Disabling EFS


EFS is enabled by default but can be disabled for individual files or individual file folders, or disabled entirely for a computer or domain. Disabling EFS for a stand-alone computer requires adding an entry to the registry.

Disabling EFS for an Individual File

Although files can be made unencryptable by setting the system attribute or placing the file in the %systemroot% folder or any of its subfolders, these options are undesirable in many cases. For example, system files are also normally hidden from view, and a user might want a file that is unencryptable to be visible to other users.

Note 

Even with Write permission, users cannot encrypt files or folders in the %systemroot% folder, or files or folders that have their system attribute set. If these types of files and folders could be encrypted, it might render the system useless. This is because many of these files are needed for the system to start up, and decryption keys are not available during the startup process to decrypt them.

Denying Write permissions for a file also makes it unencryptable by the users or groups within the scope of the denial. Simply attributing the file as read-only, however, does not prevent encryption. A user who has Write permissions can encrypt read-only files.

In most cases, the best solution is to disable EFS for a folder rather than an individual file.

Disabling EFS for a File Folder

To disable encryption within a folder, create a file called Desktop.ini that contains:

[Encryption]
Disable=1

Save the file in the directory in which you want to disable EFS. If a user attempts to encrypt the folder or any files in the folder, a message tells the user: "An error occurred applying attributes to the file: filename. The directory has been disabled for encryption."

Note 

The Desktop.ini file affects only the current folder and the files in it. If you create a subfolder, both the subfolder and any files in it can be encrypted. Also, encrypted files can be copied or moved, without losing their encryption, into the directory that contains the Desktop.ini file.
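
The two gaps described in the note above (subfolders that are not covered, and already-encrypted files copied or moved in) can be checked with a short audit. The following PowerShell script is an added example, not part of the Resource Kit text; it assumes PowerShell 3.0 or later, and the root path C:\Data\NoEFS and the function names are hypothetical.

```powershell
# Added example: audit a folder tree for gaps in Desktop.ini-based EFS blocking.
# $Root is a hypothetical path; replace it with the folder you protect.
$Root = 'C:\Data\NoEFS'

function Test-EfsDisabledByIni {
    param([string]$Folder)
    $ini = Join-Path $Folder 'Desktop.ini'
    if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) { return $false }
    $inSection = $false
    # .NET read works even when Desktop.ini is marked hidden or system
    foreach ($line in [System.IO.File]::ReadAllLines($ini)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Track whether we are inside the [Encryption] section
            $inSection = ($Matches[1].Trim() -ieq 'Encryption')
        } elseif ($inSection -and $t -match '^Disable\s*=\s*1$') {
            return $true
        }
    }
    return $false
}

function Get-EfsFolderAudit {
    param([string]$Path)
    # Desktop.ini is not inherited, so every folder is checked on its own
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
                     -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        # Files that already carry the Encrypted attribute (copied or moved in)
        $enc = @(Get-ChildItem -LiteralPath $f.FullName -File -Force `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
        [pscustomobject]@{
            Folder         = $f.FullName
            EfsBlocked     = Test-EfsDisabledByIni -Folder $f.FullName
            EncryptedFiles = $enc.Count
        }
    }
}

# Report only folders with a gap: no Disable=1, or encrypted files present
Get-EfsFolderAudit -Path $Root |
    Where-Object { -not $_.EfsBlocked -or $_.EncryptedFiles -gt 0 } |
    Format-Table -AutoSize
```

An empty result means every folder in the tree has its own Desktop.ini with Disable=1 and holds no encrypted files.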

Disabling EFS for a Stand-Alone Computer

A registry entry must be added to disable EFS for a stand-alone computer.

To disable EFS on a stand-alone computer by editing the registry

  1. In the Run dialog box, type regedit.exe.

  2. Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Enter EfsConfiguration for the value name and 1 for the value data to disable EFS (a value of 0 enables EFS).

  5. Restart the computer.

  6. If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user: "An error occurred applying attributes to the file: filename. The directory has been disabled for encryption."

    Note 

    Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference in the Microsoft Windows 2000 Server Resource Kit at http://www.microsoft.com/reskit.




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338
