Monday, August 10, 2009

Lab 3: Authentication and Basic Cryptography

Encrypting a File or Folder

To encrypt or decrypt a file or folder with the Encrypting File System (EFS) from the GUI, follow these steps:
a. Open Windows Explorer or My Computer.
b. Right-click the file or folder that you'd like to encrypt or decrypt and select Properties.
c. On the General tab, click the Advanced button.
d. In the Advanced Attributes dialog box, check (or clear) the Encrypt Contents to Secure Data check box to encrypt (or decrypt) the file or folder you selected. Click OK to close the Advanced Attributes dialog box, then click OK on the Properties sheet to apply the setting. (When you encrypt a folder, you are prompted to choose between applying the setting to the folder only and applying it to the folder, its subfolders, and its files.)
e. To share access to an encrypted file, click the Details button in the Advanced Attributes dialog box. Sharing is done per file; you cannot share access to an encrypted folder, only to the files inside it.
f. In the Encryption Details dialog box, click the Add button to add other users' EFS certificates to the file and share access with those users.
g. In the Select User dialog box, click the user whose EFS certificate you want to add and click OK. Only users who already have an EFS certificate appear here: a user's certificate is created the first time they encrypt a file, and it must be available on this computer.
h. Click OK in the Encryption Details dialog box.
i. Finally, click OK in the Advanced Attributes dialog box and then click OK in the Properties window.
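The same procedure from PowerShell, with a check of who can actually open the file afterwards. This is an added example, not code from the original post; it assumes an NTFS volume, EFS not disabled by policy, and Windows Vista or later for the cipher.exe /C and /ADDUSER switches. The file path and the peer account name are placeholders.

```powershell
# Added example (not code from the original post): the GUI steps above done
# from PowerShell, plus a check of who can decrypt the file afterwards.
# Assumptions: NTFS volume, EFS not disabled by policy, Windows Vista or
# later for cipher.exe /C and /ADDUSER. Path and peer account are placeholders.

$Path = 'C:\Users\alice\Documents\secret.txt'   # placeholder

# Step d: set the Encrypted attribute. File.Encrypt wraps the Win32
# EncryptFile API, so this is the same operation as ticking the check box.
[System.IO.File]::Encrypt($Path)

# Verify the attribute took effect. A copy to FAT/exFAT or to a share that
# does not support EFS silently drops it, so check rather than assume.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $attrs = (Get-Item -LiteralPath $LiteralPath -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}
if (-not (Test-EfsEncrypted -LiteralPath $Path)) {
    throw "EFS did not encrypt $Path (non-NTFS volume or EFS disabled?)"
}

# Steps e-g: share the file with a second user. /USER: needs that user's EFS
# certificate to be available on this machine, exactly like the Select User
# dialog. /CERTHASH:<thumbprint> or /CERTFILE:<file.cer> are the alternatives
# when you hold the certificate but the account is not known locally.
$Peer = 'CORP\bob'   # placeholder account
& cipher.exe /ADDUSER /USER:$Peer $Path

# The Encryption Details view on the command line: users who can decrypt
# the file, plus any data recovery agents.
& cipher.exe /C $Path

# Audit helper: a folder only carries the attribute; the files inside are
# what is actually encrypted, so list those.
function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-EfsEncrypted -LiteralPath $_.FullName) }
}
Get-EfsEncryptedFile -Root (Split-Path -Parent $Path) | Select-Object FullName, Length

# Reverse of step d (clearing the check box):
# [System.IO.File]::Decrypt($Path)
```

Two things the dialog does not make obvious: back up your EFS certificate and private key (cipher.exe /X writes them to a PFX file), because a rebuilt profile without that key cannot decrypt your files; and EFS keys are ultimately protected by the user's logon password, so the password policy discussed below is also what stands between an attacker and your encrypted data.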

Account Lockout Policy
You can access Group Policy settings by opening the Microsoft Management Console (MMC) and adding the Group Policy Object Editor snap-in, or by running gpedit.msc, which opens the Local Computer Policy directly.
The Account Lockout Policy controls what happens when a user repeatedly enters the wrong password at logon. If you leave it unset, anyone can sit at the logon prompt (or script it) and try thousands of passwords until one works, which is a serious compromise of security. There are three settings for this policy, and using them greatly increases security.
Access the Account Lockout Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

The three settings that you can set are: Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After. I recommend setting Account Lockout Threshold to "5 invalid logon attempts". When you do this, Windows offers to set the other two settings to "30 minutes", and you should accept. With these values, a user whose password is entered incorrectly 5 times within a 30-minute window is locked out of their account for 30 minutes; an Account Lockout Duration of 0 would instead keep the account locked until an administrator unlocks it. Bear in mind that lockout cuts both ways: anyone who knows a username can lock that account out on purpose, so a threshold this low should be paired with the automatic 30-minute unlock rather than a permanent lock.

Password Policy
The Password Policy controls settings for each user's password. It is important to enforce one, because the chance of a user giving out their password (accidentally or intentionally) is high. Requiring them to change it reasonably often, and to choose one that meets a set of standards that make it very hard to crack, is in your organization's best interest.

Access the Password Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

There are five settings here that you can set: Enforce Password History, Maximum Password Age, Minimum Password Age, Minimum Password Length, and Password Must Meet Complexity Requirements. (A sixth, Store Passwords Using Reversible Encryption, should be left Disabled; it keeps passwords recoverable in clear text for legacy authentication protocols.) I recommend that you enforce a password history of at least 6 (the maximum Windows allows is 24). This means a user must go through six different passwords before an old one can be reused.

For Maximum Password Age, I recommend between 30 and 40 days; this forces users to change their password every that many days. A value of 0 means passwords never expire.

Minimum Password Age is just as important, because it requires users to keep a password for a certain amount of time before changing it. Without it, a user who knows the history is 6 can change their password six times in quick succession and then set the old one again, defeating the point of the change and weakening your network. I recommend a Minimum Password Age of at least 1 day, and preferably 7 (it must stay below the Maximum Password Age). For Minimum Password Length, most enterprises require a minimum of 8 characters, and some 12. The longer the password, the harder it is to crack. You should definitely enable Password Must Meet Complexity Requirements, which rejects passwords that contain the user's account name and requires characters from at least three of these categories: uppercase letters, lowercase letters, digits, and non-alphanumeric characters.
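The two policies above, checked and applied from the command line. This is an added example, not code from the original post. It exports the effective local security policy with secedit.exe, compares the Account Lockout and Password Policy values against the ranges recommended in this post, and writes a minimal INF that applies them; it assumes an elevated PowerShell prompt and a version of Windows that ships secedit.exe (XP/2003 onward). On a domain member the domain GPO overrides the local values, so this checks only the local security database.

```powershell
# Added example (not code from the original post): audit the local Account
# Lockout Policy and Password Policy against the values recommended above,
# then (optionally) apply them. Run from an elevated PowerShell prompt.
# Assumptions: Windows with secedit.exe; on a domain member the domain GPO
# wins, so this reflects only the local security database.

$ExportPath = Join-Path $env:TEMP 'secpol-current.inf'

# secedit writes the effective local policy as a UTF-16 INF file.
& secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY /quiet | Out-Null

# Parse the [System Access] section, which holds both policies, into a hashtable.
function Get-SystemAccessPolicy {
    param([Parameter(Mandatory)][string]$InfPath)
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

# Recommended ranges, taken from the post. secedit stores lockout settings in
# minutes and password ages in days.
$Recommended = [ordered]@{
    LockoutBadCount       = @{ Min = 1;  Max = 5 }     # 0 = lockout disabled
    LockoutDuration       = @{ Min = 30; Max = 99999 } # 0 = until an admin unlocks
    ResetLockoutCount     = @{ Min = 30; Max = 99999 }
    PasswordHistorySize   = @{ Min = 6;  Max = 24 }
    MaximumPasswordAge    = @{ Min = 30; Max = 40 }    # -1 = never expires
    MinimumPasswordAge    = @{ Min = 1;  Max = 7 }
    MinimumPasswordLength = @{ Min = 8;  Max = 128 }
    PasswordComplexity    = @{ Min = 1;  Max = 1 }     # 1 = complexity enforced
}

function Test-AccountPolicy {
    param([hashtable]$Current, $Recommended)
    foreach ($name in $Recommended.Keys) {
        $value = $Current[$name]   # $null when secedit omitted the key
        $range = $Recommended[$name]
        $ok = ($null -ne $value) -and ($value -ge $range.Min) -and ($value -le $range.Max)
        # A lockout duration of 0 (manual unlock) is stricter than 30 minutes, not weaker.
        if ($name -eq 'LockoutDuration' -and $value -eq 0) { $ok = $true }
        [pscustomobject]@{
            Setting  = $name
            Current  = $value
            Expected = "$($range.Min)-$($range.Max)"
            Status   = $(if ($ok) { 'OK' } else { 'FIX' })
        }
    }
}

Test-AccountPolicy -Current (Get-SystemAccessPolicy -InfPath $ExportPath) -Recommended $Recommended |
    Format-Table -AutoSize

# To enforce the recommended values locally, import a minimal INF. Only the
# keys listed here change; the rest of the local policy is left alone.
$FixPath = Join-Path $env:TEMP 'secpol-fix.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
PasswordHistorySize = 6
MaximumPasswordAge = 40
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
'@ | Set-Content -LiteralPath $FixPath -Encoding Unicode

# Uncomment to apply, then re-run the export above to confirm the change.
# & secedit.exe /configure /db "$env:TEMP\secpol-fix.sdb" /cfg $FixPath /areas SECURITYPOLICY /quiet
```

For a quick look without parsing anything, `net accounts` prints the same lockout and password-age values; on a domain with the Active Directory module installed, `Get-ADDefaultDomainPasswordPolicy` shows what the domain actually enforces, which is what matters for domain accounts regardless of the local settings.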
