    70-411 Administering Windows Server 2012

    LAB 6




    Exercise 6.1 Encrypting Files with EFS

    Exercise 6.2 Configuring the EFS Recovery Agent

    Exercise 6.3 Backing Up and Restoring EFS Certificates

    Exercise 6.4 Encrypting a Volume with BitLocker

    Lab Challenge Configuring Network Unlock


    The lab environment consists of student workstations connected to a local area

    network, along with a server that functions as the domain controller for a domain

    called The computers required for this lab are listed in Table 6-1.

    Table 6-1 Computers Required for Lab 6

    Computer         Operating System       Computer Name

    Server (VM 1)    Windows Server 2012    RWDC01

    Server (VM 2)    Windows Server 2012    Server01

    In addition to the computers, you also require the software listed in Table 6-2 to complete Lab 6.

    Table 6-2 Software Required for Lab 6

    Software                   Location

    Lab 6 student worksheet    Lab06_worksheet.rtf (provided by instructor)

    Working with Lab Worksheets

    Each lab in this manual requires that you answer questions, take screen shots, and perform other activities that you will document in a worksheet named for the lab, such as Lab06_worksheet.rtf. You will find these worksheets on the book companion site. It is recommended that you use a USB flash drive to store your worksheets, so you can submit them to your instructor for review. As you perform the exercises in each lab, open the appropriate worksheet file using WordPad, fill in the required information, and save the file to your flash drive.

    After completing this lab, you will be able to:

    Encrypt files with EFS

    Configure EFS Recovery Agent

    Back up and restore EFS certificates

    Encrypt a volume with BitLocker

    Estimated lab time: 5 minutes

    Exercise 6.1 Encrypting Files with EFS

    Overview  For files that are extremely sensitive, you can use EFS to encrypt the files. During this exercise, you encrypt a file using Encrypting File System (EFS), which is a built-in feature of NTFS.

    Completion time 20 minutes

    Mindset Question: You have several sales people who have sensitive material on their computer. If their laptops are stolen, the stolen information could put the company at great risk. How can you protect the important data documents?

    Encrypting Files with EFS

    1. Log in to Server01 as the Contoso\Administrator user account. The Server Manager console opens.

    2. On Server01, create a C:\Data folder.

    3. Create a text file in the C:\Data folder called test.txt. Type your name in the file, close the file, then click Save to save the changes.

    4. Right-click the C:\Data folder, and then click Properties. The Properties dialog box opens.

    5. On the General tab, click Advanced. The Advanced Attributes dialog box appears as shown in Figure 6-1.

    Figure 6-1 Configuring advanced attributes

    6. Click to select Encrypt contents to secure data. Click OK to close the Advanced Attributes dialog box.

    7. Click OK to close the Properties dialog box.

    8. When Windows asks you to confirm the changes, click OK.


    What color is the C:\Data folder?



    Is the test.txt file in the C:\Data folder also encrypted?


    9. Right-click the C:\Data folder and click Properties. The Properties dialog box

    10. Under the General tab, click Advanced. The Advanced Attributes dialog box

    11. Clear the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.

    12. Click OK to close the Properties dialog box.

    13. When it asks to confirm attribute changes, click OK.

    14. From Server01, log off as administrator.

    Sharing Files Protected with EFS with Other Users

    1. Log into RWDC01 as contoso\administrator. Server Manager starts. Open the Tools menu and click Active Directory Users and Computers. The Active Directory Users and Computers console opens.

    2. Right-click the Users node, click New, then click User.

    3. Create a new user with the following parameters:

    First Name: User1

    User logon name: User1

    Click Next.

    4. For the Password and Confirm password text boxes, type Password01. Click to select Password never expires. When an Active Directory Domain Services dialog box appears, click OK. Click Next.

    5. When the user is ready to be created, click Finish.

    6. Under the Users node, double-click User1. The User1 Properties dialog box

    7. Click the Member Of tab.

    8. Click the Add button. When the Select Groups dialog box opens, type domain admins and click OK.

    9. Click OK to close the User1 Properties dialog box.

    10. On Server01, log in as contoso\User1 with the password of Password01.

    11. Open the C:\Data folder, right-click the test.txt file and click Properties.

    12. On the General tab, click Advanced. The Advanced Attributes dialog box opens.

    13. Click Encrypt contents to secure data. Click OK to close the Advanced Attributes dialog box. Click OK to close the test Properties dialog box.

    14. When it asks if you want to encrypt the file and its parent folder, click OK.

    15. If an Access Denied message appears, click Ignore, click Continue, click OK, and click Ignore. Click OK. If an Access Denied message appears again, click Ignore All. When you are done, the test.txt file should be green.

    16. On Server01, log out as User1 and log in as Contoso\Administrator.

    17. Open the C:\Data folder.

    18. Double-click to open the Test.txt file.


    What error message did you get?

     Access is denied.

    19. Click OK to close the message, and then close Notepad.

    20. Right-click the test.txt file and click Properties.

    21. Click the Security tab.


    What permissions does Administrator have?

    Full control, modify, read & execute, read, and write.

    Why was the contoso\administrator not able to open the file?

    Because it requires special permissions.

    22. Go back to the General tab, click the Advanced button, clear the Encrypt check box, and then click OK.

    23. Click OK to close the test Properties dialog box. When prompted for administrator permissions, click Continue. After the Access Denied dialog is displayed, click Cancel to close it.


    Were you able to decrypt the file?


    24. On Server01, log off as Administrator and log on as User1.

    25. Open the C:\Data folder.

    26. Right-click the test.txt file and click Properties. The Properties dialog box opens.

    27. Click the Advanced button to open the Advanced Attributes dialog box.

    28. Click to deselect the Encrypt contents to secure data check box, and click OK.

    29. Click OK to close the Properties dialog box. When it asks you to provide administrator permission to change these attributes, click Continue.

    30. Log off as User1 and log on as contoso\administrator.

    31. Open the C:\Data folder.

    32. Right-click the test.txt file and click Properties.

    33. Click the Advanced button to open the Advanced Attributes dialog box.

    34. Click to select the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box.

    35. Click OK to close the Properties dialog box. When it asks to apply to the folder and its contents, click OK.

    36. Right-click the test.txt file and click Properties. Click the Advanced button to open the Advanced Attributes dialog box.

    37. Click the Details button. The User Access to test.txt dialog box opens as shown in Figure 6-2.

    Figure 6-2 Certificate details for test.txt file

    38. Click the Add button. When the Encrypting File System dialog box opens (as shown in Figure 6-3), click User1 and click View Certificate.

    Figure 6-3 EFS certificates for test.txt

    39. When the Certificate dialog box opens, click the Details tab.


    What is the Certificate used for? Hint: Look at the Enhanced Key Usage field.

    40. Click OK to close the Certificates dialog box.

    41. Click OK to close the Encrypting File System dialog box.


    Looking at the User Access to test.txt dialog box, who has a Recovery Certificate?

    42. Take a screen shot of the User Access dialog box by pressing Alt

    ; Yes

    46. Close the test.txt file.

    47. On Server01, sign out as User1.
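
    The encrypt-and-check sequence of this exercise can also be run from PowerShell with the built-in cipher.exe tool. This is an added example, not part of the original lab manual; Get-EfsReadState is a hypothetical helper name, and the paths are the ones used in the exercise.

```powershell
# Added example (not from the lab manual): Exercise 6.1 from a PowerShell prompt.
# Run on Server01 as the account that should own the encrypted file.
$folder = 'C:\Data'                      # folder used in the exercise
$file   = Join-Path $folder 'test.txt'   # file used in the exercise

New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value $env:USERNAME

# Same effect as selecting "Encrypt contents to secure data" and applying it
# to the folder and its contents.
cipher.exe /e "/s:$folder" | Out-Null

# Get-EfsReadState (hypothetical helper) reports whether the EFS attribute is
# set and whether the *current* account can actually read the plaintext.
function Get-EfsReadState {
    param([Parameter(Mandatory)][string]$Path)

    $item      = Get-Item -LiteralPath $Path -Force
    $encrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
    try {
        [void][IO.File]::ReadAllBytes($item.FullName)
        $readable = $true;  $reason = $null
    } catch {
        # An account without a matching EFS private key lands here with
        # "Access is denied", even when its NTFS permissions are Full control.
        $readable = $false; $reason = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]@{
        Path      = $item.FullName
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Encrypted = $encrypted
        Readable  = $readable
        Reason    = $reason
    }
}

Get-EfsReadState -Path $file | Format-List

# Command-line view of the User Access dialog box: lists the users who can
# decrypt the file and any recovery certificates attached to it.
cipher.exe /c $file
```

    Run Get-EfsReadState once as the account that encrypted the file and once as another account to compare the Readable value.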

    End of exercise. You can leave the windows open for the next exercise.

    Exercise 6.2 Configuring the EFS Recovery Agent

    Overview  During this exercise, you configure EFS Recovery Agents so that you can recover EFS encrypted files although the agent is not the owner of the file.

    Completion time 15 minutes

    Mindset Question:

    When it asks you to add additional features for any of these features, click Add


    10. Back on the Select role services page, click Next.

    11. On the Web Server Role (IIS) page, click Next.

    12. On the Select role services page, click Next.

    13. On the Confirm installation selections page, click Install.

    14. When the Certificate Authority is installed, click Close.

    15. On Server Manager, click the Exclamation Point in a yellow triangle and then click Configure Active Directory Certificate Services.

    16. On the Credentials page, click Next.

    17. On the Role Services page, click Certification Authority, as shown in Figure 6-4. Click Next.

    Figure 6-4 Configuring the Certification Authority

    18. When it asks what setup type of CA you should install, click Next.

    19. When it asks for the CA type (as shown in Figure 6-5), click Next.

    Figure 6-5 Specifying the type of CA

    20. On the Specify the type of the private key page, click Next.

    21. On the Specify the Cryptography for CA page, click Next.

    22. On the Specify the name of the CA page, click Next.

    23. For the Validity Period, click Next.

    24. On the CA database page, click Next.

    25. On the Confirmation page, click Configure.

    26. When the CA is configured, take a screen shot of the CA is configured by pressing Alt

    27. Click Close.

    28. If it asks to configure additional role services, click No.

    Configuring the EFS Reco

    Figure 6-6 Opening the GPO public key policies

    7. Right-click Encrypting File System, and select Create Data Recovery Agent. If you double-click Encrypting File System, you will see the Administrator listed in the right pane as shown in Figure 6-7.

    Figure 6-7 Viewing the current EFS recovery agents

    8. On RWDC01, log off as Contoso\User1 and log in as Contoso\Administrator.


    What is needed for a user to become a data recovery agent?

    End of exercise. You can leave the windows open for the next exercise.

    Exercise 6.3 Backing Up and Restoring EFS Certificates

    Overview  During this exercise, you back up an EFS certificate and later restore after you delete the certificate.

    Completion time 10 minutes

    Mindset Question: You had a standalone computer that failed and had to be rebuilt. On the computer, you had some files that were encrypted with EFS. Fortunately, you backed up the files from time to time to a removable drive. After you rebuilt the computer, you decide to copy the files from the removable drive. Although you are using the same username and password that you used before, you cannot open the files because they are encrypted.

    Figure 6-8 Exporting a certificate

    6. When the Certificate Export Wizard starts, click Next.

    7. On the Export Private Key page, click Yes, export the private key, and then click

    8. On the Export File Format page (as shown in Figure 6-9), click Next.

    Figure 6-9 Specifying the exported format

    9. On the Security page, select the Password check box, and type in the password of Password01 in the Password and Confirm password text boxes. Click Next.

    What is the difference between the cer and the pfx format when backing up digital certificates?

    10. On the File to Export page, type C:\Cert.bak in the File name text box, Click

    11. Take a screen shot of the Certificate Export wizard by pressing Alt
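
    The export above and the import in the restore steps that follow can be scripted with the PKI module cmdlets, which also allows the backup to be verified before it is needed. This is an added example, not part of the original lab manual; it assumes the EFS certificate is in the current user's Personal store and that its private key is exportable.

```powershell
# Added example (not from the lab manual): back up and restore the EFS
# certificate with the PKI module cmdlets instead of the wizards.
$pfxPath = 'C:\Cert.bak.pfx'                        # file name used in this exercise
$efsOid  = '1.3.6.1.4.1.311.10.3.4'                 # Encrypting File System EKU
$pfxPass = Read-Host -AsSecureString 'PFX password' # prompt instead of hard-coding

# Find the current user's EFS certificates that still have a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
}
if (-not $efsCerts) { throw 'No EFS certificate with a private key in CurrentUser\My.' }
$cert = $efsCerts | Sort-Object NotAfter -Descending | Select-Object -First 1

# Export certificate and private key (the "Yes, export the private key" choice).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# Verify the backup before relying on it: it must open with the password,
# carry the private key, and match the thumbprint of the live certificate.
$backup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
if (-not $backup.HasPrivateKey -or $backup.Thumbprint -ne $cert.Thumbprint) {
    throw "Backup $pfxPath does not contain the expected key pair."
}
"Backed up $($cert.Subject) [$($cert.Thumbprint)] to $pfxPath"

# Restore (for example on the rebuilt computer), then confirm the key is back.
$restored = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPass
"Restored $($restored.Thumbprint); HasPrivateKey = $($restored.HasPrivateKey)"
```

    Keep the .pfx file and its password off the computer whose files it protects; anyone holding both can decrypt those files.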

    Restoring the EFS Certificate

    1. Right-click the Administrator certificate and click Delete. When it asks if you want to delete the certificate, read the warning and click Yes.

    2. Right-click Certificates, select All Tasks, and then select Import.

    3. When the Certificate Import Wizard starts, click Next.

    4. On the File to Import page, type c:\cert.bak.pfx, and then click Next.

    5. If it asks for a password, type Password01 in the Password text box and click

    6. On the Certificate Store page, click Next.

    7. On the Completing the Certificate Import Wizard page, click Finish.

    8. When the import is successful, click OK.

    9. Take a screen shot of the Certificates console by pressing Alt

    BitLocker differ?

    1. Log in to Server02 as the Contoso\Administrator user account. The Server Manager console opens.

    2. On Server02, on Server Manager, click Manage and click Add Roles and Features. The Add Roles and Feature Wizard opens.

    3. On the Before you begin page, click Next.

    4. Select Role-based or feature-based installation and then click Next.

    5. On the Select destination server page, click Next.

    6. On the Select server roles page, click Next.

    7. On the Select features page, select BitLocker Drive Encryption.

    8. When the Add Roles and Features Wizard dialog box displays, click Add

    9. On the Select Features page, click Next.

    10. On the Confirm installation selections page, click Install.

    11. When BitLocker is installed, click Close.

    12. Reboot the Server02.

    13. Log in to Server02 as the Contoso\Administrator. The Server Manager console

    14. Using Server Manager, open the Tools menu and click Computer Management. The Computer Management console opens.

    15. Expand the Storage node and click Disk Management.

    16. Right-click the C drive and click Shrink Volume.

    17. In the Enter the amount of space to shrink in MB text box, type 3000 and click

    18. Under Disk 0, right-click the unused space and click New Simple Volume.

    19. When the Welcome to the New Simple Volume Wizard starts, click Next.

    20. On the Specify Volume Size page, click Next.

    21. On the Assign Drive Letter or Path page, click Next.

    22. On the Format Partition page, click Next.

    23. When the wizard is complete, click Finish.

    24. Close Computer Management.

    25. Click the Start button, and then click the Control Panel.

    26. Click BitLocker Drive Encryption. The BitLocker Drive Encryption window opens as shown in Figure 6-10.

    Figure 6-10 Opening the BitLocker settings

    27. Click the down arrow next to the E drive. Then click Turn on BitLocker. A BitLocker Drive Encryption (E:) window opens.

    28. On the Choose how you want to unlock this drive page, click to select the Use a password to unlock the drive. Type a password of Password01 in the Enter your password and Reenter your password text boxes, and then click Next.

    29. On the How do you want to back up your recovery key? page, click Save to a file

    30. When the Save BitLocker recovery key as dialog box opens, type \\rwdc01\Software\ before BitLocker Recovery Key <GUID>.txt and click Save. Click Next.

    31. On the BitLocker Drive Encryption (E:) page, select Encrypt entire drive radio button, and click Next.

    32. On the Are you ready to encrypt this drive? page, click Start encrypting.

    33. When the drive is encrypted, take a screen shot of the BitLocker window by pressing Alt
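
    The volume creation and BitLocker steps of this exercise map onto the Storage and BitLocker PowerShell modules as follows. This is an added example, not part of the original lab manual; it assumes the new volume receives drive letter E, as the exercise does, and that the \\rwdc01\Software share is writable by the account running it.

```powershell
# Added example (not from the lab manual): the volume and BitLocker steps of
# this exercise from an elevated PowerShell prompt on Server02.
$mount    = 'E:'                     # drive letter the exercise expects
$keyShare = '\\rwdc01\Software'      # share used for the recovery key

# Steps 2-12: add the feature, then reboot before continuing.
# Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

# Steps 16-23: shrink C: by 3000 MB and format the freed space as E:.
if (-not (Get-Volume -DriveLetter E -ErrorAction SilentlyContinue)) {
    $c = Get-Partition -DriveLetter C
    Resize-Partition -DriveLetter C -Size ($c.Size - 3000MB)
    New-Partition -DiskNumber $c.DiskNumber -UseMaximumSize -DriveLetter E |
        Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null
}

# Steps 27-32: password protector, entire drive (no -UsedSpaceOnly switch).
$pw = Read-Host -AsSecureString "Password to unlock $mount"
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw | Out-Null

# Add a recovery password and store it away from the protected volume.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
      Select-Object -First 1
$id   = $rp.KeyProtectorId.Trim('{}')
$dest = "$keyShare\BitLocker Recovery Key $id.txt"
"Identifier: $id`r`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $dest

# Step 33: poll until encryption completes, then show the final state.
do {
    Start-Sleep -Seconds 15
    $vol = Get-BitLockerVolume -MountPoint $mount
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')
$vol | Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

    A finished run should report VolumeStatus FullyEncrypted with both a Password and a RecoveryPassword key protector listed.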