Encrypting File System (EFS)


The Encrypting File System (EFS) is a new feature in Windows 2000. EFS is an extension to NTFS version 5.0, the NTFS version included with Windows 2000, and allows a user to encrypt files and folders. EFS uses public/private key technology: the contents of each file are encrypted with a randomly generated symmetric file encryption key, and that key is in turn protected with the user's public key, so the data cannot be read without the matching private key (or a recovery agent's private key). The encryption itself is not the weak point; the protection is only as strong as the keys and the accounts that hold them.

As is typical with public key technology, the public key is used for encryption (in EFS, to protect the file encryption key) and only the matching private key can decrypt. After encryption is configured, the encrypt/decrypt process is transparent to the user.

Note: The file/folder encryption and compression attributes are mutually exclusive. You can apply one or the other to a file or folder, but not both.


The first time a user selects the encryption attribute in the properties dialog of a file or folder, as shown in Figure 8.16, EFS automatically generates a public/private key pair and requests a certificate for the public key from a Certificate Authority (CA). If no CA is available, EFS issues a self-signed certificate instead. All of this is transparent to the user.

Figure 8.16. The folder properties dialog box, showing the Advanced Attributes selections.


So that the data can be recovered if the user loses their private key or leaves the company, the local Administrator account is designated as the Data Recovery Agent (DRA). This is the default, and it can be changed using the Public Key Policies node of the Local Security Settings MMC, as shown in Figure 8.17. Because this account is designated as the DRA, a recovery certificate and private key are generated for it and saved in the local Administrator's certificate store, and every file that EFS encrypts is also made recoverable with that key. The recovery key can be used only to recover the data: recovery decrypts the file without ever revealing the user's private key.

Figure 8.17. The Local Security Settings MMC, showing the Encrypted Data Recovery Agents certificate.


On standalone Windows 2000 servers and workstations, the local Administrator account is designated as the Data Recovery Agent (DRA). In a domain, the domain Administrator account holds this role. If the recovery policy is emptied, for example by a configuration error that removes the DRA, the system assumes that no data recovery policy is in place and refuses to encrypt any files or folders until a DRA is defined again.
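How the user's key and the recovery agent's key both open the same file, as an added illustration that is not from the book and not Windows' own EFS code: EFS does not encrypt file contents with the public key directly. It generates a random symmetric file encryption key (FEK), encrypts the contents with that, and stores the FEK encrypted once under the user's public key (the Data Decryption Field) and once under each recovery agent's public key (the Data Recovery Field). The PowerShell below models that layout with .NET's RSA and AES classes (Windows 2000 EFS used DESX for the file body; AES stands in for it here). The functions New-KeyPair, New-EfsLikeFile and Open-EfsLikeFile and the container layout are hypothetical, and the script needs Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the book, not Windows' EFS implementation): a model of the
# EFS key layout. New-KeyPair / New-EfsLikeFile / Open-EfsLikeFile are hypothetical names.
# Needs Windows PowerShell 5.1 or PowerShell 7 (.NET RSA and AES classes).

function New-KeyPair {
    # In real EFS the public half is wrapped in a certificate (CA-issued or
    # self-signed) and the private half lives in the user's profile.
    [System.Security.Cryptography.RSA]::Create(2048)
}

function New-EfsLikeFile {
    param(
        [byte[]] $Plaintext,
        [System.Security.Cryptography.RSA] $UserKey,        # the encrypting user's key pair
        [System.Security.Cryptography.RSA[]] $RecoveryKeys  # one key pair per recovery agent
    )
    $pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $aes = [System.Security.Cryptography.Aes]::Create()    # stands in for Windows 2000's DESX
    $fek = $aes.Key                                         # random File Encryption Key
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Data Recovery Field: the same FEK wrapped once per recovery agent's public key
    $drf = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($k in $RecoveryKeys) { $drf.Add($k.Encrypt($fek, $pad)) }

    [pscustomobject]@{
        IV   = $aes.IV
        Body = $body
        DDF  = $UserKey.Encrypt($fek, $pad)   # Data Decryption Field: FEK under the user's public key
        DRF  = $drf
    }
}

function Open-EfsLikeFile {
    param($File, [System.Security.Cryptography.RSA] $PrivateKey)
    $pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    # Whichever wrapped copy this private key can open yields the FEK; recovery
    # needs the FEK only, never the user's private key.
    $candidates = [System.Collections.Generic.List[byte[]]]::new()
    $candidates.Add($File.DDF)
    foreach ($w in $File.DRF) { $candidates.Add($w) }
    foreach ($wrapped in $candidates) {
        try { $fek = $PrivateKey.Decrypt($wrapped, $pad) } catch { continue }  # wrong key: OAEP check fails
        $aes = [System.Security.Cryptography.Aes]::Create()
        $aes.Key = $fek
        $aes.IV  = $File.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
        return ,$plain    # the comma keeps the byte[] intact instead of unrolling it
    }
    throw "no usable key: neither the owner's nor a recovery agent's private key"
}

# Demonstration with constructed data
$alice   = New-KeyPair   # the user who encrypts the file
$dra     = New-KeyPair   # the designated Data Recovery Agent
$mallory = New-KeyPair   # another user on the same machine
$data = [Text.Encoding]::UTF8.GetBytes('quarterly numbers (constructed sample)')

$file = New-EfsLikeFile -Plaintext $data -UserKey $alice -RecoveryKeys @($dra)

[Text.Encoding]::UTF8.GetString((Open-EfsLikeFile $file $alice))   # owner reads it back
[Text.Encoding]::UTF8.GetString((Open-EfsLikeFile $file $dra))     # DRA recovers it without Alice's private key
try { Open-EfsLikeFile $file $mallory } catch { "other user: $_" }  # what EFS reports as "Access is Denied"
```

The point of the model is the two wrapped copies of the FEK: removing the recovery agent from policy means new files get no DRF entry, which is exactly why the book says EFS refuses to encrypt when the recovery policy is empty, and why a DRA can recover a file without ever learning the user's private key.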

The following conditions apply when moving or copying encrypted files:

  • If an encrypted file or folder is moved or copied to another folder on an NTFS-formatted volume, it remains encrypted.

  • If an encrypted file or folder is moved or copied to a FAT- or FAT32-formatted volume, it is decrypted, because those file systems cannot store EFS data.

  • If an encrypted file or folder is moved or copied to a floppy, it is decrypted for the same reason (floppies are FAT formatted).

  • If a user other than the one who encrypted the file or folder attempts to copy it, they receive the message "Access is Denied," because copying must read the contents and only the owner's (or a recovery agent's) private key can decrypt them.

  • If a user other than the one who encrypted the file attempts to move it to a folder on the same volume that was encrypted by the original user, the move succeeds, because a move within a volume only renames the file and never reads its contents.

  • If a user other than the one who encrypted the file or folder attempts to move or copy it to another volume, whether NTFS, FAT, or FAT32, they receive the message "Access is Denied," because a move across volumes is a copy followed by a delete.

Note: The user account with recovery agent rights can copy the file to his or her own computer to perform the recovery there.
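To check the rules above on a live system, here is an added PowerShell example (not from the book) that copies or moves an EFS file and reports whether the result arrived encrypted, arrived decrypted, or was refused. The function names Test-EfsEncrypted, Get-VolumeFormat and Copy-EfsFileChecked are my own; the script assumes Windows PowerShell 5.1 or later on Windows, an existing EFS-encrypted source file and an existing destination folder. Run it as the user who encrypted the file to exercise the NTFS and FAT cases, and as another user to exercise the "Access is Denied" cases.

```powershell
# Added example (not from the book): observe what happens to the Encrypted attribute
# when an EFS file is copied or moved. Function names are hypothetical.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an existing EFS-encrypted
# source file, and an existing destination folder.

function Test-EfsEncrypted {
    param([string] $Path)
    # The Encrypted attribute is readable metadata even for users who cannot open the file
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-VolumeFormat {
    param([string] $Path)
    # DriveInfo wants the volume root, e.g. "D:\"; floppies and USB sticks are drives too
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
    [System.IO.DriveInfo]::new($root).DriveFormat      # "NTFS", "FAT32", "FAT", ...
}

function Copy-EfsFileChecked {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $DestinationDir,
        [switch] $Move
    )
    if (-not (Test-EfsEncrypted $Source)) {
        throw "$Source is not EFS-encrypted; nothing to observe"
    }
    $format = Get-VolumeFormat $DestinationDir
    $target = Join-Path $DestinationDir (Split-Path -Leaf $Source)
    # Rule from the text: stays encrypted on NTFS, decrypted on FAT/FAT32 (floppies included)
    $expected = if ($format -eq 'NTFS') { 'encrypted' } else { 'decrypted' }

    try {
        if ($Move) { Move-Item -LiteralPath $Source -Destination $target -ErrorAction Stop }
        else       { Copy-Item -LiteralPath $Source -Destination $target -ErrorAction Stop }
    } catch {
        # A user other than the encryptor lands here ("Access is denied"), as the text
        # describes; a copy the OS refuses rather than decrypts also lands here.
        return [pscustomobject]@{
            Target = $target; Format = $format; Expected = $expected
            Outcome = "refused: $($_.Exception.Message)"; Matches = $false
        }
    }

    $actual = if (Test-EfsEncrypted $target) { 'encrypted' } else { 'decrypted' }
    [pscustomobject]@{
        Target   = $target
        Format   = $format
        Expected = $expected
        Outcome  = $actual
        Matches  = ($actual -eq $expected)
    }
}

# Usage (paths are placeholders; substitute your own):
# Copy-EfsFileChecked -Source 'C:\Secret\report.doc' -DestinationDir 'D:\'         # NTFS: expect encrypted
# Copy-EfsFileChecked -Source 'C:\Secret\report.doc' -DestinationDir 'A:\' -Move   # FAT floppy: expect decrypted
```

The Matches column is the check a practitioner wants: a decrypted outcome on a removable FAT volume is the silent data exposure the second and third bullets warn about, so a script that stages files for transfer should test the destination format before it copies rather than after.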


Recovering an Encrypted File or Folder

To recover an encrypted file or folder, you must use the EFS recovery agent.

To recover a file or folder:

  1. Log on to the computer using the EFS Data Recovery Agent account.

  2. Right-click the file or folder and select Properties.

  3. Click the Advanced button.

  4. From the Advanced Attributes dialog box, deselect the Encrypt Contents to Secure Data checkbox.

  5. Click OK twice to save.

Encryption Using the Cipher Command

The cipher command-line utility lets you work with encrypted files and folders from the command line. This is handy when you encrypt or decrypt a large number of files or folders, because you can use wildcards or run the utility from a script. Its syntax is

 C:\> cipher [/e | /d] [/s:dir] [/a] [/i] [/f] [/q] [/h] [/k] [pathname [...]]

so that, for example, cipher /e /a /s:C:\Reports encrypts the Reports folder, all of its subfolders, and the files already in them. Note that /f is a modifier for the /e operation, not an operation of its own. The cipher command options are shown in Table 8.1.

Table 8.1. Cipher Command-Line Options

Option         Meaning
-------------  ------------------------------------------------------------------
No parameters  Displays the encryption state of the current folder and of the
               files and subfolders in it
/e             Encrypts the specified folder(s); a folder so marked encrypts
               files added to it afterward
/d             Decrypts the specified folder(s); files added to it afterward are
               not encrypted
/s:dir         Performs the operation on the folder dir and all of its subfolders
/a             Operates on files as well as folders (without it, /e and /d only
               mark the folders). Encrypt the parent folder too: a file in an
               unencrypted folder can become decrypted when it is modified
/i             Continues after an error occurs (by default cipher stops at the
               first error)
/f             Forces the encryption operation on all specified objects, even
               those already encrypted (already-encrypted objects are skipped by
               default)
/q             Reports only the most essential information (non-verbose)
/h             Includes files with the hidden or system attribute, which are
               omitted by default
/k             Creates a new file encryption key for the user running cipher;
               all other options are ignored
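The following added PowerShell example (not from the book) drives cipher.exe with the switches from Table 8.1 and also serves the recovery procedure above: it encrypts a folder tree, parses the state listing cipher prints, and, when run as the Data Recovery Agent, decrypts the tree as the command-line equivalent of clearing the Encrypt Contents check box. The functions Get-EfsState, Protect-EfsTree and Unprotect-EfsForRecovery are hypothetical names, and the parsing assumes cipher's listing format of one entry per line, "E name" for encrypted and "U name" for unencrypted, after a "Listing <dir>" header; adjust the regular expression if your version prints differently.

```powershell
# Added example (not from the book): drive cipher.exe from PowerShell. Function names
# Get-EfsState / Protect-EfsTree / Unprotect-EfsForRecovery are hypothetical. Uses only
# the switches from Table 8.1. Assumes cipher's listing format of one entry per line,
# "E name" for encrypted and "U name" for unencrypted.

function Get-EfsState {
    param([Parameter(Mandatory)] [string] $Folder)
    # Walk the tree ourselves: a plain listing does not recurse
    $dirs = @(Get-Item -LiteralPath $Folder) + @(Get-ChildItem -LiteralPath $Folder -Directory -Recurse -Force)
    foreach ($d in $dirs) {
        # No /e or /d: cipher only lists; /h makes it include hidden and system files.
        $lines = & cipher.exe /h "$($d.FullName)\*"
        foreach ($line in $lines) {
            if ($line -match '^\s*([EU])\s+(.+?)\s*$') {
                [pscustomobject]@{
                    Path      = Join-Path $d.FullName $Matches[2]
                    Encrypted = ($Matches[1] -eq 'E')
                }
            }
        }
    }
}

function Protect-EfsTree {
    param([Parameter(Mandatory)] [string] $Folder, [switch] $Force)
    # /e marks folders; /a also encrypts the files already in them; /s:dir recurses;
    # /i keeps going past a file that cannot be encrypted instead of stopping there.
    $switches = @('/e', '/a', '/i', "/s:$Folder")
    if ($Force) { $switches += '/f' }      # re-encrypt files already marked encrypted
    & cipher.exe @switches | Out-Null
    # Return whatever is still unencrypted so a script can act on the entries /i skipped
    @(Get-EfsState $Folder | Where-Object { -not $_.Encrypted })
}

function Unprotect-EfsForRecovery {
    param([Parameter(Mandatory)] [string] $Folder)
    # Run while logged on as the Data Recovery Agent: the DRA's private key opens each
    # file's recovery field, so /d succeeds without the original user's private key.
    # This is the command-line form of the GUI recovery steps.
    & cipher.exe /d /a /i "/s:$Folder" | Out-Null
    @(Get-EfsState $Folder | Where-Object Encrypted).Count    # entries still encrypted; expect 0
}

# Demonstration on a scratch folder (constructed); needs an NTFS volume and an account
# that is allowed to use EFS.
$scratch = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Force -Path $scratch | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'note.txt') -Value 'constructed sample'
$left = Protect-EfsTree $scratch
if ($left.Count) { Write-Warning "not encrypted: $($left.Path -join ', ')" }
Get-EfsState $scratch | Format-Table -AutoSize     # expect note.txt with Encrypted = True
```

For an actual recovery, log on as the DRA on a computer where that account's recovery certificate and private key are present in its certificate store (which is why the earlier note says the DRA may copy the file to his or her own computer first), then call Unprotect-EfsForRecovery on the folder. A non-zero return value means some entries could not be decrypted with the DRA's key, typically files encrypted before that DRA was added to policy.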

Exam Alert: You might encounter EFS questions on the exam. You should know how to encrypt and decrypt files and folders using both the GUI and the cipher utility. In addition, you should be familiar with the key recovery process.




MCSE Windows 2000 Server Exam Cram 2 (Exam 70-215)
ISBN: 0789728737
Year: 2003
Pages: 155
