Protecting Sensitive Data with Windows .NET Server - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

Protecting Sensitive Data with Windows .NET Server

Description:

Prepare CA for Key Recovery- Add Key Recovery Agent certificate to those the CA can issue ... Assign the Key Recovery Agents Recovery certificate to the CA ... – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 37
Provided by: rb773
Category:

less

Transcript and Presenter's Notes

Title: Protecting Sensitive Data with Windows .NET Server


1
Protecting Sensitive Data with Windows .NET Server
  • Roberta Bragg

2
EFS Angel or Devil?
  • Strong encryption for files
  • Transparent to users
  • Built in to Windows 2000/XP-Professional
  • BUT,
  • Easy to lose access to encrypted data
  • No built in key management structure
  • XP does not require a recovery agent

3
Abandon All Hope Ye Who Enter Here
  • Should we abandon EFS?
  • How can we avoid data loss?
  • Can .NET Server help?
  • Lets do a quick review..

4
(No Transcript)
5
(No Transcript)
6
Avoiding Data Loss
  • Ensure users archive encryption keys
  • OR
  • Disable EFS until you can implement PKI
  • OR
  • Adopt .NET Server Key Archival Solution
  • Recommendation
  • Adopt .NET Server PKI s advanced features
  • Custom templates
  • Key archival

7
Archiving Keys
  • Each user must open her Certificate store
  • Right click on EFS certificate
  • Chose export
  • Be sure to export the private key
  • Store in safe place
  • How many hundreds of user do you have?
  • How many of them can you trust to do this?

8
Open Certificates Console
9
Select Key to Export
10
(No Transcript)
11
(No Transcript)
12
Import Archived Key
13
Youll need the password
14
Place Certificate in Personal Store
15
Disable EFS Windows 2000 standalone
  • Use Administrative Tools\Local Security Policy
  • Delete the file recovery certificate
  • Delete the policy

16
Disable EFS Windows 2000 domain
  • Use the same procedure but do so in the Domain
    default Policy
  • Make sure to delete the policy as this will
    prevent a Group Policy linked to an OU from
    allowing EFS

17
WARNING!
  • XP not affected by removing domain recovery agent
    in Windows 2000!
  • While W2K requires recovery agent before a file
    can be encrypted, XP does not!
  • XP can use a recovery agent if one exists, but
    does not, in standalone, or in Windows NT domain,
    create one.

18
Disable EFS Windows XP Professional
  • Two choices
  • Set EFS Registry Key at
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Cu
    rrentVersion\EFS
  • Create a new value of type DWORD called
    EfsConfiguration and give it a value of 1
  • OR

19
Use XP Local Security Policy
20
.NET Server Key Archival
  • A new approach
  • Automatic Key archival and thus key recovery, not
    file recovery
  • Advantages
  • If users keys are corrupt or lost, can replace
    keys
  • Process of EFS certificates can be automated
  • Control over recovery personnel
  • Key recovery agent will not be able to decrypt
    files

21
Ground Rules
  • 100 .NET
  • No files have been encrypted yet or users are
    ready to decrypt and re-encrypt with new EFS
    certificates
  • Enterprise Certificate Authority must be
    installed on a .NET Enterprise edition server

22
Process
  • Determine those users who should have EFS
    privileges
  • Plan and implement PKI using .NET infrastructure
  • Prepare CA for Key Recovery
  • Create custom template for EFS
  • Transition to new Certificates

23
Determine Users
  • Dont have to allow all
  • Who really needs to do this?
  • Training

24
Plan and Implement PKI using .NET
  • Requires much thought and preplanning
  • Actual implementation process very simple
  • Best practices
  • Secure Standalone root CA in a vault
  • On-line, hardened, protected, Subordinate
    Enterprise CA

25
Prepare CA for Key Recovery- Create Key Recovery
Group and give it enroll permission on the Key
recovery certificate
26
Prepare CA for Key Recovery- Add Key Recovery
Agent certificate to those the CA can issue
27
Prepare CA for Recovery Have Key Recovery
Agents obtain Key Recovery certificate
28
Prepare CA for Recovery Assign the Key Recovery
Agents Recovery certificate to the CA
29
Create Custom Template for EFS Allow private
key to be exported
30
Create Custom Template for EFS Require that
new certificates supercede old
31
Transition to new Certificates
  • Undo steps taken previously to prevent EFS
  • New users will automatically receive new
    certificate and keys will be archived
  • If current users, will need to obtain new
    certificate
  • Previously encrypted files must be decrypted and
    then encrypted using new certificates

32
Test! View certificates to insure key has been
archived, obtain certificate serial number
33
Test! Log on key recovery agent and recover key
Certutil GetKey 11867e520000000000006 outputblob
34
Test!Retrieve key and place in certificate file
for user
Certutil recoverkey outputblob admin.pfx
35
Questions?
  • For more information
  • Microsoft whitepaper http//www.microsoft.com/win
    dowsxp/pro/techinfo/planning/pkiwinxp/default.asp
  • My Ebook .NET Server Security volumes 1, 3, 5 at
    NETIQ http//www.netiq.com/offers/securityebook/re
    gister.asp
  • Get your copy of RC1 and set up your own test
    now! http//www.microsoft.com/windows.netserver/pr
    eview/default.mspx

36
Questions for Roberta?
  • Click on the
  • Ask a Question button on the left side of your
    screen
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Protecting Sensitive Data with Windows .NET Server" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!