A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. Jon uses EFS to encrypt his files on the network file server. By using EFS, has Jon protected his files at all times?

2. Andrea is attempting to encrypt a folder on her Windows 2000 Professional computer. When she encrypts the folder, she notices that it is no longer NTFS compressed. Why is this so?

3. Catherine is the senior member of the accounting department in your company. She has several database files that need to be protected from access by other members of her department who have NTFS permissions allowing them read and write access to the network share where the database files are located. What is the easiest thing you can do to help Catherine secure her database files without adding to your administrative workload or changing any user's NTFS permissions? (Choose all that apply.)

Answers
1. ☑ A. When files are encrypted on a network server using EFS, they are encrypted only while on that server. Files are decrypted on the server and sent across the network in plaintext. Jon would need to implement IPSec on the network to ensure security while in transit. ☒ B, C, D. EFS-encrypted files are decrypted on the file server and transmitted in plaintext across the network, thus Answer B is incorrect. EFS does not provide end-to-end security; that is a solution provided by IPSec, thus Answer C is incorrect. EFS can be used on network servers as long as they have been marked for delegation, thus Answer D is incorrect.

2. ☑ C. EFS encryption and NTFS compression are mutually exclusive, thus Andrea will not be able to use both at the same time on her folder. She can have some compressed files and some encrypted files within the same folder, but she cannot apply both attributes at the folder level itself. ☒ A, B, D. EFS encryption and NTFS compression are mutually exclusive. Being logged in with a domain account or an Administrative account will not change this fact, thus Answers A and B are incorrect. The extra users function is only available in Windows XP and later operating systems. Furthermore, EFS encryption and NTFS compression are mutually exclusive, thus Answer D is incorrect.

3. ☑ A, C. By having Catherine create and encrypt a new folder, all documents created or placed in the folder automatically become encrypted. Additionally, any temp files created by the application in this folder will be encrypted as well, further increasing the security of her data. ☒ B, D. Creating a batch file using the cipher command is not necessary since Catherine can quite easily create the new folder and encrypt it on her own, thus Answer B is incorrect. Moving users from one OU to another is not required and is most certainly not the easiest solution to this problem, thus Answer D is incorrect.

4. Chris wants to use EFS encryption on some of her files that are stored on the network file server. The file server is running Windows NT 4.0 SP6. Will she be able to use EFS encryption? Why or why not?

5. What is the result of applying a public key to an unencrypted file called?

6. Hannah has several critical payroll files on which she would like to increase security by encrypting them with EFS encryption. The files are named payroll1.pay, payroll2.pay, and payroll3.pay and are located in the Payroll folder on her computer. What does she need to encrypt to ensure maximum security is obtained for these files and the data they contain?

Answers
4. ☑ C. EFS is not supported on legacy Windows operating systems, such as Windows NT 4.0 or Windows 98. You must be using Windows 2000 or later in order to be able to use EFS encryption. ☒ A, B, D. You cannot use EFS encryption on any Service Level of Windows NT 4.0, thus Answer A is incorrect. EFS encryption can be used on network file servers running Windows 2000 as long as they have been delegated for trust, thus Answer B is incorrect. Again, EFS requires that Windows 2000 or later be in use on the file server, thus Answer D is incorrect.

5. ☑ C. After an unencrypted file has been encrypted using a public key, it is known as ciphertext. ☒ A, B, D. Plaintext is the data before it has been encrypted, thus Answer A is incorrect. Encoded text is text that has been transformed into an encoded form (such as Base 64 Web encoding; see Chapter 8) but is not encrypted and can be very easily decoded without a private key, thus Answer B is incorrect. Signing refers to using a digital certificate to digitally sign a document proving that it is authentic and valid, thus Answer D is incorrect.

6. ☑ B. The best solution is to implement encryption at the folder level (making sure that the encryption attribute is set at that time to all files and folders in that folder). By doing so, not only will the payroll files be encrypted, but so will any temp files that are created in that directory. If she only encrypts the files themselves, any new files added to that directory, including temp files, will not be encrypted. ☒ A, C, D. Encrypting only two files and the folder might not automatically provide protection for the third file unless Hannah specifies that it is to be encrypted as well, which she can do. This, however, is not the best approach from a security point of view, thus Answer A is incorrect. Encrypting only the three payroll files themselves will leave any temp files that her payroll application creates unencrypted and vulnerable to compromise. It's better to encrypt at the folder level, thus Answer C is incorrect. Encrypting an entire volume is not advised and not possible if the volume contains system files. EFS will not encrypt system files, thus Answer D is incorrect.

7. Austin is preparing to copy several hundred EFS encrypted files from one Windows 2000 NTFS folder to another Windows 2000 NTFS folder. All the files are EFS encrypted. The source folder is EFS encrypted. The destination folder is not EFS encrypted. What will be the result of his action to copy these files?

8. Chan has identified several folders on several of his Windows 2000 file servers that he would like to encrypt using his EFS certificate. Rather than perform the encryption process manually through Windows Explorer, he wants to use the cipher command. He plans to use the cipher command in a script and does not want it to stop running if an error is encountered during the process. What command should be used on these folders to achieve this result?

9. On a local computer, who is the default data recovery agent?

10. In a Windows 2000 Active Directory domain, who is the default data recovery agent?

11. You want to create a new EFS data recovery agent for your Windows 2000 Active Directory domain. From where will you perform this task?

12. What is the effect of running the cipher command from a directory without specifying any switches?

Answers
7. ☑ D. If the file to be copied is encrypted and it is being copied from one Windows 2000 NTFS folder to another, it will remain encrypted regardless of the encryption state of the destination folder. ☒ A, B, C. EFS-encrypted files can be copied just the same as any other file and can retain their encryption status due to improvements in the Windows 2000 copy command, thus Answer A is incorrect. The encryption state of the folder is not important as long as it is a Windows 2000 NTFS folder and the files themselves are encrypted, which they are in this case, so Answer B is incorrect. There will be no prompt asking Austin to choose what the final encryption status is to be, thus Answer C is incorrect. File operations with EFS-encrypted files are done transparently to the user except in the case of intentional encryptions and decryptions.

8. ☑ B. Christopher will want to use the cipher /e /i /s directory command, where directory is the name of the directory in which the files to be encrypted are located. The /e switch specifies that encryption is to occur, and the /i switch specifies that the process is to continue, even if errors occur. ☒ A, C, D. Issuing a cipher command with both the /e and /d switches is invalid, thus Answer A is incorrect. Issuing a cipher command with the /d switch causes the files to become decrypted, thus Answer C is incorrect. Issuing a cipher command without the /i switch will not force the cipher operation to continue should errors occur, thus Answer D is incorrect.

9. ☑ D. On a local computer, one that is not participating in a Windows 2000 Active Directory domain, the built-in local Administrator account is the default data recovery agent. For security reasons, you should rename this account (from Administrator) and consider exporting the EFS recovery certificate and private keys from the computer—especially if it's a portable computer. ☒ A, B, C. The built-in local Administrator account is the default data recovery agent on a local computer, thus Answers A, B, and C are incorrect.

10. ☑ B. The built-in domain admin account is the default data recovery agent in a Windows 2000 Active Directory domain. This account name should be changed from Administrator and not be used unless absolutely required. You should consider creating a new EFS recovery agent to perform this function. ☒ A, C, D. The built-in domain admin account is the default data recovery agent in a Windows 2000 Active Directory domain, thus Answers A, C, and D are incorrect.

11. ☑ D. New EFS recovery agents can be created from the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents node of the domain GPO. Right-click Encrypted Data Recovery Agents and select Create from the context menu to start the Certificate Request Wizard, which will help you complete this process. ☒ A, B, C. New EFS recovery agents can be created from the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents node of the domain GPO, thus Answers A, B, and C are incorrect.

12. ☑ D. By executing the cipher command with no modifying switches, you can quickly ascertain the encryption status of all files and folders located in the directory you are examining. ☒ A, B, C. By executing the cipher command with no modifying switches, you can quickly ascertain the encryption status of all files and folders located in the directory you are examining, thus Answers A, B, and C are all incorrect.

13. You are the data recovery agent for your Windows 2000 Active Directory domain. Pat informs you that she can no longer access files that she had previously encrypted. You discover that her EFS certificate has expired and issue her a new one. She still cannot access the files. What do you need to do in order for her to be able to access these files? (Choose all that apply.)

14. You are the data recovery agent for your Windows 2000 Active Directory domain. Jon informs you that he can no longer access files that he had previously encrypted. You discover that Jon's EFS certificate has expired, so you issue him a new one. Jon still cannot access the files. What do you need to do in order for Jon to be able to access these files? (Choose all that apply.)

15. Andrew is one of your traveling salespeople. Andrew has a Windows 2000 portable computer on which he uses EFS encryption. While Andrew was traveling last week, he encrypted several files on his computer. This week when he placed his portable computer in the port replicator and logged into the corporate network, he reports to you that he cannot access these files any longer, although they are still on his computer. What is the most likely reason for this problem?

Answers
13. ☑ A, C, D. In this case, you would need to restore the files from a backup to a recovery computer that has the recovery certificates installed. Once this is done, you can decrypt the files and then place them back into the location where Pat had them originally. Pat can then encrypt them using her new EFS certificate. ☒ B. Deleting Pat's user account will not help correct this problem, thus Answer B is incorrect.

14. ☑ A, D. You can export your recovery agent certificate and then import it onto the computer that has the encrypted files. Once this is done, you will need to decrypt the files using Windows Explorer. After that has been done, the files can be encrypted again using Jon's new EFS certificate, if he desires to do so. ☒ B, C. Restoring the encrypted files from a backup tape is not required when using this method, thus Answer B is incorrect. Issuing Jon an EFS Recovery Agent certificate is probably not a good idea, since he will then be able to decrypt all EFS encrypted data, thus Answer C is incorrect.

15. ☑ B. The most likely reason that Andrew cannot access the files is that he encrypted them when he was logged into the computer locally instead of using a set of cached domain account credentials. ☒ A, C, D. Although it is possible that Andrew's EFS certificate expired in this period of time, it is unlikely. The most likely reason that he cannot access the files is that he used his local computer account to encrypt them, thus Answer A is incorrect. Again, the most likely reason for the problem is that Andrew used his local computer account, not the domain user account he is trying to use now to access the files, thus Answer C is incorrect. If Andrew was able to select EFS encryption on his files in the first place, his hard drive was formatted with NTFS, thus Answer D is incorrect.