Configure EFS (Windows 2003)

EFS was primarily designed as a security control to protect local data against compromise when an attacker gains physical access to the computer, for example when someone steals your laptop. However, many people immediately recognized the wider benefit of storing data in an encrypted state.

It provides more protection than NTFS or file-share access control alone: even if you can reach the data, you cannot decrypt it without the proper private key. Even administrative access does not allow you to decrypt data unless the administrator is also a data recovery agent (DRA); see Recipe 4.

So administrators wanted EFS files stored on file shares on servers. For this to work, the server must perform the encryption on behalf of the user, which means the user must delegate their identity to the server. Only highly trusted servers should be trusted for delegation, because compromise of such a server could compromise the identity of every user who delegates to it.

For that reason, by default only domain controllers are trusted for delegation in Active Directory. You must trust every network file server for delegation if you want it to store EFS-encrypted files. These servers should therefore be very tightly controlled to ensure that no unauthorized access occurs, including physical access to the computer, where a local attack could compromise the delegated rights.
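To see which computer accounts in a domain currently carry the trusted-for-delegation attribute, the following PowerShell script (an added example, not part of the original text) queries Active Directory through System.DirectoryServices and flags any computer that has the bit set but is not a domain controller. The flag values TRUSTED_FOR_DELEGATION (0x80000) and SERVER_TRUST_ACCOUNT (0x2000) are the documented userAccountControl constants; a domain-joined machine with read access to the directory is assumed.

```powershell
# Added example, not from the page: audit which computer accounts are trusted for
# delegation. Documented userAccountControl flag values:
$TRUSTED_FOR_DELEGATION = 0x80000   # computer may impersonate users to other services
$SERVER_TRUST_ACCOUNT   = 0x2000    # account is a domain controller

# Bind to the current domain's naming context (assumes a domain-joined machine).
$rootDse = [ADSI]"LDAP://RootDSE"
$dn      = [string]$rootDse.defaultNamingContext
$domain  = [ADSI]"LDAP://$dn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("dNSHostName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")

$results = $searcher.FindAll()
"{0} computer account(s) trusted for delegation in {1}" -f $results.Count, $dn
foreach ($result in $results) {
    # Fall back to the object path if the computer has no dNSHostName.
    $name = if ($result.Properties["dnshostname"].Count -gt 0) {
                $result.Properties["dnshostname"][0]
            } else {
                $result.Path
            }
    $uac = [int]$result.Properties["useraccountcontrol"][0]
    if (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0) {
        "{0,-45} domain controller (trusted by default)" -f $name
    } else {
        "{0,-45} member server: confirm it is a tightly controlled EFS file server" -f $name
    }
}
$results.Dispose()
```

Every member server in the second category is one whose compromise exposes the identities of the users who store EFS files on it, so the list is a good starting point for the physical and administrative controls described above.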

Trusted for delegation is an attribute of each computer object in Active Directory, which is why Active Directory is required for server-based EFS; the server must be joined to an Active Directory domain.

Encrypting folders rather than individual files is usually preferred, because it helps prevent user misconfiguration and prevents plaintext from being written to the hard drive before the file is encrypted.

Folder encryption is discussed in Recipe 4. If NTFS is not in use, this recipe will not work. Also, because all EFS cryptography is file-based, the larger the file, the more time it takes to encrypt.

On large files, an encryption operation can take minutes to complete. Windows does not inform you of this delay or display a progress message; you simply have to wait for the encryption or decryption to finish.

When the Advanced dialog box is displayed, you may not be able to click the Details button. This happens when the file is not yet encrypted; once you complete this solution, the Details button becomes available.

You want to encrypt a folder on the local hard drive, including any files or subfolders it contains. This ensures that new files created in the folder are encrypted by default, because new files and folders inherit the attributes of their parent folder. This is especially important when you want to encrypt a temporary folder.

Many applications create temporary files, and these may contain information that the user considers sensitive.

There is one common misuse of this recipe: many administrators decide to encrypt all folders without considering the performance or compatibility impact. You should not simply encrypt all folders; it wastes resources and applies security to many objects that do not need EFS. While a temporary folder often contains files that should be encrypted, encrypting it frequently breaks applications. Test your required applications before applying EFS to any folder.

The Details button is never available when displaying EFS folder information. This is because the contents of the files in the folder may vary, and the user interface cannot effectively display multiple file encryption configurations. You must display the EFS information file by file, or by using efsinfo.

You need to enter two commands because of the way cipher works: the first command encrypts the contents of the directory, and the second sets the encryption attribute on the directories to ensure that new files created in them are encrypted.
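The two-pass cipher.exe procedure described above, as an added PowerShell example that is not taken from the page: the folder path C:\Sensitive is a placeholder, and the switch combination (/e /a /s for the files, /e /s for the directories) is my reading of the documented cipher switches rather than the page's own command lines. The script finishes by listing anything under the tree that still lacks the Encrypted attribute.

```powershell
# Added example (not from the page). Encrypts an existing folder tree with cipher.exe
# in two passes, then verifies the result. The path is a constructed placeholder.
$folder = "C:\Sensitive"   # assumed path; replace with the folder to protect

if (-not (Test-Path -Path $folder -PathType Container)) {
    throw "Folder $folder does not exist"
}

# Pass 1: encrypt the files already in the tree
#   /e = encrypt, /a = operate on files as well as directories, /s:dir = recurse.
cipher /e /a /s:$folder
if ($LASTEXITCODE -ne 0) { throw "cipher failed while encrypting existing files" }

# Pass 2: mark the folder and every subfolder as encrypted, so files created
# later inherit the attribute and are encrypted automatically.
cipher /e /s:$folder
if ($LASTEXITCODE -ne 0) { throw "cipher failed while marking directories" }

# Verify: report any file or directory under the tree that still lacks the attribute
# (for example files an application kept open, which cipher cannot encrypt).
$plain = Get-ChildItem -Path $folder -Recurse -Force |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 }

if ($plain) {
    "Not encrypted under ${folder}:"
    $plain | ForEach-Object { "  " + $_.FullName }
} else {
    "All objects under $folder carry the Encrypted attribute"
}
```

Run it from an account that holds an EFS certificate on the machine; the verification step is what tells you whether the large-file delay mentioned earlier, or a file held open by an application, left anything in plaintext.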

You want to make it easier for users to encrypt and decrypt files and folders by adding Encrypt and Decrypt options to the context menus in Windows Explorer. To configure Windows to add these context-sensitive menu options, set the following Registry value:

Once this registry modification is made, open Windows Explorer. Right-clicking any file or folder shows a context menu that now includes Encrypt and Decrypt options.

This should make it easier for users to quickly encrypt a sensitive file or folder without navigating into the Advanced properties. Remember, however, that this modification also makes it easier for users to downgrade their security by decrypting data that should stay encrypted. Educating users on proper use of EFS is a good step to take before you complete this recipe.

Different files may have different users and different DRAs associated with them. These differences can be due to changing DRA policies, different users using EFS, users explicitly encrypting files for multiple users, and so on. The only way to know exactly which users (technically, which certificates) have access to a given file is to display its information using this recipe.

You can use efsinfo.

Right-click the object and click Cut to move it or Copy to copy it. The following command moves a file called Test. The following command copies a file called Test.

Moving or copying an encrypted file or folder is exactly the same as moving or copying any other file or folder. However, you should understand what happens to encryption when files are moved or copied. To most applications the two operations are essentially the same thing; to EFS they are completely different. When an encrypted file is moved, it remains encrypted during the move, and even if its new folder is not marked for encryption, it stays encrypted.
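The move and copy behaviour described in this paragraph and the next can be checked directly. The following PowerShell script is an added example (not from the original text): it builds a throw-away pair of folders under %TEMP% (a constructed location, assumed to be on an NTFS volume where the current user has an EFS certificate), marks one folder with cipher, and reports the Encrypted attribute after each operation. The test cases all start from a plaintext source file, which is the case the text is describing.

```powershell
# Added example, not from the page: observe the Encrypted attribute across move and copy.
# Paths are constructed for the demo; both folders sit on the same NTFS volume.
$base     = Join-Path $env:TEMP "efs-demo"
$plainDir = Join-Path $base "plain"
$encDir   = Join-Path $base "encrypted"
New-Item -ItemType Directory -Path $plainDir, $encDir -Force | Out-Null
cipher /e $encDir | Out-Null      # mark only the folder; it contains no files yet

function Test-Encrypted([string]$path) {
    # True when the NTFS Encrypted attribute is set on the file or folder.
    ((Get-Item -Path $path -Force).Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

# 1. A plaintext file moved into an encrypted folder stays plaintext.
Set-Content -Path (Join-Path $plainDir "moved.txt") -Value "constructed sample"
Move-Item -Path (Join-Path $plainDir "moved.txt") -Destination $encDir
"plaintext file moved into encrypted folder  -> encrypted: " + (Test-Encrypted (Join-Path $encDir "moved.txt"))

# 2. A plaintext file copied into an encrypted folder inherits encryption from the folder.
Set-Content -Path (Join-Path $plainDir "copied.txt") -Value "constructed sample"
Copy-Item -Path (Join-Path $plainDir "copied.txt") -Destination $encDir
"plaintext file copied into encrypted folder -> encrypted: " + (Test-Encrypted (Join-Path $encDir "copied.txt"))

# 3. A file created in the encrypted folder (so encrypted) and moved to a plain folder
#    stays encrypted.
Set-Content -Path (Join-Path $encDir "secret.txt") -Value "constructed sample"
Move-Item -Path (Join-Path $encDir "secret.txt") -Destination $plainDir
"encrypted file moved into plain folder      -> encrypted: " + (Test-Encrypted (Join-Path $plainDir "secret.txt"))

# Remove the demo tree when done.
Remove-Item -Path $base -Recurse -Force
```

Case 1 is the one that surprises users: dragging a sensitive plaintext file into an encrypted folder does not protect it, so the folder's files should be checked with cipher or efsinfo rather than assumed encrypted.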

Similarly, an unencrypted file moved into a folder marked for encryption remains unencrypted. However, a copied file inherits the encryption attribute from its new parent folder, so copying a file to a folder marked for encryption results in an encrypted file.

You want to change the default algorithm used by EFS to use stronger encryption. To change the algorithm EFS uses for encrypting files, set the following Registry value:

Refer to the table for the value data that pertains to the algorithm you want to use. EFS can use one of several encryption algorithms. Each operating system defaults to the best encryption algorithm available when it was released, but you can directly modify which algorithm is used with this recipe.

There are several reasons you might consider changing the EFS encryption algorithm. For example, your company may establish a policy that requires a specific encryption strength on all sensitive data. Another reason might be the breaking of an older algorithm; if an algorithm is broken, you can follow this recipe to ensure that it is no longer used. Otherwise, one client may encrypt using an algorithm that another client cannot use, and decryption will fail.
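To read, interpret and change the AlgorithmID setting from a script, the following PowerShell example is added here and is not part of the page. The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS, the DWORD name AlgorithmID and the CALG identifiers (0x6604 DESX, 0x6603 3DES, 0x6610 AES-256) are the Windows XP SP1 / Server 2003 values as I know them from Microsoft's documentation, not values given on this page; confirm them against the table and KB article the text refers to before relying on them.

```powershell
# Added example (not from the page). Reads and optionally sets the EFS AlgorithmID value.
# Key, value name and CALG_* identifiers are the documented Windows XP SP1 / Server 2003
# values, assumed here; verify them against the referenced table and KB article.
$efsKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
$algorithms = @{
    0x6604 = "DESX (CALG_DESX)"
    0x6603 = "3DES (CALG_3DES)"
    0x6610 = "AES-256 (CALG_AES_256)"
}

function Get-EfsAlgorithm {
    # Returns a description of the configured algorithm, or notes that the OS default applies.
    $item = Get-ItemProperty -Path $efsKey -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($item -eq $null) { return "not set (operating-system default applies)" }
    $id = [int]$item.AlgorithmID
    if ($algorithms.ContainsKey($id)) { "0x{0:X} = {1}" -f $id, $algorithms[$id] }
    else { "0x{0:X} = unknown CALG value" -f $id }
}

function Set-EfsAlgorithm([int]$id) {
    # Refuse identifiers outside the known set so a typo cannot leave EFS unusable.
    if (-not $algorithms.ContainsKey($id)) {
        throw ("Refusing to set unknown algorithm id 0x{0:X}" -f $id)
    }
    if (-not (Test-Path -Path $efsKey)) { New-Item -Path $efsKey -Force | Out-Null }
    Set-ItemProperty -Path $efsKey -Name AlgorithmID -Value $id -Type DWord
    "EFS algorithm set to " + $algorithms[$id] + " (takes effect for newly encrypted files)"
}

"Current EFS algorithm: " + (Get-EfsAlgorithm)

# To require AES-256 on this computer, after confirming that every client that must
# open these files supports it (the mismatch the text warns about):
# Set-EfsAlgorithm 0x6610
```

Because the setting only governs files encrypted from now on, run Get-EfsAlgorithm on each client that shares data before changing any of them, so that no client is left encrypting with an algorithm the others cannot decrypt.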

For information on operating system support for the various algorithms, see the MS KB article.

You want to ensure that offline files are encrypted by EFS to reduce the threat of data compromise if the computer is physically compromised.

Use the certificate stored in the HRRecovery user object. Log on to the Client1 virtual machine using the username [email protected] and the password [email protected]. Wait 2 minutes to allow certificate autoenrollment to occur. Configure the policy to prevent Sales users' computers from using EFS. Log on to the Client1 virtual machine as [email protected].

The templates are stored in Active Directory. They define the attributes of certificates to be issued to users or computers.

You can set permissions on certificate templates if you want to prevent some users from obtaining EFS certificates. You may have certain groups of users whom you do not want to be able to encrypt their data; in that case, deny those users Enroll permission on the template and they will be unable to obtain an EFS certificate.

A third-party CA may have to be configured to issue certificates that meet these requirements. For more information about using third-party certificates, see the KB article.

If you have implemented EFS in an environment without a CA and then deploy a PKI, you will need to explicitly replace the self-signed certificates that users had been using with CA-issued certificates.

Within a Windows forest, users can store encrypted files on remote servers. The remote files must be stored in either network shares or WebDAV folders. To encrypt files in a share, the remote server must first be trusted for delegation.

This is done via the Active Directory Users and Computers tool. Then, to encrypt a file on the remote server, map a network drive. Remote encryption through a share can only be done in a domain, because EFS must use Kerberos delegation to impersonate the user. It is important to note that EFS only encrypts data while it is stored on disk.

It does not encrypt data in transit over the network; for that purpose, you can use IPsec. Also, if you encrypt a file and then copy or move it to a WebDAV folder, it stays encrypted while in transit.

There are some potential problems you should be aware of before implementing EFS in a domain.

For example, a user only needs NTFS Modify (write) permission on a file to be able to encrypt it. This means that if multiple users have permission to access a file, one of them could encrypt it and make it inaccessible to the others.

All users who share the encrypted file must have an EFS certificate on the computer on which it's stored.
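As an added example (not from the original text) of how an administrator can keep an eye on the situation just described, the following PowerShell script lists every EFS-encrypted file under a share's local path together with its NTFS owner; the path D:\Shares\Projects is a placeholder and PowerShell 2.0 or later is assumed. The owner is normally the user who created, and therefore encrypted, the file; efsinfo, mentioned earlier, shows the actual certificates that can open it.

```powershell
# Added example, not from the page: find encrypted files on a shared folder and who owns
# them, so files that one user has encrypted away from the others can be spotted.
$share = "D:\Shares\Projects"   # assumed local path of the share on the file server

if (-not (Test-Path -Path $share -PathType Container)) {
    throw "Share path $share does not exist"
}

function Get-EncryptedFileReport([string]$root) {
    # Emits one object per encrypted file: owner, size and full path.
    Get-ChildItem -Path $root -Recurse -Force |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Owner     = (Get-Acl -Path $_.FullName).Owner
                SizeBytes = $_.Length
                File      = $_.FullName
            }
        }
}

$report = @(Get-EncryptedFileReport $share)
"{0} encrypted file(s) under {1}" -f $report.Count, $share
$report | Sort-Object Owner, File | Format-Table Owner, SizeBytes, File -AutoSize
```

Grouping the output by owner shows at a glance which users are encrypting shared data; any file whose other users lack an EFS certificate on that server, or were never added to the file, is one they can no longer open.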
