Configuring, Managing, and Troubleshooting Encrypting File System (EFS)

Objective:

Configure, manage, and troubleshoot Encrypting File System (EFS).

Users can encrypt their files by using EFS. The encryption attribute on a file or folder can be toggled the same as any other file attribute. When you set the encryption attribute on a folder, all its contents, whether subfolders or files, are also encrypted.

The encryption attribute, when assigned to a folder, affects files the same way that the compression attribute does when a file is moved or copied. Files that are copied into the encrypted folder become encrypted. Files that are moved into the encrypted folder retain their former encryption attribute, whether or not they were encrypted. When you move or copy a file to a file system that does not support EFS, such as FAT16 or FAT32, the file is automatically decrypted.

Exam Alert

EFS requirements The file system must be set to NTFS if you want to use EFS, and no file can be both encrypted and compressed at the same time.

Encrypting File System Basics

Windows XP Professional has the capability to encrypt files directly on any NTFS volume. This ensures that no other user can use the encrypted data. Encryption and decryption of a file or folder is performed in the object's Properties dialog box. Administrators should be aware of the rules to put into practice to manage EFS on a network:

• Only use NTFS as the file system for all workstation and server volumes.

• Keep a copy of each user's certificate and private key on a floppy disk or other removable media.

• Remove the user's private key from the computer except when the user is actually using it.

• When users routinely save documents only to the My Documents folder, you can make certain their documents are encrypted by having each user encrypt his or her own My Documents folder.

• Use two recovery agent user accounts that are reserved solely for that purpose for each organizational unit (OU) if computers participate in a domain. Assign the recovery agent certificates to these accounts.

• Archive all recovery agent user account information, recovery certificates, and private keys, even if obsolete.

• When planning a network installation, keep in mind that EFS does take up additional processing overhead, and plan to incorporate additional CPU processing power in your plans.

EFS uses certificates to manage the encryption. When a file is encrypted, the user's encryption certificate is assigned to the file. When the user opens the file, the encryption certificate is checked and the user is allowed to open and work with the file. When another user attempts to open the file, the user is unable to do so. Therefore, EFS is suitable for data that a user wants to maintain as private, but not for files that are shared.

To copy file encryption certificates, you use the Export command in the Certificates snap-in. You should be able to follow the process in Step by Step 12.1 to perform this process.

Step by Step 12.1 Exporting File Encryption Certificates 1. Log on to the computer as the user whose encryption certificate you are exporting. Click Start, Run, type mmc in the Open text box, and press Enter. 2. Click the File menu and select Add/Remove Snap-in. 3. Click the Add button. 4. Select Certificates from the list and click the Add button. 5. The Certificates Snap-in dialog box opens, as shown in Figure 12.1. Select the My User Account option. Click the Finish button. Figure 12.1. The users account holds the file encryption certificates. 6. Click the Close button, then click OK to return to the console window. 7. Navigate to the Personal node and select the certificate to export. 8. Click the Action menu and select All Tasks, then select Export. The Export Certificate Wizard starts. 9. Click Next to bypass the first screen. 10. Select Personal Information Exchange PKCS #12 (.PFX) and select the box to Enable Strong Protection (requires IE 5.0, NT 4.0 SP4 or above). Click Next. 11. Type the path to which to export the key. Click Next. 12. Click Finish to confirm.

Permissions do not have any authority over the encryption attribute. A person who has Full Control or Take Ownership permission for a file that has been encrypted with EFS is not able to access the file unless that person is also an authorized user of the file. User accounts that are designated data recovery agents can also decrypt encrypted files. However, even an Administrator for the computer or domain is not able to decrypt an encrypted file without being a designated data recovery agent.

A unique encryption key is assigned to each encrypted file. You can share an encrypted file with other users in Windows XP Professional, but you are restricted from sharing an entire encrypted folder with multiple users, or sharing a single file with a security group. This is related to the way that EFS uses certificates, which are applicable individually to users; and how EFS uses encryption keys, which are applicable individually to files. The following section reviews how to share encrypted files.

How Did They Encrypt That?

EFS uses algorithms that scramble and encode the data within a file. The application program interface, named CryptoAPI, is the EFS component that generates the encryption. When a person encrypts a file for the first time, a pair of keysone public, one privateis randomly created. This pair of keys works both to generate the encryption on the file, and later, to unlock the file to decrypt it.

Designated recovery agents are user accounts authorized to decrypt encrypted files. When a user account is designated as a recovery agent, you essentially are granting it a copy of the key pair. If you lose the key pair, or they become damaged, and if there is no designated recovery agent, there is no way to decrypt the file and the data is permanently lost.

Preparing a Disk for EFS

Windows XP Professional supports a disk formatted with the File Allocation Table (FAT) or the New Technology File System (NTFS). However, EFS works only on a disk that is formatted with the NTFS file system. By default, the disk format is FAT, although as you probably have discerned from Chapter 5, NTFS provides many more features and options than FAT, such as compression, encryption, and granular file permissions.

The only thing that you really need to do to prepare the hard disk for EFS is to make certain that it is formatted with NTFS. If it is not, you can convert the hard disk format from FAT to NTFS or format the partition as NTFS. There are two ways to go about this:

• Use the command-line Convert.exe utility to change an existing FAT16 or FAT32 partition that contains data to NTFS without losing the data.

• Use the graphical Disk Management utility to format a new partition, or an empty FAT partition, to NTFS. If the volume contains data, you will lose it. (You can also use the command-line Format.exe utility to format a partition as NTFS.)

Exam Alert

NTFS and partition conversions Every now and then you see an exam answer that displays the convert command with the /fs:FAT switch. Ignore it. This is always incorrect. Converting a hard disk partition to NTFS is a one-way proposition. After the partition is formatted with NTFS, it cannot be converted back to FAT. The only way to restore the FAT file system is to reformat the partition, erasing all the data, and then restoring the data from a backup. In addition, you may run into a question that prompts for reversion to Windows 98 or Windows Me after the hard disk partition has been converted to NTFS. This too is always incorrect. It is not possible to revert to these operating systems after you have converted the hard disk to NTFS. Your only option is to reformat the hard disk partition and reinstall the older operating system.

Convert.exe is really simple to use and typically problem-free, although you should make certain to back up the data on the partition before you convert it as a precaution. Having already read Chapter 5, you should be fully able to convert a hard disk partition to NTFS. However, Step by Step 12.2 provides full instructions if you want to follow along.

You can format a new or empty hard disk partition as NTFS by using the Disk Management utility. Although you are probably an old hat with Disk Management, you can follow along with the procedure in Step by Step 12.3 if you prefer.

Step by Step: 12.3 Using Disk Management to Format a Hard Disk Partition as NTFS 1. Log on to the computer as an administrator. 2. Right-click My Computer and select Manage from the shortcut menu. 3. The Computer Management utility opens. Navigate to the Storage node and then to the Disk Management node, as shown in Figure 12.2. Figure 12.2. You can use Disk Management to format a partition. 4. Right-click the partition that you intend to format. Click Format on the shortcut menu. 5. Type a volume name in the text box provided, if you wish. 6. Select NTFS from the file system options. You can also make changes to disk allocation unit size, as well as enable file and folder compression on the partition. 7. Click OK. 8. Click OK to start the formatting process.

Establishing an EFS Policy

You can establish a policy, using either Group Policy or Local Security Policy, that applies directly to EFS. (Both Group Policy and Local Security Policy are described in greater detail at the end of this chapter.) To generate this policy, you can open the Group Policy object editor. EFS policies are located in the Computer Configuration node, below Windows Settings, then Security Settings, then Public Key Policies, in the node named Encrypting File System. Right-click the Encrypting File System node and, from the shortcut menu, select All Tasks, as shown in Figure 12.3.

Figure 12.3. Policies applicable to EFS are found in the Computer Configuration node.

The two options that you have are Add Data Recovery Agent and Do Not Require Data Recovery Agents. Remember that without data recovery agents, a damaged or lost key could render a person's entire set of encrypted files useless. Therefore, it is recommended that every EFS certificate is generated along with a data recovery agent.

Group Policy can be used to apply either setting on an organizational unit-, site-, or domain-basis. This gives you a great deal of granular control over who is automatically given data recovery agents and who is not.

When you select the Add Data Recovery Agent policy, a wizard starts. In this wizard, you select the user or users who will be given the recovery agent designation. If you are participating in Active Directory, you merely need to browse for the users and select them. If not, you need to request certificates for each user first and then look for the certificate files for those users. (They are easy to find. Certificate files use a .cer extension.) After you have completed the wizard, each EFS certificate that is generated will be accompanied by a recovery agent's certificate.

Using EFS with a Certification Authority (CA)

You can use different types of certificates with EFSthird-partyissued certificates, CA-issued certificates, and self-signed certificates. If you have developed a security system on your network that utilizes mutual authentication based on certificates issued by your own CA, you can extend the system to EFS to further secure encrypted files.

When an enterprise CA creates certificates, it bases the actual certificate on a template. In a Windows 2000 or Windows Server 2003 Active Directory environment, the certificate templates are stored in the Active Directory itself and are used to define what types of certificates can be issued to users, computers, and resources, as well as the attributes of those certificates. The certificate templates that support EFS are

• Administrator

• Basic EFS

• User

The Basic EFS certificate template is able to be used for only EFS functions. The Administrator and User certificate templates apply to EFS as well as other areas. Each user has to be granted the Enroll permission for a certificate template to receive the certificate. If you want to ensure that users are granted only the User type of certificate for EFS, rather than the basic EFS template, you do not need to delete the template. Instead, you simply remove the Enroll permission for it.

The Certificates snap-in console can be used to request EFS certificates. To request a certificate, you can follow the procedure in Step by Step 12.4.

Storing Certificates in Windows XP

When a Windows XP Professional user obtains a public key certificate, Windows XP writes the certificate to the Registry in the user's individual hive and then stores it in the user's personal certificate store, which is simply a folder containing the certificate in plaintext format at

[View full width]
 %systemdrive%\Documents and Settings\%username%\Application Data\ Microsoft \SystemCertificates\My\Certificates 

Plaintext is acceptable for public keys because they are supposed to be freely available. To guard against outside manipulation, public key certificates are digitally signed by CAs.

Private keys, by their very nature, must be secured, and as a result they are encrypted through the use of a 64-byte-long, random symmetric key called the user's master key. Windows XP places private keys in each user's profile folder:

 %systemdrive%\Documents and Settings\%username%\Application Data\ Microsoft\Crypto\RSA 

All contents of this RSA folder are encrypted with the user's master key. The folder cannot be renamed or moved without causing problems with private key usage or application. EFS must be able to access the public and private keys to encrypt and decrypt files.

Note that both of the folders that store public and private keys are incorporated in the user's profile. When administrators implement roaming profiles, the keys are copied to the local computer at logon and discarded at logoff.

Allowing EFS to Self-Sign Certificates

When Windows XP is in a workgroup or is configured as a stand-alone computer, EFS automatically generates EFS certificates rather than obtaining them from a CA. A user only needs to encrypt a file for a unique EFS certificate to be generated.

When EFS generates certificates, they are automatically self-signed. In addition, when EFS is unable to renew a CA-generated certificate, it generates a self-signed certificate. Whereas EFS attempts to renew all certificates, renewal is not necessary for self-signed certificates because they are valid for a full century. Aside from the 100-years-in-the-future expiration date, self-signed certificates are easy to spot. Their Issued By and Issued To attributes are identical. You can view all these attributes in the Certificates console snap-in.

You can generate a self-signed certificate using the cipher command-line utility. To do so, open a Command Prompt window and type cipher /k, which results in the key output shown in Figure 12.4.

Figure 12.4. The cipher command is used to generate new keys for a user, as well as perform other encryption functions.

You can use Internet Explorer to back up your certificates. To do so, open the browser window, select the Tools menu, and then click Internet Options. Click the Content tab and then click the Certificates button in the Certificates section. You see the dialog depicted in Figure 12.5.

Figure 12.5. Certificate information is displayed on the Content tab of Internet Options for Internet Explorer.

Click the certificate that you want to back up and then click the Export button. (If there are multiple certificates to choose from, double-click them and view each certificate's Detail tab, and in the Show list, click Extensions Only. The Enhanced Key Usage attribute of the certificate states Encrypting File System if it has been generated for EFS.)

After you click the Export button, the Certificate Export Wizard begins and you can follow along with the same process that was described in Step by Step 12.1 at the beginning of this chapter.

Encrypting Files

There are two ways to encrypt a file:

1. Use the cipher command-line utility.

2. Change the Advanced attributes of the file or folder.

You use cipher at a command prompt. If you were going to encrypt a file named Myfile.txt located in the C:\MYDIR folder, the full command to use is

 cipher /e /s:c:\mydir\myfile.txt 

To change the Advanced encryption attribute of a file, navigate to the file, using either My Computer or Windows Explorer, then right-click it. From the shortcut menu, select Properties. On the General tab, click the Advanced button in the Attributes section. The Advanced Attributes dialog box opens, as shown in Figure 12.6.

Check the box next to Encrypt Contents to Secure Data and click OK. Then click OK again to close the file's Properties sheet. You are given a warning dialog that lets you choose between encrypting just the file that you had selected, or both the file and its parent folder. Select one of the options and click OK.

Exam Alert

Mutually exclusive Advanced Attributes In the Advanced Attributes dialog box, if you select the Compress Contents to Save Disk Space check box, the check mark disappears from the Encrypt Contents to Secure Data check box. These two attributes are mutually exclusiveyou can select only one. For any exam solution that provides for a file or folder being both encrypted and compressed, consider it as a wrong answer.

After a file has been encrypted, you can view its encryption attribute details by again right-clicking the file, selecting Properties, and clicking the Advanced button on the General tab. In the Advanced Attributes dialog box, click the Details button. The Encryption Details For dialog box opens, as shown in Figure 12.7.

You can see who is able to open the encrypted file, and you can add other user accounts to share the encrypted file and view the designated data recovery agent, if any. Click the Add button to share the encrypted file. A dialog box listing all the EFS-capable certificates for users opens. If a user has never been issued a certificate (whether through the Certificates snap-in or by encrypting a file in the past), the user's account does not appear in this dialog box.

After a file is encrypted, an unauthorized user attempting to open the file is given an error message that says the user does not have access privileges. If an unauthorized user tries to move or copy an encrypted file, the user receives an Access is denied error message.

Decrypting Files

The process of decryption is the opposite of encryption. You can either use the cipher command or change the Advanced attribute for encryption on the file.

To use the cipher command to decrypt the file, click Start, Run, type cmd in the Open text box, and press Enter. At the command prompt, type cipher /d /s:c:\myfolder\myfile.txt and press Enter. The file will be decrypted.

To use the Advanced Attributes method, open either My Computer or Windows Explorer and navigate to the file. Right-click the file and select Properties. On the General tab, click the Advanced button. In the ensuing Advanced Attributes dialog box, clear the Encrypt the Contents to Secure Data check box. Click OK and then click OK again.

If you are not the person who originally encrypted the file, or if you are not the designated recovery agent, then you will receive an error for applying attributes that says the access is denied.

Troubleshooting EFS

The cipher command can be helpful in discovering information about the encrypted files on your computer, in addition to enabling you to encrypt and decrypt files. Table 12.1 shows the optional switches that you can use with the cipher command. When you use cipher without any switches, it displays the encryption state of the current folder and its contents. When you see the results, either the character U or E appears in front of each file or folder. U means the object is unencrypted and E means that it is encrypted.

You might encounter several problems when using EFS:

• Lost or damaged encryption certificate for a user Log on and access the file as the designated recovery agent and then decrypt the file.

• Data recovery agent key is not backed up Use the Export Certificate Wizard to back up the data recovery agent key to some form of removable media, such as a floppy disk or CD.

• Check boxes are unavailable for Encrypt Contents to Secure Data, as well as Compress Contents to Save Disk Space The file is not stored on an NTFS volume. Use the convert /fs:ntfs command to convert the hard disk.

• You are not allowed to encrypt the file You do not have Write access for the file.

• You can encrypt a file on PC#1, but you cannot encrypt a file on PC#2 Your profile is not available on PC#2; therefore, you should implement roaming profiles.

• A user reports that files are not encrypted even though the user executed the cipher /e command Not an error. The user misunderstood how EFS affects a user while working. You can check to see whether the file has been fully encrypted by looking at its advanced attributes.

• A user cannot open an encrypted file The user does not have the correct EFS certificate and does not have a private key to use. If the key is expired, the certificate is archived.

• An encrypted file is no longer encrypted after it has been copied or moved The user moved the file to a disk partition that is formatted with FAT32.

• Virus scanner receives Access is denied error The virus scanner cannot scan any files encrypted by other users on the hard drive. Those users need to log on and run the virus scanner themselves.

• The Access is denied message is displayed when the user attempts to decrypt a remote file The computer is not trusted for delegation. Open the Active Directory Users and Computers snap-in. Navigate to the computer object. Right-click the computer and select Properties from the shortcut menu to see whether the computer is trusted.