Troubleshoot Access, Authentication, and User Account Control Issues Lesson 8.

Troubleshoot Access, Troubleshoot Access, Authentication, and Authentication, and

User Account Control User Account Control IssuesIssues

Lesson 8

Skills MatrixSkills Matrix

Technology Skill Objective Domain Skill Domain #Troubleshooting UAC Application Compatibility Issues

Troubleshoot deployment issues• Resolve application compatibility issues

1.5

Configuring and Troubleshooting Access to Encrypted Resources

Configure and troubleshoot access to resources

2.6

Understanding EFS EFS and BitLocker 2.6

Using the Encrypting File System Wizard

EFS and BitLocker 2.6


Technology Skill Objective Domain Skill Domain #Troubleshooting EFS EFS and BitLocker 2.6

Configuring EFS Group Policy Settings


Understanding BitLocker EFS and BitLocker 2.6

Configuring BitLocker Group Policy


Troubleshooting Authentication Issues

Troubleshoot authentication issues

2.7


Technology Skill Objective Domain Skill Domain #Troubleshooting User Name and Password

User name and password 2.7

Understanding and Renewing Smart Card Certificates

• Certificates• Smart cards

2.7

Understanding User Account Control

Configure and troubleshoot User Account Control

2.8

Understanding the Principle of Least Privilege


2.8


Technology Skill Objective Domain Skill Domain #Understanding the Consent UI

Configure credential prompts

2.8

Understanding the Secure Desktop


2.8

Understanding Admin Approval Mode

Administrator vs. standard user

2.8


Technology Skill Objective Domain Skill Domain #Understanding File and Registry Virtualization

Resolve UAC virtualization issues

2.8

Troubleshooting UAC Application Compatibility Issues

Troubleshoot application issues

2.8

Configuring UAC Group Policy

• Configure credential prompts• Troubleshoot policy settings

2.8

User Account Control (UAC) is primarily an effort to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode unless it is necessary to do otherwise. Essentially, User Account Control enforces the principle of least privilege.

Understanding User Account Control

Understanding User Account ControlUnderstanding User Account Control

The principle of least privilege limits exposure to security threats by limiting user privileges to the minimum required to complete required tasks.

The principle of least privilege is an important principle in IT security.

Understanding User Account Control (cont.)


The Consent UI consists of UAC dialog boxes that prompt for consent or administrator credentials when you attempt a task that requires elevated privileges.

Understanding the Consent UI


The Secure Desktop helps to prevent hackers from circumventing the UAC Consent UI.

The Secure Desktop is a desktop that Windows Vista uses to protect against malware fooling users into selecting an option that they do not mean to accept by altering the user interface (UI).

Understanding the Secure Desktop


Just before a Consent UI appears, Secure Desktop takes a picture of the desktop, converts it to grayscale, dims it, and replaces your background with it. Then Windows Vista launches an instance of terminal services that displays the Consent UI.

Understanding the Secure Desktop (cont.)


Admin Approval Mode is a mode in which administrators must give consent for applications to use the administrator token.

The UAC in Windows Vista implements a split token when you log on as an administrator, which means that you are issued two tokens: an administrator token (AT) and a standard user token (SUT).

Understanding Admin Approval Mode


The AT is filtered to create the SUT by removing privileges.

When you are logged on as an administrator, any process that you start by default receives your SUT. If a process you start requests an AT, then the process is issued your AT only after you grant consent through the Consent UI.

Understanding Admin Approval Mode (cont.)


When you start a process (application), Windows Vista issues the SUT by default. A process can be excepted from the default if one or more of the following is true:

If you right-clicked and selected Run as administrator

If you used the Ctrl + Shift + Enter shortcut to start an application



A process can be excepted from the default if one or more of the following is true (cont.):

If the Run this program as an administrator check box in the Compatibility tab is selected

If Windows Vista guesses it is an installer

If the Program Compatibility Assistant has marked it as requiring administrative privileges



A process can be excepted from the default if one or more of the following is true (cont.):

If the application has a Vista manifest indicating that it requires administrative privileges

If the Sysmain.sdb database file has it marked as requiring administrative privileges

If it is started by a process that is running with elevated privileges. In this case, no consent UI is presented.



The Power Users group has been deprecated, and standard users have increased privileges.

There are only two account types in Windows Vista: standard user and administrator.

Windows Vista allows some tasks to be completed by standard users that were previously only completed by administrators.

Understanding Changes to User Accounts


File and registry virtualization increases compatibility with legacy applications by redirecting reads and writes to sensitive areas of the hard drive and registry.

Understanding File and Registry Virtualization


Like many security innovations, UAC can cause compatibility issues with legacy applications. The following are some manifestations of compatibility issues caused by UAC.

Windows Vista may not correctly detect an installer, uninstaller, or updater.

Applications that require administrative privileges but run by using a SUT token may have tasks that fail.

Troubleshooting UAC Application Compatibility Issues


The following are some manifestations of compatibility issues caused by UAC (cont.).

Applications may fail to perform tasks for which the current user does not have necessary permissions.

Control panel applications that perform administrative tasks and make global changes may not function properly.

Troubleshooting UAC Application Compatibility Issues (cont.)


The following are some manifestations of compatibility issues caused by UAC (cont.).

DLL applications that run using RunDLL32.EXE may not function properly if they perform global operations.

Troubleshooting UAC Application Compatibility Issues (cont.)


UAC Group Policy is configured in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Configuring UAC Group Policy


Open the Group Policy Object Editor with administrator credentials.

• Expand Computer Configuration > Windows Settings > Security Settings > Local Policies, and then select Security Options. All of the UAC Group Policy settings start with User Account Control.

Configuring UAC Group Policy Settings


Encrypting File System and BitLocker are used to encrypt data. Part of an administrator’s job is to ensure that those people that should have access to encrypted resources do have access and to make encryption as transparent to users as possible.

Configuring and Troubleshooting Access to Encrypted Resources

Configuring and Troubleshooting Configuring and Troubleshooting Access to Encrypted ResourcesAccess to Encrypted Resources

EFS has the following characteristics:

EFS uses a strong public key-based cryptography. The encrypted encryption keys are stored within the file and are decrypted with a private key.

Users with roaming profiles or redirected folders cannot use EFS unless the files being encrypted are stored locally.

Understanding EFS


EFS has the following characteristics (cont.):

You can use EFS to encrypt and decrypt files on remote systems, but not to encrypt transmission of files across the network.

Files or folders that are compressed cannot be encrypted. If you mark a compressed file or folder for encryption, that file or folder will be uncompressed and then encrypted.

Understanding EFS (cont.)


• EFS has the following characteristics (cont.):

Encrypted files become decrypted if you copy or move them to a volume that is not an NTFS volume.

Moving unencrypted files into an encrypted folder will automatically encrypt those files. However, the reverse operation will not automatically decrypt files.



• EFS has the following characteristics (cont.):

Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory.

Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.



File encryption keys are also encrypted separately with the private keys of any recovery agents for the domain. This allows the recovery agents to decrypt files in case a user loses his private key.

Recovery agent – User that can decrypt encrypted data in the domain.



Windows Vista introduces the Encrypting File System Wizard in Control Panel. You can use the wizard to do the following:

Select an EFS certificate and key to use for EFS

Create a new EFS certificate and key

Back up an EFS certificate and key

Restore an EFS certificate and key

Using the Encrypting File System Wizard


You can use the wizard to do the following (cont.):

Set EFS to use an EFS certificate and key located on a smart card

Put an EFS certificate and key on a smart card

Update previously encrypted files to use a different certificate and key

Using the Encrypting File System Wizard (cont.)


The primary problems you will encounter with EFS are lost certificates and file sharing of encrypted files.

Troubleshooting EFS


To share an encrypted file between users, log on as the user for which you want to export a certificate and click Start.

• In the Start Search text box, key certmgr.msc and then press Enter. The Microsoft Management Console (MMC) appears with the Certificate Manager Snap-in loaded.

Exporting an EFS Certificate


• In the console tree, expand Personal, and then select Certificates.

• In the details pane, right-click the certificate that you want to export, point to All Tasks, and then click Export. The Certificate Export Wizard appears.

• Click Next. The Export Private Key page appears.

Exporting an EFS Certificate (cont.)


• Select No, do not export the private key.

• Click Next. The Export File Format page appears. Select the format that you want to use.

• Click Next. The File to Export page appears.

• In the File name text box, enter a path and filename, or click Browse to browse for the file.



• Click Next. The Completing the Certificate Export Wizard page appears. Click Finish.

• In the Certificate Export Wizard message box confirming the export, click OK.



To give another user access to an encrypted file by adding that user’s certificate to the file, open certmgr.msc.

• In the console tree of the Certificate Manager Snap-in, right-click Trusted People, point to All Tasks, and then select Import.

• Click Next. The File to Import page appears.

Importing a Certificate from a Trusted Person


• In the File name text box, enter the path and filename of the certificate that you want to import.

• Click Next. The Certificate Store page appears.

• The wizard selects the Place all certificates in the following store option by default. Ensure that Trusted People is present in the Certificate store text box, and then click Next.

Importing a Certificate from a Trusted Person (cont.)


• The Completing the Certificate Import Wizard page appears. Verify that the wizard lists the correct settings, and then click Finish.

• In the Certificate Import Wizard message box announcing the successful import, click OK.

Importing a Certificate from a Trusted Person (cont.)


To access an EFS encrypted file from two different computers or to restore an EFS certificate and private key that you backed up earlier, open certmgr.msc.

• In the console tree of the Certificate Manager Snap-in, right-click Personal, point to All Tasks, and then select Import.

Importing/Restoring from Backup an EFS Certificate/Private Key


• Click Next. The File to Import page appears.

• In the File name text box, enter the path and filename of the certificate that you want to import, or click Browse to locate the file.

• Click Next. Depending on what type of certificate you are importing, the remaining pages of the wizard will vary. Follow the onscreen prompts to complete the import.

Importing/Restoring from Backup an EFS Certif./Private Key (cont.)


Adding a Certificate to an EFS Encrypted File


User Access to Path dialog box for an example file and user

If encryption failed and you receive the following message: “Recovery policy configured for this system contains invalid recovery certificate,” it is likely that you need to renew one or more certificates for recovery agents.

Renewing a Certificate for a Recovery Agent


Open certmgr.msc.

• In the console tree of the Certificates console, expand Personal, and then select Certificates.

• In the details pane, right-click the certificate that you want to renew, and point to All Tasks.

• Point to Advanced Operations, and then select Renew this certificate with the same key.

Renewing a Certificate for a Recovery Agent (cont.)


• Click Next. The Request Certificates page appears. Click Enroll.

• The new certificate is issued, and the Certificate Installation Results page appears.

• Click Finish.

Renewing a Certificate for a Recovery Agent (cont.)


EFS Group Policy settings are configured in Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.

Configuring EFS Group Policy Settings


BitLocker – Encrypts all of the data stored on the Windows operating system volume and works in conjunction with Trusted Platform Modules.

Bitlocker is available in Vista Enterprise and Vista Ultimate.

Understanding BitLocker


BitLocker can work in conjunction with Trusted Platform Module (TPM) version 1.2 or higher.

When you start your computer, the TPM compares a hash of a subset of operating system files to a hash calculated earlier of the same operating system files. Only if the two hashes are exactly equal does your computer boot normally.

Understanding BitLocker (cont.)


BitLocker can also be used without a TPM, in which case the encryption keys are stored on a USB flash drive that is required to decrypt the data stored on a volume secured with BitLocker.

Because BitLocker encrypts the entire volume independent of the operating system, encryption is not easily compromised even if a hacker has physical access to the hard drive.



To assist in preparing a drive for BitLocker, you can use the BitLocker Drive Preparation Tool, which will help you to:

Create the second volume that BitLocker requires

Migrate the boot files to the new volume

Make the new volume an active volume



Recovery mode – Mode present before Windows has started in which you can provide credentials to cause BitLocker to allow the operating system to boot. You will need to supply the recovery password to leave recovery mode and boot normally.



Install the BitLocker Drive Preparation Tool. The BitLocker Drive Preparation Tool creates a new partition, from which it creates a new disk called Local Disk (S:).

The new partition is set as the active partition, meaning that your computer will boot from it.

Preparing for BitLocker by Using the Drive Preparation Tool


Log on with an administrator account.

• Click Start > All Programs > Accessories > System Tools > BitLocker > BitLocker Drive Preparation Tool. A User Account Control dialog box appears.

• Click Continue. The BitLocker Drive Preparation Tool Wizard appears. Click I Accept if you accept the terms of the license agreement.

Preparing for BitLocker by Using the Drive Preparation Tool (cont.)


• The Preparation Drive for BitLocker page appears. Read the cautions, and then click Continue.

• The tool will prepare your drive, which can take substantial time. When the process is complete, click Finish.

• In the BitLocker Drive Encryption message box, click Restart Now.

Preparing for BitLocker by Using the Drive Preparation Tool (cont.)


Windows Vista provides a wizard that you can use to manage your BitLocker keys.

• Click Start, click Control Panel, and then click Security.

• Click Manage BitLocker keys under BitLocker Drive Encryption. A User Account Control dialog box appears.

Accessing the Manage BitLocker Keys Wizard


• Provide administrator credentials, and then click OK.

• The Manage BitLocker Keys Wizard appears. Follow the instructions in the wizard.

Accessing the Manage BitLocker Keys Wizard (cont.)


BitLocker Group Policy settings are located in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

Configuring BitLocker Group Policy


Most authentication issues concern user names and passwords. Other common authentication issues involve authentication by using smart cards.

Troubleshooting Authentication Issues

Troubleshooting Authentication IssuesTroubleshooting Authentication Issues

Finding a User’s User Name


Find Users, Contacts, and Groups dialog box enables you to find active directory objects, such as a user.

Resetting a User’s Password


Reset Password dialog box

Smart card – Plastic card about the size of a credit card that contains a microprocessor. Smart cards are commonly used to store digital signatures, authenticate users, and store encryption keys to encrypt or decrypt data.

Smart card certificates are used in conjunction with a PIN number to authenticate a user to the domain.

Understanding and Renewing Smart Card Certificates


Many enterprise environments will use certificate autoenrollment.

Certificate autoenrollment – Feature of Windows Server 2003 Enterprise Edition that automatically uses the existing certificate to sign a renewal request for a new certificate before the existing certificate expires.

Renewing a Certificate


Open the Certificate Manager console.

• Expand Personal, and then select Certificates.

• In the details pane, right-click the certificate that you want to renew, and point to All Tasks.

• Do one of the following: Click Renew Certificate with New Key, or Point to Advanced Operations and click Renew this certificate with the same key.

Renewing a Certificate (cont.)


• The Certificate Enrollment Wizard appears.

• Click Next. The Request Certificate page appears.

• Click Enroll. The certificate is renewed, and the Certificate Installation Results page appears. Click Finish.

Renewing a Certificate (cont.)


Log on to the issuing certificate authority and open the Certification Authority console.

• In the Certification Authority console, expand the certificate authority, and then select Pending Requests.

• Right-click the pending certificate in the details pane that you want to issue, point to All Tasks, and then click Issue. The certificate is issued.

Approving a Certificate Request


SummarySummary

User Account Control increases security by helping to enforce the principle of least privilege.

The principle of least privilege limits exposure to security threats by limiting user privileges to the minimum required to complete required tasks.

You Learned

SummarySummary

The Consent UI is a collection of UAC dialog boxes that prompt for consent or for administrator credentials when you attempt a task that requires elevated privileges.

The Secure Desktop helps to prevent hackers from circumventing the UAC Consent UI.

You Learned (cont.)

SummarySummary

Admin Approval Mode is a mode in which administrators must give consent for applications to use the administrator token.

The Power Users group has been deprecated, and standard users have increased privileges.

You Learned (cont.)

SummarySummary

File and registry virtualization increases compatibility with legacy applications by redirecting reads and writes to sensitive areas of the hard drive and registry.

UAC, like many security innovations, can cause compatibility issues with legacy applications.

You can simultaneously centrally manage the behavior of UAC for many computers by using Group Policy.

You Learned (cont.)

SummarySummary

Encrypting File System and BitLocker are used to encrypt data. Part of an administrator’s job is to ensure that those people who should have access to encrypted resources do have access and to make encryption as transparent to users as possible.

The Encrypting File System Wizard can help users to manage their encrypted files and EFS certificates.

You Learned (cont.)

SummarySummary

The primary troubleshooting issues you will encounter with EFS are lost certificates and how to help users share encrypted files.

You learned how to export an EFS certificate and an associated private key.

You learned how to import a certificate from a trusted person.

You Learned (cont.)

SummarySummary

You learned how to import or restore from backup an EFS certificate and private key.

You learned how to add a certificate to an EFS encrypted file.

You learned how to renew a certificate for a Recovery Agent.

You learned how to configure EFS Group Policy settings.

You Learned (cont.)

SummarySummary

BitLocker encrypts all of the data stored on the Windows operating system volume and works in conjunction with Trusted Platform Modules.

You learned how to prepare a drive for BitLocker by using the BitLocker Drive Preparation Tool.

You learned how to access the Manage BitLocker Keys Wizard.

You Learned (cont.)

SummarySummary

You can configure the behavior of BitLocker by using Group policy.

Most authentication issues concern user names and passwords. Other common authentication issues involve authentication by using smart cards.

You learned how to finding a user’s user name and reset a user’s password.

You Learned (cont.)

SummarySummary

Smart card certificates are used in conjunction with a PIN number to authenticate a user to the domain.

You learned how to renew a certificate and approve a certificate request.

You Learned (cont.)

Date post:	11-Jan-2016
Category:	Documents
Upload:	simon-gray
View:	226 times
Download:	1 times

Troubleshoot Access, Authentication, and User Account Control Issues Lesson 8.

Documents