Where Does EFS Fit into your Security Plan?

By Deb Shinder with permission from WindowSecurity.com


The ability to encrypt data – both data in transit (using IPSec) and data stored on the disk (using the Encrypting File System) – without a need for third-party software is one of the biggest advantages of Windows 2000 and XP/2003 over earlier Microsoft operating systems. Unfortunately, many Windows users don’t take advantage of these new security features or, if they do use them, don’t fully understand what they do, how they work, and what the best practices are to make the most of them.


I discussed the use of IPSec in a previous article; in this article, I want to talk about EFS: its use, its vulnerabilities, and how it can fit into your overall network security plan.

The Purpose of EFS

Microsoft designed EFS as a public-key-based technology that acts as a sort of “last line of defense” to protect your stored data from intruders.

If a clever hacker gets past other security measures, making it through your firewall (or gaining physical access to the computer) and defeating access permissions to gain administrative privileges, EFS can still prevent him/her from reading the data in the encrypted document. This is true unless the intruder is able to log on as the user who encrypted the document (or, in Windows XP/2000, another user with whom that user has shared access).

There are other means of encrypting data on the disk. Many software vendors make data encryption products that can be used with various versions of Windows. These include ScramDisk, SafeDisk and PGPDisk. Some of these use partition-level encryption or create a virtual encrypted drive, whereby all data stored in that partition or on that virtual drive will be encrypted. Others use file-level encryption, allowing you to encrypt your data on a file-by-file basis regardless of where the files reside. Some of these methods use a password to protect the data; that password is entered when you encrypt the file and must be entered again to decrypt it. EFS, by contrast, uses digital certificates that are bound to a specific user account to determine when a file can be decrypted.

Microsoft designed EFS to be user-friendly, and it is indeed practically transparent to the user. Encrypting a file – or an entire folder – is as easy as checking a checkbox in the file or folder’s Advanced Properties settings.

Note that EFS encryption is only available for files and folders that are on NTFS-formatted drives. If the drive is formatted in FAT or FAT32, there will be no Advanced button on the Properties sheet. Also note that even though the options to compress or encrypt a file/folder are presented in the interface as checkboxes, they actually work like option buttons instead; that is, if you check one, the other is automatically unchecked.

A file or folder cannot be encrypted and compressed at the same time.

Once the file or folder is encrypted, the only visible difference is that encrypted files/folders will show up in Explorer in a different color, if the checkbox to Show encrypted or compressed NTFS files in color is selected in the Folder Options (configured via Tools | Folder Options | View tab in Windows Explorer).

The user who encrypted the document never has to worry about decrypting it to access it. When he/she opens it, it is automatically and transparently decrypted – so long as the user is logged on with the same user account as when it was encrypted.

If someone else tries to access it, however, the document will not open and a message will inform the user that access is denied.
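Because encryption is set per file or folder, shows up only as a color in Explorer, and is unavailable off NTFS, it is easy to assume data is protected when it is not. The following PowerShell sketch is an added example, not part of the original article: it reports which items under a folder carry the Encrypted attribute, which are compressed instead, and which are plain. The function name `Get-EfsCoverage` and the sample path are hypothetical, and the script assumes a local drive-letter path.

```powershell
# Added example: report EFS coverage for everything under a folder.
# Get-EfsCoverage and the path used below are hypothetical names.
function Get-EfsCoverage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $root      = (Resolve-Path -LiteralPath $Path).ProviderPath
    $driveRoot = [System.IO.Path]::GetPathRoot($root)      # e.g. C:\
    $volume    = New-Object System.IO.DriveInfo -ArgumentList $driveRoot

    # EFS needs NTFS; on FAT/FAT32 nothing under this path can be encrypted.
    if ($volume.DriveFormat -ne 'NTFS') {
        Write-Warning "$driveRoot is $($volume.DriveFormat); EFS is not available on this volume."
        return
    }

    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Encrypted and Compressed are mutually exclusive NTFS attributes.
            $isEncrypted  = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
            $isCompressed = [bool]($_.Attributes -band [System.IO.FileAttributes]::Compressed)

            $state = 'Plain'
            if ($isEncrypted)      { $state = 'Encrypted' }
            elseif ($isCompressed) { $state = 'Compressed' }

            $kind = 'File'
            if ($_.PSIsContainer) { $kind = 'Folder' }

            [pscustomobject]@{
                State = $state
                Kind  = $kind
                Path  = $_.FullName
            }
        }
}

# List everything in a sensitive folder that is NOT protected by EFS.
Get-EfsCoverage -Path 'C:\Data\Finance' |
    Where-Object { $_.State -ne 'Encrypted' } |
    Sort-Object State, Path |
    Format-Table -AutoSize
```

Compressed items are worth reviewing separately, since they cannot be encrypted until compression is turned off.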

What’s Going on under the Hood?

Although EFS seems amazingly simple to the user, there’s a lot going on under the hood to make this all happen. Both symmetric (secret key) and asymmetric (public key) encryption are used in combination, to take advantage of the benefits of each while offsetting its disadvantages.

When a user initially uses EFS to encrypt a file, the user account is assigned a key pair (public key and corresponding private key), either generated by the certificate services – if there is a CA installed on the network – or self-signed by EFS. The public key is used for encryption and the private key is used for decryption...
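The combination of symmetric and asymmetric encryption described above can be illustrated with the .NET cryptography classes. This is an added example, not code from the article and not EFS's actual implementation or on-disk format; it goes slightly beyond the text by showing the usual hybrid arrangement, in which a random per-file symmetric key encrypts the data and the user's public key encrypts that key. AES and RSA are stand-ins chosen for the illustration, and all variable and function names are hypothetical.

```powershell
# Added illustration of hybrid encryption; not EFS's real code or file format.
$plaintext = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample document contents')

# Asymmetric part: key pairs standing in for two user accounts.
$alice = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$bob   = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

# Only the public half is needed to encrypt, so import just that.
$alicePublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$alicePublic.ImportParameters($alice.ExportParameters($false))

# Symmetric part: a fresh random key and IV for this one file (fast bulk encryption).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.GenerateKey()
$aes.GenerateIV()
$cipherText = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# Wrap the small file key with the public key ($true selects OAEP padding).
$wrappedKey = $alicePublic.Encrypt($aes.Key, $true)

function Open-SampleFile {
    param(
        [System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair,
        [byte[]]$WrappedKey, [byte[]]$IV, [byte[]]$CipherText
    )
    # The private key recovers the file key; the file key recovers the data.
    $fileKey = $KeyPair.Decrypt($WrappedKey, $true)
    $a = [System.Security.Cryptography.Aes]::Create()
    $a.Key = $fileKey
    $a.IV  = $IV
    $bytes = $a.CreateDecryptor().TransformFinalBlock($CipherText, 0, $CipherText.Length)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# The owner's private key opens the file transparently.
Open-SampleFile -KeyPair $alice -WrappedKey $wrappedKey -IV $aes.IV -CipherText $cipherText

# A different account's key pair cannot unwrap the file key.
try {
    Open-SampleFile -KeyPair $bob -WrappedKey $wrappedKey -IV $aes.IV -CipherText $cipherText
} catch {
    Write-Output "Second key pair failed to unwrap the file key: $($_.Exception.GetType().Name)"
}
```

The same structure explains why protecting the private key matters: anyone who can use it can unwrap the file key and read the data.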
