Data Protection


Stored data (online or offline) can be protected by using Encrypting File System (EFS) and digital signatures. Stored data security refers to the ability to keep data on disk in an encrypted form, so that reading the raw disk, or booting another operating system against it, yields ciphertext rather than the files' contents.

Encrypting File System

With EFS, data is encrypted as it is stored on disk. EFS encrypts each file on a local NTFS volume with a symmetric file encryption key and protects that key with the user's public key, so only the holder of the matching private key (or a designated recovery agent) can open the file. Once a user has encrypted a file, the file remains encrypted whenever it is stored on disk; once a user has decrypted a file, it remains decrypted whenever it is stored on disk. EFS provides the following features:

  • Users can encrypt their files when storing them on disk. Encryption is as easy as selecting a check box in the file's Advanced Attributes dialog box (accessed via the file's Properties dialog box), as shown in Figure 5-3.

  • Accessing encrypted files is fast and easy. Users see their data in plain text when accessing the data from disk.

  • Encryption of data is accomplished automatically and is completely transparent to the user.

  • Users can explicitly decrypt a file by clearing the Encrypt Contents check box in the file's Advanced Attributes dialog box.

  • Designated recovery agents (by default, administrators) can recover data that was encrypted by another user. This ensures that data is accessible if the user who encrypted the data is no longer available or has lost his or her private key.

    Figure 5-3. Encrypting files is as easy as selecting the Encrypt Contents check box.

    Note

    EFS encrypts data only while it is stored on disk. When an encrypted file is read across the network, the file server decrypts it and the plaintext crosses the wire. To protect data in transit over a TCP/IP network, two optional features are available: Internet Protocol security (IPSec) and Point-to-Point Tunneling Protocol (PPTP) link encryption.


The default configuration of EFS requires no administrative effort: users can begin encrypting files immediately. EFS generates an encryption key pair (with a self-signed certificate if no certification authority is available) for a user who does not already have one. Each file is encrypted with a symmetric file encryption key; Windows 2000 used Extended DES (DESX) for this, Triple-DES (3DES) can be selected by policy, and Windows XP SP1 and Windows Server 2003 default to 256-bit AES. Encryption services are available from Windows Explorer. Users can also encrypt a file or folder using the command-line utility cipher. For more information about the cipher command, type cipher /? at a command prompt.

Users encrypt a file or folder by setting the encryption property, just as they set any other attribute such as read-only, compressed, or hidden. If a user encrypts a folder, all files and subfolders created in or added to the encrypted folder are automatically encrypted. It is recommended that users encrypt at the folder level: the temporary and working copies that applications create next to the original then inherit the attribute instead of leaving plaintext on disk. Files or folders that are compressed cannot also be encrypted; if the user marks a compressed file or folder for encryption, it is uncompressed first. Also, a folder marked for encryption is not itself encrypted. The attribute only causes the files within the folder, and any new files created in or moved into it, to be encrypted. Once decrypted, a file remains decrypted until you encrypt it again. There is no automatic re-encryption of a file, even if it sits in a folder marked as encrypted.
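The cipher workflow described above, as an added example in PowerShell (it is not code from the book). It drives cipher.exe and compact.exe, which ship with every NTFS-capable Windows, and checks the three caveats in the paragraph: a compressed folder has to be uncompressed before it can be encrypted, files created in an encrypted folder inherit the attribute, and a file that has been decrypted is not re-encrypted just because it sits in an encrypted folder. The folder `C:\Secrets`, the file `D:\Staging\plain.txt` on a second volume, and the function name `Test-EfsEncrypted` are assumptions.

```powershell
# Added example, not from the book. Run as the user who should own the files.
# Paths are assumptions; both must be on NTFS volumes for EFS to apply.
$Folder = 'C:\Secrets'            # hypothetical folder to encrypt
$Other  = 'D:\Staging\plain.txt'  # hypothetical plaintext file on another volume

function Test-EfsEncrypted {
    # True when the NTFS Encrypted attribute is set on a file or directory.
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [System.IO.FileAttributes]::Encrypted)
}

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# A compressed folder cannot also be encrypted. cipher would uncompress it
# silently; doing it explicitly keeps the change visible in your own log.
compact.exe /U /S:"$Folder" | Out-Null

# Mark the folder and everything already in it as encrypted.
# /E = encrypt, /S:dir = recurse into dir, /A = files as well as directories.
cipher.exe /E /A /S:"$Folder" | Out-Null
Test-EfsEncrypted $Folder                   # True: the folder carries the attribute

# A file created inside the folder afterwards inherits the attribute.
Set-Content -LiteralPath "$Folder\notes.txt" -Value 'quarterly numbers'
Test-EfsEncrypted "$Folder\notes.txt"       # True

# A file moved in from a different volume is re-created under the folder's
# attribute and ends up encrypted. A rename-style move on the same volume
# can leave the original plaintext file untouched, so verify, never assume.
if (Test-Path -LiteralPath $Other) {
    Move-Item -LiteralPath $Other -Destination "$Folder\plain.txt"
    Test-EfsEncrypted "$Folder\plain.txt"   # True when moved across volumes
}

# Decrypting one file clears its attribute, and nothing re-encrypts it later
# even though the parent folder is still marked for encryption.
cipher.exe /D /A "$Folder\notes.txt" | Out-Null
Add-Content -LiteralPath "$Folder\notes.txt" -Value 'appended after decryption'
Test-EfsEncrypted "$Folder\notes.txt"       # False: stays plaintext

# cipher with no switches lists each entry's state: E = encrypted, U = not.
Push-Location -LiteralPath $Folder
cipher.exe
Pop-Location
```

The attribute check is the important part: whether a moved or copied file ends up encrypted depends on the tool that moved it and on whether the target volume is NTFS, so an audit script should look at `[System.IO.FileAttributes]::Encrypted` rather than trust the folder setting.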

Data recovery refers to decrypting a file without the private key of the user who encrypted it. When a file is encrypted, EFS also protects its file encryption key with the public key of each recovery agent named in the recovery policy in force at that time, so an agent added later cannot open files encrypted earlier until they are updated (cipher /u rewrites the recovery information of existing encrypted files). You might need to recover data with a recovery agent if a user leaves the company, a user loses the private key, or a law enforcement agency makes a request. To recover a file, the recovery agent does the following:

  1. Backs up the encrypted files

  2. Moves the backup copies to a secure system, so that the recovery agent's private key never has to be imported on the user's computer

  3. Imports the recovery certificate and private key on that system

  4. Restores the backup files

  5. Decrypts the files, using Windows Explorer or cipher /d
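The five-step recovery procedure above, as an added PowerShell example (not the book's own code). It assumes a recovery agent whose key pair was generated with cipher /r, an encrypted tree `C:\Secrets` to recover, an NTFS backup target `E:\EFSBackup`, the agent's password-protected key file on removable media at `F:\efsra.pfx`, and a dedicated recovery workstation; all of these paths are assumptions. It also uses robocopy /EFSRAW and Import-PfxCertificate, which exist on Windows Vista / Server 2008 and Windows 8 / Server 2012 respectively; on Windows Server 2003 the equivalents are ntbackup and the Certificate Import Wizard.

```powershell
# Added example, not from the book. Paths, names and prompts are assumptions.

# --- Once, by the administrator: create the recovery agent key pair.
# cipher /R writes efsra.cer (public key, to publish in the recovery policy)
# and efsra.pfx (private key, password-protected; keep it off line). The .cer
# goes into Group Policy under Computer Configuration > Windows Settings >
# Security Settings > Public Key Policies > Encrypting File System.
cipher.exe /R:C:\EFSRA\efsra

# Files encrypted before the agent existed carry no entry for it. On each
# client, /U rewrites the recovery information of every encrypted file.
cipher.exe /U

# --- Step 1: back up the encrypted files. The backup operator usually cannot
# read the plaintext, so use the raw EFS backup mode, which copies the
# ciphertext and the file's key material without any decryption.
$Source = 'C:\Secrets'      # hypothetical encrypted tree
$Backup = 'E:\EFSBackup'    # hypothetical NTFS backup location
robocopy.exe $Source $Backup /E /EFSRAW | Out-Null

# --- Step 2: move the backup to the recovery workstation (a dedicated,
# locked-down machine) so the agent's private key is never loaded on the
# user's computer.

# --- Step 3: on that workstation, import the agent's certificate and private
# key into the current user's Personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'EFS recovery .pfx password'
Import-PfxCertificate -FilePath 'F:\efsra.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null

# --- Step 4: restore the files onto an NTFS volume, again in raw mode so they
# arrive still encrypted and intact.
$Restore = 'C:\Recovered'   # hypothetical restore location
robocopy.exe $Backup $Restore /E /EFSRAW | Out-Null

# --- Step 5: decrypt. The agent's private key unlocks the recovery entry in
# each file, so /D succeeds without the original user's key.
cipher.exe /D /A /S:"$Restore" | Out-Null

# Verify: anything still carrying the Encrypted attribute was encrypted under
# a policy that did not include this agent and needs a different key.
$still = Get-ChildItem -LiteralPath $Restore -Recurse -Force -File |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
if ($still) {
    $still | ForEach-Object { Write-Warning "Not decrypted: $($_.FullName)" }
} else {
    Write-Host "All files under $Restore decrypted."
}

# When finished, delete the agent certificate from Cert:\CurrentUser\My on
# the workstation; the off-line .pfx remains the only copy of the key.
```

The leftover check at the end matters in practice: a recovery agent can only open files whose recovery information was written while that agent was in the policy, which is why the cipher /u step on the clients is part of deploying a new agent rather than an afterthought.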

You can use the Group Policy snap-in to define a data recovery policy for domain member servers, or for stand-alone or workgroup servers. You can either request a recovery certificate from an enterprise certification authority or export and import your recovery certificates. You might want to delegate administration of the recovery policy to a designated administrator. Although you should limit who is authorized to recover encrypted data, allowing multiple administrators to act as recovery agents provides you with an alternative if recovery is necessary. In either case, keep each recovery agent's private key off the computers it would be used to recover: export it to removable media, remove it from the agent's profile, and import it only on the secure system for the duration of a recovery.

Digital Signatures

A digital signature is a way to ensure the integrity and origin of data. A digital signature provides strong evidence that the data has not been altered since it was signed, and confirms that it was signed by the holder of the private key matching the signer's certificate; the binding to a particular person or entity is therefore only as strong as the certificate's issuance and the protection of that key. This enables the important security features of integrity and nonrepudiation, which are essential for secure electronic commerce transactions.

Digital signatures are typically used when data is distributed in clear text, or unencrypted form. In these cases the sensitivity of the message itself might not warrant encryption, but there can still be a compelling reason to ensure that the data is in its original form and was not sent by an impostor: in a distributed computing environment, clear text can be read or altered by anyone on the network with the proper access, whether authorized or not.

CAPICOM

Windows Server 2003 includes support for CAPICOM 2.0. This support enables application developers to take advantage of the certificate and cryptography features available in CryptoAPI through an easy-to-use COM interface, so that digital signing and encryption can be incorporated into applications without calling CryptoAPI directly. Because CAPICOM is based on COM, the functionality is reachable from a number of programming environments, such as the Visual C# development tool, the Visual Basic .NET development system, Visual Basic, Visual Basic Scripting Edition, JScript development software, and others. Note that CAPICOM is a 32-bit-only component that Microsoft has since deprecated in favor of the .NET System.Security.Cryptography classes; 64-bit processes cannot load it.

CAPICOM allows you to do the following:

  • Digitally sign and verify arbitrary data with a smart card or software key

  • Digitally sign and verify executables with Authenticode technology

  • Hash arbitrary data

  • Graphically display certificate selection and detailed information

  • Manage and search CryptoAPI certificate stores

  • Encrypt and decrypt data with a password, or with public keys and certificates
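The integrity and origin properties described in the Digital Signatures section, and the "sign and verify arbitrary data" and "hash arbitrary data" items in the CAPICOM list above, as an added PowerShell example. This is not code from the book or from CAPICOM: because CAPICOM is 32-bit only and no longer shipped, it uses .NET's RSACryptoServiceProvider, which sits on the same CryptoAPI key containers that CAPICOM.SignedData used. The function names, the sample message and the 2048-bit software keys are assumptions; with a certificate in the user's store or on a smart card, the same calls would be made on that certificate's private key instead.

```powershell
# Added example, not from the book. Works in Windows PowerShell 5.1 (.NET
# Framework 4.6 or later) and PowerShell 7. Names and messages are assumptions.
$Hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-DetachedSignature {
    # Signs the SHA-256 digest of $Data with the private half of $Key and
    # returns the signature bytes. The data itself stays in clear text.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Key,
        [Parameter(Mandatory)][byte[]]$Data
    )
    return $Key.SignData($Data, $Hash, $Padding)
}

function Test-DetachedSignature {
    # True only if $Signature was produced over exactly $Data by the private
    # key matching $PublicKey. Any change to data, signature or key gives False.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$PublicKey,
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][byte[]]$Signature
    )
    return $PublicKey.VerifyData($Data, $Signature, $Hash, $Padding)
}

# Signer side: a fresh software key (in production, a certificate's key).
$signerKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)

# Verifier side receives only the public parameters (modulus and exponent).
$publicKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$publicKey.ImportParameters($signerKey.ExportParameters($false))

$message   = [System.Text.Encoding]::UTF8.GetBytes('Transfer 100 EUR to account 12345')
$signature = New-DetachedSignature -Key $signerKey -Data $message

# 1. Untouched message, right key: True.
Test-DetachedSignature -PublicKey $publicKey -Data $message -Signature $signature

# 2. One byte changed in transit ("100" becomes "900"): the digest no longer
#    matches what was signed, so verification fails. This is the integrity check.
$tampered = [byte[]]$message.Clone()
$tampered[9] = [byte][char]'9'
Test-DetachedSignature -PublicKey $publicKey -Data $tampered -Signature $signature   # False

# 3. Same message, but signed with somebody else's key: False. This is the
#    origin check; the impostor cannot produce a signature for this public key.
$impostorKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$forged = New-DetachedSignature -Key $impostorKey -Data $message
Test-DetachedSignature -PublicKey $publicKey -Data $message -Signature $forged        # False

# A bare hash (CAPICOM's HashedData) detects accidental corruption only: an
# attacker who edits the data simply recomputes the hash, which is why the
# signature binds the hash to a key.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
[System.BitConverter]::ToString($sha256.ComputeHash($message)).Replace('-', '')

$signerKey.Dispose(); $publicKey.Dispose(); $impostorKey.Dispose(); $sha256.Dispose()
```

For the Authenticode item in the list, the equivalent check on an executable is Get-AuthenticodeSignature, whose Status is Valid only when both the hash of the file and the chain of the signing certificate check out; the two failure cases above correspond to a HashMismatch and a signer you do not trust.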


Introducing Microsoft Windows Server(TM) 2003
ISBN: 0735615705
Year: 2005
Pages: 153