Best practices for the Encrypting File System

Upload: abdulyunusamir

Post on 04-Jun-2018


8/13/2019 Best Practices for the Encrypting File System

    Best practices for the Encrypting File System

    Article ID: 223316 - View products that this article applies to.

    This article was previously published under Q223316


SUMMARY

Microsoft Windows includes the ability to encrypt data directly on volumes that use the NTFS file system so that no other user can use the data. You can encrypt files and folders by setting an attribute in the object's Properties dialog box.

Because encryption and decryption are transparent to users, organizations that want to use file encryption must publish and enforce clear guidelines about its use.


MORE INFORMATION

The following is the list of standard practices:

Teach users to export their certificates and private keys to removable media and store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When the encrypted files must be accessed, the private key can easily be imported from the removable media.

Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.

Teach users never to encrypt individual files but to encrypt folders. Programs work on files in various ways (for example, by writing a new temporary file and renaming it over the original). Encrypting consistently at the folder level makes sure that such files are not unexpectedly left decrypted, because every file created in an encrypted folder inherits the attribute.

The private keys that are associated with recovery certificates are extremely sensitive. These keys must be generated either on a computer that is physically secured, or their certificates must be exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure location.

Recovery agent certificates must be assigned to special recovery agent accounts that are not used for any other purpose.

Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents are changed periodically.) Keep them all until all files that may have been encrypted with them are updated.

Designate two or more recovery agent accounts per organizational unit (OU), depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. Two recovery agent accounts provide redundancy for file recovery, and two computers that hold these keys provide further redundancy for the recovery of lost data.

Implement a recovery agent archive program to make sure that encrypted files can be recovered by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled-access vault, and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure off-site location.

Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.


The Encrypting File System adds some CPU overhead every time a user encrypts or decrypts a file. Plan your server usage accordingly, and load balance your servers when many clients use the Encrypting File System (EFS).

    How to enable Encrypting File System file sharing

In Windows XP, EFS supports file sharing of encrypted files among multiple users. With this support, you can give individual users permission to access an encrypted file. The ability to add additional users is restricted to individual files. Support for multiple users on folders is not provided in either Microsoft Windows 2000 or Windows XP. Also, support for the use of groups on encrypted files is not provided by EFS.

After a file has been encrypted, file sharing is enabled through a new button in the user interface. A file must be encrypted first and then saved before additional users can be added. Users can be added either from the local computer or from the Active Directory directory service if the user has a valid certificate for EFS.

For information about how to enable EFS encryption on folders and files, see the "How to encrypt and decrypt using the Encrypting File System" section.

    How to encrypt a file for multiple users

    Note This procedure applies to Windows XP only. You cannot encrypt a file for multiple users in Windows 2000.

    To do this, follow these steps:

1. Start Microsoft Windows Explorer, and then select the encrypted file that you want to add additional users to.
2. Right-click the encrypted file, and then click Properties.
3. Click Advanced to access the EFS settings.
4. Click Details to add additional users.
5. Click Add. The Add dialog box displays any other EFS-capable certificates in your personal store or those of any other users who may be in your "Other People" and "Trusted People" certificate stores.

If you do not see the user who you want to add, click Find User to search Active Directory. The Select User window appears. A dialog box displays valid EFS certificates in Active Directory based on your search criteria. If no valid certificate is found for that user, a message informs you that there are no appropriate certificates for the selected user. In this case, the intended users must send you a copy of their certificate for you to import. You can then add them to your encrypted file.

6. Select the certificate of the user who you want to add, and then click OK. You are returned to the Details tab, which shows the users who will have access to the encrypted file and their EFS certificates.

7. Repeat this process until you have added all the users who you want to add. Click OK to register the change and continue.

Note Any user who can decrypt a file can also remove other users, provided that the user who does the decrypting also has write permissions on the file.

    How to encrypt and decrypt using the Encrypting File System

    The following steps encrypt and decrypt a file or folder using the Encrypting File System.

    Note These guidelines apply to Windows 2000 and Windows XP.


    Encrypting a folder

Although you can encrypt files individually, we strongly recommend that you designate a specific folder for storing encrypted data.

    Encrypt a folder and its contents

Although you can encrypt files individually, generally it is a good idea to designate a specific folder where you will store your encrypted files, and to encrypt that folder. If you do this, all files that are created in or moved to this folder will automatically obtain the encrypted attribute.

    To encrypt a folder and its current contents, follow these steps:

1. Right-click the folder that you want to encrypt, and then click Properties.
2. In the Properties dialog box, click Advanced.
3. The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes.

Note Although the NTFS file system supports both compression and encryption, it does not support both at the same time. This means that you can only select one or the other. A file or folder cannot be both encrypted and compressed at the same time.

To encrypt the folder, click to select the Encrypt contents to secure data check box, and then click OK.
4. Click OK to close the Advanced Attributes dialog box.
5. If the folder you chose to encrypt in steps 1 to 3 already contains files, a Confirm Attribute Changes dialog box appears.

You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.

    Decrypting a folder

    To decrypt a folder, use basically the same process but in reverse order:

1. Right-click the folder that you want to decrypt, and then click Properties.
2. Click Advanced.
3. Click to clear the Encrypt contents to secure data check box to decrypt the data.
4. Click OK to close the Advanced Attributes dialog box.
5. Click OK to close the Properties dialog box.
6. If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder. However, this will not decrypt any files currently contained in the folder.

If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
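The following PowerShell script is an added example and is not part of this article. It performs the same folder encryption and decryption with cipher.exe, the command-line tool that sets the same NTFS attribute as the Encrypt contents to secure data check box, and it shows the two choices the Confirm Attribute Changes dialog box offers: the folder only, or the folder, subfolders, and files. It then verifies the result by reading the attribute back. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the folder name and the sample files are constructed for the example.

```powershell
# Added example, not part of KB 223316. Folder name and sample files are constructed.
$Target = Join-Path $env:USERPROFILE 'Documents\Confidential'   # assumed NTFS path

function Get-EfsState {
    # One record per entry under $Path with its Encrypted and Compressed NTFS bits.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            Path       = $_.FullName
            IsFolder   = $_.PSIsContainer
            Encrypted  = $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted)
            Compressed = $_.Attributes.HasFlag([IO.FileAttributes]::Compressed)
        }
    }
}

function Invoke-Cipher {
    # Runs cipher.exe with the given switches and fails loudly on a non-zero exit code.
    param([string[]]$Switches)
    & cipher.exe @Switches | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe $Switches failed with exit code $LASTEXITCODE" }
}

# Constructed sample data: a subfolder and a file that exist before encryption is turned on.
New-Item -ItemType Directory -Path (Join-Path $Target 'archive') -Force | Out-Null
Set-Content -Path (Join-Path $Target 'existing.txt') -Value 'constructed sample content'

# Choice 1 in the Confirm Attribute Changes dialog, "encrypt only the folder":
# /e marks directories (with /s:, the subdirectories too) so that files added
# later are encrypted; files already present are left alone.
Invoke-Cipher -Switches @('/e', "/s:$Target")
Set-Content -Path (Join-Path $Target 'created-later.txt') -Value 'constructed sample content'
Get-EfsState -Path $Target | Format-Table Path, IsFolder, Encrypted, Compressed -AutoSize

# Choice 2, "Apply changes to this folder, subfolders, and files": /a makes
# cipher operate on files as well as directories.
Invoke-Cipher -Switches @('/e', '/a', "/s:$Target")
$clear = @(Get-EfsState -Path $Target | Where-Object { -not $_.Encrypted })
if ($clear.Count -gt 0) {
    # Any entry left in the clear is the "not encrypted when you think it is"
    # failure mode; list it with its Compressed bit, since NTFS never holds both.
    $clear | Format-Table Path, Encrypted, Compressed -AutoSize
    throw "Entries under $Target are not encrypted"
}
"Everything under $Target is encrypted."

# Decrypting the folder and its contents is the same call with /d in place of /e.
Invoke-Cipher -Switches @('/d', '/a', "/s:$Target")
if (@(Get-EfsState -Path $Target | Where-Object { $_.Encrypted }).Count -gt 0) {
    throw "Decryption of $Target is incomplete"
}
"Everything under $Target is decrypted again."
```

The first table printed after choice 1 is the point of the exercise: the folder and its subfolder carry the attribute and created-later.txt is encrypted, but existing.txt is not, which is exactly the situation the dialog box asks about. Only the second call, with /a, encrypts the files that were already there.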


    Additional information

    How files are encrypted

Files are encrypted with cryptographic algorithms that make the data unreadable without the correct key. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key, and it is used to protect the key that encodes and decodes the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery agent, there is no way to recover the data.

    Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent's certificate serves a different purpose than the user's certificate.

    How to back up your certificate

    To back up your certificates, follow these steps:

1. Start Microsoft Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Content tab, in the Certificates section, click Certificates.
4. Click the Personal tab.

Note There may be several certificates present, depending on whether you have installed certificates for other purposes.

5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
6. Click Export to start the Certificate Export Wizard, and then click Next.
7. Click Yes, export the private key to export the private key, and then click Next.
8. Click Enable Strong protection, and then click Next.
9. Type your password. (You must have a password to protect the private key.)
10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, a backup that was saved only on that hard disk is lost along with the key. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
11. Specify the destination, and then click Next.

For additional information about the Encrypting File System (EFS), visit the following Microsoft Web sites:

    Encrypting File System in Windows 2000

    http://technet.microsoft.com/en-us/library/dd277413.aspx

Encrypting File System in Windows XP and Microsoft Windows Server 2003

http://technet.microsoft.com/en-us/library/cc700811.aspx
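The following PowerShell script is an added example and is not part of this article. It is the command-line counterpart of the Certificate Export Wizard steps above, and it also carries out the first practice in the list at the top of this article: export the certificate and private key to removable media, and verify that the backup can be opened. It assumes Windows PowerShell 5.1 or later, that the user has already encrypted at least one file so that an EFS certificate exists in the personal store, and that E:\efs-backup is removable media kept in a safe; the EFS purpose is recognised by its enhanced key usage OID, 1.3.6.1.4.1.311.10.3.4.

```powershell
# Added example, not part of KB 223316. $Destination is an assumed removable-media path.
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'   # enhanced key usage "Encrypting File System"
$Destination = 'E:\efs-backup'            # assumed: removable media stored in a safe

function Get-CertificateEku {
    # Enhanced key usage OIDs carried by a certificate (empty when it has none).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

function Get-EfsCertificate {
    # Personal certificates with the EFS purpose whose private key this user holds;
    # the same ones the wizard shows under "Certificate Intended Purposes".
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (@(Get-CertificateEku -Certificate $_) -contains $EfsEku) }
}

function Export-EfsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Directory,
        [securestring]$Password
    )
    if (-not (Test-Path -Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    $file = Join-Path $Directory ('efs-{0}-{1}.pfx' -f $env:USERNAME, $Certificate.Thumbprint)

    # PKCS#12 including the private key; the password plays the role of
    # "Yes, export the private key" plus "Enable strong protection" in the wizard.
    $bytes = $Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [IO.File]::WriteAllBytes($file, $bytes)

    # Read the file back: a .pfx that does not open with the chosen password, or
    # that comes back without its private key, is not a backup. Keep nothing broken.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $file, $Password
    if ($check.Thumbprint -ne $Certificate.Thumbprint -or -not $check.HasPrivateKey) {
        Remove-Item -Path $file
        throw "Backup of $($Certificate.Thumbprint) did not round-trip; file removed"
    }
    $file
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    throw 'No EFS certificate with a private key in Cert:\CurrentUser\My (encrypt a file first)'
}
$password = Read-Host -Prompt 'Password for the .pfx backup' -AsSecureString
foreach ($cert in $certs) {
    $out = Export-EfsCertificate -Certificate $cert -Directory $Destination -Password $password
    "Backed up $($cert.Subject), valid until $($cert.NotAfter.ToShortDateString()), to $out"
}
```

Once the .pfx has round-tripped, the first practice above can be completed: remove the certificate and key from the personal store, keep the media locked away, and import the .pfx again (through certmgr.msc, or certutil -user -importPFX) only when the encrypted files have to be opened.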


    Properties Article ID: 223316 - Last Review: January 15, 2009 - Revision: 13.1


APPLIES TO

Microsoft Windows XP Professional
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server


Keywords: kbproductlink kbhowto kbenv kbinfo KB223316


The Encrypting File System

    By Roberta Bragg

On This Page

An Overview of the Encrypting File System
What EFS Is
Basic How-tos
Planning for and Recovering Encrypted Files: Recovery Policy
How EFS Works
Key Differences Between EFS on Windows 2000, Windows XP, and Windows Server 2003
Misuse and Abuse of EFS and How to Avoid Data Loss or Exposure
Remote Storage of Encrypted Files Using SMB File Shares and WebDAV
Best Practices for SOHO and Small Businesses
Enterprise How-tos
Troubleshooting
Radical EFS: Using EFS to Encrypt Databases and Using EFS with Other Microsoft Products
Disaster Recovery
Overviews and Larger Articles
Summary

An Overview of the Encrypting File System

The Encrypting File System (EFS) is a component of the NTFS file system on Windows 2000, Windows XP Professional, and Windows Server 2003. (Windows XP Home doesn't include EFS.) EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that doesn't possess the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be protected even from those who gain physical possession of the computer that the files reside on. Even persons who are authorized to access the computer and its file system cannot view the data. While other defensive strategies should be used, and encryption isn't the correct countermeasure for every threat, encryption is a powerful addition to any defensive strategy. EFS is the built-in file encryption tool for Windows file systems.

However, every defensive weapon, if used incorrectly, carries the potential for harm. EFS must be understood, implemented appropriately, and managed effectively to ensure that your experience, the experience of those to whom you provide support, and the data you wish to protect aren't harmed. This document will:

Provide an overview and pointers to resources on EFS.
Point to implementation strategies and best practices.
Name the dangers and counsel mitigation and prevention from harm.


Many online and published resources on EFS exist. The major sources of information are the Microsoft resource kits, product documentation, white papers, and Knowledge Base articles. This paper provides a brief overview of major EFS issues. Wherever possible, it doesn't rework existing documentation; rather, it provides links to the best resources. In short, it maps the list of desired knowledge and instruction to the actual documents where they can be found. In addition, the paper catalogs the key elements of large documents so that you'll be able to find the information you need without having to work your way through hundreds of pages of information each time you have a new question.

The paper discusses the following key EFS knowledge areas:

What EFS is
Basic how-tos, such as how to encrypt and decrypt files, recover encrypted files, archive keys, manage certificates, and back up files, and how to disable EFS
How EFS works and EFS architecture and algorithms
Key differences between EFS on Windows 2000, Windows XP, and Windows Server 2003
Misuse and abuse of EFS and how to avoid data loss or exposure
Remote storage of encrypted files using SMB file shares and WebDAV
Best practices for SOHO and small businesses
Enterprise how-tos: how to implement data recovery strategies with PKI and how to implement key recovery with PKI
Troubleshooting
Radical EFS: using EFS to encrypt databases and using EFS with other Microsoft products
Disaster recovery
Where to download EFS-specific tools

Using EFS requires only a few simple bits of knowledge. However, using EFS without knowledge of best practices and without understanding recovery processes can give you a mistaken sense of security, as your files might not be encrypted when you think they are, or you might enable unauthorized access by having a weak password or having made the password available to others. It might also result in a loss of data, if proper recovery steps aren't taken. Therefore, before using EFS you should read the information links in the section "Misuse and Abuse of EFS and How to Avoid Data Loss or Exposure." The knowledge in this section warns you where lack of proper recovery operations or misunderstanding can cause your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you should have a more comprehensive understanding of EFS.

What EFS Is

You can use EFS to encrypt files stored in the file system of Windows 2000, Windows XP Professional, and Windows Server 2003 computers. EFS isn't designed to protect data while it's transferred from one system to another. EFS uses symmetric (one key is used to encrypt the files) and asymmetric (two keys are used to protect the encryption key) cryptography. An excellent primer on cryptography is available in the Windows 2000 Resource Kit, as is an introduction to Certificate Services. Understanding both of these topics will assist you in understanding EFS.

A solid overview of EFS and a comprehensive collection of information on EFS in Windows 2000 are published in the Distributed Systems Guide of the Windows 2000 Server Resource Kit. This information, most of which resides in Chapter 15 of that guide, is published online at http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx. (On this site's page, use the TOC to go to the Distributed Systems Guide, Distributed Security, Encrypting File System.) There are differences between EFS in Windows 2000, Windows XP Professional, and Windows Server 2003. The Windows XP Professional Resource Kit explains the differences between Windows 2000's and Windows XP Professional's implementation of EFS, and the document "Encrypting File System in Windows XP and Windows Server 2003" (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx) details Windows XP and Windows Server 2003 modifications. The section below, "Key Differences between EFS on Windows 2000, Windows XP, and Windows Server 2003," summarizes these differences. The following are important basic facts about EFS:

EFS encryption doesn't occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. If a folder is marked for encryption, every file created in or moved to the folder will be encrypted. Applications don't have to understand EFS or manage EFS-encrypted files any differently than unencrypted files. If a user attempts to open a file and possesses the key to do so, the file opens without additional effort on the user's part. If the user doesn't possess the key, they receive an "Access denied" error message.

File encryption uses a symmetric key, which is then itself encrypted with the public key of a public key encryption pair. The related private key must be available in order for the file to be decrypted.

This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file may be recoverable. If key archival has been implemented, then the key may be recovered, and the file decrypted. If not, the file may be lost. EFS is an excellent file encryption system; there is no "back door."

File encryption keys can be archived (for example, exported to a floppy disk) and kept in a safe place to ensure recovery should keys become damaged.

EFS keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user and decrypt that user's files. Therefore, a strong password policy as well as strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files.

EFS-encrypted files don't remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext, and, if saved to a folder on the local drive that's marked for encryption, is encrypted locally. EFS-encrypted files can remain encrypted while traversing the network if they're being saved to a Web folder using WebDAV. This method of remote storage isn't available for Windows 2000.

EFS uses FIPS 140-evaluated Microsoft Cryptographic Service Providers (CSPs, the components which contain the encryption algorithms for Microsoft products).
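The following PowerShell script is an added example, not part of the article. It models the key hierarchy described in the facts above with .NET cryptography classes rather than with EFS itself: a random symmetric file encryption key protects the data, and that key is wrapped once under the user's public key and once under a recovery agent's public key, so that losing the user's private key leaves the recovery agent's copy as the only way back to the plaintext. It is a teaching model, not EFS's real on-disk format; the key names, the sample plaintext, and the choice of AES-256-CBC with RSA-2048 OAEP are the example's own. It runs on Windows PowerShell 5.1 or PowerShell 7 on Windows and does not touch NTFS.

```powershell
# Added example, not part of the article: a simplified model of the EFS key
# hierarchy. Slot 0 of the wrapped keys plays the user's decryption field,
# slot 1 plays the recovery agent's recovery field. Names and data are constructed.
$Padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function New-KeyPair {
    # RSACng rather than RSA.Create(): on the .NET Framework the latter still returns
    # a CAPI provider that cannot do OAEP with SHA-256.
    [System.Security.Cryptography.RSACng]::new(2048)
}

function Protect-File {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA[]]$Holders)
    $aes = [System.Security.Cryptography.Aes]::Create()   # fresh FEK and IV for this file
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # One wrapped copy of the FEK per key holder, in the order they were passed.
    $wrapped = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($holder in $Holders) { $wrapped.Add($holder.Encrypt($aes.Key, $Padding)) }
    [pscustomobject]@{ CipherText = $cipherText; IV = $aes.IV; WrappedFek = $wrapped }
}

function Unprotect-File {
    param($Blob, [System.Security.Cryptography.RSA]$PrivateKey, [int]$Slot)
    # Unwrapping with the wrong private key throws a CryptographicException:
    # no private key, no FEK, no plaintext. That is why the recovery slot exists.
    $fek = $PrivateKey.Decrypt($Blob.WrappedFek[$Slot], $Padding)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    Write-Output -NoEnumerate $plain
}

$user     = New-KeyPair
$recovery = New-KeyPair
$secret   = [Text.Encoding]::UTF8.GetBytes('constructed sample: Q3 payroll figures')
$blob     = Protect-File -Plaintext $secret -Holders @($user, $recovery)

# Normal path: the owner unwraps the FEK from slot 0 and reads the file.
'user:     ' + [Text.Encoding]::UTF8.GetString((Unprotect-File -Blob $blob -PrivateKey $user -Slot 0))

# Key loss: the profile was rebuilt and the user now holds a brand-new key pair.
# Slot 0 was wrapped for the old public key, so the new private key cannot open it.
$rebuilt = New-KeyPair
try {
    Unprotect-File -Blob $blob -PrivateKey $rebuilt -Slot 0 | Out-Null
    throw 'unexpected: a foreign private key unwrapped the FEK'
} catch [System.Security.Cryptography.CryptographicException] {
    'rebuilt:  access denied (' + $_.Exception.Message + ')'
}

# Recovery: the agent's private key still opens slot 1 and yields the same plaintext.
'recovery: ' + [Text.Encoding]::UTF8.GetString((Unprotect-File -Blob $blob -PrivateKey $recovery -Slot 1))
```

Two properties of the real system fall out of the model. The file is encrypted once, whatever the number of holders, because only the small FEK is wrapped per holder; and a recovery agent added to the policy after a file was written cannot read that file until it is touched again, because its slot simply does not exist in the older blob. That is the reason the best-practices list says to keep retired recovery keys until every file that may carry them has been updated.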


Basic How-tos

How to Encrypt and Decrypt Files, Recover Encrypted Files, Archive Keys, Manage Certificates, Back Up Files; and Disable EFS

EFS functionality is straightforward, and you can find step-by-step instructions in many documents online. Links to specific articles for each possible EFS function, as well as some documents which summarize multiple functionality, follow. If the document is a Knowledge Base article, the Knowledge Base number appears in parentheses after the article title.

Encrypting and Decrypting

The process of encrypting and decrypting files is very straightforward, but it's important to decide what to encrypt and to note differences in EFS based on the operating system.

"Encrypting Files in Windows 2000" (222054) explains setting folder encryption. Remember, once a folder is marked for encryption, it isn't necessary to manually mark for encryption the files placed within it.

"HOW TO: Encrypt a File in Windows XP" (307877) includes error messages and warnings that a user may get when attempting to open files encrypted by another.

Folders aren't encrypted; however, setting the folder property to "encrypt" does mean that all files placed in the folder will be automatically encrypted. "HOW TO: Encrypt a Folder in Windows XP" (308989) tells how to set the property.

"HOW TO: Remove File Encryption in Windows XP" (308993) tells how to decrypt a file by removing the file encryption property.

    Sharing Encrypted Files The GUI for sharing encrypted files is available only in Windows XP and Windows Server 2003.

    "HOW TO: Share Access to an Encrypted File in Windows XP " (308991) introduces themethodology by which encrypted files can be shared. You can find a short description, including


screen shots, in the "5-Minute Security Advisor - Using the Encrypting File System." Remember: sharing encrypted files is a facility that only Windows XP and Windows Server 2003 have.


Planning for and Recovering Encrypted Files: Recovery Policy

A recovery policy can be an organization's security policy instituted to plan for proper recovery of encrypted files. It's also the policy enforced by Local Security Policy Public Key Policy or Group Policy Public Key Policy. In the latter, the recovery policy specifies how encrypted files may be recovered should the user private key be damaged or lost and the encrypted file unharmed. Recovery certificate(s) are specified in the policy. Recovery can be either data recovery (Windows 2000, Windows XP Professional, and Windows Server 2003) or key recovery (Windows Server 2003 with Certificate Services). Windows 2000 EFS requires the presence of a recovery agent (no recovery agent, no file encryption), but Windows XP and Windows Server 2003 don't. By default, Windows 2000 and Windows Server 2003 have default recovery agents assigned. Windows XP Professional doesn't.

The data recovery process is simple. The user account bound to the recovery agent certificate is used to decrypt the file. The file should then be delivered in a secure manner to the file owner, who may then encrypt the file. Recovery via automatically archived keys is available only with Windows Server 2003 Certificate Services. Additional configuration beyond the installation of Certificate Services is required. In either case, it's most important that a written policy and procedures for recovery are in place. These procedures, if well written and if followed, can ensure that recovery keys and agents are available for use and that recovery is securely carried out. Keep in mind that there are two definitions for "recovery policy." The first definition refers to a written recovery policy and procedures that describe the who, what, where, and when of recovery, as well as what steps should be taken to ensure recovery components are available. The second definition, which is often referred to in the documents below, is the Public Key Policy that's part of the Local Security Policy on stand-alone systems, or Group Policy in a domain. It can specify which certificates are used for recovery, as well as other aspects of Public Key Policies in the domain. You can find more information in the following documents:

Windows XP and Windows Server 2003 documentation includes steps "To Add a Recovery Agent for a Domain."

A "Five-Minute Security Advisor - Recovering Encrypted Data Using EFS" explains the importance of backing up encrypted files and EFS keys as well as the basics of recovery.

"HOW TO: Back Up the Recovery Agent Encrypting File System Private Key in Windows 2000" (241201) explains how archiving the private key of the recovery agent ensures that it will be available to recover EFS files that are protected by it.

User and recovery agent private keys should be archived. If the recovery private key is corrupt or lost, you can create a new Enterprise Data Recovery Policy in Windows 2000. Use the article "HOW TO: Reinitialize the EDRP on a Workgroup Computer Running Windows 2000" (257705) to do so. However, you should realize that this won't allow you to recover previously encrypted files. If a backup of the previous recovery agent certificate and private key is available, those keys should be used. If a new policy is implemented, currently encrypted files should be decrypted and re-encrypted so that the new recovery agent certificate can be used and thus the files will be recoverable.

Information on the existence of a recovery agent under the control of an administrator is mentioned in "Methods for Recovering Encrypted Data Files" (255742).

Instructions on using Ntbackup to back up encrypted files, as well as information on system configuration and how to use Ntbackup to restore these files, are discussed in "HOW TO: Use Ntbackup to Recover an Encrypted File or Folder in Windows 2000" (313277).

The first step in recovery is determining the recovery agent. "Using Efsinfo.exe to Determine Information About Encrypted Files" (243026) describes how to do this using the Windows 2000 Resource Kit tool, efsinfo.exe. The Advanced file properties of encrypted files in Windows XP and Windows Server 2003 display this information automatically.

"The Local Administrator Is Not Always the Default Encrypting File System Recovery Agent" (255026) explains why the first account defined (during installation) in a Windows 2000 Professional computer becomes the recovery agent.

Disabling or Preventing Encryption

You may decide that you don't wish users to have the ability to encrypt files. By default, they do. You may decide that specific folders shouldn't contain encrypted files. You may also decide to disable EFS until you can implement a sound EFS policy and train users in proper procedures. There are different ways of disabling EFS depending on the operating system and the desired effect:

System folders cannot be marked for encryption. EFS keys aren't available during the boot process; thus, if system files were encrypted, the system couldn't boot. To prevent other folders from being marked for encryption, you can mark them as system folders. If this isn't possible, then a method to prevent encryption within a folder is defined in "Encrypting File System."

NT 4.0 doesn't have the ability to use EFS. If you need to disable EFS for Windows 2000 computers joined to a Windows NT 4.0 domain, see "Need to Turn Off EFS on a Windows 2000-Based Computer in Windows NT 4.0-Based Domain" (288579). The registry key mentioned can also be used to disable EFS in Windows XP Professional and Windows Server 2003.

Disabling EFS for Windows XP Professional can also be done by clearing the checkbox for the property page of the Local Security Policy Public Key Policy. EFS can be disabled on XP and Windows Server 2003 computers joined to a Windows Server 2003 domain by clearing the checkbox for the property pages of the domain or organizational unit (OU) Group Policy Public Key Policy.

"HOW TO: Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer" (243035) details how to save the recovery agent's certificate and keys when disabling EFS so that you can enable EFS at a future date.

"HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain" (222022) provides the best instruction set and clearly defines the difference between deleted domain policy (an OU-based policy or Local Security Policy can exist) versus Initialize Empty Policy (no Windows 2000 EFS encryption is possible throughout the domain).

Special Operations

Let enough people look at anything, and you'll find there are questions that are just not answered by existing documentation or options. A number of these issues, third-party considerations, and post-introduction issues can be resolved by reviewing the following articles.

Specifications for the use of a third-party Certification Authority (CA) can be found at "Third-Party Certification Authority Support for Encrypting File System" (273856). If you wish to use third-party CA certificates for EFS, you should also investigate certificate revocation processing. Windows 2000 EFS certificates aren't checked for revocation. Windows XP and Windows Server 2003 EFS certificates are checked for revocation in some cases, and third-party certificates may be rejected. Information about certificate revocation handling in EFS can be found in the white paper "Encrypting File System in Windows XP and Windows Server 2003".

When an existing plaintext file is marked for encryption, it's first copied to a temporary file. When the process is complete, the temporary file is marked for deletion, which means portions of the original file may remain on the disk and could potentially be accessible via a disk editor. These bits of data, referred to as data shreds or remanence, may be permanently removed by using a revised version of the cipher.exe tool. The tool is part of Service Pack 3 (SP3) for Windows 2000 and is included in Windows Server 2003. Instructions for using the tool, along with the location of a downloadable version, can be found in "HOW TO: Use Cipher.exe to Overwrite Deleted Data in Windows" (315672) and in "Cipher.exe Security Tool for the Encrypting File System" (298009).

How to make encrypted files display in green in Windows Explorer is explained in "HOW TO: Identify Encrypted Files in Windows XP" (320166).

"How to Enable the Encryption Command on the Shortcut Menu" (241121) provides a registry key to modify for this purpose.

You may wish to protect printer spool files or hard copies of encrypted files while they're printing. Encryption is transparent to the printing process. If you have the right (possess the key) to decrypt the file and a method exists for printing files, the file will print. However, two issues should concern you. First, if the file is sensitive enough to encrypt, how will you protect the printed copy? Second, the spool file resides in the \system32\Spool\Printers folder. How can you protect it while it's there? You could encrypt that folder, but that would slow printing enormously. The Windows 2000 Resource Kit proposes a separate printer for the printing of these files and how to best secure that printer in the Distributed Systems, Distributed Security, Encrypting File System, Printing EFS Files section.
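The remanence problem described above (the plaintext temporary copy that the encryption pass leaves behind as deleted-but-overwritable data) is handled by encrypting at folder level and then overwriting the volume's free space. The following PowerShell is an added example and not part of the article or of Microsoft's documentation; the folder path is an assumption, and it relies only on cipher.exe switches that exist on Windows XP and later (/E, /S:dir, /A, /W:dir).

```powershell
# Added example, not from the article: encrypt a folder tree (the article's
# recommended practice, rather than individual files), confirm that every file
# really received the attribute, then overwrite the free space where the plaintext
# temporary copies lived. $Folder is an assumed path.
function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Folder)

    # /E encrypt, /S:dir the folder and all subfolders, /A the files inside as well.
    # Files created in these folders later inherit the encryption attribute.
    cipher.exe /E /S:"$Folder" /A | Out-Null

    # Files carrying the System attribute cannot be encrypted, and files held open by
    # another process are skipped; verify instead of trusting the summary output.
    $missed = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
    foreach ($f in $missed) {
        Write-Warning "still plaintext: $($f.FullName) [attributes: $($f.Attributes)]"
    }

    # Each converted file's plaintext went into a temporary file that was merely
    # deleted. /W:dir overwrites the unallocated space of the volume that holds dir
    # (cipher creates a temporary EFSTMPWP folder at the volume root while it runs,
    # and it takes a long time on large volumes). Allocated files are not touched,
    # so run this while the volume is otherwise quiet and after the cleanup above.
    cipher.exe /W:"$Folder"

    return ($missed.Count -eq 0)
}

# Usage (assumed path):
Protect-FolderWithEfs -Folder 'C:\Users\alice\Documents\Contracts'
```

Note that /W only addresses remanence on the volume holding the folder; copies that landed elsewhere (the printer spool folder discussed in the next item, temporary files on another volume) are not covered and need the same treatment on their own volume.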


How EFS Works

EFS Architecture and Algorithms

To understand EFS, and therefore anticipate problems, envision potential attacks, and troubleshoot and protect EFS-encrypted files, you should understand the architecture of EFS and the basic encryption, decryption, and recovery algorithms. Much of this information is in the Windows 2000 Resource Kit Distributed Systems Guide, the Windows XP Professional Resource Kit, and the white paper "Encrypting File System in Windows XP and Windows Server 2003." Many of the algorithms are also described in product documentation. The examples that follow are from the Windows XP Professional Resource Kit:

A straightforward discussion of the components of EFS, including the EFS service, EFS driver, and the File System Run Time Library, is found in "Components of EFS," a subsection of Chapter 17, "Encrypting File System," in the Windows XP Professional Resource Kit.

A description of the encryption, decryption, and recovery algorithms EFS uses is in the Resource Kit section "How Files Are Encrypted." This section includes a discussion of the file encryption keys (FEKs) and file Data Recovery Fields and Data Decryption Fields used to hold FEKs encrypted by user and recovery agent public keys.

"Working with Encryption" includes how-to steps that define the effect of decisions made about changing the encryption properties of folders. The table defines what happens for each file (present, added later, or copied to the folder) for the choice "This folder only" or the option "This folder, subfolders and files."

"Remote EFS Operations on File Shares and Web Folders" defines what happens to encrypted files and how to enable remote storage.
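The key hierarchy the Resource Kit describes (a per-file FEK, wrapped once per authorized user in a Data Decryption Field and once per recovery agent in a Data Recovery Field) is easiest to understand by building a small model of it. The PowerShell below is an added illustration written for this page, not EFS's own on-disk format, driver or API: the field names, the RSA key pairs, the sample text and the AES-CBC body encryption are constructed for the demonstration (EFS's real algorithms are DESX, 3DES or AES as discussed later in the article). It shows why sharing a file only adds a DDF entry, why a lost user key is fatal when no DRF exists, and how the recovery agent's archived key opens the file through the DRF.

```powershell
# Added model of the EFS key hierarchy (FEK, DDF, DRF) on .NET crypto classes.
# NOT the EFS on-disk format or driver API; names and sample data are constructed.

function Protect-EfsModelFile {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$UserKey,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryKey   # omitted = XP with no DRA
    )
    # 1. A fresh random File Encryption Key (FEK) for this file (AES, the XP SP1+ default).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $fek = $aes.Key; $iv = $aes.IV            # Key/IV getters return copies
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()
    # 2. Data Decryption Field: the FEK wrapped with the user's public key (OAEP).
    #    Every additional authorised user gets one more DDF entry; the body never changes.
    $ddf = @{ owner = $UserKey.Encrypt($fek, $true) }
    # 3. Data Recovery Field: the same FEK wrapped with the recovery agent's public key.
    $drf = @{}
    if ($RecoveryKey) { $drf['dra'] = $RecoveryKey.Encrypt($fek, $true) }
    [Array]::Clear($fek, 0, $fek.Length)    # the plain FEK is never stored
    [pscustomobject]@{ Body = $body; IV = $iv; DDF = $ddf; DRF = $drf }
}

function Unprotect-EfsModelFile {
    param($File, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey,
          [ValidateSet('DDF', 'DRF')][string]$Field, [string]$Entry)
    $wrapped = $File.$Field[$Entry]
    if (-not $wrapped) { throw "no $Field entry '$Entry': this key was never granted access" }
    # Unwrapping with a private key that does not match the entry throws a CryptographicException.
    $fek = $PrivateKey.Decrypt($wrapped, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
    $aes.Dispose(); [Array]::Clear($fek, 0, $fek.Length)
    return $plain
}

# --- Walk-through with constructed keys and data ---
$ownerKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$draKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$text     = [Text.Encoding]::UTF8.GetBytes('constructed sample: Q3 forecast (confidential)')
$file     = Protect-EfsModelFile -Plaintext $text -UserKey $ownerKey -RecoveryKey $draKey

# Normal use: the owner opens the file through the DDF.
[Text.Encoding]::UTF8.GetString((Unprotect-EfsModelFile $file $ownerKey DDF owner))

# Sharing (XP/2003 only): someone who can unwrap the FEK adds a DDF entry for a colleague.
$colleagueKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$fek = $ownerKey.Decrypt($file.DDF['owner'], $true)
$file.DDF['colleague'] = $colleagueKey.Encrypt($fek, $true)
[Array]::Clear($fek, 0, $fek.Length)
[Text.Encoding]::UTF8.GetString((Unprotect-EfsModelFile $file $colleagueKey DDF colleague))

# Lost profile: a reinstalled OS or damaged profile means a NEW key pair, so the old
# DDF entry is useless even though the account name is unchanged.
$replacementKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
try   { Unprotect-EfsModelFile $file $replacementKey DDF owner | Out-Null }
catch { "owner's replacement key fails as expected: $($_.Exception.Message)" }

# The recovery agent's archived private key still opens the file through the DRF ...
[Text.Encoding]::UTF8.GetString((Unprotect-EfsModelFile $file $draKey DRF dra))

# ... but a file encrypted on XP with no DRA carries no DRF: nothing to fall back on.
$orphan = Protect-EfsModelFile -Plaintext $text -UserKey $ownerKey
try   { Unprotect-EfsModelFile $orphan $draKey DRF dra | Out-Null }
catch { "no DRF: $($_.Exception.Message)" }
```

The model makes the article's recurring warning concrete: the body of the file is protected by the FEK alone, so whether the data survives a lost key depends entirely on which wrapped copies of that FEK exist and whose private keys have been archived.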


Key Differences Between EFS on Windows 2000, Windows XP, and Windows Server 2003

EFS was introduced in Windows 2000. However, there are differences when compared with Windows XP Professional EFS and Windows Server 2003 EFS, including the following:

You can authorize additional users to access encrypted files (see the section "Sharing Encrypted Files," above). In Windows 2000, you can implement a programmatic solution for the sharing of encrypted files; however, no interface is available. Windows XP and Windows Server 2003 have this interface.

Offline files can be encrypted. See "HOW TO: Encrypt Offline Files to Secure Data in Windows XP."

Data recovery agents are recommended but optional. XP doesn't automatically include a default recovery agent. XP will take advantage of an existing Windows 2000 domain-level recovery agent if one is present, but the lack of a domain recovery agent won't prevent encryption of files on an XP system. A self-signed recovery agent certificate can be requested by using the cipher /R:filename command, where filename is the name that will be used to create a *.cer file to hold the certificate and a *.pfx file to hold the certificate and private key.

The Triple DES (3DES) encryption algorithm can be used to replace Data Encryption Standard X (DESX), and after XP SP1, Advanced Encryption Standard (AES) becomes the default encryption algorithm for EFS.

For Windows XP and Windows Server 2003 local accounts, a password reset disk can be used to safely reset a user's password. (Domain passwords cannot be reset using the disk.) If an administrator uses the "reset password" option from the user's account in the Computer Management console users container, EFS files won't be accessible. If users change the password back to the previous password, they can regain access to encrypted files. To create a password reset disk and for instructions about how to use a password reset disk, see product documentation and/or the article "HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP" (305478).

Encrypted files can be stored in Web folders. The Windows XP Professional Resource Kit section "Remote EFS Operations in a Web Folder Environment" explains how.

Windows Server 2003 incorporates the changes introduced in Windows XP Professional and adds the following:

A default domain Public Key recovery policy is created, and a recovery agent certificate is issued to the Administrator account.

Certificate Services include the ability for customization of certificate templates and key archival. With appropriate configuration, archival of user EFS keys can be instituted and recovery of EFS-encrypted files can be accomplished by recovering the user's encryption keys instead of decrypting via a file recovery agent. A walk-through providing a step-by-step configuration of Certificate Services for key archival is available in "Certificate Services Example Implementation: Key Archival and Recovery."

Windows Server 2003 enables users to back up their EFS key(s) directly from the command line and from the details property page by clicking a "Backup Keys" button.
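The cipher /R:filename command mentioned above, together with the recovery-policy section's advice to archive the recovery agent's private key off the computer, can be scripted end to end. The PowerShell below is an added example, not from the article or from Microsoft; the paths ($base, $vault) are assumptions, $vault standing for removable media. It creates the self-signed recovery agent certificate, verifies that the .cer carries the File Recovery enhanced key usage that the Public Key Policy snap-in expects, moves the .pfx off the workstation, and lists the encrypted files that will need their recovery field refreshed once the new agent is in policy.

```powershell
# Added example (not from the article): provision and archive a recovery agent
# certificate with cipher /R, and find files that need updating afterwards.
$base  = 'C:\DRA\efs-dra'   # assumed; cipher appends .cer and .pfx to this name
$vault = 'E:\dra-vault'     # assumed removable media, kept in a physically secure place

New-Item -ItemType Directory -Force -Path (Split-Path $base), $vault | Out-Null
cipher.exe /R:$base          # prompts twice for the password that protects the .pfx
$cer = "$base.cer"; $pfx = "$base.pfx"
if (-not ((Test-Path $cer) -and (Test-Path $pfx))) { throw 'cipher /R did not produce both files' }

# The .cer is what goes into Public Key Policies; check it carries the File Recovery EKU.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
[pscustomobject]@{
    Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
    Expires = $cert.NotAfter; FileRecoveryEku = [bool]$hasFileRecovery
}

# Archive: the .pfx (certificate + private key) leaves the workstation; only the .cer stays.
Move-Item -LiteralPath $pfx -Destination $vault
# Nothing with this thumbprint should remain in the local stores; empty output is the goal.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $cert.Thumbprint

# Files encrypted before the policy change hold no DRF for the new agent. On
# Windows XP and later, 'cipher /U' rewrites the DDF/DRF of every encrypted file on
# local drives with the current keys; this lists what that will touch (read-only).
function Get-EfsEncryptedFile {
    param([string[]]$Root = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root))
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, LastWriteTime
}
Get-EfsEncryptedFile | Format-Table -AutoSize
# After the .cer has been added as a Data Recovery Agent in Public Key Policies:
#   cipher.exe /U
```

Running cipher /U as each file's owner (or after the owner's next logon, when EFS refreshes the fields itself) is what turns the new agent from a policy entry into an actual recovery path; until then, files listed by Get-EfsEncryptedFile are recoverable only with the previous agent's archived .pfx.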


Misuse and Abuse of EFS and How to Avoid Data Loss or Exposure

Unauthorized persons may attempt to obtain the information encrypted by EFS. Sensitive data may also be inadvertently exposed. Two possible causes of data loss or exposure are misuse (improper use of EFS) or abuse (attacks mounted against EFS-encrypted files or systems where EFS-encrypted files exist).

Inadvertent Problems Due to Misuse

Several issues can cause problems when using EFS. First, when improperly used, sensitive files may be inadvertently exposed. In many cases this is due to improper or weak security policies and a failure to understand EFS. The problem is made all the worse because users think their data is secure and thus may not follow usual precautionary methods. This can occur in several scenarios:

If, for example, users copy encrypted files to FAT volumes, the files will be decrypted and thus no longer protected. Because the user has the right to decrypt files that they encrypted, the file is decrypted and stored in plaintext on the FAT volume. Windows 2000 gives no warning when this happens, but Windows XP and Windows Server 2003 do provide a warning.

If users provide others with their passwords, these people can log on using these credentials and decrypt the user's encrypted files. (Once a user has successfully logged on, they can decrypt any files the user account has the right to decrypt.)

If the recovery agent's private key isn't archived and removed from the recovery agent profile, any user who knows the recovery agent credentials can log on and transparently decrypt any encrypted files.
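The first scenario (an encrypted file silently written in plaintext because the destination volume cannot hold the encryption attribute) is worth guarding in any script that moves sensitive files, since Windows 2000 raises no warning at all. The function below is an added example, not part of the article; the file and destination paths are assumptions. It checks the file system of the destination volume before copying and confirms afterwards that the copy is still encrypted.

```powershell
# Added example (not from the article): refuse to copy an EFS-encrypted file to a
# destination that cannot keep it encrypted. Paths in the usage line are assumed.
function Copy-EfsFile {
    param(
        [Parameter(Mandatory)][string]$Path,          # source file
        [Parameter(Mandatory)][string]$Destination    # full path of the copy, not a folder
    )
    $src = Get-Item -LiteralPath $Path
    $encrypted = [bool]($src.Attributes -band [IO.FileAttributes]::Encrypted)
    if (-not $encrypted) {
        Copy-Item -LiteralPath $Path -Destination $Destination
        return
    }

    # Resolve the destination's volume root; only local drive letters can be queried.
    $destDir = Split-Path -Parent $Destination
    $root = [IO.Path]::GetPathRoot((Convert-Path -LiteralPath $destDir))
    if ($root -notmatch '^[A-Za-z]:\\$') {
        throw "refusing: $Destination is not on a local volume, so its file system cannot be checked; " +
              "a remote or removable target may store the file in plaintext"
    }
    $fs = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($fs -ne 'NTFS') {
        throw "refusing: $root is $fs; EFS needs NTFS, and the copy would be written in plaintext"
    }

    Copy-Item -LiteralPath $Path -Destination $Destination
    # The copy is re-encrypted with the caller's key; confirm the attribute survived.
    $dst = Get-Item -LiteralPath $Destination
    if (-not ($dst.Attributes -band [IO.FileAttributes]::Encrypted)) {
        throw "copy at $Destination is NOT encrypted; remove it and investigate before continuing"
    }
}

# Usage (assumed paths):
Copy-EfsFile -Path 'C:\Users\alice\Documents\plan.docx' -Destination 'D:\backup\plan.docx'
```

The same DriveFormat test is the check to run before pointing backup or synchronization jobs at a volume: it is the destination's file system, not the source's encryption, that decides whether the copy stays protected.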

By far, the most frequent problem with EFS occurs when EFS encryption keys and/or recovery keys aren't archived. If keys aren't backed up, they cannot be replaced when lost. If keys cannot be used or replaced, data can be lost. If Windows is reinstalled (perhaps as the result of a disk crash) the keys are destroyed. If a user's profile is damaged, then keys are destroyed. In these, or in any other cases in which keys are damaged or lost and backup keys are unavailable, then encrypted files cannot be decrypted. The encryption keys are bound to the user account, and a new iteration of the operating system means new user accounts. A new user profile means new user keys. If keys are archived, or exported, they can be imported to a new account. If a recovery agent for the files exists, then that account can be used to recover the files. However, in many cases in which keys are destroyed, both user and recovery keys are absent and there is no backup, resulting in lost data.

Additionally, many other smaller things may render encrypted files unusable or expose some sensitive data, such as the following:

"EFS Files Appear Corrupted When You Open Them" (329741) explains that AES is used to encrypt files after XP SP1 has been installed. This means that these files cannot be decrypted if they're moved to a pre-XP SP1 computer or a Windows 2000 computer since the AES algorithm won't be available.

"EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset" (290260).

"User Cannot Gain Access to EFS Encrypted Files After Password Change or When Using a Roaming Profile."

You can find instructions for using cipher.exe at "HOW TO: Use Cipher.exe to Overwrite Deleted Data in Windows" (315672), which introduces this new tool.

"Access Is Denied Error Message When Encrypting or Decrypting Files or Folders" (264064) may be the result when encrypting or attempting to encrypt system folders.

Don't encrypt system files. "Logon Process Hangs After Encrypting Files on Windows 2000" (269397), for example, explains that if you've encrypted a system file such as Autoexec.bat, the file cannot be decrypted because it's processed before logon.

    Finally, keeping data secure takes more than simply encrypting files. A systems-wide approach to securityis necessary. You can find several articles that address best practices for systems security on the TechNetBest Practices pageat http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx . The articlesinclude

"Security Considerations for End Systems"

"Security Considerations for Administrative Authority," which discusses security in an enterprise

"Security Entities Building Block Architecture"

Attacks and Countermeasures: Additional Protection Mechanisms for Encrypted Files

Any user of encrypted files should recognize potential weaknesses and avenues of attack. Just as it's not enough to lock the front door of a house without considering back doors and windows as avenues for a burglar, encrypting files alone isn't enough to ensure confidentiality.

Use defense in depth and use file permissions. The use of EFS doesn't obviate the need to use file permissions to limit access to files. File permissions should be used in addition to EFS. If users have obtained encryption keys, they can import them to their account and decrypt files. However, if the user accounts are denied access to the file, the users will be foiled in their attempts to gain this sensitive information. The two controls cover different threats: NTFS permissions are enforced only by a running Windows kernel and are bypassed by anyone who reads the disk offline, which is exactly the case EFS protects against, while EFS alone does nothing to stop an account that holds a valid key.

Use file permissions to deny delete. Encrypted files can be deleted. If attackers cannot decrypt the file, they may choose to simply delete it. While they don't have the sensitive information, you don't have your file. Deny the Delete permission to accounts that only need to read the data, and keep tested backups so that destruction is recoverable.

Protect user credentials. If an attacker can discover the identity and password of a user who can decrypt a file, the attacker can log on as that user and view the files. Protecting these credentials is paramount. Once an attacker has successfully logged on with a compromised account, the attacker can decrypt any files that account has the right to decrypt. A strong password policy, user training on devising strong passwords, and best practices on protecting these credentials will assist in preventing this type of attack. An excellent best practices approach to password policy can be found in the Windows Server 2003 product documentation.

Protect recovery agent credentials. Similarly, if an attacker can log on as a recovery agent, and the recovery agent private key hasn't been removed, the attacker can read the files. Best practices dictate the removal of the recovery agent keys, the restriction of this account's usage to recovery work only, and the careful protection of credentials, among other recovery policies. The sections about recovery and best practices detail these steps.

Seek out and manage areas where plaintext copies of the encrypted files, or parts of them, may exist. If attackers have possession of, or access to, the computer on which encrypted files reside, they may be able to recover sensitive data from these areas, including the following:

o Data shreds (remanence) that exist after encrypting a previously unencrypted file (see the "Special Operations" section of this paper for information about using cipher.exe to remove them)

o The paging file (see "Increasing Security for Open Encrypted Files," an article in the Windows XP Professional Resource Kit, for instructions and additional information about how to clear the paging file on shutdown)

o Hibernation files (see "Increasing Security for Open Encrypted Files" at http://technet.microsoft.com/library/bb457116.aspx)

o Temporary files (determine where applications store their temporary files and encrypt those folders as well)

o Printer spool files (see the "Special Operations" section)

Provide additional protection by using the System Key. Using Syskey provides additional protection for password values and values protected in the Local Security Authority (LSA) Secrets (such as the master key used to protect users' cryptographic keys). Read the article "Using the System Key" in the Windows 2000 Resource Kit's Encrypting File System chapter. A discussion of the use of Syskey, and possible attacks against a Syskey-protected Windows 2000 computer and countermeasures, can be found in the article "Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System."
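As an added example (not code from the original article), the following PowerShell script applies the countermeasures listed above to one folder on a modern Windows host: folder-level encryption, an NTFS deny-Delete entry alongside EFS, an optional wipe of free space to remove plaintext remnants with cipher /w, clearing the paging file at shutdown, turning hibernation off, and a final check that every file under the folder carries the Encrypted attribute. The folder path and the group name CONTOSO\Finance are placeholders, and it assumes an elevated session on an NTFS volume with cipher.exe and icacls.exe available.

```powershell
# Added example, not from the original article. Placeholders: $Folder and the
# CONTOSO\Finance group. Run in an elevated PowerShell session on an NTFS volume.
param(
    [string]$Folder        = "$env:USERPROFILE\Documents\Sensitive",
    [string]$DenyDeleteFor = 'CONTOSO\Finance',   # hypothetical group name
    [switch]$WipeFreeSpace                         # cipher /w is slow, so opt in
)

# 1. Encrypt at the folder level (not individual files) so that every file
#    created or copied into it is encrypted from the start.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
cipher.exe /e /s:"$Folder" | Out-Null

# 2. Defense in depth: an attacker who cannot decrypt can still delete, so add
#    an NTFS deny for Delete (DE) and Delete Subfolders and Files (DC) that is
#    inherited by new objects (OI = object inherit, CI = container inherit).
icacls.exe "$Folder" /deny "$($DenyDeleteFor):(OI)(CI)(DE,DC)" | Out-Null

# 3. Data remanence: the plaintext of files that existed before step 1 is still
#    in unallocated space until it is overwritten. cipher /w overwrites all
#    free space on the volume that holds the folder.
if ($WipeFreeSpace) {
    $volume = (Get-Item $Folder).PSDrive.Root        # e.g. C:\
    cipher.exe /w:"$volume"
}

# 4. The paging file and hiberfil.sys hold plaintext of files that were open.
#    Clear the page file at shutdown and turn hibernation off (removes hiberfil.sys).
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord
powercfg.exe /hibernate off

# 5. Verify: report anything under the folder that is not encrypted.
$plain = Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
if ($plain) {
    $plain | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
} else {
    "All files under $Folder are EFS-encrypted."
}
```

The deny entry in step 2 also stops the group's legitimate members from deleting, so apply it to the read-only audience, not to the file owner. Step 3 wipes the whole volume's free space, which is the only way to reach the plaintext left behind by the original unencrypted copies; it is not needed for files that were created inside the folder after it was encrypted.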


Remote Storage of Encrypted Files Using SMB File Shares and WebDAV

If your policy is to require that data is stored on file servers, not on desktop systems, you will need to choose a strategy for doing so. Two possibilities exist: either storage in normal shared folders on file servers or the use of Web folders (WebDAV). Both methods require configuration, and you should understand their benefits and risks.

If encrypted files are going to be stored on a remote server, the server must be configured to do so, and an alternative method, such as IP Security (IPsec) or Secure Sockets Layer (SSL), should be used to protect the files during transport. EFS on an SMB share protects the file only at rest: the server decrypts the file when it is read and encrypts it when it is written, so the contents cross the network in plaintext unless the transport itself is protected. Instructions for configuring the server are discussed in "Recovery of Encrypted Files on a Server" (283223) and "HOW TO: Encrypt Files and Folders on a Remote Windows 2000 Server" (320044). However, the latter doesn't mention a critical step, which is that the remote server must be trusted for delegation in Active Directory. Quite a number of articles can be found, in fact, that leave out this step. If the server isn't trusted for delegation in Active Directory and a user attempts to save an encrypted file to the remote server, an "Access Denied" error message will be the result.

If you need to store encrypted files on a remote server in plaintext (local copies are kept encrypted), you can. The server must, however, be configured to make this happen. You should also realize that once the server is so configured, no encrypted files can be stored on it. See the article "HOW TO: Prevent Files from Being Encrypted When Copied to a Server" (302093).

You can store encrypted files in Web folders when using Windows XP or Windows Server 2003. In this case EFS does its work on the client, and the file travels to and from the WebDAV server in its encrypted form, so the server never needs the user's keys and no delegation is involved. The Windows XP Professional Resource Kit section "Remote EFS Operations in a Web Folder Environment" explains how.

If your Web applications need to require authentication to access EFS files stored in a Web folder, the code for using a Web folder to store EFS files and require authentication to access them is detailed in "HOW TO: Use Encrypting File System (EFS) with Internet Information Services" (243756).
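As an added example (not part of the original article), this PowerShell script checks the prerequisite the articles above tend to omit, that the file server's computer account is trusted for delegation, and then round-trips a probe file to confirm that EFS actually takes effect on the share. The server name FS01, the share name Finance$, and the presence of the RSAT ActiveDirectory module on the administrator's workstation are assumptions.

```powershell
# Added example, not from the original article. Placeholders: FS01, Finance$.
# Requires the ActiveDirectory PowerShell module (RSAT) on the workstation.
param(
    [string]$Server = 'FS01',
    [string]$Share  = 'Finance$'
)

# 1. The server must be trusted for delegation: it has to impersonate the
#    caller to reach the caller's EFS certificate and private key. Without
#    this, saving an encrypted file to the share fails with "Access Denied".
$computer = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
if (-not $computer.TrustedForDelegation) {
    Write-Warning "$Server is not trusted for delegation; EFS writes to its shares will fail."
}

# 2. Round-trip a probe: create a file on the share, encrypt it, and read the
#    attribute back. A unique name avoids touching a real file.
$unc  = "\\$Server\$Share"
$file = Join-Path $unc ("efs-probe-{0}.txt" -f [guid]::NewGuid())
Set-Content -Path $file -Value 'constructed probe content'
cipher.exe /e "$file" | Out-Null
$isEncrypted = ((Get-Item $file).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
Remove-Item -Path $file -Force

# 3. Interpret the result. If the server has been configured to keep files in
#    plaintext (KB 302093), the attribute will not be set either.
if ($isEncrypted) {
    "EFS is working on $unc. The server decrypts on read and encrypts on write," +
    " so the SMB traffic itself still needs IPsec or another transport protection."
} else {
    "EFS did not take effect on $unc: check delegation, that the volume is NTFS," +
    " and that the server has not been configured to store files in plaintext."
}
```

Run it as the user who will be storing the files, not as a domain administrator, so that the delegation path being exercised is the one that will be used in production.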

Best Practices for SOHO and Small Businesses

Once you know the facts about EFS and have decided how you are going to use it, you should use these documents as a checklist to determine that you have designed the best solution.

"Best Practices for Encrypting File System" (223316) lists several best practices.

Best Practices: Windows 2000 Resource Kit, "Administrative Procedures," an article in the EFS chapter of the Windows 2000 Resource Kit, provides insight into the management procedures that should or can be done, including ensuring recovery, disabling EFS, recovery, configuring the agent policy, and viewing recovery agent information. These are best practices from the administrative perspective.

"Best Practices for Encrypting File System" is included in the Windows 2000 Server product documentation.

The white paper "Encrypting File System in Windows XP and Windows Server 2003" provides much information about the pluses and minuses of different EFS techniques and many sound practices for managing encryption.


Enterprise How-tos

How to Implement Data Recovery Strategies with PKI and How to Implement Key Recovery with PKI

By default, EFS certificates are self-signed; that is, EFS works without a certificate issued by a CA. When a user first encrypts a file, EFS looks for an existing EFS certificate. If one isn't found, it looks for a Microsoft Enterprise CA in the domain. If a CA is found, a certificate is requested from the CA; if not, a self-signed certificate is created and used. However, more granular control of EFS, including EFS certificates and EFS recovery, can be established if a CA is present. You can use Windows 2000 or Windows Server 2003 Certificate Services. The following articles explain how.

"Using a Certificate Authority for the Encrypting File Service" (223338) provides three reasons for using a CA.

"Using the Cipher.exe Utility to Migrate Self-Signed Certificates to Certification Authority Issued Certificates" (295680) explains that running cipher /k will archive the self-signed certificate and request a new EFS certificate from the CA.

The User, Basic EFS, and Administrator certificate templates support EFS use; an EFS Recovery Agent certificate is required for recovery operations.

Implementation of Certificate Services for public key infrastructure (PKI) is detailed in the articles "Step-by-Step Guide to Encrypting File System (EFS)" and "Certificate Services Example Implementation: Key Archival and Recovery."


Troubleshooting

Troubleshooting EFS is easier if you understand how EFS works. There are also well-known causes for many of the common problems that arise. Here are a few common problems and their solutions:

You changed your user ID and password and can no longer decrypt your files. There are two possible approaches to this problem, depending on what you did. First, if the user account was simply renamed and the password reset, the problem may be that you're using XP and this response is expected. When an administrator resets an XP user's account password (as opposed to the user changing it, which re-protects the key material), the account loses access to its EFS certificate and private key, because the DPAPI master key that protects the private key is derived from the old password. Changing the password back to the previous password can reestablish your ability to decrypt your files. For more information, see "User Cannot Gain Access to EFS Encrypted Files After Password Change or When Using a Roaming Profile" (331333), which explains how XP Professional encrypted files cannot be decrypted, even by the original account, if an administrator has reset the password. Second, if you truly have a completely different account (your account was damaged or accidentally deleted), then you must either import your keys (if you've exported them) or ask an administrator to use recovery agent keys (if implemented) to recover the files. Restoring keys is detailed in "HOW TO: Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000" (242296). How to use a recovery agent to recover files is covered in "Five-Minute Security Advisor: Recovering Encrypted Data Using EFS."

You've formatted your hard disk and reinstalled the operating system and cannot decrypt your encrypted files. Unless you've exported your EFS keys, or a recovery agent existed and those keys are available, you will not be able to decrypt your files. If your keys, or those of the recovery agent, are available, then it should be possible to either import your keys and decrypt the file or import the recovery agent keys (if necessary) and recover the file. You can determine who the recovery agent of a file is by using efsinfo.exe in Windows 2000 or by looking at the Advanced file properties in XP Professional or Windows Server 2003.

There is no Advanced button on the file properties page of your Windows XP Home computer, so you cannot mark the file for encryption. No solution is necessary because Windows XP Home doesn't have EFS.
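As an added example (not code from the original article), this PowerShell script does the two things the troubleshooting entries above depend on: it backs up the current user's EFS certificate and private key to a password-protected .pfx on removable media with cipher /x, and it lists who can decrypt a given file, including any recovery agent, with cipher /c, warning when no recovery certificate is present. It assumes cipher.exe from Windows XP SP2/Windows Server 2003 or later (the /x, /c and /u switches), that E:\ is the removable drive, that the file path is a placeholder, and that the English "No recovery certificate found" wording in cipher's output is what the string match looks for.

```powershell
# Added example, not from the original article. Placeholders: E:\EFS-Backup
# (removable media) and the file path. Needs cipher.exe with /x, /c and /u.
param(
    [string]$BackupDir = 'E:\EFS-Backup',
    [string]$File      = "$env:USERPROFILE\Documents\Sensitive\plan.docx"
)

# 1. Back up the user's EFS certificate and private key. cipher /x prompts
#    for a password and writes <name>.pfx. Keep the media offline: this .pfx
#    is everything an attacker needs to decrypt this user's files.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxBase = Join-Path $BackupDir ('efs-{0}-{1:yyyyMMdd}' -f $env:USERNAME, (Get-Date))
cipher.exe /x "$pfxBase"
if (-not (Test-Path "$pfxBase.pfx")) {
    Write-Warning "No backup written to $pfxBase.pfx; check the password prompt."
}

# 2. Who can decrypt the file? cipher /c prints the users' certificate
#    thumbprints and the recovery certificates stamped into the file.
$report = cipher.exe /c "$File"
$report

# 3. Turn the report into a yes/no: a file with no recovery certificate is
#    unrecoverable if this user's key is ever lost. (Assumes the English
#    cipher.exe wording "No recovery certificate found".)
$noDra = $report | Where-Object { $_ -match 'No recovery certificate found' }
if ($noDra) {
    Write-Warning "$File has no recovery agent. Define a DRA in policy, then run 'cipher /u' so existing files pick it up."
}
```

Test the backup before relying on it: import the .pfx into a scratch account on a second machine and confirm it opens a copy of an encrypted file. A recovery agent added to policy after a file was encrypted is not in that file until cipher /u (or a rewrite of the file) updates it, which is why step 3 is worth running across a whole tree rather than on one file.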

Many other common issues have to do with why users get "Access Denied" messages. (The reason is that they're attempting to access files encrypted by someone else.) By far, however, the largest issue is the recovery of EFS files after a disk crash. See the following articles for troubleshooting other EFS issues:

    The Troubleshooti