Lesson 4: Increasing Security by Using EFS
Encryption is the process of making information indecipherable to protect it from unauthorized viewing or use. A key is required to decode the information. The Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. This encryption is public key–based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. If a user who attempts to access an encrypted NTFS file has the private key to that file (which is assigned when the user logs on), the file can be decrypted so that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access.

Windows XP Professional also includes the Cipher command, which provides the capability to encrypt and decrypt files and folders from a command prompt. Windows XP Professional also provides a recovery agent, a specially designated user account that can still recover encrypted files if the owner loses the private key.
After this lesson, you will be able to
■ Describe EFS.
■ Encrypt folders and files.
■ Decrypt folders and files.
■ Control encryption from the command line by using the Cipher command.
■ Create an EFS recovery agent.

Estimated lesson time: 40 minutes

Overview of EFS
EFS allows users to encrypt NTFS files by using a strong public key–based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and temporary files created during editing and left unencrypted in the paging file or in a temporary file do not defeat encryption.
You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows XP Professional security policy (see Chapter 16, “Configuring Security Settings and Internet Options,” for more on security policy). Control of this policy can be delegated to individuals with recovery authority, and different recovery policies can be configured for different parts of the enterprise. Data recovery discloses only the recovered data, not the key that was used to encrypt the file. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure.
EFS is configured either from Windows Explorer or from the command line. It can be
enabled or disabled for a computer, domain, or organizational unit (OU) by resetting
recovery policy in the Group Policy console in Microsoft Management Console (MMC).
You can use EFS to encrypt and decrypt files on remote file servers but not to encrypt
data that is transferred over the network. Windows XP Professional provides network
protocols, such as Secure Sockets Layer (SSL) authentication, to encrypt data over the
network.
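The following PowerShell session is an added example, not part of the training kit, showing the command-line side of what this section describes: encrypting a folder tree with Cipher so that files created in it afterwards (including an editor's temporary copies) inherit encryption, auditing the NTFS Encrypted attribute, decrypting again, and generating a recovery-agent certificate with cipher /R. The folder path and the certificate file name are assumptions chosen for the example.

```powershell
# Added example (not the training kit's own code). Paths are assumptions.
$secret = 'C:\Data\Secret'   # assumed working folder

# Create the folder with one file in it before encryption is turned on
New-Item -ItemType Directory -Path $secret -Force | Out-Null
Set-Content -Path (Join-Path $secret 'notes.txt') -Value 'created before the folder was encrypted'

# /E encrypts; /S:<dir> applies the operation to the folder and everything beneath it.
# Encrypting at the folder level is what makes later temporary files encrypted too.
cipher.exe /E /S:$secret

# A file created after the folder was marked encrypted inherits the attribute
Set-Content -Path (Join-Path $secret 'later.txt') -Value 'created after the folder was encrypted'

# Audit: report each file and whether the NTFS Encrypted attribute is set on it
Get-ChildItem -Path $secret -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }

# Cipher with no /E or /D switch only reports state: E = encrypted, U = unencrypted
cipher.exe /S:$secret

# Recovery agent: /R:<name> writes <name>.cer (the public certificate, which is what the
# recovery policy needs) and <name>.pfx (certificate plus private key, protected by the
# password Cipher prompts for). The .pfx is the recovery credential and belongs offline.
cipher.exe /R:C:\Data\EFSRecoveryAgent

# To remove encryption from the whole tree again, use /D instead of /E
cipher.exe /D /S:$secret
```

On Windows XP Professional the .cer file produced by cipher /R is added to the recovery policy in the Group Policy console (or Local Security Policy) under Public Key Policies, Encrypting File System; the audit loop is the quick way to confirm that a folder marked encrypted really has propagated the attribute to every file under it.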
Table 10-4 lists the key features provided by Windows XP Professional EFS.
Table 10-4 EFS Features

Transparent encryption
In EFS, file encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption happen transparently on file reads and writes to disk.

Strong protection of encryption keys
Public key encryption resists all but the most sophisticated methods of attack. Therefore, in EFS, the file encryption keys are encrypted by using a public key from the user’s certificate. (Note that Windows XP Professional and Windows 2000 use X.509 v3 certificates.) The list of encrypted file encryption keys is stored with the encrypted file and is unique to it. To decrypt the file encryption keys, the file owner supplies a private key, which only he or she has.

Integral data-recovery system
If the owner’s private key is unavailable, the recovery agent can open the file using his or her own private key. There can be more than one recovery agent, each with a different public key, but at least one public recovery key must be present on the system to encrypt a file.

Secure temporary and paging files
Many applications create temporary files while you edit a document, and these temporary files can be left unencrypted on the disk. On computers running Windows XP Professional, EFS can be implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.
Security Alert Even when you encrypt files, an intruder who accesses your computer can access those files if your user account is still logged on to the computer. Be sure to lock your console when you are not using the computer, or configure a screensaver to require a password when the computer is activated. If the computer is configured to go to standby mode when it is idle, you should require a password to bring the computer out of standby. These precautions are particularly important on portable computers, which people are more likely to leave unattended while the user is logged on.