
Lesson 4: Increasing Security by Using EFS

Encryption is the process of making information indecipherable to protect it from unauthorized viewing or use; a key is required to decode the information. The Encrypting File System (EFS) provides encryption for data in files stored on NTFS volumes. Each file is encrypted with its own random symmetric file encryption key, and that key is in turn protected with the public key from the user's EFS certificate, which is why EFS is described as public key–based. EFS runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. When a user attempts to open an encrypted NTFS file, Windows looks for a private key matching one of the certificates the file was encrypted to: the user's own EFS certificate (Windows XP Professional generates one automatically the first time the user encrypts a file, and it is loaded with the user's profile at logon) or a recovery agent's certificate. If a matching private key is available, the file is decrypted on the fly and the user opens it and works with it as a normal document. A user without a matching private key is denied access, even if the NTFS permissions on the file would otherwise allow it.

Windows XP Professional also includes the Cipher command (Cipher.exe), which provides the capability to encrypt and decrypt files and folders from a command prompt. Windows XP Professional also provides for a recovery agent, a specially designated user account whose certificate can still recover encrypted files if the owner's private key is lost.

After this lesson, you will be able to

■ Describe EFS.

■ Encrypt folders and files.

■ Decrypt folders and files.

■ Control encryption from the command line by using the Cipher command.

■ Create an EFS recovery agent.

Estimated lesson time: 40 minutes

Overview of EFS

EFS allows users to encrypt NTFS files by using a strong public key–based cryptographic scheme. Encryption is normally applied to a folder, so that every file already in it, and every file later created in it, is encrypted. Users with roaming profiles can use the same key on trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups made with a backup program that understands EFS (such as Backup in Windows XP Professional) and copies of encrypted files to other NTFS volumes remain encrypted; copying a file to a FAT volume, a floppy disk, or an e-mail attachment silently decrypts it if you hold the key. Files remain encrypted if you move or rename them within NTFS volumes. Because encryption is applied to the folder, temporary files that an application creates in that folder during editing are encrypted as well, and the file encryption keys themselves are never written to the paging file, so such temporary files do not defeat the encryption.

You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows XP Professional security policy (see Chapter 16, "Configuring Security Settings and Internet Options," for more on security policy). Control of this policy can be delegated to individuals with recovery authority, and different recovery policies can be configured for different parts of the enterprise. Data recovery discloses only the recovered data: the recovery agent's private key unlocks the file's own encryption key, not the owner's private key, so the agent gains nothing beyond the files that were encrypted while that agent was listed in the policy. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure, provided the recovery agent's private key has been exported and stored somewhere other than the failed system.

EFS is configured either from Windows Explorer or from the command line. Its recovery policy is set for a computer, domain, or organizational unit (OU) in the Group Policy console in Microsoft Management Console (MMC), under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System. On Windows 2000, deleting every recovery agent from that policy disables EFS for the computers it applies to; Windows XP Professional does not require a recovery agent, so emptying the policy on XP leaves EFS enabled and simply leaves encrypted files with no recovery path. You can use EFS to encrypt and decrypt files stored on remote file servers (the server's computer account must be trusted for delegation), but EFS does not protect data that is transferred over the network: the server decrypts the file and the plaintext travels to the client. Use network protocols such as IPSec or Secure Sockets Layer (SSL) to encrypt data over the network.
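As an added example that is not part of the lesson text, the following PowerShell script exercises the behavior just described (folder-level encryption, inheritance by new files, renames, temporary copies inside and outside the folder, the Cipher command mentioned in the introduction, and generation of a recovery agent certificate) on a Windows XP Professional or later computer. The folder name, file names and certificate file name are assumptions; run it as the user whose files you want to protect, on an NTFS volume.

```powershell
# Added example (not from the training kit): exercising EFS from PowerShell with Cipher.exe.
# Assumptions: $root lies on an NTFS volume, and the script runs as the user who owns the data.
$root = Join-Path $env:USERPROFILE 'EfsDemo'          # assumed folder name
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'plan.txt') -Value 'confidential plan'

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is the flag Explorer shows as "Encrypt contents to secure data".
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Encrypt the folder and everything already in it (/e = encrypt, /s:dir = recurse into dir).
cipher /e "/s:$root" | Out-Null

# 2. Files created afterwards inherit the folder's encryption, and so does a temporary copy
#    that an application writes into the same folder ...
Set-Content -Path (Join-Path $root 'notes.txt') -Value 'draft'
Copy-Item -Path (Join-Path $root 'plan.txt') -Destination (Join-Path $root '~plan.tmp')
#    ... but a copy written to the user's Temp folder is protected only if that folder is encrypted.
Copy-Item -Path (Join-Path $root 'plan.txt') -Destination (Join-Path $env:TEMP 'plan-copy.tmp')

# 3. Renaming keeps the attribute.
Rename-Item -Path (Join-Path $root 'notes.txt') -NewName 'notes-v2.txt'

foreach ($name in 'plan.txt', 'notes-v2.txt', '~plan.tmp') {
    '{0,-14} encrypted: {1}' -f $name, (Test-EfsEncrypted (Join-Path $root $name))
}
'plan-copy.tmp in TEMP encrypted: {0}' -f (Test-EfsEncrypted (Join-Path $env:TEMP 'plan-copy.tmp'))

# 4. Cipher without /e or /d lists each file's state: E = encrypted, U = unencrypted.
cipher "/s:$root"

# 5. The certificate whose private key unlocks these files carries the EFS enhanced key usage
#    (OID 1.3.6.1.4.1.311.10.3.4). Windows XP creates it automatically on first use.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' } } |
    Select-Object Subject, Thumbprint, NotAfter

# 6. Generate a recovery agent key pair: writes efs-recovery.cer (public key, to be added as a
#    data recovery agent in the recovery policy) and efs-recovery.pfx (private key, protected by
#    the password cipher /r prompts for; store it off the machine).
cipher "/r:$(Join-Path $env:USERPROFILE 'efs-recovery')"
# Once the .cer has been added to the recovery policy, cipher /u rewrites the stored keys of every
# encrypted file on local drives so the new agent can recover them. It touches all files, so it is
# left commented out here:
# cipher /u

# 7. Decrypt the folder again when the demonstration is done.
cipher /d "/s:$root" | Out-Null
'after /d, plan.txt encrypted: {0}' -f (Test-EfsEncrypted (Join-Path $root 'plan.txt'))
```

Steps 2 and 3 print True for the files inside the folder and False for the copy in Temp, which is the practical reason to encrypt the Temp folder (or an application's working folder) along with the data folder. The .pfx produced in step 6 is the only thing that lets the agent recover files, so treat it like any other private key: export it, store it offline, and do not leave it in the user profile.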

Table 10-4 lists the key features provided by Windows XP Professional EFS.

Table 10-4 EFS Features

Feature: Transparent encryption
Description: File encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption happen transparently as the file is read from and written to disk.

Feature: Strong protection of encryption keys
Description: Each file is encrypted with its own symmetric file encryption key. That key is then encrypted with the public key from the user's certificate (Windows XP Professional and Windows 2000 use X.509 v3 certificates), and the list of encrypted file encryption keys is stored with the file and is unique to it. To decrypt the file encryption key, the owner supplies the matching private key, which only he or she has. Public key encryption resists all but the most sophisticated methods of attack, so practical attacks target the private key instead: a logged-on session, an exported .pfx file left on disk, or the account password that protects the key.

Feature: Integral data-recovery system
Description: If the owner's private key is unavailable, a recovery agent can open the file with his or her own private key, because the file encryption key is also encrypted to each recovery agent's public key at the time the file is encrypted. There can be more than one recovery agent, each with a different public key. On Windows 2000, at least one recovery agent's public key must be present before a file can be encrypted; Windows XP Professional does not require one, so a standalone XP computer has no recovery agent until you create one (see "Create an EFS recovery agent" in this lesson). The agent matters because on Windows XP Professional the user's private key is protected by the user's password: if an administrator resets that password (as opposed to the user changing it), the key and every file encrypted to it become unreadable unless a recovery agent or a backed-up copy of the key exists.

Feature: Secure temporary and paging files
Description: Many applications create temporary files while you edit a document, and these temporary files can be left unencrypted on the disk. On computers running Windows XP Professional, EFS can be implemented at the folder level, so any temporary copies of an encrypted file that the application writes into the same folder are also encrypted, provided that all files are on NTFS volumes. Temporary files written elsewhere (for example, to the user's Temp folder) are protected only if that folder is also encrypted. EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that the keys are never copied to the paging file. The paging file itself is not encrypted on Windows XP Professional, so plaintext of an open document can still be paged out; on sensitive systems, enable the security policy setting that clears the paging file at shutdown.

Security Alert Even when you encrypt files, an intruder who gains access to your computer can read those files if your user account is still logged on, because your EFS private key is available to that session and every program running in it decrypts the files transparently. Be sure to lock your console when you are not using the computer, or configure a screen saver that requires a password when the computer is activated. If the computer is configured to go to standby mode when it is idle, require a password to bring the computer out of standby. These precautions are particularly important on portable computers, which people are more likely to leave unattended while logged on.
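The precautions in the Security Alert can be applied and checked from PowerShell. The script below is an added example, not part of the training kit; the 600-second timeout is an example value, and the Powercfg switches shown are the Windows XP syntax (later Windows versions use different switches).

```powershell
# Added example (not from the training kit): apply and verify the console-locking precautions.
# Assumptions: run in the logged-on user's session; 600 seconds is an example idle timeout.
$desktop = 'HKCU:\Control Panel\Desktop'

function Set-SecureScreenSaver([int]$TimeoutSeconds) {
    # A screen saver must be named, or ScreenSaveActive has nothing to start; the blank saver ships with Windows.
    Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value (Join-Path $env:SystemRoot 'system32\scrnsave.scr')
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'   # "On resume, password protect"
}

function Test-SecureScreenSaver {
    # $true only if the saver is on, password-protected, and the idle timeout is 15 minutes or less.
    $p = Get-ItemProperty -Path $desktop
    return ($p.ScreenSaveActive -eq '1' -and
            $p.ScreenSaverIsSecure -eq '1' -and
            $p.ScreenSaveTimeOut -and [int]$p.ScreenSaveTimeOut -le 900)
}

Set-SecureScreenSaver -TimeoutSeconds 600
"screen saver locks the console: $(Test-SecureScreenSaver)"

# Windows XP Professional: require a password when resuming from standby or hibernation.
powercfg /globalpowerflag /option:resumepassword /on

# Lock the console immediately when stepping away (the same as pressing the Windows logo key + L).
rundll32.exe user32.dll,LockWorkStation
```

The registry values written here are the ones the Display Properties dialog writes; settings changed directly in the registry are read at the next logon, whereas the dialog applies them immediately. Test-SecureScreenSaver is the check to run on a fleet of portable computers before trusting EFS to protect data on them.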