BitLocker To Go?

    1. MAAM
    2. MBAM
    3. MNBM
    4. MABM