EFS Best Practices


The following is a list of best practices for utilizing EFS:

  • Disable EFS until a recovery policy is enabled and tested.

  • Ensure that a DRA is created on stand-alone XP computers.

  • Consider implementing Syskey protection (mode 2 or 3) to protect local credentials against password attacks that try to recover EFS keys. Also consider disabling cached logons to prevent the local recovery of passwords from the local LSA cache.

  • Change the default DRAs from the default administrator accounts to newly created, specialized DRA accounts.

  • The private keys of DRAs or KRAs should be removed from the environment after creation and only installed when recovery is needed.

  • Recovery agent certificates must be assigned to special recovery agent accounts that are not used for any other purpose.

  • Exported private keys should be stored in one or more secure locations, and password-protected with a long and complex password.

  • Do not destroy recovery certificates or private keys when recovery agents are changed, until after the Cipher.exe /U command is run against all encrypted files.

  • Help users decide which files and folders should be encrypted (e.g., My Documents, Temp file folders, etc.), and which types should be avoided (e.g., Profile directories, System files, etc.).

  • Teach users to encrypt folders instead of individual files to prevent unintentional decryption and to prevent leakage from temporary file creation during the encryption process.

  • Avoid using print spool files, or make sure that print spool files are generated in an encrypted folder.



Professional Windows Desktop and Server Hardening
Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
EAN: 2147483647
Year: 2004
Pages: 122
