Securing Local Data

Encryption of stored files in Windows 2000 is accomplished through the use of the Encrypting File System (EFS). Using public-key encryption, EFS allows files and directories stored on NTFS partitions to be encrypted and decrypted transparently. EFS accesses the user's EFS public and private keys to perform self-encryption. Therefore, files encrypted with EFS can't be shared with (that is, encrypted to) other users. Another encryption method, such as S/MIME, must be used to securely share files with other users. In addition, if files encrypted with EFS are saved to another machine, the user's key information must be imported to that machine for decryption to occur.

When files or folders are encrypted, they are written with a recovery policy that, among other things, designates a recovery agent, which is one user account that can recover the contents of the file in the event that the original key is lost.

EFS encrypts the bulk of a file with a single symmetric key. The symmetric key is then encrypted twice: once with the user's EFS public key to allow decryption, and once with the recovery agent's public key to allow data recovery. See the section Public-Key Encryption vs. Symmetric-Key Encryption in Chapter 18 for more information on data encryption.

More Info

For more in-depth information about EFS, see the Microsoft Windows 2000 Server Distributed Systems Guide.

Creating Your Recovery Policy

It's deceptively simple to encrypt and decrypt files in Windows 2000. Of course, anything that's sensitive enough to be encrypted should be treated very carefully, so we urge you to take a few moments to do some thinking and planning before you start implementing file and folder encryption.

Before you do anything else, you should implement a recovery policy. As mentioned earlier in this chapter, the recovery policy provides a way to recover an encrypted file when its key has been lost. To recover the file the recovery agent's (a specially designated user account) recovery certificate is used. On an Active Directory domain, the recovery agent is set automatically to the Administrator account on the first domain controller of the domain (you should create a special account just for the recovery agent role and then assign the recovery agent role to this account).

Because the recovery agent is such a sensitive role (it's capable of decrypting any file on the domain), it's imperative that you take proper precautions with it. The following steps walk you through adding extra recovery agents, backing up the recovery certificate to a floppy disk, and deleting the locally stored recovery key for extra security:

  1. Launch the Active Directory Users and Computers snap-in.
  2. Right-click the appropriate domain or OU and choose Properties from the shortcut menu.
  3. In the Group Policy tab, select the appropriate policy and click Edit.
  4. In the console tree, select Computer Configuration, then Windows Settings, Security Settings, and finally Public Key Policies.
  5. Under Public Key Policies, select Encrypted Data Recovery Agents.
  6. Right-click the Encrypted Data Recovery Agents folder and choose Add from the shortcut menu.
  7. Use the Add Recovery Agent Wizard to add another recovery agent to the domain or OU (Microsoft recommends two or more recovery agents per OU).

    Recovery agent accounts should be created specifically for the recovery agent role and not be used for anything else. Replace the default Administrator recovery agent with one of the new, specially created, recovery agent accounts to minimize the impact of the Administrator account getting hacked.

  8. Right-click a recovery agent and choose All Tasks and then Export from the shortcut menu.
  9. Use the Certificate Export Wizard to export the recovery key to a floppy disk. The floppy disk should then be stored in a highly secure, preferably off-site, location.
  10. Log on using the recovery agent's account, and then open the Certificates MMC snap-in (if prompted, select My User Account and click OK). You might have to open a blank MMC console and add the Certificates snap-in to it.
  11. From the console tree, select Personal and then Certificates.
  12. Select the certificate corresponding to the recovery key that you exported and then click the Delete toolbar button. Now the only copy of the recovery key is stored separately in a secured location. Even someone with physical access to the computer does not have access to the recovery key.

Encrypting Files and Folders

Encrypting files and folders with EFS is as easy as setting any other file attribute, such as Hidden or Read-Only. To encrypt a file or folder in Windows Explorer, follow these steps:

  1. Right-click the folder (or file) and choose Properties.
  2. In the General tab, click Advanced.
  3. Select the Encrypt Contents To Secure Data check box and then click OK twice.
  4. In the dialog box that appears, decide whether you want to encrypt the parent folder. If you do encrypt this folder, files subsequently added to this folder and its subfolders are encrypted.

Only encrypt entire folders. If you encrypt individual files, but not their folders, a program might create a temporary file (which won't be encrypted) and then save the file over the original file, thereby leaving the file decrypted.

Remember that system files, compressed files, and files on partitions other than NTFS can't be encrypted using EFS. Further, a drive's root folder cannot be encrypted using EFS.

Like normal files, encrypted files and folders can be moved and copied using the Edit menu commands Cut, Copy, and Paste. Files moved or copied by dragging do not necessarily retain their encryption. You can also rename encrypted files and folders as you would any other files.

Encrypted files and folders are not immune from deletion. Any user with appropriate rights can delete an encrypted file.

It's important to mention that the folders themselves are not encrypted, merely the files within the folders. The folders are simply marked as having encrypted files within them.

To ensure the security of temporary files that have been created by applications, mark your system's Temp folder for encryption.

Real World

Encryption Best Practices

Here are some encryption best practices to consider:

  • Encrypt the My Documents folder of sensitive desktops and laptops.
  • Encrypt the Temp folders of appropriate user profiles to protect temporary data, or data that was marooned in the Temp folder following a program crash.
  • If you use spool files while printing, encrypt the Spool folder.
  • Don't tamper with the RSA folder; this is the repository for EFS keys.

Decrypting Files and Folders

EFS allows a user to reverse the encryption process. However, describing this as a mere decryption operation is a bit misleading. Indeed, removing data encryption from a file does cause the file to be decrypted, but any encrypted file is also decrypted every time a user or application accesses it. What we're talking about is permanent decryption so that files can be easily shared with other users.

To indicate that a file should no longer be encrypted or that a folder should no longer encrypt its files, follow these steps:

  1. Right-click the file or folder in Windows Explorer and choose Properties.
  2. Click the General tab and then click Advanced.
  3. Clear the Encrypt Contents To Secure Data check box.

More Info

For a description of the specifics of cryptography, including symmetric-key and public-key methods, visit the security page of the Microsoft Web site at

Recovering Files

Naturally, when you encrypt files to protect them from prying eyes, you run the risk of protecting them from yourself and ultimately losing the data. EFS requires the user's private key (associated with the user's EFS public-key certificate) to decrypt a file. As long as this key is available, EFS-protected files can be accessed. In the event of key loss, a secondary means of retrieving the data is necessary. Consider, too, that a key might be lost due to the voluntary or involuntary departure of a user; for example, a user who encrypts company files might leave the company.

The ability to recover files starts when an individual user backs up his or her EFS public-key certificate and associated private key. To back up this information, the user must export the certificate and key through the Certificates snap-in in the MMC. (See the section entitled Exporting Certificates and Private Keys, earlier in this chapter.) If the private key is ever lost, the user can import the saved EFS private key and certificate and salvage the data. To do so, follow these steps:

  1. Launch the Certificates MMC snap-in.
  2. Select Personal from the console tree, and then right-click the Certificates folder and choose All Tasks and then Import from the shortcut menu.
  3. Use the Certificate Import Wizard to restore the backup key, which allows access to the encrypted file again.

Exported keys and certificates are stored in a standard PKCS #12 (also known as Personal Information Exchange or PFX) format. This format is understood by a number of security-enhanced applications, allowing exchange of keys between independent computers or applications.

If a user is unable to decrypt lost data, an administrator can salvage the data by using a recovery agent certificate. To do so, follow these steps:

  1. Instruct the user with the encrypted files to back up the files using Backup or another Windows 2000 backup program, and send the backup file to the recovery agent using e-mail or removable media.
  2. Log on using a Recovery Agent account, and restore the recovery key using the previous procedure (the recovery key is presumably stored in a secure location such as a vault and deleted from the system when not in use).
  3. On the Recovery Agent's computer, use Backup or another backup program to restore the files to a local folder.
  4. In Windows Explorer, right-click the folder and choose Properties from the shortcut menu.
  5. In the General tab, click Advanced.
  6. Clear the Encrypt Contents To Secure Data check box. This decrypts the files using the recovery agent's recovery certificate.
  7. Back up the decrypted files and e-mail or deliver them to the user, who can then encrypt them using his or her key (which is probably newly issued after the old key was lost). Consider using e-mail encryption when sending the files, if appropriate.

Real World

Protecting Recovery Agent Certificates

Recovery agent certificates should be squirreled away in a secured storage facility to prevent possible data compromise. On receiving the recovery agent certificate, the recovery agent should export it to a diskette or other device that can be protected and then delete it from the machine. When data needs to be recovered, the certificate and associated private key can be imported. Because the associated certificate or recovery policy for encrypted files is updated only when the files are opened, it's important to hang on to old recovery agent certificates. For information on exporting certificates, see the section entitled Exporting Certificates and Private Keys, earlier in this chapter.

Microsoft Windows 2000 Server Administrator's Companion
Microsoft Windows 2000 Server Administrators Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320 © 2008-2017.
If you may any questions please contact us: