Introduction
In many companies a number of users share one computer, and some users carry portable computers while traveling, outside corporate physical protection: at customer sites, airports, restaurants and at home. Important data is therefore often stored outside corporate control. An unauthorized user may try to read data stored on a desktop computer, or a laptop may be stolen. In all these cases the company's sensitive data can be stolen.
The Encrypting File System (EFS) encrypts sensitive data files to provide confidentiality, which greatly reduces the risk of data theft. Encryption is the application of mathematical algorithms: once a file is encrypted, only a user who holds the correct key can read its contents. Microsoft's EFS technology encrypts data on your computer and lets you control who can access or recover that data. After a file is encrypted, its contents cannot be read even by an attacker who has physical access to the computer's storage. Every user who encrypts or decrypts data with EFS must hold an EFS certificate, and must also have NTFS permission to modify the file on the NTFS volume.
EFS includes two types of certificates:
• Encrypting File System certificate. This certificate lets its holder encrypt and decrypt data with EFS and is commonly referred to simply as an EFS certificate. Ordinary EFS users hold this type. Its "Enhanced Key Usage" field (visible in the Certificates snap-in of the Microsoft Management Console) has the value "Encrypting File System (1.3.6.1.4.1.311.10.3.4)".
• File Recovery certificate. The holder of this certificate can recover anyone's encrypted files and folders within a whole domain or another defined scope. Only domain administrators or highly trusted individuals (data recovery agents) should hold one. Its "Enhanced Key Usage" field (visible in the Certificates snap-in) has the value "File Recovery (1.3.6.1.4.1.311.10.3.4.1)". Such a certificate is commonly called an EFS DRA certificate.
To let another authorized user read encrypted data, either add that user's EFS certificate to the file (see "Enable EFS file sharing" below) or make that user a data recovery agent. A data recovery agent can decrypt every EFS-encrypted file within its scope, that is, within the domain or organizational unit it is defined for. This document gives step-by-step instructions for the main EFS tasks in a small or medium-sized business and lists several important best practices for an EFS deployment.
The steps in this document guide you through the following tasks:
• Create a recovery key so that encrypted data can be recovered securely when the original encryptor cannot decrypt it.
• Designate a recovery agent who performs the recovery when the original user cannot decrypt an encrypted file.
• Deploy EFS in your business.
• Configure Windows Explorer to make EFS easier to use.
• Set up file sharing so that it works with EFS.
• Import and export data recovery keys so that files and folders can be recovered securely.
• Recover data when the original user cannot.
To follow the steps in this document you need to do the following on your systems:
• Create a backup of the data recovery key.
• Designate a recovery agent.
• Enable EFS to encrypt data on your computers' hard drives.
• Configure Windows Explorer to show the EFS options.
After completing the above steps, you can:
• Share access to selected encrypted data.
• Manage data recovery keys for recovering encrypted data.
• Recover encrypted data when necessary.
Before you begin
The steps in this document help you configure your computers to use EFS and explain how to use EFS in your business to protect the data on your computers' hard drives. Before you begin, consult legal counsel to make sure the planned encryption strategy complies with applicable laws and regulations; in particular, if the company has offices outside the United States, you must be familiar with the export control laws that apply to encryption software. You should also understand the basic requirements and conditions for using EFS:
• EFS can encrypt files and folders only on NTFS volumes, so it cannot protect data on FAT or FAT32 file systems. Unless you need FAT for a specific reason, convert the volume to NTFS. Windows 95, Windows 98 and Windows ME support neither NTFS nor EFS. Windows XP Home Edition supports NTFS but not EFS.
• A compressed file or folder cannot be encrypted; encrypting it decompresses it first.
• Files with the System attribute cannot be encrypted, and files in the SystemRoot folder cannot be encrypted.
• A dialog box appears the first time a file or folder is encrypted. The options chosen in this dialog affect future encryption:
• When encrypting a single file, if you choose to encrypt its parent folder as well, files and subfolders later added to that folder are encrypted automatically.
• When encrypting a folder, if you choose to encrypt all files and subfolders, every existing file and subfolder in the folder, and every file and subfolder added to it later, is encrypted.
• When encrypting a folder, if you choose to encrypt the folder only, existing files and subfolders in it are not encrypted, but files and subfolders added to the folder later are encrypted automatically.
Unless otherwise stated, the server in the steps described in this document runs Windows Server 2003 and the client runs Windows XP Professional.
In the Active Directory environment, it is assumed that users have roaming user profiles. The screenshots in this document were taken in a test environment, so the information shown may differ slightly from what you see on your computers.
The steps in this document assume the default Start menu as installed with the operating system. If you have customized the Start menu, the steps may differ slightly.
Generate and back up recovery keys
A recovery key that has not been backed up can mean the permanent loss of encrypted data. When the user who holds the EFS encryption certificate can no longer decrypt the data, the backed-up recovery key guarantees that the encrypted data can still be recovered.
Requirements
• Credentials: You must use the recovery agent account in which the file recovery certificate and private key are stored. The domain administrator is the default recovery agent; in a home or non-domain environment there is no default recovery agent, but you can create a local recovery agent for all accounts on the computer. In a home setting the more common practice is to back up the private key of each EFS certificate holder.
• Tools: the Certificates snap-in of the Microsoft Management Console (MMC).
Warning: Before changing the default recovery policy, make sure the default recovery key has been backed up. In a domain, the default recovery key is stored on the first domain controller of the domain.
• To back up the default recovery key to a floppy disk
1. Click Start, click Run, type mmc, and then click OK to open the Microsoft Management Console.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In Add Standalone Snap-in, click Certificates, and then click Add.
4. Select My user account, and then click Finish.
5. Click Close, and then click OK.
6. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
7. In the Intended Purposes column, find the certificate whose purpose is File Recovery and click it.
8. Right-click the certificate, point to All Tasks, and then click Export.
9. Follow the instructions in the Certificate Export Wizard to export the certificate together with its private key, saving it in .pfx format.
Create a domain-based recovery agent
To allow an account to read or recover EFS-encrypted data, you must designate it as a recovery agent. In a domain environment the recommended approach is to use a domain account. You can create a recovery agent for any site, domain or organizational unit in the Active Directory directory service. By default the built-in Administrator account of the domain is the domain recovery agent, so in that case no recovery agent needs to be created.
Requirements
• Credentials: Domain administrator.
• Tools: the Active Directory Users and Computers MMC snap-in.
• To create a domain-based recovery agent
1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. Right-click the domain whose recovery policy you want to change, and then click Properties.
3. Click the Group Policy tab.
4. Right-click the Group Policy object whose recovery policy you want to change, and then click Edit.
5. In the console tree (left pane), click Encrypting File System. It is located under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System.
6. In the details pane (right pane), right-click, and then click Add Data Recovery Agent (or Create Data Recovery Agent). Note: Following the prompts of the Add Recovery Agent Wizard, add users as recovery agents either from a file or from Active Directory. When a recovery agent is added from a file, the user is shown as USER_UNKNOWN because the user name is not stored in the certificate file. To add a recovery agent from Active Directory, the EFS recovery agent certificate (file recovery certificate) must be published in Active Directory. The default EFS Recovery Agent certificate template does not publish these certificates, so you must create a template that does: duplicate the default EFS Recovery Agent template, right-click the new template, click Properties, and select the Publish certificate in Active Directory check box.
7. Follow the remaining instructions in the Add Recovery Agent Wizard to finish creating the domain-based recovery agent.
Create a local recovery agent
In a non-domain environment, such as a stand-alone computer or a workgroup, you can create a local recovery agent. A local recovery agent is appropriate when several users share one computer. On a single-user computer, the user can simply back up the recovery key to removable media.
Requirements
• Credentials: Local computer administrator.
• Tool: Group Policy Object Editor.
• To create a local recovery agent
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.
4. In Group Policy Object, make sure Local Computer is displayed, and then click Finish.
5. Click Close, and then click OK.
6. Under Local Computer Policy, navigate to Computer Configuration, Windows Settings, Security Settings, Public Key Policies.
7. In the details pane, right-click Encrypting File System, and then click Add Data Recovery Agent or Create Data Recovery Agent. Note: The wizard prompts you for the user name of the recovery agent. You can give the wizard the user name of a user who has a published file recovery certificate, or browse to the recovery certificate file (a .cer file) that contains the recovery agent's certificate. File recovery certificates can be obtained from a certification authority (CA). To identify a file recovery certificate, look in the Enhanced Key Usage field in the details pane of the Certificates snap-in for the value "File Recovery (1.3.6.1.4.1.311.10.3.4.1)". The certificate is stored as a .cer file either in the local file system or in Active Directory. When a recovery agent is added from a file, the user is shown as USER_UNKNOWN because the user name is not stored in the file.
8. Complete the process by following the instructions in the wizard.
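The wizard above accepts a .cer file for the recovery agent. On Windows XP and Windows Server 2003 you can generate that certificate and its private key with cipher.exe /r and check the certificate's Enhanced Key Usage before browsing to it in the wizard. The following PowerShell script is an added example and not part of the original article; the output folder C:\EFSRecovery and the base name localdra are assumptions.

```powershell
# Added example: create a local data recovery agent certificate with cipher.exe /r
# and confirm it carries the File Recovery EKU before adding it to local policy.
# C:\EFSRecovery and the base name "localdra" are assumed values, not from the article.
$outDir   = 'C:\EFSRecovery'
$baseName = Join-Path $outDir 'localdra'      # cipher appends .cer and .pfx itself
$draEku   = '1.3.6.1.4.1.311.10.3.4.1'         # File Recovery EKU named in the article

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# cipher /r prompts (twice) for the password that protects the private key in the .pfx
& cipher.exe "/r:$baseName"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

$cerPath = "$baseName.cer"   # public certificate: the file the wizard browses to
$pfxPath = "$baseName.pfx"   # certificate + private key: needed only to recover files
foreach ($f in @($cerPath, $pfxPath)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "cipher /r did not produce $f" }
}

# Load the .cer and check the Enhanced Key Usage extension for the File Recovery OID.
# A certificate carrying only the EFS OID (1.3.6.1.4.1.311.10.3.4) is not a DRA certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$ekuOids = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
}
if ($ekuOids -notcontains $draEku) {
    throw "$cerPath lacks the File Recovery EKU ($draEku); found: $($ekuOids -join ', ')"
}

"Recovery agent certificate OK:"
"  Subject    : $($cert.Subject)"
"  Thumbprint : $($cert.Thumbprint)"
"  Valid until: $($cert.NotAfter)"
"Browse to $cerPath in the Add Recovery Agent Wizard."
"Move $pfxPath to removable media now: it holds the recovery private key and must not stay on this computer."
```

Only the .cer is handed to the wizard; the .pfx is the backup described under "Generate and back up recovery keys" and belongs on removable media in a locked location.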
Enable EFS
After you have created the recovery agent and generated and backed up the recovery key, you can start using EFS to protect files and folders more effectively against unauthorized access. This section describes how to enable EFS on a file or folder.
Requirements
• Credentials: You must be a user who holds an EFS certificate and has permission to modify the file or folder on the NTFS volume.
• Tools: Windows Explorer.
• To encrypt a file or folder with EFS
1. Open Windows Explorer.
2. Right-click the file or folder you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Select the Encrypt contents to secure data check box, and then click OK.
5. In the Properties dialog box, click OK, and then do one of the following:
• To encrypt the file and its parent folder, in the Encryption Warning dialog box, click Encrypt the file and the parent folder.
• To encrypt only the file, in the Encryption Warning dialog box, click Encrypt the file only.
• To encrypt only the folder, in the Confirm Attribute Changes dialog box, click Apply changes to this folder only.
• To encrypt the folder together with its subfolders and files, in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files.
6. Click OK to confirm and apply the encryption option.
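The same result can be obtained from a script when many folders have to be prepared at once. The following PowerShell functions are an added example and not part of the original article. They enforce the conditions listed under "Before you begin" (NTFS volume, no System or Compressed attribute, nothing under SystemRoot), run cipher.exe, and verify the Encrypted attribute afterwards; Unprotect-EfsPath is what a recovery agent runs for the "Data recovery" section. Local paths only, and the folder C:\Projects\Reports in the usage lines, are assumptions.

```powershell
# Added example (not from the original article): encrypt or decrypt a path with
# cipher.exe after checking the conditions EFS imposes, then verify the result.

function Test-EfsEncrypted {
    param([Parameter(Mandatory=$true)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Get-EfsBlocker {
    # Returns the reason a path cannot be EFS-encrypted, or $null if it can (local paths only).
    param([Parameter(Mandatory=$true)][string]$Path)
    $item  = Get-Item -LiteralPath $Path -Force
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo $root
    if ($drive.DriveFormat -ne 'NTFS') { return "volume $root is $($drive.DriveFormat), not NTFS" }
    if ($item.Attributes -band [System.IO.FileAttributes]::System) { return 'System attribute is set' }
    if ($item.FullName.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        return 'path is inside SystemRoot'
    }
    if ($item.Attributes -band [System.IO.FileAttributes]::Compressed) {
        return 'path is compressed; encrypting would decompress it, so clear that attribute deliberately first'
    }
    return $null
}

function Invoke-Cipher {
    # Builds the cipher.exe argument list: /s:dir marks a folder so new files inherit
    # encryption, /a also processes the existing files, and /a is mandatory for a single file.
    param([string]$Switch, [System.IO.FileSystemInfo]$Item, [switch]$Recurse)
    if ($Item.PSIsContainer) {
        $cipherArgs = @($Switch, "/s:$($Item.FullName)")
        if ($Recurse) { $cipherArgs += '/a' }
    } else {
        $cipherArgs = @($Switch, '/a', $Item.FullName)
    }
    & cipher.exe @cipherArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe $($cipherArgs -join ' ') failed ($LASTEXITCODE)" }
}

function Protect-EfsPath {
    # Encrypts a file, or a folder and (with -Recurse) everything already below it.
    param([Parameter(Mandatory=$true)][string]$Path, [switch]$Recurse)
    $blocker = Get-EfsBlocker $Path
    if ($blocker) { throw "Cannot encrypt ${Path}: $blocker" }
    $item = Get-Item -LiteralPath $Path -Force
    Invoke-Cipher -Switch '/e' -Item $item -Recurse:$Recurse
    if (-not (Test-EfsEncrypted $item.FullName)) { throw "$Path is still not encrypted" }
}

function Unprotect-EfsPath {
    # Decrypts; the caller must hold a matching EFS or DRA private key.
    param([Parameter(Mandatory=$true)][string]$Path, [switch]$Recurse)
    $item = Get-Item -LiteralPath $Path -Force
    Invoke-Cipher -Switch '/d' -Item $item -Recurse:$Recurse
    if (Test-EfsEncrypted $item.FullName) { throw "$Path is still encrypted" }
}

# Usage (assumed path): encrypt a tree, then list anything cipher left unencrypted.
# Protect-EfsPath -Path 'C:\Projects\Reports' -Recurse
# Get-ChildItem 'C:\Projects\Reports' -Recurse -Force |
#     Where-Object { -not (Test-EfsEncrypted $_.FullName) }
```

The final attribute check matters: cipher.exe reports per-file errors on its console, so a script that only looks at the exit code can miss files that were skipped.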
Enable encryption / decryption options in the Windows Explorer menu
You can also configure Windows Explorer so that the Encrypt and Decrypt commands appear on the shortcut menu when a user right-clicks a file. To do this you must edit the Windows registry and add a new value; by default the value does not exist.
Warning: Editing the registry incorrectly can seriously damage the system. Back up all valuable data on the computer before modifying the registry.
Requirements
• Credentials: The registry should be edited only by an experienced administrator who understands the risks of the operation.
• Tool: Registry Editor.
• To enable the Encrypt/Decrypt commands on the Windows Explorer shortcut menu
1. Start Registry Editor and navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
2. In the details pane (right pane), right-click, point to New, and then click DWORD Value.
3. Type EncryptionContextMenu as the name of the DWORD value, and then press ENTER.
4. Right-click the new DWORD value, and then click Modify.
5. In the Value data box of the Edit DWORD Value dialog box, type 1, and then click OK.
6. On the File menu, click Exit to close Registry Editor.
Note: In Windows Server 2003 you can also add an Encrypt To User command to the Explorer shortcut menu. To do this, an administrator creates a registry file (*.reg) containing the following and runs it for each user:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\Encrypt To User...\command]
@="rundll32 EFSADU.DLL,AddUserToObject %1"
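Both registry changes can be applied and verified from a script. The PowerShell script below is an added example and not part of the original article; it first exports the affected keys to backup files (the warning above), then uses reg.exe so that the wildcard key name HKEY_CLASSES_ROOT\* is handled literally. The backup folder C:\RegBackup is an assumption.

```powershell
# Added example (not from the article): enable the Encrypt/Decrypt and Encrypt To User
# shortcut-menu entries, with a registry backup first and a check afterwards.
$backupDir = 'C:\RegBackup'                     # assumed location for the .reg backups
$advKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$verbKey   = 'HKCR\*\shell\Encrypt To User...\command'
$verbPath  = 'Registry::HKEY_CLASSES_ROOT\*\shell\Encrypt To User...\command'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Backup-RegistryKey {
    param([string]$Key, [string]$File)
    if (Test-Path -LiteralPath $File) { Remove-Item -LiteralPath $File }  # reg export will not overwrite
    & reg.exe export $Key $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of $Key failed" }
}

Backup-RegistryKey $advKey (Join-Path $backupDir 'explorer-advanced.reg')
# The verb key usually does not exist yet; back it up only if it does.
if (Test-Path -LiteralPath $verbPath) {
    Backup-RegistryKey $verbKey (Join-Path $backupDir 'encrypt-to-user.reg')
}

# 1. EncryptionContextMenu = 1 (DWORD) adds Encrypt / Decrypt to the file shortcut menu.
& reg.exe add $advKey /v EncryptionContextMenu /t REG_DWORD /d 1 /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'could not set EncryptionContextMenu' }

# 2. The Windows Server 2003 "Encrypt To User..." verb (the .reg file shown in the article).
& reg.exe add $verbKey /ve /d 'rundll32 EFSADU.DLL,AddUserToObject %1' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'could not create the Encrypt To User verb' }

# Verify what the registry now holds.
$advPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$value = (Get-ItemProperty -Path $advPath).EncryptionContextMenu
if ($value -ne 1) { throw "EncryptionContextMenu is '$value', expected 1" }
$cmd = (Get-ItemProperty -LiteralPath $verbPath).'(default)'
if ($cmd -notlike 'rundll32 EFSADU.DLL,AddUserToObject*') { throw "unexpected verb command: $cmd" }

"Both entries are in place. Restart Explorer (or log off and on) for the new menu commands to appear."
"To undo: reg.exe delete `"$advKey`" /v EncryptionContextMenu /f, or import the .reg backups in $backupDir."
```

Importing the backup .reg files restores the previous values; note that a .reg import cannot remove a value that did not exist before, which is why the undo line also shows the explicit reg delete.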
Enable EFS file sharing
Enterprises typically want to use encryption to protect sensitive data while still allowing several users to access it. With EFS, a user can encrypt a file and then grant other users access to the encrypted data. To let several users access an encrypted file, the user who encrypted it adds the other users' EFS encryption certificates to the file. In this way a company keeps the data available while improving its security.
You need to know some requirements and restrictions on sharing encrypted data:
• You cannot add a group of users to an encrypted file, and you cannot add users to an encrypted folder; sharing is configured per file.
• Every user added to an encrypted file must have an EFS encryption certificate on the computer where the encrypted file is located. Such a certificate is normally issued by a certification authority (CA), such as an enterprise CA or VeriSign; a user who has logged on to the computer and encrypted a file there already has an EFS certificate on that computer. For instructions on importing a certificate, see "To import a certificate" on the Microsoft TechNet website at http://go.microsoft.com/fwlink/?linkid=22846.
• Every user who is to decrypt the file must also have NTFS permission to read it. NTFS permissions must be set correctly for the user to gain access; if NTFS permissions deny access, the user can neither read nor decrypt the encrypted file. For instructions on setting file permissions, see "To set, view, change, or remove permissions on files and folders" on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkID=22847.
Requirements
• Credentials: A user who holds an EFS certificate and has access to the file.
• Tools: Windows Explorer.
Every user added to the file must have an EFS encryption certificate on the computer where the encrypted file is located.
• To allow other users to encrypt or decrypt a file
1. Open Windows Explorer.
2. Right-click the encrypted file you want to change, and then click Properties.
3. On the General tab, click Advanced.
4. In Advanced Attributes, click Details.
5. To add a user to the file, click Add, and then do one of the following:
• To add a user whose EFS encryption certificate is on this computer, click the certificate, and then click OK.
• To view a certificate before adding it, click the certificate, and then click View Certificate.
• To add a user from Active Directory, click Find User, select the user in the list, and then click OK.
• To remove a user from the file, click the user name, and then click Remove.
Note: When a user is added to a file and that user's EFS encryption certificate is imported, the certificate is validated against a trusted certification authority (CA). The certificate is then stored in the Other People certificate store.
Import and export data recovery keys
A data recovery agent needs the data recovery key (DRA key) to recover encrypted data when the original user can no longer decrypt it, so protecting the recovery key is essential. A good way to protect it is to export the data recovery certificate and the data recovery agent's private key to a password-protected .pfx file on secure removable media. The key can be imported again when lost data has to be recovered.
The following steps outline the process of exporting and importing the DRA key.
Requirements
• Credentials: You must be logged on with the Administrator account on the first domain controller of the domain.
• Tools: the Certificates MMC snap-in.
Export data recovery key
• To export the default domain data recovery agent certificate and private key
1. Log on with the Administrator account of the first domain controller in the domain.
2. Click Start, and then click Run.
3. Type mmc.exe, and then press ENTER.
4. Click File, and then click Add/Remove Snap-in.
5. Click Add. A list of all snap-ins registered on this computer appears.
6. Double-click the Certificates snap-in, click My user account, and then click Finish.
7. In the Add Standalone Snap-in dialog box, click Close, and then in the Add/Remove Snap-in dialog box, click OK. The MMC now displays the personal certificates of the Administrator account.
8. Navigate to Certificates - Current User, Personal, Certificates. The details pane (right pane) lists the Administrator account's certificates; by default two certificates are shown. Select the default domain DRA certificate (the one whose intended purpose is File Recovery).
9. Right-click the default domain DRA certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Important: Selecting the correct certificate is critical, because with the options chosen below the private key and its certificate are removed from this computer once the export finishes. Unless the key is later restored to the computer, file recovery with this DRA certificate is no longer possible there.
10. Click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX), select both the Enable strong protection and Delete the private key if the export is successful check boxes, and then click Next. The best practice is to remove the private key from the system after a successful export and to use strong private key protection as an extra level of security for the key. When exporting a private key, always use the .pfx format.
The .pfx format is based on the PKCS #12 standard, a portable format for storing or transporting a user's private keys, certificates and other secrets. It also allows the private key stored in the file to be protected with a password.
12. In the Password and Confirm password boxes, type a strong password, and then click Next. The last step is to save the actual .pfx file. The certificate and private key can be exported to any writable location, including a network drive or floppy disk.
13. On the File to Export page, type or browse to the path and file name, and then click Next. The wizard reports whether the export succeeded. If this file and the private key it contains are lost, no file that uses this DRA certificate as its data recovery agent can be recovered. Once the .pfx file has been exported, store it on removable media in a secure location in accordance with the company's security rules; for example, write the .pfx file to one or more CD-ROMs, keep the discs in a safe or a locked cabinet, and enforce strict physical access control on that location.
Import data recovery key
To use the exported data recovery key to recover encrypted data, you must first import the key. Importing is simpler than exporting. To import a key stored in a PKCS #12 (.pfx) file, double-click the file to open the Certificate Import Wizard, or start the wizard from the Certificates snap-in, and then follow these steps:
Requirements
• Credentials: A domain administrator account on the computer.
• Tools: the Certificates MMC snap-in.
• To import the data recovery key
1. Log on to the computer with a valid account.
2. Click Start, and then click Run.
3. Type mmc.exe, and then press ENTER.
4. In the MMC, on the File menu, click Add/Remove Snap-in.
5. Click Add. A list of all snap-ins registered on this computer appears.
6. Double-click the Certificates snap-in, click My user account, and then click Finish.
7. In the Add Standalone Snap-in dialog box, click Close, and then in the Add/Remove Snap-in dialog box, click OK. The MMC now displays the personal certificates of the current account.
8. Navigate to Certificates - Current User, Personal, Certificates; right-click the Certificates folder, point to All Tasks, and then click Import to start the Certificate Import Wizard.
9. Click Next, type or browse to the path of the file to import, and then click Next.
10. If the file is a PKCS #12 file, type its password in the Password box on the Password page. Best practice is to protect the private key with a strong password.
11. If you may need to export this key from the computer again later, select the Mark this key as exportable check box. Click Next.
12. The wizard may ask which store the certificate and private key should be placed in. To make sure the private key is imported into your Personal store, do not select Automatically select the certificate store based on the type of certificate; instead select Place all certificates in the following store, and then click Next.
13. Select the Personal store, and then click OK.
14. Click Next, and then click Finish to complete the import. The wizard reports whether the import succeeded.
Important: Data recovery agents should always use domain-based accounts, because local accounts are vulnerable to offline physical attacks.
Data recovery
If the original user can no longer decrypt encrypted data (for example, the user has left the company), you need a data recovery procedure so the company can continue to use that data. This section describes how to recover encrypted files or folders. To do so, restore the user's encrypted file or folder to a computer with a backup tool; the file recovery certificate and the data recovery agent's recovery key must also be present on that computer.
Only the designated recovery agent can perform this operation; that is, you must hold a valid DRA private key and certificate for the file or folder to be recovered.
Requirements
• Credentials: Data recovery agent.
• Tools: Windows Explorer.
• To recover an encrypted file or folder
1. Open Windows Explorer.
2. Right-click the file or folder you want to recover, and then click Properties.
3. On the General tab, click Advanced.
4. Clear the Encrypt contents to secure data check box.
5. Make a backup of the decrypted file or folder and give it to the user.
Note: You can return the backup copy to the user as an e-mail attachment, on a disk, or through a network share. Another way to recover data is to transfer the recovery agent's private key and certificate to the computer holding the encrypted file, import them there, decrypt the file or folder, and then delete the imported private key and certificate. Compared with the first method this greatly reduces the security of the private key, but it avoids the backup, restore and file transfer steps.
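The export in "Export data recovery key", the import in "Import data recovery key" and the second recovery method above (transfer the key, import it, decrypt, delete it) can all be scripted against the certificate store through the .NET classes PowerShell exposes. The following functions are an added example and not part of the original article; they find the DRA certificate by the File Recovery EKU given in the Introduction, and the paths, the Read-Host password prompt and the assumption that the DRA key is a CAPI RSA key (as it is on Windows XP and Windows Server 2003) are the author's own.

```powershell
# Added example (not from the original article): locate, export, import and finally
# destroy a data recovery agent (DRA) certificate and private key in CurrentUser\My.
$DraEku = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery EKU (from the article)
$X509   = 'System.Security.Cryptography.X509Certificates'

function Get-DraCertificate {
    # Certificates in CurrentUser\My that carry the File Recovery EKU and have a private key.
    $store = New-Object "$X509.X509Store" 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        foreach ($c in $store.Certificates) {
            if (-not $c.HasPrivateKey) { continue }
            foreach ($ext in $c.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
                    (@($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $DraEku)) { $c }
            }
        }
    } finally { $store.Close() }
}

function Export-DraKey {
    # Writes certificate + private key to a password-protected PKCS #12 (.pfx) file.
    # Throws if the private key was imported without "Mark this key as exportable".
    param([Parameter(Mandatory=$true)]$Certificate,
          [Parameter(Mandatory=$true)][string]$PfxPath,
          [Parameter(Mandatory=$true)][System.Security.SecureString]$Password)
    $bytes = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    # Read it back: a file that does not open with the password is not a usable backup.
    $check = New-Object "$X509.X509Certificate2" $PfxPath, $Password
    if ($check.Thumbprint -ne $Certificate.Thumbprint) { throw 'exported file does not match the certificate' }
    return $PfxPath
}

function Import-DraKey {
    # Imports the .pfx into CurrentUser\My; PersistKeySet keeps the key container on disk.
    param([Parameter(Mandatory=$true)][string]$PfxPath,
          [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
          [switch]$Exportable)    # same meaning as the wizard's "Mark this key as exportable"
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    if ($Exportable) { $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable }
    $cert  = New-Object "$X509.X509Certificate2" $PfxPath, $Password, $flags
    $store = New-Object "$X509.X509Store" 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Remove-DraKey {
    # Removes the certificate from the store AND deletes its CAPI key container, which is
    # what makes the "import, decrypt, delete" recovery method safe to finish.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $store = New-Object "$X509.X509Store" 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    try {
        $cert = @($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })
        if ($cert.Count -eq 0) { throw "no certificate with thumbprint $Thumbprint in CurrentUser\My" }
        $rsa = $cert[0].PrivateKey          # RSACryptoServiceProvider for a CAPI key (assumption)
        $store.Remove($cert[0])
        if ($rsa) { $rsa.PersistKeyInCsp = $false; $rsa.Clear() }   # deletes the key container
    } finally { $store.Close() }
}

# Usage (assumed paths and password prompt):
# $pw  = Read-Host 'PFX password' -AsSecureString
# $dra = Get-DraCertificate | Select-Object -First 1
# Export-DraKey -Certificate $dra -PfxPath 'E:\dra-backup.pfx' -Password $pw   # removable media
# $tp  = Import-DraKey -PfxPath 'E:\dra-backup.pfx' -Password $pw              # on the recovery computer
# cipher.exe /d /a 'C:\Recover\report.doc'                                      # decrypt as the DRA
# Remove-DraKey -Thumbprint $tp                                                 # leave no key behind
```

Removing only the certificate from the store with the snap-in's Delete command also removes the key; the explicit PersistKeyInCsp step is there so a script does not leave an orphaned key container behind on the user's computer.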
Best practices
The following best practices can help companies use and manage encrypted files and folders effectively.
• Recovery agents should back up their recovery keys to a secure place. In the Certificates snap-in of the MMC, use the Export command to export the file recovery certificate and private key to a floppy disk, and keep the disk in a safe place. If the file recovery certificate or private key is later damaged or deleted, use the Import command in the Certificates snap-in to replace it with the certificate and private key from the backup disk.
• Use the default domain configuration. By default the domain administrator is the default data recovery agent in a Windows 2000 or Windows Server 2003 domain. When the domain administrator first logs on with that account, a self-signed certificate is generated and its private key is stored in that user's profile on the computer. The Default Domain Policy Group Policy object contains the public key of that certificate as the default data recovery agent for the domain.
• Replace a lost or expired DRA private key immediately. Expiry of a DRA certificate is a minor event, but loss or damage of the DRA private key can cause serious harm to the business. An expired DRA certificate (private key) can still decrypt files that were encrypted earlier, but it cannot be used for newly encrypted or updated files. When the DRA private key is lost or the DRA certificate expires, the best practice is to generate one or more new DRA certificates at once and update Group Policy accordingly. Files that users encrypt or update afterwards automatically pick up the new DRA public key; remind users to update all their existing encrypted files with the new DRA. On Windows XP, the command-line tool Cipher.exe with the /u parameter updates the user's encryption key and the recovery agent key on every encrypted file on the local drives.
The following example shows Cipher.exe updating two encrypted files on the local drives:
cipher.exe /u
C:\Temp\test.txt: Encryption updated.
C:\My Documents\wordpad.doc: Encryption updated.
Note: When the default self-signed certificate is used in a domain without a certification authority, the certificate is valid for 99 years.
The following best practices help companies protect the data of mobile users against theft or loss:
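The cipher /u run shown above can be wrapped so that an administrator first lists which files on the local drives are encrypted, then refreshes their keys and checks that every file reported "Encryption updated." The following PowerShell script is an added example and not part of the original article; it relies on cipher /u with /n, which lists encrypted files without touching them, and on parsing cipher's English "path: status" output lines, both of which are assumptions about the tool's output rather than statements from the article.

```powershell
# Added example (not from the original article): find encrypted files and refresh
# their user and recovery-agent keys after a DRA change, then report failures.

function Get-EfsEncryptedFile {
    # cipher /u /n walks all local drives and prints encrypted files without updating them.
    # Only lines that start with a drive-letter path are kept, so banner lines are ignored
    # (assumption: English output, local paths).
    $lines = & cipher.exe /u /n 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^(?<path>[A-Za-z]:\\.+?)\s*(:\s.*)?$') { $Matches['path'].TrimEnd() }
    }
}

function Update-EfsKeys {
    # cipher /u rewrites the EFS metadata of every encrypted file on local drives with the
    # current user key and the recovery agent keys currently in policy. Returns one object
    # per reported file (Path, Status) so the caller can see which files were not updated,
    # for example files the current user is not allowed to decrypt.
    $lines = & cipher.exe /u 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^(?<path>[A-Za-z]:\\.*?):\s+(?<status>.+)$') {
            New-Object PSObject -Property @{ Path = $Matches['path']; Status = $Matches['status'].Trim() }
        }
    }
}

function Test-EfsKeysCurrent {
    # True when every reported file says "Encryption updated."; otherwise warns per file.
    param([Parameter(Mandatory=$true)]$Results)
    $bad = @($Results | Where-Object { $_.Status -notmatch '^Encryption updated' })
    foreach ($b in $bad) { Write-Warning "$($b.Path): $($b.Status)" }
    return ($bad.Count -eq 0)
}

# Usage: run as each user whose files must pick up the new DRA public key.
$before  = @(Get-EfsEncryptedFile)
"$($before.Count) encrypted file(s) found on local drives before the update"
$results = @(Update-EfsKeys)
if (Test-EfsKeysCurrent -Results $results) {
    "All $($results.Count) file(s) now carry the current user and recovery agent keys."
} else {
    "Some files were not updated; fix the warnings above and run cipher /u again."
}
```

Because cipher /u only touches files the running user can decrypt, the update has to be run once per user (for example from a logon script) after the new DRA has been published in Group Policy.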