This section assumes you're familiar with the basic elements of cryptography. NTFS controls access to files and folders based on user rights and permissions. EFS takes this one step further and encrypts the files and folders themselves. Thus, an unauthorized user is first denied access to a file or folder by the NTFS permissions. If for some reason the permissions are incorrect, or someone has found a way around them, the file itself is still encrypted and can only be decrypted by the owner of the file, a user to whom sharing privileges have been granted, or a recovery agent.
One common way NTFS permissions are circumvented is when laptops are stolen. Thieves can remove the hard drive and install it in a system on which they have administrative privileges, effectively granting themselves full access to the data on the hard drive. If the data is encrypted, the thief will still be unable to access the data.
As the popularity of and need for mobile computers continue to increase, file encryption will become increasingly important in securing corporate data. EFS is transparent to the user—files are encrypted and decrypted automatically in the background based on a process we'll review in a moment. However, as with all security measures, there is a trade-off between the use of encryption and system performance.
EFS is notably slow the first time it is used, because the encryption keys and certificates are being generated and checked. This information was adapted from the Microsoft Knowledge Base article "Encrypt or decrypt a folder or file". Warning: This registry modification will allow the user to access encrypted files after a remote access password change, but it can also expose the user's account to the threat of attack.
When implementing EFS in a domain, by default the Administrator of the first domain controller is the recovery agent. You should create new recovery agent accounts and remove the recovery agent role from the Administrator account. The recovery agent account(s) should be used only for that purpose. If a computer was previously a standalone system and then joins a domain that uses a CA to issue EFS certificates, you might not be able to open files that were encrypted with a self-signed certificate prior to joining the domain.
You can access these files by logging off the domain and logging back onto the local computer. You should also be aware of EFS security issues. For example, many applications create temporary files when you're working. These temp files may not be encrypted. You can fix this by encrypting the folder in which the application stores its temp files; then files placed in that folder will automatically be encrypted. Also be aware that an application may copy the contents of an encrypted file to the paging file during use.
The paging file can't be encrypted because it's a system file. Data can remain in the paging file even after the application closes the file, and an unauthorized person could start the computer with a different operating system and read the contents of the paging file. To prevent this, you can configure the local Group Policy to clear the contents of the paging file at shutdown.
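The two leakage paths just described (unencrypted temp files and plaintext lingering in the paging file) can be audited and remediated from PowerShell. This is an added example, not code from the original text; it assumes a Windows system with EFS available and an elevated session for the registry change, and reads the same value the Group Policy setting "Shutdown: Clear virtual memory pagefile" controls.

```powershell
# Added example (not from the original text): audit the temp folder and the
# paging-file shutdown setting, optionally fixing both.
function Test-EfsTempAndPagefile {
    param(
        [string]$TempPath = $env:TEMP,   # folder where applications drop temp files
        [switch]$Remediate               # when set, fix findings instead of only reporting
    )

    # Registry location behind the "Shutdown: Clear virtual memory pagefile" policy.
    $memKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $result = [ordered]@{ TempPath = $TempPath; TempEncrypted = $false; ClearPageFile = $false }

    # 1. Is the temp folder flagged Encrypted? New files created there inherit the attribute.
    $attrs = (Get-Item -LiteralPath $TempPath -Force).Attributes
    $result.TempEncrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
    if (-not $result.TempEncrypted -and $Remediate) {
        # cipher.exe without /A marks the directory itself, so future temp files are encrypted.
        & cipher.exe /E $TempPath | Out-Null
        $attrs = (Get-Item -LiteralPath $TempPath -Force).Attributes
        $result.TempEncrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
    }

    # 2. Is the paging file wiped at shutdown? A value of 1 means yes.
    $value = (Get-ItemProperty -Path $memKey -Name ClearPageFileAtShutdown `
                  -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $result.ClearPageFile = ($value -eq 1)
    if (-not $result.ClearPageFile -and $Remediate) {
        Set-ItemProperty -Path $memKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
        $result.ClearPageFile = $true   # takes effect at the next shutdown
    }

    [pscustomobject]$result
}

Test-EfsTempAndPagefile              # report only
# Test-EfsTempAndPagefile -Remediate   # encrypt the temp folder and enable pagefile clearing
```

Clearing the paging file lengthens shutdown noticeably on machines with large paging files, which is the same performance trade-off the text notes for EFS itself.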
Having both a recovery agent and key archival configured provides two redundant controls against losing data, which is better than relying on just one control. Configuring key archival is covered in Chapter . For information on obtaining such a certificate, see the PKI recipes in Chapter . You need to store EFS-encrypted files on a network server, and must prepare that server to store the files.
EFS was primarily designed as a security control to protect local data against compromise when an attacker gains physical access to the computer (for example, when someone steals your laptop). However, many people immediately recognized the benefit of storing data in an encrypted state. It provides more protection than NTFS or file-share access control alone because, whether or not you can access the data, you cannot decrypt it without the proper private key.
Even administrative access does not allow you to decrypt data unless the administrator is also a data recovery agent—see Recipe 4. So, administrators wanted EFS files stored on file shares on servers. In order to do this, the server must perform the encryption on behalf of the user. This means that the user must delegate their identity to the server. Only very trusted servers should be delegated, because compromise of a server could compromise the identity of every user of that server.
For that reason, by default only domain controllers are trusted for delegation in Active Directory. You must trust all network file servers for delegation if you want them to store EFS-encrypted files.
This means that these servers should be very tightly controlled to ensure that no unauthorized access happens, such as physical access to the computer, where a local attack could compromise the delegated rights. Trusted for delegation is an attribute of each computer object in Active Directory, which is why Active Directory is required for server-based EFS.
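Because every server trusted for delegation can act as any user who connects to it, the set of such computer accounts is worth auditing regularly. This is an added example, not from the original text; it assumes the ActiveDirectory RSAT module and a domain-credentialed session, and uses the TrustedForDelegation attribute of computer objects that the text refers to.

```powershell
# Added example (not from the original text): list every computer account the domain
# trusts for delegation and separate domain controllers (trusted by default) from the
# member servers an administrator must have trusted explicitly, e.g. EFS file servers.
Import-Module ActiveDirectory

function Get-EfsDelegationAudit {
    # Domain controllers are expected to appear; anything else is a deliberate trust decision.
    $dcNames = (Get-ADDomainController -Filter *).Name

    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, OperatingSystem, Description |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                Role            = if ($dcNames -contains $_.Name) { 'DomainController' } else { 'MemberServer' }
                Description     = $_.Description
            }
        }
}

# Non-DC entries are the servers whose compromise would expose the identity of every
# user who stores EFS files on them; each should be hardened and physically controlled.
Get-EfsDelegationAudit | Where-Object Role -eq 'MemberServer' | Format-Table -AutoSize
```

Any member server in the output that is not a known EFS file server (or otherwise required to impersonate users) is a candidate for having the trust removed.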
In addition, the server must be joined to an Active Directory domain. Encrypting whole folders, rather than individual files, is usually preferred to help prevent user misconfiguration and to prevent plaintext from being written to the hard drive before the file is encrypted. Folder encryption is discussed in Recipe 4. If NTFS is not in use, this recipe will not work.
Also, because all EFS cryptography is file-based, the larger the file, the more time it will take to encrypt. On large files, an encryption operation can take minutes to complete. Windows will not inform you of this delay or provide a progress message—you just have to wait for the encryption or decryption to complete. When the Advanced dialog box is displayed, you may not be able to click the Details button. This happens when the file is not yet encrypted.
If you complete this solution first, the Details button becomes available. You want to encrypt a folder on the local hard drive, including any files or subfolders in the folder. This ensures that new files created in this directory are encrypted by default.
New files and folders in a folder inherit the attributes of the folder. This is especially important when you want to make a temporary folder encrypted. Many applications create temporary files and they may contain information that the user considers sensitive. There is one common misuse of this recipe. Many administrators decide to encrypt all folders without considering the performance or compatibility impact it may have.
You should not simply encrypt all folders, as it is a waste of resources and applies security to many objects that do not need EFS.
While this folder often contains temporary files that should be encrypted, encrypting it often breaks applications.
Test your required applications before applying EFS to any folder. The Details button is never available when displaying EFS folder information. This is because the contents of the files in the folder may vary, and the user interface does not have the capability to effectively display multiple file encryption configurations.
You must display the EFS information file-by-file or by using efsinfo. The reason why you need to enter two commands is because cipher.
The first command encrypts the contents of the directory, and the second command sets the encryption attribute on the directories to ensure that new files in the directory are encrypted.
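The two-step recipe above (encrypt the existing contents, then mark the directories so that new files inherit encryption) can be scripted and verified. This is an added example, not the book's own commands; it uses cipher.exe switches as documented by Microsoft, and C:\Data is a constructed sample path on an NTFS volume.

```powershell
# Added example (not the book's commands): encrypt a folder tree with cipher.exe,
# then verify that every directory and file under it carries the Encrypted attribute.
function Protect-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)

    # EFS is an NTFS feature; refuse to run on other file systems.
    if ((Get-Volume -FilePath $Path).FileSystem -ne 'NTFS') {
        throw "EFS requires NTFS; $Path is not on an NTFS volume."
    }

    # Step 1: encrypt the existing files (/A includes files, /S recurses into subfolders).
    & cipher.exe /E /A /S:$Path | Out-Null
    # Step 2: make sure every directory carries the attribute, so files created later
    # inherit encryption instead of landing on disk as plaintext.
    & cipher.exe /E /S:$Path | Out-Null

    # Verify: report anything under the tree that is still plaintext.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $plain = @($items | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 })
    [pscustomobject]@{
        Path           = $Path
        ItemsChecked   = $items.Count
        StillPlain     = @($plain | ForEach-Object { $_.FullName })
        FullyEncrypted = ($plain.Count -eq 0)
    }
}

# Constructed sample tree to run the recipe against.
$root = 'C:\Data'
New-Item -ItemType Directory -Path "$root\sub" -Force | Out-Null
Set-Content -Path "$root\secret.txt", "$root\sub\notes.txt" -Value 'sample data'

Protect-EfsFolder -Path $root

# A file created after the recipe inherits the folder attribute automatically.
Set-Content -Path "$root\later.txt" -Value 'created later'
((Get-Item "$root\later.txt").Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
```

Run it as the user who should own the encrypted files; a large tree can take minutes, and, as the text notes, Windows shows no progress while cipher.exe works.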
You want to make it easier for users to encrypt and decrypt files and folders by adding Encrypt and Decrypt options to the context menus in Windows Explorer. To configure Windows to add Encrypt and Decrypt context-sensitive menu options, set the following Registry value:
Once this registry modification is made, open Windows Explorer. Right-clicking on any file or folder shows a context menu, which now includes Encrypt and Decrypt options. This should make it easier for users to quickly encrypt a sensitive file or folder without having to navigate down into the Advanced properties.
Remember, however, that this modification also makes it easier for users to downgrade their security by decrypting data that should be encrypted. Educating the users on proper use of EFS is a good step to take before you complete this recipe.
Different files may have different users and different DRAs associated with them. These differences can be due to changing DRA policies, different users using EFS, users explicitly encrypting files for multiple users, and so on. The only way to know exactly which users (technically, which certificates) have access to a given file is to display its information using this recipe.
You can use efsinfo. Right-click the object and click Cut for moving the object or Copy for copying the object. The following command moves a file called Test. The following command copies a file called Test.