Encrypting File System (EFS)


One of the hot items in the news lately has been data theft. There have been far too many cases of thieves either accessing sensitive data over the Internet or stealing laptop computers that contain thousands of names, Social Security numbers, bank account numbers, and the like. Too many people assume that as long as an asset is password protected, their data is safe. This is far from the case.

Any amateur with a password-cracking program can gain access to a computer, and accessing data from a stolen computer is as simple as installing a new operating system on the hard drive, or just adding the hard drive to another computer. After files are accessed, they can be read or copied.

The Encrypting File System (EFS), first introduced in Windows 2000, has been updated for Windows Server 2003. EFS is an extension to NTFS and provides file-level encryption. EFS uses public/private key technology, which makes it difficult, but not necessarily impossible, to crack. As is typical with this key technology, the public key is used to encrypt the data, and a private key is used for decryption.

The public key is just that: public. It can be passed around and is used to encrypt a file or an email message. Public keys are good for information exchange, such as secure mail. A user can publish her public key, and people can use this key to encrypt any mail they are sending to her. They can be assured that no one else can read the message, because it can be decrypted and read only by using the private key, which is kept secure by the receiver.

Exam Alert: Public/Private Key Technology

This technology is covered at length on the 70-298 Designing Security for a Microsoft Windows Server 2003 Network exam. More information about this technology can be found at http://windowssdk.msdn.microsoft.com/en-us/library/ms732314.aspx.


Encryption in EFS works by using a public/private key pair together with a per-file encryption key. When a user encrypts a file, EFS generates a file encryption key (FEK), encrypts the file with it, and then uses the user's public key to encrypt the FEK. When the user wants to read or decrypt the file, the FEK is decrypted using the private key, and the decrypted FEK is then used to decrypt the file.

Note:

The file encryption and compression attributes are mutually exclusive. You can apply one or the other to a file, but not both.


Although you can mark a folder as encrypted, the folder itself is not actually encrypted. EFS provides only file-level encryption. By marking a folder as encrypted, any files that are created or moved into the folder are automatically encrypted. Any existing files in the folder at the time that you set the encryption attribute are not automatically encrypted unless you select the option to apply changes to the folder, subfolder, and files on the Confirm Attribute Changes dialog.

The first time a user selects the encryption attribute from the properties dialog box of a file or folder, EFS will automatically generate a public key pair; then the private key is certified by a Certificate Authority (CA). If a CA is not available, the public key is self-signed. All this is transparent to the user.

In Step by Step 13.17, we will use EFS to encrypt a folder, create a file in that folder, and then copy a file to that folder to see the effects of the encryption process.

Step by Step

13.17 Encrypting a file or folder

1.

In Windows Explorer, create a folder and name it Secure. Create a file in this folder and name it Test1.txt.

2.

In Windows Explorer, right-click the folder you just created and select Properties from the pop-up menu.

3.

This displays the Advanced Attributes dialog box shown in Figure 13.38.

Figure 13.38. The Advanced Attributes dialog box allows you to turn on either compression or encryption.


4.

Click the OK button twice to save the changes and close the Properties dialog box.

5.

Create a text file in the root directory and name it Secure1.txt. Move the file to the Secure folder.

6.

Create a text file in the Secure folder and name it Secure2.txt.

7.

Observe in Windows Explorer that both new files in the Secure folder (Secure*.txt) are displayed in green and that the original file is unchanged, as shown in Figure 13.39. This indicates that they are encrypted.

Figure 13.39. Encrypted files and folders will be displayed in green.


8.

Log off the server, and then log back on again using a domain user (not an administrator account). Try to open the encrypted files in the Secure folder. You should receive the message Access is denied.

As you saw in the exercise, turning on encryption for a file or folder is pretty simple. In addition, after encryption is turned on for a folder, every file that is created or moved into that folder is automatically encrypted, without any user intervention. Any existing files are not affected.

The following conditions apply when moving or copying encrypted files:

  • When a folder is encrypted, all files and subfolders added to that folder are automatically encrypted.

  • If an encrypted file or folder is moved or copied to another folder on an NTFS formatted volume, it remains encrypted.

  • If an encrypted file or folder is moved or copied to a FAT or FAT32 formatted volume, it is decrypted.

  • If an encrypted file or folder is moved or copied to a floppy, it is decrypted.

  • If a user other than the one who encrypted the file or folder attempts to copy it, he will receive the message Access is denied.

  • If a user other than the one who encrypted the file attempts to move it to a folder that was encrypted by the original user, she will be successful.

  • If a user other than the one who encrypted the file or folder attempts to move or copy it to another volume (NTFS, FAT, or FAT32), he will receive the message Access is denied.

After encryption is configured, the encrypt/decrypt process is transparent to the user and to applications. When a user opens a file, it is automatically decrypted and will be re-encrypted when the user saves it. Because encryption is a file-level process, the application is unaware that it is working with an encrypted file. However, you must be careful to set the encryption attribute on the folder that the file is stored in, because some applications, such as Microsoft Word, will create temporary files, and they will not be encrypted unless they are in an encrypted folder.

Sharing Encrypted Files

In some situations, the data in a file will need to be shared with other users, or possibly a group of users. However, it will still be important to keep the contents secure. In this situation, you can specifically share the encrypted file with other users. However, keep the following points in mind:

  • After the user is given permission to the file, he or she can also grant others permission to use the file.

  • Encrypted files can be shared, but not encrypted folders. Note that this refers only to EFS sharing, and an encrypted folder can always be an NTFS file share.

  • Any user who is being granted access must have an EFS certificate. This certificate can reside in Active Directory, in the user's roaming profile, or in the user's profile on the server where the shared file is located.

Note: Certificate Required

As we mentioned earlier, all users who are being granted access must have a certificate. The easiest way to get a certificate is to encrypt a file or folder, which will automatically generate an EFS certificate for that user.


To share an encrypted file, follow the procedure in Step by Step 13.18.

Step by Step

13.18 Sharing an encrypted file

1.

Open Windows Explorer and navigate to the Secure folder.

2.

In Windows Explorer, right-click the Secure2.txt file and select Properties from the pop-up menu.

3.

This displays the Advanced Attributes dialog box.

4.

Click the Details button; this opens the Encryption Details dialog box, as shown in Figure 13.40.

Figure 13.40. The Encryption Details dialog box allows you to authorize users and recovery agents for an encrypted file.


5.

Click the Add button and use the Select User dialog box (see Figure 13.41) to add a user to the encrypted file. Click OK three times to return to Windows Explorer.

Figure 13.41. The Select User dialog box lists the users who have certificates installed on the local machine.


6.

Log off the server, and then log back on again using the user that you shared the file with. Try to open the files in the Secure folder. The file should open without any problems.

EFS Recovery Agents

So how can encrypted data be recovered if users lose their private key or leave the company? On standalone Windows servers and workstations (not members of a domain), the Data Recovery Agent (DRA) role must be manually assigned; it is not created automatically. In a domain, the domain administrator's account will automatically be granted this role.

Because this account is designated as the DRA, a recovery key is generated and saved in the local administrator's certificate store; the local administrator can use it to recover the encrypted data. This recovery key can be used only to recover the data. The user's private key is never revealed.

If the DRA role is removed by a configuration error, the system assumes that no data recovery policy is in place and will refuse to encrypt any files or folders.

Note:

The user account with recovery agent rights will be able to copy the file to his/her computer to perform recovery operations.


Any user can be a recovery agent; no other rights are required.
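The following is an added illustration of the key model described above (the FEK encrypted with a public key, sharing a file with another user, and the recovery agent's key); it is not Microsoft's EFS implementation, only the same design built from .NET primitives in PowerShell 5.1 or 7. The user names, the wrapped-FEK table and the sample text are constructed for the demo.

```powershell
# Added illustration of the EFS key model, not Microsoft's implementation.
# One random per-file key (the FEK) encrypts the data; the FEK is then wrapped
# with each authorized user's RSA public key. Sharing the file or designating a
# recovery agent only adds another wrapped copy of the FEK. No private key is
# ever handed to anyone else.
using namespace System.Security.Cryptography

function New-EfsUser([string]$Name) {
    # Stands in for the user's EFS certificate and private key (constructed).
    [pscustomobject]@{ Name = $Name; Key = [RSA]::Create(2048) }
}

function Protect-EfsFile([byte[]]$Plaintext, $Owner) {
    $aes = [Aes]::Create(); $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()                    # the FEK and a fresh IV
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $wrapped = @{}                                           # user name -> FEK wrapped with that user's public key
    $wrapped[$Owner.Name] = $Owner.Key.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)
    [pscustomobject]@{ IV = $aes.IV; Data = $data; WrappedFek = $wrapped }
}

function Grant-EfsAccess($File, $Grantor, $Grantee) {
    # Only someone who already holds a wrapped FEK can unwrap it (with their own
    # private key) and re-wrap it for another user, as the sharing section describes.
    if (-not $File.WrappedFek.ContainsKey($Grantor.Name)) { throw 'Access is denied' }
    $fek = $Grantor.Key.Decrypt($File.WrappedFek[$Grantor.Name], [RSAEncryptionPadding]::OaepSHA256)
    $File.WrappedFek[$Grantee.Name] = $Grantee.Key.Encrypt($fek, [RSAEncryptionPadding]::OaepSHA256)
}

function Unprotect-EfsFile($File, $User) {
    if (-not $File.WrappedFek.ContainsKey($User.Name)) { throw 'Access is denied' }
    $fek = $User.Key.Decrypt($File.WrappedFek[$User.Name], [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create(); $aes.Key = $fek; $aes.IV = $File.IV
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($File.Data, 0, $File.Data.Length))
}

# Constructed demo: an owner, a recovery agent added by policy, a colleague added later.
$owner = New-EfsUser 'owner'; $dra = New-EfsUser 'recovery-agent'; $colleague = New-EfsUser 'colleague'
$file = Protect-EfsFile ([Text.Encoding]::UTF8.GetBytes('quarterly payroll')) $owner
Grant-EfsAccess $file $owner $dra          # recovery key: data is recoverable, owner's private key never revealed
Grant-EfsAccess $file $owner $colleague    # Sharing Encrypted Files: the owner authorizes another user

Unprotect-EfsFile $file $colleague                                                     # quarterly payroll
try { Unprotect-EfsFile $file (New-EfsUser 'outsider') } catch { $_.Exception.Message }  # Access is denied
```

Removing a user's entry from the wrapped-FEK table revokes only that user; the file data itself never has to be re-encrypted.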

Creating a Domain DRA

After a user has encrypted a file, an EFS certificate is automatically created for them. This certificate is needed before the user can be designated as a recovery agent.

In the following Step by Step, we will perform the two steps needed to create a DRA: First, publish the certificate to the user account, and then add the user account as an EFS Recovery Agent.

Step by Step

13.19 Adding an EFS Recovery Agent

1.

Open the Active Directory Users and Computers MMC. From the View menu, select Advanced Features.

2.

Locate the user you want to add, right-click the entry, and select Properties.

3.

On the User Properties dialog box, select the Published Certificates tab.

4.

Click the Add from Store button; this displays the Select Certificate dialog box shown in Figure 13.42.

Figure 13.42. Select the entry for the desired user that lists the EFS certificate.


5.

Select the entry for the user that lists the EFS certificate, and then click the OK button.

6.

This returns you to the User Properties dialog box. The certificate should be shown under the list of certificates published for the account, as shown in Figure 13.43. Click OK to close.

Figure 13.43. The certificate is published to the user account.


7.

In Active Directory Users and Computers, right-click the domain entry and select Properties from the pop-up menu. On the Properties dialog box, click the Group Policy tab.

8.

On the Group Policy tab, highlight the Default Domain Policy entry, and then click the Edit button. This opens the Group Policy Editor.

9.

In the Group Policy Editor, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then highlight the entry for Encrypting File System (see Figure 13.44).

Figure 13.44. The administrator's certificate is published by default.


10.

Right-click the Encrypting File System entry, and then select Add Recovery Agent from the pop-up menu. This starts the Add Recovery Agent Wizard. Click Next to continue.

11.

On the Select Recovery Agents dialog box, click the Browse Directory button. From the Select Users dialog box, enter the name of the user account you want to add, and then click OK.

12.

Click Next, and then click Finish.

Recovering an Encrypted File or Folder

To recover an encrypted file or folder, the recovery agent must copy the file to his computer, if in a domain, or log on to the computer with the local administrator account on a standalone computer.

To recover a file or folder, follow these steps:

1.

Log on to the test server as a local administrator.

2.

Right-click the file or folder and select Properties.

3.

Click the Advanced button.

4.

From the Advanced Attributes dialog box, deselect the Encrypt Contents to Secure Data check box.

5.

Click OK twice to save.

If the computer is a member of a domain, move the file back to the user's computer.

Encryption Using the Cipher Command

The cipher command-line utility is supplied so that you can work with encrypted files and folders from the command line. This is handy when you are encrypting or decrypting a large number of files or folders, because you can use wildcards or run the utility from a script.

The cipher command options are listed in Table 13.2.

Table 13.2. Cipher Command-Line Options

Option           Meaning
No parameters    Displays the encryption state of the files in the current folder
/e               Encrypts the specified folder(s)
/d               Decrypts the specified folder(s)
/s:dir           Performs the operation on the current folder and all subfolders
/a               Encrypts/decrypts the files in all the folders that were specified
/i               Continues when an error occurs
/f               Forces all specified files to be encrypted
/q               Nonverbose reporting
/h               Displays hidden or system files
/k               Creates a new key; all other options are ignored
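As an added example (not from the book), the script below runs cipher from PowerShell to audit a folder tree and flag files that are still unencrypted inside a folder marked as encrypted, which is exactly the gap left by pre-existing files and application temp files. It assumes cipher's listing format (a " Listing <folder>\" line, a "New files added to this directory will [not] be encrypted." line, then one "E <name>" or "U <name>" line per entry) and the folder name C:\Secure from the exercise.

```powershell
# Added example, not from the book: audit EFS state with cipher.exe and report
# plaintext files sitting inside encrypted folders. Assumes the cipher listing
# format described in the lead-in; run on Windows with EFS available.

function Get-EfsState {
    param([Parameter(Mandatory)][string]$Path)
    # With no /e or /d, cipher only reports state; /s:dir includes subfolders (Table 13.2).
    $folder = $null; $folderEncrypted = $false
    foreach ($line in (& cipher.exe "/s:$Path")) {
        if ($line -match '^\s*Listing\s+(.+?)\\?\s*$') { $folder = $Matches[1]; continue }
        if ($line -match 'New files added to this directory will (not )?be encrypted') {
            $folderEncrypted = -not $Matches[1]    # group 1 absent => folder attribute is set
            continue
        }
        if ($line -match '^([EU])\s+(.+?)\s*$') {
            $full = Join-Path $folder $Matches[2]
            if (Test-Path -LiteralPath $full -PathType Leaf) {   # skip subfolder entries
                [pscustomobject]@{
                    Path            = $full
                    Encrypted       = ($Matches[1] -eq 'E')
                    FolderEncrypted = $folderEncrypted
                }
            }
        }
    }
}

# Exposure report: files that are not encrypted although their folder is.
$exposed = Get-EfsState -Path 'C:\Secure' |
    Where-Object { $_.FolderEncrypted -and -not $_.Encrypted }
$exposed | Format-Table Path, Encrypted, FolderEncrypted

# Remediation per Table 13.2: /e with /a encrypts the files themselves, /s:dir recurses.
# cipher /e /a /s:C:\Secure
```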


Exam Alert:

You might encounter EFS questions on the exam. You should know how to encrypt and decrypt files and folders using both the GUI and the cipher utility. In addition, you should be familiar with the key recovery process.





MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
