Lock down corporate data with EFS

Mike Mullins discusses how to implement EFS on systems running Windows 2000 and Windows XP Professional Edition.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Windows Encrypting File System (EFS) is comparable to using permissions on files and folders on a Windows NT file system (NTFS). Both methods restrict or control access to data.

But that doesn't mean they're the same. When someone gains unauthorized physical access to your unencrypted files or folders, they're able to read or copy that data. Permissions on files and folders can't protect your files when you lose control of physical access. That's why you need EFS.

You can implement EFS on systems running Windows 2000 and Windows XP Professional Edition. Windows 95/98, Windows Millennium Edition, and Windows XP Home Edition do not support EFS.

Before implementing EFS to protect your corporate data, you need to create a recovery key. Make sure you keep a backup copy of the Encrypted Recovery Agent (ERA); this is your insurance policy to decrypt files throughout your domain.

Stand-alone workstations generate their own public key certificate that you can use for EFS. However, in a domain environment, you'll need to create an ERA before enabling EFS. After creating the ERA, back it up to a media format that you can protect under lock and key.

To create an ERA, follow these steps:

  1. Go to Start | Programs | Administrative Tools | Active Directory Users And Computers. (If you have a stand-alone system, go to Start | Control Panel | Administrative Tools | Local Security Policy, and skip to Step 4.)
  2. Right-click your domain, and select Properties.
  3. On the Group Policy tab, select the Default Domain Policy, and click the Edit button.
  4. Go to Computer Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents.
  5. Right-click the policy, and select New | Encrypted Recovery Agent.
  6. Use the wizard to add the recovery agent certificates to the policy.
  7. After creating the certificate, right-click the certificate, select Export, and use the Certificate Export Wizard to export your certificate to some other physically securable media (e.g., CD, floppy, etc.).

After the policy refreshes, all users on your domain will be able to safely encrypt the contents of their files or folders.

Encrypting a file or folder is relatively easy. Follow these steps:

  1. In Windows Explorer, right-click the file or folder you want to encrypt, and select Properties.
  2. In the Encrypted Files Properties dialog box, click Advanced on the General tab.
  3. Select the Encrypt Contents To Secure Data check box, and click OK twice.

Make sure you have a copy of your users' certificates to use for emergency decryption in the event of workstation rebuilds.

Keep in mind that you can't encrypt compressed files or folders. Marking a file or folder for encryption will automatically uncompress the file or folder. In addition, copying or moving a file to a non-NTFS volume will automatically decrypt it.

Final thoughts

It's a good idea to implement EFS in phases after your users have a certificate and you have a good backup copy of that certificate locked in a drawer.

You can expect your biggest boost in security to come when you implement EFS for laptop users. If a user loses a laptop, but he or she encrypted data with the domain account, that data will remain secure.

Editor's Picks

Free Newsletters, In your Inbox