Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client computers run Windows 7. Some users have laptop computers and work remotely from home.
You need to plan a data provisioning infrastructure to secure sensitive files. Your plan must meet the following requirements:
– Files must be stored in an encrypted format.
– Files must be accessible by remote users over the Internet.
– Files must be encrypted while they are transmitted over the Internet.
What should you include in your plan?
A.
Deploy one Microsoft SharePoint Foundation 2010 site. Require users to access the SharePoint site by using a Secure Socket Transmission Protocol (SSTP) connection.
B.
Deploy two Microsoft SharePoint Foundation 2010 sites. Configure one site for internal users.
Configure the other site for remote users. Publish the SharePoint sites by using HTTPS.
C.
Configure a Network Policy and Access Services (NPAS) server to act as a VPN server.
Require remote users to access the files by using an IPsec connection to the VPN server.
D.
Store all sensitive files in folders that are encrypted by using Encrypting File System (EFS).
Require remote users to access the files by using Secure Socket Transmission Protocol (SSTP).
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Encrypting File System
Encrypting File System (EFS) is another method through which you can ensure the integrity of data. Unlike BitLocker, which encrypts all data on a volume using a single encryption key that is tied to the computer, EFS allows for the encryption of individual files and folders using a public encryption key tied to a specific user account. The encrypted file can only be decrypted using a private encryption key that is accessible only to the user. It is also possible to encrypt documents to other users' public EFS certificates. A document encrypted to another user's public EFS certificate can only be decrypted by that user's private certificate.
Security Groups cannot hold encryption certificates, so the number of users that can access an encrypted document is always limited to the individual EFS certificates that have been assigned to the document. Only a user that originally encrypts the file or a user whose certificate is already assigned to the file can add another user's certificate to that file. With EFS there is no chance that an encrypted file on a departmental shared folder might be accessed by someone who should not have access because of incorrectly configured NTFS or Shared Folder permissions. As many administrators know, teaching regular staff to configure NTFS permissions can be challenging. The situation gets even more complicated when you take into account Shared Folder permissions. Teaching staff to use EFS to limit access to documents is significantly simpler than explaining NTFS ACLs.
If you are considering deployment of EFS throughout your organization, you should remember that the default configuration of EFS uses self-signed certificates. These are certificates generated by the user's computer rather than a Certificate Authority and can cause problems with sharing documents because they are not necessarily accessible from other computers where the user has not encrypted documents. A more robust solution is to modify the default EFS Certificate Template that is provided with a Windows Server 2008 Enterprise Certificate Authority to enable autoenrollment. EFS certificates automatically issued by an Enterprise CA can be stored in Active Directory and applied to files that need to be shared between multiple users. Another EFS deployment option involves smart cards. In organizations where users authenticate using smart cards, their private EFS certificates can be stored on a smart card and their public certificates stored within Active Directory. You can learn more about configuring templates for autoenrollment in Chapter 10, Certificate Services and Storage Area Networks.
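The EFS behaviour described above (folder-level encryption, per-user certificates, adding another user's certificate to a file, and the self-signed-versus-CA-issued distinction) can be exercised from PowerShell with the built-in cipher.exe. The script below is an added example and is not part of the training kit text; the folder path, file name and user account are assumptions chosen for illustration. Run it elevated on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example, not from the training kit. Provisions an EFS-protected folder, checks
# whether the caller's EFS certificate is self-signed (the default the text warns about),
# and grants a second user access to a file by adding that user's certificate.
# All three values below are assumptions for illustration.
$SecureFolder = 'D:\Finance\Sensitive'             # assumption: folder for the sensitive files
$SampleFile   = Join-Path $SecureFolder 'budget.xlsx'
$Colleague    = 'CONTOSO\jsmith'                   # assumption: domain user who must also decrypt

function Get-EfsCertificateReport {
    # Lists the current user's EFS certificates and flags self-signed ones.
    # An EFS certificate carries the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4).
    # Identical Subject and Issuer means the certificate was generated locally rather than
    # issued by the enterprise CA, so it is not in Active Directory unless someone published it.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })) {
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Expires    = $cert.NotAfter
            }
        }
    }
}

function Test-EfsEncrypted {
    # Returns $true when the NTFS Encrypted attribute is set on the file or folder.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# 1. Create the folder and mark it encrypted. Files created inside afterwards are
#    encrypted automatically with the creator's EFS key (add /A to also convert
#    files that already exist in the folder).
New-Item -ItemType Directory -Path $SecureFolder -Force | Out-Null
cipher.exe /E "/S:$SecureFolder" | Out-Null

# 2. Put a file in it and confirm both the folder and the new file are encrypted.
Set-Content -Path $SampleFile -Value 'constructed sample content'
"Folder encrypted: $(Test-EfsEncrypted $SecureFolder); file encrypted: $(Test-EfsEncrypted $SampleFile)"

# 3. Show whether the key protecting it is self-signed or CA-issued.
Get-EfsCertificateReport | Format-Table Subject, Issuer, SelfSigned, Expires -AutoSize

# 4. Grant the colleague access. /USER looks the certificate up in Active Directory,
#    which only works when it was published there (enterprise CA autoenrollment).
#    Use /CERTFILE:<exported .cer> when the colleague's certificate is not in AD.
cipher.exe /ADDUSER "/USER:$Colleague" $SampleFile

# 5. List every certificate that can now decrypt the file, plus any recovery agents.
cipher.exe /C $SampleFile
```

Step 4 only succeeds for a caller who already holds a key to the file, which is exactly the rule the text states: a user whose certificate is not on the file cannot add anyone else. If step 3 reports SelfSigned = True for the only EFS certificate, that user's files cannot be opened from another computer until the certificate is exported there or replaced by an enterprise CA-issued one.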
MORE INFO More on EFS
For more information on Encrypting File System in Windows Server 2008, consult the following TechNet article: http://technet2.microsoft.com/windowsserver2008/en/library/f843023b-bedd-40dd9e5b-f1619eebf7821033.mspx?mfr=true.
Quick Check
1. From a normal user's perspective, in terms of encryption functionality, how does EFS differ from BitLocker?
2. What type of auditing policy should you implement to track access to sensitive files?
Quick Check Answers
1. BitLocker works on entire volumes and is transparent to the user. EFS works on individual files and folders and can be configured by the user.
2. Auditing Object Access.
Windows Server 2008 VPN Protocols
Windows Server 2008 supports three different VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol over IPsec (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). The factors that will influence the protocol you choose to deploy in your own network environment include client operating system, certificate infrastructure, and how your organization's firewall is deployed.
Windows XP remote access clients, because these clients cannot use SSTP
SSTP
Secure Socket Tunneling Protocol (SSTP) is a VPN technology that makes its debut with Windows Server 2008. SSTP VPN tunnels allow traffic to pass across firewalls that block traditional PPTP or L2TP/IPsec VPN traffic. SSTP works by encapsulating Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of the Secure Hypertext Transfer Protocol (HTTPS) protocol. Expressed more directly, SSTP piggybacks PPP over HTTPS. This means that SSTP traffic passes across TCP port 443, which is almost certain to be open on any firewall between the Internet and a public-facing Web server on an organization's screened subnet.
When planning for the deployment of SSTP, you need to take into account the following considerations:
SSTP is only supported with Windows Server 2008 and Windows Vista with Service Pack 1.
SSTP requires that the client trust the CA that issues the VPN server's SSL certificate.
The SSL certificate must be installed on the server that will function as the VPN server prior to the installation of Routing and Remote Access; otherwise, SSTP will not be available.
The SSL certificate subject name and the host name that external clients use to connect to the VPN server must match, and the client Windows Vista SP1 computer must trust the issuing CA.
SSTP does not support tunneling through Web proxies that require authentication.
SSTP does not support site-to-site tunnels. (PPTP and L2TP do.)
MORE INFO More on SSTP
To learn more about SSTP, see the following SSTP deployment walkthrough document at http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/Deploying%20SSTP%20Remote%20Access%20Step%20by%20Step%20Guide.doc.
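Three of the SSTP planning considerations above can be verified from a remote client before users are told to connect: TCP 443 must be reachable, the certificate subject (or a SAN entry) must match the host name clients use, and the client must trust the issuing CA. The script below is an added pre-flight check and is not part of the training kit or the Microsoft deployment guide; the VPN host name is an assumption. Run it from a machine that represents the remote Windows 7 clients, because the trust result reflects the certificate store of the machine running it.

```powershell
# Added example, not from the training kit. Connects to the SSTP server's HTTPS endpoint,
# retrieves the server certificate, and reports the three client-side SSTP requirements:
# TCP 443 reachable, subject/SAN matches the host name, issuing CA trusted by this client.
$VpnHost = 'vpn.contoso.com'   # assumption: public name remote users will type into the VPN client

function Test-SstpPrerequisites {
    param([string]$HostName, [int]$Port = 443)
    $result = New-Object PSObject -Property @{
        HostName = $HostName; TcpReachable = $false; Subject = $null
        SubjectMatchesHost = $false; ChainTrusted = $false; ChainStatus = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # SSTP rides PPP over HTTPS, so the only port the firewall must allow is TCP 443.
        $client.Connect($HostName, $Port)
        $result.TcpReachable = $true

        # Accept any certificate during the handshake so we can inspect it ourselves
        # and report every problem at once instead of failing on the first one.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject

        # Requirement: certificate subject CN or a SAN DNS name must equal the host name
        # clients connect to (a single-label wildcard such as *.contoso.com is accepted).
        $names = @()
        $names += ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $names += ($sanExt.Format($false) -split ',\s*' |
                       Where-Object { $_ -like 'DNS Name=*' }) -replace '^DNS Name=', ''
        }
        $result.SubjectMatchesHost = [bool]($names | Where-Object {
            $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_) })

        # Requirement: this client must trust the issuing CA. X509Chain.Build uses the
        # local machine's trust stores, so the answer is specific to the machine running this.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } catch {
        # Connection refused, TLS failure, DNS failure: record the reason for the report.
        $result.ChainStatus = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    return $result
}

Test-SstpPrerequisites -HostName $VpnHost |
    Format-List HostName, TcpReachable, Subject, SubjectMatchesHost, ChainTrusted, ChainStatus
```

A result of TcpReachable = True with SubjectMatchesHost = False means the certificate was issued for a different name than the one in the client's connection settings, which is the mismatch the consideration list warns about; ChainTrusted = False with a status such as UntrustedRoot means the issuing CA's root has not been distributed to the client. The remaining consideration, that the certificate be installed before Routing and Remote Access, cannot be checked from the client and has to be confirmed on the server itself.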