Get a glimpse inside Roberta Bragg's new book "Hardening Windows systems" with this series of book excerpts. This...
excerpt from Chapter 1, "An immediate call to action," explains why you should disable EFS if you don't have a policy in place to manage it. Click for the complete book excerpt series or purchase the book.
Unless you have implemented a policy for the management of EFS that includes recovery procedures and key backup, disable EFS. EFS is enabled by default, but not turned on. Accordingly, it is easy for users to use the service to encrypt files without understanding how to protect themselves from data loss. EFS can be disabled in Group Policy. The local group policy, created by using the group policy snap-in and selecting the local computer, can be used to disable EFS on a single computer, while a domainbased Group Policy can be used to disable EFS for an entire domain.
To disable EFS:
1. Open the default domain GPO.
2. For a Windows Server 2003 domain:
a. Right-click the Public Key Policies, Encryption File System policy.
b. Right-click the Encrypting Files System folder and select Properties.
c. Select to uncheck the Allow Users to Encrypt Files Using Encrypting File System (EFS).
3. For a Windows 2000 domain:
a. Right-click the Public Key Policies, Encrypted Data Recovery node.
b. In the details pane, right-click the certificate designated for File Recovery and select Delete.
c. Right-click the Encrypting Data Recovery Agents folder and select Delete Policy.
More information on how best to manage EFS is included in Chapter 10.
Click for the next excerpt in this series: Ban wireless networks that don't meet tough security policy requirements.
Click for book details or purchase the book.