Windows 7 Resource Kit- P15

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Document description

Reference document 'Windows 7 Resource Kit- P15', information technology, operating systems, for study, research and effective work.


Text content: Windows 7 Resource Kit- P15

3. On the Choose How You Want To Unlock This Drive page, select one or more protection methods:
   • Use A Password To Unlock This Drive. Users will be prompted to type a password before they can access the contents of the drive.
   • Use My Smart Card To Unlock The Drive. Users will be prompted to insert a smart card before they can access the contents of the drive. You can use this option with removable drives; however, you will not be able to access the drive using Windows Vista or Windows XP because smart cards cannot be used with the BitLocker To Go Reader.
   • Automatically Unlock This Drive On This Computer. Windows will automatically unlock non-removable data drives without prompting the user. Selecting this option requires that the system volume be protected by BitLocker. If you move the drive to a different computer, you will be prompted for credentials.
4. On the How Do You Want To Store Your Recovery Key page, choose the method to save the recovery key. Click Next.
5. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

How to Manage BitLocker Keys on a Local Computer

To manage keys on a local computer, follow these steps:

1. Open Control Panel and click System And Security. Under BitLocker Drive Encryption, click Manage BitLocker.
2. In the BitLocker Drive Encryption window, click Manage BitLocker. Using this tool, you can save the recovery key to a USB flash drive or a file, or you can print the recovery key.

How to Manage BitLocker from the Command Line

To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool. The following example demonstrates how to view the status.

    manage-bde -status
    BitLocker Drive Encryption: Configuration Tool
    Copyright (C) Microsoft Corporation. All rights reserved.

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [] [OS Volume]

        Size:                 74.37 GB
        BitLocker Version:    Windows 7
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100%
        Encryption Method:    AES 128 with Diffuser
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:
            TPM
            Numerical Password

BitLocker Drive Encryption   CHAPTER 16   653

Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.

    manage-bde -on C: -RecoveryKey Y: -RecoveryPassword
    BitLocker Drive Encryption: Configuration Tool version 6.1.7100
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [] [OS Volume]
    Key Protectors Added:

        Saved to directory Y:\

        External Key:
          ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
          External Key File Name:
            7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

        Numerical Password:
          ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
          Password:
            460559-421212-096877-553201-389444-471801-362252-086284

        TPM:
          ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

    ACTIONS REQUIRED:

        1. Save this numerical recovery password in a secure location away from
        your computer:

        460559-421212-096877-553201-389444-471801-362252-086284

        To prevent data loss, save this password immediately. This password helps
        ensure that you can unlock the encrypted volume.

        2. Insert a USB flash drive with an external key file into the computer.

        3. Restart the computer to run a hardware test.
        (Type "shutdown /?" for command line instructions.)

        4. Type "manage-bde -status" to check if the hardware test succeeded.

    NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the recovery key connected to complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk. Run the following command to disable BitLocker on the C drive.

    manage-bde -off C:
    BitLocker Drive Encryption: Configuration Tool
    Copyright (C) Microsoft Corporation. All rights reserved.

    Decryption is now in progress.

You can also use the Manage-bde.exe script to specify a startup key and a recovery key, which can allow a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC computer and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers with the same key to be rekeyed. For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.

How to Recover Data Protected by BitLocker

When you use BitLocker, the encrypted volumes will be locked if the encryption key is not available, causing BitLocker to enter recovery mode. Likely causes for the encryption key’s unavailability include:

• Modification of one of the boot files.
• The BIOS is modified and the TPM is disabled.
• The TPM is cleared.
• An attempt is made to boot without the TPM, PIN, or USB key being available.
• The BitLocker-encrypted disk is moved to a new computer.

After the drive is locked, you can boot only to recovery mode, as shown in Figure 16-19. In recovery mode, you enter the recovery password using the function keys on your keyboard (just as you do when entering the PIN), pressing F1 for the digit 1, F2 for the digit 2, and so forth, with F10 being the digit 0. You must use function keys because localized keyboard support is not yet available at this phase of startup.

FIGURE 16-19 Recovery mode prompts you for a 48-character recovery password.

If you have the recovery key on a USB flash drive, you can insert the recovery key and press Esc to restart the computer. The recovery key will be read automatically during startup.

If you cancel recovery, the Windows Boot Manager will provide instructions for using Startup Repair to fix a startup problem automatically. Do not follow these instructions because Startup Repair cannot access the encrypted volume. Instead, restart the computer and enter the recovery key.

MORE INFO Additionally, you can use the BitLocker Repair Tool, Repair-bde.exe, to help recover data from an encrypted volume. If a BitLocker failure prevents Windows 7 from starting, you can run repair-bde from the Windows Recovery Environment (Windows RE) command prompt. For more information about repair-bde, run repair-bde /? at a command prompt. For more information about troubleshooting startup problems, including using repair-bde, refer to Chapter 29.

How to Disable or Remove BitLocker Drive Encryption

Because BitLocker intercepts the boot process and looks for changes to any of the early boot files, it can cause problems in the following nonattack scenarios:

• Upgrading or replacing the motherboard or TPM
• Installing a new operating system that changes the MBR or the Boot Manager
• Moving a BitLocker-encrypted disk to another TPM-enabled computer
• Repartitioning the hard disk
• Updating the BIOS
• Installing a third-party update outside the operating system (such as hardware firmware updates)
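Before any of the maintenance listed above, an administrator wants to know which volumes are protected and whether recovery material exists for each. This added PowerShell example, not part of the Resource Kit, reads what manage-bde -status shows through the Win32_EncryptableVolume WMI class named in the decommissioning section of this chapter and lists the Group Policy values written under HKLM\Software\Policies\Microsoft\FVE; it assumes an elevated Windows PowerShell 3.0 or later session, and the function names are this example's own.

```powershell
# Added example (not from the Resource Kit): audit BitLocker state per volume
# via Win32_EncryptableVolume, then list the policy values under the FVE key.
# Assumes an elevated Windows PowerShell 3.0+ session (CIM cmdlets available).

$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Numeric codes as defined for the Win32_EncryptableVolume methods used below.
$ConversionName = @{ 0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption In Progress'
                     3 = 'Decryption In Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused' }
$ProtectorName  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External Key'; 3 = 'Numerical Password'
                     4 = 'TPM And PIN'; 5 = 'TPM And Startup Key'; 6 = 'TPM And PIN And Startup Key'
                     7 = 'Public Key'; 8 = 'Passphrase'; 9 = 'TPM Certificate'; 10 = 'CNG Protector' }
$MethodName     = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'
                     3 = 'AES 128'; 4 = 'AES 256' }

function Get-BitLockerAudit {
    foreach ($vol in Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume) {
        $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
        $prot = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
        $enc  = Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod

        # KeyProtectorType 0 returns every protector on the volume.
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        $types = @(foreach ($id in @($ids)) {
            $t = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                     -Arguments @{ VolumeKeyProtectorID = $id }
            $ProtectorName[[int]$t.KeyProtectorType]
        })

        # Findings that matter before a BIOS, TPM or motherboard change:
        # is protection really on, and does recovery material exist for the volume?
        $findings = @()
        if ($prot.ProtectionStatus -ne 1) { $findings += 'Protection is not on' }
        if ($conv.ConversionStatus -ne 1) { $findings += 'Volume is not fully encrypted' }
        if (-not ($types -contains 'Numerical Password' -or $types -contains 'External Key')) {
            $findings += 'No recovery password or recovery key protector'
        }
        if ($types -contains 'TPM' -and @($types -like 'TPM And*').Count -eq 0) {
            $findings += 'TPM-only protection; no PIN or startup key required at startup'
        }

        [pscustomobject]@{
            Drive      = $vol.DriveLetter
            Conversion = $ConversionName[[int]$conv.ConversionStatus]
            Percent    = $conv.EncryptionPercentage
            Method     = $MethodName[[int]$enc.EncryptionMethod]
            Protection = if ($prot.ProtectionStatus -eq 1) { 'On' } else { 'Off' }
            Protectors = ($types -join ', ')
            Findings   = ($findings -join '; ')
        }
    }
}

function Get-BitLockerPolicyValues {
    # The BitLocker Group Policy settings are written to this key on targeted computers.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path -Path $key)) { return 'No BitLocker Group Policy values are present.' }
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS*   # drop PSPath, PSParentPath, ...
}

Get-BitLockerAudit | Format-Table -AutoSize
Get-BitLockerPolicyValues
```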
To avoid entering BitLocker recovery mode, you can temporarily disable BitLocker, which allows you to change the TPM and upgrade the operating system. When you re-enable BitLocker, the same keys will be used. You can also choose to decrypt the BitLocker-protected volume, which will completely remove BitLocker protection. You can only re-enable BitLocker by repeating the process to create new keys and re-encrypt the volume.

To disable or decrypt BitLocker, follow these steps:

1. Log on to the computer as Administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. To temporarily disable BitLocker by using a clear key, click Suspend Protection and then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click Decrypt Drive.

How to Decommission a BitLocker Drive Permanently

Compromises in confidentiality can occur when computers or hard disks are decommissioned. For example, a computer that reaches the end of its usefulness at an organization might be discarded, sold, or donated to charity. The person who receives the computer might extract confidential files from the computer’s hard disk. Even if the disk has been formatted, data can often be extracted.

BitLocker reduces the risks of decommissioning drives. For example, if you use a startup key or startup PIN, the contents of the volume are inaccessible without this additional information or the drive’s saved recovery information. You can decommission a drive more securely by removing all key blobs from the disk. By deleting the BitLocker keys from the volume, an attacker needs to crack the encryption—a task that is extremely unlikely to be accomplished within anyone’s lifetime. As a cleanup task, you should also discard all saved recovery information, such as recovery information saved to AD DS.

To remove all key blobs on a secondary drive (data volume), you can format that drive from Windows or the Windows RE. Note that this format operation will not work on a drive that is currently in use. For example, you cannot use it to more securely decommission the drive used to run Windows. To remove all key blobs on a running drive, you can create a script that performs the following tasks:

1. Calls the Win32_EncryptableVolume.GetKeyProtectors method to retrieve all key protectors (KeyProtectorType 0).
2. Creates a not-to-be-used recovery password blob (discarding the actual recovery password) by using Win32_EncryptableVolume.ProtectKeyWithNumericalPassword and a randomly generated password sequence. This is required because Win32_EncryptableVolume.DeleteKeyProtector will not remove all key protectors.
3. Uses Win32_EncryptableVolume.DeleteKeyProtector to remove all of the usable key protectors associated with the identifiers mentioned previously.
4. Clears the TPM by calling the Win32_TPM.Clear method.

For more information about developing a script or application to perform secure decommissioning on a BitLocker-encrypted drive, refer to the Win32_EncryptableVolume WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376483.aspx and the Win32_TPM WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376484.aspx.

How to Prepare AD DS for BitLocker

BitLocker is also integrated into AD DS. In fact, although you can use BitLocker without AD DS, enterprises really shouldn’t—key recovery and data recovery agents are an extremely important part of using BitLocker. AD DS is a reliable and efficient way to store recovery keys so that you can restore encrypted data if a key is lost, and you must use Group Policy settings to configure data recovery agents.

If your AD DS is at the Windows Server 2008 or later functional level, you do not need to prepare the AD DS for BitLocker. If your AD DS is at a functional level of Windows Server 2003 or earlier, however, you will need to update the schema to support BitLocker. For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read “Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information” at http://go.microsoft.com/fwlink/?LinkId=78953. For information about retrieving recovery passwords from AD DS, read “How to Use the BitLocker Recovery Password Viewer For Active Directory Users And Computers Tool to View Recovery Passwords for Windows Vista” at http://support.microsoft.com/?kbid=928202.

How to Configure a Data Recovery Agent

Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can consume a large amount of space in AD DS.
By using a data recovery agent instead of storing recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any BitLocker-protected volume. To configure a data recovery agent, follow these steps:

1. Publish the future data recovery agent’s certificate to AD DS. Alternatively, export the certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group Policy Object Editor and then select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery Agents list in the wizard. You can specify multiple data recovery agents. After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy object. Click Finish to confirm the data recovery agents and close the wizard.

The next time Group Policy is applied to the targeted Windows 7 computers, the data recovery agent certificate will be applied to the drive. At that point, you will be able to recover a BitLocker-protected drive using the certificate configured as the data recovery agent. Because of this, you must carefully protect the data recovery agent certificate.

How to Manage BitLocker with Group Policy

BitLocker has several Group Policy settings located in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption that you can use to manage the available features. Table 16-2 lists these policies, which are written to the registry on targeted computers under the following registry key:

    HKLM\Software\Policies\Microsoft\FVE

TABLE 16-2 Group Policy Settings for BitLocker Drive Encryption

POLICY and DESCRIPTION

Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 And Windows Vista)
    Enabling this policy silently backs up BitLocker recovery information to AD DS. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies.

Choose Default Folder For Recovery Password
    Enabling this policy and configuring a default path for it sets the default folder to display when the user is saving recovery information for BitLocker. The user will have the ability to override the default.

Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)
    Enabling this policy allows you to control which recovery mechanisms the user can choose. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key. If you disable both options, you must enable AD DS backup or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies.

Choose Drive Encryption Method And Cipher Strength
    Enabling this policy allows configuration of the encryption method used by BitLocker Drive Encryption. The default if this key is not enabled is 128-bit AES with Diffuser. Other choices that can be configured are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES.

Prevent Memory Overwrite On Restart
    Enabling this policy prevents Windows from overwriting memory on restarts. This potentially exposes BitLocker secrets but can improve restart performance.

Provide The Unique Identifiers For Your Organization
    Enable this policy if you want to prevent users from mounting BitLocker-protected drives that might be from outside organizations.

Validate Smart Card Certificate Usage Rule Compliance
    Enable this policy only if you want to restrict users to smart cards that have an object identifier (OID) that you specify.

Operating System Drives\Require Additional Authentication At Startup or Operating System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)
    Enabling this policy allows configuring additional startup options and allows enabling of BitLocker on a non–TPM-compatible computer. On TPM-compatible computers, a secondary authentication can be required at startup—either a USB key or a startup PIN, but not both.

Allow Enhanced PINs For Startup
    Enhanced PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

Operating System Drives\Configure Minimum PIN Length For Startup
    Enables you to require a minimum PIN length.

Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered
    Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in the AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

Operating System Drives\Configure TPM Platform Validation Profile
    Enabling this policy allows detailed configuration of the PCR indices. Each index aligns with Windows features that run during startup.

Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives
    Enables or requires smart cards for BitLocker to protect non–operating system volumes.

Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker
    Requires drives to be BitLocker-protected before users can save files.

Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
    Allows you to prevent the BitLocker To Go Reader from being copied to fixed data drives, preventing users of earlier versions of Windows (including Windows Server 2008, Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

Fixed Data Drives\Configure Use Of Passwords For Fixed Drives
    Requires passwords to access BitLocker-protected fixed drives and configures password complexity.

Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered
    Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in the AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

For information about BitLocker To Go policies (which are configured in the Removable Data Drives node), refer to the section titled “BitLocker To Go” earlier in this chapter.
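The key-blob removal script that the section “How to Decommission a BitLocker Drive Permanently” describes in steps 1 through 4, as an added PowerShell example that is not part of the Resource Kit. It assumes an elevated Windows PowerShell 3.0 or later session; the function name, the placeholder friendly name and the -ClearTpm switch are this example's own, and it is irreversible by design, so it prompts before acting.

```powershell
# Added example (not from the Resource Kit): remove every usable BitLocker key
# protector from a running volume, following steps 1-4 of the decommissioning
# procedure, using the Win32_EncryptableVolume and Win32_TPM WMI classes.
# Assumes an elevated Windows PowerShell 3.0+ session. IRREVERSIBLE.
function Remove-BitLockerKeyBlobs {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$DriveLetter,

        # Step 4 (clearing the TPM) affects every volume and application that
        # relies on this TPM, so it is opt-in.
        [switch]$ClearTpm
    )

    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
               Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No BitLocker-capable volume found at $DriveLetter" }

    # Step 1: collect every existing key protector (KeyProtectorType 0 = all types).
    $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
             -Arguments @{ KeyProtectorType = [uint32]0 }
    if ($r.ReturnValue -ne 0) { throw ('GetKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
    $usable = @($r.VolumeKeyProtectorID)

    $action = "Delete $($usable.Count) key protector(s); the volume becomes permanently unrecoverable"
    if (-not $PSCmdlet.ShouldProcess($DriveLetter, $action)) { return }

    # Step 2: add a throwaway numerical password protector. BitLocker generates
    # the 48-digit password itself and this script never reads or stores it, so
    # the blob can unlock nothing. It exists only because DeleteKeyProtector
    # will not remove the last protector on a volume.
    $r = Invoke-CimMethod -InputObject $vol -MethodName ProtectKeyWithNumericalPassword `
             -Arguments @{ FriendlyName = 'decommission-placeholder' }   # hypothetical name
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $r.ReturnValue) }

    # Step 3: delete every protector collected in step 1 (TPM, external key,
    # numerical password, ...), leaving only the placeholder nobody can use.
    foreach ($id in $usable) {
        $r = Invoke-CimMethod -InputObject $vol -MethodName DeleteKeyProtector `
                 -Arguments @{ VolumeKeyProtectorID = $id }
        if ($r.ReturnValue -ne 0) {
            Write-Warning ('DeleteKeyProtector {0} failed: 0x{1:X8}' -f $id, $r.ReturnValue)
        }
    }

    # Step 4: clear the TPM so a TPM-sealed key cannot be released either.
    # Win32_TPM.Clear accepts an OwnerAuth string; it is omitted here and can be
    # passed through -Arguments if this computer's TPM requires it.
    if ($ClearTpm) {
        $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_TPM
        $r = Invoke-CimMethod -InputObject $tpm -MethodName Clear
        if ($r.ReturnValue -ne 0) { Write-Warning ('Win32_TPM.Clear failed: 0x{0:X8}' -f $r.ReturnValue) }
    }

    # Cleanup task from the chapter: recovery information saved elsewhere (for
    # example in AD DS) still has to be discarded separately.
}

# Usage: prompts for confirmation before touching the volume.
# Remove-BitLockerKeyBlobs -DriveLetter 'D:' -ClearTpm
```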
The Costs of BitLocker

Most security features require a tradeoff. The benefit to any security feature is that it reduces risk and thus reduces the cost associated with a security compromise. Most security features also have a cost—purchase price, increased maintenance, or decreased user productivity.

The benefit of using BitLocker is reduced risk of loss of data confidentiality in the event of a stolen hard disk. Like most security features, BitLocker has costs (aside from any software or hardware costs):

• If a PIN or external key is required, the startup experience is not transparent to the user. If the user loses his PIN or startup key, he will need to wait for a Support Center representative to read him the password so that he can start his computer.
• In the event of hard disk failure or data corruption, recovering data from the disk can be more difficult.

MORE INFO You should implement BitLocker in your organization only if the reduced security risks outweigh these costs. For more information about cost/benefit analysis, read the Security Risk Management Guide at http://technet.microsoft.com/en-us/library/cc163143.aspx.

Encrypting File System

BitLocker is not a replacement for the EFS introduced in Windows 2000, but it is a supplement to the EFS that ensures that the operating system itself is protected from attack. Best practices for protecting sensitive computers and data will combine the two features to provide a high level of assurance of the data integrity on the system.

EFS continues to be an important data-integrity tool in Windows 7. EFS allows the encryption of entire volumes or individual folders and files and can support multiple users using the same computer, each with protected data. Additionally, EFS allows multiple users to have secure access to sensitive data while protecting the data against unauthorized viewing or modification. EFS cannot be used to encrypt system files, however, and it should be combined with BitLocker to encrypt the system drive where sensitive data must be protected. EFS is susceptible to offline attack using the SYSKEY, but when you combine EFS with BitLocker to encrypt the system volume, this attack vector is protected.

EFS uses symmetric key encryption along with public key technology to protect files and folders. Each user of EFS is issued a digital certificate with a public and private key pair. EFS uses the keys to encrypt and decrypt the files transparently for the logged-on user. Authorized users work with encrypted files and folders just as they do with unencrypted files and folders. Unauthorized users receive an Access Denied message in response to any attempt to open, copy, move, or rename the encrypted file or folder.
Files are encrypted with a single symmetrical key, and then the symmetrical key is encrypted twice: once with the user’s EFS public key to allow transparent decryption and once with the recovery agent’s key to allow data recovery.

The sections that follow describe how to manage EFS keys. For general information about EFS, read “Encrypting File System in Windows XP and Windows Server 2003” at http://technet.microsoft.com/en-us/library/bb457065.aspx.

How to Export Personal Certificates

To prevent being unable to access an encrypted file, you can export your personal certificate. When you export your certificate, you can then copy or move the encrypted file to another computer and still access it by importing the certificate you exported. To export your personal certificate, follow these steps:

1. Open Windows Explorer and select a file that you have encrypted.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Select your user name and then click Back Up Keys to open the Certificate Export Wizard.
6. Click Next to select the file format to use.
7. Click Next and enter a password to protect the key. Repeat the entry and then click Next.
8. Enter a path and filename to save the file to, or browse for a path. Click Next.
9. Click Finish to export the certificate and then click OK to confirm that it was saved successfully.

How to Import Personal Certificates

You can share encrypted files with other users if you have the certificate for the other user. To allow another user to use a file that you have encrypted, you need to import her certificate onto your computer and add her user name to the list of users who are permitted access to the file. To import a user certificate, follow these steps:

1. Click Start, type mmc, and then press Enter to open a blank Microsoft Management Console (MMC).
2. Click File and then click Add/Remove Snap-in.
3. Select Certificates and click Add. Select My User Account and click Finish. Click OK to close the Add Or Remove Snap-in dialog box.
4. Click Certificates and then double-click Trusted People.
5. Under Trusted People, right-click Certificates. On the All Tasks menu, click Import to open the Certificate Import Wizard.
6. Click Next and then browse to the location of the certificate you want to import.
7. Select the certificate and then click Next.
8. Type the password for the certificate and then click Next.
9. Click Next to place the certificate in the Trusted People store.
10. Click Finish to complete the import.
11. Click OK to acknowledge the successful import and then exit the MMC.

How to Grant Users Access to an Encrypted File

When you have a user’s certificate, you can add that user to the list of users who have access to a file. A user’s certificate will be on a computer automatically if the user has logged on to the computer previously. To add a user whose certificate you have imported to the users who can access a file, follow these steps:

1. Open Windows Explorer and highlight the file you want to receive access.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Click Add to open the Encrypting File System dialog box and then select the user you want to permit to use the encrypted file.
6. Click OK to add the user to the list of users who have access to the file.
7. Click OK until you’ve exited out of the dialog boxes.

You do not need to grant EFS access to allow users to access files across the network—EFS does not affect shared folders.

Symbolic Links

Windows Vista and Windows 7 include symbolic links. Symbolic links act like shortcuts, but they provide a transparent link to the target file at the file-system level rather than within Windows Explorer. Therefore, although a user can double-click a shortcut from Windows Explorer to open the original file, a symbolic link will actually trick applications into thinking they are directly accessing the target file.

As an administrator, you might need to use symbolic links for backward compatibility. For example, if an application expects to find a file in the root of the C drive but you need to move the file to a different location on the local disk, you can create a symbolic link in the root of the C drive to the file’s new location, allowing the application to continue to access the
file in the root of the C drive. Windows Vista and Windows 7 use symbolic links for backward compatibility with user profiles in earlier versions of Windows. For more information, read Chapter 15, “Managing Users and User Data.”

HOW IT WORKS Symbolic Links, Hard Links, Junction Points, and Shortcuts

Windows Vista and Windows 7 support four different types of links, each providing a slightly different function:

• Shortcuts. Shortcuts are files with a .lnk extension. If you double-click them within the Windows Explorer shell, Windows will open the target file. However, the file system treats .lnk files just like any other files. For example, opening a .lnk file from a command prompt does not open the target file.
• Hard links. Hard links create a new directory entry for an existing file, so a single file can appear in multiple folders (or in a single folder using multiple filenames). Hard links must all be on a single volume.
• Junction points. Also known as soft links, junction points reference a folder using an absolute path. Windows automatically redirects requests for a junction point to the target folder. Junction points do not have to be on the same volume.
• Symbolic links. A pointer to a file or folder. Like junction points, symbolic links are almost always transparent to users. (Occasionally, a program might use an outdated application programming interface [API] that does not respect a symbolic link.) Symbolic links use relative paths rather than absolute paths.

How to Create Symbolic Links

By default, only administrators can create symbolic links. However, you can grant other users access using the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links setting.

To create a symbolic link, open a command prompt with administrative privileges and use the mklink command. For example, the following command creates a symbolic link from C:\Myapp.exe to Notepad in the system directory.

    C:\>mklink myapp.exe %windir%\system32\notepad.exe
    symbolic link created for myapp.exe <<===>> C:\Windows\system32\notepad.exe
  14. note Developers can call the CreateSymbolicLink function to create symbolic links. For more information, go to http://msdn.microsoft.com/en-us/library/aa363866.aspx. After you create this symbolic link, the Myapp .exe link behaves exactly like a copy of the Notepad .exe file . Windows Explorer displays symbolic links using the standard shortcut symbol . However, shortcuts always have a .lnk extension, whereas symbolic links can have any extension . At a command prompt, the dir command uses the identifier to distinguish symbolic links and displays the path to the target file . C:\>dir Volume in drive C has no label. Volume Serial Number is BC33-D7AC Directory of C:\ 09/18/2006 04:43 PM 24 AUTOEXEC.BAT 09/18/2006 04:43 PM 10 config.sys 12/27/2006 12:16 PM myapp.exe [C:\Windows\system32\notepad.exe] 12/23/2006 04:47 PM Program Files 11/29/2006 03:31 PM Users 12/27/2006 08:39 AM Windows Because a symbolic link is only a link, any changes made to the link actually affect the target file and vice versa . If you create a symbolic link and then delete the target file, the sym- bolic link will remain, but any attempts to access it will return a File Not Found error because Windows will attempt to access the link target automatically . If you delete a target file and later replace it with a file of the same name, that new file will become the link target . Deleting a link does not affect the link target . Attribute changes to the symbolic link, such as marking a file as hidden or as a system file, are applied to both the symbolic link and the target file . How to Create Relative or absolute Symbolic Links Relative symbolic links identify the location of the target based on their own folder . For ex- ample, a relative symbolic link to a target file in the same folder will always attempt to access a target with the specified filename in the same folder, even if the symbolic link is moved . 
You can create relative or absolute symbolic links, but all symbolic links are relative by default. For example, consider the following commands, which attempt to create a symbolic link named Link.txt to a file named Target.txt and then attempt to access the symbolic link before and after moving the target file.

    C:\>mklink link.txt target.txt

    C:\>type link.txt
    Hello, world.

666 CHAPTER 16 Managing Disks and File Systems
    C:\>REM Move link.txt to a different folder
    C:\>move link.txt C:\links
            1 file(s) moved.

    C:\>cd links

    C:\links>type link.txt
    The system cannot find the file specified.

    C:\links>move \target.txt C:\links

    C:\links>type link.txt
    Hello, world.

In the previous example, moving the symbolic link to a different folder causes Windows to be unable to locate the target because the symbolic link is a relative link pointing to a file named Target.txt in the same folder. When both the link and the target are moved to the same folder, the symbolic link works again.

Now consider the same example using an absolute symbolic link, created by specifying the full path to the target file:

    C:\>mklink link.txt C:\target.txt

    C:\>type link.txt
    Hello, world.

    C:\>REM Move link.txt to a different folder
    C:\>move link.txt C:\links
            1 file(s) moved.

    C:\>cd links

    C:\links>type link.txt
    Hello, world.

    C:\links>move C:\target.txt C:\links\

    C:\links>type link.txt
    The system cannot find the file specified.
In the last example, specifying the full path to the target file creates an absolute symbolic link that references the full path to the target file. Therefore, the symbolic link still works after it is moved to a different folder. However, moving the target file makes it inaccessible.

How to Create Symbolic Links to Shared Folders

You can create symbolic links on the local file system to files stored on other local drives or shared folders. However, when you use the mklink command, you must always specify the absolute path to the remote target file because the mklink command by default assumes that the location is relative. For example, suppose you want to create a symbolic link named C:\Link.txt that targets a file on a shared folder at Z:\Target.txt. If you run the following commands, you will successfully create a symbolic link at C:\Link.txt.

    C:\>Z:

    Z:\>mklink C:\link.txt target.txt

However, that file will link to C:\Target.txt and not the intended Z:\Target.txt. To create a link to the Z:\Target.txt file, you need to run the following command.

    C:\>mklink C:\link.txt Z:\target.txt

The mklink command also allows you to create a symbolic link targeting a Universal Naming Convention (UNC) path. For example, if you run the following command, Windows will create a symbolic link file called Link.txt that opens the Target.txt file.

    mklink link.txt \\server\folder\target.txt

If you enable remote symbolic links (discussed later in this section), they can be used to store symbolic links on shared folders and automatically redirect multiple Windows network clients to a different file on the network.

By default, you can use symbolic links only on local volumes. If you attempt to access a symbolic link located on a shared folder (regardless of the location of the target) or copy a symbolic link to a shared folder, you will receive an error.
You can change this behavior by configuring the following Group Policy setting:

Computer Configuration\Administrative Templates\System\NTFS File System\Selectively Allow The Evaluation Of A Symbolic Link

When you enable this policy setting, you can select from four settings:

• Local Link To Local Target  Enabled by default, this allows local symbolic links to targets on the local file system.
• Local Link To Remote Target  Enabled by default, this allows local symbolic links to targets on shared folders.
• Remote Link To Remote Target  Disabled by default, this allows remote symbolic links to remote targets on shared folders.
• Remote Link To Local Target  Disabled by default, this allows symbolic links stored on shared folders to target files on the local file system.
Enabling remote links can introduce security vulnerabilities. For example, a malicious user can create a symbolic link on a shared folder that references an absolute path on the local computer. When a user attempts to access the symbolic link, he will actually be accessing a different file that might contain confidential information. In this way, a sophisticated attacker might be able to trick a user into compromising the confidentiality of a file on his local computer.

How to Use Hard Links

Hard links create a second directory entry for a single file, whereas symbolic links create a new file that references an existing file. This subtle difference yields significantly different behavior. You can create hard links by adding the /H parameter to the mklink command. For example, the following command creates a hard link from Link.txt to Target.txt.

    C:\>mklink /H link.txt target.txt
    Hardlink created for link.txt <<===>> target.txt

As with symbolic links, any changes made to the hard link are made automatically to the target (including attribute changes) and vice versa because the file itself is stored only once on the volume. However, hard links have several key differences:

• Hard links must refer to files on the same volume, while symbolic links can refer to files or folders on different volumes or shared folders.
• Hard links can refer only to files, while symbolic links can refer to either files or folders.
• Windows maintains hard links, so the link and the target remain accessible even if you move one of them to a different folder.
• Hard links survive deleting the target file. A target file is deleted only if the target file and all hard links are deleted.
• If you delete a symbolic link target and then create a new file with the same name as the target, the symbolic link will open the new target. Hard links will continue to reference the original target file, even if you replace the target.
• Hard links do not show up as symbolic links in dir command-line output, and Windows Explorer does not show a shortcut symbol for them. Hard links are indistinguishable from the original file.
• Changes made to file permissions on a hard link apply to the target file and vice versa. With symbolic links, you can configure separate permissions on the symbolic link, but the permissions are ignored.

Windows XP supports hard links by using the fsutil hardlink command. Windows Vista and Windows 7 hard links are compatible with Windows XP hard links, and the fsutil hardlink command continues to function in Windows Vista and Windows 7.
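The following PowerShell script is an added example, not code from the Resource Kit, that gives an administrator a single view of the link behaviour described in the preceding sections. Get-SymlinkEvaluationState reads the computer's current symbolic link evaluation setting (the same four link classes the Group Policy setting exposes) from fsutil behavior query SymlinkEvaluation, and Get-LinkAudit inventories symbolic links, junctions and hard links under a folder, reporting whether each target is relative or absolute, whether it currently resolves, and, when the audited folder is a UNC path, whether a link on the share points at a drive-letter path, which is the remote-link-to-local-target case the section above warns about. It assumes Windows PowerShell 5.1, where Get-ChildItem exposes LinkType and Target for file system items, and it assumes the wording of the fsutil output lines shown in the comments; both function names are my own.

```powershell
# Added example, not from the Windows 7 Resource Kit.
# Assumes Windows PowerShell 5.1 (LinkType/Target properties on file system
# items) and fsutil.exe in the path. Run from an elevated prompt so that every
# folder under the audited path can be listed.

function Get-SymlinkEvaluationState {
    # "fsutil behavior query SymlinkEvaluation" prints one line per link class,
    # for example "Remote to local symbolic links are disabled." (wording assumed).
    # Keys follow fsutil's own names: L2L, L2R, R2L, R2R. A key left as $null
    # means the line was not found and the setting could not be determined.
    $state  = [ordered]@{ L2L = $null; L2R = $null; R2L = $null; R2R = $null }
    $output = & fsutil.exe behavior query SymlinkEvaluation 2>&1
    foreach ($line in $output) {
        if ("$line" -match '(?i)^\s*(local|remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $key = $Matches[1].Substring(0, 1).ToUpper() + '2' + $Matches[2].Substring(0, 1).ToUpper()
            $state[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    [pscustomobject]$state
}

function Get-LinkAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    # A link stored on a share is evaluated by the client that opens it, so a
    # drive-letter target there resolves on the client's own disk, not the server's.
    $onShare = $Path -like '\\*'

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in 'SymbolicLink', 'Junction', 'HardLink' } |
        ForEach-Object {
            $item     = $_
            $target   = [string](@($item.Target)[0])   # string in PS 7, collection in 5.1
            $absolute = $target -and [System.IO.Path]::IsPathRooted($target)

            # Relative symbolic links resolve from the link's own folder, which is
            # why moving the link alone breaks them (see the Link.txt example above).
            $resolved = $null
            if ($target) {
                $resolved = if ($absolute) { $target } else { Join-Path (Split-Path -Parent $item.FullName) $target }
            }

            [pscustomobject]@{
                Link          = $item.FullName
                LinkType      = $item.LinkType
                Target        = $target
                Absolute      = [bool]$absolute
                TargetExists  = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
                RemoteToLocal = [bool]($onShare -and ($target -match '^[A-Za-z]:\\'))
            }
        }
}

# Usage: report the policy state, then list only the links that need attention.
# Get-SymlinkEvaluationState
# Get-LinkAudit -Path '\\server\folder' |
#     Where-Object { $_.RemoteToLocal -or -not $_.TargetExists } |
#     Format-Table -AutoSize
```

Run the audit against a share from a client with remote links disabled (the default) and the RemoteToLocal column shows which links would start resolving against client disks if the policy were relaxed; run it against a local folder and the TargetExists column finds the dangling relative links left behind by moves such as the one in the Link.txt example.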
Disk Quotas

Administrators can configure disk quotas to control how much of a volume a single user can fill with files. This is most useful when implemented on a server that hosts shared folders. However, you might also need to implement disk quotas on client computers in environments in which multiple users access a single computer because they can help prevent a single user from completely filling a volume and thereby preventing other users from saving files. Disk quotas have not changed significantly since Windows XP.

Before enabling disk quotas, consider whether they are worthwhile. Managing disk quotas requires administrators to monitor disk quota events, such as a user exceeding a disk storage threshold. Administrators must then work with users to either increase the quota or identify files that can be removed. Often, it is less expensive to simply add more disk storage, even if the users do not closely manage their disk usage.

How to Configure Disk Quotas on a Single Computer

To configure disk quotas on a single computer, follow these steps:

1. Click Start and then click Computer.
2. In the right pane, right-click the drive on which you want to configure the quotas and then click Properties.
3. Click the Quota tab and then click Show Quota Settings. The Quota Settings dialog box appears.
4. Select the Enable Quota Management check box, as shown in Figure 16-20.

FIGURE 16-20 Disk quotas control how much of a disk users can fill.
From this dialog box, you can configure the following disk quota options:

• Enable Quota Management  Quota management is disabled by default. Select this check box to enable quota management.
• Deny Disk Space To Users Exceeding Quota Limit  By default, users are warned only if they exceed their quota limits. Selecting this check box causes Windows to block disk access after the quota is exceeded. Typically, warning users is sufficient, provided that you also log the events and follow up with users who do not clean up their disk space. Denying disk access will cause applications to fail when they attempt to write more data to the disk and can cause users to lose unsaved work.

Note: To determine quota limitations for users, developers can call the ManagementObjectSearcher.Get WMI method to retrieve a ManagementObjectCollection object and then access the collection's QuotaVolume item.

• Do Not Limit Disk Usage  Does not configure disk quotas for new users by default. You can still use the Quota Entries window to configure disk quotas for users.
• Limit Disk Space To and Set Warning Level To  Creates a disk quota by default for new users. The value in the Set Warning Level To box should be lower than that in the Limit Disk Space To box so that the user receives a warning before running out of available disk space.
• Log Event When A User Exceeds Their Quota Limit and Log Event When A User Exceeds Their Warning Level  Configures Windows to add an event when the user exceeds her quota. You should typically select this check box and then monitor the events so that IT support can communicate directly with the user to keep the user within her quotas (or increase the quotas as needed).

Additionally, you can click Quota Entries to configure quota settings for existing users and groups.

How to Configure Disk Quotas from a Command Prompt

To view and manage disk quotas from scripts or from the command line, use the Fsutil administrative command-line utility.
Useful Fsutil commands include:

• fsutil quota query C:  Displays quota information about the C volume, as the following example shows.

    C:\>fsutil quota query C:
    FileSystemControlFlags = 0x00000301
        Quotas are tracked on this volume
        Logging for quota events is not enabled
        The quota values are incomplete
    Default Quota Threshold = 0xffffffffffffffff
    Default Quota Limit     = 0xffffffffffffffff

    SID Name        = BUILTIN\Administrators (Alias)
    Change time     = Tuesday, April 11, 2006 7:54:59 AM
    Quota Used      = 0
    Quota Threshold = 18446744073709551615
    Quota Limit     = 18446744073709551615

• fsutil quota track C:  Enables disk quotas on the C volume.
• fsutil quota disable C:  Disables disk quotas on the C volume.
• fsutil quota enforce C:  Enables disk quota enforcement on the C volume, which causes Windows to deny disk access if a quota is exceeded.
• fsutil quota modify C: 3000000000 5000000000 Contoso\User  Creates a disk quota entry for the user Contoso\User. The first number (3,000,000,000 in the preceding example) enables a warning threshold at about 3 GB, and the second number (5,000,000,000 in the preceding example) enables an absolute limit of about 5 GB.

For complete usage information, run fsutil /? from a command prompt.

How to Configure Disk Quotas by Using Group Policy Settings

To configure disk quotas in an enterprise, use the AD DS Group Policy settings located at Computer Configuration\Administrative Templates\System\Disk Quotas. The following settings are available:

• Enable Disk Quotas
• Enforce Disk Quota Limit
• Default Quota Limit And Warning Level
• Log Event When Quota Limit Exceeded
• Log Event When Quota Warning Level Exceeded
• Apply Policy To Removable Media

Each of these settings relates directly to a local computer setting described earlier except for Apply Policy To Removable Media. If you enable this setting, quotas also apply to NTFS-formatted removable media. Quotas never apply to fixed or removable media unless they are formatted with NTFS.
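The script below is an added example, not code from the Resource Kit, that does from PowerShell what the Quota Settings dialog box and the fsutil quota commands above do by hand. Get-VolumeQuotaState reads each volume's quota mode, default thresholds and logging flags from the Win32_QuotaSetting WMI class; Get-QuotaStatus reads per-user usage from Win32_DiskQuota (the class whose QuotaVolume reference the note above mentions) and keeps the entries that are at their warning level or over their limit; and Set-UserQuota wraps fsutil quota modify with the check that the warning threshold is lower than the limit. It assumes Windows PowerShell with Get-WmiObject run from an elevated prompt, and it assumes the WMI reference-string format shown in the comments; the State and Status codes are the documented values for those two classes, and all three function names are my own.

```powershell
# Added example, not from the Windows 7 Resource Kit.
# Assumes Windows PowerShell (Get-WmiObject) run from an elevated prompt.

function Format-QuotaBytes {
    # fsutil and WMI report "no limit" as the largest unsigned 64-bit value,
    # the 18446744073709551615 seen in the fsutil quota query output above.
    param([uint64]$Bytes)
    if ($Bytes -eq [uint64]::MaxValue) { return 'unlimited' }
    '{0:N2} GB' -f ($Bytes / 1GB)
}

function Get-VolumeQuotaState {
    # Win32_QuotaSetting.State: 0 = Disabled, 1 = Tracked, 2 = Enforced
    $stateName = @{ 0 = 'Disabled'; 1 = 'Tracked'; 2 = 'Enforced' }
    Get-WmiObject -Class Win32_QuotaSetting | ForEach-Object {
        [pscustomobject]@{
            Volume       = $_.VolumePath
            State        = $stateName[[int]$_.State]
            DefaultLimit = Format-QuotaBytes $_.DefaultLimit
            DefaultWarn  = Format-QuotaBytes $_.DefaultWarningLimit
            LogLimit     = [bool]$_.ExceededNotification
            LogWarning   = [bool]$_.WarningExceededNotification
        }
    }
}

function Get-QuotaStatus {
    param([switch]$IncludeOk)
    # Win32_DiskQuota.Status: 0 = OK, 1 = Warning, 2 = Exceeded
    $statusName = @{ 0 = 'OK'; 1 = 'Warning'; 2 = 'Exceeded' }
    Get-WmiObject -Class Win32_DiskQuota | ForEach-Object {
        # User and QuotaVolume are WMI reference strings such as
        # \\.\root\cimv2:Win32_Account.Domain="CONTOSO",Name="User" (format assumed);
        # pull the key values out rather than dereferencing each with a second query.
        $domain = if ($_.User -match 'Domain="([^"]*)"') { $Matches[1] } else { '' }
        $name   = if ($_.User -match 'Name="([^"]*)"')   { $Matches[1] } else { $_.User }
        $volume = if ($_.QuotaVolume -match 'DeviceID="([^"]*)"') { $Matches[1] } else { $_.QuotaVolume }
        [pscustomobject]@{
            Volume  = $volume
            User    = if ($domain) { "$domain\$name" } else { $name }
            Status  = $statusName[[int]$_.Status]
            Used    = Format-QuotaBytes $_.DiskSpaceUsed
            Warning = Format-QuotaBytes $_.WarningLimit
            Limit   = Format-QuotaBytes $_.Limit
        }
    } | Where-Object { $IncludeOk -or $_.Status -ne 'OK' }
}

function Set-UserQuota {
    # Wraps "fsutil quota modify <volume> <threshold> <limit> <user>" from the
    # list above and refuses a threshold that is not below the limit, so the user
    # is warned before writes start failing. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$Volume,
        [Parameter(Mandatory = $true)][uint64]$WarningBytes,
        [Parameter(Mandatory = $true)][uint64]$LimitBytes,
        [Parameter(Mandatory = $true)][string]$User
    )
    if ($WarningBytes -ge $LimitBytes) {
        throw "Warning threshold ($WarningBytes) must be lower than the limit ($LimitBytes)."
    }
    if ($PSCmdlet.ShouldProcess("$User on $Volume", "set quota warning=$WarningBytes limit=$LimitBytes")) {
        & fsutil.exe quota modify $Volume $WarningBytes $LimitBytes $User
    }
}

# Usage (mirrors the fsutil example above):
# Get-VolumeQuotaState
# Get-QuotaStatus | Format-Table -AutoSize
# Set-UserQuota -Volume C: -WarningBytes 3000000000 -LimitBytes 5000000000 -User 'Contoso\User' -WhatIf
```

Get-VolumeQuotaState is the quick check for the "Quotas are tracked on this volume" and "Logging for quota events is not enabled" lines in the fsutil output: a volume in Tracked state with LogWarning false is collecting usage but will never raise the events the chapter says IT support should monitor.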