Worried about security issues? Who isn’t? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Windows Encrypting File System (EFS) is
comparable to using permissions on files and folders on a Windows
NT file system (NTFS). Both methods restrict or control access to

But that doesn’t mean they’re the same. When
someone gains unauthorized physical access to your unencrypted
files or folders, they’re able to read or copy that data.
Permissions on files and folders can’t protect your files when you
lose control of physical access. That’s why you need EFS.

You can implement EFS on systems running
Windows 2000 and Windows XP Professional Edition. Windows 95/98,
Windows Millennium Edition, and Windows XP Home Edition do not
support EFS.

Before implementing EFS to protect your
corporate data, you need to create a recovery key. Make sure you
keep a backup copy of the Encrypted Recovery Agent (ERA); this is
your insurance policy to decrypt files throughout your domain.

Stand-alone workstations generate their own
public key certificate that you can use for EFS. However, in a
domain environment, you’ll need to create an ERA before enabling
EFS. After creating the ERA, back it up to a media format that you
can protect under lock and key.

To create an ERA, follow these steps:

  1. Go to Start | Programs | Administrative Tools
    | Active Directory Users And Computers. (If you have a stand-alone
    system, go to Start | Control Panel | Administrative Tools | Local
    Security Policy, and skip to Step 4.)
  2. Right-click your domain, and select
  3. On the Group Policy tab, select the Default
    Domain Policy, and click the Edit button.
  4. Go to Computer Settings | Security Settings |
    Public Key Policies | Encrypted Data Recovery Agents.
  5. Right-click the policy, and select New |
    Encrypted Recovery Agent.
  6. Use the wizard to add the recovery agent
    certificates to the policy.
  7. After creating the certificate, right-click
    the certificate, select Export, and use the Certificate Export
    Wizard to export your certificate to some other physically
    securable media (e.g., CD, floppy, etc.).

After the policy refreshes, all users on your
domain will be able to safely encrypt the contents of their files
or folders.

Encrypting a file or folder is relatively easy.
Follow these steps:

  1. In Windows
    Explorer, right-click the file or folder you want to encrypt, and
    select Properties.
  2. In the Encrypted Files Properties dialog box,
    click Advanced on the General tab.
  3. Select the Encrypt Contents To Secure Data
    check box, and click OK twice.

Make sure you have a copy of your users’
certificates to use for emergency decryption in the event of
workstation rebuilds.

Keep in mind that you can’t encrypt compressed
files or folders. Marking a file or folder for encryption will
automatically uncompress the file or folder. In addition, copying
or moving a file to a non-NTFS volume will automatically decrypt

Final thoughts

It’s a good idea to implement EFS in phases
after your users have a certificate and you have a good backup copy
of that certificate locked in a drawer.

You can expect your biggest boost in security
to come when you implement EFS for laptop users. If a user loses a
laptop, but he or she encrypted data with the domain account, that
data will remain secure.