3. On the Choose How You Want To Unlock This Drive page, select one or more protection methods:
• Use A Password To Unlock This Drive: Users will be prompted to type a password before they can access the contents of the drive.
• Use My Smart Card To Unlock The Drive: Users will be prompted to insert a smart card before they can access the contents of the drive. You can use this option with removable drives; however, you will not be able to access the drive using Windows Vista or Windows XP, because smart cards cannot be used with the BitLocker To Go Reader.
• Automatically Unlock This Drive On This Computer: Windows will automatically unlock non-removable data drives without prompting the user. Selecting this option requires that the system volume be protected by BitLocker. If you move the drive to a different computer, you will be prompted for credentials.
4. On the How Do You Want To Store Your Recovery Key page, choose the method to save the recovery key. Click Next.
5. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.
How to Manage BitLocker Keys on a Local Computer
To manage keys on a local computer, follow these steps:
1. Open Control Panel and click System And Security. Under BitLocker Drive Encryption, click Manage BitLocker.
2. In the BitLocker Drive Encryption window, click Manage BitLocker. Using this tool, you can save the recovery key to a USB flash drive or a file, or you can print the recovery key.
How to Manage BitLocker from the Command Line
To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool. The following example demonstrates how to view the status of a volume with manage-bde -status:

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password
Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password:

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

Key Protectors Added:

    Saved to directory Y:\

    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:
        7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
      Password:
        460559-421212-096877-553201-389444-471801-362252-086284

    TPM:

    2. Insert a USB flash drive with an external key file into the computer.
    3. Restart the computer to run a hardware test.
       (Type "shutdown /?" for command line instructions.)
    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.
After you run the command, restart the computer with the recovery key connected to complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk. Run the following command to disable BitLocker on the C drive:

manage-bde -off C:

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.
You can also use the Manage-bde.exe tool to specify a startup key and a recovery key, which allows a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers that share that key to be rekeyed, so the convenience is paid for with a larger blast radius.
For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.
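The status output above is meant to be read by a person, but on more than a handful of computers it is worth parsing. The following PowerShell script is an added example, not part of the Resource Kit: it parses the text that manage-bde -status prints and flags volumes whose protector configuration is weak (protection off, TPM-only with no PIN or startup key, no recovery protector). The status text embedded in it is constructed to match the layout shown above; the protector names it looks for ("TPM", "Numerical Password", "External Key", "PIN") are the ones manage-bde prints, and the indentation-based regexes are assumptions about that layout.

```powershell
# Added example (not from the Windows 7 Resource Kit): audit manage-bde -status output.
# The text below is CONSTRUCTED to match the manage-bde -status layout shown above;
# on a live system replace it with:  $SampleStatus = (manage-bde -status | Out-String)
$SampleStatus = @"
BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"@

function ConvertFrom-BdeStatus {
    # One object per "Volume X:" block: Drive, Fields (hashtable of the "Name: value" lines),
    # KeyProtectors (array of the protector names listed under "Key Protectors:").
    param([string]$Text)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Volume\s+(?<drive>[A-Za-z]:)') {
            $current = New-Object PSObject -Property @{ Drive = $Matches['drive']; Fields = @{}; KeyProtectors = @() }
            $volumes += $current; $inProtectors = $false; continue
        }
        if ($current -eq $null) { continue }            # banner lines before the first volume
        if ($line -match '^\s+Key Protectors:\s*(?<rest>.*)$') {
            # Protector names follow on more deeply indented lines; "None Found" means no protectors at all.
            $inProtectors = $true
            if ($Matches['rest'] -and $Matches['rest'] -ne 'None Found') { $current.KeyProtectors += $Matches['rest'] }
            continue
        }
        if ($inProtectors -and $line -match '^\s{6,}(?<p>\S.*)$') { $current.KeyProtectors += $Matches['p'].Trim(); continue }
        $inProtectors = $false
        if ($line -match '^\s+(?<k>[^:]+):\s*(?<v>.*)$') { $current.Fields[$Matches['k'].Trim()] = $Matches['v'].Trim() }
    }
    return ,$volumes
}

function Test-BdeVolume {
    # Returns Drive plus an array of findings (empty array means nothing to report).
    param($Volume)
    $f = $Volume.Fields; $kp = @($Volume.KeyProtectors); $findings = @()
    if ($f['Protection Status'] -ne 'Protection On') {
        $findings += 'protection is off (volume unencrypted, or protection suspended with a clear key)'
    }
    if ($f['Lock Status'] -eq 'Locked') { $findings += 'volume is locked; a recovery password or key is needed' }
    if (($kp -contains 'TPM') -and -not ($kp | Where-Object { $_ -match 'PIN|Startup Key|External Key' })) {
        $findings += 'TPM-only protector: no PIN or startup key is required at boot'
    }
    if (($kp.Count -gt 0) -and -not ($kp | Where-Object { $_ -match 'Numerical Password|Data Recovery Agent' })) {
        $findings += 'no recovery password or DRA protector; a TPM or boot change would make the volume unrecoverable'
    }
    New-Object PSObject -Property @{ Drive = $Volume.Drive; Findings = $findings }
}

# Run over the constructed sample: one line per volume.
foreach ($v in (ConvertFrom-BdeStatus $SampleStatus)) {
    $r = Test-BdeVolume $v
    if ($r.Findings.Count -eq 0) { "$($r.Drive) OK" } else { "$($r.Drive) " + ($r.Findings -join '; ') }
}
```

On the constructed sample the script reports C: as TPM-only (the configuration shown in the status output above, which a Require Additional Authentication At Startup policy would tighten) and D: as unprotected. The regexes are written for the English manage-bde output; localized builds print different field names.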
How to Recover Data protected by BitLocker
When you use BitLocker, the encrypted volumes will be locked if the encryption key is not available, causing BitLocker to enter recovery mode. Likely causes for the encryption key's unavailability include:
• Modification of one of the boot files
• The BIOS is modified and the TPM is disabled
• The TPM is cleared
• An attempt is made to boot without the TPM, PIN, or USB key being available
• The BitLocker-encrypted disk is moved to a new computer
After the drive is locked, you can boot only to recovery mode, as shown in Figure 16-19. In recovery mode, you enter the recovery password using the function keys on your keyboard: F1 enters the digit 1, F2 the digit 2, and so forth, with F10 being the digit 0. You must use function keys because localized keyboard support is not yet available at this phase of startup.
FIGURE 16-19 Recovery mode prompts you for a 48-digit recovery password.
If you have the recovery key on a USB flash drive, you can insert the recovery key and press Esc to restart the computer. The recovery key will be read automatically during startup.
If you cancel recovery, the Windows Boot Manager will provide instructions for using Startup Repair to fix a startup problem automatically. Do not follow these instructions, because Startup Repair cannot access the encrypted volume. Instead, restart the computer and enter the recovery key.
MORE INFO Additionally, you can use the BitLocker Repair Tool, Repair-bde.exe, to help recover data from an encrypted volume. If a BitLocker failure prevents Windows 7 from starting, you can run repair-bde from the Windows Recovery Environment (Windows RE) command prompt. For more information about repair-bde, run repair-bde /? at a command prompt. For more information about troubleshooting startup problems, including using repair-bde, refer to Chapter 29.
How to Disable or Remove BitLocker Drive Encryption
Because BitLocker intercepts the boot process and looks for changes to any of the early boot files, it can cause problems in the following nonattack scenarios:
• Upgrading or replacing the motherboard or TPM
• Installing a new operating system that changes the MBR or the Boot Manager
• Moving a BitLocker-encrypted disk to another TPM-enabled computer
• Repartitioning the hard disk
• Updating the BIOS
• Installing a third-party update outside the operating system (such as hardware firmware updates)
To avoid entering BitLocker recovery mode, you can temporarily disable BitLocker, which allows you to change the TPM and upgrade the operating system. When you re-enable BitLocker, the same keys will be used. While protection is suspended the volume stays encrypted, but its key is stored on the disk unprotected (a clear key), so anyone who obtains the disk in that state can read it; resume protection as soon as the maintenance is done. You can also choose to decrypt the BitLocker-protected volume, which will completely remove BitLocker protection; you can then re-enable BitLocker only by repeating the process to create new keys and re-encrypt the volume. To disable or decrypt BitLocker, follow these steps:
1. Log on to the computer as Administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. To temporarily disable BitLocker by using a clear key, click Suspend Protection and then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click Decrypt Drive.
How to Decommission a BitLocker Drive Permanently
Compromises in confidentiality can occur when computers or hard disks are decommissioned. For example, a computer that reaches the end of its usefulness at an organization might be discarded, sold, or donated to charity. The person who receives the computer might extract confidential files from the computer's hard disk. Even if the disk has been formatted, data can often be extracted.
BitLocker reduces the risks of decommissioning drives. For example, if you use a startup key or startup PIN, the contents of the volume are inaccessible without this additional information or the drive's saved recovery information.
You can decommission a drive more securely by removing all key blobs from the disk. By deleting the BitLocker keys from the volume, an attacker needs to crack the encryption, a task that is extremely unlikely to be accomplished within anyone's lifetime. As a cleanup task, you should also discard all saved recovery information, such as recovery information saved to AD DS; any surviving recovery password, key file, or AD DS backup undoes the decommissioning.
To remove all key blobs on a secondary drive (data volume), you can format that drive from Windows or the Windows RE. Note that this format operation will not work on a drive that is currently in use. For example, you cannot use it to more securely decommission the drive used to run Windows.
To remove all key blobs on a running drive, you can create a script that performs the following tasks:
1. Calls the Win32_EncryptableVolume.GetKeyProtectors method to retrieve all key protectors (KeyProtectorType 0).
2. Creates a not-to-be-used recovery password blob (discarding the actual recovery password) by using Win32_EncryptableVolume.ProtectKeyWithNumericalPassword and a randomly generated password sequence. This is required because Win32_EncryptableVolume.DeleteKeyProtector will not remove the last remaining key protector on a volume.
3. Uses Win32_EncryptableVolume.DeleteKeyProtector to remove all of the usable key protectors retrieved in step 1.
4. Clears the TPM by calling the Win32_TPM.Clear method.
For more information about developing a script or application to perform secure decommissioning on a BitLocker-encrypted drive, refer to the Win32_EncryptableVolume WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376483.aspx and the Win32_TPM WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376484.aspx.
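The four steps above, written out as a PowerShell script; this is an added example, not the Resource Kit's own script. It uses the WMI classes and methods the text names (Win32_EncryptableVolume in root\CIMV2\Security\MicrosoftVolumeEncryption, Win32_Tpm in root\CIMV2\Security\MicrosoftTpm). Two points are assumptions: passing $null for the optional NumericalPassword argument makes BitLocker generate the random password, and calling Win32_Tpm.Clear with $null lets Windows use the owner authorization it stored when it took ownership of the TPM (a TPM may also demand physical-presence confirmation at the next boot). The script is destructive by design and does nothing but report unless you pass -Confirm.

```powershell
# Added example (not the Resource Kit's own script): the four decommissioning steps above,
# run against a volume on the running system. DESTRUCTIVE: once it finishes, nobody can unlock
# the volume again. Run from an elevated PowerShell prompt. Without -Confirm it only reports.
param(
    [string]$DriveLetter = 'C:',
    [switch]$Confirm
)

$volNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\CIMV2\Security\MicrosoftTpm'

function Assert-WmiOk($result, $what) {
    # WMI methods report failure through ReturnValue (an HRESULT), not an exception.
    if ($result.ReturnValue -ne 0) { throw ('{0} failed: 0x{1:X8}' -f $what, $result.ReturnValue) }
    $result
}

$vol = Get-WmiObject -Namespace $volNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No Win32_EncryptableVolume instance for $DriveLetter" }

# Step 1: every protector of every type (KeyProtectorType 0 = all).
$original = @((Assert-WmiOk ($vol.GetKeyProtectors(0)) 'GetKeyProtectors').VolumeKeyProtectorID)
"Protectors on ${DriveLetter}: $($original.Count)"
foreach ($id in $original) { "  $id" }
if ($original.Count -eq 0) { throw "$DriveLetter has no key protectors; is BitLocker on?" }

if (-not $Confirm) { 'Dry run. Re-run with -Confirm to delete these protectors and clear the TPM.'; return }

# Step 2: add a throwaway numerical-password protector. $null for NumericalPassword makes
# BitLocker generate a random 48-digit password (assumption), which is deliberately never read.
$r = Assert-WmiOk ($vol.ProtectKeyWithNumericalPassword('Decommission placeholder', $null)) 'ProtectKeyWithNumericalPassword'
$placeholder = $r.VolumeKeyProtectorID
"Added placeholder protector $placeholder (password discarded)"

# Step 3: delete every usable protector from step 1. DeleteKeyProtector refuses to remove the
# last protector on a volume, which is why the placeholder had to be added first.
foreach ($id in $original) {
    if ($id -eq $placeholder) { continue }
    Assert-WmiOk ($vol.DeleteKeyProtector($id)) "DeleteKeyProtector $id" | Out-Null
    "Deleted protector $id"
}

# Step 4: clear the TPM so its sealed copy of the volume master key is gone as well. $null lets
# Windows use the stored owner authorization (assumption); the clear takes effect at reboot.
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
if ($tpm) { Assert-WmiOk ($tpm.Clear($null)) 'Win32_Tpm.Clear' | Out-Null; 'TPM clear requested.' }
else { 'No TPM found; nothing to clear.' }
'Done. Also destroy any recovery passwords, .BEK files, and AD DS backups for this volume.'
```

Run it once without -Confirm to see the protector IDs it would remove, compare them with manage-bde -protectors -get, and only then run it with -Confirm from a session you do not need to reboot from: the operating system keeps running on the key already in memory, but the next boot will ask for a recovery password that nobody has.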
How to Prepare AD DS for BitLocker
BitLocker is also integrated into AD DS. In fact, although you can use BitLocker without AD DS, enterprises really shouldn't: key recovery and data recovery agents are an extremely important part of using BitLocker. AD DS is a reliable and efficient way to store recovery keys so that you can restore encrypted data if a key is lost, and you must use Group Policy settings to configure data recovery agents.
If your AD DS is at the Windows Server 2008 or later functional level, you do not need to prepare AD DS for BitLocker. If your AD DS is at a functional level of Windows Server 2003 or earlier, however, you will need to update the schema to support BitLocker. For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read "Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" at http://go.microsoft.com/fwlink/?LinkId=78953. For information about retrieving recovery passwords from AD DS, read "How to Use the BitLocker Recovery Password Viewer For Active Directory Users And Computers Tool to View Recovery Passwords for Windows Vista" at http://support.microsoft.com/?kbid=928202.
How to Configure a Data Recovery Agent
Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can consume a large amount of space in AD DS. By using a data recovery agent instead of storing recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any BitLocker-protected volume.
To configure a data recovery agent, follow these steps:
1. Publish the future data recovery agent's certificate to AD DS. Alternatively, export the certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group Policy Object Editor and then select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery Agents list in the wizard. You can specify multiple data recovery agents. After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy object. Click Finish to confirm the data recovery agents and close the wizard.
The next time Group Policy is applied to the targeted Windows 7 computers, the data recovery agent certificate will be applied to the drive. At that point, you will be able to recover a BitLocker-protected drive using the certificate configured as the data recovery agent. Because of this, you must carefully protect the data recovery agent certificate and, above all, its private key: anyone who holds it can unlock every volume the policy reaches.
How to Manage BitLocker with Group Policy
BitLocker has several Group Policy settings located in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption that you can use to manage the available features. Table 16-2 lists these policies, which are written to the registry on targeted computers under a single policy key.

TABLE 16-2 BitLocker Group Policy Settings

Policy: [name missing]
    Enabling this policy silently backs up BitLocker recovery information to AD DS. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Policy: Choose Default Folder For Recovery Password
    Enabling this policy and configuring a default path for it sets the default folder to display when the user is saving recovery information for BitLocker. The user will have the ability to override the default.

Policy: Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)
    Enabling this policy allows you to control which recovery mechanisms the user can choose. Disabling the recovery password will disable saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key. If you disable both options, you must enable AD DS backup or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Policy: Choose Drive Encryption Method And Cipher Strength
    Enabling this policy allows configuration of the encryption method used by BitLocker Drive Encryption. The default if this policy is not configured is 128-bit AES with Diffuser. Other choices that can be configured are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES.

Policy: Prevent Memory Overwrite On Restart
    Enabling this policy prevents Windows from overwriting memory on restarts. This can improve restart performance but potentially exposes BitLocker secrets, because key material left in RAM survives a warm reboot into another operating system. Leave it disabled on computers that need protection.

Policy: Provide The Unique Identifiers For Your Organization
    Enable this policy if you want to prevent users from mounting BitLocker-protected drives that might be from outside organizations.

Policy: Validate Smart Card Certificate Usage Rule Compliance
    Enable this policy only if you want to restrict users to smart cards that have an object identifier (OID) that you specify.

Policy: Operating System Drives\Require Additional Authentication At Startup, or Operating System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)
    Enabling this policy allows configuring additional startup options and allows enabling of BitLocker on a non-TPM-compatible computer. On TPM-compatible computers, a secondary authentication can be required at startup: a USB startup key, a startup PIN, or (on Windows 7) both together with the TPM.

Policy: Allow Enhanced PINs For Startup
    Enhanced PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

Policy: Operating System Drives\Configure Minimum PIN Length For Startup
    Enables you to require a minimum PIN length.

Policy: Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered
    Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password will disable saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

Policy: Operating System Drives\Configure TPM Platform Validation Profile
    Enabling this policy allows detailed configuration of the PCR indices. Each index aligns with Windows features that run during startup.

Policy: Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives
    Enables or requires smart cards for BitLocker to protect non-operating system volumes.

Policy: Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker
    Requires drives to be BitLocker-protected before users can save files.

Policy: Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
    Allows you to prevent the BitLocker To Go Reader from being copied to fixed data drives, preventing users of earlier versions of Windows (including Windows Server 2008, Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

Policy: Fixed Data Drives\Configure Use Of Passwords For Fixed Drives
    Requires passwords to access BitLocker-protected fixed drives and configures password complexity.

Policy: Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered
    Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password will disable saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

For information about BitLocker To Go policies (which are configured in the Removable Data Drives node), refer to the section titled "BitLocker To Go" earlier in this chapter.
The Costs of BitLocker
Most security features require a tradeoff. The benefit of any security feature is that it reduces risk and thus reduces the cost associated with a security compromise. Most security features also have a cost: purchase price, increased maintenance, or decreased user productivity. The benefit of using BitLocker is reduced risk of loss of data confidentiality in the event of a stolen hard disk. Like most security features, BitLocker has costs (aside from any software or hardware costs):
• If a PIN or external key is required, the startup experience is not transparent to the user. If the user loses his PIN or startup key, he will need to wait for a Support Center representative to read him the password so that he can start his computer.
• In the event of hard disk failure or data corruption, recovering data from the disk can
Encrypting File System
BitLocker is not a replacement for the EFS introduced in Windows 2000, but it is a supplement to EFS that ensures that the operating system itself is protected from attack. Best practices for protecting sensitive computers and data combine the two features to provide a high level of assurance of data protection on the system.
EFS continues to be an important data-protection tool in Windows 7. EFS allows the encryption of entire volumes or individual folders and files and can support multiple users using the same computer, each with protected data. Additionally, EFS allows multiple users to have secure access to sensitive data while protecting the data against unauthorized viewing or modification. EFS cannot be used to encrypt system files, however, and it should be combined with BitLocker to encrypt the system drive where sensitive data must be protected. EFS keys are protected through the user's logon credentials, which in turn depend on the SYSKEY, so EFS is susceptible to offline attack through the SYSKEY; when you combine EFS with BitLocker to encrypt the system volume, this attack vector is closed.
EFS uses symmetric key encryption along with public key technology to protect files and folders. Each user of EFS is issued a digital certificate with a public and private key pair. EFS uses the keys to encrypt and decrypt the files transparently for the logged-on user. Authorized users work with encrypted files and folders just as they do with unencrypted files and folders. Unauthorized users receive an Access Denied message in response to any attempt to open, copy, move, or rename the encrypted file or folder.
Files are encrypted with a single symmetric key, and then the symmetric key is encrypted twice: once with the user's EFS public key to allow transparent decryption and once with the recovery agent's key to allow data recovery.
The sections that follow describe how to manage EFS keys. For general information about EFS, read "Encrypting File System in Windows XP and Windows Server 2003" at http://technet.microsoft.com/en-us/library/bb457065.aspx.
How to Export Personal Certificates
To prevent being unable to access an encrypted file, you can export your personal certificate. When you have exported your certificate, you can copy or move the encrypted file to another computer and still access it by importing the certificate you exported. The exported file contains your private key, so protect it as carefully as the data it can decrypt.
To export your personal certificate, follow these steps:
1. Open Windows Explorer and select a file that you have encrypted.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Select your user name and then click Back Up Keys to open the Certificate Export Wizard.
6. Click Next to select the file format to use.
7. Click Next and enter a password to protect the key. Repeat the entry and then click Next.
8. Enter a path and filename to save the file to, or browse for a path. Click Next.
9. Click Finish to export the certificate and then click OK to confirm that it was saved successfully.
How to Import Personal Certificates
You can share encrypted files with other users if you have the certificate for the other user. To allow another user to use a file that you have encrypted, you need to import her certificate onto your computer and add her user name to the list of users who are permitted access to the file.
To import a user certificate, follow these steps:
1. Click Start, type mmc, and then press Enter to open a blank Microsoft Management Console (MMC).
2. Click File and then click Add/Remove Snap-in.
3. Select Certificates and click Add. Select My User Account and click Finish. Click OK to close the Add Or Remove Snap-in dialog box.
4. Click Certificates and then double-click Trusted People.
5. Under Trusted People, right-click Certificates. On the All Tasks menu, click Import to open the Certificate Import Wizard.
6. Click Next and then browse to the location of the certificate you want to import.
7. Select the certificate and then click Next.
8. Type the password for the certificate and then click Next.
9. Click Next to place the certificate in the Trusted People store.
10. Click Finish to complete the import.
11. Click OK to acknowledge the successful import and then exit the MMC.
How to Grant Users Access to an Encrypted File
When you have a user's certificate, you can add that user to the list of users who have access to a file. A user's certificate will be on a computer automatically if the user has logged on to the computer previously.
To add a user whose certificate you have imported to the users who can access a file, follow these steps:
1. Open Windows Explorer and highlight the file to which you want to grant access.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Click Add to open the Encrypting File System dialog box and then select the user you want to permit to use the encrypted file.
6. Click OK to add the user to the list of users who have access to the file.
7. Click OK until you have exited all of the dialog boxes.
You do not need to grant EFS access to allow users to access files across the network; EFS does not affect shared folders.
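The three EFS procedures above (export your own certificate, import another user's certificate into Trusted People, add that user to a file) as PowerShell functions; this is an added example, not code from the Resource Kit. It relies on the .NET X509 classes and on cipher.exe's /adduser switch with /certhash. The EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 is the standard one; the file paths and passphrase in the usage lines are placeholders.

```powershell
# Added example (not from the Windows 7 Resource Kit): the EFS export, import and grant
# procedures above as functions. Paths and the passphrase in the usage lines are placeholders.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

function Get-EfsCertificate {
    # Certificates in the current user's Personal store that are valid for EFS and that have a
    # private key: only those can decrypt this user's files (a public-only copy cannot).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $cert.HasPrivateKey -and (
            $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
        )
    }
}

function Backup-EfsCertificate {
    # The export procedure above, scripted: writes a password-protected PFX (the same format the
    # Certificate Export Wizard produces) and returns the thumbprint of the certificate it saved.
    param([string]$Path, [string]$Password)
    $cert = Get-EfsCertificate | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $pfx)
    $cert.Thumbprint
}

function Import-TrustedPersonCertificate {
    # The import procedure above: the other user's .cer (public key only) goes into Trusted People,
    # which is where the Encrypting File System "Add" dialog looks for candidate users.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPeople', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

function Grant-EfsAccess {
    # The User Access dialog's Add button, via cipher.exe: adds the certificate (selected by its
    # SHA-1 thumbprint) to the list of users whose key can decrypt the file's file encryption key.
    param([string]$File, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    & cipher.exe /adduser "/certhash:$($Certificate.Thumbprint)" $File
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder paths; the PFX password is all that protects your private key in that file):
# Backup-EfsCertificate -Path "$env:USERPROFILE\efs-backup.pfx" -Password 'long passphrase here'
# $other = Import-TrustedPersonCertificate -CerPath 'C:\certs\otheruser.cer'
# Grant-EfsAccess -File 'C:\Data\report.docx' -Certificate $other
```

Grant-EfsAccess must run as the file's owner or as a user already on the file's access list, because cipher.exe has to decrypt the file encryption key before it can re-encrypt it for the new user; that is the same constraint the dialog-based procedure has.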
Symbolic Links
Windows Vista and Windows 7 include symbolic links. Symbolic links act like shortcuts, but they provide a transparent link to the target file at the file-system level rather than within Windows Explorer. Therefore, although a user can double-click a shortcut from Windows Explorer to open the original file, a symbolic link will actually make applications believe they are directly accessing the target file.
As an administrator, you might need to use symbolic links for backward compatibility. For example, if an application expects to find a file in the root of the C drive but you need to move the file to a different location on the local disk, you can create a symbolic link in the root of the C drive to the file's new location, allowing the application to continue to access the file in the root of the C drive. Windows Vista and Windows 7 use symbolic links for backward compatibility with user profiles in earlier versions of Windows. For more information, read Chapter 15, "Managing Users and User Data."
HOW IT WORKS
Symbolic Links, Hard Links, Junction Points, and Shortcuts
Windows Vista and Windows 7 support four different types of links, each providing a slightly different function:
• Shortcuts: Shortcuts are files with a .lnk extension. If you double-click them within the Windows Explorer shell, Windows will open the target file. However, the file system treats .lnk files just like any other files. For example, opening a .lnk file from a command prompt does not open the target file.
• Hard links: Hard links create a new directory entry for an existing file, so a single file can appear in multiple folders (or in a single folder using multiple filenames). Hard links must all be on a single volume.
• Junction points: Also known as soft links, junction points reference a folder using an absolute path. Windows automatically redirects requests for a junction point to the target folder. Junction points do not have to be on the same volume as their target.
• Symbolic links: A pointer to a file or folder. Like junction points, symbolic links are almost always transparent to users. (Occasionally, a program might use an outdated application programming interface [API] that does not respect a symbolic link.) Unlike junction points, symbolic links can point to files as well as folders and can use relative paths as well as absolute paths.
How to Create Symbolic Links
By default, only administrators can create symbolic links. However, you can grant other users this right using the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links setting. Grant it sparingly: a user who can plant a symbolic link in a location that a privileged process writes to can redirect that write to a file the user could not otherwise modify.
To create a symbolic link, open a command prompt with administrative privileges and use the mklink command. For example, the following command creates a symbolic link from C:\Myapp.exe to Notepad in the system directory:
C:\>mklink myapp.exe %windir%\system32\notepad.exe
symbolic link created for myapp.exe <<===>> C:\Windows\system32\notepad.exe
NOTE Developers can call the CreateSymbolicLink function to create symbolic links. For more information, go to http://msdn.microsoft.com/en-us/library/aa363866.aspx.
After you create this symbolic link, the Myapp.exe link behaves exactly like a copy of the Notepad.exe file. Windows Explorer displays symbolic links using the standard shortcut symbol. However, shortcuts always have a .lnk extension, whereas symbolic links can have any extension. At a command prompt, the dir command uses the <SYMLINK> identifier to distinguish symbolic links and displays the path to the target file:
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is BC33-D7AC

 Directory of C:\

09/18/2006  04:43 PM                24 AUTOEXEC.BAT
09/18/2006  04:43 PM                10 config.sys
12/27/2006  12:16 PM    <SYMLINK>      myapp.exe [C:\Windows\system32\notepad.exe]
12/23/2006  04:47 PM    <DIR>          Program Files
11/29/2006  03:31 PM    <DIR>          Users
12/27/2006  08:39 AM    <DIR>          Windows
Because a symbolic link is only a link, any changes made through the link actually affect the target file, and vice versa. If you create a symbolic link and then delete the target file, the symbolic link will remain, but any attempt to access it will return a File Not Found error, because Windows will attempt to access the link target automatically. If you delete a target file and later replace it with a file of the same name, that new file will become the link target. Deleting a link does not affect the link target. Attribute changes to the symbolic link, such as marking a file as hidden or as a system file, are applied to both the symbolic link and the target file.
How to Create Relative or Absolute Symbolic Links
Relative symbolic links identify the location of the target based on their own folder. For example, a relative symbolic link to a target file in the same folder will always attempt to access a target with the specified filename in the same folder, even if the symbolic link is moved. You can create relative or absolute symbolic links, but all symbolic links are relative by default. For example, consider the following commands, which create a symbolic link named Link.txt to a file named Target.txt and then attempt to access the symbolic link before and after moving the link and the target file:
C:\>mklink link.txt target.txt
C:\>type link.txt
Hello, world.
C:\>REM Move link.txt to a different folder
C:\>move link.txt C:\links
        1 file(s) moved.
C:\>cd links
C:\links>type link.txt
The system cannot find the file specified.
C:\links>move \target.txt C:\links
C:\links>type link.txt
Hello, world.
In the previous example, moving the symbolic link to a different folder causes Windows to be unable to locate the target, because the symbolic link is a relative link pointing to a file named Target.txt in the same folder. When both the link and the target are moved to the same folder, the symbolic link works again.
Now consider the same example using an absolute symbolic link, created by specifying the full path to the target file:
C:\>mklink link.txt C:\target.txt
C:\>type link.txt
In the last example, specifying the full path to the target file creates an absolute symbolic link that references the full path to the target file. Therefore, the symbolic link still works after it is moved to a different folder. However, moving the target file makes it inaccessible.
How to Create Symbolic Links to Shared Folders
You can create symbolic links on the local file system to files stored on other local drives or
shared folders However, when you use the mklink command, you must always specify the absolute path to the remote target file because the mklink command by default assumes
that the location is relative For example, suppose you want to create a symbolic link named C:\Link txt that targets a file on a shared folder at Z:\Target txt If you run the following com-mands, you will successfully create a symbolic link at C:\Link txt
C:\>Z:
Z:\>mklink C:\link.txt target.txt
However, that file will link to C:\Target txt and not the intended Z:\Target txt To create a link to the Z:\Target txt file, you need to run the following command
C:\>mklink C:\link.txt Z:\target.txt
The mklink command also allows you to create a symbolic link targeting a Universal
Nam-ing Convention (UNC) path For example, if you run the followNam-ing command, Windows will create a symbolic link file called Link txt that opens the Target txt file
Mklink link.txt \\server\folder\target.txt
If you enable remote symbolic links (discussed later in this section), they can be used to store symbolic links on shared folders and automatically redirect multiple Windows network clients to a different file on the network.
By default, you can use symbolic links only on local volumes. If you attempt to access a symbolic link located on a shared folder (regardless of the location of the target) or copy a symbolic link to a shared folder, you will receive an error. You can change this behavior by configuring the following Group Policy setting:
Computer Configuration\Administrative Templates\System\NTFS File System\Selectively Allow The Evaluation Of A SymbolicLink
When you enable this policy setting, you can select from four settings:
• Local Link To Local Target Enabled by default, this allows local symbolic links to targets on the local file system.
• Local Link To Remote Target Enabled by default, this allows local symbolic links to targets on shared folders.
• Remote Link To Remote Target Disabled by default, this allows remote symbolic links to remote targets on shared folders.
• Remote Link To Local Target Disabled by default, this allows remote symbolic links to remote targets on shared folders.
Enabling remote links can introduce security vulnerabilities. For example, a malicious user can create a symbolic link on a shared folder that references an absolute path on the local computer. When a user attempts to access the symbolic link, he will actually be accessing a different file that might contain confidential information. In this way, a sophisticated attacker might be able to trick a user into compromising the confidentiality of a file on his local computer.
How to Use Hard Links
Hard links create a second directory entry for a single file, whereas symbolic links create a new file that references an existing file. This subtle difference yields significantly different behavior.
You can create hard links by adding the /H parameter to the mklink command. For example, the following command creates a hard link from Link.txt to Target.txt:
C:\>mklink /H link.txt target.txt
Hardlink created for link.txt <<===>> target.txt
As with symbolic links, any changes made to the hard link are made automatically to the target (including attribute changes) and vice versa, because the file itself is stored only once on the volume. However, hard links have several key differences:
• Hard links must refer to files on the same volume, while symbolic links can refer to files or folders on different volumes or shared folders.
• Hard links can refer only to files, while symbolic links can refer to either files or folders.
• Windows maintains hard links, so the link and the target remain accessible even if you move one of them to a different folder.
• Hard links survive deleting the target file. A target file is deleted only if the target file and all hard links are deleted.
• If you delete a symbolic link target and then create a new file with the same name as the target, the symbolic link will open the new target. Hard links will continue to reference the original target file, even if you replace the target.
• Hard links do not show up as symbolic links in dir command-line output, and Windows Explorer does not show a shortcut symbol for them. Hard links are indistinguishable from the original file.
• Changes made to file permissions on a hard link apply to the target file and vice versa. With symbolic links, you can configure separate permissions on the symbolic link, but the permissions are ignored.
Windows XP supports hard links by using the fsutil hardlink command. Windows Vista and Windows 7 hard links are compatible with Windows XP hard links, and the fsutil hardlink command continues to function in Windows Vista and Windows 7.
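The link behaviour described in the symbolic-link and hard-link sections above, reproduced as an added example that is not from the book: Python's os.symlink and os.link stand in for mklink and mklink /H, and the temporary folder and file names are constructed. It runs on any file system with link support; on Windows, os.symlink needs the same Create Symbolic Links privilege that mklink does.

```python
# Added example (not from the book): checks the relative/absolute symbolic
# link and hard link rules the text describes, on a scratch folder.
import os
import shutil
import tempfile


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def _read(path):
    """Read a file through a link; None stands for 'cannot find the file'."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def move_links_demo():
    """Relative vs absolute symbolic link after moving the link, then the target."""
    root = tempfile.mkdtemp()
    other = os.path.join(root, "other")
    os.mkdir(other)
    target = os.path.join(root, "target.txt")
    _write(target, "original")
    os.symlink("target.txt", os.path.join(root, "rel.txt"))  # mklink link.txt target.txt
    os.symlink(target, os.path.join(root, "abs.txt"))        # mklink link.txt C:\target.txt
    result = {}
    for name in ("rel.txt", "abs.txt"):  # move only the links to another folder
        os.rename(os.path.join(root, name), os.path.join(other, name))
    result["rel_after_link_moved"] = _read(os.path.join(other, "rel.txt"))
    result["abs_after_link_moved"] = _read(os.path.join(other, "abs.txt"))
    os.rename(target, os.path.join(other, "target.txt"))  # now move the target too
    result["rel_after_both_moved"] = _read(os.path.join(other, "rel.txt"))
    result["abs_after_target_moved"] = _read(os.path.join(other, "abs.txt"))
    shutil.rmtree(root)
    return result


def hard_vs_symlink_demo():
    """Delete and recreate the target: the symlink follows the new file, the hard link keeps the old data."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "target.txt")
    _write(target, "old data")
    os.link(target, os.path.join(root, "hard.txt"))          # mklink /H hard.txt target.txt
    os.symlink("target.txt", os.path.join(root, "sym.txt"))  # mklink sym.txt target.txt
    os.remove(target)
    after_delete = (_read(os.path.join(root, "hard.txt")), _read(os.path.join(root, "sym.txt")))
    _write(target, "new data")
    after_replace = (_read(os.path.join(root, "hard.txt")), _read(os.path.join(root, "sym.txt")))
    shutil.rmtree(root)
    return after_delete, after_replace
```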
Disk Quotas
Administrators can configure disk quotas to control how much of a volume a single user can fill with files. This is most useful when implemented on a server that hosts shared folders. However, you might also need to implement disk quotas on client computers in environments in which multiple users access a single computer, because they can help prevent a single user from completely filling a volume and thereby preventing other users from saving files. Disk quotas have not changed significantly since Windows XP.
Before enabling disk quotas, consider whether they are worthwhile. Managing disk quotas requires administrators to monitor disk quota events, such as a user exceeding a disk storage threshold. Administrators must then work with users to either increase the quota or identify files that can be removed. Often, it is less expensive to simply add more disk storage, even if the users do not closely manage their disk usage.
How to Configure Disk Quotas on a Single Computer
To configure disk quotas on a single computer, follow these steps:
1. Click Start and then click Computer.
2. In the right pane, right-click the drive on which you want to configure the quotas and then click Properties.
3. Click the Quota tab and then click Show Quota Settings. The Quota Settings dialog box appears.
4. Select the Enable Quota Management check box, as shown in Figure 16-20.
FIGURE 16-20 Disk quotas control how much of a disk users can fill.
From this dialog box, you can configure the following disk quota options:
• Enable Quota Management Quota management is disabled by default. Select this check box to enable quota management.
• Deny Disk Space To Users Exceeding Quota Limit By default, users are warned only if they exceed their quota limits. Selecting this check box causes Windows to block disk access after the quota is exceeded. Typically, warning users is sufficient, provided that you also log the events and follow up with users who do not clean up their disk space. Denying disk access will cause applications to fail when they attempt to write more data to the disk and can cause users to lose unsaved work.
Note To determine quota limitations for users, developers can call the ManagementObjectSearcher.Get WMI method to retrieve a ManagementObjectCollection object and then access the collection’s QuotaVolume item.
• Do Not Limit Disk Usage Does not configure disk quotas for new users by default. You can still use the Quota Entries window to configure disk quotas for users.
• Limit Disk Space To and Set Warning Level To Creates a disk quota by default for new users. The value in the Set Warning Level To box should be lower than that in the Limit Disk Space To box so that the user receives a warning before running out of available disk space.
• Log Event When A User Exceeds Their Quota Limit and Log Event When A User Exceeds Their Warning Level Configures Windows to add an event when the user exceeds her quota. You should typically select these check boxes and then monitor the events so that IT support can communicate directly with the user to keep the user within her quotas (or increase the quotas as needed).
Additionally, you can click Quota Entries to configure quota settings for existing users and groups.
How to Configure Disk Quotas from a Command Prompt
To view and manage disk quotas from scripts or from the command line, use the Fsutil administrative command-line utility. Useful Fsutil commands include:
• fsutil quota query C: Displays quota information about the C volume, as the following example shows.
C:\>fsutil quota query C:
FileSystemControlFlags = 0x00000301
    Quotas are tracked on this volume
    Logging for quota events is not enabled
    The quota values are incomplete

Default Quota Threshold = 0xffffffffffffffff
Default Quota Limit     = 0xffffffffffffffff

SID Name        = BUILTIN\Administrators (Alias)
Change time     = Tuesday, April 11, 2006 7:54:59 AM
Quota Used      = 0
Quota Threshold = 18446744073709551615
Quota Limit     = 18446744073709551615
• fsutil quota track C: Enables disk quotas on the C volume.
• fsutil quota disable C: Disables disk quotas on the C volume.
• fsutil quota enforce C: Enables disk quota enforcement on the C volume, which causes Windows to deny disk access if a quota is exceeded.
• fsutil quota modify C: 3000000000 5000000000 Contoso\User Creates a disk quota entry for the user Contoso\User. The first number (3,000,000,000 in the preceding example) enables a warning threshold at about 3 GB, and the second number (5,000,000,000 in the preceding example) enables an absolute limit of about 5 GB.
For complete usage information, run fsutil /? from a command prompt.
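An added example (not from the book or from the fsutil tool) that decodes the fsutil quota query output shown above so a script can tell whether quotas on a volume are only tracked, are enforced, and are logged. The FILE_VC_* bit names are the constants from the Windows SDK header ntifs.h; the sample text is the book's output, embedded here as constructed input.

```python
# Added example (not from the book): decode "fsutil quota query" output.
import re

NO_LIMIT = 0xFFFFFFFFFFFFFFFF  # 18446744073709551615 means "no quota"

# FileSystemControlFlags bits, FILE_VC_* constants from the Windows SDK (ntifs.h)
FILE_VC_FLAGS = {
    0x001: "QUOTA_TRACK",
    0x002: "QUOTA_ENFORCE",
    0x010: "LOG_QUOTA_THRESHOLD",
    0x020: "LOG_QUOTA_LIMIT",
    0x040: "LOG_VOLUME_THRESHOLD",
    0x080: "LOG_VOLUME_LIMIT",
    0x100: "QUOTAS_INCOMPLETE",
    0x200: "QUOTAS_REBUILDING",
}

# Constructed sample: the book's "fsutil quota query C:" output.
SAMPLE = """\
FileSystemControlFlags = 0x00000301
    Quotas are tracked on this volume
    Logging for quota events is not enabled
    The quota values are incomplete

Default Quota Threshold = 0xffffffffffffffff
Default Quota Limit     = 0xffffffffffffffff

SID Name        = BUILTIN\\Administrators (Alias)
Change time     = Tuesday, April 11, 2006 7:54:59 AM
Quota Used      = 0
Quota Threshold = 18446744073709551615
Quota Limit     = 18446744073709551615
"""


def decode_flags(value):
    """Return the set of FILE_VC_* names whose bits are set in value."""
    return {name for bit, name in FILE_VC_FLAGS.items() if value & bit}


def parse_quota_query(text):
    """Summarise quota state from fsutil quota query output."""
    m = re.search(r"FileSystemControlFlags\s*=\s*(0x[0-9a-fA-F]+)", text)
    flags = decode_flags(int(m.group(1), 16)) if m else set()

    def num(label):  # hex or decimal value after "label ="
        n = re.search(label + r"\s*=\s*(0x[0-9a-fA-F]+|\d+)", text)
        return int(n.group(1), 0) if n else None

    limit = num("Default Quota Limit")
    return {
        "flags": flags,
        "tracked": "QUOTA_TRACK" in flags,
        "enforced": "QUOTA_ENFORCE" in flags,  # what "fsutil quota enforce" turns on
        "logging": bool(flags & {"LOG_QUOTA_THRESHOLD", "LOG_QUOTA_LIMIT"}),
        "default_limit_bytes": None if limit == NO_LIMIT else limit,
    }
```

For the book's volume the result reports tracking on, enforcement off, logging off and no default limit, matching the three descriptive lines fsutil prints.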
How to Configure Disk Quotas by Using Group Policy Settings
To configure disk quotas in an enterprise, use the AD DS Group Policy settings located at Computer Configuration\Administrative Templates\System\Disk Quotas. The following settings are available:
• Enable Disk Quotas
• Enforce Disk Quota Limit
• Default Quota Limit And Warning Level
• Log Event When Quota Limit Exceeded
• Log Event When Quota Warning Level Exceeded
• Apply Policy To Removable Media
Each of these settings relates directly to a local computer setting described earlier except for Apply Policy To Removable Media. If you enable this setting, quotas also apply to NTFS-formatted removable media. Quotas never apply to fixed or removable media unless they are formatted with NTFS.
Disk Tools
Microsoft provides several free tools that are very useful for managing disks and file systems, as the sections that follow describe. For information about tools used for troubleshooting disk problems, refer to Chapter 30.
Disk Usage
Perhaps the biggest challenge of managing file systems is managing disk usage. Quotas can help, but often you will still need to manually identify folders and files that are consuming large amounts of disk space.
The free Disk Usage (Du) tool, available for download from http://technet.microsoft.com/en-us/sysinternals/bb896651.aspx, can identify the amount of disk space a folder and its subfolders consume. Run Du.exe with the folder you want to analyze, as in the following example:
Du C:\users\
Du v1.33 - report directory disk usage
Copyright (C) 2005-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

Files:        96459
Directories:  19696
Size:         51,641,352,816 bytes
Size on disk: 47,647,077,498 bytes
EFSDump
Users can share EFS-encrypted files by adding other user certificates to a file. However, auditing the users who have rights to files would be very time-consuming using the Windows Explorer graphical interface. To list users who have access to encrypted files more easily, use EFSDump, available for download from http://technet.microsoft.com/en-ca/sysinternals
C:\Users\User1\Documents\Encrypted\MyFile.txt:
DDF Entry:
    COMPUTER\User1:
        User1(User1@COMPUTER)
DDF Entry:
    COMPUTER\User2:
        User2(User2@COMPUTER)
DRF Entry:
SDelete
When you delete a file, Windows removes the index for the file and prevents the operating system from accessing the file’s contents. However, an attacker with direct access to the disk can still recover the file’s contents until it has been overwritten by another file—which might never happen. Similarly, files that have been EFS-encrypted leave behind the unencrypted contents of the file on the disk.
With the SDelete tool, available for download from http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx, you can overwrite the contents of free space on your disk to prevent deleted or encrypted files from being recovered.
To use SDelete to overwrite deleted files on the C drive, run the following command:
Sdelete -z C:
SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
SDelete is set for 1 pass
Free space cleaned on C:
Streams
NTFS files can contain multiple streams of data. Each stream resembles a separate file but is listed within a single filename. Streams are accessed using the syntax file:stream, and by default, the main stream is unnamed (and hence is accessed when you simply specify the filename).
For example, you can use the echo command to create a file or a specific stream. To create a stream named Data for the file named Text.txt, run the following command:
Echo Hello, world > text.txt:data
Directory listings will show that the Text.txt file is zero bytes long, and opening the file in a text editor will show nothing. However, it does contain data in the Data stream, which you can demonstrate by running the following command:
More < text.txt:data
Hello, world
Legitimate programs often use streams. However, malicious software also uses streams to hide data. You can use the Streams program, available at http://technet.microsoft.com/en-ca/sysinternals/bb897440.aspx, to list streams. For example, to list all files with streams within the Windows directory, run the following command:
Streams -s %windir%
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\Thumbs.db:
         :encryptable:$DATA    0
C:\Windows\PLA\System\LAN Diagnostics.xml:
         :0v1ieca3Feahez0jAwxjjk5uRh:$DATA    2524
         :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA    0
C:\Windows\PLA\System\System Diagnostics.xml:
         :0v1ieca3Feahez0jAwxjjk5uRh:$DATA    5384
         :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA    0
C:\Windows\PLA\System\System Performance.xml:
         :0v1ieca3Feahez0jAwxjjk5uRh:$DATA    500
         :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA    0
C:\Windows\PLA\System\Wireless Diagnostics.xml:
         :0v1ieca3Feahez0jAwxjjk5uRh:$DATA    3240
         :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA    0
C:\Windows\ShellNew\Thumbs.db:
         :encryptable:$DATA    0
C:\Windows\System32\Thumbs.db:
         :encryptable:$DATA    0
As you can see from this output, several files in subdirectories within the C:\Windows\ directory have a stream named $DATA.
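An added example (not from the book or from Sysinternals) that parses Streams -s output like the listing above and reports the named streams that actually hold data, which are the entries worth reviewing first when checking for content hidden in streams. The sample is a constructed excerpt of that listing.

```python
# Added example (not from the book): triage Sysinternals Streams output.
import re

# Constructed sample: an excerpt of the book's "Streams -s %windir%" listing.
SAMPLE = """\
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\\Windows\\Thumbs.db:
         :encryptable:$DATA    0
C:\\Windows\\PLA\\System\\LAN Diagnostics.xml:
         :0v1ieca3Feahez0jAwxjjk5uRh:$DATA    2524
         :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA    0
C:\\Windows\\ShellNew\\Thumbs.db:
         :encryptable:$DATA    0
"""

# Indented stream line: "   :name:$DATA   size"
STREAM_LINE = re.compile(r"^\s+:(?P<name>[^:]+):\$DATA\s+(?P<size>\d+)\s*$")


def parse_streams(text):
    """Return {file_path: {stream_name: size_in_bytes}} from Streams output."""
    result, current = {}, None
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("size"))
        elif line.endswith(":") and not line.startswith(" "):
            current = line[:-1]  # a file path line ends with ":"; drop it
            result[current] = {}
    return result


def streams_with_data(text, min_size=1):
    """List (file, stream, size) for named streams of at least min_size bytes, largest first."""
    hits = []
    for path, streams in parse_streams(text).items():
        for name, size in streams.items():
            if size >= min_size:
                hits.append((path, name, size))
    return sorted(hits, key=lambda h: -h[2])
```

Zero-length streams such as the :encryptable markers drop out of the report, leaving the one stream in the sample that carries 2,524 bytes.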
Sync
In some cases, Windows might cache data before writing it to the disk. When a computer is shut down normally, all cached data is written to the disk. If you plan to shut down a computer forcibly (by initiating a Stop error or disconnecting the power), you can run the Sync command to flush all file system data to the disk. Sync is also useful to ensure that all data is written to removable disks.
You can download Sync from http://technet.microsoft.com/en-ca/sysinternals/bb897438.aspx.
The simplest way to use Sync is to run it with no parameters and with administrative privileges, which flushes data for all disks:
sync
Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Flushing: F
MoveFile and PendMoves
Files can’t be moved when they’re in use by the operating system or an application. If a file is constantly in use, you can schedule Windows to move the file during startup using the MoveFile tool, available for download from http://technet.microsoft.com/en-ca/sysinternals/bb897556.aspx.
Use MoveFile exactly as you would use the move command, as in the following example:
Movefile file.txt test\file.txt
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
The file will not be moved immediately. However, the next time the computer is restarted, Windows will move the file. If you want to delete a file that is constantly in use (a common requirement for removing malicious software), provide "" as the destination, as in the following example:
Movefile file2.txt ""
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
The same download that includes MoveFile includes the PendMoves tool, which displays moves and deletions that have been scheduled. You can simply run the command without parameters, as the following example demonstrates:
pendmoves
PendMove v1.1
Copyright (C) 2004 Mark Russinovich
Sysinternals - wwww.sysinternals.com

Source: C:\Users\User1\Documents\file.txt
Target: C:\Users\User1\Documents\dest\file.txt

Source: C:\Users\User1\Documents\file2.txt
Target: DELETE

Time of last update to pending moves key: 2/27/2008 10:08 AM
Summary
Windows 7 uses local storage, which is typically based on hard disks, to store critical operating system files. Users rely on the same storage for confidential files. Because the integrity of the operating system and the security of your organization depend on the disks and file systems stored within each Windows computer, you must carefully consider your client-storage management requirements.
Fortunately, Windows 7 provides simple disk and volume management using either graphical or command-line tools. Windows Vista and Windows 7 improve on Windows XP by allowing partitions to be dynamically resized and thereby allowing administrators to reconfigure partitions without reformatting a disk or using third-party tools.
Windows 7 provides several features for managing disks and file systems. To provide data recovery in the event of a failed hard disk, corrupted files, or accidentally deleted data, Windows 7 provides both manual and scheduled backups. If backups are available online, users can use Previous Versions to recover a file without contacting the Support Center. System Image backup and restore enables you to replace a hard disk and get a computer up and running within minutes without needing to reinstall user applications.
To improve random access disk performance, ReadyBoost can use removable flash storage to cache disk contents. ReadyBoost will prompt the user automatically when compatible media is attached unless an administrator has disabled the feature. ReadyBoost offers the biggest performance gains on computers with slow disk access.
As with earlier versions of Windows, Windows 7 supports EFS to encrypt user files. To encrypt the system volume, including the hibernation and paging file, Windows 7 also supports BitLocker Drive Encryption. BitLocker requires a decryption key before Windows can start. The