Applies To: Windows Server 2008
Encrypting File System (EFS) is a powerful tool for encrypting
files and folders on client computers and remote file servers. It
enables users to protect their data from unauthorized access by other
users or external attackers.
What does EFS do?
EFS is useful for user-level file and folder encryption. EFS
was first introduced in the Microsoft® Windows® 2000 operating system,
and has been enhanced in subsequent releases of the operating system.
Who will be interested in this feature?
The following groups might be interested in EFS:
- Administrators, IT security professionals, and compliance officers who are tasked with ensuring that confidential data is not disclosed without authorization.
- Administrators responsible for servers or Windows Vista® client computers that are portable.
- Users who share computers and work with confidential information.
Are there any special considerations?
Before implementing EFS, administrators should plan for recovery of information in the event that keys or certificates are lost. EFS supports a robust recovery mechanism which includes three major changes in this release of Windows:

- Key Recovery Agent (KRA) changes.
- The Data Recovery Agent (DRA) key can now be held on a smart card, which eliminates the need for an offline recovery station and makes remote recovery possible.
- The ntbackup tool is no longer included in the operating system. Instead, the Robocopy utility has been added to Windows Server® 2008; with its /EFSRAW switch it copies EFS-encrypted files in raw (still encrypted) form without needing the decryption key, so the copies remain encrypted and can be read only by the original users or a recovery agent. Windows Server Backup also supports backup of EFS files in Windows Server 2008.
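The recovery preparation and raw-mode copying described above, as an added PowerShell example that is not part of the original article (it also walks through the two deployment steps listed under "How should I prepare to deploy this feature?" later in this topic). The folder paths, the backup share and the certificate file name are placeholders; cipher.exe and robocopy.exe are the in-box tools on Windows Server 2008 and Windows Vista, and the script is meant for an elevated prompt.

```powershell
# Added example (not from the article): set up EFS recovery and back up
# encrypted data without decrypting it. All paths/names below are placeholders.
$ErrorActionPreference = 'Stop'
$draBase = 'C:\EFS-Recovery\EfsDRA'      # assumed location for the DRA cert/key
$source  = 'D:\Projects'                 # folder tree holding EFS-encrypted files
$backup  = '\\backup01\efs$\Projects'    # placeholder destination share

# 1. Generate a Data Recovery Agent certificate and private key.
#    cipher /r writes EfsDRA.cer (import it as a recovery agent in the GPO under
#    Public Key Policies\Encrypting File System) and EfsDRA.pfx (the private key:
#    keep it offline or on a smart card, never on the file server).
New-Item -ItemType Directory -Path (Split-Path $draBase) -Force | Out-Null
cipher.exe /r:$draBase

# 2. Back up the current user's own EFS certificate and private key to a PFX,
#    the same action the "key backup notification" asks the user to perform.
cipher.exe /x "$env:USERPROFILE\Documents\MyEfsKey-backup"

# 3. Copy the tree with Robocopy in raw EFS mode. /EFSRAW reads the files
#    through the raw encrypted-file API, so no user key is needed and the copies
#    stay encrypted; /B uses backup semantics to get past ACLs; /E copies
#    subfolders; /COPY:DATSO keeps data, attributes, timestamps, ACLs and owner.
robocopy.exe $source $backup /E /EFSRAW /B /COPY:DATSO /R:1 /W:1 /NP
if ($LASTEXITCODE -ge 8) { throw "Robocopy reported failures (exit code $LASTEXITCODE)" }

# 4. Verify that every file encrypted at the source is still encrypted in the
#    copy. A clear-text copy here means the raw copy did not happen.
$encrypted = Get-ChildItem -Path $source -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
foreach ($f in $encrypted) {
    $copy = Join-Path $backup ($f.FullName.Substring($source.Length))
    if (-not ((Get-Item $copy -Force).Attributes -band [IO.FileAttributes]::Encrypted)) {
        Write-Warning "$copy is NOT encrypted: raw copy failed"
    }
}

# 5. cipher /c lists who can decrypt each file and which recovery certificates
#    apply. A file reported with no recovery certificate was encrypted before the
#    DRA policy reached this computer; "cipher /u" re-stamps it with the DRA.
cipher.exe /c "$source\*"
```

Check the cipher /c output before you rely on the backup: a file that lists only the user and no recovery agent is unrecoverable if that user's key is lost, which is exactly the case the DRA exists for.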
What new functionality does this feature provide?
Several important enhancements to EFS are provided in
Windows Server® 2008. These include the ability to store encryption
certificates on smart cards, per-user encryption of files in the client
side cache, additional Group Policy options, and a new rekeying wizard.
Smart card key storage
EFS encryption keys and certificates can be stored on smart
cards, providing stronger protection for the encryption keys. This can
be especially valuable to help protect portable computers or shared
workstations. Using smart cards to store encryption keys may also
provide ways to improve key management in large enterprises.
Why is this functionality important?
Using a smart card to store the EFS keys keeps those keys off the hard disk of the computer. This increases the security of those keys: another user of the computer, or someone who steals it, cannot extract the private key from the disk and must instead obtain both the card and its PIN. (In cached mode, described under Key caching, a key derived from the private key does remain in memory for the logon session.)
What works differently?
In Windows Server 2008 and Windows Vista, EFS supports the storage of users’ private keys on smart cards.
Key caching
Using Group Policy settings, you can configure EFS to store private keys on smart cards in non-cached or cached mode.

- Non-cached mode. Similar to the traditional way EFS works, all decryption operations requiring the user's private key are performed on the smart card.
- Cached mode. A symmetric key is derived from the user's private key and cached in protected memory. Encryption and decryption operations involving the user's key are then replaced with the corresponding symmetric cryptographic operations using this derived key. This eliminates the need to keep the smart card plugged in at all times or to use the smart card processor for every decryption, and therefore provides a significant increase in performance. The trade-off is that the derived key is held in memory for the duration of the session, so the card's protection no longer applies once the user has logged on.
Smart card single sign-on
Smart card single sign-on (SSO) is triggered whenever the user logs on with a smart card and one of the following conditions is true:

- The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings.
- The user has a valid EFS encryption key that resides on the smart card used for logon.

If the smart card used for the logon is removed from the smart card reader before any encryption operations are performed, single sign-on is disabled. The user is prompted for a smart card and PIN at the first EFS operation.
How should I prepare for this change?
To prepare to use smart cards to store EFS certificates,
you should examine your existing public key infrastructure (PKI)
implementation and include planning for EFS certificates in your PKI. If
your organization does not have a PKI in place, you cannot use smart
cards to store EFS certificates.
Per-user encryption of offline files
Offline copies of files from remote servers can also be
encrypted by using EFS. When this option is enabled, each file in the
offline cache is encrypted with a public key from the user who cached
the file. Thus, only that user has access to the file, and even local
administrators cannot read the file without having access to the user's
private keys.
Important: If multiple users share a computer and more than one user tries to use an encrypted, cached copy of a particular file, only the first user to cache the file can access the offline copy of the file.
Why is this functionality important?
Security is enhanced by the addition of per-user
encryption. Previously, any user of the computer could potentially gain
access to any file in the offline cache.
What works differently?
In the past, the encryption was done by using system
keys; thus, one user could read the offline files of another user. This
situation no longer exists because the encryption is performed with each
user's own public key.
How should I prepare for this change?
Familiarize yourself with the new EFS settings and choose the options that meet your company's specific security needs.
Increased configurability of EFS through Group Policy
EFS protection policies can be centrally controlled and configured for the entire enterprise by using Group Policy.
A number of new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user’s Documents folder, and prohibit self-signed certificates.
Why is this functionality important?
Increased configurability improves the efficiency of
administrators by enabling them to configure and control EFS policies on
an enterprise scale.
What works differently?
Additional settings enhance the effectiveness of Group Policy. To find out more, see What settings have been added or changed? later in this topic.
How should I prepare for this change?
Familiarize yourself with the new EFS settings in Group
Policy and choose the options that meet your company's specific security
needs.
Encrypting File System rekeying wizard
The Encrypting File System rekeying wizard allows the user
to choose a certificate for EFS and to select and migrate existing files
that will use the newly chosen certificate. It can also be used to
migrate users in existing installations from software certificates to
smartcards. The wizard can also be used by an administrator or users
themselves in recovery situations. It is more efficient than decrypting
and reencrypting files.
Why is this functionality important?
The wizard provides a streamlined, step-by-step process to choose certificates or migrate files.
What works differently?
Files are not automatically re-encrypted whenever they
are opened or updated. The wizard provides the user with a high degree
of flexibility.
How should I prepare for this change?
On a test computer, click Start. In the Start Search box, type rekeywiz, and then press ENTER. This starts the Encrypting File System rekeying wizard and allows you to become familiar with its operation.
What settings have been added or changed?
In this release of Windows Server 2008, additional EFS
options can be managed with Group Policy. The Group Policy settings
listed in the following table are available in administrative templates.
This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of each setting in the Group Policy Management Console (GPMC).

The EFS options described after the table are not administrative-template settings. They are configured in the GPMC or in the Local Security Policy snap-in (secpol.msc): expand the Public Key Policies node, right-click Encrypting File System, and then click Properties. The General tab holds general options and certificate options, listed in the two tables that follow the template table. The Cache tab adjusts the behavior of the EFS certificate cache; for more information about caching in EFS, click the Learn more about EFS caching link on that tab.
Template and setting | Path and description | Default
---|---|---
GroupPolicy.admx: EFS recovery policy processing | Computer Configuration\Administrative Templates\System\Group Policy. Determines when encryption policies are updated. | Not configured
EncryptFilesonMove.admx: Do not automatically encrypt files moved to encrypted folders | Computer Configuration\Administrative Templates\System. Prevents Windows Explorer from encrypting files that are moved to an encrypted folder. | Not configured
OfflineFiles.admx: Encrypt the Offline Files cache | Computer Configuration\Administrative Templates\Network\Offline Files. Determines whether offline files are encrypted. | Not configured
Search.admx: Allow indexing of encrypted files | Computer Configuration\Administrative Templates\Windows Components\Search. Allows encrypted items to be indexed by Windows Search. | Not configured
On the General tab, the following general options are available:

Option | Notes | Default
---|---|---
File encryption using Encrypting File System (EFS) | If set to Don't allow, EFS cannot be used on this computer. If set to Allow or Not defined, EFS can be used on this computer. | Not defined
Encrypt the contents of the user's Documents folder | If enabled, the Documents folder of every user on this computer is automatically encrypted with EFS. | Disabled
Require a smart card for EFS | If enabled, software certificates cannot be used for EFS. | Disabled
Create caching-capable user key from smart card | If enabled, the first time a smart card is required for EFS during a user's session, a cached version of the required keys is made, as described earlier in this topic. If disabled, the smart card must be inserted whenever a file protected with a certificate on the smart card is encrypted or decrypted. | Enabled
Enable pagefile encryption | If enabled, the Windows memory paging file is encrypted with EFS. | Disabled
Display key backup notifications when user key is created or changed | If enabled, users are prompted to back up their EFS keys for recovery whenever a new key is created or a key is changed. | Domain-joined: Disabled. Workgroup or stand-alone: Enabled
In the certificates section of the General tab, the following options are available:

Option | Notes | Default
---|---|---
Allow EFS to generate self-signed certificates when a certification authority is not available | If disabled, users cannot use EFS except with certificates issued by a certification authority. | Enabled
Key size for self-signed certificates | You can select 1024, 2048, 4096, 8192 or 16384-bit keys. Longer keys increase security but might decrease performance. | 2048
EFS template for automatic certificate requests | The name of the certificate template used to request an EFS certificate from a certification authority. | Basic EFS
Note: All EFS templates in Windows Server 2008, both for user and recovery, as well as self-signed EFS certificates now specify a 2048-bit key length by default.
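An added PowerShell example, not from the original article, that audits the current user's EFS certificates against the policy settings in the tables above (minimum key length, self-signed certificates), checks the pagefile-encryption flag on the host, and migrates existing files to a fresh key with cipher.exe, the command-line counterpart of the rekeying wizard described earlier in this topic. The 2048-bit minimum, the prohibition of self-signed certificates and the decision to rekey with cipher /k are assumptions standing in for whatever your own GPO sets.

```powershell
# Added example (not from the article): check EFS certificates against policy
# and rekey. Thresholds below are assumed values, not read from the GPO.
$efsOid         = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$minKeyBits     = 2048                       # assumed policy minimum
$allowSelfSigned = $false                    # assumed "prohibit self-signed"

function Get-EfsCertificate {
    # Every certificate in the user's personal store that carries the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    }
}

$findings = @()
foreach ($cert in Get-EfsCertificate) {
    $bits       = $cert.PublicKey.Key.KeySize
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $problems   = @()
    if ($bits -lt $minKeyBits)                  { $problems += "key is $bits bits (< $minKeyBits)" }
    if ($selfSigned -and -not $allowSelfSigned) { $problems += 'self-signed' }
    if (-not $cert.HasPrivateKey)               { $problems += 'no private key (cannot decrypt)' }
    if ($cert.NotAfter -lt (Get-Date))          { $problems += 'expired' }
    $findings += New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; KeyBits = $bits
        SelfSigned = $selfSigned;       Problems = ($problems -join '; ')
    }
}
$findings | Format-Table Thumbprint, KeyBits, SelfSigned, Problems -AutoSize

# If any EFS certificate violates policy, create a new key and re-encrypt.
# cipher /k does what the rekeying wizard does non-interactively: it requests a
# CA certificate when a template is configured, otherwise a self-signed one of
# the configured size, and makes it the user's current EFS key.
if ($findings | Where-Object { $_.Problems }) {
    cipher.exe /k         # new EFS certificate/key, set as current
    cipher.exe /u /n      # dry run: list the encrypted files that would be updated
    cipher.exe /u         # update every encrypted file on local drives to the current key and DRA
}

# "Enable pagefile encryption" is an NTFS behavior flag; fsutil shows the
# effective value and is the authoritative check on the host.
fsutil.exe behavior query EncryptPagingFile
```

Run it as the user whose files are concerned, since EFS certificates live in that user's personal store. cipher /u walks every encrypted file on all local drives, so on a busy file server run the /n dry run first and schedule the real pass; the rekeying wizard performs the same migration interactively and lets the user choose which files to update.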
Do I need to change any existing code?
No change to existing code is required for EFS.
How should I prepare to deploy this feature?
Prior to enabling EFS, you should consider the following:

- Establish a designated recovery agent and a recovery process.
- Review the new EFS settings and determine which configurations are best for your specific security requirements.
Is this feature available in all editions of Windows Server 2008?
EFS is an integral part of the file system in all editions of Windows Server 2008, with no difference in functionality among editions. EFS is available on 32-bit and 64-bit platforms.
EFS is available in Windows Vista® Business, Windows Vista® Enterprise and Windows Vista® Ultimate, and can help significantly in protecting data stored on client computers, particularly portable ones.
To enable the offline file cache: