Net Use and Net Share

Q: Brad, one of your users, want to be able to use comman-line utilities to access shared network folders instead of using GUI utilities. Which comman-line utility can be used to map to shared network folders?

A. MAP
B. NET SHARE
C. NET USE
D. NET ACCESS

Ans: (C) Common ways of mapping shared network folders through GUI utilities are My Network Places and Windows Explorer.
The NET USE command is used to map shared network folders.

i answered B, and got it wrong.
ok..here is how i understand the difference between the twos after this answer.
NET SHARE - Folders can be shared through the NET SHARE command-line utility
NET USE- Users can access a shared resource with NET USE command-line utility.
So, NET SHARE is to share folders, and NET USE is to access a shared folder?
am i right?
correct me if i am wrong please guys!

I am also confused on DRA configuration for Encrypted Files. ok here is a question.

Q: Cindy is Payroll Manager at xxx company. The day before the payroll is processed, she is involved in a minor car accident and spends two days in the hospital. She has Windows XP Professional installed as a part of a workgroup and has encrypted the payroll files with EFS. All of the EFS settings for the computer are set to default values. How can these files be accessed in her absence?

A. The Administrator user account can access the files by backing up the files, restoring the files on the computer where the recovery agent is located, and disabling the files' Encrypt the Contents to Secure Data option.

B. The Administrator user account can access the files by using the unencrypt command line utility.

C. The Administrator user account can access the files by using the encrypt-d command line utility.

D. Unless a DRA has been configured, there will be no access to the files.

Ans: (A) By default, a Windows XP Professional computer that is installed as a stand-alone computer or a part of a workgroup has no DRA automatically configured. You will not be able to access her files.

i answered D, and i got it wrong.
i knew that stand-alone comp or a comp in a workgroup has no DRA configured by default, and i wont be able to access the encrypted files unless DRA has been configured..right? thats why i chose D. So, i looked in the book, and i dont see anything that says Administrator account can disable the Encrypted files.
Is this my error, or the book's error?
Please help!

Find more posts tagged with

Comments

sprkymrk

Mikephyu wrote:

So, NET SHARE is to share folders, and NET USE is to access a shared folder?
am i right?

That is correct.

Mikephyu wrote:

So, i looked in the book, and i dont see anything that says Administrator account can disable the Encrypted files.

Try this link:
http://www.microsoft.com/technet/archive/community/columns/security/5min/5min-401.mspx?mfr=true

Backing up encrypted data

Backing up the encrypted files is as easy as backing up any other file. Because the FEK is stored with the file, you don't need to take any special precautions when you back up the file. However, you won't be able to decrypt the file if you don't restore it to a domain or local computer where authorized users can access their private keys.

If you cannot restore the user's keys, and you have access to the DRA keys, the actual process of recovery is very straightforward: move the file to a machine that has the DRA's private key, find the file in Explorer, right-click it to open its Properties dialog, switch to the General tab, click the Advanced button, and clear the "Encrypt contents to secure data" checkbox.

HTH.

royal

On the 2nd question, I think the OPs answer is still correct. At the time of encryption, there was no DRA since it's a standalone workstation not connected to a domain. Therefore, since there was no DRA at the time of encryption, no user can decrypt it except for who encrypted it.

By default, a workstation not connected to a domain (which is the case here) does not have a DRA. XP is allowed to encrypt without a DRA, unlike 2000. In a domain, the domain administrator is a DRA by default. Because of there being no DRA in the workgroup, when she encrypted the file there was no DRA. Because of this, only Cindy has access to that file. If there was a DRA specified, which would be the case if that XP computer was in a domain, the 1st domain controller in that domain would have the actual certificate for the DRA. You can then in that scenario and take that file and put it on that DC and decrypt it since that computer has the cert to decrypt. Or you can export that cert with the private key (which is allowed), and put it on a dedicated highly secured decrypting workstation. Or you can take the cert, and temporarily put it on Cindy's machine (if it was in a domain) and decrypt it there.

coldbug

OMG..it is so confusing..i am having migranes on the second question! let me take some Advils. How come Sybex's Book never mentioned that administrator account can do this.
Well, i am getting Exam Cram 2, anyway..maybe tomorrow at Borders.
thanks guys tho
to Spymark, i visited the site you gave me, and i had to stop reading because i drowned. lol

I must get to the bottom of this..and i am sounding like a retard.
ok..so the Administrator account can access to Cindy's Encrypted file and decript eventhough there was no DRA was configured by default?
Is that good?

This is the problem taking certs with no hands on experience with User Accounts in real life.

coldbug

icroyal wrote:

On the 2nd question, I think the OPs answer is still correct. At the time of encryption, there was no DRA since it's a standalone workstation not connected to a domain. Therefore, since there was no DRA at the time of encryption, no user can decrypt it except for who encrypted it.

what is OP? are you saying the book was still right??
NOOO! tell me he is wrong..lol

If Cindy's computer was not connected to domain, there was no DRA configured by default. Right?
DRA is configured on Administrator account by default ONLY at domain. Right?
So, since her computer was not connected to the domain, then NO ONE can access to her Encrypted file, NOT even an administrator.
How come i got it wrong???

Uhhh..i have a headache!

royal

OP = Original Poster (you)

Domain Environment:
Default DRA = Domain Administrator
Certificate is on 1st Domain Controller
To Decrypt using DRA you can do 3 different things: 1. Back up file and put on the 1st DC which contains the DRA certificate and decrypt there. 2. Export the Certificate with its private key and place that certificate on a secured dedicated efs recovery workstation and place the backed up file there for decryption. 3. Take the certificate and temporarily import it into the user's workstation to decrypt the file. Just make sure you delete the certificate from that workstation afterwards.

Windows XP Workgroup Environment:
No Default DRA
XP Workstations are still allowed to encrypt data
If user's profile is deleted or the person has been injured, nobody will be able to get access to that file since there was no DRA. Of course you can still create a DRA so this doesn't happen.

Windows 2000 Workgroup Environment:
Administrator is default DRA
2000 Workstations are NOT allowed to encrypt data without a DRA chosen.

So yes, if Cindy's computer was not connected to a domain, there is no DRA configured by default. So yes, since her computer is not a domain computer, NOBODY except for Cindy can access the file UNLESS someone did in fact configure a DRA for the workgroup computers prior to the file being encrypted. If this was a 2000 machine, it'd be different since there is a default DRA configured by default.

How come you got it wrong? Well because no practice exam is perfect. I've seen plenty of errors in practice exams. Even Microsoft's exams have been known to have errors even with tons of highly-respected engineers beta testing their exams.

http://technet2.microsoft.com/WindowsServer/en/library/b505401c-5ec8-4f0f-b82b-ea24b28bfbad1033.mspx?mfr=true

A DRA is established by default on Windows 2000 systems. The DRA is optional on Windows XP Professional and Windows Server 2003 in order to provide organizations with greater flexibility in implementing data recovery strategies.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Windows 2000 mandated a requirement that a recovery policy must be in place before users can encrypt files.

A default recovery policy is automatically put in place for the domain when the administrator logs on to the system (domain controller) for the first time, making the administrator the recovery agent for the domain.

In a network environment, the domain administrator controls how EFS is implemented in the recovery policy for all users and computers in the scope of influence. In a default Windows 2000 or Windows Server 2003 installation, when the first domain controller is set up, the domain administrator is the specified recovery agent for the domain.

Windows XP no longer creates a default DRA on newly installed machines in a workgroup or in a domain.

coldbug

yay!!!!

i got it now..thanks guys
it took a while to get the picture..hehe