Author: techrepublic.com.com
Thursday, March 10 2005 1:48 PM
Learn the necessary steps that you need to take on the Win2K / XP client.
Most readers have probably heard of EFS, the Encrypting File System included with Microsoft Windows 2000 and Windows XP Professional. It lets users of those systems encrypt files or folders stored on NTFS partitions. Many articles have covered both the positive and the negative sides of this feature. In this article I will discuss both from the perspective of EFS in actual use, rather than the techniques behind EFS or the reasons system administrators adopt it. I will also give the steps needed to disable EFS on Windows 2000 and XP systems.
EFS Basics
EFS is included in Windows 2000 and XP and lets users add a layer of security to their data on top of the NTFS permissions that NT has relied on for many years. EFS does not work on data stored on FAT or FAT32 partitions.
EFS is designed to be easy to use, even transparent to the end user, so it is quite possible for a user to be using it without realizing it. EFS uses 128-bit DESX encryption to protect data stored in encrypted files and folders. It uses public key infrastructure (PKI) rather than the user name and password to associate a file with the user who encrypted it, so the encrypted data cannot be read simply by changing the account's password. EFS is enabled by default on Windows 2000 and XP Professional, and any user with Modify permission on a file or folder can encrypt it. The user does this by ticking the check box in the file's or folder's advanced properties, as shown in Figure A.
Figure A
Used correctly, EFS can keep sensitive data from being read by users who get past NTFS protection. On the positive side, EFS really can improve security; but it can also give users a false sense of security, and that is its negative side. Mistakes in the use of EFS are rare, but when they happen the consequences can be terrible. It is very important to understand exactly what EFS can and cannot do. EFS comes surrounded by some false assumptions about security, so let us clear them up.
What EFS can't do
EFS protects data from being read, not from being deleted. Attempts to copy an EFS-encrypted file fail, so many people assume that an unauthorized user cannot delete the file either. In fact, those files can be deleted.
EFS protection applies to data stored on a local NTFS partition. EFS does not protect data while a file travels across the network, and this is a big problem. Because EFS is designed to be transparent to the end user, a file is automatically decrypted before it is sent over the network or by e-mail, so it can be read on the destination system. For users who do not understand this and firmly believe their sensitive data is still safe, the loss from such a mistake can be huge.
EFS cannot be used on mapped drives across the network unless the server and client are in the same Active Directory forest and the server is trusted for delegation. By default, only domain controllers in an Active Directory environment are trusted for delegation. Understanding these restrictions is critical to using EFS effectively. Microsoft presents EFS as easy to use, but using it still requires appropriate end-user training. How many users on the network you are responsible for understand these concepts? More to the point: how many users on your network are using EFS across the network without understanding how it works?
When EFS is misused
Much of the unfortunate information about EFS (especially in Microsoft's material) assumes that end users always do the right thing and never, by accident or on purpose, use a technology like EFS to make a mess of things. But if you support computer systems for a living, you know that end users do not always do the right thing. If EFS is in use in the environment you manage (remember that it is enabled by default), you must understand what problems may occur and what you can do to solve them. The first thing any support engineer or network administrator should consider is that any user with Modify permission (write access) to a file or folder can encrypt it, so this applies to files the user did not create. Is that a problem in your network environment? Do you have multiple users sharing the same system? If so, a problem will occur sooner or later. Do you use a domain controller as a file server in your Active Directory environment? If so, one user can encrypt a file, and a large group of users who were allowed to modify it can no longer access it. With EFS at its default settings, end users have enough rights to cause this kind of trouble.
Note: If a user has Full Control of a file, they can also change the NTFS permissions to deny everyone access to it. This is why you should always limit non-administrative users and groups to Modify permission. Indeed, almost no system administrator lets end users decide who can access data on the network.
Problems caused by EFS are hard to spot
If you do not consider EFS as a possible cause, it is hard to work out what produced the symptoms you encounter. When a user tries to access a file encrypted by someone else, the user gets one of two messages depending on the access method or application: access denied, or the file is corrupt.
With access denied, most end users assume the system administrator has locked them out, so they go to the administrator. If the support staff look for the cause only by viewing the permissions on the file or folder, nothing there shows why the user's access is denied. The cause shows up only in the file's advanced properties. Much effort can be wasted chasing other possibilities, such as group privileges.
Of the two messages a user who cannot read an EFS file may receive, access denied is the better one. If the message says the file is corrupt, the user may delete it, and since EFS does not prevent deletion, the user can do so. If you try to resolve a "corrupt file" problem without considering EFS as a potential factor, things can turn out much worse than a corrupt file. There have been some tragic stories, which could play out as follows:
Two workers share the same Windows XP Professional system on different shifts. The night-shift worker has plenty of idle time to browse every corner of the system. After discovering the Encrypt Contents to Secure Data setting, he decides to turn it on. "What harm could securing the data do?" he says to himself.
He also selects a file in a folder shared with the other user. The default EFS prompt offers to encrypt not only the file but also its parent folder. The user accepts this and clicks OK. Every file created in that folder from now on is encrypted and cannot be read by other users. The night-shift user edits these documents, confirms there is no problem, and is convinced everything works normally.
When the day-shift user tries to open a file in the folder, she gets a message that the file's data may be corrupt. She calls technical support to report the problem. Files in that folder must be written to every day as part of her work, so it needs to be resolved quickly. The support technician starts troubleshooting. He tries deleting the file and restoring it from last night's backup, but the EFS file is still encrypted, so the restored file also appears corrupt. He concludes that the application used to edit the file has a problem, reinstalls it, and the problem remains. Under pressure to fix it quickly, and with backups in hand, he decides to reinstall the operating system. Reinstalling wipes out the key used to decrypt the data, and now the files are completely unreadable!
Of course, data loss from EFS is possible even without anyone making a mistake. What happens if the system crashes and cannot be started after it was backed up? There are many ways to avoid this potential trouble, and abandoning EFS is one worth considering. The system state or the EFS keys can be backed up and restored to the reinstalled system so that access to the data can be regained. If you use EFS on your network, this is no longer merely a "best practice" but a must (note that in an Active Directory environment you can take steps to avoid such errors and make the environment more secure, but those steps are not part of the EFS default settings).
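As an added example (not from the original article), here is a PowerShell helper a support technician could run before deleting, restoring or reinstalling anything: it lists every file and folder under a path that carries the NTFS Encrypted attribute and reports whether the current account can actually open each file. The path C:\Shared\Project is a constructed stand-in for the shared folder in the story; the script assumes Windows PowerShell on an NTFS volume.

```powershell
# Added example, not code from the article: find EFS-encrypted items so that
# "access denied" / "file appears corrupt" reports can be traced to EFS first.

function Find-EfsEncryptedFiles {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # -Force includes hidden and system items; errors on unreadable
    # subfolders are skipped rather than aborting the scan.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            $item = $_
            # Try to open the file for reading. An EFS file encrypted by
            # another user fails here even when the NTFS ACL grants access,
            # which is exactly the symptom the story describes.
            $readable = $true
            if (-not $item.PSIsContainer) {
                try {
                    $stream = [System.IO.File]::OpenRead($item.FullName)
                    $stream.Close()
                } catch {
                    $readable = $false
                }
            }
            [pscustomobject]@{
                Path         = $item.FullName
                IsFolder     = $item.PSIsContainer
                ReadableByMe = $readable
            }
        }
}

# Constructed usage: scan the shared project folder from the story.
Find-EfsEncryptedFiles -Path 'C:\Shared\Project' | Format-Table -AutoSize
```

A folder that shows up as encrypted explains why every new file created in it is unreadable to the other user; a file with ReadableByMe false while the ACL grants Modify points at EFS rather than at a corrupt file or a broken application.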
Laptops are the best place to use EFS
The last question I want to discuss is whether you need EFS at all. EFS does nothing for data security in the environments where data is most exposed to attack, such as in transit on the network and the Internet. It does not work on the removable media most used day to day, such as floppy disks, where data is most easily lost. So in what environment should EFS be used? Microsoft describes this very clearly in its EFS white paper: EFS is designed to protect data on local NTFS volumes when someone bypasses NTFS protection by taking physical control of the system. I hope your network environment is not as exposed to thieves as most desktop client systems are (and if it is, you should not store sensitive data on those systems).
That points to one kind of computer as the main place to use EFS: laptops. If laptop users on your network must store sensitive data on those systems, it must be encrypted. If you use EFS for this, make sure you follow Microsoft's best practices: export the private key from the operating system and store it on a floppy disk, or better still on a smart card. Similarly, if you need this feature you are better off using Windows XP, because on a system under an attacker's physical control EFS is relatively easy to defeat, and the steps that prevent this are not implemented on Windows 2000. I will explain this next.
Removing EFS from Win2K / XP workstations
If you find that EFS does not suit your network environment, you need to disable it on your Windows 2000 or Windows XP systems. I will first describe the process on Windows 2000.
Windows 2000
Microsoft guarantees that encrypted data can be recovered even if you accidentally delete the user account that encrypted the file. For this, a user is designated as the recovery agent on every Windows 2000 system; by default it is the Administrator. This means that by default the system administrator can decrypt any file encrypted on the local system. It also provides a simple way to break EFS protection on a Windows 2000 system: if a notebook is stolen, the thief can access the encrypted data just by logging in with the administrator account. Getting in as administrator is simple: boot the system from a floppy with Winternals' NTFSDOS tool and delete the SAM file, so the administrator password becomes blank. Even if another account is used as the recovery agent, the thief, now holding administrator rights, can change that account's password and log in with it. So not only the laptop user's private key but also the recovery agent's account information must be kept on a floppy disk or smart card rather than on the laptop. This makes EFS very inconvenient in actual use. Why not just delete the recovery agent? Because that disables EFS on a Windows 2000 system. Of course, you can use this deliberately as the way to disable EFS: as shown in Figure B, open Local Security Policy and delete the Administrator certificate from the folder labelled Encrypted Data Recovery Agents.
Figure B
Windows XP
Windows XP was designed to allow the recovery agent to be removed, fixing this weakness in Windows 2000. That is good news for users who want to use EFS on their notebooks, but it also means you need a different way to disable EFS on Windows XP. We can still use Group Policy to disable EFS on XP systems in an Active Directory network, but first an administrative template must be imported into the domain Group Policy. If you have never created a .adm file before, don't worry; it is a simple process. First, copy the text in Listing A into a text file in Notepad.
Now save the file as EFS-Disable.adm and import it into the domain policy. (If you are not familiar with this process: right-click the domain in the Active Directory Users and Computers tool and select Properties. Click the Group Policy tab, then click Edit. Once the domain Group Policy is open, expand Computer Configuration. Select the Administrative Templates folder; you will see the Add/Remove Templates option. Choose it and click Add. Find the .adm file you just created and click Open, then click Close.) The setup is now complete. You will see a folder called Special EFS Handling under Administrative Templates.
Figure C
Set Disable XP and .NET EFS to Enabled (as shown in Figure C). All XP systems in the domain will now have EFS disabled. This works in an Active Directory environment; on a standalone Windows XP Professional system without SP1, the same setting in local Group Policy does not take effect, and you may see the error message shown in Figure D.
Figure D
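As an added example of my own, and not the article's Listing A, the following PowerShell script writes a minimal EFS-Disable.adm in classic administrative-template syntax. The category and policy names are the ones the article shows (Special EFS Handling, Disable XP and .NET EFS), and the registry key and value are the ones the article's own .reg file uses; that the template text matches the article's listing is an assumption. Once written, the file is imported with the Add/Remove Templates steps described above.

```powershell
# Added example, not the article's Listing A: generate an EFS-Disable.adm that
# exposes "Disable XP and .NET EFS" under "Special EFS Handling" and toggles
# the EfsConfiguration value. Template text is my own reconstruction.

function New-EfsDisableTemplate {
    param([string]$OutFile = (Join-Path $env:TEMP 'EFS-Disable.adm'))

    # CLASS MACHINE: KEYNAME is relative to HKEY_LOCAL_MACHINE, so the hive
    # is omitted. Enabled writes EfsConfiguration=1, Disabled writes 0, and
    # Not Configured leaves the value alone.
    $adm = @'
CLASS MACHINE

CATEGORY !!SpecialEfs
    POLICY !!DisableEfs
        KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
        EXPLAIN !!DisableEfs_Help
        VALUENAME "EfsConfiguration"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
SpecialEfs="Special EFS Handling"
DisableEfs="Disable XP and .NET EFS"
DisableEfs_Help="Enabled sets EfsConfiguration to 1, which turns off the Encrypting File System on Windows XP clients. Disabled sets it to 0."
'@

    # .adm files are plain text; ASCII keeps them readable by the Group
    # Policy editor on Windows 2000 and XP.
    Set-Content -LiteralPath $OutFile -Value $adm -Encoding Ascii
    Get-Item -LiteralPath $OutFile
}

# Constructed usage: write the template, then import it through
# Administrative Templates > Add/Remove Templates in the domain policy.
New-EfsDisableTemplate
```

Because the policy maps directly onto a registry value rather than onto a Microsoft-documented policy setting, it behaves like a preference: setting it back to Not Configured does not restore EFS, only choosing Disabled (which writes 0) does.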
If you find that this method does not work on a local XP system, you can modify the registry directly by importing a .reg file with the following contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS]
"EfsConfiguration"=dword:00000001
Double-click the .reg file and confirm that you want to import it into the registry. I have successfully tested this method on a system without SP1.
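The same change can be made and verified from PowerShell instead of by importing a .reg file. This is an added example, not code from the article; the key path and value name are the ones the article's .reg file uses, and the script assumes it is run from an administrator session on Windows XP or later.

```powershell
# Added example, not from the article: read, set and verify the
# EfsConfiguration value that the article's .reg file writes.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-LocalEfsState {
    # 'Disabled' when EfsConfiguration is 1. A missing value is the
    # default, which means EFS is enabled.
    $item = Get-ItemProperty -Path $EfsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
    if ($item -and $item.EfsConfiguration -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-LocalEfsState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value $value -Type DWord
    Get-LocalEfsState
}

function Test-EfsAvailable {
    # Confirms whether EFS actually works on this system by encrypting a
    # throwaway file in %TEMP%. File.Encrypt throws when EFS is unavailable
    # (disabled, or the volume is not NTFS). The probe file is always removed.
    $probe = Join-Path $env:TEMP ('efs-probe-' + [guid]::NewGuid() + '.txt')
    Set-Content -LiteralPath $probe -Value 'probe'
    try {
        [System.IO.File]::Encrypt($probe)
        $true
    } catch {
        $false
    } finally {
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
}

# Constructed usage: report the configured state and whether EFS currently works.
"Configured: $(Get-LocalEfsState); EFS usable now: $(Test-EfsAvailable)"
```

Run Set-LocalEfsState -State Disabled to make the same change as the .reg file, restart the system, and then use Test-EfsAvailable to confirm that encryption requests are now refused; checking the registry value alone only shows what is configured, not what is in effect.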
When you are fully prepared and use it properly, EFS can add the extra security you need on your local network. I hope that after reading this article you can easily decide whether EFS should be used. If it really is necessary, take a closer look at Microsoft's white paper on the topic and review the specific steps of its recommended implementation. Microsoft's marketing makes EFS sound easy to use, while the white paper gives you the information you actually need to configure it properly.