Summary of Exam Objectives

In Windows 2000, Microsoft provided users with the ability to encrypt files that contain sensitive information via a feature called the Encrypting File System. In Windows XP/.NET, improvements were made to EFS that added functionality. With EFS, encryption can be set both at the directory level and the file level. This new security feature is efficient in that the encryption/decryption process is totally transparent to users after the files are marked for encryption.

Basic file encryption is accomplished using two methods: secret key and public key. Secret key encryption uses the same key for encrypting and decrypting data (and thus is considered less secure than public key encryption). The secret key algorithm is relatively fast and therefore is appropriate for encrypting large amounts of data. Public key cryptography uses a key pair.

The public key is used to encrypt a file, and the private key is used to decrypt the file. This method of encryption provides more security because only a private key (which is never shared with anyone) can unscramble the ciphertext into plaintext. Slower performance is the price you pay for this higher level of security. Because the process is slow, public key cryptography should only be used on small amounts of data.

Windows EFS uses both methods of encryption. A file is encrypted using a secret key called the FEK, with the DESX (or in Windows XP, 3DES) algorithm. To further protect the FEK from unauthorized access, the FEK is then encrypted by the owner's public key.

When it comes to the user actually working with sensitive data, no additional configuration steps are needed. When a file or directory is marked for encryption, the whole encrypting/decrypting process is transparent to users. A user can tell the Windows 2000 operating system which files are to be encrypted through either the Windows Explorer interface or a command-line utility called the Cipher Utility.

File encryption does not modify the normal file operations of renaming or moving. When you move an encrypted file on the same partition, the pointer in the directory is changed, but nothing in the encryption fields is modified. A rename operation on an encrypted file changes only the filename, once again modifying no field tied to the encryption process. Encrypted files can be copied or moved only by those with authorization to access the files.

The new Cipher Utility allows users to encrypt and decrypt files or directories at the command prompt. The included switches for this utility allow users to indicate whether a requested operation should be performed on all files and subdirectories, whether the operation should continue after an error has occurred, and whether to force encryption of files that are already encrypted.

The EfsRecvr Utility can be used to recover an encrypted file if the owner's private key is corrupted or lost. The EfsRecvr utility has switches that are similar to the Cipher Utility in that the recovery agent can indicate how much of the directory structure is to be recovered and whether the process should continue, even if an error occurs.

EFS follows the Windows NT/2000/XP/.NET operating system architectural model. Some of the encryption activity is handled in protected mode, known as kernel mode, whereas other tasks are performed in user mode. Windows 2000 added the EFS driver in kernel mode, which, at initialization time, registers seven EFS callout functions with the NTFS driver. When the NTFS driver needs to do any EFS operation, the NTFS makes a call to one of the appropriate callout functions. The other component employed in kernel mode is known as the KsecDD driver. The role of the KsecDD driver in the encryption process is to send the LPC messages from the EFS driver to the Local Security Authority Subsystem, or LSASS.

Windows 2000 also added to the LSASS, which runs in user mode, a series of internal functions for encryption/decryption operations. In the encryption process, the internal function EncryptFileSrv plays a major role. Also located in user mode is a cryptographic provider, the Microsoft Base Cryptographic Provider. One major responsibility of this cryptographic provider is to provide the RSA encryption operation after a session has been established.

The EFS file information is created by the EncryptFileSrv function call. The information includes a checksum, the data decryption field (DDF), and the data recovery field (DRF). The checksum is used at decryption time to verify the integrity of the EFS file information. The DDF is a list of owner key entries, and the DRF is a list of recovery agents' key entries. This EFS file information is used with every occurrence of decryption.
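The hybrid scheme the summary describes (a per-file FEK that encrypts the data, then is wrapped once per owner entry in the DDF and once per recovery agent entry in the DRF, which is what lets a recovery agent read a file after the owner's private key is lost), as an added example that is not code from the study guide or from Windows. The struct layout, the names, AES-GCM standing in for DESX/3DES and RSA-OAEP as the wrapping operation are assumptions, and the checksum over the file information is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KeyEntry is one DDF or DRF entry: the FEK wrapped under one party's RSA public key.
type KeyEntry struct{ Who string; WrappedFEK []byte }
// EFSFile is the ciphertext plus the DDF (owner entries) and DRF (agent entries); illustrative layout only.
type EFSFile struct {
	Nonce, Ciphertext []byte
	DDF, DRF          []KeyEntry
}

func wrapAll(pubs map[string]*rsa.PublicKey, fek []byte) (list []KeyEntry) {
	for who, pub := range pubs {
		w, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte(who))
		list = append(list, KeyEntry{Who: who, WrappedFEK: w})
	}
	return list
}
// Encrypt draws a random per-file FEK, encrypts the data with it (AES-GCM stands in
// for DESX/3DES here) and wraps that FEK once for every owner and every recovery agent.
func Encrypt(plain []byte, owners, agents map[string]*rsa.PublicKey) *EFSFile {
	fek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(fek)
	rand.Read(nonce)
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return &EFSFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil), DDF: wrapAll(owners, fek), DRF: wrapAll(agents, fek)}
}
// Decrypt tries every DDF and DRF entry with the caller's private key: only the party
// an entry was wrapped for can unwrap the FEK, so an agent never needs the owner's key.
func Decrypt(f *EFSFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, e := range append(append([]KeyEntry{}, f.DDF...), f.DRF...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedFEK, []byte(e.Who))
		if err != nil {
			continue // OAEP check fails for a key this entry was not wrapped for
		}
		block, _ := aes.NewCipher(fek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}
```

A key not listed in either field gets nothing, and corrupting a wrapped FEK makes that entry unusable, which is why the real format carries a checksum over these fields.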

The addition of file encryption to Windows provides added security for sensitive data stored on the hard disk and makes it unnecessary for users to seek third-party solutions when they need to ensure the highest level of protection for their data.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
