Although the idea behind the Encrypting File System (EFS) in Windows 2000 seems pretty straightforward, there is a great deal more to it than first meets the eye. The purpose of this article is to explain how EFS actually works, and to provide practical configuration advice for system admins.
Why use EFS? The simple answer is that relying on NTFS permissions alone is sometimes not enough. There are simply too many utilities on the market, such as NTFSDOS, that allow a user to bypass NTFS security. Beyond the utilities, imagine the scenario with a mobile user. If the user’s laptop were stolen, the thief would only need to either remove the hard drive and place it into another W2K system, or reinstall W2K and take ownership of the folder as the new administrator account. In either scenario, highly confidential data is not safe. If you’re looking for more security, EFS may be the answer you’re looking for, and you can’t beat the price.
I’m going to try not to bore you with the details of what you probably already know. Here’s the useful beginner stuff, just to get it out of the way:
- EFS can only be used on NTFS formatted volumes.
- EFS cannot encrypt files if any of the following attributes are set: Read-only, System or Compressed.
- If you have ‘write’ permissions to a file, you can encrypt it.
- If the user who encrypted the file moves it to a FAT volume, the file is no longer encrypted.
- EFS encryption is relatively transparent to the user. To encrypt a file, the user need only set the encryption attribute on the file, or save it to an encrypted folder.
- EFS is file-system encryption. That means that when an EFS-encrypted file moves over the network, it is NOT encrypted.
- EFS does not prevent a user with the appropriate NTFS permissions from deleting a file.
- To encrypt many files at once, use Cipher.exe from the command line.
- When an encrypted file is opened, so are temporary copies if they exist.
- Users cannot share encrypted files.
- Only the user who encrypted a file can open it (with exceptions, of course!).
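As an added illustration (not part of the original article), the following batch file walks through the bulk-encryption workflow the list describes: it clears the Read-only and Compressed attributes that stop EFS from encrypting a file, runs cipher.exe recursively over a folder tree, and then lists the resulting encryption state so you can spot anything that was skipped. The folder path is a placeholder; the cipher.exe, compact.exe and attrib.exe switches are the ones documented for Windows 2000.

```batch
@echo off
rem Added example, not from the article: bulk-encrypt a folder tree with cipher.exe.
rem Run it as the user who will own the files; only that user (and the recovery agent)
rem can open them afterwards. TARGET is a placeholder path on an NTFS volume.
set TARGET=D:\Confidential

if not exist "%TARGET%\" (
    echo Folder %TARGET% not found.
    exit /b 1
)

rem Read-only and Compressed files cannot be encrypted, so clear those attributes first.
rem attrib /S applies the change to matching files in all subfolders.
attrib -R "%TARGET%\*" /S
rem compact /U uncompresses; /S:dir recurses; /I continues past errors; /Q keeps output short.
compact /U /S:"%TARGET%" /I /Q

rem /E = encrypt, /S:dir = recurse, /A = encrypt the files as well as the folders
rem (without /A only the folders are marked, so only files created later get encrypted),
rem /I = keep going if an individual file fails.
cipher /E /S:"%TARGET%" /A /I

rem Verify: with neither /E nor /D, cipher lists each entry as E (encrypted) or U (unencrypted).
rem Anything still marked U is a file EFS could not handle, for example one with the System attribute set.
cipher /S:"%TARGET%"
```

The verification step matters in practice: cipher /I deliberately hides per-file failures so the run finishes, so the final listing is the only place you will see a file that quietly stayed in the clear.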
The last item on the list is important. Although the only person who can open an EFS-encrypted file is officially the person who encrypted it, there is still a back door of sorts – the recovery agent. The recovery agent is by default the domain Administrator account (more on this later, but there can be more than one), and can open files that were EFS-encrypted by another user. The reason for this is simple. If a user somehow loses their private key, or snaps and goes encryption-crazy on their last day on the job, we have a way to recover their files.