Configuring Encryption and Advanced Auditing Flashcards
BitLocker is supported on what operating systems?
Windows Vista and above
Windows Server 2008 and above
What does the PowerShell CmdLet Do?
Add-BitLockerKeyProtector
Adds a key protector for a BitLocker volume.
What does the PowerShell CmdLet Do?
Backup-BitLockerKeyProtector
Saves a key protector for a BitLocker volume in AD DS.
What does the PowerShell CmdLet Do?
Clear-BitLockerAutoUnlock
Removes BitLocker automatic unlocking keys.
What does the PowerShell CmdLet Do?
Disable-BitLocker
Disables BitLocker encryption for a volume.
What does the PowerShell CmdLet Do?
Disable-BitLockerAutoUnlock
Disables automatic unlocking for a BitLocker volume.
What does the PowerShell CmdLet Do?
Enable-BitLocker
Enables encryption for a BitLocker volume.
What does the PowerShell CmdLet Do?
Enable-BitLockerAutoUnlock
Enables automatic unlocking for a BitLocker volume.
What does the PowerShell CmdLet Do?
Get-BitLockerVolume
Gets information about volumes that BitLocker can protect.
What does the PowerShell CmdLet Do?
Lock-BitLocker
Prevents access to encrypted data on a BitLocker volume.
What does the PowerShell CmdLet Do?
Remove-BitLockerKeyProtector
Removes a key protector for a BitLocker volume.
What does the PowerShell CmdLet Do?
Resume-BitLocker
Restores BitLocker encryption for the specified volume.
What does the PowerShell CmdLet Do?
Suspend-BitLocker
Suspends BitLocker encryption for the specified volume.
What does the PowerShell CmdLet Do?
Unlock-BitLocker
Restores access to data on a BitLocker volume.
How would you enable BitLocker for a device using a PIN and TPM?
- Run the following:
- $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
- Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
What is BitLocker for?
BitLocker is drive encryption. It can only be used for NTFS-formatted drives. It can do full-drive encryption or used-space-only encryption.
BitLocker has what characteristics?
- Can be used to encrypt an entire hard drive or only the used parts of a hard drive
- Can be combined with EFS (Encrypting File System)
- Protects the integrity of the Windows boot process
- If the Windows version is Server 2008 or Vista, what do you need to do to provision BitLocker?
- If the Windows version is Server 2008 R2 or Windows 7, what do you need to do to provision BitLocker?
- Create a partition before deploying BitLocker
- It creates the partition for you. There is nothing to do
If you are enabling Group Policy to configure BitLocker, what GPO should you set so that the computer will not be encrypted without the recovery key in AD:
- If you are using Windows Server 2008 R2/Windows 7 or above?
- If you are using Windows Server 2008/Windows Vista?
- Enable the GPO: Choose how BitLocker-protected operating system drives can be recovered
- Select the option: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
- Enable the GPO: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
- The required option, “Require BitLocker backup to AD DS”, is enabled by default once the policy is enabled
What would you configure to set up a TPM and another source to unlock the computer?
The GPO: Require additional authentication at startup
This allows you to let computers use a USB key instead of a TPM if there is no TPM chip. This will also be
- If you don't want to use EFS, how would you disable all users' ability to use it?
- If a CA is not available for EFS, what happens?
- Remove any recovery agent and disallow self-signed certs.
- You can do this by navigating to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-clicking, selecting Properties, and on the General tab choosing not to allow EFS.
- It generates a self-signed cert, if that option is not deselected.
Where can you back up the key for EFS Certificates?
You can go into the file or folder properties:
- On the General tab
- Select Advanced
- Select Details
- Select the cert to back up
- Click Back up keys...
- This will take you to the Certificate Export Wizard
OR
You can go into the certificates console
If you add additional recovery agents, what happens to files that were encrypted before the agent was added?
The new recovery agent's certificate is added to an existing encrypted file when:
- The file is opened and closed
- Or you run: cipher /u
How do you add additional Data Recovery Agents to your Domain?
- Edit the default domain policy
- Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies
- Select what you want a Data Recovery Agent for (either EFS, Data Protection, or Bitlocker Drive Encryption)
- Right-Click and Select Add or Create Data Recovery Agent
What does the following command do:
- cipher /r:c:\backup
- Backs up a cert, including both the public and private key
Where can you turn off EFS self-signed certs?
Go to the GPO Computer Configuration -> Policies -> Windows Settings ->
Security Settings -> Public Key Policies
Then right-click, select Properties, go to the Certificates tab, and unselect Allow EFS to generate self-signed certificates
What are the BitLocker Network Unlock core requirements?
- You must be running at least Windows 8 or Windows Server 2012.
- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
- BitLocker Network Unlock optional feature installed on any supported server operating system.
- A DHCP server, separate from the WDS server.
- Properly configured public/private key pairing.
- Network Unlock Group Policy settings configured.
How do you install BitLocker Network Unlock via PowerShell?
Install-WindowsFeature BitLocker-NetworkUnlock
What are the steps (broad overview) to set up BitLocker Network Unlock?
This is just a broad overview, not the specifics
- Install WDS or ensure that WDS is installed
- Confirm the WDS Service is running
- Install the Network Unlock feature
- Create the Network Unlock certificate
- Deploy the private key and certificate to the WDS Server
- Configure Group Policy settings for Network Unlock
- Require TPM+PIN protectors at startup
How do you create the network unlock certificates?
To enroll a certificate from an existing certification authority (CA), do the following:
- Open Certificate Manager on the WDS server using certmgr.msc
- Under the Certificates - Current User item, right-click Personal
- Select All Tasks, then Request New Certificate
- Select Next when the Certificate Enrollment wizard opens
- Select Active Directory Enrollment Policy
- Choose the certificate template created for Network Unlock on the Domain controller and select Enroll. When prompted for more information, add the following attribute to the certificate:
- Select the Subject Name pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example “BitLocker Network Unlock Certificate for Contoso domain”
- Create the certificate. Ensure the certificate appears in the Personal folder.
- Export the public key certificate for Network Unlock
- Export the public key with a private key for Network Unlock
How do you deploy the private key and certificate to the WDS Server?
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
- On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
- Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then Import
- In the File to Import dialog, choose the .pfx file created previously.
- Enter the password used to create the .pfx and complete the wizard.
What Group Policy Settings do you need to configure for Network Unlock?
- Navigate to the following location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
- Enable the policy “Require additional authentication at startup”
  - Select the Require startup PIN with TPM option
  - Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
- Enable the GPO “Allow network unlock at startup” setting
- Deploy the public certificate to clients
  - Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate
  - Right-click the folder and choose Add Network Unlock Certificate
  - Follow the wizard steps and import the .cer file that was copied earlier.
What policy would you configure for removable device audit policies?
Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Object Access -> Audit Removable Storage
What is the difference between the Local Audit Policies?
- Account Logon Events
- Logon Events
- Audit Account Logon Events: Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller’s security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. (Event is logged on a DC)
- Audit Logon Events: logons that use domain or local accounts generate a logon or logoff event on the workstation or server.
What does the Audit Account Management policy audit?
Examples
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
What is a SACL?
System Access Control List
What is the Advanced Audit Policy Global Object Access Auditing?
You can configure expression-based audit policies for files and the registry.
Note: This is all files not just a specific file
What is the Advanced Audit Policy group System?
You can audit changes to the security subsystem
What does the following Advanced Audit Policy Group allow you to audit?
Account Logon
You can audit credential validation and Kerberos-specific operations.
What does the following Advanced Audit Policy Group allow you to audit?
Account Management
You can audit account management operations, such as changes to computer accounts, user accounts, and group accounts.
What does the following Advanced Audit Policy Group allow you to audit?
Detailed Tracking
You can audit encryption events, process creation, process termination, and RPC events.
What does the following Advanced Audit Policy Group allow you to audit?
DS Access
You can audit Active Directory access and functionality.
What does the following Advanced Audit Policy Group allow you to audit?
Logon/Logoff
You can audit logon, logoff, and other account activity events, including IPsec and Network Policy Server (NPS) events.
What does the following Advanced Audit Policy Group allow you to audit?
Object Access
You can audit access to objects including files, folders, applications, and the registry.
What does the following Advanced Audit Policy Group allow you to audit?
Policy Change
You can audit changes to audit policy.
What does the following Advanced Audit Policy Group allow you to audit?
Privilege Use
You can audit the use of privileges.