EFS Tidbits
- EFS is a feature of NTFSv5 and needs an operating system that ships it, Windows 2000 or later (XP is mentioned below); it is not available on NT 4 or on the FAT file systems.
- You cannot encrypt system files or folders, that is, anything under the system root (usually \winnt), nor any file that carries the System attribute.
- You cannot encrypt compressed files or folders until they are decompressed; a file is either compressed or encrypted, never both.
- Some applications create temporary files in the folder you are working in, others use the TEMP folder. If you use EFS, encrypt the TEMP folder as well so that working copies are protected too.
- Copying a file into an encrypted folder results in an encrypted file (the new file takes the folder's attribute).
- Moving a file into an encrypted folder on the same volume leaves the file as is, plaintext or encrypted. A move to a different volume is really a copy followed by a delete, so in that case the file takes the destination folder's attribute.
The difference between copying and moving comes from what each operation does. Copying creates a brand-new file in the encrypted folder; because the folder carries the encrypted attribute, the new file is created encrypted. Moving within a volume never touches the contents: the operating system adds an entry to the destination folder's directory table and removes the entry from the source folder's directory table, so the file keeps whatever state it had.
- Moving or copying EFS files to another file system removes the encryption. NTFSv5 is the only file system that supports EFS; move or copy a file to FAT, FAT32, or NTFSv4 and it is written out as plaintext, so check the destination before copying sensitive files to removable media or to an NT 4 machine.
- Backing up an encrypted file or folder keeps the contents in their original encrypted form. The restored files can be opened on another computer only if you use the Certificate Export wizard and the Certificate Import wizard to transfer your EFS certificate and private key into your user profile on that computer.
- Renaming an encrypted file or folder has no effect on the nature of the contents; they stay as is, since only the directory entry changes.
- EFS protects against reading, not against destruction: an administrator, or any user in a group with Delete access, can still delete the file or folder. What EFS does prevent is decryption of the file or folder when the PC is booted into another operating system.
- EFS files accessed remotely are decrypted by the file server and transmitted across the network in plaintext unless the connection itself is protected (for example with IPsec).
- EFS files are transparently decrypted when accessed by authorized personnel. The plaintext is held in the system cache and can be paged out to the paging file, from where it is potentially recoverable unless the paging file is cleared at shutdown (the Local Security Policy option "Clear virtual memory pagefile when system shuts down").
- Do not encrypt files while logged in as the local Administrator. EFS recovery is compromised because the creator and the recovery agent are then the same account. This does not apply if you have changed the default recovery agent.
Each file is encrypted with a random file encryption key, and that key is in turn encrypted with the public key of the EFS user and with the public key of the recovery agent, so either private key can decrypt the data. The default data recovery agent is the built-in Administrator account. There are far too many methods of gaining access to this account if one has physical access to the box; see Recover Lost Windows NT Administrator Password, which is my Windows NT tip, but it works under Windows 2000, as most things do. Anyone possessing the Administrator account password, or gaining the account by one of those methods, can also decrypt files.
You therefore need to back up the recovery agent's certificate and private key by exporting them, and remove the private key from the machine. If the key stays on the box, you have no real security, because whoever gets Administrator also gets the recovery key; if you never export it, you are in danger of losing access to encrypted files should your hard disk fail.
- Click Start
- Click Control Panel
- Double-click Administrative Tools
- Double-click Local Security Policy
- Click Public Key Policies
- Click Encrypted Data Recovery Agents
- Right-click on the certificate listed there. Normally there is only one, issued by and to Administrator, with the Intended Purposes column reading File Recovery.
- Select All Tasks
- Select Export
- Click Next which starts the Certificate Export Wizard
- Select Yes to export the private key
- Click Next
- Under Personal Information Exchange, for security, select Delete the private key if the export is successful, so the recovery key no longer lives on the machine
- Click Next
- Choose a password to protect the private key, then click Next
- Choose a file to export the certificate to. For maximum security, save it to a floppy and store the floppy securely
- Click Next
- Click Finish to export the certificate
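The paging file point made earlier (plaintext of encrypted files can be paged out and survive a reboot) has a concrete fix in the registry. The following batch file is an added example, not part of the original page: it switches on clearing of the paging file at shutdown and reads the value back. It uses reg.exe (standard on XP; for Windows 2000 it comes with the Support Tools, and the `reg add` syntax shown is that of the XP version, so check `reg add /?` on an older box) and must be run from an administrative command prompt. Setting the Local Security Policy option "Clear virtual memory pagefile when system shuts down" writes the same value.

```batch
@echo off
rem Added example (not from the original page): make Windows zero the paging
rem file at shutdown so plaintext paged out of an EFS-aware application does
rem not survive a reboot, then verify the value was written.
rem Assumes reg.exe is available (XP, or Windows 2000 Support Tools).
setlocal

set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

rem 1. Set ClearPageFileAtShutdown = 1 (REG_DWORD). /f overwrites silently.
reg add "%KEY%" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo Failed to write the value. Run this from an administrative command prompt.
    exit /b 1
)

rem 2. Read it back; reg query prints the DWORD as 0x1 when set.
reg query "%KEY%" /v ClearPageFileAtShutdown | find /i "0x1" >nul
if errorlevel 1 (
    echo ClearPageFileAtShutdown is not set as expected.
    exit /b 1
)

echo ClearPageFileAtShutdown is 1. The paging file will be overwritten at the
echo next shutdown; it takes effect from that shutdown on, not immediately.
endlocal
```

Shutdown becomes noticeably slower on a machine with a large paging file, which is the price of not leaving decrypted data on disk.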
Organizations need policies to ensure that EFS is used properly and safely. Microsoft has written the following:
Step-by-Step Guide to Encrypting File System
Best Practices for Encrypting File System
Encrypting File System for Windows 2000
Analysis of Reported Vulnerability in the Windows 2000 Encrypting File System (EFS)
How to Back Up Your Encrypting File System Private Key
How to Restore an Encrypting File System Private Key for Encrypted Data Recovery
Methods for Recovering Encrypted Data Files
5-Minute Security Advisor - Recovering Encrypted Data Using EFS
Related EFS links:
- SANS' The Encrypting File System: How Secure is It?
- Howard Wright's The Encrypting File System: How Secure is It?
- Roberta Bragg's Hardening EFS
- Determine whether Syskey has been applied to a system
If Windows 2000 or XP machines are joined to a Windows 2000 domain, the default recovery agent is a domain account (the domain Administrator, whose recovery certificate is distributed through Group Policy) rather than the local Administrator, so a recovery key exists off the workstation and EFS data is less at risk from a hardware failure.
For the command-line oriented, there is the cipher command. Encryption is performed with the /e switch. Used on its own, /e marks a folder as encrypted. For example, to mark a folder named myfolder1, you would type the following command:
cipher /e myfolder1
Any files you later create in or copy into myfolder1 are encrypted automatically. Files already in the folder are left alone unless you add /a (operate on files as well as folders); /s:dir applies the operation to dir and all its subfolders.
To encrypt an individual file, the /a switch must also be used. So to encrypt a file named mydocument.txt, you would enter the command:
cipher /e /a mydocument.txt
Decryption from the command prompt is handled the same way, except that the /d switch replaces /e. Running cipher without any parameters lists the files and folders in the current directory with their encryption state (E for encrypted, U for unencrypted).
Microsoft has since updated cipher to support overwriting deallocated disk space: cipher /w:directory overwrites the free space on the volume that holds directory. This matters for EFS because encrypting an existing file leaves its old plaintext in unallocated clusters, and so does deleting a plaintext file. Have you deleted a file and want to be sure it cannot be recovered? Use cipher.exe with /w.
You can also get the complete list of supported options using the following syntax:
cipher /? For more info on cipher, read Cipher.exe Security Tool for the Encrypting File System.
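As an added example, not from the original page, the following batch file exercises the copy-versus-move rule from the bullets near the top of this page together with the cipher switches just described. It assumes an NTFSv5 volume, that cipher.exe is on the PATH (the /w step needs the updated cipher.exe from the article above), and it uses scratch folder names under %TEMP% chosen for this demo.

```batch
@echo off
rem Added example (not from the original page): exercises the copy-vs-move
rem rule and the cipher.exe switches on a scratch folder.
rem Assumes an NTFSv5 volume; folder names under %TEMP% are arbitrary.
setlocal
set BASE=%TEMP%\efsdemo

rem 1. A plain folder with two plaintext files, and a folder that will be
rem    marked encrypted but already holds one plaintext file.
mkdir "%BASE%\plain" 2>nul
mkdir "%BASE%\enc" 2>nul
echo secret data> "%BASE%\plain\copied.txt"
echo secret data> "%BASE%\plain\moved.txt"
echo secret data> "%BASE%\enc\preexisting.txt"

rem 2. /e alone marks the folder. preexisting.txt stays plaintext because
rem    existing files are only touched when /a is given.
cipher /e "%BASE%\enc" >nul

rem 3. copy creates a new file in the marked folder, so it is encrypted.
rem    move on the same volume only rewrites directory entries, so the
rem    file arrives exactly as it was: still plaintext.
copy "%BASE%\plain\copied.txt" "%BASE%\enc\" >nul
move "%BASE%\plain\moved.txt" "%BASE%\enc\" >nul

rem 4. Encrypt a single existing file explicitly (/a is required for files).
cipher /e /a "%BASE%\enc\preexisting.txt" >nul

rem 5. cipher with only a path lists state: E = encrypted, U = unencrypted.
rem    Expect copied.txt and preexisting.txt as E, moved.txt as U.
echo.
echo State before fixing moved.txt:
cipher "%BASE%\enc\*"

rem 6. The usual remedy: encrypt every existing file in the folder and
rem    below it in one pass (/a for files, /s:dir to recurse).
cipher /e /a "/s:%BASE%\enc" >nul
echo.
echo State after cipher /e /a /s (all files should now be E):
cipher "%BASE%\enc\*"

rem 7. Plaintext copies still sit in unallocated clusters: the originals in
rem    %BASE%\plain once deleted, and the pre-encryption copy of
rem    preexisting.txt. /w:dir overwrites free space on the whole volume
rem    holding dir. It is slow, so it only runs when asked: efsdemo.cmd /wipe
if /i "%~1"=="/wipe" (
    rmdir /s /q "%BASE%\plain"
    cipher "/w:%BASE%"
)
endlocal
```

The /s: and /w: arguments are quoted as whole tokens ("/s:C:\path with spaces") so that a TEMP path containing spaces, as on Windows 2000 and XP profiles, still reaches cipher as one argument. Step 5 is the check worth remembering: a folder's E mark says nothing about files that were moved in or were already there, so list the folder after any bulk move.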
Mark Russinovich at www.sysinternals.com has released the freeware utility EFSDump for Windows 2000, which displays which accounts are authorized to access encrypted files.
Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you which accounts are authorized to access encrypted files. Full source code is included.