INF204x Module 2 Lab 2: Using Encrypting File System (EFS) on Windows 10 Clients

Estimated Time: 30 minutes

You have a standalone Windows 10 client computer that you share with your colleagues. You plan to take advantage of the Encrypting File System to control access to selected files on the local computer.

Objectives

After completing this lab, students will be able to:
- Encrypt files and folders by using EFS
- Share access to encrypted files

Lab Environment

The lab consists of two virtual machines:
- LON-WIN10 - Windows 10 Enterprise client (Adatum.com Active Directory domain member) with IPv4 address of 172.16.0.40
- LON-DC1 - Windows Server 2012 R2 Datacenter server (Adatum.com Active Directory domain controller) with IPv4 address of 172.16.0.10

Exercise 1: Encrypt local files and folders by using EFS

In this exercise, you will create two local user accounts on a Windows 10 computer, log on as the first user and encrypt a file by using EFS, and then log on as the second user and ensure that the file is not accessible.

The main tasks for this exercise are as follows:
1. Create two Windows 10 local user accounts.
2. Encrypt a file by using EFS as the first user.
3. Attempt to access the encrypted file as the second user.

Task 1: Create two Windows 10 local user accounts

1. Sign in to the lab virtual machine LON-WIN10 with the following credentials (note that these are local, rather than domain, credentials):
   USERNAME: .\Admin
   PASSWORD: Pa$$w0rd
2. On your lab virtual machine, click the Windows logo in the lower left corner and click Settings in the Start menu.
3. In the Settings app, click Accounts.
4. Click Other users.
5. Click Add someone else to this PC.
6. On the Create an account for this PC page, specify the following information:
   User name: luser1
   Enter password: luser1pa$$
   Re-enter password: luser1pa$$
   Password hint: Default
7. Click Next.
8. Click Add someone else to this PC again.
9. On the How will this person sign in? page, click I don't have this person's sign-in information.
10. On the Let's create your account page, click Add a user without a Microsoft account.
11. On the Create an account for this PC page, specify the following information:
   User name: luser2
   Enter password: luser2pa$$
   Re-enter password: luser2pa$$
   Password hint: Default
12. Click Next.
13. Launch File Explorer.
14. Create the folder C:\Data.
15. Sign out from the lab virtual machine.

Task 2: Encrypt a file by using EFS as the first user

1. Sign in to the lab virtual machine (LON-WIN10) with the following credentials (note that these are local, rather than domain, credentials):
   USERNAME: .\luser1
   PASSWORD: luser1pa$$
2. Launch File Explorer and navigate to the C:\Data folder.
3. Create a file named File1.txt, type some random text in it, and save it in the C:\Data folder.
4. Right-click File1.txt and select Properties from the context menu.
5. In the Properties dialog box, click Advanced.
6. In the Advanced Attributes dialog box, select the checkbox next to Encrypt contents to secure data.
7. Click OK.
8. Back in the Properties dialog box, click OK.
9. When prompted with the Encryption Warning dialog box, select Encrypt the file only and click OK.

   Note that, in general, you should choose the option Encrypt the file and its parent folder (recommended). In some cases, when the file is modified, the editing software might create a temporary, unencrypted copy of the file in the same folder. By encrypting the parent folder, you ensure that such files are also encrypted. This lab uses the Encrypt the file only option for demonstration purposes only.

   Keep in mind that you should back up your encryption keys, so that you can recover encrypted files if the encryption key stored in your user profile is lost or damaged. The encryption key is part of the EFS certificate and is generated automatically when you encrypt a file for the first time. At that point you will receive a notification to Back up your file encryption certificate and key, which gives you the option to back up the certificate to removable media. Selecting this option automatically starts the Certificate Export Wizard, which guides you through the process of exporting the certificate. Alternatively, you can use the Back up keys option in the User Access to filename dialog box, which is accessible via the Details button in the Advanced Attributes dialog box of any encrypted file.

10. Note that the file name is now displayed in green. Right-click the file again and select Properties from the context menu.
11. In the Properties dialog box, click Advanced again.
12. In the Advanced Attributes dialog box, click Details next to the Encrypt contents to secure data label.
13. In the User Access to File1.txt dialog box, note that the current user account (luser1) is the only one that can access this file.
14. Click Add.
15. In the Encrypting File System dialog box, you should see only the single certificate for luser1. Effectively, at this point, you cannot grant access to the encrypted file to other users.
16. Click Cancel three times to close all dialog boxes.
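The same two tasks can be driven from PowerShell, which also lets you check the things the GUI only hints at: whether the Encrypted attribute is actually set, whether any plaintext files sit beside the encrypted one (the temporary-copy problem the note above describes), which certificates can decrypt the file, and a scripted version of the key backup. This is an added example, not part of the INF204x lab text; it assumes a Windows 10 client with the built-in LocalAccounts module, that the account-creation part runs in an elevated session, and that the encryption part runs in a session signed in as luser1, because EFS ties the key to the signed-in user's profile. Account names, paths and passwords are the lab's; the function names are this example's own.

```powershell
# Added example (not part of the INF204x lab text): a scripted equivalent of
# Exercise 1, Tasks 1 and 2, plus checks the GUI steps do not give you.
# Assumptions: Windows 10 with the LocalAccounts module; the Task 1 section runs
# elevated, the Task 2 section runs in a session that belongs to luser1.
# Names, paths and passwords come from the lab; function names are this example's own.

# --- Task 1 (elevated session): create the two local accounts and the folder ---
function New-LabLocalUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PlainPassword   # lab-only; never hard-code real passwords
    )
    $secure = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $secure -Description 'EFS lab account' | Out-Null
        # Standard (non-administrator) membership is all EFS needs.
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

New-LabLocalUser -Name 'luser1' -PlainPassword 'luser1pa$$'
New-LabLocalUser -Name 'luser2' -PlainPassword 'luser2pa$$'
New-Item -Path 'C:\Data' -ItemType Directory -Force | Out-Null

# --- Task 2 (session of luser1): encrypt the file and inspect the result ---
function Protect-LabFile {
    param([Parameter(Mandatory)][string]$Path)
    # Same effect as ticking "Encrypt contents to secure data" and choosing
    # "Encrypt the file only": the EFS certificate and key for the current
    # user are generated on first use.
    [System.IO.File]::Encrypt($Path)
}

function Test-LabFileEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted attribute is what File Explorer renders as the green file name.
    $item = Get-Item -LiteralPath $Path
    [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Find-LabUnencryptedFiles {
    param([Parameter(Mandatory)][string]$Folder)
    # Plaintext files left beside an encrypted one are the risk behind the lab's
    # note on temporary copies; encrypting the parent folder removes it.
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

Set-Content -LiteralPath 'C:\Data\File1.txt' -Value 'some random text'
Protect-LabFile -Path 'C:\Data\File1.txt'
Test-LabFileEncrypted -Path 'C:\Data\File1.txt'     # should report $true once encrypted
Find-LabUnencryptedFiles -Folder 'C:\Data'          # anything listed here is still plaintext

# Which certificates can decrypt the file: the GUI's "User Access to File1.txt" list.
cipher.exe /c 'C:\Data\File1.txt'

# The lab's key-backup advice, scripted: cipher /x prompts for a password and
# writes the current user's EFS certificate and private key to efs-backup.pfx.
# Move that file off the machine; a backup kept in the profile is lost with the profile.
cipher.exe /x "$env:USERPROFILE\Desktop\efs-backup"
```

Run Find-LabUnencryptedFiles again after editing File1.txt with whatever editor you use; if the editor leaves a temporary or backup copy in C:\Data, it shows up here, which is exactly the case the "Encrypt the file and its parent folder" recommendation covers.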
Task 3: Attempt to access the encrypted file as the second user

2. Sign in to the lab virtual machine with the following credentials (note that these are local, rather than domain, credentials):
   USERNAME: .\luser2
   PASSWORD: luser2pa$$
3. Launch File Explorer and navigate to the C:\Data folder.
4. Double-click the File1.txt file.
5. Verify that you get the Access is denied message.
6. Click OK and close Notepad.

Results: After completing this exercise, you will have created two Windows 10 local user accounts, encrypted a file by using the first of them, and verified that the second one does not have access to the encrypted file.

Exercise 2: Share access to encrypted files

In this exercise, you will first encrypt a file as the second user, then grant the second user access to the previously encrypted file, and verify that the second user can at that point access the file.

The main tasks for this exercise are as follows:
1. Encrypt a file by using EFS as the second user.
2. Grant shared access to the previously encrypted file.
3. Verify that the second user can access the shared encrypted file.

Task 1: Encrypt a file by using EFS as the second user

1. While signed in as the second user, create a file named File2.txt, type some random text in it, and save it in the C:\Data folder.
2. Right-click File2.txt and select Properties from the context menu.
3. In the Properties dialog box, click Advanced.
4. In the Advanced Attributes dialog box, select the checkbox next to Encrypt contents to secure data.
5. Click OK.
6. Back in the Properties dialog box, click OK.
7. When prompted with the Encryption Warning dialog box, select Encrypt the file only and click OK.

   By encrypting a file as the second user, you generate an EFS certificate that the first user can now use to provide shared access to File1.txt.

Task 2: Grant shared access to the previously encrypted file

2. Sign in to the lab virtual machine with the following credentials:
   USERNAME: .\luser1
   PASSWORD: luser1pa$$
3. In File Explorer, navigate to the C:\Data folder.
4. Right-click File1.txt and select Properties from the context menu.
5. In the Properties dialog box, click Advanced.
6. In the Advanced Attributes dialog box, click Details next to the Encrypt contents to secure data label.
7. In the User Access to File1.txt dialog box, click Add.
8. Note that you can now see an additional EFS certificate, for luser2. Make sure it is selected and click OK.
9. Back in the User Access to File1.txt dialog box, you should now see both luser1 and luser2 as the users who can access the file.
10. Click OK three times to close all dialog boxes.

Task 3: Verify that the second user can access the shared encrypted file

2. Sign in to the lab virtual machine with the following credentials:
   USERNAME: .\luser2
   PASSWORD: luser2pa$$
3. Launch File Explorer and navigate to the C:\Data folder.
4. Double-click the File1.txt file.
5. Verify that you can successfully open the file.
6. Click OK and close Notepad.

Results: After completing this exercise, you will have encrypted a file as the second user to generate an EFS certificate, granted shared access to the previously encrypted file as the first user, and verified that you can access that file successfully as the second user.
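Exercise 2 can likewise be scripted, which makes the mechanism visible: luser2's first encryption creates an EFS certificate in luser2's personal store, luser1 then uses cipher.exe to add that certificate to File1.txt (the command-line equivalent of the Add button in the User Access dialog), and the grant can be confirmed and later revoked from the command line. This is an added example, not the lab's own code; it assumes the accounts, C:\Data and the encrypted File1.txt from Exercise 1 already exist, that each section runs in a session signed in as the user named in its comment, and that the certificate thumbprint is passed from luser2 to luser1 out of band (in the GUI, the Add dialog presents the same certificate for selection). The function names are this example's own; the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 is used to pick out the EFS certificate.

```powershell
# Added example (not the lab's own code): a scripted equivalent of Exercise 2.
# Assumptions: luser1, luser2, C:\Data and the encrypted C:\Data\File1.txt from
# Exercise 1 exist; each section runs as the user named in its comment; the
# thumbprint is handed from luser2 to luser1 out of band. Function names are this
# example's own. 1.3.6.1.4.1.311.10.3.4 is the EFS enhanced key usage OID.

# --- Task 1 (session of luser2): encrypt File2.txt so luser2 gets an EFS certificate ---
Set-Content -LiteralPath 'C:\Data\File2.txt' -Value 'second user text'
[System.IO.File]::Encrypt('C:\Data\File2.txt')

function Get-LabEfsCertificate {
    # Returns the current user's EFS certificate(s) from the personal store.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
}
# luser2 records this thumbprint and passes it to luser1.
$luser2Thumbprint = (Get-LabEfsCertificate | Select-Object -First 1).Thumbprint

# --- Task 2 (session of luser1): grant luser2 access to File1.txt ---
function Grant-LabEfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertThumbprint
    )
    # cipher /adduser wraps the file's encryption key with the added user's public
    # key; it must run as a user who can already decrypt the file (here luser1),
    # which is why Exercise 1 could not share the file before luser2 had a certificate.
    cipher.exe /adduser /certhash:$CertThumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed for $Path" }
}

function Revoke-LabEfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertThumbprint
    )
    # The reverse operation, for when a colleague no longer needs the file.
    cipher.exe /removeuser /certhash:$CertThumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "cipher /removeuser failed for $Path" }
}

Grant-LabEfsAccess -Path 'C:\Data\File1.txt' -CertThumbprint $luser2Thumbprint
# Alternative that lets cipher look the certificate up by account name:
#   cipher.exe /adduser /user:luser2 C:\Data\File1.txt
cipher.exe /c 'C:\Data\File1.txt'   # both luser1 and luser2 should now be listed

# --- Task 3 (session of luser2): verify access without relying on Notepad ---
function Test-LabFileReadable {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $true when the current user can decrypt and read the file, $false when
    # EFS denies access (the "Access is denied" result of Exercise 1, Task 3).
    try {
        Get-Content -LiteralPath $Path -ErrorAction Stop | Out-Null
        $true
    }
    catch [System.UnauthorizedAccessException] { $false }
}
Test-LabFileReadable -Path 'C:\Data\File1.txt'
```

Note that sharing is per file: adding luser2 to File1.txt does not give luser2 access to any other file luser1 encrypts later, and an NTFS ACL change alone never grants EFS access, as Exercise 1 demonstrated.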