Chapter 17: Encrypting File System


Microsoft Windows XP Encrypting File System (EFS) enables users to encrypt individual files, folders, or entire data drives. Because EFS provides strong encryption through industry standard algorithms and public key cryptography, encrypted files are confidential even if an attacker bypasses system security. EFS users can share encrypted files with other users on file shares and in Web folders. Many EFS features can be configured through Group Policy settings or command-line tools, facilitating enterprise management.

Related Information

  • For more information about NTFS, see File Systems in this book.

  • For more information about solutions for mobile users, see Supporting Mobile Users in this book.

Overview of EFS

Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can install a new operating system on that computer and bypass the existing operating system s security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer s data storage.

Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that have permissions for a file even the Take Ownership permission cannot open the file without authorization. Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an unauthorized user tries to open an encrypted file, access is denied.

Benefits of EFS

EFS allows users to store confidential information about a computer when people who have physical access to your computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drive(s), place the drive(s) in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do.

In its default configuration, EFS enables users to start encrypting files from My Computer with no administrative effort. From the user s point of view, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted.

How EFS Works

  1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user s public key, and the encrypted FEK is then stored with the file.

  2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, by storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.

  3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user s private key, and then decrypts the data by using the FEK.

New for Windows XP Professional

EFS in Windows XP Professional includes the following new features:

  • Additional users can be authorized to access encrypted files.

  • Offline Files can be encrypted.

  • Data Recovery Agents are recommended but optional.

  • The triple-DES (3DES) encryption algorithm can be used to replace DESX.

  • A password reset disk can be used to safely reset a user s password.

  • Encrypted files can be stored in Web folders.

Configuring EFS for Your Environment

EFS is enabled by default. Users can encrypt files if they have permission to modify the files. Because EFS relies on a public key to encrypt files, users need a public-private key pair and a public key certificate for encryption. Because EFS can use self-signed certificates, however, EFS does not require administrative effort before use.

Note 

The use of self-signed certificates for EFS is not recommended in a domain environment. Configuring certification authorities to deliver EFS certificates to users as part of your public key infrastructure simplifies the manageability for recovery agents.

If EFS is not appropriate in your environment, or if you have files that you do not want to be encrypted, you can disable EFS in various ways. There are also a number of ways in which you can configure EFS to meet the specific needs of your organization.

In order to use EFS, all users must have EFS certificates. If you do not currently have a public key infrastructure (PKI), you can use self-signed certificates. If you have certification authorities, however, you might want to configure them to provide EFS certificates.

You will also need to consider a disaster recovery plan if you use EFS on your system.




Microsoft Windows XP Professional Resource Kit 2003
Microsoft Windows XP Professional Resource Kit 2003
ISBN: N/A
EAN: N/A
Year: 2005
Pages: 338

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net