Planning Distributed Security |
The Windows 2000 Encrypting File System (EFS) lets a user encrypt designated files or folders on a local computer for added protection of data stored locally. EFS automatically decrypts the file for use and reencrypts the file when it is saved. No one can read these files except the user who encrypted the file and an administrator with an EFS Recovery certificate. Since the encryption mechanism is built into the file system, its operation is transparent to the user and extremely difficult to attack.
EFS is particularly useful for protecting data on a computer that might be physically stolen, such as a laptop. You can configure EFS on laptops to ensure that all business information is encrypted in users' document folders. Encryption protects information even if someone bypasses EFS and uses low-level disk utilities to try to read information.
EFS is intended primarily for protection of user files on the disk of the local NTFS file system. As you move away from this model (remote drives, multiple users, editing encrypted files) there are numerous exceptions and special conditions to be aware of.
EFS encrypts a file using a symmetric encryption key unique to each file. Then it encrypts the encryption key as well, using the public key from the file owner's EFS certificate. Since the file owner is the only person with access to the private key, that person is the only one who can decrypt the key, and therefore the file.
There is also provision for the original encryption key to be encrypted using the public key of an administrator's EFS File Recovery certificate. The private key from that certificate can be used to recover the file in an emergency. It is highly recommended that an organization establish a recovery agent.
Even if the file can be stolen, over the network or physically, it cannot be decrypted without first logging on the network as the appropriate user. Since it cannot be read, it cannot be surreptitiously modified. EFS addresses an aspect of a policy of data confidentiality.
To implement EFS, a public key infrastructure must be in place and at least one administrator must have an EFS Data Recovery certificate so the file can be decrypted if anything happens to the original author. The author of the file must have an EFS certificate. The files and folders to be encrypted must be stored on the version of NTFS included with Windows 2000.
Open Windows Explorer and right-click a folder or a file. Select Properties. On the General tab, click Advanced. Then select the Encrypt Contents to Secure Data check box. The contents of the file, or of all the files in the selected folder, are now encrypted until you clear the check box.
For more information about best practices for encrypting file systems, see the Windows 2000 Server Help. See also "Encrypting File System" in the Microsoft® Windows® 2000 Server Resource Kit Distributed Systems Guide.
EFS is only supported for the version of NTFS used in Windows 2000. It does not work with any other file system, including previous versions of NTFS.
EFS can be used to store sensitive data securely on shared servers to allow for normal data management (backup). The servers must be well protected and must be "Trusted for Delegation." EFS services will "impersonate" the EFS user and make other network connections on their behalf when encrypting and decrypting files.
EFS uses a Data Recovery policy that enables an authorized data recovery agent to decrypt encrypted files. EFS requires at least one recovery agent. Recovery agents can use EFS to recover encrypted files if users leave the organization or lose their encryption credentials. You need to plan to deploy the PKI components and issue one or more certificates for EFS data recovery. These certificates need to be securely stored offline so they cannot be compromised. EFS can generate its own certificates for EFS users and EFS recovery agents. By default, EFS issues EFS Recovery certificates to the Domain Administrator account as the recovery agent for the domain. For stand-alone computers that are not joined to a domain, EFS issues EFS Recovery certificates to the local Administrator user account as the recovery agent for that computer. Many organizations might want to designate other EFS recovery agents to centrally administer the EFS recovery program. For example, you can create organizational units for groups of computers and designate specific recovery agent accounts to manage EFS recovery for specific organizational units.
You can deploy Microsoft Certificate Services to issue certificates to EFS recovery agents and EFS users. When certificate services are available online, EFS uses the certificate services to generate EFS certificates.
Note that because cluster services do not support reparse points on shared storage, EFS cannot be used if the file server is actually a Windows cluster.
Include strategies for EFS and EFS recovery in your network security deployment plan. EFS strategies might include the following information: