Encrypting File System (EFS)

xiaoxiao, 2021-03-06

The Encrypting File System (EFS) is a component of the NTFS file system in Windows 2000, Windows XP Professional and Windows Server 2003 (Windows XP Home does not include it). EFS provides transparent file encryption and decryption using standard cryptographic algorithms. A person or program that does not hold a suitable key cannot read the encrypted data: the file stays protected even if an attacker has physical possession of the computer that holds it, and even users who can log on to the computer and reach its file system cannot read it. Other defences must still be in place. Encryption is not the right countermeasure for every threat; EFS is one strong measure that complements, rather than replaces, the rest of a defence strategy. EFS is the file encryption tool built into the Windows file system.

Like any defensive tool, EFS creates new risks if it is used improperly. It must be fully understood, correctly deployed and actively managed, so that users get the protection they expect and the data they depend on stays recoverable.

This article covers:
1. What EFS is
2. Basics: encrypting and decrypting, recovering encrypted files, key archiving, certificate management, file backup, and how to disable EFS
3. How EFS works: its structure and algorithms
4. Differences between EFS in Windows 2000, Windows XP and Windows Server 2003
5. Misuse and abuse of EFS, and how to prevent data loss or exposure
6. Using SMB file shares and WebDAV for remote storage
7. Disaster recovery
8. Where to download EFS-specific tools

What is EFS
With EFS, users can encrypt files stored on the file systems of Windows 2000, Windows XP Professional and Windows Server 2003 computers. EFS protects data at rest; it is not designed to protect data in transit from one system to another. EFS uses both symmetric cryptography (a single key encrypts the file) and asymmetric cryptography (a key pair protects that file encryption key).

Some important basic facts about EFS:

• EFS encryption happens in the file-system layer, not in the application layer, so encryption and decryption are transparent to users and applications. When a folder is marked as encrypted, every file created in or moved into it is encrypted. Applications need not know about EFS or manage encrypted files; an encrypted file looks no different to them from an unencrypted one. A user who opens a file and holds the right key does nothing extra; a user without the key receives an "Access is denied" error.
• Files are encrypted with a symmetric file encryption key (FEK). The FEK is in turn encrypted with the user's public key, so decrypting the file requires the matching private key. That key pair is bound to the user account, and only someone who can log on with that user's ID and password can use it. If the private key is damaged or lost, the user cannot decrypt their files. The files can still be recovered if a recovery agent exists, or if key archival was in place and the key can be restored; without either, the data may be lost for good.
• EFS has no back door. Users can protect themselves against key loss by exporting their file encryption certificate and private key (for example to a floppy disk) and storing the copy in a secure place, so that the key can be restored if it is ever corrupted.
• The EFS private key is protected by the user's password. Anyone who can log on with the user's ID and password can decrypt that user's files, so every organisation deploying EFS needs a strong password policy and user education to keep encrypted files secure.
• An EFS-encrypted file that is opened from or saved to a folder on a remote server over SMB is decrypted on the server and crosses the network in plaintext; if the destination folder on the server is marked as encrypted, the file is re-encrypted when it is stored there. A file saved to a web folder over WebDAV stays encrypted on the wire. Windows 2000 does not support this WebDAV form of remote storage.
• EFS uses Microsoft's FIPS 140-evaluated cryptographic service providers for encryption and decryption.

Encrypting and decrypting files is simple. Deciding what to encrypt, and understanding how EFS differs between operating systems, is what needs attention.

Using EFS to encrypt data in Windows 2000
1. Right-click the Start button, click Explore, and browse to the file or folder you want to encrypt.
2. Right-click the file or folder, and then click Properties.
3. Click Advanced, select the "Encrypt contents to secure data" check box, and then click OK.
4. Repeat steps 2 and 3 for each file or folder you want to encrypt.
Note: when you encrypt a folder, all files and subfolders it contains are encrypted.

Using the cipher.exe tool
You can display the encryption state of files or encrypt them from the command prompt with cipher.exe. To encrypt a file or directory, type a command of the form:

cipher [/e | /d] [/s:dir] [/i] [/f] [/q] [dirname [...]]

The switches are as follows (type cipher /? at the command prompt to see the same information):
/e Encrypt the specified directories. The directories are marked so that files added later are encrypted too.
/d Decrypt the specified directories. The directories are marked so that files added later are not encrypted.
/s:dir Perform the operation on the given directory and all of its subdirectories.
/i Continue the operation even after an error occurs. By default cipher stops at the first error.
/f Force the encryption operation on all specified directories, including those already marked as encrypted. Already-encrypted directories are skipped by default.
/q Report only the most essential information.
dirname A directory name or a pattern. You can give several names and use wildcards; separate parameters with spaces.
Run without parameters, cipher displays the encryption state of the current directory and of the files in it. cipher.exe has further switches; use cipher /? to see them.

Remarks: EFS does not encrypt files that carry the System attribute, and encrypting Windows system files can leave the computer unable to start. EFS also cannot be applied to compressed files or folders; NTFS compression and encryption are mutually exclusive.

The Encrypting File System in Windows 2000 can encrypt files and folders on local storage or on storage reached over the network. It is integrated into the Windows 2000 shell, so it is transparent to most programs. To encrypt a folder:
1. Right-click the folder and click Properties.
2. On the General tab, click Advanced.
3. Select the "Encrypt contents to secure data" check box, click OK, and then click OK again.
4. Depending on your needs, choose "Apply changes to this folder only" or "Apply changes to this folder, subfolders and files".
Once a folder is marked as encrypted, files placed in it are encrypted automatically; there is no need to mark each file by hand.
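The cipher.exe procedure above, scripted with the checks a practitioner wants before touching a tree. This is an added example and not code from the original article: it assumes a Windows machine with NTFS volumes, cipher.exe on the PATH and PowerShell 2.0 or later, and the folder path in the usage lines is a placeholder. It refuses to run on a non-NTFS volume, on an item with the System attribute, or on a compressed item (the three cases the remarks above say EFS cannot handle), then confirms the result by reading the Encrypted attribute of every file.

```powershell
# Added example, not code from the original article. Assumes Windows with NTFS
# volumes, cipher.exe on the PATH, and PowerShell 2.0 or later; the folder path
# in the usage lines is a placeholder.

function Test-EfsCandidate {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Returns the reasons (if any) why EFS cannot be applied to $Path: the article's
    # three pitfalls are non-NTFS volumes, the System attribute, and NTFS compression.
    $problems = @()
    $item   = Get-Item -LiteralPath $Path -Force
    $attr   = [int]$item.Attributes
    $root   = [System.IO.Path]::GetPathRoot($item.FullName)
    $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($format -ne 'NTFS') {
        $problems += "volume $root is $format, not NTFS; EFS only works on NTFS"
    }
    if ($attr -band [int][System.IO.FileAttributes]::System) {
        $problems += "item has the System attribute; EFS will not encrypt it"
    }
    if ($attr -band [int][System.IO.FileAttributes]::Compressed) {
        $problems += "item is NTFS-compressed; compression and encryption are mutually exclusive"
    }
    return $problems
}

function Protect-FolderWithEfs {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$Recurse)
    # Refuse early instead of letting cipher.exe fail halfway through a tree.
    $problems = @(Test-EfsCandidate -Path $Path)
    if ($problems.Count -gt 0) {
        throw ("Refusing to encrypt {0}: {1}" -f $Path, ($problems -join '; '))
    }
    # /e marks the directory so files added later are encrypted too; /i keeps going
    # after a per-file error; /s:dir extends the operation to the whole subtree.
    $cipherArgs = @('/e', '/i')
    if ($Recurse) { $cipherArgs += "/s:$Path" } else { $cipherArgs += $Path }
    & cipher.exe @cipherArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe exited with code $LASTEXITCODE" }
}

function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Report the Encrypted attribute of every file under $Path, so you can confirm
    # that nothing in the tree was skipped (for example a pre-existing compressed file).
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                File      = $_.FullName
                Encrypted = (([int]$_.Attributes -band [int][System.IO.FileAttributes]::Encrypted) -ne 0)
            }
        }
}

# Usage (placeholder path):
Protect-FolderWithEfs -Path 'C:\Users\alice\Secret' -Recurse
Get-EfsStatus -Path 'C:\Users\alice\Secret' | Format-Table -AutoSize
```

Get-EfsStatus is worth running after any bulk operation: cipher /e with /i silently skips files it cannot encrypt and reports them only in its own output, so the attribute listing is the reliable record of what is actually protected.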

Encrypting files in Windows XP
The Windows XP Encrypting File System (EFS) stores files on the hard disk in encrypted form. Encryption converts data into a form that others cannot read; EFS applies it to data stored on the hard disk. Note: a designated recovery agent can recover data encrypted by another user.

How to encrypt a file
Files can be encrypted only on volumes formatted with NTFS. To encrypt a file:
1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
2. Locate the file you want to encrypt, right-click it, and then click Properties.
3. On the General tab, click Advanced.
4. Under "Compress or Encrypt attributes", select the "Encrypt contents to secure data" check box, and then click OK.
5. Click OK.
If the file is in a folder that is not encrypted, an Encryption Warning dialog appears. Choose one of the following:
• To encrypt only the file, click "Encrypt the file only", then click OK.
• To encrypt the file and the folder that contains it, click "Encrypt the file and the parent folder", then click OK.

If another user tries to open the encrypted file, the attempt fails. For example, when another user tries to open an encrypted Microsoft Word document, a message like this appears: "Word cannot open the document: username does not have access privileges (drive:\filename.doc)". If another user tries to copy or move the encrypted file to another location on the hard disk, this message appears: "Error Copying File or Folder. Cannot copy filename: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

• You cannot encrypt files or folders on volumes that use the FAT file system; the files or folders you want to encrypt must be stored on an NTFS volume.
• You cannot store encrypted files or folders on a remote server that is not trusted for delegation. To resolve this, configure the remote server as trusted for delegation:
1. Log on to a domain controller with an account that has administrative privileges.
2. Start the Active Directory Users and Computers snap-in.
3. In the left pane, expand the domain container, locate the target server, right-click it, and then click Properties.
4. On the General tab, select the "Trust computer for delegation" check box if it is not already selected. If a warning appears, click OK.
5. Click OK, and then close Active Directory Users and Computers.
• Encrypted files cannot be accessed from Macintosh client computers.
• You may not be able to open documents that other users have stored in a folder you encrypted.

When another user creates a document in your encrypted folder, that document is (by default) encrypted so that only its creator can open it. Your encrypted folder can therefore contain files you cannot open. If you need access to such a file, ask its creator to add your user account to the list of users who share the encrypted file.

Removing file encryption in Windows XP
Encryption converts data into a form that others cannot read; EFS encrypts data stored on the hard disk. Note: only the user who encrypted a file can decrypt it, unless a recovery agent was designated before the file was encrypted. To make sure you can decrypt your files in the future, export your certificate and private key and keep the copy in a secure place.

Only the following people can decrypt an encrypted file:
• the user who encrypted it
• any user who was designated as a recovery agent before the file was encrypted
• any user who holds the private key of a recovery agent or of the user who originally encrypted the file
• any user who has been granted access to the file by one of the above
Members of the Administrators group cannot decrypt a file unless the person who encrypted it designated them as recovery agents before encrypting it.

Note: you must be the user who originally encrypted the file, or a designated recovery agent, to perform the following steps. If you are not permitted to remove the encryption, you receive this error: "Error Applying Attributes. An error occurred applying attributes to the file: path\filename. Access is denied."

To remove encryption from a file:
1. Use Windows Explorer to browse to the location of the encrypted file you want to decrypt.
2. Right-click the encrypted file and click Properties.
3. On the General tab, click Advanced.
4. Clear the "Encrypt contents to secure data" check box, click OK, and then click OK again.

How to decrypt a folder
Note: you must be the user who originally encrypted the folder, or a designated recovery agent, to perform the following steps. If you are not permitted to remove the encryption, you receive this error: "Error Applying Attributes. An error occurred applying attributes to the file: path\filename. Access is denied."
1. Use Windows Explorer to browse to the location of the encrypted folder you want to decrypt.
2. Right-click the folder and click Properties.
3. On the General tab, click Advanced.
4. Clear the "Encrypt contents to secure data" check box, click OK, and then click OK again.
5. When prompted to confirm the attribute change:
• To decrypt only the folder, click "Apply changes to this folder only", then click OK.
• To decrypt the folder and its contents, click "Apply changes to this folder, subfolders and files", then click OK.

Sharing encrypted files
Only Windows XP and Windows Server 2003 provide a GUI for sharing encrypted files.

How to share access to an encrypted file
Note: only a user who can already decrypt the file (the user who encrypted it, or someone that user has already added) can add other users to it; Administrators group membership by itself does not allow it. If you are not permitted to add users to an encrypted file, you receive this error from efsadu: "Error in adding new user(s). Error code 5." You can keep a file encrypted while allowing specific users to access it. To grant access:
1. Right-click the encrypted file and click Properties.
2. On the General tab (if it is not already selected), click Advanced.
3. Click Details, and then click Add.
4. Select the user you want to share the encrypted file with, and then click OK.
5. After adding the users, click OK.
The users you add must already have an EFS certificate available (in your certificate store or published in Active Directory), because sharing works by encrypting the file's key under their public key.

• Encrypted files cannot be accessed from Macintosh clients.
• You may not be able to open documents stored in your encrypted folder. A document that another user creates in the encrypted folder can be opened only by its creator unless that user grants access to others, so your encrypted folder may contain files you cannot open. If you need access to those files, ask their creators to add your user account to the list of users who share the encrypted file.
• The EFS documentation states that a user who has been granted access to an encrypted file needs the NTFS Write permission on the file to edit it. If the file is a Microsoft Office document, the user needs the Modify permission (which includes Write) to edit it.

Planning for and recovering encrypted files: the recovery policy
A recovery policy is one of an organisation's security policies, and planning it properly is what makes encrypted files recoverable. It is enforced through the Public Key Policies of the Local Security Policy on a standalone machine, or of Group Policy in a domain. The recovery policy describes how encrypted files are recovered when a user's private key is damaged or lost, and it specifies the recovery certificates to be used. Recovery can take the form of data recovery (Windows 2000, Windows XP Professional and Windows Server 2003) or key recovery (Windows Server 2003 with Certificate Services). Windows 2000 EFS requires a recovery agent: without one, files cannot be encrypted. Windows XP and Windows Server 2003 do not. Windows 2000 and Windows Server 2003 assign a default recovery agent; Windows XP Professional does not.

The data recovery process is simple: the user account bound to the recovery agent certificate decrypts the file, and the file is then delivered to its owner through a secure channel so that the owner can encrypt it again. Recovery through automatic key archival is possible only with Windows Server 2003 Certificate Services, and requires further configuration after the certificate service is installed. In either case, written recovery policies and procedures are essential: if they are well designed and followed, they ensure that recovery keys and agents can recover data safely. Keep in mind that "recovery policy" has two meanings. The first is the written recovery policy and its procedures: who recovers what, where and when, and the steps each recovery component must perform. The second, which is what the rest of this document refers to, is the Public Key Policies part of a standalone machine's Local Security Policy or of the domain's Group Policy; it specifies the certificates used for recovery, along with the other public key policy settings.

Disabling or blocking encryption
You may not want users to be able to encrypt files. By default they can. An administrator can specify that particular folders must not contain encrypted files, or disable EFS altogether until a complete EFS policy, with proper procedures and user training, is in place. There are several ways to disable EFS, depending on the operating system and the effect you want.

System folders cannot be marked as encrypted: the boot process cannot use EFS keys, so a system whose system files were encrypted would not start. To keep other folders from being marked as encrypted, you can give them the System attribute, or place a Desktop.ini file in the folder containing an [Encryption] section with Disable=1, which blocks encryption inside that folder. Windows NT 4.0 has no EFS support. On Windows XP Professional, EFS can also be disabled by clearing a check box on the property page of the Encrypting File System entry under the Local Security Policy's Public Key Policies; clearing the same setting in a domain or organisational unit (OU) Group Policy disables EFS on the Windows XP and Windows Server 2003 computers in a Windows Server 2003 domain. On Windows 2000, which refuses to encrypt without a recovery agent, removing every recovery agent certificate from the recovery policy (leaving the policy in place but empty) has the same effect.

How EFS works: structure and algorithms
To understand EFS, assess its risks, anticipate attacks, troubleshoot problems with encrypted files and protect them, users should understand the EFS structure and the basic encryption, decryption and recovery algorithms.
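The structure referred to here, and the sharing procedure described earlier, can be seen in a working model. The following is an added example and not code from the original article, and it is not EFS's real on-disk format (the $EFS attribute): it builds the same key hierarchy from .NET classes so the behaviour can be exercised. A random file encryption key (FEK) encrypts the content; the FEK is then wrapped under the public key of every user allowed to open the file (the data decryption field, DDF) and of every recovery agent (the data recovery field, DRF). AES stands in for DESX/3DES/AES, RSA-OAEP for the CSP's key wrapping, and the identities alice, bob and recovery-agent, plus the sample text, are constructed for the walk-through.

```powershell
# Added example, not code from the original article and not EFS's real on-disk
# format: a model of the EFS key structure built from .NET crypto classes. A random
# file encryption key (FEK) encrypts the content; the FEK is wrapped under the public
# key of each user allowed to open the file (the data decryption field, DDF) and of
# each recovery agent (the data recovery field, DRF). AES stands in for DESX/3DES/AES.

function New-EfsIdentity {
    param([Parameter(Mandatory = $true)][string]$Name)
    # One RSA key pair per identity, standing in for the user's EFS certificate.
    New-Object PSObject -Property @{
        Name = $Name
        Rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    }
}

function Protect-ModelFile {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Plaintext,
        [Parameter(Mandatory = $true)][object[]]$Users,   # DDF entries
        [object[]]$RecoveryAgents = @()                    # DRF entries
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $fek = $aes.Key
    $content = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Each entry holds the FEK encrypted (RSA-OAEP) under that identity's public key.
    $ddf = @(foreach ($u in $Users) {
        New-Object PSObject -Property @{ Name = $u.Name; WrappedFek = $u.Rsa.Encrypt($fek, $true) } })
    $drf = @(foreach ($r in $RecoveryAgents) {
        New-Object PSObject -Property @{ Name = $r.Name; WrappedFek = $r.Rsa.Encrypt($fek, $true) } })
    New-Object PSObject -Property @{ IV = $aes.IV; CipherText = $content; DDF = $ddf; DRF = $drf }
}

function Unprotect-ModelFile {
    param([Parameter(Mandatory = $true)]$Blob, [Parameter(Mandatory = $true)]$Identity)
    # Find a DDF or DRF entry for this identity, unwrap the FEK with its private key,
    # then decrypt the content. No entry, or no private key: "Access is denied".
    $entry = @($Blob.DDF + $Blob.DRF) | Where-Object { $_.Name -eq $Identity.Name } | Select-Object -First 1
    if (-not $entry -or $Identity.Rsa.PublicOnly) { throw "Access is denied: $($Identity.Name)" }
    $fek = $Identity.Rsa.Decrypt($entry.WrappedFek, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
}

function Add-ModelFileUser {
    param([Parameter(Mandatory = $true)]$Blob, [Parameter(Mandatory = $true)]$Opener,
          [Parameter(Mandatory = $true)]$NewUser)
    # Sharing (XP/2003 Advanced > Details > Add): someone who can already open the file
    # unwraps the FEK and re-wraps it for the new user. The content is not re-encrypted.
    $entry = @($Blob.DDF) | Where-Object { $_.Name -eq $Opener.Name } | Select-Object -First 1
    if (-not $entry) { throw "Error in adding new user(s): $($Opener.Name) cannot open this file" }
    $fek = $Opener.Rsa.Decrypt($entry.WrappedFek, $true)
    $Blob.DDF += New-Object PSObject -Property @{ Name = $NewUser.Name; WrappedFek = $NewUser.Rsa.Encrypt($fek, $true) }
}

function Get-PublicOnlyIdentity {
    param([Parameter(Mandatory = $true)]$Identity)
    # A profile without its private key (reinstalled OS, corrupted profile, admin password
    # reset on a local account): the certificate survives, the ability to decrypt does not.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportParameters($Identity.Rsa.ExportParameters($false))
    New-Object PSObject -Property @{ Name = $Identity.Name; Rsa = $rsa }
}

# Walk-through with constructed identities and constructed data.
$alice = New-EfsIdentity 'alice'
$bob   = New-EfsIdentity 'bob'
$dra   = New-EfsIdentity 'recovery-agent'
$utf8  = [System.Text.Encoding]::UTF8
$blob  = Protect-ModelFile -Plaintext $utf8.GetBytes('Q3 payroll (constructed sample)') -Users @($alice) -RecoveryAgents @($dra)

$utf8.GetString((Unprotect-ModelFile $blob $alice))                       # owner opens it
$utf8.GetString((Unprotect-ModelFile $blob $dra))                         # recovery agent can too
try { Unprotect-ModelFile $blob $bob } catch { $_.Exception.Message }     # bob is denied
Add-ModelFileUser -Blob $blob -Opener $alice -NewUser $bob
$utf8.GetString((Unprotect-ModelFile $blob $bob))                         # now bob opens it
try { Unprotect-ModelFile $blob (Get-PublicOnlyIdentity $bob) } catch { $_.Exception.Message }  # lost key
```

Two properties of the real system fall out of the model. Adding a user or a recovery agent never touches the encrypted content, only the list of wrapped copies of the FEK, which is why sharing is cheap and why a recovery agent added after a file was encrypted cannot open it (the DRF entry was never written). And losing the private key while keeping the certificate is exactly the "no back door" situation: the last call fails even though bob's name is in the DDF.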

Differences between EFS in Windows 2000, Windows XP and Windows Server 2003
EFS in Windows XP Professional and Windows Server 2003 differs from EFS in Windows 2000 in the following ways:
• Users can authorise other users to access their encrypted files. Windows 2000 supports sharing an encrypted file only through the programming interface; no user interface is provided. Windows XP and Windows Server 2003 provide one.
• Offline files can be encrypted.
• A data recovery agent is recommended but optional. Windows XP does not automatically designate a default recovery agent; if a Windows 2000-style domain recovery agent exists, XP uses it, but the absence of a domain recovery agent does not stop XP systems from encrypting. To request a self-signed recovery agent certificate, use the command cipher /r:filename, where filename is the base name of the generated .cer file (the certificate) and .pfx file (certificate plus private key).
• Triple DES (3DES) can be used in place of DESX, and from Windows XP SP1 onward the Advanced Encryption Standard (AES) is the default EFS algorithm.
• For local accounts on Windows XP and Windows Server 2003, a password reset disk can be used to reset a user's password safely, without losing access to encrypted files. (The disk cannot reset domain passwords.) If an administrator instead resets the password with the Set Password command in Computer Management, the user's EFS files become inaccessible; if the user then changes the password back to the previous one, access to the encrypted files is restored.
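The two key-archiving tasks this page keeps returning to, exporting the user's own certificate and private key (the "Removing file encryption" section) and creating a recovery agent certificate with cipher /r (this section), together with a check of which cipher and enable/disable setting a machine is actually using. This is an added example and not code from the original article. It assumes Windows XP/2003 or later with PowerShell; the output folder, base name and password are placeholders; the registry values EfsConfiguration and AlgorithmID under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS and the CALG_* identifiers are the documented Windows values, not something described on this page.

```powershell
# Added example, not code from the original article. Backs up the keys the article
# says must be archived and reports the EFS settings in force. Assumes Windows XP/2003
# or later with PowerShell; the output folder, base name and password are placeholders.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # The current user's EFS certificate(s) that still have a private key: these are what
    # unwrap the file encryption key, and what is lost with a reinstall or a broken profile.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEkuOid
    }
}

function Export-EfsCertificate {
    param([Parameter(Mandatory = $true)][string]$Folder,
          [Parameter(Mandatory = $true)][string]$Password)
    # Same result as the Certificates snap-in's Export with "Yes, export the private key":
    # one password-protected PFX per certificate, to be stored offline.
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key in the current user store' }
    foreach ($cert in $certs) {
        $pfx  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        $file = Join-Path $Folder ("efs-{0}-{1}.pfx" -f $env:USERNAME, $cert.Thumbprint)
        [System.IO.File]::WriteAllBytes($file, $pfx)
        Get-Item $file
    }
}

function New-RecoveryAgentCertificate {
    param([Parameter(Mandatory = $true)][string]$BaseName)
    # cipher /r:BaseName prompts for a password and writes BaseName.cer (import this into
    # the recovery policy) and BaseName.pfx (the recovery private key; keep it off the box).
    & cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with code $LASTEXITCODE" }
    Get-Item "$BaseName.cer", "$BaseName.pfx"
}

function Get-EfsConfiguration {
    # HKLM\...\EFS: EfsConfiguration = 1 disables EFS on XP/2003; AlgorithmID selects the
    # file cipher using CryptoAPI CALG_* identifiers. Missing values mean the OS defaults.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $names = @{ 0x6604 = 'DESX'; 0x6603 = '3DES'; 0x6610 = 'AES-256' }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $alg   = 'OS default (DESX on 2000/XP RTM, AES-256 on XP SP1+ and 2003)'
    if ($props -and $props.AlgorithmID) { $alg = $names[[int]$props.AlgorithmID] }
    New-Object PSObject -Property @{
        Disabled  = ($props -ne $null -and $props.EfsConfiguration -eq 1)
        Algorithm = $alg
    }
}

# Usage (placeholders):
Export-EfsCertificate -Folder 'E:\efs-backup' -Password 'use-a-long-passphrase'
New-RecoveryAgentCertificate -BaseName 'C:\efs-backup\dra'
Get-EfsConfiguration
```

The .pfx files are the whole secret: anyone holding the recovery agent's .pfx and its password can decrypt every file encrypted while that agent was in the policy, so they belong on removable media in a safe, not on the machine whose files they protect.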

Misuse and abuse
Several things go wrong when EFS is misused. The first is unintended disclosure of sensitive data. In most cases this results from an improper or weak security policy and a misunderstanding of what EFS does. Because users believe their data is secure, they may drop the precautions they would normally take, which makes matters worse. This happens in the following cases:

• Copying an encrypted file to a FAT volume decrypts it and leaves it unprotected: the user has the right to decrypt their own files, so the file is decrypted and written to the FAT volume in cleartext. Windows 2000 does this without any prompt; Windows XP and Windows Server 2003 warn the user first.
• If a user gives their password to someone else, that person can log on with the user's credentials and decrypt the user's encrypted files. (Once logged on, they can decrypt any file the user account is entitled to decrypt.)
• If the recovery agent's key has not been archived and removed from the recovery agent's profile, anyone who knows the recovery agent's credentials can log on and decrypt any encrypted file transparently.

By far the most common problem with EFS arises when the EFS encryption keys and/or the recovery keys are not archived. Keys that were never backed up cannot be replaced when they are lost, and when keys can neither be used nor replaced, the data is lost. Keys are lost when Windows is reinstalled (perhaps after a disk failure) or when the user profile is corrupted. In these or any other situations where the keys are damaged or lost and no backup exists, the encrypted files cannot be decrypted. Encryption keys are bound to user accounts, and reinstalling the operating system creates a new user account; a new user profile means a new set of user keys. If the keys were archived, they can be imported into the new account. If a recovery agent exists for the file, its account can be used to recover the file. In most cases of key loss, however, both the user's key and the recovery key are unavailable and there is no backup, so the data is lost. Other, smaller mistakes can also make encrypted files unusable or expose some sensitive data.

Attacks and countermeasures
Anyone who relies on encrypted files, or on any other protection mechanism, should be aware of its potential weaknesses and the ways it can be attacked. Just as locking the front door of a house achieves little if the back door and the windows are left open to a thief, encrypting files is not by itself enough to guarantee confidentiality.

Practise defence in depth and use file permissions. Using EFS does not remove the need to restrict access with file permissions; use both. If an attacker obtains a user's encryption key and imports it into their own account, they can decrypt the file. But if the attacker's account is denied access to the file by its permissions, the attempt to read the sensitive information fails.

Use file permissions to deny deletion. Encrypted files can still be deleted. An attacker who cannot decrypt a file may choose to delete it instead: they get no sensitive information, but the legitimate user loses the file.

Protect user credentials. If an attacker learns the ID and password of a user who can decrypt a file, the attacker can log on as that user and read the file, so protecting these credentials is especially important. Strong password policies, training users to choose strong passwords, and best practices for protecting credentials all help prevent this attack.

Follow password policy best practices. If an account password is compromised, anyone can log on with that user ID and password, and once logged on they can decrypt any file the account is entitled to decrypt. The best defences are a strong password policy, user education and comprehensive security practices.

Protect recovery agent credentials. Likewise, if an attacker can log on as a recovery agent and the recovery agent's private key has not been removed from that account, the attacker can read the files. Best practice is for the recovery policy to require that the recovery agent key be removed from the machine (archived offline), to restrict the recovery agent account to recovery work only, and to guard its credentials carefully. See the recovery operations and best practices described earlier.

Find and tightly manage every place where cleartext copies, or partial cleartext copies, of encrypted files may exist. An attacker who has, or can gain access to, the computer holding the encrypted files may be able to recover sensitive data from:
• data remnants of the file from before it was encrypted
• the page file
• the hibernation file
• temporary files
• printer spool files

Use the system key for additional protection. Syskey adds protection for the password hashes and for values protected by the Local Security Authority (LSA), such as the master key used to protect users' private keys.

Disaster recovery
Users should plan for EFS disaster recovery and include it in the business continuity plan. Three issues need attention:

• In a Windows 2000 network, use recovery agents and archive both the users' keys and the recovery agents' keys.
• Backing up encrypted files should be part of standard practice; backups made with the Windows backup program keep the files encrypted. Backing up the system state is also important, because keys can be recovered by restoring the user profile that contains them.
• In Windows 2000 networks that issue EFS certificates through Certificate Services, and in Windows Server 2003 networks that use EFS certificates with key archival, the disaster recovery plan must also cover recovery of the certificate service itself.
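A read-only audit of the cleartext-residue locations listed under "Attacks and countermeasures" (page file, hibernation file, temporary files, printer spool files, and the non-NTFS volumes that silently receive decrypted copies). This is an added example, not code from the original article; it assumes an elevated PowerShell session on Windows and uses the standard registry locations for these settings. The cipher /w switch in the last function is a real cipher.exe option that the article's switch table does not cover.

```powershell
# Added example, not code from the original article: a read-only audit of the places
# the article lists where cleartext copies of EFS-protected data can remain, plus the
# non-NTFS volumes that silently receive decrypted copies. Assumes an elevated
# PowerShell session on Windows; registry locations are the standard ones.

function Test-EfsResidue {
    $findings = @()

    # Page file: decrypted file contents paged out of a process stay there after shutdown
    # unless the page file is cleared.
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    if ($mm.ClearPageFileAtShutdown -ne 1) {
        $findings += 'ClearPageFileAtShutdown is not 1: pagefile.sys may retain decrypted data'
    }

    # Hibernation file: a full memory image, including whatever plaintext was open.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    if (($power -and $power.HibernateEnabled -eq 1) -or (Test-Path "$env:SystemDrive\hiberfil.sys")) {
        $findings += 'Hibernation is enabled: hiberfil.sys holds a memory image with decrypted data'
    }

    # Temporary and spool folders: applications and the print spooler write working
    # copies there; if those folders are not marked encrypted, the copies are cleartext.
    $spool = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers' -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $spool) { $spool = "$env:SystemRoot\System32\spool\PRINTERS" }
    foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp", $spool)) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $attr = [int](Get-Item -LiteralPath $dir -Force).Attributes
        if (($attr -band [int][System.IO.FileAttributes]::Encrypted) -eq 0) {
            $findings += "$dir is not marked encrypted: temporary or spooled copies there are cleartext"
        }
    }

    # Fixed non-NTFS volumes: an encrypted file copied there is stored decrypted
    # (Windows 2000 does not even warn).
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        if ($drive.IsReady -and $drive.DriveType -eq 'Fixed' -and $drive.DriveFormat -ne 'NTFS') {
            $findings += "$($drive.Name) is $($drive.DriveFormat): EFS files copied there lose their encryption"
        }
    }
    return $findings
}

function Clear-DeallocatedData {
    param([Parameter(Mandatory = $true)][string]$AnyFolderOnVolume)
    # Data remnants of a file from before it was encrypted live in deallocated clusters.
    # cipher /w (a real switch not covered in the article's table) overwrites all
    # deallocated space on the volume that contains the given folder.
    & cipher.exe "/w:$AnyFolderOnVolume"
}

# Usage:
Test-EfsResidue
# Clear-DeallocatedData -AnyFolderOnVolume 'C:\Users\alice\Secret'
```

An empty result from Test-EfsResidue means none of the listed locations is obviously exposed; it does not prove the absence of remnants, which is why the wipe exists as a separate, deliberate step.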

Downloading EFS-specific tools
efsinfo.exe: http://www.microsoft.com/windows/existing/efsinfo-o.asp
cipher.exe: http://support.microsoft.com/default.aspx?scid=kb;zh-cn;298009

Please credit the original when reproducing: https://www.9cbs.com/read-80175.html
