CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [200]
key revocation list. A certificate is revoked using a CRL process. A key is suspended when it needs to be made temporarily inactive. A suspension can be undone; a revocation can’t.

Be able to describe the purpose of key recovery. Key recovery allows information that was encrypted with older keys to be accessed. For example, key recovery could be used to retrieve data encrypted under the key of an ex-employee.

Be able to describe the M of N Control method. The M of N Control method states that of n people authorized for a sensitive process such as key recovery, m of them must be present to perform it. For example, if six people are authorized to use a system, three of the six must be present to recover a key. In this example, m = 3 and n = 6. This control prevents any one person from compromising the key archival system on their own.

Explain the purpose of key renewal. Key renewal isn't a recommended practice. However, sometimes it may be necessary to renew a key in order to continue using a system for a short time. The longer a key or certificate stays in use, the more ciphertext and time an attacker has to work against it, and the more vulnerable it becomes to decryption.

Know the purpose of key destruction. Key destruction is an important part of physical control. When a physical key (a hardware token or smart card) is retired, it should be physically destroyed. When a software key is retired, every copy should be erased and the storage zeroed out to prevent inadvertent disclosure.

Hands-On Labs

The labs in this chapter are as follows:

Lab 7.1: Hash Rules in Windows Server 2003

Lab 7.2: SSL Settings in Windows Server 2003

Lab 7.3: Encrypting a File System in Linux

Lab 7.4: Look for Errors in IPSec Performance Statistics

Lab 7.1: Hash Rules in Windows Server 2003

This lab requires a test machine (nonproduction) running Windows Server 2003.

On a Windows Server 2003 system that is a domain controller (Active Directory installed), you must reach the local security policy slightly differently: launch an MMC, add the Group Policy Object Editor snap-in, and select Local Computer as the Group Policy object. Everything else then works the same.

To create a new hash rule, follow these steps:

1. Choose Start > Administrative Tools > Local Security Policy.

2. Expand Software Restriction Policies.

3. Right-click Additional Rules and choose New Hash Rule from the context menu.

4. Click the Browse button and choose the file hisecws.inf from the Templates folder (this is under \Winnt\Security\Templates).

5. Notice the file hash that appears and the file information. Click OK.

6. Notice that the new hash rule is added to the right pane along with the default path rules that appear there.
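The point of the lab is the difference between a hash rule and the path rules already in the pane: a hash rule identifies a file by the hash of its contents, so it follows the file wherever it is copied or renamed, but a single changed byte makes it stop matching. The following is an added Python simulation of that evaluation, not Windows code or code from the study guide. It assumes SRP's precedence (a matching hash rule overrides any path rule, which overrides the default level) and uses SHA-256 as the hash; the file names, contents and folder layout are constructed for the example.

```python
"""Toy evaluator for Software Restriction Policy style hash rules and path rules."""
import hashlib
import os
import tempfile

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


def file_hash(path):
    """Hash the file's contents. SHA-256 is an assumption for this example."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _under(path, folder):
    """True if path is folder itself or lies beneath it (case-insensitive on Windows)."""
    path = os.path.normcase(os.path.abspath(path))
    folder = os.path.normcase(os.path.abspath(folder))
    return path == folder or path.startswith(folder.rstrip(os.sep) + os.sep)


def evaluate(path, hash_rules, path_rules, default):
    """Return the security level applied to the file at path.

    hash_rules: {hexdigest: level}; path_rules: {folder: level}.
    A hash rule wins over a path rule; among path rules the longest match wins.
    """
    level = hash_rules.get(file_hash(path))
    if level is not None:
        return level                      # hash rule: decided by the bytes alone
    best = None
    for folder, rule_level in path_rules.items():
        if _under(path, folder) and (best is None or len(folder) > len(best[0])):
            best = (folder, rule_level)
    return best[1] if best else default   # path rule, else the default level


def demo():
    """Constructed scenario: one binary blocked by hash, a tools folder allowed by path."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tools = os.path.join(root, "tools")
        os.mkdir(tools)
        payload = b"MZ" + b"constructed fake executable" * 8   # fake file content

        original = os.path.join(tools, "badtool.exe")
        with open(original, "wb") as f:
            f.write(payload)
        hash_rules = {file_hash(original): DISALLOWED}       # the new hash rule
        path_rules = {tools: UNRESTRICTED}                   # an existing path rule
        default = DISALLOWED                                 # default security level

        # Same bytes under a new name outside the tools folder: hash still matches.
        renamed = os.path.join(root, "innocent.txt")
        with open(renamed, "wb") as f:
            f.write(payload)

        # One byte changed: the hash rule no longer matches, path rules decide.
        patched = payload[:-1] + b"!"
        patched_in_tools = os.path.join(tools, "badtool2.exe")
        patched_elsewhere = os.path.join(root, "badtool2.exe")
        for p in (patched_in_tools, patched_elsewhere):
            with open(p, "wb") as f:
                f.write(patched)

        other = os.path.join(tools, "helper.exe")
        with open(other, "wb") as f:
            f.write(b"MZ something else entirely")

        for name, p in (("original_in_tools", original),
                        ("renamed_copy_elsewhere", renamed),
                        ("patched_copy_in_tools", patched_in_tools),
                        ("patched_copy_elsewhere", patched_elsewhere),
                        ("other_file_in_tools", other)):
            results[name] = evaluate(p, hash_rules, path_rules, default)
    return results


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:26s} -> {level}")
```

The patched copy inside the tools folder runs because the allow-by-path rule now applies, which is why a hash rule must be re-created whenever the target file is updated, and why path rules on writable folders are weak.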

Lab 7.2: SSL Settings in Windows Server 2003

This lab requires a test machine (nonproduction) running Windows Server 2003. To configure the SSL port setting, follow these steps:

1. Open the Internet Information Services Manager by choosing Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Expand the left pane entries until your website becomes an option. Right-click the website and choose Properties from the context menu.

3. Select the Web Site tab. Check whether the SSL port field is filled in. If it isn't, enter the port on which the site should accept SSL connections (443 is the standard HTTPS port).

4. Click OK and exit the Internet Information Services Manager.

Notice that the SSL port field is blank by default, and any port number can be entered here; this differs from the way some previous versions of IIS worked. The default SSL port is 443. If you enter any other number in this field, clients must know that port in advance and include it in the URL (for example, https://server:8443/) in order to connect.

Lab 7.3: Encrypting a File System in Linux

This lab requires access to a server running SuSE Linux Enterprise Server 9. To encrypt a filesystem, follow these steps:

1. Log in as root and start YaST.

2. Choose System, then Partitioner.

3. Answer Yes to the prompt that appears. Select a filesystem and click Edit.

4. Select the Encrypt File System check box and click OK.

Lab 7.4: Look for Errors in IPSec Performance Statistics

This lab requires access to a server running Windows Server 2003. To configure IPSec monitoring, follow these steps:

1. Open the System Monitor by choosing Start > Administrative
