Windows Small Business Server includes the ability to encrypt individual files or entire subdirectories in a totally transparent way. To their creator, encrypted files look exactly like regular files—they can be opened, read, modified, or deleted just like any other file. No changes to applications are required to use them. However, to anyone except the creator/encryptor, the files are unavailable, and even if someone did manage to gain access to them, the files would be gibberish because they’re stored in encrypted form. In this section, we’ll cover the basics about how to enable encryption on a folder or file.
More Info
For more details about encryption, including how to share encrypted files and how to un-encrypt files in the event an employee leaves, see Chapter 10, “Shares, Permissions, and Group Policy.”
Encryption is simply an advanced attribute of the file, just as compression is. However, a file cannot be both compressed and encrypted at the same time—the two attributes are mutually exclusive. Encrypted files are available only to the encryptor or to those individuals who are explicitly granted access, but the files can be recovered by the domain recovery agent if necessary. Encrypted files can be backed up by normal Windows Small Business Server backup procedures, and the files remain encrypted. Restoring encrypted files retains their encryption.
By default, no user except the actual creator of an encrypted file has access to the file. Even a change of ownership does not remove the encryption. This prevents sensitive data, such as payroll and annual reviews, from being accessed by the wrong users, even if those users have administrative rights. The catch is that encryption is enabled for an individual user, not for a group of users, which limits its effectiveness. Although you can add individual users with the appropriate certificates to the list of users who can access a file, you can’t add groups of users to the list. On our wish list for the Encrypting File System (EFS) is the ability to make the encryption transparent to either a group of users or any user with a specific key, smartcard, or other security identifier or combination of security identifiers.
Encryption is available only on NTFS and only on versions of NTFS beginning with Windows 2000. If the owner/encryptor of an encrypted file copies it to a disk or to another computer that doesn’t support encryption, the encryption will be removed.
When you encrypt a folder, all new files created in that folder are encrypted from that point forward. You can also elect to encrypt the current contents when you perform the encryption. Be warned, however: If you choose to encrypt the contents of a folder when it already contains files or subfolders, those files and subfolders are encrypted for the user performing the encryption only. This means that even files that are owned by another user are encrypted and are thus available for your use only—the owner of the files will no longer be able to access them. Of course, if you don’t have the Modify privilege on the file owned by someone else, you won’t be able to encrypt it.
When new files are created in an encrypted folder, the files are encrypted for use by the creator of the file, not the user who first enabled encryption on the folder. Unencrypted files in an encrypted folder can be used by all users who have security rights to use files in that folder, and the encryption status of the files does not change unless the file names themselves are changed. Users can read, modify, and save the files without converting them to encrypted files, but any change to a file's name triggers encryption, and that encryption makes the file available only to the person who triggered it.
To encrypt a file or folder, complete the following steps:
1. In Windows Explorer, right-click the folder or files you want to encrypt, and choose Properties from the shortcut menu.
2. Click Advanced on the General tab to open the Advanced Attributes dialog box shown in Figure 8-5.
Figure 8-5: The Advanced Attributes dialog box.
3. Select the Encrypt Contents To Secure Data option, and click OK to return to the main Properties window for the folder or file. Click OK or Apply to enable the encryption. If any files or subfolders are already in the folder, you’re presented with the dialog box shown in Figure 8-6.
Figure 8-6: Choosing whether to encrypt the files already in a folder or just new files.
If you choose Apply Changes To This Folder Only, all the current files and subfolders in the folder remain unencrypted, but any new files and folders are encrypted by the creator as they are created. If you choose Apply Changes To This Folder, Subfolders, And Files, all the files and folders below this folder are encrypted so that only you can use them, regardless of the original creator or owner of the file.
4. Click OK and the encryption occurs.
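The same procedure can be carried out and verified from the command line with cipher.exe, which is useful when you need to confirm the state of many files. The following PowerShell script is an added example, not part of the book; it assumes a constructed scratch folder C:\EFSDemo on an NTFS volume and a Windows version whose cipher.exe supports the /c switch (Windows Vista and later). It shows that marking a folder encrypted leaves pre-existing files in plaintext, that the Encrypted bit is an ordinary file attribute, and that an encrypted file cannot also be compressed.

```powershell
# Added example (not from the book). Assumed path: C:\EFSDemo is a
# constructed scratch folder on an NTFS volume; run as an ordinary user.
$folder = 'C:\EFSDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# A file that exists BEFORE the folder is marked encrypted.
Set-Content -Path "$folder\Existing.txt" -Value 'created before encryption'

# Equivalent of "Apply Changes To This Folder Only": mark the folder so that
# new files are encrypted, without touching its current contents.
# ("Apply Changes To This Folder, Subfolders, And Files" would instead be
#  cipher.exe /e /a /s:$folder, which also re-encrypts existing files for
#  the user running it, the caveat described above.)
cipher.exe /e $folder | Out-Null

# A file created AFTER the folder was marked encrypted.
Set-Content -Path "$folder\Encrypted.txt" -Value 'created after encryption'

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted flag is a normal file attribute, exactly like Compressed.
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
}

# Existing.txt stays plaintext; Encrypted.txt picked up the folder's setting.
foreach ($name in 'Existing.txt', 'Encrypted.txt') {
    '{0,-14} encrypted: {1}' -f $name, (Test-EfsEncrypted "$folder\$name")
}

# Encryption and compression are mutually exclusive: a compression attempt on
# the encrypted file leaves the Compressed bit clear.
compact.exe /c "$folder\Encrypted.txt" | Out-Null
$attr = (Get-Item -LiteralPath "$folder\Encrypted.txt").Attributes
'Compressed bit after compact /c: {0}' -f `
    (($attr -band [IO.FileAttributes]::Compressed) -ne 0)

# Who can open the file: the encryptor's certificate thumbprint, plus any
# recovery agent certificate configured for the domain.
cipher.exe /c "$folder\Encrypted.txt"

# Clean up: decrypt the file, then clear the folder's encryption setting.
cipher.exe /d "$folder\Encrypted.txt" | Out-Null
cipher.exe /d $folder | Out-Null
```

Running the script as a second user against a folder encrypted by the first user reproduces the ownership situation the text describes: that user can list the file but cannot open Encrypted.txt unless added through the file's Details dialog or listed as a recovery agent.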
Users can choose to have files that are encrypted appear in a different color in Windows Explorer. When they do, the file will appear in green text as shown in Figure 8-7 for the file Encrypted.txt. Notice that even though all new files in this folder are encrypted, the files that were already in the folder have not been encrypted.
Figure 8-7: Encrypted file is shown in green.