Disable EFS

This excerpt from Chapter 1 of Roberta Bragg's "Hardening Windows systems" explains why you should disable EFS if you don't have a policy in place to manage it.

Hardening Windows Systems Get a glimpse inside Roberta Bragg's new book "Hardening Windows systems" with this series of book excerpts. This excerpt from Chapter 1, "An immediate call to action," explains why you should disable EFS if you don't have a policy in place to manage it. Click for the complete book excerpt series or purchase the book.


Disable EFS

Unless you have implemented a policy for the management of EFS that includes recovery procedures and key backup, disable EFS. EFS is enabled by default, but not turned on. Accordingly, it is easy for users to use the service to encrypt files without understanding how to protect themselves from data loss. EFS can be disabled in Group Policy. The local group policy, created by using the group policy snap-in and selecting the local computer, can be used to disable EFS on a single computer, while a domainbased Group Policy can be used to disable EFS for an entire domain.

    To disable EFS:
    1. Open the default domain GPO.
    2. For a Windows Server 2003 domain:
      a. Right-click the Public Key Policies, Encryption File System policy.
      b. Right-click the Encrypting Files System folder and select Properties.
      c. Select to uncheck the Allow Users to Encrypt Files Using Encrypting File System (EFS).

    3. For a Windows 2000 domain:
      a. Right-click the Public Key Policies, Encrypted Data Recovery node.
      b. In the details pane, right-click the certificate designated for File Recovery and select Delete.
      c. Right-click the Encrypting Data Recovery Agents folder and select Delete Policy.

More information on how best to manage EFS is included in Chapter 10.

Click for the next excerpt in this series: Ban wireless networks that don't meet tough security policy requirements.


Click for book details or purchase the book.
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close