Implement Server Hardening Solutions Flashcards

Secure Boot BitLocker EFS Malware/Defender CredGuard DeviceGuard Security Baselines

1
Q

What is Secure Boot?

A

Secure Boot is part of UEFI 2.3.1 that ensures a server only boots using trusted hardware.

2
Q

How does Secure Boot work?

A
  • Secure Boot checks each piece of software used in boot, including ROMs and the OS, against a database of well-known signatures kept in firmware.
  • If the software is valid, boot proceeds.
3
Q

What does Secure Boot protect against?

A

The execution of unsigned (malicious) code.

4
Q

What are the requirements of Secure Boot?

A

UEFI Version 2.3.1

5
Q

What is the Secure Boot boot sequence?

A
  1. PC is powered on. Signature databases are checked against the platform key.
  2. If the firmware is not trusted, UEFI must initiate OEM-specific recovery to restore trusted firmware.
  3. If there is a problem with the Windows Boot Manager, firmware will boot to a copy.
    3a. If this fails, firmware initiates firmware recovery.
  4. Once Windows Boot Manager is running, if there are drive issues or kernel issues, WinRE is booted so the image/drivers can be recovered.
  5. Windows loads antimalware.
  6. Windows loads other kernel drivers and initializes user mode.
6
Q

What are the benefits of UEFI?

A
  • Security: Secure Boot, Device Guard, Credential Guard, Exploit Guard, etc. all require Secure Boot, which requires UEFI.
  • Faster boot
  • Support for larger hard drives (2 TB and larger) and drives with more partitions
  • Support for multicast deployments
  • Support for better UEFI drivers, applications, and ROMs
7
Q

How does AV play into secure boot?

A

Antivirus is signed by Microsoft, verifying it is a trusted boot-critical driver, and launches early in the boot process. This ensures that no process is able to get in the middle of AV startup and prevent AV from protecting the system early.

8
Q

What versions of TPM are supported by Server 2016?

A

TPM 1.2 and TPM 2.0

9
Q

Is TPM 2.0 backwards compatible with 1.2?

A

No

10
Q

How do you verify whether a system has an available TPM?

A
  • Device Manager \ Security Devices
  • UEFI

11
Q

Is a TPM always a physical piece of hardware?

A

No. Some TPMs are firmware based. Windows works with either hardware or firmware-based TPMs.

12
Q

What is required before a TPM can be used?

A

It must be installed and provisioned.

13
Q

What is required to manually provision a TPM?

A

Server 2016+ automatically provisions a TPM; however, if the OS is being reinstalled, the TPM may need to be cleared before the OS can take full advantage of it.

14
Q

What are the advantages of TPM 2.0 over TPM 1.2?

A
  • TPM 1.2 only supports RSA and SHA-1. TPM 2.0 supports newer algorithms (e.g. SHA-256).
  • TPM 2.0 enables greater crypto agility by being more flexible with the different crypto algorithms.
  • TPM 2.0 is more consistent across different implementations.
  • TPM 2.0 has a default lockout configured by Windows.
  • TPM 1.2 was always a discrete component. TPM 2.0 can be implemented as a single package on the board, integrated into other components, or run as firmware.
15
Q

Can TPM 2.0 work with BIOS?

A

No. TPM 2.0 only supports UEFI

16
Q

What different implementation options exist for TPMs?

A
  • Discrete TPMs - Separate components on the board
  • Integrated TPMs - Use dedicated hardware integrated into other hardware
  • Firmware TPM - Runs in Trusted Execution Mode
    NOTE: Windows is compatible with all these TPM implementations.
17
Q

Which versions of Windows support TPM 2.0?

A
  • All versions of Windows 10
  • IoT Core (optional)
  • Server 2016 +
18
Q

What different Windows features are available with TPM 2.0 over 1.2?

A
  • Windows Defender System Guard
  • AutoPilot
  • SecureBIO
  • DRTM
19
Q

Which Windows features/components require TPM of any variety?

A
  • Measured Boot
  • BitLocker
  • Drive Encryption
  • Windows Defender System Guard
  • Device Health Attestation
  • TPM Platform Crypto Provider Key Storage Provider
  • Virtual Smart Card
  • AutoPilot
  • SecureBIO
  • DRTM
20
Q

Which Windows Features/components do not require a TPM of any variety?

A
  • Windows Defender Application Control (Device Guard)
  • Credential Guard
  • Windows Hello
  • UEFI Secure Boot
  • Certificate Storage
21
Q

Which versions of Windows 10 and Server 2016 support BitLocker?

A
  • All editions of Server 2016
  • All editions of Windows 10 excluding Windows 10 Home

22
Q

Can you BitLocker Windows 10 Home?

A

No. It does not support BitLocker. It does support a stripped down version of BitLocker called “Device Encryption.”

23
Q

What does BitLocker protect against?

A
  • Lost, stolen or inappropriately decommissioned devices
  • BitLocker also verifies the boot process integrity

24
Q

What is required on a system for BitLocker to offer the most protection?

A

TPM 1.2 or later

25
Q

Can BitLocker be implemented on a device without TPM 1.2 or newer?

A
  • Yes. However, it will require a USB key to start or to resume from hibernation.
  • Windows 8 and newer may use a password to protect systems without TPMs.
  • Without a TPM, there is no pre-startup system integrity verification.
26
Q

What is BitLocker Recovery Password Viewer?

A
  • An extension to AD that enables locating and viewing BitLocker Drive Encryption recovery passwords that have been backed up to AD
  • Can be used to help recover data that is stored on a drive encrypted with BitLocker
27
Q

How do you view BitLocker Recovery Passwords stored in AD?

A
  • Right-click the computer object in AD \ Properties
  • Right-click the domain container and search for the recovery password

28
Q

To view BitLocker recovery passwords, by default, what permission is required?

A

Domain Administrator. This can be delegated.

29
Q

What tools are provided with the BitLocker Drive Encryption Tools?

A
  • Command line: manage-bde and repair-bde
  • PowerShell cmdlets

30
Q

What is Repair-BDE used for?

A

Disaster recovery scenarios where a BitLocker protected drive cannot be unlocked normally using the recovery console.

31
Q

What are the BitLocker hardware requirements?

A
  • For system integrity check: use TPM 1.2 or newer
  • Without a TPM, BitLocker requires a startup key on a removable drive (e.g. USB)
  • TPMs must have a TCG-compliant BIOS or UEFI (not required for non-TPM)
  • BIOS must support USB mass storage, including reading small files in a pre-OS environment.
  • Hard disk must be partitioned with at least 2 partitions/volumes
    • OS (boot) drive must be NTFS
    • System drive with files used to load Windows after firmware has prepared the drive. Not BitLocker protected. Must be formatted FAT32 (UEFI) or NTFS (BIOS). Recommended size 350MB
    • Windows should be able to create these partitions automatically.
  • When installing BitLocker on a server OS, use the Enhanced Storage feature for hardware encryption drive support.
32
Q

What new BitLocker features were introduced in Server 2016?

A
  • XTS-AES Support
  • Encrypt and recover device with Azure AD
  • DMA Port protection
  • GPO for Configuring Pre-Boot Recovery
33
Q

What are the differences between different encryption version types offered by BitLocker?

A
  • AES-128: Default
  • AES-256: Same as AES-128 but with double the key length
  • XTS-AES-128: FIPS compliant, incompatible with pre-Server 2016
  • XTS-AES-256: Same as XTS-AES-128 but with double the key length
34
Q

Why is it recommended to not use a kernel debugger while BitLocker is enabled?

A
  • A kernel debugger may be able to access BitLocker keys and other sensitive data.
  • If a debugger is used, the OS will automatically restart after every boot.
35
Q

With Server 2008 and Windows Vista, how do you configure BitLocker if the computer already has an OS installed?

A

Utilize the “BitLocker Drive Preparation Tool” to configure the required volumes.

36
Q

What different key protectors are available with BitLocker?

A
  • TPM
  • PIN (Numeric)
  • Enhanced PIN (Alphanumeric)
  • Startup Key
  • Recovery Password
  • Recovery Key
37
Q

You have deployed systems that do not have TPM 1.2 or higher and would like to secure them with BitLocker. What key protector/authentication method should be used?

A

Startup Key

38
Q

Which BitLocker protection method provides the least amount of data protection and why? How can this be mitigated?

A

TPM-only. TPM-only protects against attacks that modify the early boot components. It encrypts drives, but, as in the case of a laptop, the TPM would still allow an attacker to boot the system and potentially compromise the storage within. This is mitigated by incorporating other factors to provide multi-factor access to the system.

39
Q

What is the most transparent BitLocker authentication method that still offers MFA?

A

TPM + Network Key

40
Q

To use Windows RE along with BitLocker, what must be done?

A

The Windows RE boot image must reside on the volume not protected by BitLocker.

41
Q

Can a system be BitLocker protected before the OS install?

A

Yes. Using WinPE, a randomly generated key can be applied to the formatted volume to encrypt it prior to the Windows install.

42
Q

What different encryption options are available for BitLocker?

A

(Hint: What portion of the drive can be encrypted)

  • Used Space Only - Encrypts only used space. Useful for systems with freshly provisioned drives. Faster.
  • Full encryption - Encrypts the entire drive. Used for repurposed drives.
43
Q

Which GPO setting will ensure BitLocker data is backed up by AD?

A

Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ \ Choose how BitLocker protected drives can be recovered

44
Q

What data is stored for each computer object with BitLocker recovery information in AD?

A
  • 48-digit recovery password
  • Key package data. Can be used to decrypt the drive if it is severely damaged

45
Q

When was FIPS support for the recovery password protector introduced?

A

Server 2012 R2/Windows 8.1

46
Q

What is the FIPS Standard?

A
  • The US Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems used by the US Federal Government.
  • FIPS 140 defines approved cryptographic algorithms.
47
Q

How did BitLocker behave before FIPS support was introduced when it was placed in FIPS mode?

A
  • BitLocker would prevent the creation or use of recovery passwords and force users to create recovery keys
48
Q

How do servers running with FIPS support behave when in FIPS mode?

A
  • FIPS compliant recovery passwords can be created
  • FIPS compliant recovery passwords can be distinguished from those created with other systems.
  • FIPS compliant recovery passwords will unlock a drive and allow read/write access even while in FIPS mode
  • FIPS compliant recovery passwords may be exported to and stored in AD
49
Q

Can you use recovery passwords generated on FIPS mode systems from versions of Windows prior to Server 2012 R2 on servers running Server 2012 R2?

A

No. These are incompatible with one another.

50
Q

If a computer was configured with a single partition, can BitLocker still be installed and configured?

A

Yes. BitLocker does require at least two partitions on a drive; however, the drive can be repartitioned without losing data using the Bdehdcfg tool.

51
Q

What different tools can be used to turn on BitLocker Drive Encryption?

A
  • BitLocker Control Panel
  • Windows Explorer
  • Manage-bde command line
  • BitLocker Windows PowerShell cmdlets
52
Q

How do you enable BitLocker from the control panel?

A

Choose the Manage BitLocker option in the control panel. Select “Turn on BitLocker”

53
Q

When enabling BitLocker in the control panel, which drives show up?

A

Only formatted drives with assigned drive letters

54
Q

How do you utilize hardware encrypted drives as the boot drive with BitLocker?

A
  • The drive must be in an uninitialized state and in the security-inactive state.
  • The system must also always boot with UEFI 2.3.1 or higher, and the CSM should be disabled.
55
Q

Where should a BitLocker recovery key be stored?

A
  • Should be printed, saved on removable media, or saved on a network folder.
  • The key cannot be stored in the root directory of a non-removable drive or on the encrypted drive.
  • Ideally the key should be stored separately from the computer.
56
Q

You have a sensitive system which is being retired. You intend to reuse the hardware from this system in a new system. You need to ensure that even the deleted data is protected by BitLocker on the new system. How would you accomplish this?

A

Encrypt the whole drive. While encrypting only used space is faster, in this scenario full encryption ensures even deleted files are encrypted and secured.

57
Q

You have just installed BitLocker on a system and rebooted to start the initial encryption. When you go to manage BitLocker, the only options are for the password, recovery key, or for disabling BitLocker. Why aren’t there more options?

A

Until BitLocker encryption is complete, the options for management are limited. Wait until encryption has completed (check with manage-bde -status) and you will be able to do more after that.

58
Q

How do you check the status of a BitLocker encryption from the command line?

A

CMD: manage-bde -status
PS: Get-BitLockerVolume

59
Q

What unlock drive options are available for securing a data volume with BitLocker?

A
  • Password
  • Smart Card
  • Automatically unlock this drive on this computer
60
Q

With a BitLocker protected data volume, how does the “automatically unlock this drive on this computer” unlock option work?

A

The drive will be unlocked if the system drive is unlocked.

61
Q

What are the requirements for storing BitLocker recovery keys in OneDrive?

A
  • Computers cannot be domain joined
  • User must be using a Microsoft account

62
Q

When can you utilize BitLocker encryption from Windows Explorer?

A

This is available on client OSes by default and can be added to Server OSes by installing the BitLocker and Desktop Experience role.

63
Q

You have an encrypted disk you’ve moved from an older system to a new system. BitLocker says the drive is “encrypted on write.” What does this mean?

A

The drive was encrypted on Windows 8 using “Used Space Only”

64
Q

Does BitLocker work with cluster-aware disks?

A

Yes. BitLocker can protect cluster-aware disks by adding protectors to the Cluster Name Object that allow the disk to properly fail over and be unlocked by any member computer.

65
Q

Can you use a SID-based password protector to protect the OS volume?

A

Yes. It will require an additional protector (TPM, PIN, recovery key, etc.).

66
Q

What happens if you take a partially encrypted drive from Windows 7 and move it to Windows 10? How will BitLocker handle it?

A

BitLocker in Windows 8+ will complete the encryption regardless of policy.

67
Q

What are the limitations of protecting the OS volume with the BitLocker SID-based protector?

A

An additional protector is required, and the SID-based protector does not unlock the OS in the pre-boot environment.

68
Q

What is a common use case for AD-based protectors with BitLocker?

A

Unlocking Failover Cluster enabled volumes

69
Q

What are some methods to check the status of BitLocker for a given volume?

A
  • Control Panel
  • Windows Explorer
  • Manage-BDE
  • Windows PowerShell (Get-BitLockerVolume)
70
Q

You go into the Control Panel to check the status of the BitLocker volume. You see the status is “Waiting for Activation.” What needs to be done?

A
  • BitLocker is enabled with a clear protector key, and it requires further action to be fully protected.
  • Add the keys via Control Panel, Manage-BDE, or WMI and it should start working.
71
Q

Is decrypting a volume a valid troubleshooting step?

A

No. Decryption should only be done at the end of a drive’s life or if there is an issue with BitLocker that prevents the volume from being encrypted or unlocked readily.

72
Q

How do you mark an attribute as confidential in AD?

A

In the schema, modify the searchFlags attribute on the object and enable bit 7 (128 decimal).

73
Q

What are the BitLocker Recovery AD attributes?

A
  • msTPM-OwnerInformation
  • msFVE-KeyPackage
  • msFVE-RecoveryPassword
  • msFVE-RecoveryInformation
74
Q

What does the attribute msTPM-OwnerInformation represent in AD?

A

This attribute contains the owner information of a computer’s TPM module. This attribute is applied to the computer object.

75
Q

What does the attribute msFVE-KeyPackage represent in AD?

A

This attribute contains the BitLocker encryption key secured by the corresponding recovery password. This attribute is applied to the msFVE-RecoveryInformation object.

76
Q

What does the attribute msFVE-RecoveryPassword represent in AD?

A

This attribute contains the BitLocker encryption key secured by the corresponding recovery password. This is applied to the msFVE-RecoveryInformation object.

77
Q

What is the msFVE-RecoveryInformation object?

A

This object is created for every encrypted volume and is stored as a sub-attribute of the computer object where the volume was encrypted. It contains the recovery attributes associated with a BitLocker recovery.

78
Q

What permission allows a user to read a confidential attribute?

A

Control_Access extended right (viewable/settable via LDP)

Also grants permission to LAPS passwords

79
Q

What permission must be granted to the BitLocker recovery information in AD to allow a non-Domain Admin to read the attributes?

A
  • Read
  • Control_access (set via LDP or script)

80
Q

You receive the error “The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation” when you attempt to add a recovery password to a BitLocker volume. How is the error corrected?

A

Go into Group Policy. Modify the policy that configures “Computer Configuration \ Windows Security \ Security Settings \ Local Policies \ Security Options \ System Cryptography: Use FIPS Compliant Algorithms for encryption, hashing, and signing” and disable the setting.

Note: This error may also present as “Cannot decrypt disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.”

This error may appear when a drive is encrypted and a recovery key is created but no password is created as its protector, or when the recovery password is not archived in AD.

81
Q

What is the difference between Symmetric and Asymmetric encryption?

A

Symmetric uses a single key to encrypt and decrypt.

  • Often referred to as single-key, secret-key, shared-key, or private-key
  • AES, DES, or 3DES are examples

Asymmetric uses two keys: one for encrypting and one for decrypting.

  • Often called public key cryptography
  • SSL/TLS and PGP are examples of protocols that use asymmetric keys
  • Common encryption methods are Diffie-Hellman and RSA
82
Q

Which version of Windows was BitLocker Drive Encryption (BDE) introduced?

A

Server 2008 / Windows Vista

83
Q

In which version of Windows was the ability to use XTS-AES introduced into BitLocker?

A

Windows 10 version 1511 / Server 2016

84
Q

What is required before you can enable BitLocker with TPM + Startup Key + Startup Pin?

A

“Require additional authentication at startup” is required via GPO. Located under “Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives.”

85
Q

What happens if you run the command ‘manage-bde -on’ on a data drive with no other information?

A

This will enable BitLocker on the data drive. However, the drive will not be protected as no authenticating protector is installed. You’ll need to enable a protector after the fact to fully protect the drive. The drive is encrypted, just not protected.

86
Q

You ran the command “manage-bde -on C:”. What will happen after this command?

A

Assuming C: is the OS volume and a TPM is installed, the OS volume will be encrypted with TPM-only and no recovery key.

87
Q

What command will allow you to determine the encryption status on a target system?

A

manage-bde -status

88
Q

What command will enable BitLocker on C and utilize a USB drive (E:) as the startup key?

A

manage-bde -Protectors -add C: -StartupKey E:

manage-bde -on C:

89
Q

What command will list the protectors configured for a volume?

A

manage-bde -protectors -get $VolumeLetter

90
Q

How would you enable encryption on a volume without TPM available that uses password and SID-based protectors?

A

manage-bde -protectors -add $VolLetter -pw -sid $UserOrGroupSid

91
Q

Using the command line, how would you ensure a data volume is encrypted using a password protector?

A

manage-bde -protectors -add -pw C:

manage-bde -on C:

92
Q

How do you decrypt a BitLocker drive using the command line?

A

manage-bde -off C:

93
Q

What PowerShell cmdlet will remove an existing protector from a BitLocker volume?

A

Remove-BitLockerKeyProtector

94
Q

What is the process to remove a BitLocker protector using PowerShell?

A
  1. First identify the key protector ID:
    $Volume = Get-BitLockerVolume
    $KeyProtectors = $Volume.KeyProtector
  2. Identify the KeyProtectorId that needs to be removed and remove it:
    Remove-BitLockerKeyProtector $VolumeLetter -KeyProtectorId $KeyProtectorID
95
Q

How do you enable BitLocker using just a TPM protector with PowerShell?

A

Enable-BitLocker $VolumeLetter

96
Q

Which switch should be used with Enable-BitLocker to skip any hardware checks so the system doesn’t require a reboot before starting encryption?

A

-SkipHardwareTest

97
Q

How would you enable the password/SID-based BitLocker protection using PowerShell?

A

Enable-BitLocker $DriveLetter -AdAccountOrGroupProtector -AdAccountOrGroup $GroupOrUserOrSid

98
Q

How would you check the status of a BitLocker volume using PowerShell?

A

Get-BitLockerVolume $VolumeLetter

99
Q

How do you decrypt a BitLocker volume with PowerShell?

A

Disable-BitLocker $VolumeLetter

100
Q

What is an easy way to better ensure that ASLR (Address Space Layout Randomization) is supported by the CPU?

A

Select a 64-bit CPU

101
Q

What versions of Windows include protections against DMA-enabled devices when the computer is locked or no one has logged in?

A

Windows 10 Pro, Enterprise, or Education

102
Q

What different devices are vulnerable to DMA attacks?

A
FireWire
ThunderBolt
ExpressCard
PCI Express
PCMCIA
PCI
PCI-X
103
Q

What are some countermeasures for DMA-Attacks?

A

Block DMA via policy
Windows 10 - Automatically blocks DMA devices from being installed until the computer is unlocked
“Instant Go” devices do not have DMA ports
IO-MMU prevents DMA attacks when running a hypervisor

104
Q

Is USB susceptible to DMA attacks?

A

No

105
Q

What can prevent “cold boot” attacks?

A

Secure Boot

106
Q

Where are TPM Settings stored in Group Policy?

A

Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Services

107
Q

What different TPM Settings can be set via GPO?

A

Turn on TPM backup to Active Directory Domain Services
Configure the list of blocked TPM commands
Configure the level of TPM owner authorization information available to the OS
Configure standard user lockout duration
Standard User individual lockout threshold

108
Q

In which versions of Windows is Secure Boot supported?

A

Windows 8 / Server 2012 +

109
Q

Which versions of Linux support Secure Boot?

A
Fedora 18+
openSUSE 12.3+
RHEL 7+
CentOS 7+
Ubuntu 12.04.2+
110
Q

How do you enable Secure Boot for platform and BCD integrity validation?

A

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives
- Configure “Allow Secure Boot for integrity validation”

111
Q

You decide not to turn on Secure Boot-based integrity validation via GPO, yet you notice it is still being used. Why is this?

A

By default, BitLocker will use Secure Boot-based integrity validation unless policy is set to disabled via GPO.

112
Q

What generation VMs support Secure Boot?

A

Generation 2

113
Q

How do you enable Secure Boot on a VM in Hyper-V?

A

VM Settings \ Security node \ select “Enable Secure Boot”

This feature is enabled by default.

114
Q

Can you enable TPMs on Hyper-V VMs if the hardware doesn’t have a physical TPM?

A

Yes. By enabling TPMs on the Hyper-V VMs without a physical TPM, you utilize a virtual TPM.

115
Q

How do you gather information about the TPM from PowerShell?

A

Get-TPM

116
Q

Can MBR disks be used as boot disks with UEFI?

A

No. Only GPT disks are supported with UEFI.

117
Q

How can you see the number of bad attempts a TPM will allow before locking someone out?

A

Get-TPM | Select-Object LockoutMax

Note: LockoutCount shows how many attempts have been made, and LockedOut will show if the TPM is locked out.

118
Q

How do you adjust the lockout threshold on a TPM 1.2 device?

A

You do not, this can only be adjusted with a TPM 2.0.

119
Q

How do you view if the TPM is 1.2 or 2.0?

A

Get-WmiObject -Class Win32_TPM -Namespace root\cimv2\Security\MicrosoftTPM | Select-Object SpecVersion

120
Q

What kind of protectors may be used in BitLocker protected drives that are not OS drives?

A

Password
Smart Card
Automatic Unlock

121
Q

How do you enable BitLocker to utilize Secure Boot for integrity validation?

A

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives

  • Enable the setting “Allow Secure Boot for integrity validation”
  • Note: This feature is enabled by default. Use this policy to enforce the setting.
122
Q

What is the benefit of using Secure Boot-based integrity validation?

A

BCD Settings can be repaired during boot without triggering a recovery event

123
Q

You have a company that utilizes both Windows 8.1 and Windows 10. You have a BitLocker encrypted drive that gets moved from system to system. Which BitLocker encryption method should be used?

A

AES-128 or AES-256

Support for XTS-AES came later in Windows 10, and drives encrypted with the newer method do not work on older systems.

124
Q

What options are available for BitLocker in the control panel after a drive is encrypted?

A
Back up your recovery key
Change password
Remove password
Add smart card
Turn on auto-unlock
Turn off BitLocker
125
Q

Who can change the PIN or password for an encrypted volume?

A

Users have the ability to do this, however, they must first know the existing PIN.

126
Q

What happens if a user enters a BitLocker PIN/password incorrectly too many times in an attempt to reset the PIN/password of a BitLocker volume?

A

A user has five tries before BitLocker locks out the account and an administrator must reset the PIN or password.

The system can be rebooted to reset the counter.

127
Q

How do you set the complexity of BitLocker PINs/Passwords?

A

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption
Modify “Configure use of passwords for fixed drives”

128
Q

What is BitLocker To Go?

A

Enables users to encrypt removable USB drives without requiring the device to go through recovery on other systems.

129
Q

What are the requirements for BitLocker To Go?

A

Server 2008 R2 / Windows 7
Insert USB and configure encryption
No TPM Required

130
Q

How do you control which drive encryption options are available to users for BitLocker?

A

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption

131
Q

What are some different settings that can be configured for BitLocker using Group Policy? (General, not actual settings)

A
  • Require all removable drives to be BitLocker-protected before data can be saved to them
  • Require or disallow specific methods for unlocking BitLocker-Protected Drives
  • Configure methods to recover data from BitLocker-protected drives
  • Configure the BitLocker recovery passwords that are stored in AD DS
  • Require or disallow different types of recovery password storage or make them optional.
  • Prevent BitLocker from activating if it is not able to back up keys to AD DS.
  • Choose drive encryption method and cipher strength.
132
Q

In which version of Windows was the ability to encrypt BitLocker volumes used with Failover Clusters and Cluster Shared Volumes introduced?

A

Server 2016

133
Q

Why is it recommended to BitLocker-protect volumes before placing them in the cluster's storage pool?

A

If you don’t protect volumes prior to this, the resource will need to be placed in maintenance mode later to complete the operation.

134
Q

If storage is thinly provisioned, by default what BitLocker encryption mode is used?

A

Used Disk Space Only

135
Q

When attempting to unlock a protected volume without user interaction, what order does BitLocker follow?

A
  1. Clear Key
  2. Driver-based auto-unlock key
  3. ADAccountOrGroup Protector (Service context then user context)
  4. Registry-based auto-unlock key
136
Q

In which version of Windows was the ability to pre-provision drives with BitLocker enabled introduced?

A

Server 2012 / Windows 8

137
Q

How do we pre-provision a drive with BitLocker prior to OS install?

A

In WinPE execute the following command: Manage-bde -on X:

138
Q

What is network unlock?

A

Network Unlock provides an automatic unlock of OS volumes at system reboot when connected to a trusted, wired corporate network.

139
Q

What are the requirements for Network Unlock?

A
  • Windows 8 / Windows Server 2012 with UEFI Support
  • Any OS must have UEFI DHCP Drivers
  • Unlock clients require TPM and at least one TPM protector
  • BitLocker Network Unlock Feature installed
  • Server 2016 WDS Role
  • DHCP, separate from WDS and the DC
  • A Network Unlock Certificate
  • Network Unlock GPO settings
140
Q

What happens if you are unable to communicate with the WDS server and Network Unlock is enabled for BitLocker?

A

BitLocker displays the startup key unlock screen.

141
Q

What high-level steps are required to deploy Network Unlock?

A
  1. Install WDS Role
  2. Ensure WDS is running
  3. Install Network Unlock feature
  4. Create/Install Network Unlock Certificate
  5. Deploy Private Key and Certificate to WDS
  6. Configure GPO for Network Unlock
  7. Require TPM + PIN protectors at startup
142
Q

What are the requirements for a Network Unlock Certificate?

A

Duplicate the User Template and change the following

  • Certificate Recipient: Server 2012/Windows 8
  • Enable publishing to AD
  • Purpose: Encryption
  • Allow private key to be exported
  • Minimum Key Size: 2048
  • Subject Name: Supply in request
  • Extensions - Remove: Client Authentication, Encrypting File System, Secure Email
  • Extensions - Add: BitLocker Network Unlock (this may need to be created)
  • Key Usage: Allow key exchange with key encryption.
143
Q

What format should a Network Unlock private key be exported in?

A

Personal Information Exchange - PKCS #12 (.PFX)

144
Q

Where do you configure the Network Unlock certificate to be used by BitLocker?

A

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption Network Unlock Certificate

145
Q

What is the Microsoft BitLocker Administration and Monitoring tool (MBAM)?

A

The MBAM tool provides a single interface to manage BitLocker encryption policies; simplifies deployment and key recovery; centralizes provisioning; and assesses compliance and encryption status across the organization.

146
Q

How do you install the MBAM tool?

A

Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP)

147
Q

What are the components of MBAM?

A

Administration and monitoring server
MBAM Client
Policy Template

148
Q

In MBAM what is the Recovery and Hardware Database?

A

The Recovery and Hardware Database is part of the MBAM Administration and monitoring server.

It maintains the recovery key and the hardware information collected from the MBAM agents managed by MBAM.

149
Q

What does the MBAM Compliance and Audit Database do?

A

The compliance and audit database holds information for the OS drive, fixed data drives, and removable storage drives.

It uses GPO to enforce encryption parameters and to send recovery, hardware, and compliance information to the appropriate entities.

150
Q

What does the Policy Template in MBAM do?

A

It is used to configure BitLocker Administration and Monitoring client policies used to determine the encryption policy options for BitLocker Drive Encryption.

151
Q

Which tool in the MBAM allows for monitoring compliance with BitLocker GPOs?

A

Policy Template

152
Q

How would you provide a self-service tool so users can acquire their own recovery keys if they forget or do not know their recovery password?

A

MBAM.

It includes a self-service portal.

153
Q

What tool would you use to report on the compliance status of BitLocker deployments and the settings that systems have related to BitLocker?

A

Use MBAM; it has several compliance reporting features, most notably the Policy Template feature.

154
Q

In which version of Windows Server were the BitLocker AD extensions made available?

A

Server 2008; however, they were not built in and had to be installed manually.
Server 2012 included them by default.

155
Q

How do you enable storage of BitLocker Recovery information to AD?

A

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Store BitLocker Recovery Information in Active Directory

  • Require BitLocker Backup to AD DS
  • Set BitLocker recovery information to store recovery passwords and key packages.

For each type of drive being backed up configure the following

  • Allow data recovery agent
  • Save BitLocker Recovery information to AD DS for drives
  • Set "Configure storage of BitLocker recovery information to AD DS" to back up recovery passwords and key packages
156
Q

What is the BitLocker Data Recovery Agent?

A

A DRA is an administrator user account that is authorized to recover BitLocker-protected fixed drives for the entire organization, or using a certificate on a smart card.

157
Q

How do you configure a BitLocker Data Recovery Agent?

A

In “Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption \ Provide the unique identifiers for your organization” add the user account.

Enable DRA recovery for each type of BitLocker resource you wish to recover.

Note: The BitLocker DRA certificate template is not available by default in Server 2016 but can be downloaded.

158
Q

In which version of Windows was Network Unlock introduced?

A

Windows 8 / Server 2012

159
Q

Does Network Unlock support IPv6?

A

Yes. It utilizes the link-local address to create DHCPv6 packets needed without the need for setting up DHCPv6 servers.

160
Q

How would you get Network Unlock to work with computers across multiple subnets?

A

DHCP Relay needs to be configured to forward DHCP traffic across subnets.

161
Q

If you have an existing WDS installation and wish to incorporate Network Unlock, what is required?

A

Make sure that WDS is not hosted alongside DHCP: the two roles must be separate for Network Unlock

Install the Network Unlock Feature

162
Q

What PowerShell cmdlet will install the Network Unlock feature?

A

Install-WindowsFeature -Name BitLocker-NetworkUnlock

163
Q

Can Network Unlock work over wifi?

A

Yes, but it is not recommended due to the potential for Wi-Fi spoofing, the difficulty of preventing relay attacks, and the fact that Wi-Fi extends beyond the physical boundaries of the building.

164
Q

For Network Unlock to work, must TPM + PIN be configured for BitLocker?

A

No, it does not. However, TPM plus one other protector is a requirement.

165
Q

What command will verify the BitLocker Network Unlock Certificate is present?

A

certutil -verifystore FVENKP

166
Q

Which certificate should be uploaded to the Network Unlock GPO to ensure devices can utilize Network Unlock?

A

The WDS certificate (public key) should be uploaded to “Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption Network Unlock Certificate”

167
Q

How would you configure Network Unlock WDS certificates without using Group Policy?

A

Registry - HKLM:\Software\Policies\Microsoft\SystemCertificates\FVE_NKP

168
Q

How does Network Unlock behave if multiple PXE servers are used on the network?

A

Only the server with the Network Unlock provider will respond, as it is the only one capable of processing Network Unlock packets.

169
Q

How would you build redundancy for Network Unlock?

A

Ensure that multiple WDS servers are configured with the unlock certificate.

170
Q

How do you configure Network Unlock for MBR partitions?

A

You don’t. BitLocker utilizes Secure Boot which requires GPT drives.

171
Q

What is the most common use case for Network Unlock?

A

To allow enterprises to unlock BitLocker protected systems for patching unattended workstations and remotely managed servers.

172
Q

What is required to enable DHCP support in UEFI?

A

UEFI must be in native mode without the Compatibility Support Module (CSM) enabled (UEFI cannot be in legacy mode)

173
Q

Why is it important that DHCP be enabled on the primary/first network adapter in a system for Network Unlock?

A

Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure, for any reason.

This is important on systems with multiple adapters. Ensure the first adapter is DHCP enabled.

174
Q

What is the process of installing Network Unlock?

A
  1. Install WDS Role Feature (Network Unlock will do this if it isn’t already done)
  2. Configure WDS to communicate with DHCP
  3. Verify WDS is working
  4. Install Network Unlock Feature
  5. Create certificate template for Network Unlock
  6. Create Network Unlock Certificate
  7. Deploy Certificate with Private Key to WDS Server
  8. Configure Network Unlock GPO
  9. [Optional] Configure subnet policy on WDS
175
Q

How would you restrict WDS - Network Unlock Server to only be able to serve specific subnets?

A

Modify the configuration file %windir%\System32\bde-network-unlock.ini to list subnets that Network Unlock will respond to.

176
Q

How would you disable Network Unlock?

A

Unregister the PXE provider from WDS.

Remove/Disable the GPO that provides the ‘Allow Network Unlock at startup’ setting.

177
Q

How do you update Certificates for Network Unlock?

A

Import/Generate new certificates for the server and update the certificate in group policy.

178
Q

How would you verify that the Network Unlock Protector is listed on a target system?

A

manage-bde -protectors -get C:

179
Q

How do you enable WDS Debug Logging?

A

Event Viewer \ Applications and Services Logs \ Microsoft \ Windows \ Deployment-Services-Diagnostics \ Debug

Right-Click \ Enable Log

Note: This can also be done with wevtutil

180
Q

You are attempting to configure BitLocker for all OS drives using Group Policy. You are running a mix of Server 2008 R2 and Server 2016. You configure the policy setting “Store BitLocker recovery information in Active Directory Domain Services.” BitLocker recovery information is not being backed up. Why?

A

The “Store BitLocker recovery information in Active Directory Domain Services” is only used for Windows Vista and Server 2008.

To configure BitLocker backup to AD for new OSes use “Choose how BitLocker-protected Operating System Drives can be recovered” setting.

181
Q

Why would you want to prevent users from configuring BitLocker on their own?

A

If you allow users to configure BitLocker and they cannot create the recovery options, the system could be permanently locked out and unrecoverable.

182
Q

What settings need configured to prevent users from configuring BitLocker on their own?

A

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption

  • Operating System Drives \ Require additional authentication at startup
    • Set all settings to “Do not allow”
  • Fixed Data Drives
    • Configure use of smart cards on fixed data drives \ Disabled
    • Configure use of passwords for fixed data drives \ Disabled
  • Removable Data Drives \ Control use of BitLocker on removable drives \ Disabled.
183
Q

Which versions of Windows support BitLocker recovery information in AD?

A

Server 2008 and Newer

- Server 2008 will require some extensions

184
Q

What schema version is required to support BitLocker Recovery from Active Directory ?

A

Schema version 39

Note: Check this with Get-ADObject

185
Q

How do you allow a device without a TPM to enable BitLocker?

A

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Require additional authentication at startup
- Check “Allow BitLocker without a compatible TPM”

186
Q

If you configure the BitLocker GPO Setting “Allow BitLocker without a compatible TPM”, what other kind of protector should be used?

A

Either a USB Startup key or a Password should be configured.

187
Q

What needs to be done to run CHKDSK against a BitLocker-protected volume?

A

Start WinRE and enter the BitLocker recovery key

Run CHKDSK as normal

188
Q

How do you enable a Data Recovery Agent for BitLocker?

A

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption

  • Choose how BitLocker Protected drives can be recovered \ Check “Allow Data Recovery Agent”
  • Provide the unique identifiers for your organization
    • BitLocker Identification Field
    • Allowed BitLocker Identification Field

Configure a recovery certificate (PFX)

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption \ R-Click “Add Data Recovery Agent” \ Select DRA certificate

189
Q

How do you tell if a drive has a Data Recovery agent associated with it?

A

View the volume's BitLocker information and you should see “Data Recovery Agent” listed.

190
Q

How would you use a Data Recovery Agent to unlock a drive using the command line?

A

manage-bde -unlock $DriveLetter -cert -ct $DRACertThumbprint

191
Q

You attempt to recover a BitLocker drive using an existing DRA certificate and receive an error saying the unlock failed. What needs to be done to access the drive?

A

Ensure the certificate's private key is actually installed in your certificate store.

192
Q

How do you destroy the key data on a BitLocker protected volume?

A

Boot into WinPE and execute a format against the disk. This removes the key information and leaves the drive encrypted.

193
Q

How do you grant the Control_Access right to a user/group?

A

dsacls $Object /G $User:CA;$objType

Note: The CA in the permission above indicates Control_Access

194
Q

How do you set an object as confidential?

A

Configure the schema searchFlags to decimal 128 (0x00000080).

195
Q

Can you utilize dynamic disks with BitLocker?

A

No. It only supports basic disks.

196
Q

When implementing BitLocker, of the following which is required for BitLocker to work: TPM, Drive Partitions, Security Key, or Group Policy?

A

For BitLocker to function, the bare minimum is drive partitions. Neither the TPM nor a security key is required on its own, and Group Policy is not required but does help manage BitLocker.

197
Q

You want to configure BitLocker encryption for a Cluster Shared Volume. The volume is already created and the role service installed on the cluster nodes. What must be done first?

A

Place the CSV in maintenance mode.
Get-ClusterSharedVolume $ResourceName | Suspend-ClusterResource

Note: Traditional PDRs use the Get-ClusterResource command instead. That command does not show Cluster Shared Volumes.

198
Q

You run the PowerShell command Get-ClusterResource to locate the Cluster Shared Volume you wish to encrypt. However, the volume doesn't show in the list. What's wrong?

A

Nothing. Cluster Shared Volumes are exposed via the Get-ClusterSharedVolume cmdlet and do not show in Get-ClusterResource.

199
Q

What is the process for configuring BitLocker on a Cluster Shared Volume before adding disks to the cluster?

A
  1. Install BitLocker Drive Encryption Feature
  2. Ensure Disks are formatted NTFS and have drive letters.
  3. Identify the cluster: Get-Cluster
  4. Enable BitLocker on the volume of choice: Enable-BitLocker -ADAccountOrGroupProtector -ADAccountOrGroup $Group
  5. Repeat for each disk
  6. Add the volumes to the cluster
200
Q

What are the requirements for using the ADAccountOrGroup Protector with BitLocker?

A

Server 2012 or Newer DCs

201
Q

What is required for a BitLocker Protected CSV to failover in a traditional cluster when using ADAccountOrGroup Protector?

A

The Cluster Name Object (CNO) must be configured in the protector, or be a member of the group the protector uses.

202
Q

What command would you use to enable BitLocker on a Cluster Shared Volume?

A

Enable-BitLocker -MountPoint $CSVPath -ADAccountOrGroupProtector -ADAccountOrGroup $CNO

203
Q

How would you recover data off a BitLocker protected drive that is no longer bootable?

A

Repair-BDE

204
Q

How do you run Repair-BDE to fix a BitLocker volume?

A
  • You first need the recovery password and an external disk, which will be wiped
  • Repair-BDE $SourceDisk $ExternalDisk -rp $RecoveryPassword [-lf $LogPath]
  • This will take a while to run and reports what it could salvage.
205
Q

How do you delegate the reading of BitLocker recovery information in Active Directory?

A

Manage-bde -protectors -adbackup C: -id $RecoveryPasswordId

206
Q

How would you get information about the Recovery Password for storing it in AD using the command line?

A

Manage-bde -protectors -get C:

207
Q

What command can be used to add a group or an account to a volume protected by BitLocker?

A

Add-BitLockerKeyProtector $DriveLetter -ADAccountOrGroupProtector -ADAccountOrGroup $Identity

208
Q

How would you test an AppLocker policy that doesn't apply to your system against an executable you wish to run on your system?

A
  • $GPOPath = (Get-GPO -Name $GPOName).Path
  • $Xml = Get-AppLockerPolicy -Domain -Ldap “LDAP://$GPOPath” -Xml
  • Test-AppLockerPolicy -XmlPolicy $Xml -Path $ExecutablePath
209
Q

In Windows Defender what all can be done from the Home tab?

A

Check status of Windows Defender

Initiate a Scan

210
Q

You configure the following AppLocker setting. Will you be able to run the FireFoxInstall.exe located at .\Desktop\TestAppLocker\Subtest?

Allow - Everyone - %OSDRIVE%\Users\Administrator.CONTOSO\Desktop\TestAppLocker\F*

A

No. The rule blocks any files that match that name in the entire hierarchy beneath where the rule is configured.

211
Q

In Windows Defender what does it mean when Real Time Protection is on?

A

That Defender is monitoring and attempting to catch malware behavior.

212
Q

What are some examples of suspicious behavior that may be caught by Windows Defender Heuristics?

A

Programs copying themselves into other programs

Programs that try to write to the disk directly

Programs trying to manipulate critical system files

213
Q

With Windows Defender, what is the difference between a Quick Scan and a Full Scan?

A

Quick scans check areas that malicious software is likely to infect.

Full scan checks all files on the disk and running programs.

214
Q

What different sections are located on the Windows Defender Home tab?

A
  • Real-time Protection Status
  • Virus and Spyware definitions status
  • Scan Options
  • Scan Details - When the last scan was run
215
Q

What are the different categories of items in Windows Defender?

A
  • Quarantine Items
  • Allowed Items
  • All Detected Items
216
Q

What are quarantined items in Windows Defender?

A

Items that are not allowed to run but are not removed from the computer.

217
Q

What is the process of removing a quarantined item in Windows Defender?

A
  1. Launch Windows Defender
  2. History Tab
  3. Quarantined Items
  4. View Details
  5. Select the Item
  6. Click Remove
218
Q

What items can be modified via the Settings Applet for Windows Defender?

A
  • Enable/disable real-time protection
  • Enable/disable cloud-based protection (this controls the sending of items to Microsoft)
  • Enable/disable automatic sample submission
  • Select files, folders, file types, etc. to exclude from scans.
220
Q

How would you configure a Windows Defender Scheduled scan?

A

Task Scheduler \ Task Scheduler Library \ Microsoft \ Windows \ Windows Defender

Configure the “Windows Defender Scheduled Scan”

221
Q

How would you centrally manage definition updates for Windows Defender?

A

WSUS

222
Q

What is required in WSUS to ensure Windows Defender definition updates can be downloaded?

A

Launch WSUS \ Options \ Products and Classifications \ Classifications Tab \ Check “Definitions Updates”

223
Q

What are some settings that can be configured for Windows Defender via GPO?

A
  • Enable Headless UI Mode
  • Suppress Notifications
  • Suppress reboot notifications
  • Exclusions (Extension, Path, and Process)
  • Configure removal of items from quarantine
  • Scheduled Scans
  • Turn Windows Defender on and off
225
Q

What PowerShell cmdlet will get the Windows Defender status on a system?

A

Get-MpComputerStatus

226
Q

What PowerShell cmdlet will list threats that have been detected on a system?

A

Get-MpThreat

227
Q

What PowerShell cmdlet is used to remove detected threats from Windows Defender?

A

Remove-MpThreat

228
Q

What PowerShell cmdlet will initiate a Windows Defender scan of a system?

A

Start-MpScan

229
Q

What PowerShell cmdlet will cause Windows Defender to initiate a definition update?

A

Update-MpSignature

230
Q

What is an offline scan in Windows Defender?

A

A scan that occurs after a reboot and before an OS is fully initialized. It is intended to capture rootkits and other highly persistent malware.

231
Q

How would you initiate a Windows Defender quick scan via PowerShell?

A

Start-MpScan -ScanType QuickScan

232
Q

How would you initiate a Windows Defender full scan using PowerShell?

A

Start-MpScan -ScanType FullScan

233
Q

What PowerShell cmdlet will configure settings in Windows Defender?

A

Set-MpPreference

234
Q

Which tab in Windows Defender will show quarantined items?

A

History Tab

235
Q

What is Windows Defender Offline?

A

A scanning tool that runs from a trusted environment without the OS starting up.

236
Q

Which versions of Windows support Windows Defender Offline?

A

Windows 10/8.1/7

237
Q

When should Windows Defender Offline be run?

A

If Windows detects a rootkit or other highly persistent malware on your system it will alert you to use Windows Defender Offline.

If you suspect your system has malware hiding but the security software isn’t detecting it.

238
Q

How do you initiate a Windows Defender Offline scan?

A
  1. Start \ Settings \ Update and Security \ Windows Security \ Virus and Threat Protection
  2. Current Threats
  3. Select “Windows Defender Offline Scan” \ Scan Now
  4. Reboot the system
239
Q

What combination of Defenses will prevent users from installing unapproved applications, including malware on systems?

A

Restricting/removing admin rights

Configure AppLocker

240
Q

In which version of Windows was AppLocker introduced?

A

Server 2012 / Windows 7

241
Q

What service must be running for AppLocker to work?

A

Application Identity Service

242
Q

You have configured AppLocker policies via GPO. However you notice that even though enforcement is enabled, none of the AppLocker policies are being enforced. What should you check?

A

Application Identity Service needs to be running.

243
Q

Where are the AppLocker settings located?

A

Group Policy: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker

244
Q

What are the different rule types in AppLocker?

A
  • Executable Rules
  • Windows Installer Rules
  • Packaged App Rules
  • Script Rules
245
Q

What file extensions would be associated with AppLocker executable rules?

A

.EXE

.COM

246
Q

What file extensions would be associated with AppLocker script rules?

A
.ps1
.bat
.js
.cmd
.vbs
247
Q

What file extensions would be associated with AppLocker Windows installer rules?

A

.MSI
.MST
.MSP

248
Q

What file extensions would be associated with AppLocker packaged app installer rules?

A

.APPX

249
Q

What is the default configuration mode for AppLocker?

A

Audit Mode

No rules configured for any rule types

250
Q

What are the different methods for creating rules in AppLocker?

A

Create New Rule
Automatically Generate Rules
Create Default Rules

251
Q

What should you expect if you use the “Create new Rule” option when creating AppLocker rules?

A

The wizard will walk you through the process of creating an AppLocker rule, one rule at a time.

You will manually configure permissions, publishers, exceptions, and provide a name for the rule.

252
Q

What should you expect if you use the “Automatically Generate Rules” option when creating AppLocker rules?

A

The wizard creates rules for many apps in a single step.

You select a folder and let the wizard create rules for that folder or for all packaged apps on a system.

253
Q

What should you expect if you use the “Create Default Rules” option when creating AppLocker Rules?

A

The wizard creates rules meant to ensure that key Windows paths are allowed (C:\Windows and C:\Program Files).

Without default rules in place, when creating a new rule, AppLocker will prompt to create default rules.

254
Q

What are the four stages of creating AppLocker rules?

A
  • Set Permissions
  • Set Conditions (Publisher, Path, or File Hash)
  • Add exceptions
  • Name the rule
255
Q

What different permissions can be configured as part of an AppLocker rule?

A

Allow
Deny
Exceptions

256
Q

What different conditions can be configured as part of an AppLocker rule?

A

Publisher
File Hash
Path

257
Q

What is the difference between the different conditions that are configurable as part of an AppLocker rule?

A
  • Publisher identifies an application based on the manufacturer’s digital signature. The advantage of this option is that the rule can survive the update of the application as well as a location change. The disadvantage is some manufacturers change their signature periodically.
  • Path identifies applications based on their physical location in the file system. This is less secure, as files can simply be moved into an allowed path to run. This risk is mitigated by limiting administrative access.
  • File Hash causes the system to compute the hash of the application. Each time the application is upgraded or patched, a new hash is needed making this method difficult to maintain.
258
Q

When creating default rules in AppLocker, what all is included in the default rules?

A
  • Allow everyone to run files found in C:\Program Files
  • Allow everyone to run files found in C:\Windows
  • Allow BUILTIN\Administrators to run all files.
259
Q

You are configuring AppLocker. You create the default rules. You need to block users from using calc.exe. What needs to be done?

A

You’ll need to configure an exception to the default rules that allows for blocking calc.exe since it is part of the default rule set.

260
Q

You have configured AppLocker rules ad-hoc on multiple systems via Local Policy. Your engineering team is ready to deploy it across the enterprise and would like to use your built-in policy to start. How would you get the settings from the local policy?

A

Export the policy and import it into AD.

  • GPEdit; Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies
  • R-Click “AppLocker” \ Export Policy
  • Rename the Policy \ Save
261
Q

What PowerShell cmdlet would display the configured AppLocker policy? What are some relevant switches?

A

Get-AppLockerPolicy

  • -Local retrieves the local policy
  • -Effective retrieves the system’s configured total policy
  • -Domain retrieves the domain policy
  • -Xml displays the results in XML format
262
Q

How would you obtain the required information to create an AppLocker rule for a file (i.e. Hash, Publisher, or Path) using PowerShell?

A

Get-AppLockerFileInformation

263
Q

What is the default action of AppLocker: allow or deny?

A

Deny. AppLocker operates using the “block by default, allow by exception” principle.

264
Q

When AppLocker processes rules, what order are the rules processed?

A
  • Check for explicit deny actions (these always win)
  • Check for explicit allows
  • If no rule matches, apply the default deny action.
265
Q

How does the link order of different AppLocker policies affect how AppLocker works?

A

Last-write is preserved for enforcement. If a higher-level policy enables AppLocker enforcement and a lower-level policy configures Audit Only, AppLocker is placed in Audit Only mode.

As far as the configured rules, these rules are cumulative across linked GPOs with last-writer determining conflicts.

266
Q

What are some considerations to make when configuring AppLocker via GPO?

A
  • Rule collections that are not configured will be enforced
  • Group Policy does not overwrite or replace rules from already linked GPOs.
  • AppLocker processes the explicit deny rule before allow rules.
  • For rule enforcement, the last writer policy applies.
267
Q

What PowerShell cmdlet can be used to determine if a specific user or group of users will be able to perform an action based on the specified AppLocker policy?

A

Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Executable -User $TargetUser

268
Q

What are some technologies that fall under Virtualization Based Security?

A
  • Code Integrity (Device Guard)
  • Credential Guard
  • Control Flow Guard
269
Q

What is another name for Code Integrity?

A

Device Guard

270
Q

What does Code Integrity do when configured?

A
  • Code Integrity (Device Guard) helps harden against malware by running only trusted applications.
  • Server 2016 uses virtualization-based security to isolate the code integrity service from Windows.
271
Q

What does Credential Guard do?

A

Credential Guard isolates and hardens key system and user identity information (LSA credentials).

272
Q

How does Virtual Secure Mode (VSM) work?

A

OS components and security tokens (among other things) are isolated from one another using Windows containers under the hood. If one piece is compromised the other is not necessarily compromised.

273
Q

What are the requirements for Virtual Secure Mode (VSM)?

A
  • UEFI running in Native Mode (Legacy/Compatibility/CSM are not supported)
  • x64 Windows 10 Enterprise / Server 2016
  • x64 CPU with SLAT and Virtualization extensions (Intel VT or AMD-V)
  • Physical systems need to have hardware that is Windows 10 Enterprise ready or Server 2016 Ready
  • Virtual Systems must use Hyper-V Generation 2 VMs with Secure Boot and TPM
274
Q

How do you enable both Device Guard and Nested Virtualization together?

A

You do not. They are incompatible.

275
Q

How do you enable Secure Boot and vTPM for Hyper-V VMs?

A
Hyper-V Manager \ Locate a Gen 2 VM
Turn off the VM
R-Click VM \ Settings \ Security
Select "Enable Secure Boot"
Select "Enable Trusted Platform Module"
276
Q

How do you enable Device Guard?

A

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security

  • Click Enabled
  • Under “Virtualization Based Protection of Code Integrity” choose “Enable with UEFI Lock”
277
Q

How can you tell if Device Guard is enabled on a system?

A

Launch System Information \ Look for “Device Guard Virtualization Based Security” to show if it is running.

278
Q

How would you launch system information from the command line?

A

Msinfo32.exe

279
Q

If you have Device Guard enabled and attempt to run software that is not digitally signed, what happens?

A

There is a chance the software won’t run. Code integrity policies must be configured to account for these scenarios.

280
Q

When Device Guard is first configured, what mode is it in by default?

A

Audit Mode.

This mode allows for fine-tuning the policy before enabling enforcement.

281
Q

You have Device Guard configured in audit mode. What is the next step to getting a valid enforcement policy built?

A

Create a trusted code integrity policy. Typically the first one is created to only allow trusted publisher-signed apps.

282
Q

How do you create a code integrity policy that allows for only trusted publisher-signed software?

A

New-CIPolicy -Level Publisher -FilePath C:\CI\Audit-Publisher.xml -UserPEs -Audit

283
Q

After creating a code integrity policy XML file what needs done?

A

The XML needs to be converted to binary and copied to the code integrity folder.
ConvertFrom-CIPolicy $CIXml $NewCIBin
Copy-Item $NewCIBin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

284
Q

What happens when you run software not in the CI Policy while Device Guard is in Audit mode?

A

An event is logged to the event log.

285
Q

How would you combine the captured policies for Device Guard from multiple servers into a single file?

A

Merge-CIPolicy

286
Q

What PowerShell cmdlet will allow you to configure Device Guard?

A

Set-RuleOption

287
Q

What are some different configurations that can be set via Set-RuleOption for Device Guard?

A
  • 0 Enabled:UMCI - Restricts both user-mode and kernel-mode binaries. The default restricts kernel mode only.
  • 2 Required:WHQL - Requires every driver to be WHQL signed. No legacy drivers.
  • 3 Enabled:Audit Mode - Enables execution of binaries outside of CI policies but logs them. Remove this option to enforce policies.
  • 4 Disabled:Flight Signing - Code Integrity will not trust flightroot-signed binaries.
  • 6 Enabled:Unsigned System Integrity Policy - Allows the policy to remain unsigned. If removed, the policy must be signed and have UpdatePolicySigners added to enable modifications.
  • 8 Required:EV Signers - Requires that drivers be both WHQL signed and have Extended Validation (EV) certificates. All Win10 drivers have this.
  • 9 Enabled:Advanced Boot Options Menu - The F8 menu is disabled by default. This turns it on.
  • 10 Enabled:Boot Audit On Failure - Used with enforcement mode. If a driver hangs on start, CI is placed in audit mode so Windows boots.
288
Q

After you have validated your Device Guard Settings with Audit Mode, what must be done to move it to enforcement mode?

A

Set-RuleOption -Option 3 -FilePath $CIPolicyPath -Delete

ConvertFrom-CIPolicy C:\CI\MergePolicy.xml C:\CI\AuditPublisher.bin

289
Q

Which types of stored credentials does Credential Guard protect?

A
Unconstrained Kerberos Delegation
NTLMv1
MS-CHAPv2
Digest Authentication
CredSSP
Kerberos DES Encryption
290
Q

What different methods exist for enabling credential guard?

A

Registry
Group Policy
Device Guard and Credential Guard Readiness Tool

291
Q

How can you view the status of Credential Guard?

A

System Information (Msinfo32)

292
Q

How do you enable Credential Guard via GPO?

A

GPMC: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security \ Enabled

GPMC: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security \ “Credential Guard” \ Enable with UEFI Lock

293
Q

How do you enable Credential Guard via the Registry?

A

HKLM:\System\CurrentControlSet\Control\DeviceGuard

  • Add the DWORD “EnableVirtualizationBasedSecurity” with a value of 1
  • Add the DWORD “RequirePlatformSecurityFeatures” and give it the value of 1 for Secure Boot or 2 for Secure Boot and DMA protection

HKLM:\System\CurrentControlSet\Control\LSA
  • Add the DWORD “LsaCfgFlags” with the value of 1 to enable Credential Guard with UEFI Lock or the value of 2 for Credential Guard without UEFI lock.

294
Q

How would you enable Credential Guard using Device Guard and Credential Guard readiness tool?

A

Download the tool and unzip

Run the following PowerShell: DG_Readiness_Tool_v3.2.ps1 -Enable -Autoreboot

295
Q

What types of information is stored in the isolated LSA process?

A

Only a subset of OS binaries needed for security. Nothing more (especially no drivers)

296
Q

Which authentication protocols do not work with Credential Guard enabled?

A

NTLMv1, MS-CHAPv2, Digest, and CredSSP

Apps may still use credentials stored in the Windows Vault that are not protected by Credential Guard.

297
Q

How would you use unconstrained Kerberos delegation with Credential Guard Enabled?

A

You don’t. Credential Guard disallows the use of Kerberos unconstrained delegation.

298
Q

How would you use DES encryption with Credential Guard?

A

You wouldn’t. DES is not supported with Credential Guard Enabled.

299
Q

What is NTLM?

A

NTLM is a suite of security protocols that provide authentication, integrity, and confidentiality to users.

NTLM is an integrated SSO mechanism built into Windows Authentication and is part of Integrated Windows HTTP Authentication.

Provides the maximum compatibility across Windows platforms compared to Kerberos and is easier to implement.

300
Q

What authentication protocol is used by Integrated Windows HTTP Authentication?

A

NTLM

301
Q

What authentication protocol is used when authenticating to a server that belongs to a different AD forest?

A

NTLM

302
Q

How do you configure NTLM Traffic Auditing?

A

GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options

  • Configure the following for all systems in the domain
    • Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers - Audit All
    • Network Security: Restrict NTLM: Audit Incoming NTLM Traffic - Enable Auditing for all accounts
  • Configure the following on Domain Controllers
    • Network Security: Restrict NTLM: Audit NTLM Authentication in this Domain - Enable All
303
Q

When NTLM traffic auditing is enabled, where are NTLM events captured?

A

Event Viewer \ Applications and Services Log \ Microsoft \ Windows \ NTLM \ Operations

304
Q

What different GPO settings are available for NTLM restriction?

A

GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options

  • Network Security: LAN Manager Authentication Level
  • Network Security: Restrict NTLM: Add remote server exceptions for NTLM Authentication
  • Network Security: Restrict NTLM: Add server exceptions in this domain
  • Network Security: Restrict NTLM: Incoming NTLM Traffic
  • Network Security: Restrict NTLM: NTLM Authentication in this domain
  • Network Security: Restrict NTLM: Outgoing NTLM Traffic to remote servers
305
Q

How would you add a server or system to be able to utilize NTLM even after it has been restricted and disabled?

A

GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options
  • Network Security: Restrict NTLM: Add server exceptions for NTLM authentication.

306
Q

Why is it unadvised to outright block NTLM as the first step in eliminating NTLM?

A

Applications may break. Many applications, especially third-party ones, have dependencies or default configurations built around NTLM.

307
Q

When configuring or auditing NTLM, what kinds of applications are likely to still be using it?

A
  • Apps that allow various security configurations (e.g. IIS)
  • Apps that have not been correctly configured with SPNs (e.g. Sharepoint and SQL)
  • Apps that use IPs instead of DNS names
  • Apps with legacy code that only supports NTLM
308
Q

What is the process of blocking NTLM on versions of Windows prior to Server 2003?

A

It is discouraged. Kerberos was not in wide use at this time and there are likely compatibility issues.

309
Q

Which events show the NTLM authentication workflow a user follows, so you can better identify where NTLM is being used?

A
  • Event 8004 on the Domain Controller
  • Event 8003 on the member server
  • Event 8001 on the client workstation
310
Q

What is a security baseline?

A

A collection of configuration items from Microsoft for a product that provides prescribed values to help maintain the security of a system or solve a specific use case.

311
Q

What are the key features of the Microsoft Security and Compliance Toolkit?

A
  • Policy Analyzer (PolicyAnalyzer.exe) compares and analyzes GPOs and shows redundant settings, differences, etc.
  • LGPO (LGPO.exe) is a tool for transferring GPOs directly between a host’s registry and a GPO backup. Allows for some level of testing prior to deployment.
312
Q

What are the high-level steps for using the Security Compliance Toolkit?

A
  1. Download the toolkit with the necessary baselines
  2. Backup GPOs
  3. Load an existing GPO backup and baseline into Policy Analyzer
  4. Edit existing GPO Backup with Policy Analyzer \ Save
  5. Use LGPO to load the revised backup into a host for testing
  6. Restore revised backup as the new GPO for deployment
313
Q

Where is the Microsoft Security Compliance Toolkit obtained from?

A

Download from Microsoft

314
Q

What versions of Windows are supported by the Microsoft Security and Compliance Toolkit?

A

Windows 10
Server 2012 R2
Server 2016

315
Q

Does the Microsoft Security and Compliance Toolkit have any requirements or prerequisites?

A

.NET Framework 4.6

316
Q

What types of GPOs can be imported by the Security Compliance Toolkit?

A
  • Registry Policy Files
  • Security Templates
  • Audit Policy Backup Files
317
Q

Where are the registry.pol files located on a system?

A

C:\Windows\System32\GroupPolicy

318
Q

What command line tool will parse registry.pol files into text files?

A

LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol

319
Q

How would you export the local computer security policy as a GPO backup and include the GPO display name via command line?

A

LGPO.exe /b $Path /n $DisplayName

320
Q

What are the key features of the Policy Analyzer tool?

A
  • Highlight when a set of GPOs have redundant settings or internal inconsistencies.
  • Highlight differences between versions of GPOs
  • Compare GPOs against current local policy and local registry
  • Export results to Excel
321
Q

What different items are included in the Microsoft Security Compliance Toolkit download?

A
Windows 10 Baselines (multiple versions)
Windows Server Baselines (2012 R2, 2016, and 2019)
Office Security Baselines (Office 2016)
Policy Analyzer
LGPO
322
Q

What are the main features of the LGPO tool?

A
  • LGPO is a command-line utility designed to help automate the management of local group policy
  • LGPO can import registry.pol files, security templates, advanced auditing backup files, and formatted LGPO text files.
  • It can export LGPO to a GPO backup
  • It can convert a Local GPO to a LGPO text file.
323
Q

What tool did Microsoft Security Compliance Toolkit replace?

A

Microsoft Security Compliance Manager

  • Note: Not all the features of SCM are replicated in SCT (DCM and SCAP are unsupported)

324
Q

What is Control Flow Guard?

A

Control Flow Guard is a highly optimized platform security feature that is used to combat memory corruption vulnerabilities.

CFG is compiled into a program which prevents programs from executing code outside of their memory space by extending DEP.

325
Q

What happens if an application compiled with Control Flow Guard is run on a system that doesn’t support it?

A

The application will run but the CFG features will not be used.

326
Q

What is the Enhanced Mitigation Experience Toolkit (EMET)?

A

EMET is a free security tool that is designed to protect software from undiscovered zero-day exploits without fixes.

It cannot prevent 100% of attacks but it does reduce the attack surface.

327
Q

Which versions of Windows support EMET?

A

Vista SP2+ / Server 2008 R2+

Windows 10 / Server 2016 support the mitigation for untrusted fonts.

328
Q

What is required for EMET to work?

A

.NET Framework 4

329
Q

What are the different components of EMET?

A
  • Attack Surface Reduction (ASR) Mitigation
  • Data Execution Prevention (DEP) Mitigation
  • Structured Exception Handler Overwrite Protection (SEHOP) Security Mitigation
  • Heapspray Allocation Security Mitigation
  • NullPage Security Mitigation
  • Export Address Table Filtering (EAF) Security Mitigation
  • Mandatory Address Space Layout Randomization (ASLR) Security Mitigation
  • Bottom Up ASLR Security Mitigation
  • Load Library Check [Return Oriented Programming (ROP) Security Mitigation]
  • Memory Protection [ROP Security Mitigation]
  • Caller Checks [ROP Security Mitigation - x86 only]
  • Simulate Execution Flow [ROP Security Mitigation - x86 only]
  • Stack Pivot [ROP Security Mitigation]
  • Windows 10 Untrusted Fonts
  • Certificate Trust