Manage File Services - MCSA Windows Server 2012 R2 Administration Study Guide Exam 70-411 (2015)


Chapter 2
Manage File Services

THE FOLLOWING 70-411 EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1. Configure Distributed File System (DFS)

§ Install and configure DFS namespaces

§ Configure DFS Replication Targets

§ Configure Replication Scheduling

§ Configure Remote Differential Compression settings

§ Configure staging

§ Configure fault tolerance

§ Clone a DFS database

§ Recover DFS databases

§ Optimize DFS replication

2. Configure File Server Resource Manager (FSRM)

§ Install the FSRM role service

§ Configure quotas

§ Configure file screens

§ Configure reports

§ Configure file management tasks

3. Configure file and disk encryption

§ Configure Bitlocker encryption

§ Configure the Network Unlock feature

§ Configure Bitlocker policies

§ Configure the EFS recovery agent

§ Manage EFS and Bitlocker certificates including backup and restore

4. Configure advanced audit policies

§ Implement auditing using Group Policy and AuditPol.exe

§ Create expression-based audit policies

§ Create removable device audit policies

In this chapter, I will show you how to set up one of the more important server types: a file server. File servers are important because you need storage allocation where you can store files on your server.

Microsoft Windows Server 2012 R2 is used for all the server types in this chapter. Although other operating systems can be used, this chapter refers only to Windows Server 2012 R2.

Configuring File Server Resource Manager

As an administrator, when you need to control and manage the amount and type of data stored on your servers, Microsoft delivers the tools to help you do just that. The File Server Resource Manager (FSRM) is a suite of tools that allows an administrator to place quotas on folders or volumes, filter file types, and create detailed storage reports. These tools allow an administrator to properly plan and implement policies on data as needed.

FSRM Features

Many of the advantages of using FSRM come from all of the included features, which allow administrators to manage the data that is stored on their file servers. Some of the advantages included with FSRM are as follows:

Configure File Management Tasks FSRM allows an administrator to apply a policy or action to data files. Some of the actions that can be performed include the ability to encrypt files or run a custom command.

Configure Quotas Quotas give an administrator the ability to limit how much disk space a user can use on a file server. Administrators have the ability to limit space to an entire volume or to specific folders.

File Classification Infrastructure Administrators can set file classifications and then manage the data more effectively by using these classifications. Classifying files, and then setting policies to those classifications, allows an administrator to set policies on those classifications. These policies include restricting file access, file encryption, and file expirations.

Configure File Screens Administrators can set file screening on a server and limit the types of files that are being stored on that server. For example, an administrator can set a file screen on a server so that any file ending in .bmp gets rejected.

Configure Reports Administrators can create reports that show them how data is classified and accessed. They also have the ability to see which users are trying to save unauthorized file extensions.

Installing the FSRM Role Service

Installing FSRM is easy when using either Server Manager or PowerShell. To install using Server Manager, you go into Add Roles And Features and choose File And Storage Services ⇒ File Services ⇒ File Server Resource Manager. To install FSRM using PowerShell, you use the following command:

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Configuring FSRM using the Windows GUI version is straightforward, but setting up FSRM using PowerShell is a bit more challenging. Table 2.1 describes some of the PowerShell commands for FSRM.

TABLE 2.1 PowerShell commands for FSRM

PowerShell cmdlet               Description
Get-FsrmAutoQuota               Gets auto-apply quotas on a server
Get-FsrmClassification          Gets the status of the running file classification
Get-FsrmClassificationRule      Gets classification rules
Get-FsrmFileGroup               Gets file groups
Get-FsrmFileScreen              Gets file screens
Get-FsrmFileScreenException     Gets file screen exceptions
Get-FsrmQuota                   Gets quotas on the server
Get-FsrmSetting                 Gets the current FSRM settings
Get-FsrmStorageReport           Gets storage reports
New-FsrmAutoQuota               Creates an auto-apply quota
New-FsrmFileGroup               Creates a file group
New-FsrmFileScreen              Creates a file screen
New-FsrmQuota                   Creates an FSRM quota
New-FsrmQuotaTemplate           Creates a quota template
Remove-FsrmClassificationRule   Removes classification rules
Remove-FsrmFileScreen           Removes a file screen
Remove-FsrmQuota                Removes an FSRM quota from the server
Set-FsrmFileScreen              Changes the configuration settings of a file screen
Set-FsrmQuota                   Changes the configuration settings for an FSRM quota
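The following script is an added example, not from the book, that puts several of the Table 2.1 cmdlets together: a quota template with threshold notifications, an auto-apply quota for per-user folders, and the .bmp file screen mentioned under Configure File Screens. The share path, template name, and e-mail address are hypothetical; run it in an elevated PowerShell session on the file server after FSRM is installed.

```powershell
# Added example (not from the book): configure FSRM quotas and a file screen
# with the cmdlets from Table 2.1. Paths, names and addresses are hypothetical.
Import-Module FileServerResourceManager

$share = 'D:\Shares\Users'    # hypothetical share root, one subfolder per user
if (-not (Test-Path $share)) { New-Item -ItemType Directory -Path $share | Out-Null }

# 1. Quota template: 5 GB hard limit, a warning in the Application log at 85%
#    and an e-mail to the storage team at 100%. The bracketed names are FSRM
#    notification variables that FSRM fills in when the threshold fires.
$warnAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has used [Quota Used Percent]% of the quota on [Quota Path].'
$mailAction = New-FsrmAction -Type Email -MailTo 'storage-admins@example.com' `
    -Subject 'Quota limit reached on [Quota Path]' `
    -Body 'The quota on [Quota Path] has been exhausted.'
$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $warnAction),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $mailAction)
)
New-FsrmQuotaTemplate -Name '5GB User Limit' -Size 5GB -Threshold $thresholds | Out-Null

# 2. Auto-apply quota: every existing and future subfolder of the share gets
#    its own 5 GB quota derived from the template, so new users are covered
#    without an administrator touching each folder.
New-FsrmAutoQuota -Path $share -Template '5GB User Limit' | Out-Null

# 3. File screen for the chapter's .bmp example. A file group holds the
#    patterns; an active screen rejects matching writes and logs who tried.
New-FsrmFileGroup -Name 'Bitmap Images' -IncludePattern '*.bmp' | Out-Null
$screenLog = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path].'
New-FsrmFileScreen -Path $share -IncludeGroup 'Bitmap Images' -Active `
    -Notification $screenLog | Out-Null

# 4. Verify what is now enforced under the share.
Get-FsrmQuota | Where-Object Path -like "$share\*" |
    Select-Object Path, Size, Usage, SoftLimit
Get-FsrmFileScreen -Path $share | Select-Object Path, IncludeGroup, Active
```

Set-FsrmFileScreen and Set-FsrmQuota from the same table change the screen or quota later without recreating them.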

Configure File and Disk Encryption

Hardware and software encryption are some of the most important actions you can take as an administrator. You must make sure that if anyone steals hardware from your company or from your server rooms that the data they are stealing is secured and cannot be used. This is where BitLocker can help.

Using BitLocker Drive Encryption

To prevent individuals from stealing your computer and viewing personal and sensitive data found on your hard disk, some editions of Windows come with a new feature called BitLocker Drive Encryption. BitLocker encrypts the entire system drive. New files added to this drive are encrypted automatically, and files moved from this drive to another drive or computers are decrypted automatically.

Only Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Pro, Windows 8 Enterprise, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 include BitLocker Drive Encryption, and only the operating system drive (usually C:) or internal hard drives can be encrypted with BitLocker. Files on other types of drives must be encrypted using BitLocker To Go. BitLocker To Go allows you to put BitLocker on removable media such as external hard disks or USB drives.

BitLocker uses a Trusted Platform Module (TPM) version 1.2 or newer to store the security key. A TPM is a chip that is found in newer computers. If you do not have a computer with a TPM, you can store the key on a removable USB drive. The USB drive will be required each time you start the computer so that the system drive can be decrypted.

If the TPM discovers a potential security risk, such as a disk error or changes made to the BIOS, hardware, system files, or startup components, the system drive will not be unlocked until you enter the 48-digit BitLocker recovery password or use a USB drive with a recovery key as a recovery agent.

BitLocker must be set up either within the Local Group Policy editor or through the BitLocker icon in the control panel. One advantage of using BitLocker is that you can prevent any unencrypted data from being copied onto a removable disk, thus protecting the computer.

BitLocker Recovery Password

The BitLocker recovery password is important. Do not lose it, or you may not be able to unlock the drive. Even if you do not have a TPM, be sure to keep your recovery password in case your USB drive becomes lost or corrupted.

BitLocker requires that you have a hard disk with at least two partitions, both formatted with NTFS. One partition will be the system partition that will be encrypted. The other partition will be the active partition that is used to start the computer. This partition will remain unencrypted.

Features of BitLocker

As with any version of Windows, Microsoft continues to improve on the technologies used in Windows Server 2012 R2 and Windows 8. The following sections cover some of the features of BitLocker.

BitLocker Provisioning

In previous versions of BitLocker (Windows Vista and Windows 7), BitLocker provisioning (system and data volumes) was completed during the postinstallation of the BitLocker utility. BitLocker provisioning was done through either the command-line interface (CLI) or the control panel. In the Windows 8/Windows Server 2012 R2 version of BitLocker, an administrator can choose to provision BitLocker before the operating system is even installed.

Administrators have the ability to enable BitLocker prior to the operating system deployment from the Windows Preinstallation Environment (WinPE). BitLocker is applied to the formatted volume, and BitLocker encrypts the volume prior to running the Windows setup process.

If an administrator wants to check the status of BitLocker on a particular volume, the administrator can view the status of the drive either in the BitLocker control panel applet or in Windows Explorer.

Used Disk Space–Only Encryption

Windows 7 BitLocker requires that all data and free space on the drive must be encrypted. Because of this requirement, the encryption process can take a long time on larger volumes. In Windows 8 BitLocker, administrators have the ability to encrypt either the entire volume or just the space being used. When you choose the Used Disk Space Only option, only the section of the drive that contains data will be encrypted. Because of this, encryption is completed much faster.

Standard User PIN and Password Change

One issue that BitLocker has had in the past is that you need to be an administrator to configure BitLocker on operating system drives. This could become an issue in a large organization because deploying TPM + PIN to a large number of computers can be challenging.

Even with the new operating system changes, administrative privileges are still needed to configure BitLocker, but now your users have the ability to change the BitLocker PIN for the operating system or change the password on the data volumes.

When a user gets to choose their own PIN and password, they normally choose something that has meaning to them and something that is easy to remember. That is a good and bad thing at the same time. It’s a good thing because when your users choose their own PIN and password, they normally don’t need to write it down—they just know it. It’s a bad thing because if anyone knows the user well, they can have an easier time figuring out the person’s PIN and password. Even when you allow your users to choose their own PIN and password, make sure you set a GPO to require password complexity.

Network Unlock

One of the new features of BitLocker is called Network Unlock. Network Unlock allows administrators to easily manage desktops and servers that are configured to use BitLocker. Network Unlock allows an administrator to configure BitLocker to automatically unlock an encrypted hard drive during a system reboot when that hard drive is connected to the trusted corporate environment. For this to function properly on a machine, there has to be a DHCP driver implementation in the system’s firmware.

If your operating system volume is also protected by TPM + PIN protection, the administrator has to enter the PIN at the time of the reboot. This protection makes Network Unlock more cumbersome to use, but the two can be used in combination.

Support for Encrypted Hard Drives for Windows

One of the new advantages of using BitLocker is Full Volume Encryption (FVE). BitLocker provides built-in encryption for Windows data files and Windows operating system files. The advantage of this type of encryption is that encrypted hard drives that use Full Disk Encryption (FDE) get each block of the physical disk space encrypted. Because each physical block gets encrypted, it offers much better encryption. The only downside to this is that because each physical block is encrypted, it degrades the hard drive speed somewhat. So, as an administrator, you have to decide whether you want better speed or better security on your hard disk.

Windows 7 and 2008 R2 vs. Windows 8 and 2012 R2

The real question is what’s the difference between Windows 7/Windows 2008 R2 and Windows 8/Windows Server 2012 R2? Table 2.2 shows you many of the common features and how they work then and now.

TABLE 2.2 BitLocker then and now

Resetting the BitLocker PIN or password
  Windows 7/Server 2008 R2: The user’s privileges must be set to an administrator if you want to reset the BitLocker PIN on an operating system drive and the password on a fixed or removable data drive.
  Windows 8/Server 2012 R2: Standard users now have the ability to reset the BitLocker PIN and password on operating system drives, fixed data drives, and removable data drives.

Disk encryption
  Windows 7/Server 2008 R2: When BitLocker is enabled, the entire disk is encrypted.
  Windows 8/Server 2012 R2: When BitLocker is enabled, users have the ability to choose whether to encrypt the entire disk or only the used space on the disk.

Hardware-encrypted drive support
  Windows 7/Server 2008 R2: Not supported.
  Windows 8/Server 2012 R2: If the Windows logo hard drive comes pre-encrypted from the manufacturer, BitLocker is supported.

Unlocking using a network-based key to provide dual-factor authentication
  Windows 7/Server 2008 R2: Not available.
  Windows 8/Server 2012 R2: If a computer on the trusted corporate wired network is rebooted, the network key protector unlocks the drive and skips the PIN entry.

Protection for clusters
  Windows 7/Server 2008 R2: Not available.
  Windows 8/Server 2012 R2: Windows Server 2012 R2 BitLocker includes the ability to support cluster-shared volumes and failover clusters as long as they are running in a domain that was established by a Windows Server 2012 R2 domain controller with the Kerberos Key Distribution Center Service enabled.

Linking a BitLocker key protector to an Active Directory account
  Windows 7/Server 2008 R2: Not available.
  Windows 8/Server 2012 R2: BitLocker allows a user, group, or computer account in Active Directory to be tied to a key protector. This key protector allows protected data volumes to be unlocked.

In Exercise 2.1, you will enable BitLocker on the Windows Server 2012 R2 system.

EXERCISE 2.1: Enabling BitLocker in Windows Server 2012 R2

1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.

2. Select Add Roles And Features from the dashboard.

3. Select Next at the Before you begin pane (if shown).

4. Select Role-based or feature-based installation and select Next to continue.

5. Select the Select a server from the server pool option and click Next.

6. At the Select Server Roles screen, click Next.

7. At the Select Features screen, click the BitLocker Drive Encryption check box. When the Add Roles And Features dialog box appears, click the Add Features button. Then click Next.

8. Select the Install button on the Confirmation pane of the Add Roles And Features Wizard to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the Restart The Destination Server Automatically If Required option in the Confirmation pane will force a restart of the computer after installation is complete.

9. If the Restart The Destination Server Automatically If Required check box is not selected, the Results pane of the Add Roles And Features Wizard will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.

You also can install BitLocker by using the Windows PowerShell utility. To install BitLocker, use the following PowerShell command:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
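Once the feature is installed, the script below is an added example (not from the book) of turning BitLocker on for the operating system drive the way the preceding sections describe: it checks the TPM, encrypts used space only, adds the 48-digit recovery password, and escrows that password in Active Directory so it is not lost. It assumes a TPM 1.2 or newer, a domain-joined server whose Group Policy permits recovery information backup to AD DS, and an elevated PowerShell session.

```powershell
# Added example (not from the book): enable BitLocker on the OS drive with a
# TPM protector plus an escrowed recovery password. Assumes a TPM 1.2+ system
# and an AD domain configured to accept BitLocker recovery information.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$osDrive = 'C:'

# 1. Confirm the TPM that BitLocker will seal the volume key to is usable.
#    Without one, the chapter's alternative is a USB startup key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; use a USB startup key protector instead.'
}

# 2. Encrypt only the used space (the faster Windows 8/2012 R2 option) and
#    protect the volume with the TPM. -SkipHardwareTest avoids the extra
#    reboot that tests the protector before encryption starts.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 `
    -UsedSpaceOnly -TpmProtector -SkipHardwareTest

# 3. Add the 48-digit recovery password and back it up to Active Directory.
#    This is the key the chapter warns you not to lose: if the TPM sees a
#    boot-chain change, this password is what unlocks the drive.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId

# 4. Report status. ProtectionStatus switches to On once encryption finishes;
#    until then the drive is still being encrypted in the background.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Get-BitLockerVolume is the PowerShell equivalent of the status view mentioned under BitLocker Provisioning.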

Using EFS Drive Encryption

If you have been in the computer industry long enough, you may remember the days when only servers used NTFS. Years ago, most client systems used FAT or FAT32, but NTFS had some key benefits over FAT/FAT32. The main advantages were NTFS security, quotas, compression, and encryption. Encryption is available on a system because you are using a file structure (for example, NTFS) that allows encryption. Windows Server 2012 R2 NTFS gives administrators all four of these advantages, including encryption.

Encrypting File System (EFS) allows a user or administrator to secure files or folders by using encryption. Encryption employs the user’s security identification (SID) number to secure the file or folder. Encryption is the strongest protection that Windows provides to help you keep your information secure. Some key features of EFS are as follows:

§ Encrypting is simple; just select a check box in the file or folder’s properties to turn it on.

§ You have control over who can read the files.

§ Files are encrypted when you close them but are automatically ready to use when you open them.

§ If you change your mind about encrypting a file, clear the check box in the file’s properties.

To implement encryption, open the Advanced Attributes dialog box for a folder and check the Encrypt Contents To Secure Data box.

If files are encrypted using EFS and an administrator has to decrypt the files, there are two ways to do this. You can log in using the user’s account (the account that encrypted the files) and decrypt the files using the Cipher command. Alternatively, you can become a recovery agent and manually decrypt the files.

If you use EFS, it’s best not to delete users immediately when they leave a company. Administrators have the ability to recover encrypted files, but it is much easier to gain access to the user’s encrypted files by logging in as the user who left the company and unchecking the encryption box.

Using the Cipher Command

The Cipher command is useful when it comes to EFS. Cipher is a command-line utility that allows you to change and/or configure EFS. When it comes to using the Cipher command, you should be aware of a few things:

§ Administrators can decrypt files by running Cipher.exe in the Command Prompt window (advanced users).

§ Administrators can use Cipher to modify an EFS-encrypted file.

§ Administrators can use Cipher to import EFS certificates and keys.

§ Administrators can also use Cipher to back up EFS certificates and keys.

Let’s take a look at some of the different switches that you can use with Cipher. Table 2.3 describes many of the different Cipher switches you can use. This table comes from Microsoft’s TechNet site. Microsoft continues to add and improve switches, so make sure you check Microsoft’s website to see whether there are any changes.

TABLE 2.3 Using the cipher switches

Cipher switch   Description
/e              This switch allows an administrator to encrypt specified folders. With this folder encrypted, any files added to this folder will automatically be encrypted.
/d              This switch allows an administrator to decrypt specified folders.
/s:dir          By using this switch, the operation you are running will be performed in the specified folder and all subfolders.
/i              By default, when an error occurs, Cipher automatically halts. By using this switch, Cipher will continue to operate even after errors occur.
/f              The force switch (/f) will encrypt or decrypt all of the specified objects, even if the files have been modified by using encryption previously. Cipher, by default, does not touch files that have been encrypted or decrypted previously.
/q              This switch shows you a report about the most critical information of the EFS object.
/h              Normally, system or hidden files are not touched by encryption. By using this switch, you can display files with hidden or system attributes.
/k              This switch will create a new file encryption key based on the user currently running the Cipher command.
/?              This shows the Cipher help command.

Configuring Distributed File System

One problem that network administrators have is deciding how to share folders and communicating to end users how to find the shares. For example, if you share a folder called Stellacon Documents on server A, how do you make sure your users will find the folder and the files within it? The users have to know the server name and the share name. This can be a huge problem if you have hundreds of shares on multiple servers. If you want to have multiple copies of the folder called Stellacon Documents for fault tolerance and load balancing, the problem becomes even more complicated.

Distributed File System (DFS) in Windows Server 2012 R2 offers a simplified way for users to access geographically dispersed files. DFS allows you to set up a tree structure of virtual directories that allows users to connect to shared folders throughout the entire network.

Administrators have the ability to take shared folders that are located on different servers and transparently connect them to one or more DFS namespaces—virtual trees of shared folders throughout an organization. The advantage of using DFS is that if one of the folders becomes unavailable, DFS has failover capability that will allow your users to connect to the data on a different server.

Administrators can use the DFS tools to choose which shared folders will appear in the namespace and also to decide how the names of these shared folders will show up in the virtual tree listing.

Advantages of DFS

One of the advantages of DFS is that when a user views this virtual tree, the shared folders appear to be located on a single machine. These are some of the other advantages of DFS:

Simplified Data Migration DFS gives you the ability to move data from one location to another without the user needing to know the physical location of the data. Because the users do not need to know the physical location of the shared data, administrators can simply move data from one location to another.

Security Integration Administrators do not need to configure additional security for the DFS shared folders. The shared folders use the NTFS and shared folder permissions that an administrator has already assigned when the share was set up.

Access-Based Enumeration (ABE) This DFS feature (disabled by default) displays only the files and folders that a user has permissions to access. If a user does not have access to a folder, Windows hides the folder from the user’s DFS view. This feature is not active if the user is viewing the files and folders locally.

Types of DFS

The following are types of DFS:

DFS Replication Administrators have the ability to manage replication scheduling and bandwidth throttling using the DFS management console. Replication is the process of sharing data between multiple machines. As explained earlier in the section, replicated shared folders allow you to balance the load and have fault tolerance. DFS also has read-only replication folders.

DFS Namespace The DFS Namespace service is the virtual tree listing in the DFS server. An administrator can set up multiple namespaces on the DFS, allowing for multiple virtual trees within DFS. The DFS Namespace service was once known as Distributed File System in Windows 2000 Server and Windows Server 2003 (in case you still use Server 2003).

In Exercise 2.2, you will install the DFS Namespace service on the file server. You need to start the installation using the Server Manager MMC.

EXERCISE 2.2: Installing the DFS Namespace Service

1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.

2. Select Add Roles And Features from the dashboard.

3. Select Next at the Before You Begin pane (if shown).

4. Select Role-Based or Feature-Based installation and select Next to continue.

5. Select the Select A Server From The Server Pool option and click Next.

6. At the Select Server Roles screen, expand File And Storage Services and check the DFS Namespace and DFS Replication check boxes. Then click Next. If a dialog box appears, click the Add Features button.

7. At the Select Features screen, click Next.

8. At the Confirmation screen, click the Install button.

9. After the installation is complete, click the Close button.

10. Close Server Manager.

Once you have installed DFS, it’s time to learn how to manage DFS with the DFS Management MMC. The DFS Management console (see Figure 2.1) gives you one place to do all of your DFS configurations. The DFS Management console allows you to set up DFS Replication and DFS Namespace. Another task you can do in the DFS Management console is to add a folder target—a folder that you add to the DFS namespace (the virtual tree) for all your users to share.


FIGURE 2.1 DFS Management console

What’s New in Windows Server 2012 R2

As with any new version of an operating system, Microsoft is trying to make each version of Windows Server better than the previous ones. This is also true with DFS. Microsoft has added many new features to DFS, and the following are just some of the major changes in Windows Server 2012 R2 DFS.

Windows PowerShell Module for DFS Replication

Windows PowerShell cmdlets in the DFS Replication module can help administrators perform the majority of their DFS replication tasks. Administrators can use these cmdlets to perform common administrative tasks such as creating, modifying, and removing DFS replication settings by using Windows PowerShell scripts.

One of the nice new advantages of using Windows PowerShell for DFS is the ability to clone DFS replication databases and also to have the ability to restore those DFS databases in the event of an issue or crash.

Administrators can also manage DFS namespaces and replication through the DFS Management and DFS Replication command-line utilities. Administrators who use the command-line tools are not doing anything incorrectly, but it is an inefficient way to do these tasks as well as being extremely time-consuming.

Administrators can use Windows PowerShell instead of command-line utilities and run hundreds of scripted commands, thus making their jobs easier and more efficient.

For an administrator who wants to use the Windows PowerShell cmdlets, the computer system installed with the DFS Management tools must be running Windows Server 2012 R2 or Windows 8.1 or newer. The DFS Management tools are part of the Remote Server Administration tools.

DFS Replication Windows Management Infrastructure Provider

In this book, I have spoken many times about using Windows Remote Management (WinRM) and how WinRM can help you administer a server remotely.

Introduced in Windows Server 2012 R2, the Windows Management Infrastructure provider (referred to as WMI v2) gives an administrator programmatic access to manage DFS Replication, provided the firewall is configured to allow the remote management traffic.

Database Cloning

For the first time ever in DFS, Windows Server 2012 R2 includes a new DFS database cloning function. This new feature allows administrators to accelerate replication when creating folders, servers, or recovery systems.

Administrators will now have the ability to extract the DFS database from a single DFS server and then clone that database to multiple DFS servers.

Administrators can use PowerShell and the Export-DfsrClone cmdlet to export the DFS database and configuration .xml file settings for a volume. Running this cmdlet triggers an export in the DFS Replication service, and the cmdlet does not return until that export completes. Administrators then use the Import-DfsrClone cmdlet to import the data onto a specific volume on the new server. The service validates that the database was transferred completely.

Recovering a DFS Database

Windows Server 2012 R2 DFS database recovery is a feature that allows DFS to detect a corrupted database, thus allowing DFS to rebuild the database automatically and continue with normal operations of DFS replication. One advantage to this is that when DFS detects and fixes a corrupt database, it does so with no file conflicts.

Prior to this new feature, if a DFS database were determined to be corrupt, DFS Replication would delete the database and start again with an initial nonauthoritative sync process. This would cause newer file versions to be overwritten by older data, causing real data loss.

DFS in Windows Server 2012 R2 uses local files and an update sequence number (USN) to fix a corrupt database, allowing for no loss of data.

Optimizing DFS

Windows Server 2012 R2 DFS allows an administrator to configure variable file staging sizes on individual DFS servers. This allows an administrator to set a minimum file size for a file to stage. This increases the staging size of files, and that in turn increases the performance of the replication.

Prior to Windows Server 2012 R2, DFS Replication used a hard-coded 256KB file size to determine staging requirements. If a file size were larger than 256KB, that file would be staged before it replicated. The more file staging that you have, the longer replication takes on a DFS system.

Remote Differential Compression

One issue that can arise occurs when files are changed. There has to be some mechanism that helps files stay accurate. That’s where the Remote Differential Compression (RDC) feature comes into play. RDC is a group of application programming interfaces (APIs) that programs can use to determine whether files have changed. Once RDC determines that there has been a change, RDC then helps to detect which portions of the files contain the changes. RDC has the ability to detect insertions, removals, and rearrangements of data in files. This feature becomes helpful with limited-bandwidth networks when they replicate changes.

To install the RDC feature, use Server Manager and then run the Add Features Wizard, or type the following command at an elevated command prompt:

Servermanagercmd -Install Rdc
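The script below is an added example (not from the book) that builds the DFS setup described across this section with the DFSN and DFSR PowerShell modules: a domain-based namespace with access-based enumeration, one folder with a target on each of two file servers, a replication group keeping those targets in sync, and the staging-size and RDC tuning from the Optimizing DFS and Remote Differential Compression sections, with the 2012 R2 database-cloning cmdlets at the end. The domain name stellacon.local (after the chapter's Stellacon example), the servers FS01 and FS02, and all paths are hypothetical, and the SMB shares \\FS01\Public, \\FS01\Documents, and \\FS02\Documents are assumed to exist already; the value name given to -MinimumFileStagingSize is as documented for the DFSR module and should be checked against Get-Help on the server.

```powershell
# Added example (not from the book): DFS namespace plus replication with the
# DFSN and DFSR modules. Domain, servers and paths are hypothetical, and the
# target shares are assumed to exist. Run elevated as a domain administrator.
Import-Module DFSN
Import-Module DFSR

$domain  = 'stellacon.local'          # hypothetical domain
$servers = 'FS01', 'FS02'             # hypothetical file servers
$nsPath  = "\\$domain\Public"         # namespace root users browse to
$folder  = 'Documents'                # the chapter's "Stellacon Documents" idea

# 1. Domain namespace (Windows Server 2008 mode) rooted on FS01, with
#    access-based enumeration turned on (it is off by default) so users only
#    see folders they have permission to open.
New-DfsnRoot -Path $nsPath -TargetPath '\\FS01\Public' -Type DomainV2 | Out-Null
Set-DfsnRoot -Path $nsPath -EnableAccessBasedEnumeration $true | Out-Null

# 2. One virtual folder with two targets: if FS01 is unavailable, referrals
#    send users to FS02, and target failback returns them to FS01 later.
New-DfsnFolder -Path "$nsPath\$folder" -TargetPath "\\FS01\$folder" `
    -EnableTargetFailback $true | Out-Null
New-DfsnFolderTarget -Path "$nsPath\$folder" -TargetPath "\\FS02\$folder" | Out-Null

# 3. Replication group so both targets hold the same data. FS01 is the
#    primary (authoritative) member for the initial synchronization.
$rg = 'Public-Documents'
New-DfsReplicationGroup -GroupName $rg | Out-Null
New-DfsReplicatedFolder -GroupName $rg -FolderName $folder | Out-Null
Add-DfsrMember -GroupName $rg -ComputerName $servers | Out-Null
Add-DfsrConnection -GroupName $rg -SourceComputerName 'FS01' `
    -DestinationComputerName 'FS02' | Out-Null     # creates both directions

# 4. Membership per server: content path, an 8 GB staging quota, and the
#    2012 R2 minimum file staging size (files under 1 MB replicate unstaged).
foreach ($s in $servers) {
    Set-DfsrMembership -GroupName $rg -FolderName $folder -ComputerName $s `
        -ContentPath "D:\Shares\$folder" -PrimaryMember ($s -eq 'FS01') `
        -StagingPathQuotaInMB 8192 -MinimumFileStagingSize Size1MB -Force | Out-Null
}

# 5. RDC on every connection: send only changed blocks, but skip RDC for
#    files under 64 KB, where copying the whole file is cheaper.
Get-DfsrConnection -GroupName $rg | ForEach-Object {
    Set-DfsrConnection -GroupName $rg -SourceComputerName $_.SourceComputerName `
        -DestinationComputerName $_.DestinationComputerName `
        -DisableRDC $false -MinimumRDCFileSizeInKB 64 | Out-Null
}

# 6. Health check: replication state on FS01 and the FS01 -> FS02 backlog.
Get-DfsrState -ComputerName 'FS01' | Select-Object -First 5
Get-DfsrBacklog -GroupName $rg -FolderName $folder `
    -SourceComputerName 'FS01' -DestinationComputerName 'FS02'

# 7. Database cloning (Windows Server 2012 R2) to seed another member quickly:
#    export on the primary, copy the export folder and the data to the new
#    server, then import there. Shown commented because it is a one-off step.
# Export-DfsrClone -Volume 'D:' -Path 'D:\DfsrClone'      # on FS01
# Import-DfsrClone -Volume 'D:' -Path 'D:\DfsrClone'      # on the new member
```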

Implementing an Audit Policy

One of the most important aspects of controlling security in networked environments is ensuring that only authorized users are able to access specific resources. Although system administrators often spend much time managing security permissions, it is almost always possible for a security problem to occur.

Sometimes the best way to find possible security breaches is actually to record the actions that specific users take. Then, in the case of a security breach (the unauthorized shutdown of a server, for example), system administrators can examine the log to find the cause of the problem.

The Windows Server 2012 R2 operating system and Active Directory offer you the ability to audit a wide range of actions. In the following sections, you’ll see how to implement auditing for Active Directory.

Overview of Auditing

The act of auditing relates to recording specific actions. From a security standpoint, auditing is used to detect any possible misuse of network resources. Although auditing does not necessarily prevent resources from being misused, it does help determine when security violations have occurred (or were attempted). Furthermore, just the fact that others know that you have implemented auditing may prevent them from attempting to circumvent security.

You need to complete several steps in order to implement auditing using Windows Server 2012 R2:

1. Configure the size and storage settings for the audit logs.

2. Enable categories of events to audit.

3. Specify which objects and actions should be recorded in the audit log.

Note that there are trade-offs to implementing auditing. First, recording auditing information can consume system resources. This can decrease overall system performance and use up valuable disk space. Second, auditing many events can make the audit log impractical to view. If too much detail is provided, system administrators are unlikely to scrutinize all of the recorded events. For these reasons, you should always be sure to find a balance between the level of auditing detail provided and the performance-management implications of these settings.
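As an added example (not from the book), the script below carries out the three steps above for a single file share: it sizes the Security log, enables only the File System subcategory of Object Access with AuditPol.exe, and places a SACL on the folder, which is the per-object step that auditing categories alone do not cover. The folder path and log size are hypothetical; run it in an elevated PowerShell session on the file server. The same subcategory can be set through Group Policy under Advanced Audit Policy Configuration, but AuditPol.exe is what this chapter names.

```powershell
# Added example (not from the book): implement file-access auditing in the
# three steps the chapter lists. Folder and log size are hypothetical.
$folder = 'D:\Shares\Finance'
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Step 1: size and retention of the Security log, so audit entries are not
#         overwritten before anyone has reviewed them.
Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded

# Step 2: enable only the subcategory this needs (Object Access -> File System)
#         instead of the whole category, which keeps the log reviewable.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"

# Step 3: the object itself must carry a SACL. Audit successful and failed
#         write and delete attempts by anyone, inherited by the whole tree.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit     # -Audit reads the SACL (needs admin rights)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the SACL, then look for event ID 4663 ("An attempt was made to access
# an object"), which is what file-system object access auditing writes.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```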

Implementing Auditing

Auditing is not an all-or-none type of process. As is the case with security in general, system administrators must choose specifically which objects and actions they want to audit.

The main categories for auditing include the following:

§ Audit account logon events

§ Audit account management

§ Audit directory service access

§ Audit logon events

§ Audit object access

§ Audit policy change

§ Audit privilege use

§ Audit process tracking

§ Audit system events

In this list of categories, many of the categories are related to Active Directory. Let’s discuss these auditing categories in more detail.

Audit Account Logon Events You enable this auditing event if you want to audit when a user authenticates with a domain controller and logs onto the domain. This event is logged in the security log on the domain controller.

Audit Account Management This auditing event is used when you want to watch what changes are being made to Active Directory accounts. For example, when another administrator creates or deletes a user account, it would be an audited event.

Audit Directory Service Access This auditing event occurs whenever a user or administrator accesses Active Directory objects. Let’s say an administrator opens Active Directory and clicks a user account; even if nothing is changed on that account, an event is logged.

Audit Logon Events Account logon events are created for domain account activity. For example, you have a user who logs on to a server so that they can access files; the act of logging onto the server creates this audit event.

Audit Object Access Audit object access allows you to audit objects within your network such as folders, files, and printers. If you suspect someone is trying to hack into an object (for example, the finance folder), this is the type of auditing that you would use. You still would need to enable auditing on the actual object (for example, the finance folder).

Audit Policy Change Audit policy change allows you to audit changes to user rights assignment policies, audit policies, or trust policies. This auditing allows you to see whether anyone changes any of the other audit policies.

Audit Privilege Use Setting the audit privilege use allows an administrator to audit each instance of a user exercising a user right. For example, if a user changes the system time on a machine, this is a user right. Log on locally is another common user right.

To audit access to objects stored within Active Directory, you must enable the Audit Directory Service Access option. Then you must specify which objects and actions should be tracked.

Exercise 2.3 walks through the steps you must take to implement auditing of Active Directory objects on domain controllers.

EXERCISE 2.3: Enabling Auditing of Active Directory Objects

1. Open the Local Security Policy tool (located in the Administrative Tools program group).

2. Expand Local Policies ⇒ Audit Policy.

3. Double-click the setting for Audit Directory Service Access.

4. In the Audit Directory Service Access Properties dialog box, place check marks next to Success and Failure. Click OK to save the settings.

5. Close the Local Security Policy tool.

Viewing Auditing Information

One of the most important aspects of auditing is regularly monitoring the audit logs. If this step is ignored, as it often is in poorly managed environments, the act of auditing is useless. Fortunately, Windows Server 2012 R2 includes the Event Viewer tool, which allows system administrators to view audited events quickly and easily. Using the filtering capabilities of Event Viewer, they can find specific events of interest.

Exercise 2.4 walks you through the steps that you must take to generate some auditing events and to examine the data collected for these actions. In this exercise, you will perform some actions that will be audited, and then you will view the information recorded within the audit logs. To complete this exercise, you must first have completed the steps in Exercise 2.1 and Exercise 2.3.

EXERCISE 2.4: Generating and Viewing Audit Logs

1. Open the Active Directory Users and Computers tool.

2. Within the Engineering OU, right-click any user account and select Properties.

3. On the user’s Properties dialog box, add the middle initial A for this user account and specify Software Developer in the Description box. Click OK to save the changes.

4. Within the Engineering OU, right-click the Robert Admin user account and select Properties.

5. In the Robert Properties dialog box, add the description Engineering IT Admin and click OK.

6. Close the Active Directory Users and Computers tool.

7. Open the Event Viewer tool from the Administrative Tools program group. Select the Security item under Windows Logs. You will see a list of audited events categorized under Directory Service Access. Note that you can obtain more details about a specific item by double-clicking it.

8. When you have finished viewing the security log, close the Event Viewer tool.

Using the Auditpol.exe Command

There may be a time when you need to look at the actual auditing policies set on a user or a system. This is where an administrator can use the Auditpol.exe command. Auditpol not only lets an administrator view an audit policy; it also lets an administrator set, configure, modify, back up, restore, and even remove an audit policy. Auditpol is a command-line utility, and there are multiple switches that can be used with it. The following is the syntax used with Auditpol.

Auditpol command [<sub-command><options>]

Here’s an example of using the command:

Auditpol /get /user:wpanek /category:"Detailed Tracking" /r

Table 2.4 describes some of the switches.

TABLE 2.4 Auditpol commands

Command    Description
/backup    Allows an administrator to save the audit policy to a file
/clear     Allows an administrator to clear an audit policy
/get       Gives administrators the ability to view the current audit policy
/list      Allows you to view selectable policy elements
/remove    Removes all per-user audit policy settings and disables all system audit policy settings
/restore   Allows an administrator to restore an audit policy from a file that was previously created using auditpol /backup
/set       Gives an administrator the ability to set an audit policy
/?         Displays help
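The steps of Exercises 2.3 and 2.4 and the Auditpol switches in Table 2.4, combined into one PowerShell script as an added example (not the book's own code): it backs up the current policy, enables the Directory Service Access subcategory, verifies the change through Auditpol's CSV output, and then reads the resulting Security log events with Get-WinEvent. The backup path and the one-hour lookback window are assumptions; event ID 4662 is the Windows event logged for directory service object access.

```powershell
# Added example, not from the book. Run in an elevated PowerShell session on a
# domain controller. Objects still need a SACL (Exercise 2.3's "which objects
# and actions" step); the default AD SACLs already generate 4662 events.

$backup = Join-Path $env:TEMP 'auditpol-before.csv'   # assumed backup location

# 1. Save the existing policy so it can be put back with auditpol /restore.
auditpol /backup /file:$backup

# 2. Enable Success and Failure auditing for the Directory Service Access
#    subcategory (the advanced-policy equivalent of Exercise 2.3).
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 3. Verify. /get with /r prints CSV; drop blank lines and parse it to objects.
$policy = auditpol /get /category:"DS Access" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv
$dsAccess = $policy | Where-Object { $_.Subcategory -eq 'Directory Service Access' }
if ($dsAccess.'Inclusion Setting' -ne 'Success and Failure') {
    throw "Directory Service Access auditing not enabled: '$($dsAccess.'Inclusion Setting')'"
}

# 4. Read what the subcategory produced (Exercise 2.4 in Event Viewer).
#    4662 = "An operation was performed on an object".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-1)   # assumed lookback window
} -ErrorAction SilentlyContinue

# Flatten the EventData block so who/what/outcome are easy to scan or export.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        ObjectType = $data.ObjectType
        ObjectName = $data.ObjectName
        AccessMask = $data.AccessMask
        Outcome    = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
    }
} | Format-Table -AutoSize
```

Pipe the flattened objects to Export-Csv instead of Format-Table when the log is too large to read in Event Viewer, which is the trade-off the "Overview of Auditing" section warns about.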

Windows Server 2012 R2 Auditing Features

Auditing in Windows Server 2012 R2 and Windows 8 has been enhanced in many ways. Microsoft has increased the level of detail in the security auditing logs. Microsoft has also simplified the deployment and management of auditing policies. The following list includes some of the major enhancements:

Global Object Access Auditing Administrators using Windows Server 2012 R2 and Windows 8 now have the ability to define computer-wide system access control lists (SACLs). Administrators can define SACLs for either the file system or the registry. After the specified SACL is defined, the SACL is then applied automatically to every single object of that type. This can be helpful to administrators in verifying that all critical files, folders, and registry settings on a computer are protected. This is also helpful for identifying when an issue occurs with a system resource.

“Reason for Access” Reporting When an administrator is performing auditing in Windows Server 2012 R2 and Windows 8, they can now see the reason why an operation was successful or unsuccessful. Previously, they lacked the ability to see the reason why an operation succeeded or failed.

Advanced Audit Policy Settings In Windows Server 2012 R2, there are hundreds of Advanced Audit Policy settings that can be used in place of the nine basic auditing settings. These advanced audit settings also help eliminate the unnecessary auditing activities that can make audit logs difficult to manage and decipher.

Expression-Based Audit Policies Administrators have the ability, because of Dynamic Access Control, to create targeted audit policies by using expressions based on user, computer, and resource claims. For example, an administrator has the ability to create an audit policy that tracks all Read and Write operations for files that are considered high-business impact. Expression-based audit policies can be directly created on a file or folder or created through the use of a Group Policy.

Removable Storage Device Auditing Administrators have the ability to monitor attempts to use a removable storage device on the network. If an administrator decides to implement this policy, an audit event is created every time a user attempts to copy, move, or save a network resource onto a removable storage device.

Making Active Directory Objects Available to Users

If you have been reading this book from the start, then this section will be familiar. But if you started this book with only exam 70-411 in mind, then you are about to learn how to make resources available to your users through the use of Active Directory.

With Active Directory, a system administrator can control which objects users can see. The act of making an Active Directory object available is known as publishing. The two main publishable objects are Printer objects and Shared Folder objects.

The general process for creating server shares and shared printers has remained unchanged from previous versions of Windows. You create the various objects (printers or file system folders) and then enable them for sharing.

To make these resources available via Active Directory, however, there’s an additional step; you must publish the resources. Once an object has been published in Active Directory, clients will be able to find it.

When you publish objects in Active Directory, you should know the server name and share name of the resource. This information, however, doesn’t matter to your users. A system administrator can change the resource to which an object points without having to reconfigure or even notify clients. For example, if you move a share from one server to another, all you need to do is update the Shared Folder object’s properties to point to the new location. Active Directory clients still refer to the resource with the same path and name that they used previously.

Exercise 2.5 will walk you through the steps required for sharing and publishing a folder for use on your network.

EXERCISE 2.5: Creating and Publishing a Shared Network Folder

1. Create a new folder in the root directory of your C: partition and name it Test Share.

2. Right-click the Test Share folder and choose Share With ⇒ Specific People.

3. In the File Sharing dialog box, enter the names of users with whom you want to share this folder. In the upper box, enter Everyone and then click Add. Note that Everyone appears in the lower box. Click in the Permission Level column next to Everyone and choose Read/Write from the drop-down menu. Then click Share.

4. You see a message that your folder has been shared. Click Done.

5. Open the Active Directory Users and Computers tool. Expand the current domain and right-click RD OU. Select New ⇒ Shared Folder.

6. In the New Object – Shared Folder dialog box, type Shared Folder Test for the name of the folder. Then type the UNC path to the share (for example, \\serverA\Test Share). Click OK to create the share.

One of the main benefits of having all of your resource information in Active Directory is that you can easily find the information you’re seeking using the Find dialog box. When setting up objects in Active Directory, I recommend that you always enter as much information as possible for the objects you are creating. The extra effort will pay off when your users start doing searches for these objects. The more information you enter, the more that will be available for users to search to find the appropriate resource they need.
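Exercise 2.5 done from PowerShell, as an added example that is not the book's code: it creates the share, publishes it as an Active Directory Shared Folder object (schema class volume, with the UNC path in the uNCName attribute), searches for it the way a client Find does, and then repoints it when the data moves. The server names SERVERA and SERVERB, the domain corp.example.com, and the keywords are assumptions.

```powershell
# Added example, not from the book. Requires the SmbShare and ActiveDirectory
# modules; run as a user who can create objects in the RD OU.

$folder    = 'C:\Test Share'
$shareName = 'Test Share'
$uncPath   = "\\SERVERA\$shareName"                 # assumed file server name
$ouPath    = 'OU=RD,DC=corp,DC=example,DC=com'      # assumed domain and OU

# 1. Create the folder and share it. -ChangeAccess is the Read/Write level
#    chosen for Everyone in step 3 of the exercise.
New-Item -Path $folder -ItemType Directory -Force | Out-Null
New-SmbShare -Name $shareName -Path $folder -ChangeAccess 'Everyone' | Out-Null

# 2. Publish it. A Shared Folder object is class "volume"; uNCName holds the
#    path clients are sent to, and keywords is what Find searches on.
Import-Module ActiveDirectory
New-ADObject -Name 'Shared Folder Test' -Type volume -Path $ouPath `
    -Description 'Test share for the RD group' `
    -OtherAttributes @{ uNCName = $uncPath; keywords = @('test', 'rd') }

# 3. Find published shares by keyword, as a client search would.
Get-ADObject -LDAPFilter '(&(objectClass=volume)(keywords=test))' `
    -Properties uNCName, description |
    Select-Object Name, uNCName, description

# 4. When the data moves to another server, change only the published object;
#    users keep finding it under the same name in Active Directory.
Set-ADObject -Identity "CN=Shared Folder Test,$ouPath" `
    -Replace @{ uNCName = '\\SERVERB\Test Share' }     # assumed new location
```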

Configuring Offline Folders

If you have been in this industry long enough, you have seen a major change in end-user computers. Years ago, only a few select users had laptops. They were big and bulky, and they weighed almost as much as today’s desktop computers.

The pendulum has swung in the opposite direction. It probably seems like every one of your end users now has a laptop. As an IT administrator, this gives you a whole new set of challenges and problems to address. One challenge that you have to address is how users can work on files while outside of the office. If you have a user who wants to work at home, how do you give them the files they need to get their work done? The answer is offline folders. These folders contain data that can be worked on by users while outside the office. An IT administrator can set up offline folders through the use of Group Policy objects (GPOs).

When you decide to make folders available for offline use, these folders need to synchronize with the laptops so that all of the data matches between both systems. As an administrator, one decision that you will need to make is when the offline folders will be synchronized.

You can set up any combination of these three synchronization options in the GPO:

§ When you select Synchronize All Offline Files Before Logging Off, offline folders are synchronized when the user logs off the network.

§ When you select Synchronize All Offline Files When Logging On, offline folders are synchronized when the user logs on to the network.

§ When you select Synchronize Offline Files Before Suspend, offline folders are synchronized before the user does a system suspend.

In Exercise 2.6, you will configure offline folder options by using a GPO. This exercise uses the Group Policy Management Console (GPMC). If your GPMC is not installed, use the Server Manager MMC (under Features) to install it.

EXERCISE 2.6: Configuring Offline Folder Options

1. Open the Group Policy Management Console.

2. In the left pane, expand your forest and then your domain. Under your domain name, there should be a default domain policy.

3. Right-click the default domain policy and choose Edit.

4. In the User Configuration section, expand Policies ⇒ Administrative Templates ⇒ Network and then click Offline Files.

5. Right-click Synchronize All Offline Files Before Logging Off and choose Edit. The GPO setting dialog box appears. Choose the Enabled option and click OK.

6. Right-click Synchronize All Offline Files When Logging On and choose Edit. The GPO setting dialog box appears. Choose the Enabled option and click OK.

7. Right-click Synchronize Offline Files Before Suspend and choose Edit. The GPO setting dialog box appears. Choose the Enabled option. In the Action drop-down box, make sure Quick is selected. Click OK.

8. Close the GPMC.

Now that you have set up a GPO for synchronization, it’s time to share a folder for offline usage. In Exercise 2.7, you will set up a folder for offline access. You must complete Exercise 2.5 before doing this exercise.

EXERCISE 2.7: Configuring a Shared Network Folder for Offline Access

1. Right-click the Test Share folder you created in Exercise 2.5 and choose Properties.

2. Click the Sharing tab and then click the Advanced Sharing button.

3. When the Advanced Sharing dialog box appears, click the Caching button.

4. When the Offline Settings dialog box appears, choose the All Files And Programs That Users Open From The Shares Will Be Automatically Available Offline option. Click OK.

5. Click OK twice more to close the Properties dialog box.
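The settings from Exercises 2.6 and 2.7 applied with the GroupPolicy and SmbShare cmdlets, as an added example that is not the book's code. The Offline Files policies are written to HKCU\Software\Policies\Microsoft\Windows\NetCache in the Default Domain Policy; the value names and the SyncAtSuspend data (0 assumed to mean Quick) are assumptions to confirm against the Group Policy editor on your system.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (installed
# with the GPMC) and the SmbShare module; run on a domain-joined admin machine.

Import-Module GroupPolicy
$gpo = 'Default Domain Policy'
$key = 'HKCU\Software\Policies\Microsoft\Windows\NetCache'   # assumed policy key

# Exercise 2.6: the three synchronization options, all Enabled.
$settings = [ordered]@{
    SyncAtLogoff  = 1   # Synchronize All Offline Files Before Logging Off
    SyncAtLogon   = 1   # Synchronize All Offline Files When Logging On
    SyncAtSuspend = 0   # Synchronize Offline Files Before Suspend, Action = Quick (0 assumed)
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpo -Key $key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Verify what the GPO now carries before clients pick it up.
Get-GPRegistryValue -Name $gpo -Key $key | Select-Object ValueName, Type, Value

# Exercise 2.7: make the share from Exercise 2.5 automatically available
# offline. CachingMode Documents is "All files and programs that users open
# from the share will be automatically available offline"; Programs is the
# same option with "Optimize for performance" ticked.
Set-SmbShare -Name 'Test Share' -CachingMode Documents -Force
Get-SmbShare -Name 'Test Share' | Select-Object Name, Path, CachingMode
```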

Summary

This chapter took you through the use of many server tools and utilities such as DFS, BitLocker, and auditing. Distributed File System allows an administrator to set up a tree structure of virtual directories that allow users to connect to a shared folder anywhere throughout the entire network. You also looked at the new changes that have taken place with DFS in Windows Server 2012 R2.

You also learned about EFS and how to use Cipher to modify or configure EFS in a command window. Cipher is the best way to change encrypted directories and files.

This chapter also covered auditing. You looked at what needs to be audited if you are watching Active Directory and its objects. You looked at Auditpol and many of the switches that you would use when configuring Auditpol.

Finally, you learned how to publish share folders to Active Directory. By doing this, your users can search Active Directory to find resources they are looking for.

Exam Essentials

Know How to Configure DFS Distributed File System in Windows Server 2012 R2 offers a simplified way for users to access geographically dispersed files. The DFS Namespace service allows you to set up a tree structure of virtual directories that lets users connect to shared folders throughout the entire network.

Understand EFS and Cipher Users can encrypt their directories and files by using EFS. Understand how Cipher can help an administrator configure or modify an EFS object while in the command prompt.

Understand the Purpose and Function of Auditing Auditing helps determine the cause of security violations and helps troubleshoot permissions-related problems.

Review Questions

1. The company for which you work has a multilevel administrative team that is segmented by departments and locations. There are four major locations, and you are in the Northeast group. You have been assigned to the administrative group that is responsible for creating and maintaining network shares for files and printers in your region. The last place you worked was a large Windows Server 2008 network, where you had a much wider range of responsibilities. You are excited about the chance to learn more about Windows Server 2012 R2.

For your first task, you have been given a list of file and printer shares that need to be created for the users in your region. You ask how to create them in Windows Server 2012 R2, and you are told that the process of creating a share is the same as with Windows Server 2008. You create the shares and use NET USE to test them. Everything appears to work fine, so you send a message that the shares are available. The next day, you start receiving calls from users who say they cannot see any of the resources you created. What is the most likely reason for the calls from the users?

A. You forgot to enable NetBIOS for the shares.

B. You need to force replication for the shares to appear in the directory.

C. You need to publish the shares in the directory.

D. The shares will appear within the normal replication period.

2. You want to publish a printer to Active Directory. Where would you click in order to accomplish this task?

A. The Sharing tab

B. The Advanced tab

C. The Device Settings tab

D. The Printing Preferences button

3. Isabel is a system administrator for an Active Directory environment that is running in Native mode. Recently, several managers have reported suspicions about user activities and have asked her to increase security in the environment. Specifically, the requirements are as follows:

§ The accessing of certain sensitive files must be logged.

§ Modifications to certain sensitive files must be logged.

§ System administrators must be able to provide information about which users accessed sensitive files and when they were accessed.

§ All logon attempts for specific shared machines must be recorded.

Which of the following steps should Isabel take to meet these requirements? (Choose all that apply.)

A. Enable auditing with the Computer Management tool.

B. Enable auditing with the Active Directory Users and Computers tool.

C. Enable auditing with the Active Directory Domains and Trusts tool.

D. Enable auditing with the Event Viewer tool.

E. View the audit log using the Event Viewer tool.

F. View auditing information using the Computer Management tool.

G. Enable failure and success auditing settings for specific files stored on NTFS volumes.

H. Enable failure and success auditing settings for logon events on specific computer accounts.

4. You are the network administrator for a midsize coffee bean distributor. Your company’s network has four Windows 2012 servers, and all of the clients are running either Windows 8 or Windows 7. Most of your end users use laptops to do their work, and many of them work away from the office. What should you configure to help them work on documents when away from the office?

A. Online file access

B. Offline file access

C. Share permissions

D. NTFS permissions

5. Your company has decided to implement an external hard drive. The company IT manager before you always used FAT32 as the system partition. Your company wants to know whether it should move to NTFS. Which of the following are some advantages of NTFS? (Choose all that apply.)

A. Security

B. Quotas

C. Compression

D. Encryption

6. You are the administrator for a large organization that uses Windows Server 2012 R2. You have been asked by your manager to help protect his folders on his Windows 7 NTFS machine. Your manager wants to make sure he is the only person who can open his files. How do you protect his files?

A. Use EFS.

B. Use CDMA.

C. Use FAT32 Security.

D. Use the Convert:FAT32/Encrypt command.

7. You are the administrator of your network, which consists of two Windows Server 2012 R2 systems. One of the servers is a domain controller, and the other server is a file server for data storage. The hard drive of the file server is starting to fill up. You do not have the ability to install another hard drive, so you decide to limit the amount of space everyone gets on the hard drive. What do you need to implement to solve your problem?

A. Disk spacing

B. Disk quotas

C. Disk hardening

D. Disk limitations

8. You are the administrator for a large communications company. Your company uses Windows Server 2012 R2, and your users’ files are encrypted using EFS. What command-line command would you use to change or modify the EFS files?

A. Convert

B. Cipher

C. Gopher

D. Encrypt

9. You are the administrator for a large organization. You have multiple Windows Server 2012 R2 systems that all contain files that need to be shared for all users. The files and folders constantly move among servers, and users are having a hard time finding files they need. What can you implement to help your users out?

A. Encrypting File System (EFS)

B. Distributed File System (DFS)

C. Shared File System (SFS)

D. Published File System (PFS)

10. You have been hired by a small company to implement new Windows Server 2012 R2 systems. The company wants you to set up a server for users’ home folder locations. What type of server would you be setting up?

A. PDC server

B. Web server

C. Exchange server

D. File server