Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q.  Do encrypted files have to be stored on the local hard drive, which would make users responsible for backing up their own hard drives daily?

A.  No. EFS is not limited by design to the local hard drive; an encrypted file can be stored on any Windows 2000 file server on the network, where it falls under the server's normal backup cycle. EFS is responsible only for encrypting the file on disk. It is not assigned the additional task of securing the data while it travels over the network: a remotely stored file is decrypted on the server before it is sent to the client, and protecting those packets is the job of a network security protocol such as IPsec (or SSL/TLS for web traffic). For remote encryption to work, the file server's computer account must be trusted for delegation in Active Directory, because the server impersonates the user to obtain the user's EFS keys, and the user's key pair must be obtainable on that server (for example, through a roaming profile).

Q.  Our corporation is an international company. Can I use 128-bit encryption at some locations and not at others without running into encryption problems?

A.  By default, Windows 2000 EFS provides standard 56-bit encryption. Customers who need stronger protection can obtain 128-bit encryption by ordering the Enhanced CryptoPAK from Microsoft. Files encrypted with the 128-bit version cannot be decrypted, accessed, or recovered on a system that supports only 56-bit encryption, so mixing encryption levels does cause problems: every machine that must open a given file, including the machine on which a recovery agent would recover it, must run the same encryption level. Upgrade every location that will share encrypted files before the first file is encrypted at 128 bits.

Q.  How would you summarize the basic steps that occur in Windows 2000 when a file is encrypted?

A.  The basic steps are:
  1. When a user makes an encryption request, the NTFS driver calls the appropriate EFS callout function.

  2. The requester's user profile is loaded into the Registry if it is not already loaded (the profile holds the user's EFS key pair).

  3. A log file is created that records each operation as it completes during the encryption process.

  4. EFS generates a random file encryption key (FEK), locates the user's key pair, and encrypts the FEK with the user's public key to create the user's entry in the data decryption field (DDF).

  5. The FEK is encrypted with each recovery agent's public key to create the entries in the data recovery field (DRF).

  6. A backup copy of the file is created so that EFS can roll back if the process is interrupted.

  7. All DDF and DRF entries are added to the file's header.

  8. The file's contents are encrypted with the FEK.

  9. The log file and the backup file are deleted at the end of the encryption process.

  10. The requester's profile is unloaded from the Registry if it was loaded in step 2.
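The following script is an added example, not code from the book or from Windows, that models the header layout built in steps 4 to 7 above: one random FEK protects the file body, and the header stores that FEK wrapped once for each user (the DDF) and once for each recovery agent (the DRF). It assumes AES-256 and RSA-OAEP as stand-ins for the DESX and RSA-based wrapping Windows 2000 actually used, and all principal names and the sample text are constructed.

```powershell
# Added example (not from the book): a model of the EFS header described in steps
# 4 to 7. Assumptions: AES-256 and RSA-OAEP stand in for Windows 2000's DESX and
# RSA key wrapping; principal names and the plaintext are constructed sample data.

function New-EfsKeyPair {
    # Each principal (user or recovery agent) owns an RSA key pair. The private key
    # stays inside this object; only the public half is handed to the encryptor.
    param([string]$Name)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [pscustomobject]@{ Name = $Name; Key = $rsa; PublicXml = $rsa.ToXmlString($false) }
}

function Protect-FekForPrincipal {
    # One DDF or DRF entry: the FEK encrypted under the principal's public key.
    param([byte[]]$Fek, [pscustomobject]$Principal)
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($Principal.PublicXml)
    [pscustomobject]@{ Name = $Principal.Name; WrappedFek = $pub.Encrypt($Fek, $true) }
}

function Protect-EfsFile {
    # Steps 4 to 8: generate the FEK, build the DDF and DRF, attach the header,
    # encrypt the body with the FEK.
    param([byte[]]$Plaintext, [pscustomobject[]]$Users, [pscustomobject[]]$RecoveryAgents)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [pscustomobject]@{
        Header = [pscustomobject]@{
            DDF = @($Users          | ForEach-Object { Protect-FekForPrincipal $aes.Key $_ })
            DRF = @($RecoveryAgents | ForEach-Object { Protect-FekForPrincipal $aes.Key $_ })
            IV  = $aes.IV
        }
        Body = $body
    }
}

function Unprotect-EfsFile {
    # Any principal with a DDF or DRF entry unwraps the FEK with its own private key
    # and decrypts the body; a principal with no entry cannot recover the FEK at all.
    param([pscustomobject]$File, [pscustomobject]$Principal)
    $entry = @($File.Header.DDF + $File.Header.DRF) | Where-Object { $_.Name -eq $Principal.Name }
    if (-not $entry) { throw "$($Principal.Name) has no DDF or DRF entry; cannot decrypt" }
    $fek = $Principal.Key.Decrypt($entry.WrappedFek, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $File.Header.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
    , $plain   # leading comma keeps the byte[] intact on the pipeline
}

# --- Demonstration with constructed principals and data ---
$alice   = New-EfsKeyPair 'alice'            # file owner
$agent   = New-EfsKeyPair 'RecoveryAgent'    # domain recovery agent
$mallory = New-EfsKeyPair 'mallory'          # has no entry in the header

$secret  = [Text.Encoding]::UTF8.GetBytes('Q3 payroll figures (constructed sample)')
$efsFile = Protect-EfsFile -Plaintext $secret -Users @($alice) -RecoveryAgents @($agent)

"DDF entries: $($efsFile.Header.DDF.Count), DRF entries: $($efsFile.Header.DRF.Count)"
[Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $efsFile $alice))   # owner opens the file
[Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $efsFile $agent))   # agent recovers it without alice's key
try { Unprotect-EfsFile $efsFile $mallory } catch { "mallory: $($_.Exception.Message)" }
```

The point to take from the model is that the recovery agent never needs the user's private key: it holds its own wrapped copy of the FEK in the DRF, which is exactly why a DRF entry is written for every recovery agent at encryption time and why a recovery agent's private key must be guarded as carefully as the data.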

Q.  How much training is needed for users of sensitive data that requires encryption?

A.  Very little. The Windows Encrypting File System is transparent to users once a file or directory is marked for encryption; setting the encryption attribute through the graphical interface is simply a matter of checking or clearing a check box (Properties, then Advanced, in Windows Explorer). Minimal training might be needed to introduce that Explorer dialog, the new switches for the copy command, and the cipher.exe utility, which lists, encrypts, and decrypts files and folders from the command prompt. Users should also learn one habit the interface does not enforce: encrypt folders rather than individual files, so that new and temporary files created in those folders are encrypted as well.

Q.  What happens to data if a system crashes during the encryption process?

A.  EFS is designed to be fault-tolerant. Throughout the encryption process, a log file records each operation as it is completed. If the system crashes before a file is completely encrypted, the Local Security Authority server (LSASRV) looks for EFS log files at boot time and reads the contents of any it finds. Usually LSASRV copies the backup file over the original, partially encrypted file and then deletes the backup and log files. If LSASRV finds that the original file was never modified, it simply deletes the backup and log files. Either way the user's data survives, but the file is left unencrypted and the encryption must be repeated. Note that until the backup file is deleted at the end of the process, a plaintext copy of the file exists on disk.

Q.  When does encryption actually occur when reading from or writing to an encrypted file?

A.  When an encrypted file needs to be read, the NTFS driver calls the EFS callback function EfsRead. The data is decrypted as NTFS reads it from the hard drive, before it is placed in the file system cache, so the cache holds plaintext and applications never see ciphertext. When an application writes to an encrypted file, the data in the file system cache is likewise plaintext. When the application or the Cache Manager flushes that data to disk, the NTFS driver calls the EFS callback function EfsWrite to encrypt it on the way out. Encryption and decryption therefore happen at the disk boundary, which is why EFS protects data at rest but not data in the cache, in process memory, or on the network.

Q.  Can I use compression and encryption at the same time on a file?

A.  No. On NTFS, compression and encryption are mutually exclusive: a file or folder can carry the Compressed attribute or the Encrypted attribute, but not both. The Windows graphical interface makes this clear: the Advanced Attributes dialog has a check box for each attribute, and selecting one clears the other. The same rule applies at the command line: compact.exe cannot compress an encrypted file, and encrypting a compressed file with cipher.exe removes the compression. If you need both, compress the data inside the file (for example, in a ZIP archive) and then encrypt the archive.

Q.  Can I store an encrypted file in an unencrypted directory?

A.  Yes, but it is not recommended. A user who tries to mark a file for encryption in a directory that is not marked for encryption receives a message stating, "You have chosen to encrypt a file that is not in an encrypted directory. The file can become decrypted when it is modified. Because files saved in encrypted directories are encrypted by default it is recommended that you encrypt the file and the parent folder." The user can then choose whether to encrypt the file and its parent folder or to encrypt the file only. The warning exists because many applications save changes by writing a new temporary file in the same folder and then renaming it over the original; a file created in an unencrypted folder is not encrypted, so the edited copy ends up in plaintext. Encrypting the parent folder closes that gap, since every file created in it is encrypted automatically.
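The following script is an added example, not code from the book, that exercises on a real NTFS volume the three behaviours covered in the training, compression, and unencrypted-directory questions above: marking a folder with cipher.exe, the Encrypted and Compressed attributes being mutually exclusive, and a lone encrypted file losing its encryption when an application saves it by the write-temp-then-rename pattern. It assumes it is run as an ordinary user on Windows with %TEMP% on an NTFS volume where EFS is allowed; the folder and file names and their contents are constructed for the demonstration.

```powershell
# Added example (not from the book). Assumptions: Windows, %TEMP% on NTFS with EFS
# allowed, run as a normal user. All names and file contents are constructed.
$root     = Join-Path $env:TEMP ("efs-demo-" + [guid]::NewGuid().ToString('N'))
$encDir   = Join-Path $root 'Encrypted'    # folder that will be marked for encryption
$plainDir = Join-Path $root 'Plain'        # folder left unencrypted
New-Item -ItemType Directory -Path $encDir, $plainDir | Out-Null

function Test-Encrypted  { param([string]$Path) (Get-Item $Path -Force).Attributes.HasFlag([IO.FileAttributes]::Encrypted) }
function Test-Compressed { param([string]$Path) (Get-Item $Path -Force).Attributes.HasFlag([IO.FileAttributes]::Compressed) }

# 1. Mark the folder for encryption with cipher.exe /E; files created in it inherit the attribute.
cipher.exe /E $encDir | Out-Null
$notes = Join-Path $encDir 'notes.txt'
Set-Content -Path $notes -Value 'constructed sample'
"New file in encrypted folder is encrypted: $(Test-Encrypted $notes)"          # expected True

# 2. Encrypt a single file that lives in an unencrypted folder (the case the warning is about).
$lone = Join-Path $plainDir 'report.txt'
Set-Content -Path $lone -Value 'constructed sample'
cipher.exe /E /A $lone | Out-Null          # /A applies the operation to files, not only folders
"Lone file is encrypted: $(Test-Encrypted $lone)"                              # expected True

# 3. Simulate how many editors save: write a new temp file, then rename it over the original.
$tmp = Join-Path $plainDir 'report.txt.tmp'
Set-Content -Path $tmp -Value 'edited (constructed sample)'
Move-Item -Path $tmp -Destination $lone -Force
"Lone file still encrypted after save-by-rename: $(Test-Encrypted $lone)"      # expected False

#    The same save pattern inside the encrypted folder keeps the data protected.
$tmp2 = Join-Path $encDir 'notes.txt.tmp'
Set-Content -Path $tmp2 -Value 'edited (constructed sample)'
Move-Item -Path $tmp2 -Destination $notes -Force
"Folder-protected file still encrypted after save-by-rename: $(Test-Encrypted $notes)"   # expected True

# 4. Compression and encryption are mutually exclusive: compact.exe cannot compress an
#    encrypted file, so the Compressed bit stays clear (compact's own error text is discarded).
compact.exe /C $notes 2>&1 | Out-Null
"Encrypted file is compressed: $(Test-Compressed $notes)"                       # expected False

# 5. cipher.exe with no switches lists each entry's state: E = encrypted, U = unencrypted.
cipher.exe $plainDir
cipher.exe $encDir

# Clean up the demo tree (cipher /D would decrypt; here the files are simply removed).
Remove-Item -Path $root -Recurse -Force
```

Step 3 is the behaviour the Explorer warning describes: the renamed temporary file carries the attributes it was created with in the unencrypted folder, so the "encrypted" report silently becomes plaintext after one save. Running the same sequence inside the encrypted folder shows why encrypting the parent folder, not the individual file, is the right default.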

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162