Backing Up Certificates with Private Keys

In this exercise, we'll use the Certificates snap-in in the MMC to export a certificate with private keys to a floppy disk. You'll also see how to remove private keys during the export process, if desired.

1. Click Start | Run, type mmc in the Open text box, and then click OK.

2. In the MMC, click File | Add/Remove Snap-in. Then, in the Add/Remove Snap-in dialog, click Add.

3. In the Add Standalone Snap-in dialog, scroll down to locate Certificates. Select Certificates and then click Add.

4. In the Certificates Snap-in dialog, select My User Account (selected by default) and then click Finish.

5. Click Close to close the Add Standalone Snap-in dialog. Then, click OK to close the Add/Remove Snap-in dialog and return to the MMC.

6. Click the + to the left of Certificates - Current User to expand the node. Click the + to expand the Personal node beneath. Click Certificates to select this node.

7. Click the certificate that displays the words File Recovery, as shown in Figure 9.37.

8. Right-click the certificate, select All Tasks, and then select Export. (Notice that you can also request and renew certificates here.)

Figure 9.37 Key Backup from Microsoft Management Console

[Figure 9.37 shows the MMC console tree with Certificates - Current User expanded. Under Personal, the Certificates node lists the user's certificates in the columns Issued To, Issued By, Expiration Date, Intended Purposes, and Friendly Name. The other stores visible beneath Certificates - Current User are Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, Active Directory User Object, Trusted Publishers, Untrusted Certificates, Third-Party Root Certification Authorities, Trusted People, Other People, and Certificate Enrollment Requests.]

9. The Certificate Export Wizard is launched; click Next.

10. In the Export Private Key dialog, you can export the certificate with or without the private key. The private key is password protected, so if you select this option, you'll be prompted for a password in a subsequent screen. Select whichever option you want to use (in this example, we've selected Yes, export the private key) and then click Next.

11. The next screen, Export File Format, provides several options. If you selected No in the previous screen, only the certificate-only formats are enabled, as shown in Figure 9.38. If you selected Yes, only the PKCS #12 (.PFX) format and its options are enabled, as shown in Figure 9.39.

Figure 9.38 Export File Format for Certificate Only (Excludes Private Key)

[Figure 9.38 shows the Export File Format page of the Certificate Export Wizard with the certificate-only formats enabled: DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), and Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) with its "Include all certificates in the certification path if possible" check box. The Personal Information Exchange - PKCS #12 (.PFX) option and its three check boxes ("Include all certificates in the certification path if possible", "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)", and "Delete the private key if the export is successful") are disabled.]

Figure 9.39 Export File Format Including Private Key with Certificate

[Figure 9.39 shows the same Export File Format page after choosing to export the private key. The .CER and .P7B formats are disabled; Personal Information Exchange - PKCS #12 (.PFX) is selected, with its check boxes "Include all certificates in the certification path if possible", "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" (checked), and "Delete the private key if the export is successful" available.]

12. If there is more than one certificate in the certification path (the issuing CA chain) and you want to export all of them, select the check box labeled Include all certificates in the certification path if possible.

13. The second check box in this section (shown in Figure 9.39), Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above), is selected by default. Leave it selected unless the file must be imported on Windows NT 4.0 before SP4 or an earlier version, which cannot use strong protection.

14. The third check box, Delete the private key if the export is successful, removes the private key from the local store once the export has completed; it is never deleted if the export fails. Alternately, you can leave this cleared and delete the key manually after you have verified that the exported file is readable. Click Next to proceed.

15. The next screen requires a password if you chose to export the certificate with the private key. Enter your password twice and then click Next.

16. The next screen, File to Export, asks you to specify the file name or to Browse to a location to which you want to export. Often, this location is a floppy disk or other removable media. Click Browse and locate the removable media to which you want to export the certificate. (For this exercise, we called the file back-updra and exported to the local drive.) Click Next to continue.

17. The final screen in the wizard is the Completing the Certificate Export Wizard screen shown in Figure 9.40. This screen verifies the selections you've made and gives you the opportunity to make modifications if any of the settings are not as you want. To make modifications, click Back. If all settings meet your requirements, click Finish.

Figure 9.40 Certificate Export Wizard Successful Completion

18. If the export is successful, you'll get a notification dialog, shown in Figure 9.41. This indicates the file was successfully exported to the location you specified with the settings you selected. If you selected the option to Delete the private key if the export is successful, your private key has also been deleted. The wizard will close and you'll return to the MMC.

Figure 9.41 Export Successful Notice

Importing a certificate follows the same pattern. In the MMC Certificates snap-in, select Personal | Certificates, right-click Certificates (or select Certificates and then click Action on the menu), select All Tasks | Import, and follow the instructions in the Certificate Import Wizard; for a .PFX file you will be prompted for the password set during export.
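The same backup, done from the command line rather than the wizard, as an added example that is not part of the book's exercise. It assumes a current Windows with the PKI module (Windows 8 / Windows Server 2012 or later, not the Windows Server 2003 the book targets), that the recovery agent certificate in the user's Personal store carries the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1), and that the output folder and file names are placeholders you would point at removable media. It performs the wizard's "Yes, export the private key" path, the certificate-only path, and the verification the wizard leaves to you before you consider deleting the local key.

```powershell
# Added example, not from the book: back up the EFS file-recovery certificate from
# Cert:\CurrentUser\My to a password-protected PFX (with private key) and a DER .CER
# (without), then verify the PFX before anything is deleted. Run as the user who owns
# the certificate. Assumptions: PKI module present; paths and names are placeholders.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage
$OutDir          = 'E:\efs-backup'              # assumed removable media, like the floppy in the text
$PfxPath         = Join-Path $OutDir 'dra-backup.pfx'
$CerPath         = Join-Path $OutDir 'dra-backup.cer'

# Step 7 equivalent: pick the certificate whose EKU list contains File Recovery and
# which actually has a private key on this machine (otherwise there is nothing to back up).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid } |
    Select-Object -First 1
if (-not $cert) { throw 'No File Recovery certificate with a private key was found.' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Steps 10 and 15: export the private key, protected by a password. Prompting keeps the
# password out of the script and out of the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# PKCS #12 export including the private key (the Figure 9.39 path).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# DER-encoded certificate only (the Figure 9.38 path); this file contains no secret.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Verify the backup by reloading it: it must open with the password, carry a private key,
# and be the same certificate (same thumbprint). Only then is deleting the local key safe.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $pfxPassword, $flags)
if (-not $reloaded.HasPrivateKey -or $reloaded.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported PFX does not contain the expected private key; keep the original.'
}
"Backed up $($cert.Subject) ($($cert.Thumbprint)) to $PfxPath and $CerPath"

# Optional, equivalent to "Delete the private key if the export is successful":
# removing the certificate with -DeleteKey also destroys its key container.
# Remove-Item -Path $cert.PSPath -DeleteKey
```

Treat the .pfx like the key it contains: store the media offline, and keep the .cer separately, since that is the only part you ever need to hand to another administrator or publish in policy.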

Printing Encrypted Files

One of the places security can be weak is in the area of printing. When a file is encrypted with EFS, it is automatically and transparently decrypted and displayed on the user's monitor. That file can then be printed to a local or network printer. If the data is particularly sensitive, this can create a security hole. If your users will require the ability to print sensitive documents that are stored in an encrypted state, you should consider setting up a more secure printing environment.

When a user uses the Print function, the document is copied into a spool (.spl) file that resides on the local print provider (local computer or print server). By default, these spool files are stored in the following location:

%SystemRoot%\System32\Spool\Printers

By default (and by design), that folder is unencrypted. This makes sense because you don't necessarily need every single print spool file to be encrypted, just those for sensitive documents. If you were to encrypt this folder, the process of encrypting and decrypting spool files would slow the printing process significantly and unnecessarily.

Instead, create a separate printer to be used for encrypted files. This defined printer ideally should be a local printer that is not shared to avoid the all-too-common "print and sprint" problem where users print to a shared printer and sprint down the hall to grab the document before someone sees the sensitive information. The defined printer can use the same hardware (same actual printer) as the regular printer, but the definition of this secure printer will be slightly different.

Once you've used the Add a Printer Wizard and added the appropriate printer and associated driver, right-click the printer and select Properties. You can click the Advanced tab and select the Print directly to the printer option button, as shown in Figure 9.42. You'll notice that most of the other options are disabled when you make this selection. By sending print jobs directly to the printer, a spool file is not created. This is one way you can improve security when printing EFS protected files. The downside to this method is that print jobs cannot be prioritized or scheduled.

Figure 9.42 Create Secure Printer

[Figure 9.42 shows the Advanced tab of the printer's Properties dialog (tabs: General, Sharing, Ports, Advanced, Security, Device Settings). It offers Always available or Available from a time range, Priority, the Driver selection with a New Driver button, and the two spooling choices: "Spool print documents so program finishes printing faster" (with "Start printing after last page is spooled" and "Start printing immediately") or "Print directly to the printer". Below are the check boxes "Hold mismatched documents", "Print spooled documents first", "Keep printed documents", and "Enable advanced printing features", plus the Printing Defaults, Print Processor, and Separator Page buttons.]

Alternately, you can create an encrypted folder and direct the print spool function for that printer to this encrypted folder. The result will be that all files spooled from the designated secure printer will be encrypted until printed. By default, spooled files are deleted after the print job is complete, so the temporary file is encrypted while it exists and then deleted. Make sure the Keep printed documents option on the Advanced tab (Figure 9.42) stays cleared for this printer; otherwise the spool files are retained after printing.

To change the location of the spool folder for a specific printer, you must use the Registry Editor. As you know, editing the Registry directly can cause serious and unexpected consequences that render your system unstable or unusable. Be sure to update your Automated System Recovery set prior to making changes to the Registry. Assuming you've taken appropriate safeguards, you can change the location of the print spool folder for a specific printer by taking the following steps:

1. Create a spool folder on the local computer.

2. Launch the Registry Editor by clicking Start | Run and then type regedt32 in the Open: text box. Click OK.

3. Locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printername>

4. Locate the SpoolDirectory, which has a data type of REG_SZ. This is shown in Figure 9.43.

Figure 9.43 SpoolDirectory in Registry

5. Double-click SpoolDirectory or right-click and choose Modify.

6. Change the Value data to the full path of the new folder. For example, the path might be c:\windows\secureprintspool.

7. Close the Registry Editor and reboot (or restart the Print Spooler service) for the change to take effect; the spooler reads SpoolDirectory when it starts.

8. The printer named in the Registry key should now send spool files to the desired folder.

9. Locate the new spool folder and enable encryption on the folder by right-clicking the folder, clicking the Advanced button, and selecting Encrypt contents to secure data. Click OK to close the Advanced Attributes dialog, and click OK to close the print spool folder Properties dialog.

It's important to note that if you forget to create the new secure spool folder and you specify a path in the Registry SpoolDirectory entry for the specified printer, the files will spool to the default spool folder, which will not be encrypted and will not protect files during the print process. Also note that you can make changes to the location of the printer spool folder for all printers via the Server properties in Printers and Faxes Properties (on the Advanced tab of the Print Server Properties). This will affect all printers unless you have specifically created a new spool folder via the Registry, as we just did.
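The per-printer spool redirection above, scripted end to end, as an added example that is not part of the book. It assumes an elevated PowerShell 5.1 or later session on a current Windows (the book's steps use regedt32 on Windows Server 2003), a printer already installed under the placeholder name SecurePrinter, and an arbitrary folder path. It does the steps in the order that matters for security: the folder exists and is encrypted before the Registry points at it, so the first job cannot fall back to the cleartext default, and it finishes with the checks the text describes (SpoolDirectory set, folder encrypted, Keep printed documents off, printer not shared).

```powershell
# Added example, not from the book: give one printer its own EFS-encrypted spool folder.
# Run from an elevated prompt. Assumptions: printer "SecurePrinter" exists (placeholder),
# $SpoolDir is arbitrary, and the Print Spooler service can be restarted now.

$PrinterName = 'SecurePrinter'
$SpoolDir    = 'C:\Windows\SecurePrintSpool'
$RegKey      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\$PrinterName"

if (-not (Test-Path $RegKey)) { throw "Printer '$PrinterName' is not installed." }

# Step 1: the folder must exist before SpoolDirectory references it; a missing path
# silently sends jobs to the default, unencrypted spool folder (see the note above).
New-Item -ItemType Directory -Path $SpoolDir -Force | Out-Null

# Step 9, done early: mark the directory encrypted so every spool file created in it
# inherits the attribute. cipher.exe /e on a directory sets exactly that flag.
cipher.exe /e $SpoolDir | Out-Null
$attrs = (Get-Item $SpoolDir).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$SpoolDir is not encrypted; not redirecting spooling to a cleartext folder."
}

# Steps 3 to 6: SpoolDirectory is a REG_SZ under the printer's key.
Set-ItemProperty -Path $RegKey -Name SpoolDirectory -Value $SpoolDir -Type String

# Step 7: the spooler reads SpoolDirectory at startup, so restart it instead of rebooting.
Restart-Service -Name Spooler

# Step 8 and the Figure 9.42 caveats: report what a reviewer would want to see.
$printer = Get-Printer -Name $PrinterName
[pscustomobject]@{
    Printer         = $PrinterName
    SpoolDirectory  = (Get-ItemProperty -Path $RegKey -Name SpoolDirectory).SpoolDirectory
    FolderEncrypted = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
    KeepPrintedJobs = $printer.KeepPrintedJobs   # must be False, or spool files are retained
    Shared          = $printer.Shared            # False avoids the "print and sprint" problem
}
```

One point the text does not spell out: the spool files are written by the Print Spooler service, not by the user who printed, so they are encrypted under that service account's EFS key (plus any data recovery agent), which is what keeps other users from reading them while they sit in the folder.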

By specifying a separate print spool folder, encrypting it, and sending secure documents to the secure printer, you can ensure that sensitive files that are encrypted by EFS will be secured during the printing process. Of course, securing the paper copy of the document is another challenge that's outside the scope of this chapter and often outside the control of the IT department.

Disabling EFS

You can disable EFS for a computer or for the entire domain via the EFS policy just discussed. If you want to disable it for the local computer, verify that Local Computer is selected as the GPO (steps 4 and 9 in the preceding exercise). If you want to disable it for the domain, select the domain as the GPO and clear the check box (again, steps 4 and 9).

You can also disable EFS via the Registry. As a rule, make changes through the user interface rather than by editing the Registry directly; incorrectly editing the Registry, as you know, can make a system unusable. As a best practice, update your Automated System Recovery (ASR) floppy disk before modifying the Registry.

However, if you choose this method, you can use these steps to modify the Registry to disable EFS on the local computer.

1. Click Start | Run, type regedt32, and then click OK.

2. Locate the following Registry key by expanding the nodes in the left pane:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

3. With the EFS node selected, click Edit on the menu, select New, and then select DWORD Value.

4. Type EfsConfiguration in the Value name box and then press Enter.

5. Double-click the EfsConfiguration value you just created and type the number 1 in the Value data box (1 disables EFS; 0 re-enables it).

6. Click OK to accept the change, and then close the Registry Editor by selecting File | Exit. Restart the computer for the change to take effect.
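The same change scripted, with a check the text does not include, as an added example that is not part of the book. It assumes an elevated PowerShell 5.1 or later session on a current Windows, where the EfsConfiguration value is still honored, and that the scratch file path is arbitrary. Because the value is read when the EFS driver starts, the probe function is meant to be run after the reboot; a probe that still succeeds before the reboot tells you nothing.

```powershell
# Added example, not from the book: disable EFS on the local computer through the
# EfsConfiguration DWORD and provide a probe that proves the setting took effect.
# Run elevated. Assumption: the probe path under $env:TEMP is arbitrary.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Disable-Efs {
    # Steps 2 to 6: create or overwrite the DWORD. 1 = EFS disabled, 0 = EFS enabled.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value 1 -Type DWord
    (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration).EfsConfiguration
}

function Test-EfsEnabled {
    # Tries to encrypt a scratch file. Returns $true if EFS is working and $false if the
    # OS refuses, which is what you expect after the reboot that follows Disable-Efs.
    $probe = Join-Path $env:TEMP 'efs-probe.txt'
    Set-Content -Path $probe -Value 'probe'
    try {
        [System.IO.File]::Encrypt($probe)
        [System.IO.File]::Decrypt($probe)
        return $true
    } catch {
        Write-Verbose "Encrypt failed: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    }
}

# Usage: set the value now, reboot, then confirm.
"EfsConfiguration is now $(Disable-Efs); restart the computer, then run Test-EfsEnabled."
# After the reboot:
#   Test-EfsEnabled   # expected: False
# To re-enable, set the value back to 0 (or remove it) and reboot again.
```

The supported way to disable EFS remains the EFS policy in the GPO described above; use the Registry value only where no policy applies, and record it, since a later administrator looking only at Group Policy will not see why encryption fails.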

Third-Party Encryption Options

You can use a third-party data encryption program, and within Windows Server 2003, you can use third-party certificates with EFS. There are numerous third-party data encryption software programs on the market that can be used instead of EFS. There are pros and cons to implementing third-party software, which you'll need to evaluate for your organization. For example, EFS works fine in a native Windows environment, but if you have a network of mixed operating systems, you might run into interoperability issues. There are operating system-independent solutions available as well, and these might make sense if you are running a mixed network. However, many third-party options rely on a password as the sole secret, including for recovery, which makes them only as strong as that password and exposes them to guessing attacks. EFS ties file access to the user's key pair and certificate (the private key itself is protected by the user's logon credentials) and provides recovery through designated recovery agents rather than a shared password. Many third-party options also require user intervention: the user must take an action to cause a file to be encrypted or decrypted. This creates a security hole when users don't want to take the time or don't understand exactly how to encrypt/decrypt files. If you choose to implement a third-party solution, you might use the option in Windows Server 2003 to disable EFS to avoid conflicts.

The benefits of using EFS in a Windows environment are that it is fully integrated into the operating system and can rely on the security structure already in place. It uses keys and certificates to keep data safe, which is a more secure solution than relying on passwords. It is also completely transparent to the user once an encrypted folder has been set up. The user simply opens, edits, and closes the file, and the encryption/decryption is handled automatically.

Although you can implement third-party solutions, make sure you've thoroughly researched the cost, the impact on users, and the relative security of the solution and compared it to the features of EFS.

Third-Party Certificates

Once EFS chooses a certificate, it cannot be changed via the user interface but can be changed in the Registry. Moreover, EFS does not automatically switch certificates if another one becomes available. Such would be the case when EFS uses a self-signed certificate and later is able to connect to a CA. If you want to use a third-party certificate, you can install it via the Certificates snap-in in the MMC. The specified certificate can be used for a user account, service account, or computer account. Once the account is specified in the Certificates snap-in, you can import a third-party certificate.
