Prevent encryption when copying files to a server in Windows 2000 Professional

Here's how to transparently encrypt a local file or folder in Windows 2000 Professional, and how to copy encrypted files to a server without having them encrypted there. This tip will take the mystery out of the process.

With Windows 2000 Pro's Encrypting File System (EFS), you can encrypt files for security. EFS installs automatically and hooks into the NTFS file system as a loadable driver. Then, you can encrypt and decrypt files transparently on your system by setting a file attribute. To encrypt or decrypt a local file or folder:

  1. Open the parent folder, right-click the file or folder, and then choose Properties.
  2. Click the Advanced tab. Then, on the Advanced Attributes page, click Encrypt Contents To Secure Data and click OK.

It's possible to copy encrypted files to a server. If the server supports encryption, the copied file is encrypted regardless of the state of the encryption attribute for the target folder or volume.

If you need to share encrypted files with others on the network by placing them on a server, you can either export your encryption certificate and share it with the other users or configure the server so it doesn't encrypt the file.

The latter option assumes you'll apply the appropriate security measures to prevent access by unauthorized users. If you choose that option, ensure that the files aren't encrypted when you copy or move them to the server. There are two ways to do this: either define an empty recovery policy or set a registry setting. To configure the recovery policy:

  1. Open the Local Security console on the server.
  2. Expand the Security Settings | Public Key Policies | Encrypted Data Recovery Agents branch.
  3. Export all existing certificates to files and store those files in a secure location.
  4. Delete the certificates from this branch.

To take the registry approach, open the Registry Editor and delete the value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsEncryptionService

Then, reboot the server.

Reminder: Editing the registry can be risky, so be sure you have a verified backup before making any changes.
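
One way to verify that backup before deleting the value is to confirm that a Registry Editor export of the FileSystem key actually contains NtfsEncryptionService and its data. This is an added example, not part of the original tip; it assumes the key was exported to a .reg file, and the sample export, including the value data, is constructed for illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
VALUE = "NtfsEncryptionService"
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

def decode_reg(raw):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI
    (cp1252 is assumed here)."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")

def parse_reg(text):
    """Return {key path: {value name: raw data}}, with names lower-cased
    because registry key and value names are case-insensitive."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def saved_value(raw, key=KEY, value=VALUE):
    """Return the data the export holds for key\\value, or None when the
    file could not be used to restore it."""
    text = decode_reg(raw)
    if not text.lstrip().startswith(HEADERS):
        return None
    return parse_reg(text).get(key.lower(), {}).get(value.lower())

# Constructed sample export; the value data shown is illustrative only.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem]\r\n"
    '"NtfsDisable8dot3NameCreation"=dword:00000000\r\n'
    '"NtfsEncryptionService"="Efs"\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    data = saved_value(SAMPLE)
    print("backup can restore the value:" if data else "value missing from backup", data)
```

Read the real export with `open(path, "rb").read()` and pass the bytes to `saved_value`; a `None` result means the file would not bring the value back.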

Miss a column?

Check out the Windows 2000 Professional archive, and catch up on Jim Boyce's column.
