The official blog for Windows Server Essentials and Small Business Server support and product group communications.
EPS Team Blogs
[Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]
Every day, your users work with information that is valuable to your business. However, this same information—including your customer databases, product price lists, and financial information—is constantly at risk of discovery. You see the reports in the papers nearly every day: laptops are stolen, removable hard drives are sent to the wrong recipient. Savvy businesses realize they need help to secure their business information and protect it from inadvertent or deliberate disclosure.
That’s why Microsoft created Encrypting File System (EFS), a powerful tool for encrypting files and folders on servers and client computers. EFS helps secure confidential information that should not be disclosed without authorization, information that resides on remote servers or on portable computers such as laptops or netbooks, or confidential information on computers that are shared by multiple workers at a business. With EFS, you can protect your business’s information in case someone gains physical possession of the computer that the files reside on. Even people who are authorized to access the computer and its file system can’t view the data that they shouldn’t. Files are encrypted when you close them, but are automatically ready to use when you open them. If you change your mind about encrypting a file, clear the check box in the file's properties.
EFS is an integral part of the file system and is transparent to your users and applications; you don’t need to install any special software to work with encrypted files. It’s available on Windows Small Business Server (Windows SBS) 2008 and the Windows 7 Professional, Enterprise, and Ultimate operating systems, including both 32-bit and 64-bit platforms.
EFS helps secure the information that is contained in your folders and files by creating a unique key that uses a combination of the server’s credentials and the user’s credentials. When you first apply EFS to a folder, any files that are created in that folder or moved into that folder are encrypted, and only you and the recovery agent are given access to encrypt or decrypt the file. You can give any other user access to individual files in this folder. However, users can only be added to the access list individually; it is not possible to grant an entire group access to a file. Also, although you can give users access to individual files, it is not possible to give users access to an entire folder.
After a folder is marked for encryption, it isn't necessary to manually mark the files in it for encryption. But when you move a file out of the encrypted folder, the file may be decrypted, depending on whether you move the file into an NTFS volume. The best practice is to keep a file in its encrypted folder until the file is no longer needed.
If a person or program doesn’t possess the correct key to read the encrypted file or folder, an “Access Denied” message appears. EFS is an excellent file encryption system—there is no "back door”—however, anybody who can obtain the user ID and password can log on as that user and decrypt that user's files.
Because EFS is so secure, it’s critical to enforce a strong password policy. It’s also a best practice to archive and back up the recovery keys for your domain and keep them in a safe place to ensure recovery should the keys become damaged or lost. If you don’t take these precautions, you can permanently lose the information in encrypted files and folders. We will cover recovery keys in the next section of this post.
When encrypting removable media, it is important to keep in mind that the encrypted files will only be accessible on computers that have certificates for users who are listed as having access to the file (or the recovery agent key). This means that if you are working on an encrypted file at work, and you bring it home to finish up on your home computer, you will only be able to access this file if your home computer has your user certificate.
Similarly, you should take great care when you enable EFS on a SharePoint site. Any user who has access to a SharePoint site can encrypt any file on that site. However, once that file is encrypted, only users listed as having access to that file (or the recovery agent) will be able to access it.
For more information on EFS Best Practices, read this TechNet article*: http://support.microsoft.com/kb/223316/en-us.
As previously mentioned, it is essential to back up your user certificates and recovery key before you use EFS to encrypt anything on your computer or the server. Once you have backed up these certificates, you can encrypt folders and files either directly or using group policy
The first step in backing up user certificates and recovery keys is to create a domain-based data recovery agent. By default, the local administrator is set as the recovery key. This means that if the machine is lost or stolen, the domain administrator will not be able to access encrypted files. Instead, it is best to set the domain administrator as the recovery agent.
To create a domain-based recovery agent:
To add additional recovery agents, right-click the Encrypting File System node, and then click Add Data Recovery Agent. This will open the Add Recovery Agent Wizard.
Once you have set the domain recovery agent, you should back up the certificate. To export the domain EFS recovery agent's private key:
Now that you have set the domain recovery agent and backed up the certificate, you can begin to use EFS to help protect files and folders from unauthorized access. The following sections provide instructions on enabling EFS by selecting specific folders and files and by using group policy.
In Windows SBS 2008, there are two ways you can use EFS to help protect business information. The first is the easier one to implement: select the specific folders or files on your server that you want to encrypt. These steps are also the same for encrypting folders or files in Windows 7 Professional. Follow these steps to select specific folders or files:
This method helps secure your information in cases where unauthorized users attempt to access the files from within your business, or for when the server or its hard drives are removed from your business.
To allow a user to encrypt or decrypt a file:
Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.
The second way to encrypt folders and files is to create a group policy for computers in your business so that specific files and folders on those computers use EFS. The most useful group policies enforce encryption of the user’s Documents folder and encrypt offline files. They give remote users or users with laptops the ability to work with information while on the road, but they keep the information secure should the laptop or hard drive fall into unfriendly hands.
You should be aware, however, that using Folder Redirection group policy, which redirects specific user folders to server locations, can result in those files being encrypted multiple times. This is unnecessary and can adversely affect file server performance.
Follow these steps to create an EFS group policy:
The next time the user uses the computer, the new settings will be applied. To verify that the policy has been correctly applied:
Note: It can take a few minutes for these settings to propagate. Also, the user’s machine may need to be restarted.
As we’ve discussed, encrypted data is readable only to users who possesses the required private key to unlock the data and to the recovery agent. It is important for you to realize that if the user's private key is lost or damaged, the encrypted data becomes unusable unless there is a means to restore the plaintext or the private key to the user. Your organizations can lose access to valuable encrypted information unless there is a means for someone else besides the user to recover the encrypted information.
In order for you to successfully retrieve that user’s data, the EFS user must have a valid EFS user certificate, and at least one EFS recovery agent account must have a valid EFS recovery certificate. Thus, when you deploy EFS or secure mail, you should implement a recovery program and policies to ensure that users' encrypted data can be recovered.
When Group Policy is downloaded to computers, the Encrypted Data Recovery Agent Group Policy settings contain the certificates for each designated recovery agent account within the scope of the policy. EFS uses the information in the current Encrypted Data Recovery Agent Group Policy settings to create and update DRFs. A recovery agent certificate contains the public key and information that uniquely identifies the recovery agent account.
To retrieve an encrypted file or folder:
After you import the certificate, you should have access to decrypt the encrypted files: right-click the file, click Properties > Advanced, and then uncheck Encrypt contents to secure data. This will decrypt the file.
Using EFS is especially important for those of us who use devices such as laptops and external hard drives away from the office. Encrypting the Documents folder helps ensure that the information is kept from prying eyes and, when used with the redirected folders policy in Windows SBS 2008, also helps ensure that the information is maintained and backed up on the server. When used together, these methods create a centrally-managed business policy that helps add security to your business information. It is important to properly back up recovery keys so that you can access a users’ files if disaster strikes.
For more information on the Encrypting File System, read this TechNet article: http://technet.microsoft.com/en-us/library/cc700811.aspx.
*Written originally for Windows XP but still valid for current EFS implementations
such a harsh and unfriendly process maybe make a wizard?