Sequence of the file encryption process. Controlling the Encrypting File System (EFS) using Group Policy


Let's assume you have a computer running the most recent version of Windows. You play shooters on it, write your dissertation, do the books for a sole proprietorship on the simplified tax system, and generally have as much fun as you can. But suddenly, for no good reason, you begin to feel that something from outside threatens the security of some of the data stored on your personal computer. Feverishly, you read numerous cyber forums and realize with horror that none of the data on your hard drive is protected in any way. And if your beloved computer is stolen, and the risk of theft for portable equipment is not that low, the thief will get at the entire contents of the hard drive! Oh, my priceless dissertation!

Let's try to figure out whether it is really possible to gain unauthorized access to files if the computer is running Windows 10. Engineers at IBM, and later at Microsoft, spent a lot of effort implementing a system of file permissions in NTFS (back in IBM's day it was HPFS). If Win10 is running on the computer, it is very, very difficult to get at other people's files without permission, and if access is blocked outright, it is simply impossible. Windows reliably protects user files.

But as soon as you boot into another operating system, for example Linux Mint, all the user files are at your fingertips. Copy whatever you want. You can boot Mint from a flash drive or from a CD-ROM; you just need to get into UEFI (BIOS) and enable booting from removable drives, if that has not been enabled already, or use the boot menu. Suppose you set a password on UEFI and disable boot device selection entirely; then your files are a little better protected. But an attacker can simply unscrew your computer, pull out the hard drive, connect it to another computer and copy everything he needs. After all, the data in the form of files will be in his hands like an open notebook.

IT specialists know that you can secure the data on your computer to some extent using BitLocker technology. BitLocker is a good thing, but it only lets you encrypt entire partitions on disks, physical or virtual. At the same time, the safety of the keys is ensured, including storage in a TPM module, which is very convenient. However, encrypting everything and everyone is not always convenient, although, of course, full disk encryption does make some sense. But for some reason everyone forgets about partial encryption of files and directories.

In Windows 10, as in its previous incarnations, there is an Encrypting File System (EFS). This feature is available from the Pro edition upward, so if you have the Home edition of Windows, you need to upgrade to at least Pro. Wikipedia has a lot written about how and what is encrypted in EFS. I will just try to explain everything as simply as possible and give the most detailed instructions for enabling protection for your files.

In addition to having at least the Pro edition, you need to work under a user account that has a password. The password must exist, whether it is linked to a Microsoft cloud account or is a completely local password. Whether you sign in with a PIN code or a picture password does not matter; what matters is that a password is associated with your account. Besides a password on the active account, the protected files and directories must be located on a disk or partition with the NTFS file system. Most likely, that is exactly the file system you have.

Data encryption is completely transparent to users and to the vast majority of software products, because encryption takes place at the NTFS file system level. You can encrypt a single file or an entire folder at once. You can encrypt an empty folder and then add new files to it, and they will be encrypted too, or you can encrypt a folder with files and directories already inside. The choice is yours.

When working with encrypted folders and files, consider the following:

  1. Files stay encrypted until they are transferred to any file system other than NTFS. For example, you copy an encrypted file to a flash drive. If it is FAT32, and it most likely is, the file will be decrypted. In Windows 10 Microsoft has nevertheless implemented a feature whereby the file remains encrypted even if you move it to a flash drive with FAT, so be vigilant if you pass any files to a friend. Will he be able to open them later without swearing? If you send a file by e-mail, it will be decrypted (otherwise there would be no point in sending it). When a file is transferred over the network, it is decrypted as well.
  2. When moving between NTFS partitions, the file remains encrypted. When moving a file from one NTFS disk to another NTFS disk, the file stays encrypted. When you copy a file to a removable hard drive with the NTFS file system, it will be encrypted in its new location.
  3. If the account password is forcibly changed by a third party, for example an administrator, or the password of a linked domain account or cloud service is forcibly reset, access to the files without the backup certificate (generated during the first encryption) will no longer be possible.

The last point is very important, especially for people with unreliable memory who constantly reset their passwords. Such a trick can result in permanently encrypted files, unless, of course, you import the saved certificate back into the system. However, when the password change is voluntary, for example in accordance with a password change policy, no untimely loss of encrypted files will occur.

Skeptics will quite rightly note that such protection, like BitLocker, is not super reliable: they say hackers can guess the password if it is weak, and the intelligence services will decipher everything. Indeed, they can simply guess your password if it is short and simple. And that is why the special services are special services, to have the technical means to get at the files of overly suspicious users. What's more, once you are logged in, you immediately have transparent access to all your EFS-encrypted files. And if there is a Trojan or virus on your computer, it will gain access to your precious files in exactly the same way. Computer hygiene should be strictly observed.

Detailed instructions for enabling encryption using EFS under Win10 Pro on a folder

Below I offer step-by-step, precise instructions on how to encrypt a folder with files in it. An individual file is encrypted the same way.

Step 1. Let's create a folder. Let it be called “My Pictures”.

Creating a directory

Step 2. Right-click the folder and select “Properties” from the context menu.

Right click on the folder and get this

Step 3. In the “Properties” window, go to the folder's extended attributes by clicking the “Other...” button.

Folder properties

Step 4. Check the box next to “Encrypt content to protect data” and click OK. If you need to cancel encryption, uncheck the same box and the files will be decrypted.

In folder properties extended attributes

Step 5. Finish with “Properties” and click OK or “Apply”.

Step 6. In the dialog box that appears, choose to apply the change to our folder and all its contents.

Select the desired encryption item

That's it: our folder and all its contents are encrypted with EFS. If you wish, you can check that the folder and all the files in it are securely closed to outsiders.

Step 7. Repeat steps 1-3 and see that the “encrypt” checkbox is checked and that the “Details” button next to it is active. Click “Details”.

Checking what's encrypted

Step 8. In the window that appears, we see that this file has only one access certificate, belonging to a single user, and no certificates for restoring access are installed.

The folder is encrypted with one certificate

You can also tell that a particular file is encrypted in Windows Explorer: a lock icon appears on the file.

Gallery with encrypted pictures. Only the account owner can view them.

The icon appears in all the other file and Explorer views too. True, on some icons the lock is very hard to see and you have to look closely.

The same gallery, only in the form of a table. Locks in the upper right corner of the icon.
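The same encrypt-and-check procedure from the command line, as an added example that is not part of the original article: cipher.exe (built into Windows) encrypts the folder, the Encrypted file attribute is audited for every file beneath it, and cipher /c prints the same certificate information the “Details” button shows. The folder path is an assumption; the script must run as the user who will own the data, on an NTFS volume, on Windows 10 Pro or higher.

```powershell
# Added example (not the article's own): encrypt a folder with cipher.exe, then verify
# that every file beneath it really is encrypted and show who can decrypt it.
# Assumptions: $Folder is on an NTFS volume; run as the owning user.
$Folder = 'C:\Users\Alice\My Pictures'   # assumed path; change to your own folder

if (-not (Test-Path -LiteralPath $Folder)) { throw "Folder not found: $Folder" }

# /e = encrypt, /s:dir = apply to the directory and everything beneath it.
# Files that are currently open in another program cannot be encrypted; cipher reports
# them in its output, which is why the audit below follows.
cipher.exe /e /s:"$Folder"

# Audit: every file should now carry the Encrypted attribute (the "E" Explorer shows in
# its Attributes column). Anything without it is still stored in clear text.
$files       = Get-ChildItem -LiteralPath $Folder -Recurse -File
$unencrypted = $files | Where-Object {
    -not $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
}
if ($unencrypted) {
    Write-Warning 'Still NOT encrypted (close the programs using them and run again):'
    $unencrypted | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    "All $($files.Count) files under '$Folder' are encrypted."
}

# /c lists, per file, the user certificates that can decrypt it and any recovery
# certificates, i.e. the same information as the Details button in the GUI.
cipher.exe /c /s:"$Folder"
```

To reverse the operation, run cipher.exe /d /s:"$Folder" and repeat the audit expecting no file to carry the attribute.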

After the first files have been encrypted, Windows prompts you to make a copy of the certificate, the same certificate that will allow you to decrypt the files if something suddenly goes wrong with your computer (the system was reinstalled, the password was reset, the disk was moved to another computer, etc.).

Step 9. To save the backup recovery certificate, click on the key archiving icon.

Tray icon calling for archiving the backup certificate to restore encryption

Step 10. In the window that appears, select “Archive now.”

Choosing when to archive

Step 11. In the export wizard's dialog box, click “Next”.

Certificate Export Wizard window

Step 12. If you only use EFS encryption, you can leave the default values and click “Next”.

Backup certificate export settings

Step 13. It makes sense to protect the exported certificate with a password. Enter a password; it can be anything, not necessarily your e-mail or Windows password. Click “Next”.

Enter a password to further protect the recovery certificate

Step 15. Confirm the result by clicking OK.

Finishing the export wizard

And that's all. The exported certificate should be copied to a safe place, for example a floppy disk, a flash drive, or secure cloud storage. Leaving the recovery certificate on your computer is a bad idea, so after saving it in a “safe place”, delete the file from the computer and empty the Recycle Bin.
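The same backup that the export wizard performs in steps 9-15 (and that the second article below describes again), done from PowerShell as an added example that is not part of the original article: the script finds the current user's EFS certificate by its Encrypting File System key usage, exports it with its private key to a password-protected PFX on removable media, and reads the PFX back to confirm it matches. The destination path is an assumption.

```powershell
# Added example (not the article's own): back up the EFS certificate and private key.
# Assumption: E:\ is removable media, so the backup never stays on the system drive.
$Pfx = 'E:\efs-backup.pfx'   # assumed destination

# EFS user certificates carry the "Encrypting File System" enhanced key usage,
# OID 1.3.6.1.4.1.311.10.3.4. Pick the newest one that has a private key.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key found for this user.' }
"Exporting EFS certificate $($efsCert.Thumbprint), valid until $($efsCert.NotAfter)"

# The password protects the private key inside the PFX; it is the one the wizard asks for
# in step 13 and it is needed again when the certificate is imported on another system.
$pw = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $efsCert -FilePath $Pfx -Password $pw | Out-Null

# Sanity check: the PFX opens with that password and contains the same certificate.
$check = Get-PfxData -FilePath $Pfx -Password $pw
if ($check.EndEntityCertificates.Thumbprint -ne $efsCert.Thumbprint) {
    throw 'Backup does not contain the expected certificate.'
}
"Backup written to $Pfx. Copy it to a second safe location as well."
```

The built-in equivalent is cipher.exe /x:E:\efs-backup, which prompts for the password and writes the same kind of PFX.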

By the way, you can also encrypt the directories into which cloud files are synchronized on your computer, for example OneDrive, Dropbox, Yandex Disk and many others. If you want to encrypt such a folder, first quit the cloud synchronization application or pause synchronization. It is also worth closing all open files in the directory to be encrypted, for example closing Word, Excel or other programs. After that, you can enable encryption on the selected folder. When the encryption procedure is complete, you can turn synchronization back on. Otherwise, encryption may not cover all the files in the folder, because the built-in system can only encrypt files that are writable. And yes, when synchronizing to the cloud, the files are decrypted, and in the cloud they will no longer be encrypted.

You must sign out of OneDrive before encryption can begin.

Now it is time to test how well EFS encryption works. I created a text file in an encrypted directory and then booted into Linux Mint from a flash drive. This Linux distribution works with NTFS hard drives without trouble, so getting to the contents of my hard drive was not difficult.

Create a file with text in an encrypted folder.

However, when I tried to open files from the encrypted folder, I was disappointed. Not a single file could be opened. The Linux Mint viewers bravely reported that they had no access to the specified files. But all the others opened without a hitch.

Encrypted files in Win10 are visible from Mint, but cannot be opened.

“Aha!” said the stern Siberian men. But if you write an encrypted file to a flash drive, it will probably remain encrypted. And if you then transfer it to another computer, under a different operating system, will it suddenly open? No, it won't. Or rather, it will open, but its contents will be completely unreadable. It's encrypted.

An attempt to open an encrypted text file recorded on a flash drive.

In general, EFS can be used, and in some cases it even must be. So if you are running Windows 10 Pro or higher, assess the risk of strangers getting access to your PC or laptop and whether they would be able to obtain your confidential files. Maybe something should be encrypted today?

There are a lot of rumors about Canon lenses on the Internet; I admit honestly that until recently I myself was mistaken about the difference between EF and EF-S lenses. In this article I have tried to collect some information about them that will help you choose one variant or the other, put an end to the disputes and dispel some myths.

Let's first decipher the abbreviation EF: it comes from Electro-Focus. With the EF mount came an autofocus system built into the optics, i.e. there are no moving parts between the lens and the camera, only electrical contacts, and an electric motor in the lens handles focusing and the aperture. By the way, the first EF-series lens appeared back in 1987.

EF-S is a modification of the mount for cameras with an APS-C sensor, developed in 2003. The "S" stands for Short Back Focus. The rear optical element in such lenses sits closer to the sensor than in EF lenses. For comparison, here is a picture of two lenses with the different mount variants.

Left lens EF, right EF-S

As you can see, on the right-hand lens the rear element sits behind the mount flange, i.e. when mounted on the camera it will be noticeably closer to the sensor. In fact, this is the only, but very important, difference. The point is that EF-S optics cannot be used with full-frame cameras: despite the compatible mount, the protruding element can damage the camera's mirror. EF lenses, on the other hand, are compatible with and can be used on any Canon EOS camera (DSLR).

For APS-C cameras, lens focal lengths must be converted. To calculate the focal length equivalent to that obtained on a full-frame sensor, multiply the values indicated on the lens by 1.6. There is a widespread opinion on the Internet that for the EF-S series this is not necessary and the values marked on the optics already take the conversion into account. This is wrong. As an example, here is the description of the new Canon EF-S 18-55mm f/3.5-5.6 IS II lens from the company's official website:

The EF-S 18-55mm f/3.5-5.6 IS II is a high-quality, standard zoom lens that will appeal to photographers who prefer to travel light. With a focal length equivalent of 29-88mm in 35mm format…

As you can see, for these lenses the standard conversion of focal lengths applies, and 18-55 becomes 29-88mm. A completely logical question arises: why bother with all this? According to Canon, this design made it possible to make lighter, smaller lenses. In fact, it is quite possible that this is done so that inexpensive lenses are not used with expensive full-frame equipment.

Another interesting point: neither EF nor EF-S has been licensed to third-party optics manufacturers such as Sigma or Tamron. Despite these manufacturers' claims of 100% compatibility, Canon does not provide such a guarantee. Therefore, when purchasing third-party lenses, they must be tested especially carefully.

Let's draw conclusions about Canon lenses:

  • focal length on APS-C cameras is recalculated for all types of lenses;
  • ultra-wide angle on cropped cameras is only available with the EF-S 10-22mm lens;
  • unfortunately, fisheye on cropped cameras is not available at all;
  • EF lenses are suitable for any Canon cameras;
  • when upgrading from an APS-C camera to full frame, EF-S lenses cannot be used.

If you plan to upgrade to a full frame camera in the future, consider purchasing lenses in advance.

There are probably a couple of folders on every user's computer whose contents are clearly not intended for public viewing. This content can be anything, for example bank card numbers or personal photographs; that's not the point, the only important thing is that this data is reliably protected. A standard Windows password is not a serious barrier to hacking; encryption should be used to prevent access to the data. The simplest example of such protection is archiving with a good password. However, this method is not without drawbacks.

Firstly, it is inconvenient, since the user has to encrypt and decrypt the archive every time, and secondly, such an archive can easily be copied and then subjected to brute force. A more efficient way to protect files is encryption using EFS technology, also known as the Encrypting File System, which has been in Windows since version 2000. Unlike BitLocker, which first appeared in Vista, EFS does not require a hardware TPM module, but at the same time EFS does not support encrypting an entire partition.

EFS encryption is performed using public and private keys that are automatically generated by the system the first time you use the built-in EFS tools. When encrypting a directory or file, EFS creates a unique number, the file encryption key (FEK), which is encrypted with the master key. In turn, the master key is encrypted with the user key. As for the user's private key, it is also protected, but this time with a hash of the user's system password.

It turns out that files encrypted by EFS can only be opened using the account under which they were encrypted. Even if the hard drive with the protected data is removed and connected to another computer, it will still not be possible to read them. On the other hand, if a user loses their account password, damages or reinstalls the operating system, previously encrypted files will become inaccessible. Fortunately, Windows developers anticipated this scenario and offered a simple solution: saving the encryption certificates to removable media.

No preliminary configuration is required to use EFS encryption on Windows. Let's say we need to protect a folder with images. In the folder properties, select Other

then, in the advanced attributes, check the box Encrypt content to protect data.

Click Apply and confirm the request to change attributes.

By the way, you can apply encryption to one directory only, or to the directory and all the files and folders in it.

As you can see from the screenshot, the name of the Pictures folder has turned green instead of the usual black; this is how EFS-protected objects are marked in Windows.

The names of all the files and folders inside will be shown in the same color.

Working with encrypted files is practically no different from working with other file system objects. You can view, edit, copy, delete them, etc., while encryption and decryption are performed on the fly, invisibly to the user. However, all these actions will only be available to the specific account. In principle, you can encrypt any file or folder this way, with the exception of system files. Moreover, encrypting the latter is strictly not recommended, as it may make it impossible to boot Windows.

If you are encrypting data for the first time, the system will prompt you to create a backup copy of the encryption key and certificate. Do not neglect this advice, because no one is immune from accidental damage to the operating system or loss of the Windows account password. Click on the message that appears in the system tray and open the certificate backup wizard. If the message does not appear or you accidentally close the wizard window, you can reach it through the mmc console, although you will have to tinker a little.

So, in the wizard window, click Archive now and strictly follow the instructions.

Export settings can be left unchanged (PKCS #12 .PFX).

If you wish, you can enable advanced properties.

As expected, set the password as complex as possible.

It is necessary to store certificates and passwords in a safe place, for example in a locked desk drawer.

Next time we will look at the procedure for restoring access to encrypted files, and also learn how to access the Certificate Reservation Wizard if its window was accidentally closed.

To protect potentially sensitive data from unauthorized access when there is physical access to the computer and its disks.

User authentication and resource access rights in NT work when the operating system is booted, but with physical access to the system it is possible to boot another OS to bypass these restrictions. EFS uses symmetric encryption to protect files, and public/private key pair encryption to protect the randomly generated encryption key of each file. By default, the user's private key is protected by encryption derived from the user's password, so the security of the data depends on the strength of that password.

How it works

EFS works by encrypting each file with a symmetric encryption algorithm that depends on the operating system version and settings (starting with Windows XP, it is theoretically possible to use third-party libraries to encrypt data). It uses a randomly generated key for each file, called the File Encryption Key (FEK); the choice of symmetric encryption at this stage is explained by its speed and greater reliability compared to asymmetric encryption.

The FEK (a symmetric encryption key, random for each file) is protected by asymmetric encryption using the public key of the user encrypting the file and the RSA algorithm (theoretically, other asymmetric algorithms can be used). The FEK encrypted in this way is stored in the $EFS alternate stream of the NTFS file system. To decrypt data, the encrypting file system driver transparently decrypts the FEK using the user's private key, and then the required file using the decrypted file key.

Since file encryption/decryption is done by the file system driver (essentially an add-on to NTFS), it is transparent to the user and to applications. It is worth noting that EFS does not encrypt files transferred over the network, so to protect data in transit you must use other protocols (IPsec or WebDAV).

Interfaces for interacting with EFS

To work with EFS, the user can use the Explorer GUI or the command-line utility.

Using the GUI

To encrypt a file or a folder containing files, the user can use the corresponding file or folder properties dialog box, checking or unchecking the “encrypt contents to protect data” checkbox; for files, starting with Windows XP, you can add the public keys of other users, who will then also be able to decrypt the file and work with its contents (if they have the appropriate permissions). When a folder is encrypted, all files in it are encrypted, as well as those placed in it later.


Wikimedia Foundation. 2010.


On various Internet security mailing lists, administrators often ask about secure, easy-to-use file encryption products for Windows. Just as often, managers want ways to keep system administrators from looking into confidential company files. When I suggest using Windows' own Encrypting File System (EFS), most people say they want something stronger and more secure.

But contrary to popular belief, EFS is truly a reliable, easy-to-use and secure encryption solution that can put even the most curious network administrator to shame. EFS is an excellent tool for protecting confidential files on the network and on laptop computers, which are often targets of theft. Unfortunately, EFS's reputation has suffered undeservedly because users refuse to evaluate any security product from Microsoft objectively. In fact, EFS is one of the best security products Microsoft has ever released, but it requires proper knowledge to use. This article covers the basics of EFS, its purpose and functionality, basic administrative operations, and possible errors.

EFS principles

Microsoft released EFS with Windows 2000 and has continued to improve it in Windows XP and Windows Server 2003. EFS users can encrypt any file or folder to which they have Read and Write permissions. After encryption, the resource is decrypted “on the fly” whenever its rightful owner accesses it. Users who try to access a protected file or folder without the appropriate EFS permissions will see the file or folder name, but will not be able to open, edit, copy, print, e-mail or move it. Interestingly, users who have NTFS permission to delete an EFS-protected file can delete it even if they do not have read permission. Like most encryption products, EFS is designed to protect confidentiality but does not prevent data loss. EFS has done its job if the unauthorized user cannot see the data in any form. Some users claim that even being able to see the name of a protected file or folder is an unforgivable flaw in Windows.

In addition, you do not need to be the owner or have Full Control permission on a file or folder to encrypt it: Read and Write permissions are enough, the same ones needed to access the resource. Only the user who encrypted it (and others with whom that user agrees to share the resource) has access to the file or folder. The only general exception is the data recovery agent (DRA). By default (in most cases), Windows assigns the administrator as the DRA so that the administrator can access any file or folder encrypted with EFS. In a domain environment the DRA is the domain administrator; in a non-domain environment the DRA is the local administrator.

The file and folder encryption feature is enabled by default, but the user must select each file or folder individually (or indirectly through the normal inheritance rules). EFS requires that the file or folder be located on an NTFS partition. To protect a file or folder, right-click the resource in Windows Explorer, select Properties, and then click the Advanced button on the General tab. (Note: do not click the Advanced button on the Security tab.) Finally, check the Encrypt contents to secure data checkbox.

If you select one or more files (as opposed to a folder), EFS asks whether to encrypt only the file(s) or the parent folder and the current file(s). If the latter is selected, EFS marks the folder as encrypted. All files added to the folder will be encrypted by default, although any files that were in the folder but not selected during the encryption operation will remain unencrypted. In many cases it is preferable to encrypt the entire folder rather than separate files, especially because a number of programs (e.g. Microsoft Word) create temporary files in the same folder as the open file. After the program terminates (for example, after an emergency reboot), temporary files often remain undeleted, in clear text, available for recovery by an outsider.

By default, in XP Professional and later, EFS displays encrypted files in green, but the highlighting can be turned off by selecting Folder Options from the Tools menu in Windows Explorer and clearing the Show encrypted or compressed NTFS files in color check box on the View tab. In Windows Explorer's Details view, for encrypted files the Attributes column contains, along with the usual Archive (A) attribute, the E attribute, so the set of attributes looks like AE. Note that Windows' built-in mechanisms cannot encrypt and compress a file at the same time, although you can compress a file with a third-party utility such as WinZip or PKZIP and then encrypt the compressed file.

Strong cipher

EFS provides strong encryption, so strong that if you lose the EFS private key (used to recover files protected by EFS), the data will most likely no longer be readable. If EFS is configured correctly, even an administrator cannot access an encrypted file or folder unless designated as a DRA.

There is at least one commercially available product, Advanced EFS Data Recovery (AEFSDR) from ElcomSoft, which claims to be able to recover EFS-protected files. In fact, the program recovers the local administrator password (a simple process if Windows is configured poorly), which can then be used to retrieve the administrator's EFS private key. A user who has a tool to crack the administrator password can perform any action on the system; such a user's access to EFS-protected files will be the least of the troubles threatening the enterprise. The risk of unauthorized EFS private key recovery is mitigated by assigning the DRA role in the domain to the domain administrator account rather than to the local administrator account, whose password can be guessed with almost any cracking tool. XP has a new policy that makes these types of attacks harder to carry out. If the recovery tool cannot retrieve the current, and correct, administrator password (many tools reset the password rather than recover it), then EFS protection is still in effect.

How does EFS work?

EFS uses a combination of symmetric and asymmetric encryption. With the symmetric method, the file is encrypted and recovered with a single key. The asymmetric method uses a public key for encryption and a second, related private key for data recovery. If the user who holds the data recovery rights does not disclose the private key to anyone, the protected resource is not at risk.

EFS is enabled by default on all Windows 2000 and later systems. When someone uses EFS for the first time to protect a file or folder, Windows checks whether a PKI (public key infrastructure) server is available that can generate EFS digital certificates. Certificate Services in Windows 2003 and Windows 2000 can generate EFS certificates, as can some third-party PKI products. If Windows does not detect an acceptable PKI provider, the operating system generates a self-signed EFS certificate for the user (Figure 1). Self-signed EFS certificates have a validity period of 100 years, much longer than the lifetime of any user.

If Windows detects a Certificate Services server, it automatically generates and issues a two-year certificate to the user. The shorter lifetime is presumably chosen because an organization with an internal PKI service can easily issue and renew EFS certificates after the original expires. In either case, you can view EFS certificates by adding the Certificates snap-in to the Microsoft Management Console (MMC) and looking in the Personal container.

The EFS user's private key (which unlocks EFS-protected files) is encrypted with the user's master key and stored in the user's profile under Documents and Settings, Application Data, Microsoft, Crypto, RSA. If a roaming profile is used, the private key is located in the RSA folder on the domain controller (DC) and is downloaded to the user's computer at logon. The master key is generated from the current user password using the 56-, 128-, or 512-bit RC4 algorithm. Probably the most important thing to know about EFS is that the EFS user's private key lives in the user's profile and is protected by a master key derived from the user's current password. Note that the strength of EFS encryption is therefore determined by the strength of the user's password: if an attacker guesses an EFS user's password, or logs in as the legitimate user, EFS protection is breached.

If a user's password is lost or reset (as opposed to changed by the user), access to all EFS-protected files may be lost. For this reason, you should either store copies of the EFS user's private key in two or more secure off-site locations, or assign one or more DRAs (and export their private keys and back them up in two or more separate, secure off-site locations). Failure to follow these rules may result in data loss.

When a file or folder is encrypted for the first time, Windows generates a random symmetric key using 128-bit Data Encryption Standard X (DESX, the default on XP and Windows 2000) or 256-bit Advanced Encryption Standard (AES, on Windows 2003 and XP Pro Service Pack 1). Both algorithms are generally recognized government standards, although the second is more modern and is the recommended choice. You can also enable the older government symmetric encryption standard, 168-bit Triple DES (3DES), if your organization's policy requires it. For more detail, see the Microsoft article "Encrypting File System (EFS) files appear corrupted when you open them" (http://support.microsoft.com/default.aspx?scid=kb;en-us;329741&sd=tech). The randomly generated symmetric key is known as the file encryption key (FEK). This single key is what Windows uses to encrypt the file or folder, regardless of how many people access the EFS-protected resource.

Next, Windows encrypts the FEK with the user's 1024-bit RSA EFS public key and stores the FEK in the file's extended attributes. If DRAs are assigned, the operating system stores another copy of the FEK encrypted with the DRA's public EFS key. Windows then saves the encrypted FEK copies with the file. In XP and later, multiple users can have EFS access to a particular file or folder; each authorized user has their own copy of the FEK, encrypted with their own unique EFS public key. In Windows 2000, only one DRA can be assigned.

When an authorized user opens a protected file, Windows decrypts that user's copy of the encrypted FEK with the user's private EFS key, then uses the FEK to decrypt the file. Unlike the first versions of EFS in Windows 2000, EFS now handles all encrypted files and folders securely in memory, so no plaintext fragments are left on disk that could be illicitly recovered.

Sharing EFS Files

In Windows 2000, only one user at a time can protect a file with EFS, but in XP Pro and later, multiple users can share an EFS-protected file. In that case, the first user to protect the file or folder controls access for the others. After initially securing a file or folder, that user can specify additional users by clicking the Details button (Figure 2). There is no limit on the number of added users. Each user gets their own copy of the FEK, encrypted with their own EFS key. This XP innovation is very convenient for sharing EFS-protected files among groups of users. Unfortunately, sharing works only at the level of individual files, not folders. A user must already have encrypted at least one file or folder, or otherwise obtained an EFS certificate, before they can be added as an additional user.

DRA Agent

It is very easy to delete a user profile, and administrators often reset user passwords, so network administrators should back up EFS keys or assign one or more DRAs. You can obtain a backup copy of a user's EFS private key by opening the user's EFS digital certificate in the Certificates console and using Copy to File on the Details tab. In XP Pro and later, you can also use the Backup Keys button, found under the Details button in the EFS file sharing dialog. Command-line fans can use the command

Cipher.exe /x

to back up EFS keys in Windows 2003 and in XP Pro SP1 and later. Answering the subsequent prompts, you can make copies and/or export the corresponding private key. Never delete an EFS user's private key, as Windows offers to do during export, because that will prevent the user from decrypting their protected files. After you export the private key, store it in two separate offline locations.

Backing up EFS private keys user by user is laborious. Beginning with Windows 2000, Microsoft therefore lets you designate a DRA. Every time someone encrypts a file or folder, the DRA automatically receives a copy of the FEK. In Windows 2000 (workgroup or domain mode), XP (domain mode only), and Windows 2003 (workgroup or domain mode), the default DRA is the Administrator account, although the administrator can change which user account holds the DRA role. Unfortunately, in XP workgroup mode no DRA is defined. This decision was made in response to criticism that EFS-protected files were vulnerable if the administrator password was compromised. Unfortunately, many XP Pro systems run in workgroup mode, where a single password reset or profile corruption is enough for EFS users to lose all their files. Wherever EFS is used (remember that it is active by default and available to users), you should ensure that EFS users have backed up their private keys or that one or more DRAs are assigned.

If you plan to assign the DRA role to a user account other than the default Administrator account, the new account must hold an EFS Recovery Agent certificate. The EFS Recovery Agent certificate can be requested from Certificate Services or installed from a third-party PKI product. If Windows 2003 Certificate Services is deployed, you can implement Key Recovery Agents instead of DRAs: a Key Recovery Agent recovers the lost key rather than recovering the file directly.

Unlike the private keys of ordinary EFS users, the private EFS keys of DRAs should be exported and removed from computers. If a DRA's private key is stolen, every file whose FEK is protected by that DRA's public key may become vulnerable. Therefore the keys should be exported and stored securely in two off-site locations. When you need the keys to recover encrypted files, you can easily import and use them.

Although the default Administrator account is often designated as the DRA, you should set up one or two dedicated user accounts that are unlikely to be deleted under any circumstances. The DRA's public key also protects a copy of each FEK, so if the DRA user account is accidentally deleted or its password is reset, recovering DRA-protected FEKs is difficult. If the user accounts holding DRA status change, EFS-protected files may still have FEKs protected by the old DRA keys. Windows updates DRA-protected FEKs with the latest DRA keys when it accesses the files; you can also use the Cipher command to force a bulk update of all FEKs with the current DRA keys. Whether or not the DRA private key is exported and removed from the system, it is very important to store copies of the DRA recovery certificate in two or more secure off-site locations.

Additional Notes

EFS does not protect files copied over the network: Windows sends any file opened on a network share across the wire in plaintext. If you need files to be encrypted both at rest on disk and in transit over the network, you should add another security mechanism such as IP Security (IPsec), Secure Sockets Layer (SSL), or WWW Distributed Authoring and Versioning (WebDAV). Additionally, in XP and later, you can enable EFS protection for offline files.

EFS is a local security mechanism, designed to encrypt files on local drives. To use EFS to protect files stored on disks of remote computers, there must be a trust relationship between the machines that allows delegation. Laptop users often use EFS for file server resources. To use EFS on a server, you must select the Trust this computer for delegation to any service (Kerberos only) or Trust this computer for delegation to specified services only check box in the server's computer account (Figure 3).

You can prevent users from using EFS by blocking it through Group Policy. Select the Computer Configuration container, open Windows Settings and go to Security Settings, Public Key Policies, Encrypting File System, then clear the Allow users to encrypt files using EFS check box. EFS can be enabled or disabled per organizational unit (OU).

Before using EFS, make sure that your applications are compatible with EFS and the EFS API. With incompatible applications, EFS-protected files may be corrupted or, worse, left accessible without proper authorization. For example, if you save and modify an EFS-protected file with the edit.com program (a 16-bit executable) included in Windows, all additional users lose access to that file. Most Microsoft applications (including Microsoft Office, Notepad and WordPad) are fully compatible with EFS.

If an authorized user copies EFS-protected files to a FAT partition, EFS protection is removed. An unauthorized user is not permitted to move or copy the files on any Windows partition. An unauthorized user can, however, bypass Windows NTFS permissions by booting from a floppy disk or CD-ROM with a program that can mount NTFS volumes (for example Knoppix, NTFSDOS, or Peter Nordahl-Hagen's boot floppy). He will then be able to copy or move the file, but without the authorized user's EFS key the file remains encrypted.

Best Practices

The following are best practices for working with EFS.

  1. Define the number and identify DRA accounts.
  2. Generate DRA certificates for DRA accounts.
  3. Import DRA certificates into Active Directory (AD).
  4. Export and delete DRA private keys, storing them in two separate, secure, offline vaults.
  5. Introduce end users to the application methods and features of EFS.
  6. Periodically test DRA file recovery.
  7. If necessary, periodically run the Cipher command with the /u parameter to update the FEKs for added or removed DRAs.

EFS is a reliable and secure method of encrypting files and folders on Windows 2000 and later systems. Network administrators should build and enforce DRA policies and educate end users about the benefits and limitations of EFS.

Roger Grimes is a Windows IT Pro editor and security consultant. He holds the CPA, CISSP, CEH, CHFI, TICSA, MCT, MCSE: Security and Security+ certifications.

© 2024 ermake.ru -- About PC repair - Information portal