Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2.
All client computers run Windows 7. Some users have laptop computers and work remotely from
home. You need to plan a data provisioning infrastructure to secure sensitive files. Your plan must
meet the following requirements:
• Files must be stored in an encrypted format.
• Files must be accessible by remote users over the Internet.
• Files must be encrypted while they are transmitted over the Internet.
What should you include in your plan?
A.
Deploy one Microsoft SharePoint Foundation 2010 site. Require users to access the SharePoint
site by using a Secure Socket Tunneling Protocol (SSTP) connection.
B.
Deploy two Microsoft SharePoint Foundation 2010 sites. Configure one site for internal users.
Configure the other site for remote users. Publish the SharePoint sites by using HTTPS.
C.
Configure a Network Policy and Access Services (NPAS) server to act as a VPN server. Require
remote users to access the files by using an IPsec connection to the VPN server.
D.
Store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require
remote users to access the files by using Secure Socket Tunneling Protocol (SSTP).
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Encrypting File System
Encrypting File System (EFS) is another method through which you can protect the confidentiality
of data at rest. Unlike BitLocker, which encrypts all data on a volume using a single encryption key
that is tied to the computer, EFS encrypts individual files and folders: each file is encrypted with its
own symmetric file encryption key (FEK), and that FEK is in turn encrypted with the public key of the
user's EFS certificate. The file can be decrypted only by someone who holds the matching private key,
which is accessible only to that user. It is also possible to encrypt documents to other users' public
EFS certificates. A document encrypted to another user's EFS certificate can be decrypted only with
that user's private key.
Security groups cannot hold encryption certificates, so the number of users that can access an
encrypted document is always limited to the individual EFS certificates that have been assigned to
the document. Only the user who originally encrypted the file, or a user whose certificate is already
assigned to the file, can add another user's certificate to that file. With EFS, an encrypted file on a
departmental shared folder cannot be read by someone who should not have access merely because
NTFS or shared folder permissions were configured incorrectly: without a matching private key (or
the private key of a designated EFS data recovery agent), the file contents are unreadable. As many
administrators know, teaching regular staff to configure NTFS permissions can be challenging. The
situation gets even more complicated when you take into account shared folder permissions. Teaching
staff to use EFS to limit access to documents is significantly simpler than explaining NTFS ACLs.
If you are considering deployment of EFS throughout your organization, you should remember that
the default configuration of EFS uses self-signed certificates. These are certificates generated by the
user's computer rather than a Certificate Authority and can cause problems with sharing documents
because they are not necessarily accessible from other computers where the user has not encrypted
documents. A more robust solution is to modify the default EFS Certificate Template that is provided
with a Windows Server 2008 Enterprise Certificate Authority to enable autoenrollment. EFS certificates
automatically issued by an Enterprise CA can be stored in Active Directory and applied to files that
need to be shared between multiple users.
Another EFS deployment option involves smart cards. In organizations where users authenticate
using smart cards, the private keys for their EFS certificates can be stored on a smart card and their
public certificates stored within Active Directory. You can learn more about configuring templates for
autoenrollment in Chapter 10, "Certificate Services and Storage Area Networks."
MORE INFO More on EFS
For more information on Encrypting File System in Windows Server 2008, consult the following
TechNet article:
http://technet2.microsoft.com/windowsserver2008/en/library/f843023b-bedd-40dd9e5bf1619eebf7821033.mspx?mfr=true
Quick Check
1. From a normal user’s perspective, in terms of encryption functionality, how does EFS differ from
BitLocker?
2. What type of auditing policy should you implement to track access to sensitive files?
Quick Check Answers
1. BitLocker works on entire volumes and is transparent to the user. EFS works on individual files and
folders and can be configured by the user.
2. Auditing Object Access.
Windows Server 2008 VPN Protocols
Windows Server 2008 supports three different VPN protocols: Point-to-Point Tunneling Protocol
(PPTP), Layer Two Tunneling Protocol over IPsec (L2TP/IPsec), and Secure Socket Tunneling Protocol
(SSTP). The factors that will influence the protocol you choose to deploy in your own network
environment include client operating system, certificate infrastructure, and how your organization's
firewall is deployed. Windows XP remote access clients must use PPTP or L2TP/IPsec, because these
clients cannot use SSTP.
■ SSTP Secure Socket Tunneling Protocol (SSTP) is a VPN technology that makes its debut with
Windows Server 2008. SSTP VPN tunnels allow traffic to pass across firewalls that block traditional
PPTP or L2TP/IPsec VPN traffic. SSTP works by encapsulating Point-to-Point Protocol (PPP) traffic
inside the SSL/TLS channel of an HTTPS (HTTP over SSL/TLS) session. Expressed more directly, SSTP
piggybacks PPP over HTTPS. This means that SSTP traffic passes across TCP port 443, which is almost
certain to be open on any firewall between the Internet and a public-facing Web server on an
organization's screened subnet.
When planning for the deployment of SSTP, you need to take into account the following
considerations:
■ SSTP is only supported with Windows Server 2008 and Windows Vista with Service Pack 1 and later
releases (including Windows 7 and Windows Server 2008 R2); earlier clients such as Windows XP cannot use it.
■ SSTP requires that the client trust the CA that issues the VPN server’s SSL certificate.
■ The SSL certificate must be installed on the server that will function as the VPN server prior to the
installation of Routing and Remote Access; otherwise, SSTP will not be available.
■ The SSL certificate subject name must match the host name that external clients use to connect to
the VPN server, and the client computer must trust the CA that issued the certificate; a name mismatch
or an untrusted issuer causes the SSTP connection attempt to fail.
■ SSTP does not support tunneling through Web proxies that require authentication.
■ SSTP does not support site-to-site tunnels. (PPTP and L2TP do.)
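The considerations above (TCP 443 reachable, certificate chains to a CA the client trusts, subject name matches the host name) can be checked from the client before a connection is attempted. The following is an added example, not code from the training kit or the SSTP deployment guide; the server name vpn.contoso.com and the connection name are assumed placeholders, and Add-VpnConnection is the Windows 8 / Server 2012 and later cmdlet (on Windows 7 the connection is created with the Network Connections wizard or CMAK instead).

```powershell
# Added example (not from the training kit). vpn.contoso.com and 'Contoso SSTP' are assumed names.
$vpnHost = 'vpn.contoso.com'
$port    = 443

# 1. TCP 443 must be reachable from the remote user's location; this is the whole point of SSTP.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($vpnHost, $port) }
catch { throw "TCP $port to $vpnHost is blocked or the host is unreachable: $_" }

# 2. Complete the SSL/TLS handshake and fetch the server certificate. The callback accepts any
#    certificate so that the explicit checks below report exactly which requirement fails.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($vpnHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2a. The issuing CA must be trusted by this client (chain builds without errors).
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# 2b. The subject name (or a DNS subject alternative name) must match the host name clients use.
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join ','
$nameOk = ($cn -eq $vpnHost) -or ($san -match "DNS Name=$([regex]::Escape($vpnHost))")

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid       : $($cert.NotBefore) .. $($cert.NotAfter)"
"Chain OK    : $chainOk $(if (-not $chainOk) { "($chainStatus)" })"
"Name match  : $nameOk"

if (-not ($chainOk -and $nameOk)) {
    throw 'SSTP prerequisites not met: fix the certificate or the client trust before creating the connection.'
}

# 3. Create and dial the SSTP connection (PPP over HTTPS, port 443). MS-CHAP v2 is the PPP
#    authentication method; the SSL/TLS layer is what encrypts the traffic on the Internet.
Add-VpnConnection -Name 'Contoso SSTP' -ServerAddress $vpnHost -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force
rasdial 'Contoso SSTP'
```

If the script reports a chain failure, install the issuing CA's certificate in the client's Trusted Root Certification Authorities store (or publish it through Group Policy) rather than relaxing the check; if it reports a name mismatch, reissue the server certificate for the public host name, because SSTP clients refuse a connection to a name the certificate does not cover.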
MORE INFO More on SSTP
To learn more about SSTP, see the following SSTP deployment walkthrough document at
http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/Deploying%20SSTP%20Remote%20Access%20Step%20by%20Step%20Guide.doc.