MTA 98-368 - Concepts A
BYOD is a concept adopted by some companies to save on cost and increase productivity by allowing users to use their own devices for both work and personal use; as you can imagine, this brings many risks. The following are technologies used to eliminate, control or reduce these risks.
Bring Your Own Device (BYOD)
this is one-way encryption, used when there is no intention to decrypt the data; passwords are a common example.
Hash function
Lowers the probability of service failure.
High Availability of Microsoft Azure
(Internet Key Exchange) is needed for VPN Reconnect.
IKEv2
Windows 8.1 and newer, macOS, Android, iOS and Windows 10 Phone (Linux is not supported).
Intune platform support
this is when we only want to remove corporate data added to the device, leaving installed applications in place.
Intune selective wipe
are scalable to meet increased demand within a certain time window.
Microsoft Azure applications
is a cloud-based service for document share and collaboration.
Office 365
is another Microsoft solution for mobility access; the app allows you to connect to remote PCs, virtual apps and desktops from one app (you will need permission from a system admin).
Remote Desktop app
is used to manage devices attached to a domain. It has a Portal App which allows users of Windows 8 and 10 to view and install applications that administrators make available to them.
SCCM
An authentication factor using biometrics, such as a fingerprint scanner.
Something you are
Authentication factor that relies on a piece of knowledge (password, PIN).
Something you know
the clue is in the name with this one: this type of malware is designed to spy on user activity.
Spyware
requires 2 drives to be useful and is a good option for performance; however, it does not provide full protection.
Storage Spaces: Simple
Appears at the right of the taskbar and gives you easy access to system functions. The System Tray will appear on your main display when using dual monitors.
System tray/ notification area
is a series of interconnected LANs that allows us to communicate with other networks and share resources, for example using a browser to access a web server. The Internet is classed as a public network: it is open for anyone to use and isn't managed by anyone.
The Internet
In this model, an organisation pays a cloud provider for the use of infrastructure (servers, compute power, storage). This allows an organisation to set up its own cloud-based servers and only need to worry about the install and licensing of the operating system and software, with no hardware to support or purchase. Microsoft Azure and Amazon EC2 are examples of IaaS.
Infrastructure as a Service
Full wipe will revert the device back to factory settings.
Intune full wipe
This provides many features that FAT32 did not have, such as compression, encryption, disk quotas and file permissions; the maximum (efficient) drive size is 2TB.
NTFS (New Technology File System)
Bing. Bing App Linking provides a link within a website that directs the user to the website's app when, for example, using a mobile device.
Office 365 Search service
SharePoint for Library and Document services. OneDrive is a well-used feature in Office 365, offering both free and paid versions.
Office 365 Storage services
Lync online and Skype for Business
Office 365 communication service
On-premises IT refers to the physical equipment that is hosted within an organisation. This may include servers, workstations, laptops and printers. While most of these devices are still required for users to carry out their daily duties, at the server end (where costs are highest) Cloud Services are seeing a shift away from on-premises IT.
On-premises IT
available on mobile devices and built into Windows 8/8.1/10; Server OSs also support OneDrive (Server 2008 SP2 and newer). OneDrive is not built into Windows 7, macOS or Linux, but the application can be downloaded.
OneDrive
is when the public key is available to anyone and the private key is only held by the organisation securing the data. This means that anyone can encrypt and secure data, but without the private key it cannot be decrypted. A public key can be sent to someone or published in a certificate; SSL and PGP both use this method.
Public-key encryption (asymmetric encryption)
can automatically verify and correct data to avoid file system errors. It should be used on drives over 2TB; it is currently used in servers but is possible with Windows 10.
ReFS
Centralises applications on the same trusted and reliable platform that governments, financial services companies and other large organisations use for sensitive information.
Remote App feature of Microsoft Azure
is a virtual application that provides access to applications running from a server; virtual apps can be accessed from a variety of devices and platforms, including Windows, Windows RT (mobile), iOS, macOS and Android. The app is essentially streamed to the device. Note: RDP is used to create a session between the client and server for access to the virtual apps.
RemoteApp
used to secure connections to websites using encryption. It uses a certificate on the server that has been signed by a certificate authority and is presented to the web browser; this provides both authentication and security.
SSL
(2-way or 3-way); 3-way requires at least 5 drives, and a 2-way mirror can only tolerate one drive failure.
Storage Spaces: Mirror
for storage efficiency and to protect your files from drive failure by keeping multiple copies.
Storage Spaces: Parity
Microsoft is trying to phase out Control Panel and replace it with the Settings menu seen in Windows 10. This UI is considered more user friendly and aesthetically pleasing.
Windows 10 Settings Panel
is another common tab; not only do we love to personalise our desktop and screens, but users are also passionate about background images of their pets. Within Windows 10 we can now spread the taskbar across multiple monitors; this is configured in the Personalisation tab. (If you have Windows 10, have a play around with the Settings menu.)
Windows 10 Settings Panel:Personalisation
typically used to gather information about the device (OS version, CPU, RAM etc.), enable Remote Desktop and add a device to a Domain (you will need a Domain administrator account to do this).
Windows 10 Settings Panel:System
is a server role that encrypts and limits access to documents such as Word, web pages, email and much more.
Windows Rights Management Services (AD RMS)
You can configure the Start menu, profiles, display settings, shortcuts, and group configurations and capabilities.
Within the OS
is a Microsoft solution native to Windows 10; user data is stored on the server and synchronised to the user's device when connected to the internet. The good thing about Work Folders is that files can be worked on locally without a connection to the corporate network; any changes are automatically synced and can be manually synced if a file does not appear. Work Folders can be hosted on an Azure VM and work from inside Office apps.
Work Folders
provides seamless two-factor authentication and single sign-on to workplace resources and applications for mobile devices; it is certificate based and the device doesn't need to be on the Domain.
Workplace Join
a software program capable of reproducing itself that can spread from one computer to the next over a network; consuming bandwidth and stealing data are two of a worm's many abilities.
Worm
is an open, vendor-neutral file system typically used for DVDs and other optical media.
UDF (Universal Disk Format) file system
is a common way to allow access to your company network from an external connection (e.g. for someone working from home). Tunnelling protocols are used which include encryption and device authentication.
VPN (Virtual Private Network)
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.
Virus
Using a firewall, antivirus, keeping systems updated and user education are effective.
Ways to lower the risk of malware
Microsoft's latest storage solution is Storage Spaces
local storage
A security system that requires more than one method of proving someone or something is who or what it is declared to be. Different methods are used to independently verify the user's identity for a transaction or sign-in attempt, such as a password plus a fingerprint. Each layer increases the difficulty an attacker faces trying to breach the security of a target.
multifactor authentication (MFA)
Microsoft offers several solutions for online applications and data storage. Examples include OneDrive, Microsoft Azure storage, OneNote, Outlook and Office 365.
Cloud storage services
Keeping a device up to date is one of the best ways of securing it and updates should not be ignored. This should also apply to apps and software; updates and patches are released when new features are available, or security flaws need patching. In a domain environment you can manage updates centrally using Windows Server Update Services (WSUS).
Configure updates
Is a starting point for configuring your device. It has applets which enable you to make changes, for example the System applet enables you to add a computer to a domain.
Control Panel
An authentication factor using something physical, such as a smart card or token.
Something you have
supports multi-touch, the Windows experience, Workplace Join, Start Menu/Screen integration, and enables end users to use the latest devices to interact with their remote Windows 8 or 10 desktop.
Multi-touch Remote
is made up of different hard drives, which can be HDD, SSD or a mixture of both. From here, highly available volumes can be created which can have extra redundancy and performance enhancements. The 'Spaces' that are created are technically virtual storage, and more disk space can be added if capacity is running low. This is essentially Microsoft's version of RAID, but with an easier interface for standard users.
A storage pool
(Active Directory Rights Management Services) can be used to define who can open, modify, print or forward a document.
AD RMS
is resources made available for partner organisations to access using a browser; this is classed as a private network.
An Extranet
is internal resources which are accessed using a browser; it is a private network. You may have one of these in your workplace, using an internal web page, SharePoint etc.
An Intranet
also known as public-key cryptography; two mathematically related keys are used, one to encrypt and one to decrypt.
Asymmetric encryption
can also be used and will connect automatically on the launch of a specified set of applications.
Auto-Triggered VPNs
is a cloud-based directory and identity management service. It can be integrated with your on-premises AD DS, allowing AD DS users to authenticate to Azure using existing credentials.
Azure Active Directory
Single Sign-On (SSO), which simplifies user access to thousands of cloud applications on Windows, Mac and iOS devices.
Azure Active Directory enables
you can encrypt an entire drive or simple volume; it requires a Trusted Platform Module (TPM), which is a chip on the motherboard. This chip generates and stores the actual encryption keys and automatically unlocks your PC's drive when it boots; you can then sign in just by typing your Windows login password. Without a TPM you would need extra authentication, like a password or a digital key on a USB flash drive. It is important to note that BitLocker will encrypt the OS volume; any other drives should be encrypted using other encryption methods, such as BitLocker To Go or EFS.
BitLocker Drive Encryption
means that you encrypt a removable storage device, commonly USB. Unlike BitLocker Drive Encryption, the USB can be secured with a password or smart card. You must be very careful with this one: if you copy a file from the encrypted drive to a non-encrypted drive, the file will be decrypted.
BitLocker To Go
you can either access BitLocker from Control Panel or use the PowerShell cmdlet Manage-bde.
BitLocker can be managed
Allows you to control data access and governance even further than NTFS and share permissions. This means you can classify documents with tags, such as confidential, archive, or even a specific job role; classification can be added manually or automatically. Access to documents can also be controlled based on the configuration or health of the device trying to access them (making sure the device has up-to-date AV etc.). Some documents can be classified as PII (personally identifiable information); you can then allow any HR member to view files with this tag.
Dynamic Access Control (DAC)
moving files to the encrypted folder will result in them being encrypted.
EFS encrypted folder (moving files to)
allows you to encrypt a file or folder so other users cannot access it. It is a feature of NTFS.
Encrypting File System (EFS)
This file system is not really seen anymore, but exFAT is used in USB flash drives and SD cards; the maximum file size on FAT32 is 4GB.
File Allocation Table (FAT)
is the industry standard and uses IPSec (IP Security); port 1701.
L2TP (Layer 2 Tunneling Protocol)
The Microsoft Intune client needs to be installed, and you need local administrator rights on the device. To manage mobile devices, however, the Company Portal app must be installed and the user self-enrols using their Intune username.
Manage devices with Intune
is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft managed data centres. It provides software as a service (SaaS), platform as a service and infrastructure as a service and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems.
Microsoft Azure
A cloud-based management solution that allows you to manage your computers when they are not inside your corporate network.
Microsoft Intune
Allows you to sign into different devices and access data that is synced across them; single sign-on to services such as Outlook, OneDrive and the Windows Store.
Microsoft account
Many devices offer encryption: Android devices provide an encryption option from the start-up menu and Windows 10 phones have a Device Encryption setting within the phone settings.
Mobile device encryption
uses a single key to encrypt and decrypt, both sender and receiver have the secret key.
Symmetric encryption
is a feature introduced in Windows 7 that allows you to view recently accessed documents from any program pinned to your taskbar. To do this, right-click on any program that has an icon in the taskbar and it will bring up a list of recently modified documents; you can also pin documents to the jump list. You can then modify the Taskbar properties to increase the number of items displayed in jump lists.
The Jump List
is available in Windows 7 and 10 (Windows 8 has the Start Screen) and is highly customisable in Windows 10. In Windows 8.1, notifications about updates are shown on the Start Screen.
The Start Menu