Best Practices

Encryption is a sensitive operation. It is important that encrypted data not become decrypted inadvertently. To this end, it is recommended that users do the following:

• Encrypt the My Documents folder (RootDirectory\UserProfile\My Documents). This ensures that personal folders where most Microsoft® Office documents are saved are encrypted by default.
• Encrypt the Temp folder (RootDirectory\Temp). This ensures that any temporary files created by various applications are encrypted. This avoids any possible leaks.
• Encrypt folders rather than individual files. Applications work on files in various ways — for example, creating temporary files in the same folder during editing. These temporary files might or might not be encrypted, and some applications substitute them for the original when the edit is saved. Encrypting at the folder level ensures that files do not get decrypted transparently in this way.
• Export the private keys for recovery accounts, store them in a safe place on secure media, and remove the keys from computers. This prevents someone from using the recovery account on the computer to read files that are encrypted by others. This is especially important for stand-alone computers where the recovery account is the local Administrator or another local account. For example, someone might steal a portable computer that contains encrypted files. However, because the private key for recovery is not on the computer, the thief cannot log on as the recovery account and use it to recover files.
• The private keys associated with recovery certificates are extremely sensitive. Never leave them lying around. Export each such key into a .pfx file, protected under a strong password, and secure that file on a floppy disk. For more information about protecting recovery keys, see Windows 2000 Professional Help or Windows 2000 Server Help.
• Do not use the recovery agent account for any other purpose.
• Do not destroy recovery certificates and private keys when recovery agent policy changes. Keep them in archives until you are sure that all files that are protected by them have been updated with new recovery agent information.
• Never rename or move the RSA folder because this is the only place EFS looks for private keys.
• In a domain, change the default recovery agent account (the Administrator of the first domain controller installed for the domain) as soon as possible, and set a password for each recovery agent account. This adds an extra layer of protection in case the Administrator account is hijacked, and provides easy tracking of usage of the recovery account.
• Designate two or more recovery agent accounts per organizational unit (a subgroup of computers, or even a single computer, within a domain), depending on the size of the organizational unit. Designate one computer for each designated recovery agent account, and give permission to appropriate administrators to use the recovery agent accounts.
• Implement a recovery agent archive program to ensure that EFS files can be recovered using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. It is recommended that you store archives in a controlled-access vault, and that you have a master archive and a backup archive. The master archive is located onsite; the backup archive is located in a secure offsite location.
• When you are printing, avoid making a spool file. If you must, ensure that it is created in an encrypted folder.
• Configure system key for stand-alone computers that are not members of a domain to provide system key protection for the EFS users' private keys. For more information, see "Using the System Key" later in this chapter.

© 1985-2000 Microsoft Corporation. All rights reserved.