EFS
- Encrypting File System
-- encrypts files stored on an NTFS volume
- anyone can encrypt files by default
- whoever encrypts the file can access and decrypt it
- you can create recovery agents
cipher /?
cipher /r:administrator
define recovery agent via group policy
- mmc
- admin tools
-- security settings only
-- gpedit.msc
Self-signed certificate
- can back up the certificate
-- Control Panel, User Accounts
-- MMC Certificates snap-in
BitLocker
- drive encryption
-- protects from theft
-- encrypt the C:\ drive on the server / workstation / laptop
-- in case someone steals the hard drive
- prior to SP1
-- you can only encrypt a single volume
-- with SP1, all volumes (only after the first volume has been encrypted)
1.5 GB partition (minimum space available for BitLocker; the S:\ drive)
BitLocker Drive Preparation Tool
- prep tool
BOOTMGR (Boot Manager)
- BCD: Boot Configuration Data
Control to configure/enable
TPM
- Trusted Platform Module (chip)
- MMC snap-in
If the computer does not support TPM you can use a USB stick
- gpedit.msc
BDE
- BitLocker Drive Encryption
-- BitLocker available on Enterprise and Ultimate only
WinPE
- Windows Preinstallation Environment
- CD and USB
- loads into RAM (X:\windows)
DISKPART
- select disk 0
- select partition 3
- delete partition
Group Policy
- is a collection of user and computer policy settings
-- pushes out user and/or computer settings (existing or new)
-- policies can be assigned in multiple areas
-- local (applies to just that one computer)
--- mmc
--- admin tools (see settings)
--- gpedit.msc
--- RSAT
---- must be logged on to the domain
- AD
-- Active Directory: in an AD environment GPOs can be created and linked at 3 levels
S - Site LEVEL
D - Domain LEVEL
OU - Organizational Unit LEVEL
GPMC is installed by default
S, D, OU is the inheritance order
A domain is a logical grouping of computers with no geographical boundaries (as long as you have the bandwidth) that shares a security and replication boundary
SITES: are physical locations in AD (NY, JAX and LA, for example)
- subnets with computers
see drawing in my notes
- Multimaster
ALL PEERS
- Multimaster replication
see drawing in my notes
if there is a conflict, the one closest to the user/computer wins
see Alan's photos
- only an admin can set up an audit policy
- audit the success / failure of events
- audit results are displayed in the Security log of Event Viewer
- audit
-- account logon events
-- logon events
-- account management
--- shows account creation or modification of existing accounts
-- object access
--- must be selected if you want to audit folders, files and printers on an NTFS volume
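One way to pull the audit results described above out of the Security log, as an added PowerShell example that is not part of these notes. It assumes an elevated (administrator) PowerShell session, a 24-hour look-back window chosen here for illustration, and the standard Windows Security event IDs for the four audit categories listed; the `auditpol` call at the top shows which categories are currently set to audit success and/or failure.

```powershell
# Added example, not part of the original notes.
# Reads the Security log of Event Viewer and counts events per audit category,
# then lists failed logons by target account. Run from an elevated PowerShell,
# since reading the Security log needs administrator rights.

# Show the currently effective audit policy (success / failure per category).
auditpol /get /category:*

# Map each audit category from the notes to the Security event IDs it produces.
$categories = [ordered]@{
    'Account logon events' = @(4768, 4776)   # Kerberos TGT requested, NTLM credential validated
    'Logon events'         = @(4624, 4625)   # logon succeeded, logon failed
    'Account management'   = @(4720, 4738)   # user account created, user account changed
    'Object access'        = @(4663)         # attempt to access an object (file, folder, printer)
}

# Look-back window: 24 hours (an assumed value for this example).
$since = (Get-Date).AddHours(-24)

foreach ($name in $categories.Keys) {
    $filter = @{ LogName = 'Security'; Id = $categories[$name]; StartTime = $since }
    # Get-WinEvent throws when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    '{0,-22} {1,6} events in the last 24h' -f $name, $events.Count
}

# Failed logons (4625) grouped by the account that was attempted: the first
# thing to check when "audit the success / failure of events" shows failures.
$failedFilter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$failed = @(Get-WinEvent -FilterHashtable $failedFilter -ErrorAction SilentlyContinue)

$failed |
    ForEach-Object {
        # Pull the named fields out of the event's XML EventData section.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If a category reports zero events even though activity is expected, check the `auditpol` output first: the "object access" category in particular only produces 4663 events when it is enabled and the folder, file or printer carries an audit entry (SACL).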
RSOP
- Resultant Set of Policy
will show which GPOs are applied to the user / computer
2 modes
- logging mode
-- which settings have been applied
- planning mode
-- simulate a mode
-- slow WAN link
-- loopback processing
--- merge or replace
CMD for gpresult (ON TEST)
ADUC: right-click any user or computer
- All Tasks, Resultant Set of Policy
GPMC
Local Profiles
- profiles are created at first logon
- always local by default
C:\Users\username
-- desktop
-- start menu
Roaming Profiles
- copy an existing local profile to an existing share
DC1
- create an account
-- profile tab
-- \\dc1\profiles on the profile tab
AD will know
- System Properties
- Advanced tab
- second Settings button
- highlight the user and select Copy To \\dc1\profiles\student1
Folder Redirection (ON TEST)
- folder redirection via GPO
- local / roaming profiles