Chapter 5: Managing and Troubleshooting the Encrypting File System

The Role of EFS in a Network Security Plan

  1. Jon uses EFS to encrypt his files on the network file server. By using EFS, has Jon protected his files at all times?

    1. No, because the files are decrypted on the file server and then sent in plaintext across the network.

    2. Yes, because the files are sent in ciphertext across the network and decrypted on his local computer.

    3. Yes, because EFS also provides end-to-end security for data.

    4. No, because EFS cannot be used on network file servers, only on a local computer.

    ☑ A. When files are encrypted on a network server using EFS, they are encrypted only while on that server. Files are decrypted on the server and sent across the network in plaintext. Jon would need to implement IPSec on the network to ensure security while in transit.

    ☒ B, C, D. EFS-encrypted files are decrypted on the file server and transmitted in plaintext across the network, thus Answer B is incorrect. EFS does not provide end-to-end security; that is a solution provided by IPSec, thus Answer C is incorrect. EFS can be used on network servers as long as they have been marked for delegation, thus Answer D is incorrect.

  2. Andrea is attempting to encrypt a folder on her Windows 2000 Professional computer. When she encrypts the folder, she notices that it is no longer NTFS compressed. Why is this so?

    1. Andrea is not logged in with a domain account. Domain accounts are required to implement both encryption and compression at the same time.

    2. Andrea is not a member of the Administrators group. Only Administrators can implement both encryption and compression at the same time.

    3. EFS encryption and NTFS compression are mutually exclusive. You cannot implement both encryption and compression at the same time.

    4. Extra users have been added to the files contained in the folder. You must not have extra users added to a file in order to apply both encryption and compression to it.

    ☑ C. EFS encryption and NTFS compression are mutually exclusive, thus Andrea will not be able to use both at the same time on her folder. She can have some compressed files and some encrypted files within the same folder, but she cannot apply both attributes at the folder level itself.

    ☒ A, B, D. EFS encryption and NTFS compression are mutually exclusive. Being logged in with a domain account or an Administrative account will not change this fact, thus Answers A and B are incorrect. The extra users function is only available in Windows XP and later operating systems. Furthermore, EFS encryption and NTFS compression are mutually exclusive, thus Answer D is incorrect.

  3. Catherine is the senior member of the accounting department in your company. She has several database files that need to be protected from access by other members of her department who have NTFS permissions allowing them read and write access to the network share where the database files are located. What is the easiest thing you can do to help Catherine secure her database files without adding to your administrative workload or changing any user's NTFS permissions? (Choose all that apply.)

    1. Instruct Catherine to create a new folder and place her database documents inside it.

    2. Create a batch file for Catherine that uses the cipher command to encrypt her files for her in their current folder.

    3. Instruct Catherine to configure EFS encryption on the folder itself from Windows Explorer.

    4. Remove all the other users in Catherine's department from the OU they are located in and place them in a new OU with different effective NTFS permissions.

    ☑ A, C. By having Catherine create and encrypt a new folder, all documents created or placed in the folder automatically become encrypted. Additionally, any temp files created by the application in this folder will be encrypted as well, further increasing the security of her data.

    ☒ B, D. Creating a batch file using the cipher command is not necessary since Catherine can quite easily create the new folder and encrypt it on her own, thus Answer B is incorrect. Moving users from one OU to another is not required and is most certainly not the easiest solution to this problem, thus Answer D is incorrect.

Using the Encrypting File System

  1. Chris wants to use EFS encryption on some of her files that are stored on the network file server. The file server is running Windows NT 4.0 SP6. Will she be able to use EFS encryption? Why or why not?

    1. Yes. SP6 upgrades NTFS v4 to NTFS v5, which is the version used by Windows 2000.

    2. No. EFS encryption cannot be used on a network file server, only on a local computer.

    3. No. EFS encryption can only be used in Windows 2000, Windows XP, and Windows .NET, not in Windows NT 4.0 or any other Windows product.

    4. Yes. As long as her computer is using Windows 2000, it makes no difference what operating system the file server is running.

    ☑ C. EFS is not supported on legacy Windows operating systems, such as Windows NT 4.0 or Windows 98. You must be using Windows 2000 or later in order to be able to use EFS encryption.

    ☒ A, B, D. You cannot use EFS encryption on any Service Level of Windows NT 4.0, thus Answer A is incorrect. EFS encryption can be used on network file servers running Windows 2000 as long as they have been delegated for trust, thus Answer B is incorrect. Again, EFS requires that Windows 2000 or later be in use on the file server, thus Answer D is incorrect.

  2. What is the result of applying a public key to an unencrypted file called?

    1. Plaintext

    2. Encoded

    3. Ciphertext

    4. Signed

    ☑ C. After an unencrypted file has been encrypted using a public key, it is known as ciphertext.

    ☒ A, B, D. Plaintext is the data before it has been encrypted, thus Answer A is incorrect. Encoded text is text that has been transformed into an encoded form (such as Base 64 Web encoding; see Chapter 8) but is not encrypted and can be very easily decoded without a private key, thus Answer B is incorrect. Signing refers to using a digital certificate to digitally sign a document proving that it is authentic and valid, thus Answer D is incorrect.

  3. Hannah has several critical payroll files on which she would like to increase security by encrypting them with EFS encryption. The files are named payroll1.pay, payroll2.pay, and payroll3.pay and are located in the Payroll folder on her computer. What does she need to encrypt to ensure maximum security is obtained for these files and the data they contain?

    1. Hannah needs to implement EFS encryption on the payroll1.pay file, the payroll2.pay file, and the Payroll folder.

    2. Hannah needs to implement EFS encryption on the Payroll folder only.

    3. Hannah needs to implement EFS encryption on the payroll1.pay, payroll2.pay, and payroll3.pay files only.

    4. Hannah needs to implement EFS encryption on the root of the volume on which the files are stored.

    ☑ B. The best solution is to implement encryption at the folder level (making sure that the encryption attribute is set at that time to all files and folders in that folder). By doing so, not only will the payroll files be encrypted, but so will any temp files that are created in that directory. If she only encrypts the files themselves, any new files added to that directory, including temp files, will not be encrypted.

    ☒ A, C, D. Encrypting only two files and the folder might not automatically provide protection for the third file unless Hannah specifies that it is to be encrypted as well, which she can do. This, however, is not the best approach from a security point of view, thus Answer A is incorrect. Encrypting only the three payroll files themselves will leave any temp files that her payroll application creates unencrypted and vulnerable to compromise. It's better to encrypt at the folder level, thus Answer C is incorrect. Encrypting an entire volume is not advised and not possible if the volume contains system files. EFS will not encrypt system files, thus Answer D is incorrect.

User Operations

  1. Austin is preparing to copy several hundred EFS encrypted files from one Windows 2000 NTFS folder to another Windows 2000 NTFS folder. All the files are EFS encrypted. The source folder is EFS encrypted. The destination folder is not EFS encrypted. What will be the result of his action to copy these files?

    1. EFS encrypted files cannot be copied, thus nothing will happen. He will need to decrypt them before copying.

    2. The files will become decrypted because the destination folder is not encrypted.

    3. He will be prompted to choose whether or not each file should remain encrypted after the files have been copied to the destination folder.

    4. The files will remain encrypted because the files themselves are encrypted.

    ☑ D. If the file to be copied is encrypted and it is being copied from one Windows 2000 NTFS folder to another, it will remain encrypted regardless of the encryption state of the destination folder.

    ☒ A, B, C. EFS-encrypted files can be copied just the same as any other file and can retain their encryption status due to improvements in the Windows 2000 copy command, thus Answer A is incorrect. The encryption state of the folder is not important as long as it is a Windows 2000 NTFS folder and the files themselves are encrypted, which they are in this case, so Answer B is incorrect. There will be no prompt asking Austin to choose what the final encryption status is to be, thus Answer C is incorrect. File operations with EFS-encrypted files are done transparently to the user except in the case of intentional encryptions and decryptions.

  2. Chan has identified several folders on several of his Windows 2000 file servers that he would like to encrypt using his EFS certificate. Rather than perform the encryption process manually through Windows Explorer, he wants to use the cipher command. He plans to use the cipher command in a script and does not want it to stop running if an error is encountered during the process. What command should be used on these folders to achieve this result?

    1. cipher /e /d /s directory

    2. cipher /e /i /s directory

    3. cipher /d /i /s directory

    4. cipher /e /f /s directory

    ☑ B. Christopher will want to use the cipher /e /i /s directory command, where directory is the name of the directory in which the files to be encrypted are located. The /e switch specifies that encryption is to occur, and the /i switch specifies that the process is to continue, even if errors occur.

    ☒ A, C, D. Issuing a cipher command with both the /e and /d switches is invalid, thus Answer A is incorrect. Issuing a cipher command with the /d switch causes the files to become decrypted, thus Answer C is incorrect. Issuing a cipher command without the /i switch will not force the cipher operation to continue should errors occur, thus Answer D is incorrect.

  3. On a local computer, who is the default data recovery agent?

    1. There is no default data recovery agent on a local computer.

    2. The first user added to the Administrators group after installation is complete.

    3. The first user to log into the computer after installation is complete.

    4. The built-in administrative account.

    ☑ D. On a local computer, one that is not participating in a Windows 2000 Active Directory domain, the built-in local Administrator account is the default data recovery agent. For security reasons, you should rename this account (from Administrator) and consider exporting the EFS recovery certificate and private keys from the computer—especially if it's a portable computer.

    ☒ A, B, C. The built-in local Administrator account is the default data recovery agent on a local computer, thus Answers A, B, and C are incorrect.

  4. In a Windows 2000 Active Directory domain, who is the default data recovery agent?

    1. The built-in administrative account on each computer.

    2. The built-in domain administrative account.

    3. The first user to be added to the Administrators group after creating the domain.

    4. The user who installs the first Enterprise Root CA in the domain.

    ☑ B. The built-in domain admin account is the default data recovery agent in a Windows 2000 Active Directory domain. This account name should be changed from Administrator and not be used unless absolutely required. You should consider creating a new EFS recovery agent to perform this function.

    ☒ A, C, D. The built-in domain admin account is the default data recovery agent in a Windows 2000 Active Directory domain, thus Answers A, C, and D are incorrect.

  5. You want to create a new EFS data recovery agent for your Windows 2000 Active Directory domain. From where will you perform this task?

    1. The Certificate Authority console

    2. The Local Computer Security console on the first domain controller

    3. The System applet on the Root CA

    4. The Group Policy object that is applied to the root domain

    ☑ D. New EFS recovery agents can be created from the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents node of the domain GPO. Right-click Encrypted Data Recovery Agents and select Create from the context menu to start the Certificate Request Wizard, which will help you complete this process.

    ☒ A, B, C. New EFS recovery agents can be created from the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents node of the domain GPO, thus Answers A, B, and C are incorrect.

  6. What is the effect of running the cipher command from a directory without specifying any switches?

    1. It will encrypt all files and folders in the directory except for those that are already encrypted.

    2. It will decrypt all files and folders in the directory that are currently encrypted.

    3. It will prompt you for action (encryption or decryption) for every file and folder located in that directory.

    4. It will provide an output showing the encryption status of every file and folder located in that directory.

    ☑ D. By executing the cipher command with no modifying switches, you can quickly ascertain the encryption status of all files and folders located in the directory you are examining.

    ☒ A, B, C. By executing the cipher command with no modifying switches, you can quickly ascertain the encryption status of all files and folders located in the directory you are examining, thus Answers A, B, and C are all incorrect.

EFS Architecture and Troubleshooting

  1. You are the data recovery agent for your Windows 2000 Active Directory domain. Pat informs you that she can no longer access files that she had previously encrypted. You discover that her EFS certificate has expired and issue her a new one. She still cannot access the files. What do you need to do in order for her to be able to access these files? (Choose all that apply.)

    1. Use Windows Explorer to decrypt the files for Pat.

    2. Delete Pat's Windows user account and recreate it for her.

    3. Place the files in the location where Pat had saved them originally.

    4. Restore the files to a recovery computer that has the recovery certificates installed.

    ☑ A, C, D. In this case, you would need to restore the files from a backup to a recovery computer that has the recovery certificates installed. Once this is done, you can decrypt the files and then place them back into the location where Pat had them originally. Pat can then encrypt them using her new EFS certificate.

    ☒ B. Deleting Pat's user account will not help correct this problem, thus Answer B is incorrect.

  2. You are the data recovery agent for your Windows 2000 Active Directory domain. Jon informs you that he can no longer access files that he had previously encrypted. You discover that Jon's EFS certificate has expired, so you issue him a new one. Jon still cannot access the files. What do you need to do in order for Jon to be able to access these files? (Choose all that apply.)

    1. Export your recovery certificate.

    2. Restore the encrypted files from a backup tape.

    3. Issue Jon an EFS Recovery Agent certificate.

    4. Import your recovery certificate onto the computer that contains Jon's encrypted files.

    ☑ A, D. You can export your recovery agent certificate and then import it onto the computer that has the encrypted files. Once this is done, you will need to decrypt the files using Windows Explorer. After that has been done, the files can be encrypted again using Jon's new EFS certificate, if he desires to do so.

    ☒ B, C. Restoring the encrypted files from a backup tape is not required when using this method, thus Answer B is incorrect. Issuing Jon an EFS Recovery Agent certificate is probably not a good idea, since he will then be able to decrypt all EFS encrypted data, thus Answer C is incorrect.

  3. Andrew is one of your traveling salespeople. Andrew has a Windows 2000 portable computer on which he uses EFS encryption. While Andrew was traveling last week, he encrypted several files on his computer. This week when he placed his portable computer in the port replicator and logged into the corporate network, he reports to you that he cannot access these files any longer, although they are still on his computer. What is the most likely reason for this problem?

    1. His EFS certificate expired since last week.

    2. He encrypted the files using his local computer user account.

    3. He encrypted the files using his cached domain user account.

    4. His hard drive is not NTFS formatted.

    ☑ B. The most likely reason that Andrew cannot access the files is that he encrypted them when he was logged into the computer locally instead of using a set of cached domain account credentials.

    ☒ A, C, D. Although it is possible that Andrew's EFS certificate expired in this period of time, it is unlikely. The most likely reason that he cannot access the files is that he used his local computer account to encrypt them, thus Answer A is incorrect. Again, the most likely reason for the problem is that Andrew used his local computer account, not the domain user account he is trying to use now to access the files, thus Answer C is incorrect. If Andrew was able to select EFS encryption on his files in the first place, his hard drive was formatted with NTFS, thus Answer D is incorrect.



MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
