Showing posts with label Advanced Data Protection in Windows. Show all posts

Enhancing EFS

Once you have secured your files and assigned user access and recovery agents, you should take steps to aid in data recovery in the event that something happens to your user account. First, you should back up your encryption key and then your user certificate.

Backing Up Your EFS Key

1. Click the Start button and choose Run...
2. Type mmc and click OK.
3. On the File menu, choose Add/Remove Snap-in and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
5. On the Certificates snap-in dialog, select My user account and then click Finish.
6. Click Close and OK to finish installing the new snap-in.
7. In the left pane of the console window you will see a new heading has been created on the tree display. Click the plus sign next to Certificates - Current User to expand it.
8. Next expand Personal and then expand Certificates.
9. In the right pane, select the entry that says File Recovery in the Intended Use column.
10. Right-click the certificate you just found, point to All Tasks and then click Export to start the Certificate Export Wizard.
11. Click Next.
12. Select Yes, export the private key and click Next.
13. Select Personal Information Exchange - PKCS #12 (.PFX) and also select Enable strong protection, and then click Next to continue.
14. Specify a password. (Note: this is the password that will be required to reinstall your backup. Make sure to pick a strong password that you will remember. I recommend choosing a password that is different from your Windows login password.)
15. Specify a filename and location to save the exported key. I recommend using your Windows user name for the filename and saving it to a removable storage device such as a floppy disk or USB thumb drive. You may also burn the file to a CD.
16. Verify the settings and then click Finish.
17. In the future you will not have to add the Certificates snap-in. Instead you will be able to start at step 7.

Backing Up Your EFS Certificate

1. Start Microsoft Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Content tab, in the Certificates section, click Certificates.
4. Click the Personal tab.
5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
6. Click Export to start the Certificate Export Wizard, and then click Next.
7. Click Yes, export the private key to export the private key, and then click Next.
8. Click Enable Strong protection, and then click Next.
9. Type your password. (I recommend not using your Windows password.)
10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
11. Specify the destination, and then click Next.

Windows 2003 users have the option to back up using a button on the Details page under Advanced Properties when encrypting a file.

Remember to store your encryption key and certificate in a safe place, preferably on removable media.
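
Both backup procedures above can also be scripted and then checked. The following is an added example, not part of the original article: it exports every certificate in the current user's Personal store whose intended use is Encrypting File System or File Recovery, then re-opens each .pfx to confirm it really holds the private key. It assumes a Windows version that ships the PKI PowerShell module (Windows 8 / Server 2012 or later); `$BackupDir` and the file naming are hypothetical.

```powershell
# Added example, not from the original article. Requires the PKI module
# (Windows 8 / Server 2012 or later). $BackupDir is a hypothetical path.
param([string]$BackupDir = 'E:\efs-backup')

# EKU OIDs behind the two "Intended Use" values the article looks for
$efsOids = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'EncryptingFileSystem'
    '1.3.6.1.4.1.311.10.3.4.1' = 'FileRecovery'
}

function Get-EfsPurpose {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($efsOids.ContainsKey($oid.Value)) { return $efsOids[$oid.Value] }
            }
        }
    }
}

$password = Read-Host -AsSecureString 'Password for the exported .pfx files'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $purpose = Get-EfsPurpose $cert
    if (-not $purpose) { continue }              # not an EFS-related certificate
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint) ($purpose): no private key in this profile, nothing to back up"
        continue
    }
    $pfx = Join-Path $BackupDir "$env:USERNAME-$purpose-$($cert.Thumbprint).pfx"
    try {
        # Fails if the key was created as non-exportable
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop | Out-Null
        # Re-open the file with the password to prove the backup is usable
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $password)
        $ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
        $check.Reset()                           # release the temporarily loaded key
        "{0,-22} {1}  verified={2}  {3}" -f $purpose, $cert.Thumbprint, $ok, $pfx
    }
    catch {
        Write-Warning "$($cert.Thumbprint) ($purpose): export failed: $($_.Exception.Message)"
        continue
    }
}
```

A line ending in `verified=False`, or a warning in place of a line, means that certificate has no usable backup yet.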

Finally, you may wish to step up the protection that EFS offers by using the stronger 3DES algorithm. Don't worry about enabling this after encrypting other files. You will still be able to access files that were encrypted with the default DESX algorithm.

Enabling Advanced Encryption By Using 3DES

1. Click the Start button and choose Run...
2. Type gpedit.msc and click OK to start the Group Policy Editor.
3. In the left pane navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
4. Open the System Cryptography: Use FIPS compliant algorithms for encryption object. (Note that this setting applies to EFS and IPSec.)
5. Select enabled and click OK.

Despite its own shortcomings, Encrypted File System still provides a fairly high level of data security. In the digital age, you can't be too safe. It's always a good idea to take advantage of the file protection features that Windows provides. In the event that your system is compromised or stolen, you can have the peace of mind of knowing that your data will be returned intact and unadulterated.

In a future article we will examine the new data protection features being offered in Microsoft Vista. As you will see, Microsoft's dedication to data security is paramount in its latest release.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.


Implementing EFS

The first step in implementing Encrypted File System is to encrypt the files you would like to protect. This is done very easily and Microsoft has integrated the feature into the Windows shell.

Encrypting a File or Folder with EFS

1. Browse to a file or folder in either My Computer or Explorer, right-click and choose Properties...
2. Click the Advanced... button.
3. Put a check mark in the box that says Encrypt contents to secure data and click OK.
4. Click OK to close the Properties dialog.
5. If you are changing a folder that already contains files, you will receive a confirmation dialog. Click OK.

You can easily distinguish between encrypted and unencrypted files in My Computer or Windows Explorer. Encrypted files will be listed in green. This allows you to tell at a glance whether or not your files are still secure. It's also worth noting that encryption can be added in conjunction with other file attributes.

Next, you need to determine if any other users should be allowed access. If so, they need to be added.

Allowing Multiple User Access to Protected Files

1. Right-click the file and choose Properties...
2. Click Advanced and then click Details.
3. Click the Add button to allow additional users.

While setting up additional users, you should also take the time to select your Data Recovery Agents. This will help prevent data loss as I described earlier in this article.

The Encryption Details dialog box is not available for folder objects. You must allow multiple users and select recovery agents on a file-by-file basis.

How EFS works

By default, EFS uses DESX (56-bit) in Windows 2000 and DESX (128-bit) in Windows XP. Windows XP SP1 and higher use AES (256-bit) by default. Optionally, 3DES (168-bit) may be used in Windows XP and Windows 2003 (and in Windows 2000 with the High Encryption Pack).

All of these algorithms make use of a random cipher key, so they provide fairly strong encryption. The Average Joe is not going to crack this thing in any reasonable amount of time. Also note that 3DES complies with Federal Information Processing Standards (FIPS 140-1 Level 1) and is significantly stronger than the default DESX encryption. You have to enable the use of 3DES. I'll show you that later in this article as well.

Keep in mind that EFS works off of your Windows account credentials. The stronger your Windows password, the more secure your encryption is going to be.

Even with its higher level of protection, EFS is not without limitations. If your logon credentials ever become compromised, EFS can be rendered fairly useless. EFS also works with a file's ACL provided by NTFS. Since EFS is dependent upon the file system, copying an EFS protected file to a non-NTFS volume will effectively remove its security as well.

Even copying a file across NTFS volumes in Windows will remove its protection. So EFS alone is not enough. To properly secure your data, you must also set up the proper access control policies.
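
Since an encrypted file can lose its protection when it is copied or moved, it is worth checking a folder tree after the fact instead of relying on the green listing in Explorer. The following is an added example, not part of the original article: it reports the volume's file system and lists every file that does not carry the Encrypted attribute. `$Root` is a hypothetical folder, and a path on a local drive letter is assumed.

```powershell
# Added example, not from the original article. $Root is a hypothetical folder
# on a local drive letter (DriveInfo does not accept UNC paths).
param([string]$Root = 'D:\Protected')

function Test-EfsCoverage {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $drive = New-Object System.IO.DriveInfo -ArgumentList ([System.IO.Path]::GetPathRoot($full))
    if ($drive.DriveFormat -ne 'NTFS') {
        # The article's EFS guidance assumes an NTFS volume
        Write-Warning "Volume $($drive.Name) is formatted $($drive.DriveFormat), not NTFS."
    }

    # -Force includes hidden and system files; unreadable folders are skipped
    Get-ChildItem -LiteralPath $full -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                # Same attribute Explorer uses to colour encrypted files green
                Encrypted = $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
            }
        }
}

$report = @(Test-EfsCoverage -Path $Root)
$plain  = @($report | Where-Object { -not $_.Encrypted })

"{0} files checked, {1} not encrypted" -f $report.Count, $plain.Count
$plain | Select-Object -ExpandProperty Path
```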

In the event that you lose your EFS key backup or the encrypting account becomes corrupted, you can assign another user to act as a Data Recovery Agent. This is required in Windows 2000 and it defaults to the Domain Administrator in a domain environment. Selecting a DRA is optional in Windows XP.

Advanced Data Protection in Windows

In my last article I gave an introduction to basic data protection methods available in Windows. The methods I outlined provide a moderate level of protection that, due to their inherent shortcomings, may not be enough. For those who require a higher level of security, Windows provides two more methods of protecting your data.

Both of the advanced methods I'll be describing utilize encryption. In layman's terms, encrypting a file scrambles its contents and rewrites it to the drive. It can only be unscrambled if the proper credentials are provided.

The effectiveness of file encryption is dependent upon the algorithm being used and the strength of the encryption key that is provided. However, without the necessary encryption key, a file is effectively unreadable. Since this method of protection does not rely on the operating system, it provides a much more secure form of data protection.

The method I'll be covering in this article is an NTFS feature known as Encrypted File System. This encryption method is built into the file system and is available to any operating system that supports NTFS. By default, this is Windows 2000 and newer.

In Windows 2000 and Windows XP, EFS is only available in the Professional editions. This is because the home versions use a different NTFS driver that lacks support for EFS. Newer versions of Windows support EFS in all versions.

Encrypted File System in Windows relies on your user information to create the encryption key. It creates a sort of password hash based on your account SID. This is important to remember, because if you change accounts you will no longer have access to your files. I'll describe how to back up your key later in this article in case something goes awry.

In Windows, EFS must be enabled on a file-by-file basis. (Encrypting a folder actually applies EFS to each of the child files.) In its original design, you were only able to encrypt files under your own user directory. Now, however, you can encrypt any file based on your account credentials.