Configuring, Managing, and Troubleshooting Security


  • The exam may touch on two things about the Encrypting File System (EFS): the file system must be NTFS if you want to use EFS, and no file can be both encrypted and compressed at the same time.

  • NTFS is required for EFS.

  • A user must have a file encryption certificate before another user can grant him the right to open a shared encrypted file.

  • Data recovery agents are users with file encryption certificates who have been designated the right to decrypt users' encrypted files in case the user's file encryption certificate is damaged or lost.

  • Public keys are stored in the My Certificates folder of a user's profile in plain text.

  • Private keys are encrypted in the RSA folder in a user's profile.

  • Cipher.exe is the command used to manage EFS encrypted files. Cipher /e encrypts, and cipher /d decrypts.

  • A security template is created as an .inf file. This file is imported into a database with an extension of .sdb. If you use Secedit.exe, secedit /configure /db path\database.sdb is the command that applies the security settings in the database, overwriting the existing security settings.

  • Account policies for passwords and account lockouts that are set in an Active Directory Group Policy object (GPO) apply only to a domain.

  • Table 24 describes password policies and their default values.

Table 24. Password Policies

| Policy | Meaning | Default Value |
|---|---|---|
| Enforce Password History | Number of unique passwords that the computer can remember | 0 |
| Maximum Password Age | Number of days after first being set until the user is forced to change the password | 42 days |
| Minimum Password Age | Number of days after first being set until the user is allowed to change the password | 0 days |
| Minimum Password Length | Number of characters required for any password | 0 |
| Password Must Meet Complexity Requirements | Requires that the password not contain the user name or real name, be at least six characters long, and be a combination of letters, numbers, and symbols | Disabled |
| Store Password Using Reversible Encryption | Allows users' passwords to be stored in reversible encryption, which is not much more secure than plain text | Disabled |


  • Table 25 describes account lockout policies and their suggested values.

Table 25. Account Lockout Policies

| Policy | Meaning |
|---|---|
| Account Lockout Duration | Number of minutes after being locked out before account is allowed to log on. Suggested value 30 minutes. |
| Account Lockout Threshold | Number of bad passwords that are accepted before the user account is locked out. Suggested value 3 attempts. |
| Reset Account Lockout Counter After | Number of minutes after submitting a bad password that the computer "forgets" that there was a failed logon attempt. Suggested value 30 minutes. |


  • The sequence of application of GPO settings is

    1. Windows NT 4 system policies found in NTConfig.pol

    2. Local policies

    3. Site group policies

    4. Domain group policies

    5. OU group policies

    6. Child OU group policies (applied after the group policies of the top-level OUs and flow down the hierarchy of the Active Directory)

  • To configure the security settings for an Internet zone, click the zone to select it and then click the Custom Level button. The zones are Internet, Local Intranet, Trusted Sites, and Restricted.
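Added example (not from the book): a check of a security template's [System Access] section against Table 24 and Table 25, reporting password policies left at their defaults and lockout values that differ from the suggested ones. The sample template text is constructed; the key names are the ones Secedit.exe writes in template .inf files, and a missing password key is assumed to mean the default.

```python
# Constructed sample of a security template (.inf); not taken from a real system.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
NewAdministratorName = "Administrator"
"""
TABLE_24 = {  # template key -> (policy, Table 24 default value)
    "PasswordHistorySize": ("Enforce Password History", 0),
    "MaximumPasswordAge": ("Maximum Password Age", 42),
    "MinimumPasswordAge": ("Minimum Password Age", 0),
    "MinimumPasswordLength": ("Minimum Password Length", 0),
    "PasswordComplexity": ("Password Must Meet Complexity Requirements", 0)}
TABLE_25 = {  # template key -> (policy, Table 25 suggested value)
    "LockoutDuration": ("Account Lockout Duration", 30),
    "LockoutBadCount": ("Account Lockout Threshold", 3),
    "ResetLockoutCount": ("Reset Account Lockout Counter After", 30)}

def parse_system_access(text):
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in .inf files
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            if val.strip().lstrip("-").isdigit():  # skip string settings
                values[key.strip()] = int(val)
    return values

def audit(text):
    found = parse_system_access(text)
    out = [f"{name}: left at Table 24 default ({d})"  # absent key = default (assumption)
           for k, (name, d) in TABLE_24.items() if found.get(k, d) == d]
    if found.get("ClearTextPassword", 0) == 1:
        out.append("Store Password Using Reversible Encryption: enabled")
    out += [f"{name}: {found.get(k, 'not set')}, Table 25 suggests {s}"
            for k, (name, s) in TABLE_25.items() if found.get(k) != s]
    return out
```

Calling audit(SAMPLE_INF) returns five findings for the sample: three password policies still at their defaults, reversible encryption enabled, and a lockout threshold of 5 where Table 25 suggests 3.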



Exam Prep 2. Windows XP Professional
MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
ISBN: 0789733633
EAN: 2147483647
Year: 2004
Pages: 193
