8/19/2019 Window server 2012 70-411
70-411 Administering Windows Server 2012
LAB 6
CONFIGURING FILE SERVICES AND DISK ENCRYPTION
THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:
Exercise 6.1 Encrypting Files with EFS
Exercise 6.2 Configuring the EFS Recovery Agent
Exercise 6.3 Backing Up and Restoring EFS Certificates
Exercise 6.4 Encrypting a Volume with BitLocker
Lab Challenge Configuring Network Unlock
BEFORE YOU BEGIN
The lab environment consists of student workstations connected to a local area
network, along with a server that functions as the domain controller for a domain
called contoso.com. The computers required for this lab are listed in Table 6-1.
Table 6-1 Computers Required for Lab 6
Computer        Operating System       Computer Name
Server (VM 1)   Windows Server 2012    RWDC01
Server (VM 2)   Windows Server 2012    Server01
In addition to the computers, you also require the software listed in Table 6-2 to
complete Lab 6.
Table 6-2 Software Required for Lab 6
Software                   Location
Lab 6 student worksheet    Lab06_worksheet.rtf (provided by instructor)
Working with Lab Worksheets
Each lab in this manual requires that you answer questions, take screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab06_worksheet.rtf. You will find these worksheets on the book companion site. It
is recommended that you use a USB flash drive to store your worksheets, so you can
submit them to your instructor for review. As you perform the exercises in each lab,
open the appropriate worksheet file using WordPad, fill in the required information,
and save the file to your flash drive.
After completing this lab, you will be able to:
Encrypt files with EFS
Configure EFS Recovery Agent
Back up and restore EFS certificates
Encrypt a volume with BitLocker
Estimated lab time: 70 minutes
Exercise 6.1 Encrypting Files with EFS
Overview: For files that are extremely sensitive, you can use EFS to encrypt the
files. During this exercise, you encrypt a file using Encrypting File
System (EFS), which is a built-in feature of NTFS.
Completion time: 20 minutes
Mindset Question: You have several sales people who have sensitive material on their
computer. If their laptops are stolen, the stolen information could put the company at great risk. How can you protect the important
data documents?
Encrypting Files with EFS
1. Log in to Server01 as the Contoso\administrator user account. The Server
Manager console opens.
2. On Server01, create a C:\Data folder.
3. Create a text file in the C:\Data folder called test.txt. Type your name in the
file, close the file, then click Save to save the changes.
4. Right-click the C:\Data folder, and then click Properties. The Properties dialog
box opens.
5. On the General tab, click Advanced. The Advanced Attributes dialog box appears
as shown in Figure 6-1.
Figure 6-1 Configuring advanced attributes
6. Click to select Encrypt contents to secure data. Click OK to close the Advanced
Attributes dialog box.
7. Click OK to close the Properties dialog box.
8. When Windows asks you to confirm the changes, click OK.
Question 1
What color is the C:\Data folder?
Green
Question 2
Is the test.txt file in the C:\Data folder also encrypted?
Yes
9. Right-click the C:\Data folder and click Properties. The Properties dialog box
opens.
10. Under the General tab, click Advanced. The Advanced Attributes dialog box
opens.
11. Clear the Encrypt contents to secure data check box. Click OK to close the
Advanced Attributes dialog box.
12. Click OK to close the Properties dialog box.
13. When it asks to confirm attribute changes, click OK.
14. From Server01, log off as administrator.
Sharing Files Protected with EFS with Other Users
1. Log into RWDC01 as contoso\administrator. Server Manager starts. Open the
Tools menu and click Active Directory Users and Computers. The Active
Directory Users and Computers console opens.
2. Right-click the Users node, click New, then click User.
3. Create a new user with the following parameters:
First Name: User1
User logon name: User1
Click Next.
4. For the Password and Confirm password text boxes, type Password01. Click to
select Password never expires. When an Active Directory Domain Services
dialog box appears, click OK. Click Next.
5. When the user is ready to be created, click Finish.
6. Under the Users node, double-click User1. The User1 Properties dialog box
opens.
7. Click the Member Of tab.
8. Click the Add button. When the Select Groups dialog box opens, type domain
admins and click OK.
9. Click OK to close the User1 Properties dialog box.
10. On Server01, log in as contoso\User1 with the password of Password01.
11. Open the C:\Data folder, right-click the test.txt file and click Properties.
12. On the General tab, click Advanced. The Advanced Attributes dialog box opens.
13. Click Encrypt contents to secure data. Click OK to close the Advanced Attributes
dialog box. Click OK to close the test Properties dialog box.
14. When it asks if you want to encrypt the file and its parent folder, click OK.
15. If an Access Denied message appears, click Ignore, click Continue, click OK, and
click Ignore. Click OK. If an Access Denied message appears again, click Ignore
All. When you are done, the test.txt file should be green.
16. On Server01, log out as User1 and log in as Contoso\Administrator.
17. Open the C:\Data folder.
18. Double-click to open the Test.txt file.
Question 3
What error message did you get?
Access is denied.
19. Click OK to close the message, and then close Notepad.
20. Right-click the test.txt file and click Properties.
21. Click the Security tab.
Question 4
What permissions does Administrator have?
Full control, modify, read & execute, read, and write.
Question 5
Why was the contoso\administrator not able to open the file?
Because it requires special permissions.
22. Go back to the General tab, click the Advanced button, clear the Encrypt check box, and then click OK.
23. Click OK to close the test Properties dialog box. When prompted for
administrator permissions, click Continue. After the Access Denied dialog is
displayed, click Cancel to close it.
Question 6
Were you able to decrypt the file?
No
24. On Server01, log off as Administrator and log on as User1.
25. Open the C:\Data folder.
26. Right-click the test.txt file and click Properties. The Properties dialog box opens.
27. Click the Advanced button to open the Advanced Attributes dialog box.
28. Click to deselect the Encrypt contents to secure data check box, and click OK.
29. Click OK to close the Properties dialog box. When it asks you to provide
administrator permission to change these attributes, click Continue.
30. Log off as User1 and log on as contoso\administrator.
31. Open the C:\Data folder.
32. Right-click the test.txt file and click Properties.
33. Click the Advanced button to open the Advanced Attributes dialog box.
34. Click to select the Encrypt contents to secure data check box. Click OK to close
the Advanced Attributes dialog box.
35. Click OK to close the Properties dialog box. When it asks to apply to the folder
and its contents, click OK.
36. Right-click the test.txt file and click Properties. Click the Advanced button to
open the Advanced Attributes dialog box.
37. Click the Details button. The User Access to test.txt dialog box opens as shown
in Figure 6-2.
Figure 6-2 Certificate details for test.txt file
38. Click the Add button. When the Encrypting File System dialog box opens (as shown in
Figure 6-3), click User1 and click View Certificate.
Figure 6-3 EFS certificates for test.txt
39. When the Certificate dialog box opens, click the Details tab.
Question 7
What is the Certificate used for? Hint: Look at the Enhanced
Key Usage field.
40. Click OK to close the Certificates dialog box.
41. Click OK to close the Encrypting File System dialog box.
Question 8
Looking at the User Access to test.txt dialog box, who has a
Recovery Certificate?
42. Take a screen shot of the User Access dialog box by pressing Alt
; Yes
46. Close the test.txt file.
47. On Server01, sign out as User1.
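The state this exercise produces can also be created and checked from PowerShell. The following is an added example, not part of the lab manual; it assumes the C:\Data\test.txt path used above and Windows PowerShell 3.0 or later on Server01. Run it once as the user who encrypts the file and once as a different administrator to see the same "Access is denied" result as in Question 3.

```powershell
# Added example, not from the lab manual. Paths mirror the lab.
$folder = 'C:\Data'
$file   = Join-Path $folder 'test.txt'
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is what Explorer renders as green text.
    [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted)
}

function Test-EfsReadable([string]$Path) {
    # Full NTFS permissions are not enough: without an EFS key the read is denied.
    try   { [IO.File]::ReadAllBytes($Path) | Out-Null; $true }
    catch [UnauthorizedAccessException] { $false }
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null
if (-not (Test-Path -LiteralPath $file)) {
    Set-Content -LiteralPath $file -Value $env:USERNAME
}

# Same effect as selecting "Encrypt contents to secure data" on the folder and its contents.
cipher.exe /e "/s:$folder" | Out-Null

# Summary for the current user.
[pscustomobject]@{
    User            = "$env:USERDOMAIN\$env:USERNAME"
    FolderEncrypted = Test-EfsEncrypted $folder
    FileEncrypted   = Test-EfsEncrypted $file
    FileReadable    = Test-EfsReadable  $file
}

# Text equivalent of the User Access dialog box: users who can decrypt,
# plus any recovery certificates attached to the file.
cipher.exe /c $file

# EFS certificates in the current user's store, selected by Enhanced Key Usage.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```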
End of exercise. You can leave the windows open for the next exercise.
Exercise 6.2 Configuring the EFS Recovery Agent
Overview: During this exercise, you configure EFS Recovery Agents so that you
can recover EFS encrypted files although the agent is not the owner of
the file.
Completion time: 15 minutes
Mindset Question:
When it asks you to add additional features for any of these features, click Add
Features.
10. Back on the Select role services page, click Next.
11. On the Web Server Role (IIS) page, click Next.
12. On the Select role services page, click Next.
13. On the Confirm installation selections page, click Install.
14. When the Certificate Authority is installed, click Close.
15. On Server Manager, click the Exclamation Point in a yellow triangle and then
click Configure Active Directory Certificate Services.
16. On the Credentials page, click Next.
17. On the Role Services page, click Certification Authority, as shown in Figure 6-4. Click Next.
Figure 6-4 Configuring the Certification Authority
18. When it asks what setup type of CA you should install, click Next.
19. When it asks for the CA type (as shown in Figure 6-5), click Next.
Figure 6-5 Specifying the type of CA
20. On the Specify the type of the private key page, click Next.
21. On the Specify the Cryptography for CA page, click Next.
22. On the Specify the name of the CA page, click Next.
23. For the Validity Period, click Next.
24. On the CA database page, click Next.
25. On the Confirmation page, click Configure.
26. When the CA is configured, take a screen shot of the CA is configured by
pressing Alt
27. Click Close.
28. If it asks to configure additional role services, click No.
Configuring the EFS Reco
Figure 6-6 Opening the GPO public key policies
6. Right-click Encrypting File System, and select Create Data Recovery Agent. If
you double-click Encrypting File System, you will see the Administrator listed in
the right pane as shown in Figure 6-7.
Figure 6-7 Viewing the current EFS recovery agents
7. On RWDC01, log off as Contoso\User1 and log in as Contoso\Administrator.
Question 10
What is needed for a user to become a data recovery agent?
End of exercise. You can leave the windows open for the next exercise.
Exercise 6.3 Backing Up and Restoring EFS Certificates
Overview: During this exercise, you back up an EFS certificate and later
restore it after you delete the certificate.
Completion time: 10 minutes
Mindset Question: You had a standalone computer that failed and had to be rebuilt. On
the computer, you had some files that were encrypted with EFS.
Fortunately, you backed up the files from time to time to a
removable drive. After you rebuilt the computer, you decide to copy
the files from the removable drive. Although you are using the same
username and password that you used before, you cannot open the
files because they are encrypted.
Figure 6-8 Exporting a certificate
6. When the Certificate Export Wizard starts, click Next.
7. On the Export Private Key page, click Yes, export the private key, and then click
Next.
8. On the Export File Format page (as shown in Figure 6-9), click Next.
Figure 6-9 Specifying the exported format
9. On the Security page, select the Password check box, and type in the password of
Password01 in the Password and Confirm password text boxes. Click Next.
Question 11
What is the difference between the cer and the pfx format
when backing up digital certificates?
10. On the File to Export page, type C:\Cert.bak in the File name text box. Click
Next.
11. Take a screen shot of the Certificate Export wizard by pressing Alt
Restoring the EFS Certificate
1. Right-click the Administrator certificate and click Delete. When it asks if you
want to delete the certificate, read the warning and click Yes.
2. Right-click Certificates, select All Tasks, and then select Import.
3. When the Certificate Import Wizard starts, click Next.
4. On the File to Import page, type c:\cert.bak.pfx, and then click Next.
5. If it asks for a password, type Password01 in the Password text box and click
Next.
6. On the Certificate Store page, click Next.
7. On the Completing the Certificate Import Wizard page, click Finish.
8. When the import is successful, click OK.
9. Take a screen shot of the Certificates console by pressing Alt
...BitLocker differ?
1. Log in to Server02 as the Contoso\Administrator user account. The Server
Manager console opens.
2. On Server02, on Server Manager, click Manage and click Add Roles and
Features. The Add Roles and Features Wizard opens.
3. On the Before you begin page, click Next.
4. Select Role-based or feature-based installation and then click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select BitLocker Drive Encryption.
8. When the Add Roles and Features Wizard dialog box displays, click Add
Features.
9. On the Select Features page, click Next.
10. On the Confirm installation selections page, click Install.
11. When BitLocker is installed, click Close.
12. Reboot Server02.
13. Log in to Server02 as the Contoso\Administrator. The Server Manager console
opens.
14. Using Server Manager, open the Tools menu and click Computer Management.
The Computer Management console opens.
15. Expand the Storage node and click Disk Management.
16. Right-click the C drive and click Shrink Volume.
17. In the Enter the amount of space to shrink in MB text box, type 3000 and click
Shrink.
18. Under Disk 0, right-click the unused space and click New Simple Volume.
19. When the Welcome to the New Simple Volume Wizard starts, click Next.
20. On the Specify Volume Size page, click Next.
21. On the Assign Drive Letter or Path page, click Next.
22. On the Format Partition page, click Next.
23. When the wizard is complete, click Finish.
24. Close Computer Management.
25. Click the Start button, and then click the Control Panel.
26. Click BitLocker Drive Encryption. The BitLocker Drive Encryption window
opens as shown in Figure 6-10.
Figure 6-10 Opening the BitLocker settings
27. Click the down arrow next to the E drive. Then click Turn on BitLocker. A
BitLocker Drive Encryption (E:) window opens.
28. On the Choose how you want to unlock this drive page, click to select the Use a
password to unlock the drive. Type a password of Password01 in the Enter your
password and Reenter your password text boxes, and then click Next.
29. On the How do you want to back up your recovery key? page, click Save to a file
option.
30. When the Save BitLocker recovery key as dialog box opens, type
\\rwdc01\Software\ before BitLocker Recovery Key <GUID>.txt and click Save.
Click Next.
31. On the BitLocker Drive Encryption (E:) page, select Encrypt entire drive radio
button, and click Next.
32. On the Are you ready to encrypt this drive? page, click Start encrypting.
33. When the drive is encrypted, take a screen shot of the BitLocker window by
pressing Alt
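The BitLocker steps above have a scripted equivalent that also verifies the result. The following is an added example, not part of the lab manual; it assumes the new simple volume received drive letter E: and that the \\rwdc01\Software share is writable, and it prompts for the unlock password instead of embedding it in the script.

```powershell
# Added example, not from the lab manual. Run elevated on Server02.
$mount = 'E:'                  # data volume created in Disk Management (assumed letter)
$share = '\\rwdc01\Software'   # recovery key location used in the lab

# Stage 1: install the feature. The BitLocker cmdlets need the reboot that follows.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
    return
}

# Stage 2: password protector. Prompting keeps the password out of the script and history.
$pw = Read-Host -AsSecureString -Prompt "Password to unlock $mount"
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw | Out-Null

# Recovery password, saved off the server so it is not lost together with the volume.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
      Select-Object -First 1
$keyFile = Join-Path $share ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
"Identifier: $($rp.KeyProtectorId)`r`nRecovery password: $($rp.RecoveryPassword)" |
    Set-Content -LiteralPath $keyFile

# Wait for encryption to finish. Without -UsedSpaceOnly the whole volume is encrypted,
# which matches the "Encrypt entire drive" choice in the wizard.
do {
    Start-Sleep -Seconds 15
    $vol = Get-BitLockerVolume -MountPoint $mount
    Write-Progress -Activity "Encrypting $mount" -PercentComplete $vol.EncryptionPercentage
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Verification: expect FullyEncrypted and On, with Password and RecoveryPassword protectors.
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```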