The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Designing a strategy for the encryption and decryption of files and folders
Windows Server 2003 has a built-in encryption mechanism called Encrypting File System (EFS). It can be used on any volume formatted with NTFS (not on FAT or FAT32). EFS uses public and private key cryptography, so every user who encrypts needs an EFS certificate and key pair. If no certificate authority is reachable, EFS issues the user a self-signed certificate the first time he or she encrypts a file; in a domain, however, you should issue EFS certificates from an enterprise certificate server that is set to autoenroll them, as discussed in Chapter 2, "Creating the logical design for network infrastructure security," so that keys are centrally managed and recovery can be planned rather than improvised.
NOTE: EFS should always be thoroughly tested in a lab or small group before deploying it to a production environment.
A user can encrypt files and folders simply by changing the attribute of the file or folder in the Advanced section of the General tab of its properties, as shown in Figure 6.4. Behind the scenes, EFS generates a random symmetric key for the file, the file encryption key (FEK), and encrypts the data with it (by default AES-256 on Windows Server 2003 and Windows XP SP1 or later; DESX on Windows 2000). The FEK is then encrypted with the user's public key and stored in the file's Data Decryption Field (DDF), and encrypted again with the public key of each designated recovery agent and stored in the Data Recovery Field (DRF). Only the user's private key or a recovery agent's private key can recover the FEK, which in turn decrypts the file. Typically the designated recovery agent is a domain administrator. In Windows 2000, the original Administrator account (the domain Administrator in a domain, the local Administrator on a stand-alone computer) was the recovery agent by default, and EFS refused to encrypt anything unless a recovery agent existed. Windows XP and Windows Server 2003 change both behaviours: a stand-alone computer has no default recovery agent, and files can be encrypted even when no recovery agent is defined at all, so recovery agents must be designated deliberately. You set them in Group Policy, under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System.
ALERT: Unlike Windows 2000, Windows XP and Windows Server 2003 do not require a recovery agent before a user can encrypt files, and a stand-alone computer gets no default agent. Designate recovery agents explicitly through Group Policy, and verify that the policy actually reaches every computer on which EFS is used; files encrypted before the policy applied carry no DRF entry for the agent.
Figure 6.4: A user can set the encryption attribute on a file or folder.
As you can see, this system is fairly involved from an administrative standpoint but is transparent to the user. You should consider using EFS on any removable drives or portable computers. It is the only defense that remains in place if you lose physical control of a hard drive: NTFS permissions are enforced only by a running copy of Windows, so without EFS an attacker can simply take administrative control of the computer, or mount the disk in another one, and read everything on it.
With Windows Server 2003 and Windows XP, a user who can decrypt a file can add other users' EFS certificates to it (the Details button in the Advanced Attributes dialog) and so give them access too; this works for individual files only, not for folders. Encrypted files can also be kept on a remote file server, which must be trusted for delegation in Active Directory and which encrypts and decrypts the file itself, using a copy of the user's key held in a profile on the server. You need to keep in mind that the data therefore travels between server and client in the clear over SMB. To keep it encrypted during transmission, use Internet Protocol Security (IPSec), as discussed in Chapter 4, "Creating the physical design for network infrastructure security," or publish the folder through WebDAV, in which case the file is transferred in its encrypted form and decrypted on the client.
If the user's private key is lost or corrupted (the profile is deleted, the operating system is reinstalled, or a local account's password is reset by an administrator instead of being changed by the user, which destroys the key material protected by the old password) and the file no longer decrypts, the recovery agent can decrypt it and return the information to the user. Decryption always happens on a computer that holds the decrypting private key, so you either copy the encrypted file to the recovery agent's computer (over an IPSec-protected or otherwise encrypted channel) or import the recovery agent's key, from a .pfx file, onto the computer where the file exists, decrypt there, and delete the imported key afterwards. Best practice is to export the recovery agent's private key (from the Certificates MMC snap-in, or keep the .pfx that cipher /r:filename produces when you create the recovery certificate and key pair) to removable media, remove the private key from every computer, and store the media in a secure location. That way an attacker cannot reach the recovery key over the network or by stealing a machine, and check periodically that the recovery certificate has not expired and that the .pfx still imports, because a recovery agent you cannot use is no recovery agent.
TIP: An attacker could take administrative control over a lost or stolen laptop simply by reinstalling the operating system, or by booting another operating system and resetting the Administrator password, and would then have access to every file and folder on which no encryption has been used. EFS prevents the attacker from viewing encrypted files and folders even with administrative control, because the user's private key is itself protected by a key derived from the user's logon password. Two caveats follow: the protection is only as strong as that password (an attacker who guesses or cracks it can log on as the user and read everything), and it is void if a recovery agent's private key has been left on the laptop.
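The key arrangement described above, with the per-file FEK wrapped for the owner in the DDF and for each recovery agent in the DRF, a second user added to a file, recovery after the owner's key is lost, and an administrator who holds no entry getting nothing, is modelled below in Python. This is an added illustration, not part of the original chapter and not Windows code: it assumes unpadded textbook RSA in place of the RSA certificate that EFS uses through CryptoAPI, an HMAC-SHA256 keystream in place of AES-256 (the standard library has no AES), and invented names (alice, bob, DRA, mallory) for the walkthrough.

```python
"""Toy model of the EFS key architecture (added illustration, not Windows code):
a random file encryption key (FEK) per file, wrapped for each user in the Data
Decryption Field (DDF) and for each recovery agent in the Data Recovery Field
(DRF).  Unpadded textbook RSA stands in for the RSA certificate EFS really
uses, and an HMAC-SHA256 keystream stands in for AES-256 (no AES in stdlib)."""
import hashlib
import hmac
import os
import random

def _is_probable_prime(n):
    """Fermat test on a few bases; adequate for a toy key pair, not for real keys."""
    return n > 13 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand):
            return cand

def gen_rsa(bits=512):
    """Return ((e, n), (d, n)); models the key pair in a user's EFS certificate."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def _wrap(fek, pub):
    return pow(int.from_bytes(fek, "big"), pub[0], pub[1])

def _unwrap(wrapped, priv):
    m = pow(wrapped, priv[0], priv[1])
    if m >= 1 << 256:                     # wrong or corrupt key: not a 32-byte FEK
        raise ValueError("private key does not unwrap this FEK")
    return m.to_bytes(32, "big")

def _xor_stream(fek, nonce, data):
    """Symmetric stand-in for AES: XOR with HMAC-SHA256(FEK, nonce || counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(fek, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class EncryptedFile:
    def __init__(self, ciphertext, nonce):
        self.ciphertext, self.nonce = ciphertext, nonce
        self.ddf = {}   # user name -> FEK wrapped with that user's public key
        self.drf = {}   # recovery agent name -> FEK wrapped with the agent's public key

def efs_encrypt(plaintext, user, user_pub, recovery_agents):
    """Fresh FEK per file, wrapped for the owner (DDF) and for every agent in the
    recovery policy (DRF).  recovery_agents may be empty, as XP/2003 allow."""
    fek, nonce = os.urandom(32), os.urandom(16)
    ef = EncryptedFile(_xor_stream(fek, nonce, plaintext), nonce)
    ef.ddf[user] = _wrap(fek, user_pub)
    for agent, pub in recovery_agents.items():
        ef.drf[agent] = _wrap(fek, pub)
    return ef

def _recover_fek(ef, name, priv):
    """Unwrap the FEK from the caller's DDF or DRF entry.  An administrator with
    no entry gets nothing: owning the disk does not yield the key."""
    wrapped = ef.ddf.get(name, ef.drf.get(name))
    if wrapped is None:
        raise PermissionError(f"{name} holds no key for this file")
    return _unwrap(wrapped, priv)

def efs_decrypt(ef, name, priv):
    return _xor_stream(_recover_fek(ef, name, priv), ef.nonce, ef.ciphertext)

def efs_add_user(ef, caller, caller_priv, new_user, new_pub):
    """XP/2003 file sharing: only someone who can already decrypt the file can
    add another user's certificate (a new DDF entry).  Per file, not per folder."""
    ef.ddf[new_user] = _wrap(_recover_fek(ef, caller, caller_priv), new_pub)

def demo():
    """Walk through the scenarios in the text; the names are invented."""
    alice_pub, alice_priv = gen_rsa()
    bob_pub, bob_priv = gen_rsa()
    dra_pub, dra_priv = gen_rsa()          # e.g. the pair created by cipher /r
    _, mallory_priv = gen_rsa()            # attacker who made himself Administrator
    _, corrupt_priv = gen_rsa()            # what alice holds after profile corruption
    secret = b"quarterly numbers, do not leak"
    f = efs_encrypt(secret, "alice", alice_pub, {"DRA": dra_pub})
    results = {"owner": efs_decrypt(f, "alice", alice_priv) == secret}
    efs_add_user(f, "alice", alice_priv, "bob", bob_pub)
    results["shared"] = efs_decrypt(f, "bob", bob_priv) == secret
    for label, who, key in (("admin_without_key", "mallory", mallory_priv),
                            ("corrupt_key", "alice", corrupt_priv)):
        try:
            efs_decrypt(f, who, key)
            results[label] = "read"
        except (PermissionError, ValueError):
            results[label] = "denied"
    results["recovery"] = efs_decrypt(f, "DRA", dra_priv) == secret   # via the DRF
    return results
```

Running demo() shows the owner and the user she shared with reading the file, the self-made administrator and the corrupted key both being refused, and the recovery agent still succeeding; calling efs_encrypt with an empty recovery_agents dictionary reproduces the XP/2003 case of a file that nobody but its owner can ever recover.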
Microsoft recommends encrypting a folder, such as the My Documents folder, and then storing the files that you want encrypted in that folder. When you set the attribute on a folder that already has contents, Windows asks whether to apply the change to this folder only or to the folder, its subfolders and its files; choose the latter if the existing contents should be encrypted too. Any file created in or copied into an encrypted folder is encrypted automatically, and so is a file moved into it with Windows Explorer, whether from the same volume or from a different one. Moves made by other means within the same volume (the move command, or an application that renames a temporary file into place) are plain renames and can leave the file with its old, unencrypted attributes, so check the result (the Encrypted attribute, or run cipher with no arguments from a command prompt in the folder, which lists the encryption state of every file there) rather than assuming it. Should you decrypt an individual file inside an encrypted folder, that file stays decrypted until you explicitly encrypt it again; the folder's attribute does not reapply itself. To avoid this confusion, simply encrypt the parent folder and then move the files and folders that you want to encrypt into it.
This was first published in October 2004