Microsoft introduced Encrypting File System (EFS) with Windows 2000, and has steadily improved it in its later operating systems. It provides strong, reliable, seamless encryption. Once enabled, users can encrypt and decrypt files and folders as desired. EFS-protected files are encapsulated with open, industry-standard encryption ciphers. It's strong security. If the user's EFS decryption key is lost, and no backup or recovery precautions were taken beforehand, it can be difficult to impossible to recover the protected files. This chapter covers how EFS works, how it should be set up, cautionary tales, and best practices.


How EFS Works

EFS requires Windows 2000 or later with NTFS disk volumes and uses both symmetric and asymmetric cipher algorithms. It is globally enabled by default, meaning that any user can encrypt any file or folder at any time simply by choosing to enable it. Files and folders must be individually selected for encryption, although normal inheritance rules apply.

Note

EFS is not supported in XP Home.

Encrypting a File

To disable or enable EFS globally in Group Policy, select Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click the Encrypting File System leaf, choose Properties, and check or clear the Allow users to encrypt files using EFS check box. It can also be enabled or disabled using the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration or HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration. A DWORD value of 1 will disable EFS; a value of 0 will enable EFS. EFS is globally enabled by default.

To encrypt a file or folder, a user simply right-clicks the object in Windows Explorer, chooses the Properties option, clicks the Advanced button under the General tab, and enables the Encrypt contents to secure data option (see Figure 13-1).

Figure 13-1

Note

Why Microsoft did not put the EFS option under the main Security tab of File Properties, along with all the other file security settings, is a mystery.

If a file in a subfolder is selected for encryption, Windows will prompt the user to decide whether to encrypt only the selected file or to encrypt all files in the current folder. Even when the user decides to encrypt all files (current and future) in the folder, EFS encrypts each file individually and uses separate file encryption keys. If the file contains multiple data streams (i.e., alternate data streams), all data streams will be encrypted, but not the file's attributes.

EFS can be used to encrypt nearly any Windows file or folder, but Microsoft made some important exceptions. EFS cannot encrypt the following:

User profiles, because that is where the user's EFS keys are stored

Windows system and root files, because doing so would also encrypt the files needed to use EFS

Any file with the System attribute set, including Hiberfil.sys and the pagefile

Files compressed using Windows NTFS compression

Files stored on FAT volumes

Drive mount or reparse points

Note

EFS-protected files are not indexed by the Content Indexing service, to prevent accidental data leakage.

When files are being encrypted, Windows creates a temporary log file called Efs0.log in the System Volume Information folder on the same drive as the encrypted file. The zero in the file name may be incremented (e.g., Efs1.log) until the file name is unique. Microsoft uses the log file to keep track of the status of the current or pending EFS transactions. In the event of a crash, EFS will use the log to remove any uncompleted transactions.

Another temporary file called Efs0.tmp (or incremented to any unique file name like the log file) is created in the same folder as the file being encrypted. The contents of the original plaintext file are copied into the temporary file, after which the original plaintext file is overwritten with the new encrypted data. Once EFS is finished encrypting the file, the log and temporary files are erased. In older versions of EFS, when the EFS temporary file was deleted, the original plaintext from the temporary file was left on disk, which could allow data leakage or discovery. This problem can be minimized by always encrypting whole folders, instead of individual files. You can also use the Cipher.exe utility to wipe all free space of any plaintext data left behind by EFS encryption.

Encrypted file names are green when viewed in Windows Explorer. This is a view attribute that can be turned on and off by selecting Tools ➪ Folder Options ➪ View, and enabling or disabling Show encrypted or compressed NTFS files in color in Windows Explorer.

Alternate EFS Methods

One or more files can be encrypted at once by using the command-line Cipher.exe utility. Cipher.exe can perform over a dozen cryptographic tasks, including many involving EFS. To encrypt multiple files at once, use Cipher's /E parameter. To turn off EFS on one or more files, use its /D parameter. You can also run Cipher without any command-line parameters to show existing EFS files.

Some organizations may find it easier to enable EFS by putting Encrypt and Decrypt on the Windows Explorer context menu that appears when a file is right-clicked with the mouse. To enable this feature, create a DWORD value of 1 for EncryptionContextMenu (which you will need to create) under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
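The registry settings described in this section and under Encrypting a File, read back and interpreted by an added PowerShell example that is not from the chapter. It assumes Windows PowerShell 5.1 or later; reading HKLM needs no elevation, but Enable-EfsContextMenu does. That the Policies key, when present, is the value in effect is standard Group Policy behaviour rather than something the chapter states.

```powershell
# Added example: report the EFS-related registry values named in the chapter.

function Get-EfsRegistrySetting {
    # Key path, value name, and which setting each one controls.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS';   Name = 'EfsConfiguration';      Scope = 'Group Policy' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS';            Name = 'EfsConfiguration';      Scope = 'Local machine' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'EncryptionContextMenu'; Scope = 'Explorer context menu' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($c.Name) }
        }
        # EfsConfiguration: 1 = EFS disabled, 0 or absent = enabled (the default).
        # EncryptionContextMenu: 1 = Encrypt/Decrypt entries shown on right-click.
        if ($c.Name -eq 'EfsConfiguration') {
            $meaning = if ($value -eq 1) { 'EFS disabled' } else { 'EFS enabled' }
        } else {
            $meaning = if ($value -eq 1) { 'Encrypt/Decrypt shown' } else { 'Not shown' }
        }
        $display = if ($null -eq $value) { '(not set)' } else { $value }
        [pscustomobject]@{ Scope = $c.Scope; ValueName = $c.Name; Value = $display; Meaning = $meaning }
    }
}

# The Group Policy value, when set, is the one in effect; otherwise the local value applies.
function Test-EfsEnabled {
    $rows   = Get-EfsRegistrySetting | Where-Object ValueName -eq 'EfsConfiguration'
    $policy = $rows | Where-Object Scope -eq 'Group Policy'
    $local  = $rows | Where-Object Scope -eq 'Local machine'
    $effective = if ($policy.Value -ne '(not set)') { $policy } else { $local }
    return ($effective.Meaning -eq 'EFS enabled')
}

# Add the Explorer Encrypt/Decrypt menu entries (elevated prompt required).
function Enable-EfsContextMenu {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -LiteralPath $path -Name 'EncryptionContextMenu' -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-EfsRegistrySetting | Format-Table -AutoSize
"EFS effectively enabled: $(Test-EfsEnabled)"
```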

Decrypting Files

One of the most beautiful things about EFS is how transparently the decryption works. If a logged-on authorized user opens the file, EFS decrypts the file on the fly into its clear-text representation. If the user copies the file over the network, sends it in an e-mail, or copies it to a non-NTFS partition, the file decrypts transparently. This also means that if intruders can log on as the user or data recovery agent, they can also access the files in their unprotected state. This last point is a big potential weakness.

If the user copies the file to another NTFS partition, or if the file is backed up to an NTFS-aware tape drive, the encryption remains with the file. If an intruder boots around Windows to access the encrypted files without the user's password, they remain encrypted. If the authorized user copies or moves an EFS-protected file from an encrypted folder to an unencrypted folder on the same volume, the file remains encrypted. However, if the user copies or moves an unencrypted file into an encrypted folder, the file will be encrypted.
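The folder-inheritance and copy behaviours described here and under Encrypting a File, exercised by an added PowerShell example that is not from the chapter. It assumes an NTFS volume, cipher.exe on the path, and a working EFS certificate for the current user; $Root is an assumed scratch location, and copies (not moves) are used so that every result is a newly created file.

```powershell
# Added example: show which files end up with the Encrypted attribute.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [System.IO.FileAttributes]::Encrypted)
}

function Invoke-EfsBehaviourLab {
    param([string]$Root = (Join-Path $env:TEMP 'efs-lab'))   # assumed scratch folder

    $enc   = Join-Path $Root 'encrypted'
    $plain = Join-Path $Root 'plain'
    New-Item -ItemType Directory -Path $enc, $plain -Force | Out-Null

    # Mark the folder encrypted: files created inside inherit the attribute,
    # but each file still gets its own FEK (see Encrypting a File).
    & cipher.exe /E $enc | Out-Null

    Set-Content -LiteralPath (Join-Path $enc 'new.txt')    -Value 'created inside encrypted folder'
    Set-Content -LiteralPath (Join-Path $plain 'open.txt') -Value 'created inside plain folder'

    # Encrypted file copied to an unencrypted folder on the same volume: stays encrypted.
    Copy-Item -LiteralPath (Join-Path $enc 'new.txt') -Destination (Join-Path $plain 'new-copy.txt')
    # Unencrypted file copied into the encrypted folder: the copy becomes encrypted.
    Copy-Item -LiteralPath (Join-Path $plain 'open.txt') -Destination (Join-Path $enc 'open-copy.txt')

    foreach ($p in @((Join-Path $enc 'new.txt'), (Join-Path $plain 'open.txt'),
                     (Join-Path $plain 'new-copy.txt'), (Join-Path $enc 'open-copy.txt'))) {
        [pscustomobject]@{ Path = $p; Encrypted = Test-EfsEncrypted $p }
    }
}

function Clear-EfsPlaintextResidue {
    # Wipe unallocated space on the volume holding $Path, the chapter's Cipher.exe remedy
    # for plaintext left behind by older EFS versions. Slow on large volumes.
    param([Parameter(Mandatory)][string]$Path)
    & cipher.exe "/W:$Path"
}

Invoke-EfsBehaviourLab | Format-Table -AutoSize
```

Expect Encrypted = True for new.txt, new-copy.txt and open-copy.txt, and False only for open.txt.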

File Security and EFS

The security mechanisms that determine whether a user can access or change a particular file are completely separate from EFS mechanisms. This has many repercussions. First, a user must have Read and Modify (or Write, or Change on the share) permissions to encrypt a file. Second, if many users can modify a file prior to EFS being implemented on the file, the first user to encrypt effectively prevents all others from being able to read or change the file, unless EFS file-sharing is enabled. Third, the file names of encrypted files can still be seen and viewed by other users who have Read or List access to the protected file(s). This is a potential information leakage problem that can only be remedied by removing the unauthorized user's Read and List permissions.

Lastly, even when only one user has the ability to encrypt a file, any user with Modify (or Write) permissions can delete it. While this may be surprising to those new to computer security, EFS is encryption software, not integrity software. Encryption prevents unauthorized users from being able to read, print, extract, copy, or move a file. The confidentiality of the file remains intact at all times. However, the file can be deleted by anyone with the appropriate file permissions, which is an integrity problem. Many encryption programs such as EFS only address confidentiality problems. Integrity concerns must be addressed using normal NTFS file permissions (i.e., remove Modify or Write permissions from unauthorized users).

EFS Certificate

Every time a file is encrypted or decrypted, Windows looks for the user's EFS certificate. If this is the first time the user has encrypted a file on a particular system, Windows will first determine whether a public key infrastructure (PKI) server capable of supporting EFS (like Microsoft's Certificate Services) is active and participating. If so, Windows will request a digital certificate capable of supporting EFS on behalf of the user, and install it to the user's local profile. If a PKI server is not available, Windows will generate a self-signed EFS certificate and install it to the user's profile. Figures 13-2 and 13-3 show an EFS certificate generated by a Microsoft Certificate Services PKI server. EFS certificates are 1,024 bits by default. PKI-supplied EFS digital certificates are good for two years and will automatically renew before they expire, by default. Self-signed EFS certificates are good for 100 years.

Figure 13-2

Figure 13-3

Note

The expiration period of self-signed EFS digital certificates may seem a month short of the 100-year mark on first examination because the total expiration period does not take into account leap years, so the expiration period is 100 × 365 days, not exactly 100 years.

An EFS certificate contains the user's private and public encryption keys. Every user (or occasionally computer, in the case of Offline Files) has only one EFS certificate for every stand-alone machine or domain computer. Every file the user encrypts will involve the user's single EFS certificate.

As stated above, a user's EFS certificate, with both public and private keys, is stored in the user's local profile. If the user has a roaming profile, the EFS certificate will be stored in the networked roaming profile, and locally wherever the user logs on. If the user encrypts files on a machine that does not have their EFS keys stored locally, they will need to import their EFS certificate locally or make sure the machine is Trusted for Delegation (more on this below).

The storage of the user's EFS key in their local profile is a very important point. If the user loses access to their local profile, either because of corruption or an inadvertent action (e.g., reinstalling Windows to fix another problem), their EFS key could become unrecoverable if not backed up. If a data recovery policy has not been defined beforehand (covered below), the protected files can easily be lost forever. This is not an unusual problem.

The user's EFS certificate, which can have up to 16,384 bits of protection (it would be really slow and overkill), is protected by a 512-bit master key. The user's EFS private keys are stored in C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA and are encrypted by the user's master key, which is stored in C:\Documents and Settings\<username>\Application Data\Microsoft\Protect and encrypted based on the user's password.

If an administrator resets the user's password on a stand-alone computer, it causes a new master key to be generated, and the user's EFS certificate can no longer be extracted. Users should always, if possible, change their own password (and not have an administrator reset it). If a user's password is reset, changing the password back to the previous password or using a previously created Password Reset Diskette (if created for the user's old password) should allow the user's EFS keys to be extracted again.

Note

Important: Administrators resetting a user's password with the normal methods on a stand-alone computer can cause the user to lose access to their EFS-protected files. Unless impossible, always let users change their own password. If an administrator resets a password and the user loses access to their EFS-protected files, the user's original EFS key will have to be restored (if backed up), or the data recovery agent will need to recover the files (if a data recovery agent was in use at the time the files were encrypted).

File Encryption Key

The actual encryption process behind the scenes is more complicated, of course. When a file is first chosen for encryption, the Windows CryptoAPI will generate a symmetric encryption key, called the File Encryption Key (FEK). Every encrypted file has a unique FEK. No matter how many people can encrypt a single file, only one FEK is used to do the encrypting and decrypting. And just like any symmetric encryption algorithm, the same EFS key that encrypts the file is used to decrypt it.

FEK Ciphers

EFS uses Data Encryption Standard XOR (DESX), Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) ciphers to create the FEK. By default, EFS uses the 128-bit DESX algorithm in Windows XP (pre-SP1), a slight improvement over the U.S. government's older Data Encryption Standard (DES) algorithm, for the FEK symmetric key. See www.rsasecurity.com/rsalabs/node.asp?id=2232 for more information on the differences between DES and DESX.

Note

Non-U.S. versions of EFS may use 56-bit DESX instead of 128-bit.

Windows XP Pro and later can also be configured to use the stronger 168-bit 3DES cipher algorithm instead of DESX by enabling System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, located in Group Policy or Local Computer Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. The Federal Information Processing Standards (FIPS) are U.S. government recommended or required standards for government agencies, contractors, and vendors. If enabled, all new EFS encryptions in XP pre-SP1 will use 3DES, but any files previously encrypted by DESX will still be able to be decrypted without a problem. A good article on the effective strength of DES, DESX, and 3DES can be found at www.networkcomputing.com/1006/1006colmoskowitz.html.

Note

When FIPS-compliant ciphers are enabled, it affects many other Windows features beyond EFS. If enabled, Windows will use TLS with 3DES, SHA-1, and RSA public keying material instead of the more widely supported SSL standard for client/server HTTPS transactions, IPSec will use 3DES instead of DESX, and Terminal Services (and RDP services) will only use 3DES for encryption.

Windows XP Pro SP1 and later and Windows Server 2003 use the new and substantially stronger 256-bit AES open, symmetric cipher standard, by default, to create FEKs for EFS. Windows 2000 can use 56-bit DES or 128-bit DESX if installed with SP1 or later and high encryption. Whenever possible, AES should be used to provide the most secure implementation of EFS possible (i.e., AES is more secure than 3DES).

DDF and DRF

When a user encrypts a file, the file's FEK is encrypted with the user's personal EFS public key from the user's EFS digital certificate. The resulting encrypted FEK is stored in one of the file's extended attributes, called $EFS, in the Data Decryption Field (DDF) area. All users who are allowed to encrypt/decrypt the file will have their own identical copy of the FEK encrypted by their own EFS public key, and stored in the DDF attribute field. Every DDF contains the user's SID, the folder where the EFS key is stored (called the container name, based on the computer's and user's SIDs), the cryptographic provider name (usually Microsoft Base Cryptographic Provider or Enhanced Provider), the user's name, the EFS certificate hash, and, finally, the encrypted FEK.

If a recovery agent is defined (covered in more detail below), a copy of the FEK is encrypted by the EFS recovery agent's public key and stored in a file attribute field called the Data Recovery Field (DRF). There will be a DRF entry for every recovery agent defined at the time the file was encrypted (or re-encrypted). The creation and naming of EFS keys are shown in Figure 13-4.

Figure 13-4

New EFS Options in XP and XP SP2

In Windows 2000, EFS was added as a new driver. In Windows XP and later, EFS is integrated as part of NTFS. Microsoft added new EFS features in Windows XP and later (some of these topics have already been covered above):

Data recovery agents are optional, but highly recommended.

The 3DES and AES encryption algorithms can be used instead of DESX.

Additional users can be authorized to access shared encrypted files.

Offline Files can be encrypted.

A Password Reset Disk can be used to safely reset a user's password to a new password.

Encrypted files can be stored in web server (WebDAV) folders.

EFS File Sharing

Windows XP Pro and later allow multiple users to share EFS-protected files. The first user encrypting the file must add the additional users. All EFS users must have Read and Modify (or Write, or Change on the share) permissions and an already existing EFS certificate installed on the local machine or reachable using Active Directory. To add the additional users, the original encrypting user chooses the Details button (see Figure 13-5) in the Advanced Attributes dialog box, under File Properties. Then the user clicks the Add button (see Figure 13-6) to add more users. Unfortunately, EFS file-sharing cannot be set on folders and cannot be applied to groups. The latter issue is easily understandable because EFS certificates are issued per user and cannot be shared by groups.

Figure 13-5

Figure 13-6

Offline File Encryption

Windows' Offline Files feature allows users to store and use remotely available files offline when their access to the remote file server is interrupted, deliberately or unintentionally. Beginning with Windows XP Pro, Microsoft allows administrators to encrypt offline files for added security. Offline Files works using shared folders (or web pages) with client and server support. Each participating share on the computer must be configured to allow Offline Files (see Figure 13-7), although the server's settings are often enabled by default. When the user's computer connects to the remote file server share, the files are downloaded to a local offline cache location on the client computer. After the user works with the offline files and reconnects to the server, the files are synchronized with the server, with the latest versions from either location updating the other. File synchronization can take place when the user's computer goes offline, during logoff and logon, or at predetermined schedules.

Figure 13-7

Starting with Windows XP, you can specify that the offline files that are stored locally be encrypted for added security. Interestingly, although you must have already enabled Offline Files, participating users are not required to have previously encrypted files. When the offline folder cache is encrypted, the folder cache is encrypted with a special EFS machine (i.e., computer) digital certificate. Unfortunately, this means that all users of the same computer will have their personal offline files encrypted with the same EFS key. Per Microsoft, this will change in future Windows versions.

To encrypt the Offline Files database on a local computer:

Click the Start button and then click the Control Panel menu option. If Control Panel is in classic view, double-click Folder Options. If Control Panel is in category view, click the Appearance and Themes link, and then click Folder Options.

Click the Offline Files tab.

If Offline Files are not already enabled, click the Enable Offline Files option.

Click the Encrypt offline files to secure data option (see Figure 13-7). Click OK.

Windows will now automatically encrypt offline files as they are stored in the local Offline Files database. Requirements include the following:

The local offline folder cache must be stored on an NTFS partition.

The first user logging on to the local system after offline folder encryption is enabled must be a local administrator. This is because a registry entry must be made and the registry change requires admin rights.

EFS and Offline Folder encryption must not be disabled by the Administrator or group policy.

There are many group policy settings that affect Offline Files (www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp), but only one affects the EFS status of Offline Files: the Encrypt the Offline Files cache option. If enabled, the offline files cache will be encrypted if the client is Windows XP or later. When you enable offline folder cache encryption, the whole database is encrypted, not individual files. You cannot selectively choose which files to encrypt.

A great, short document on Offline EFS is located at www.microsoft.com/technet/prodtechnol/winxppro/maintain/encryptoffline.mspx.

Encrypted Web Files

EFS can also be used to encrypt files in WebDAV-enabled directories on IIS 6 web servers. WebDAV stands for Web-based Distributed Authoring and Versioning. It is an open standard from RFC 2518. In order for WebDAV to be used, both the client and the server must support it. Windows 2000 and later have a WebDAV client enabled, called the WebClient service. The separate service is not needed if IE 5.x or later is installed or if Microsoft Office 2000 or later is used. The WebDAV service must be enabled in IIS 6 as a web extension. Once enabled, any virtual directory created on IIS becomes automatically WebDAV-enabled. If EFS is also enabled on the server (the default option), any EFS-encrypted file stored in a virtual directory remains encrypted when copied to and from a WebDAV-enabled client. Normally, EFS-protected files do not stay encrypted when copied over network connections.

If the file on the web server is not encrypted, it should be encrypted locally on the server if possible. The web server does not need to be trusted for delegation for WebDAV to take advantage of EFS. If the file is unencrypted on the server, and then encrypted by the client, a plaintext version of the file is copied down to the client, encrypted, and then sent back up to IIS. Although WebDAV is a good solution for keeping EFS-protected files encrypted across the wire, IPSec could be a better option because it will work with any protocol, not just HTTP.

Using EFS on Servers

Getting EFS working for local computers is easy, as described above. Getting EFS working on a file server so that remote users can use it to encrypt files across a network takes a bit more work. In order for EFS to work on a (remote) server, for a remote user, three things must be true:

The server must be a domain member that uses Kerberos authentication.

The server must be trusted for delegation (covered below).

The user must be logged on with a domain account that can be delegated.

By default, user accounts are usually enabled for delegation, unless the following option is enabled in the Account tab of the user account object: Account is sensitive and cannot be delegated. Delegated trust is needed so that the user's EFS private key, stored in the user's local profile, can be passed to the remote server to encrypt and decrypt the EFS-protected files.

All server computers can be trusted for delegation, but whether delegation is enabled by default depends on the type of server computer. Domain controller computers are trusted for delegation during the domain controller promotion process. Member servers are not trusted by default and must be enabled in Active Directory Users and Computers (see Figure 13-8).

Figure 13-8

In Windows Server 2000 and 2003 domains, there are two or three options to consider in trusting a computer for delegation:

Do not trust this computer for delegation. If selected, remote users cannot use EFS on the selected server.

Trust this computer for delegation to any service (Kerberos only). When this option is selected on a computer, all services running under the Local System account on the computer will be trusted for delegation. This means an administrator on that computer may install any service, and that service will then have the ability to access any network resource by impersonating a user. This option will work for EFS, but it also makes a system susceptible to some types of malicious attacks (i.e., trojan attacks, etc.).

Trust this computer for delegation to specified services only. This is new with Windows Server 2003, and is called constrained delegation. With constrained delegation, the administrator can specify which Service Principal Names (SPNs) this account is able to delegate to. This is the safest option to enable, but it takes much more effort to set up for any service, including EFS.

When enabled on a file server for remote users, EFS still does not encrypt files read from the server and sent over the network. If network security is also desired, use WebDAV, IPSec, or SSL to protect EFS files in transmission.
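The three prerequisites and the delegation options above, checked from Active Directory by an added PowerShell example that is not from the chapter. It assumes the ActiveDirectory module (RSAT) and read access to the domain; $FileServer and $User are assumed names supplied by the caller.

```powershell
# Added example: report whether a remote user could use EFS on a given file server,
# and which computer accounts carry the unconstrained setting the chapter warns about.

Import-Module ActiveDirectory

function Get-EfsDelegationPosture {
    param(
        [Parameter(Mandatory)][string]$FileServer,   # computer name without the trailing $
        [Parameter(Mandatory)][string]$User          # user sAMAccountName
    )
    $comp = Get-ADComputer -Identity $FileServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $usr  = Get-ADUser -Identity $User -Properties AccountNotDelegated

    # Classify the computer account the way the ADUC Delegation tab presents it.
    $targets = @($comp.'msDS-AllowedToDelegateTo')
    $mode = if ($comp.TrustedForDelegation) { 'Unconstrained (any service)' }
            elseif ($targets.Count -gt 0)   { 'Constrained (specified services only)' }
            else                            { 'Not trusted for delegation' }

    # "Account is sensitive and cannot be delegated" maps to AccountNotDelegated.
    $userBlocked = [bool]$usr.AccountNotDelegated
    $note = ''
    if ($comp.TrustedForDelegation) {
        $note = 'Any service on this host can impersonate users to any resource; prefer constrained delegation'
    }

    [pscustomobject]@{
        Server             = $comp.Name
        DelegationMode     = $mode
        ConstrainedTargets = ($targets -join '; ')
        UserCannotDelegate = $userBlocked
        RemoteEfsPossible  = ($mode -ne 'Not trusted for delegation') -and (-not $userBlocked)
        Note               = $note
    }
}

# Domain-wide sweep of accounts trusted for delegation to any service. Domain controllers
# appear here by design (see above); member servers in the list deserve a second look.
function Get-UnconstrainedDelegationComputer {
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, OperatingSystem |
        Select-Object Name, OperatingSystem, DistinguishedName
}

# Usage (assumed names):
# Get-EfsDelegationPosture -FileServer 'FILESRV01' -User 'jdoe' | Format-List
# Get-UnconstrainedDelegationComputer | Format-Table -AutoSize
```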

Setting Up an EFS Recovery Policy

EFS is good encryption. Unfortunately, by storing EFS keys in the user's local profile and using the user's master key to protect the EFS private key, there is a good chance that the user's EFS keys may one day become inaccessible. Administrators must assume this will happen and prepare for recovery. EFS recovery can be accomplished by

Backing up each user's EFS keys individually

Having one or more Default Recovery Agents

Allowing Certificate Services to back up EFS keys automatically

You should choose one of these options and implement an EFS recovery strategy. Users can back up their own EFS keys to a file and then store them in a safe place. If this method is used, users should store their backup EFS keys in a different physical location away from their primary site, to prevent loss from a single disaster.

Backing Up EFS Keys Individually

Users can back up their EFS keys using many methods, including the following:

Using the Certificates console snap-in

Using Cipher.exe

Using the EFS GUI

To use the Certificates console snap-in, the user must perform the following steps:

Start the Microsoft Management Console by choosing Start ➪ Run, and type Mmc.exe in the Open dialog box.

Choose File ➪ Add/Remove Snap-in from the menu bar.

Click the Add button.

Select the Certificates console and click Add, Finish, Close, and then OK.

Expand the Personal and Certificates leaf objects.

Highlight the correct EFS certificate (look for the Encrypting File System entry under Enhanced Key Usage on the Details tab).

On the Details tab, select the Public Key field and then click the Copy to File button (see Figure 13-9).

Click Next in the Certificate Export Wizard dialog box.

Select Yes, export the private key, and then click Next.

Click Next in the Export File Format dialog box.

Type a strong and complex password twice, to protect the private key from compromise, and then click Next.

Type in a file name and location in which to save the backed up EFS keys and click Next.

Click Finish to create the backup copy.

Move the backup to one or more removable media and store it in a secure location.

Figure 13-9

In Windows XP Pro SP1 and later, you can use the Cipher.exe utility to back up user EFS keys. At a command prompt, type Cipher.exe /X and press Enter. The currently logged-on user's EFS key will be backed up. Move the resulting backup keys to a secure offsite location.
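The Certificates-console export procedure above, and the Cipher.exe /X alternative, done as a script in an added PowerShell example that is not from the chapter. It locates the user's EFS certificate by its Enhanced Key Usage OID (1.3.6.1.4.1.311.10.3.4, Encrypting File System) and exports it with the private key to a password-protected PFX; it assumes Windows 8 / Server 2012 or later for Export-PfxCertificate, an exportable private key, and $Destination as a caller-supplied removable-media path.

```powershell
# Added example: back up the current user's EFS certificate and private key to a PFX.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-CurrentUserEfsCertificate {
    # Same selection rule as the GUI steps: the Personal store certificate whose
    # Enhanced Key Usage lists Encrypting File System, and which has a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Destination,        # assumed: e.g. a removable drive
        [Parameter(Mandatory)][securestring]$Password      # protects the private key in the PFX
    )
    $certs = @(Get-CurrentUserEfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My' }
    if (-not (Test-Path -LiteralPath $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    foreach ($cert in $certs) {
        $file = Join-Path $Destination ('efs-{0}-{1}.pfx' -f $env:USERNAME, $cert.Thumbprint.Substring(0, 8))
        # Equivalent of "Yes, export the private key" plus the password prompt in the wizard.
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password -ChainOption EndEntityCertOnly | Out-Null
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter     # self-signed EFS certs show the 100-year lifetime here
            BackupFile = $file
        }
    }
}

# Usage: prompt for the PFX password instead of embedding it in the script.
# Backup-EfsCertificate -Destination 'E:\efs-backup' -Password (Read-Host -AsSecureString 'PFX password')
```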

In Windows 2003 and later, users can back up their EFS keys in the normal EFS GUI. Select File ➪ Properties ➪ Advanced, and click the Details button. Then click the Backup Keys button (see Figure 13-10) and follow the Certificate Export Wizard as covered above in the first method.

Figure 13-10

Relying on end users to back up their EFS keys is risky. Many users will find it too complex and others will simply ignore the good advice. A better option is not to rely on the end user's actions for EFS recovery.

Creating a Default Recovery Agent

By default in Windows Server 2000 and Server 2003, the local administrator (on a stand-alone computer) or domain administrator (on a domain member) is the designated Default Recovery Agent (DRA). Windows XP Pro machines in a domain environment also designate the domain administrator as the default DRA, but stand-alone XP Pro machines do not have any DRA installed by default. This last decision was made by Microsoft to prevent local password attacks from compromising the local administrator's or user's accounts and then leveraging that access to recover EFS files.

You should, unless you have an alternate method, always have one or more DRAs defined. Anytime a file is encrypted, the DRA has a copy of the FEK stored in the DRF file attribute. In the event that a user's EFS key is lost, the DRA can log on and recover the files. The DRA should remove the EFS protection during the recovery process, and then copy the files where they are requested. This is because if the DRA does not remove the EFS encryption, anywhere they copy the files to (excepting copies off the local NTFS volume) will result in the files remaining encrypted and tied only to the DRA. Once unencrypted, the files can be copied to the original user, or to whoever is requesting access, and can be re-encrypted, if desired.

If a DRA is used, two or more DRA accounts should be created and used. This is because every file encrypted makes a backup copy of the FEK and encrypts it with the DRA's private EFS key. If only one DRA is used and something happens to the account (e.g., it is deleted, corrupted, etc.), all the DRF copies could be lost. If a DRA user account is added, only the files newly encrypted, or re-encrypted, will end up with the new DRA's DRF added to the file. Hence, if an old DRA is deleted before the new DRA's account has had a chance to create DRFs for all encrypted files, files without a valid DRF can result. If a new DRA is added, consider running the Cipher.exe /U command to update all files with the new DRA's DRF. The /U option can also be used if the user gets a new EFS digital certificate.

If at all possible, the DRA shouldn't be the administrator, as is the default. This is because the administrator is a high-profile target, and if that account is compromised, all encrypted files can be recovered. Instead, it is better to create one or two new DRA accounts, install/import DRA certificates into their profiles, and then run the Cipher.exe /U command under both user accounts. Adding a new DRA requires Microsoft Certificate Services or a PKI Certificate Authority that supports EFS Recovery Agent certificates (see Figure 13-11). In Microsoft Certificate Services, you must publish the EFS Recovery Agent template to the Certificate Services server.

Figure 13-11

The appropriate template permissions need to be set so that the correct user accounts can request the certificate. The users then need to manually request the certificate (unless auto-enrollment is enabled, which it shouldn't be for EFS Recovery Agent certificates), and a Certificate Authority manager needs to approve the certificate request.

After the certificates are installed in the users' local profiles, the new DRA users can be added as Recovery Agents. To add new DRAs, open the appropriate Group Policy Object and choose Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click the Encrypting File System leaf object, choose Add Data Recovery Agent (see Figure 13-12), and follow the wizard's prompts.

Figure 13-12

For extra security, a DRA's private EFS key should be exported and removed from the system (a choice offered during the Certificate Export wizard process), and only added back when needed. Also, the DRA's account should be disabled until needed. That way, if the DRA's account is compromised, the intruder doesn't automatically have access to all encrypted files. Then run the Cipher.exe /U command to update the DRF file attributes.
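The take-the-key-offline procedure just described can be scripted instead of clicked through the Certificate Export wizard. The PowerShell below is an added example, not the chapter's own code: it locates the recovery agent certificate in the DRA's personal store by its File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1), exports certificate and private key to a password-protected PFX, deletes the private key from the profile, and disables the account; a second function reverses the steps for an actual recovery and finishes with cipher.exe /U. The account name DRA_PLACEHOLDER and the E:\dra-backup path are placeholders, and the script assumes a domain-joined machine with the ActiveDirectory module (the stand-alone equivalents are noted in comments).

```powershell
# Added example (not from the chapter): park a DRA's recovery private key
# offline and disable the DRA account; later restore both for a recovery.
# Assumptions: DRA_PLACEHOLDER and E:\dra-backup are placeholders; the
# ActiveDirectory module is available (stand-alone alternatives in comments).

$RecoveryAgentEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU carried by EFS recovery agent certificates
$DraAccount       = 'DRA_PLACEHOLDER'
$PfxPath          = 'E:\dra-backup\dra-efs-recovery.pfx'   # removable media, kept offline

function Get-DraRecoveryCert {
    # The recovery certificate is the one in the user's personal store that
    # carries the File Recovery EKU and still has its private key.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $RecoveryAgentEku })
        }
}

function Export-AndRemoveDraKey {
    # Run while logged on as the DRA user.
    param([Parameter(Mandatory)][SecureString]$Password)
    $cert = Get-DraRecoveryCert | Select-Object -First 1
    if (-not $cert) { throw 'No EFS recovery agent certificate with a private key found in the user store.' }

    # Certificate plus private key into a password-protected PFX.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption EndEntityCertOnly | Out-Null

    # Remove the certificate and its private key from the profile; this is the
    # scripted equivalent of "Delete the private key if the export is successful".
    Remove-Item -Path $cert.PSPath -DeleteKey
    # Policy still holds the DRA's public certificate, so new files keep getting a DRF.
    return $cert.Thumbprint
}

function Disable-DraAccount {
    # Run from an administrative session, after the key has been exported.
    Disable-ADAccount -Identity $DraAccount
    # Stand-alone machine: Disable-LocalUser -Name $DraAccount
}

function Restore-DraForRecovery {
    # Step 1 (administrator): re-enable the account.
    #   Enable-ADAccount -Identity $DraAccount     # stand-alone: Enable-LocalUser -Name $DraAccount
    # Step 2 (logged on as the DRA user): bring the private key back from offline media.
    param([Parameter(Mandatory)][SecureString]$Password)
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password | Out-Null
    # Step 3: refresh the recovery fields on every encrypted file this account can reach.
    & cipher.exe /U
}

# Usage (as the DRA user):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-AndRemoveDraKey -Password $pw
# then, as an administrator: Disable-DraAccount
# and when a recovery is needed, after the account is re-enabled, as the DRA user:
#   Restore-DraForRecovery -Password $pw
```

Keeping the PFX and its password on separate offline media is what makes the exported key safer than one left in the profile; once the recovery is complete, run Export-AndRemoveDraKey again so the key does not linger on the workstation.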

Using Certificate Services

Alternately, you can configure Windows Server 2003 Microsoft Certificate Services to automatically back up (i.e., archive) users' EFS keys if the server is used to issue EFS certificates to users. In order to configure key archival, one or more users must have a Key Recovery Agent certificate. The Key Recovery Agent template must have the appropriate permissions and be published to the Certificate Authority server. Then the appropriate users must request KRA certificates and install them.

The appropriate EFS certificate template (its default name is Basic EFS) should have the Archive subject's encryption private key option selected (see Figure 13-13). Then, whenever an EFS certificate is issued to a user, the user's private key will be archived to a secure location. If the user's private key is ever needed, it can be manually extracted by the Key Recovery Agent and installed back for the user.

Figure 13-13

DRA versus KRA

EFS recovery can be accomplished using either the DRA or the KRA. This naturally begs the question of which is the better strategy. Overall, either is fine, but here are the advantages and disadvantages.

Advantages of using a DRA:

It does not require a PKI infrastructure.

Data recovery policies can be managed centrally using Active Directory.

Users do not have to manage certificates or private keys.

Decryption can be limited to the user only (requires deleting DRA keys while preserving policy).

Disadvantages of using a DRA:

An administrative procedure must recover user data. Users cannot recover their own data.

Data recovery happens on a file-by-file basis as a manual process.

Users have to re-enroll for new certificates. This is because only data is recovered, not the original keys of a user.

Administrators must revoke old certificates. This is because it is assumed that once a key is lost it has been compromised.

Stand-alone workstations, or workstations in non-Active Directory environments, cannot be centrally managed.

Data recovery is specific to the EFS application.

Advantages of using a KRA:

Users do not have to perform re-enrollment for certificates, change security settings, etc.

Existing certificates do not have to be revoked.

Users do not need to recover any data or e-mail because of lost private keys.

All data encrypted by a public key in a certificate can be recovered after the private key has been recovered.

Disadvantages of using a KRA:

User key recovery is a manual process involving administrators and users.

It permits administrative access to the private keys of users.

Nonrepudiation assurance may not be guaranteed.


Choose a recovery method that works for your environment. Do not enable EFS without first enabling, and testing, an EFS recovery method.