To back up private keys, disable EFS on users' PCs


Rahul Shah, Contributor
08.23.2006


The Encrypting File System (EFS) feature was introduced in Windows 2000 and is also available in Windows XP Professional. This data protection and data recovery feature is available without any special configuration because it is enabled by default.

Although this feature is easy to use, administrators have concerns with the use of EFS. These concerns are related to the ability to recover encrypted files and the protection of private keys used for encryption, which are associated with each user's account and the recovery agent's account. Because the private keys necessary for decryption are stored in the user's profile, if the profile gets deleted or corrupted, the user can no longer access their encrypted files.

Without using a custom solution, backing up and storing a user's private keys (without backing up the entire profile) can be a time-consuming process. Also, using nondefault recovery agents requires installation of the Certificate Authority feature, which also needs to be managed properly. To avoid these additional tasks, it is better to disable EFS on users' machines.

The EFS service works differently on Windows 2000 and Windows XP. To disable EFS on Windows 2000, do the following:

Disabling EFS on Windows XP requires a different procedure. XP offers greater flexibility in configuring the scope of EFS. If you want to disable EFS for a single file, you can simply assign the system attribute to that file. For example, to apply the system attribute to the info1.txt file, type the following at the command prompt:

attrib +s info1.txt

If instead you want to prevent EFS on the folder level, you can create a desktop.ini file in the folder. This file should contain the following two lines:
[Encryption]
Disable=1

This will affect the folder itself and all its files. However, it does not have any impact on its subfolders and their content.

If you prefer, you can disable EFS at the system level by editing the Registry. Set the following entry of DWORD type to the value 1:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
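To confirm that the folder-level and system-level settings above are actually in place, the following audit script can be run on a machine. It is an added example, not part of the original tip; the $Root default and the function names are hypothetical, and it assumes Windows PowerShell is installed on the machine being checked.

```powershell
# Added example: audit the EFS-disable settings described in this tip.
# $Root is a hypothetical folder to audit; pass your own path.
param([string]$Root = 'C:\Data')

$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Test-EfsDisabledSystemWide {
    # True only when the EfsConfiguration value exists and equals 1.
    $p = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
    return (($null -ne $p) -and ($p.EfsConfiguration -eq 1))
}

function Test-EfsDisabledInFolder([string]$Folder) {
    # True when <Folder>\desktop.ini has Disable=1 inside an [Encryption] section.
    $ini = Join-Path $Folder 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) { return $false }
    $section = ''
    foreach ($line in Get-Content -LiteralPath $ini -Force) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Encryption' -and $t -match '^Disable\s*=\s*1$') { return $true }
    }
    return $false
}

"System-wide EFS disabled: $(Test-EfsDisabledSystemWide)"

# The desktop.ini setting does not reach subfolders, so each folder is checked on its own.
$folders = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force | Where-Object { $_.PSIsContainer })
foreach ($d in $folders) {
    if (-not (Test-EfsDisabledInFolder $d.FullName)) {
        "No [Encryption] Disable=1 in: $($d.FullName)"
    }
}

# Changing these settings does not decrypt anything; list files that still
# carry the Encrypted attribute so they can be decrypted or have keys backed up.
Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object { "Encrypted file: $($_.FullName)" }
```

Any subfolder reported by the second check needs its own desktop.ini unless the system-wide Registry setting is in place.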

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.
