The Encrypting File System (EFS) in Windows XP and Windows 2003 includes several features that were not included in the Windows 2000 EFS. In this tip, we'll look at the major differences between the Windows 2000 EFS implementation (let's call it "the older EFS") and the Windows XP/2003 implementation ("the newer EFS"). We'll focus on the way in which Microsoft implements the newer EFS, as well as various EFS issues such as resetting users' forgotten passwords and RAS users getting Access Denied error messages.
This short excerpt from
New Features of EFS
Compared to Windows 2000, the newer EFS version in Windows XP and Windows Server 2003 includes several changes. Here's a list of some of the new features:
- Encrypted files are marked green so you can easily distinguish them.
In Windows Explorer, choose Tools, Folder Options. On the View tab, select the option Show Encrypted or Compressed NTFS files in Color. This setting makes compressed files appear in blue and encrypted files in green.
- You can share your encrypted files with other individuals.
You can share encrypted files with other individuals, but not with groups. A user with whom you want to share encrypted files must have an encryption certificate on your computer. This can be achieved in either of two ways: the user can log on to your computer and encrypt a file, or a network user can export his or her certificate and you can then import it on your computer.
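The export/import step described above, as an added PowerShell example that is not part of the original tip: it writes the public half of your own EFS certificate to a .cer file (no private key leaves the profile) and, on the colleague's side, imports that .cer into the "Other People" certificate store, which is where the Add dialog on an encrypted file's Details page looks for candidates. It assumes PowerShell 2.0 or later; the file paths and the thumbprint check are placeholders you would fill in.

```powershell
# Added example, not from the original tip. Export your EFS certificate (public
# key only) and import a colleague's .cer so they can be added to an encrypted file.
# Assumes PowerShell 2.0+; paths and the out-of-band thumbprint are placeholders.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # True when the certificate carries the EFS EKU; the sharing dialog ignores others.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Export-MyEfsCertificate {
    param([string]$OutFile)
    # Newest EFS certificate in the personal store that has a private key.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (Test-EfsCertificate $_) } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) {
        throw 'No EFS certificate yet: Windows issues one the first time you encrypt a file.'
    }
    # X509ContentType::Cert writes DER with the public key only.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    $cert.Thumbprint
}

function Import-SharingCertificate {
    param([string]$CerFile, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
    if ($cert.HasPrivateKey) { throw "Refusing to import a private key from $CerFile" }
    if (-not (Test-EfsCertificate $cert)) { throw 'Not an EFS certificate' }
    # Compare against a thumbprint received out of band so a swapped .cer cannot
    # make you share files with the wrong person.
    if ($ExpectedThumbprint -and
        ($cert.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpper())) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint)"
    }
    # "AddressBook" is the Other People store that the EFS Add dialog lists.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AddressBook', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    $cert.Subject
}

# On your computer:
#   Export-MyEfsCertificate -OutFile C:\temp\alice-efs.cer
# On the colleague's computer, after copying the .cer across:
#   Import-SharingCertificate -CerFile C:\temp\alice-efs.cer -ExpectedThumbprint '<read out of band>'
# Then: right-click the encrypted file > Properties > Advanced > Details > Add.
```

Only the .cer is moved between machines; a .pfx would carry the private key, which is why the import function refuses anything that has one.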
- EFS offers a client-side caching that's used with the offline folders feature.
This feature is useful for mobile computers because users can work on files even when not connected to the network. The files are cached on the user's hard drive. When the user reconnects to the network, the local files are synchronized with the files on the network. Unlike Windows 2000, both Windows XP and Windows Server 2003 let you encrypt offline files.
- EFS offers kernel-mode FIPS-compliant cryptography.
Federal Information Processing Standard 140-1 (FIPS 140-1) and FIPS 140-2 are U.S. government standards that provide a benchmark for implementing cryptographic software. Some U.S. government agencies purchase only products that are FIPS-compliant. In Windows XP/2003, you can use a group policy option called "System cryptography: Use FIPS compliant algorithms for encryption" to configure clients to be FIPS-compliant.
- Files can be encrypted even if there's no Data Recovery Agent (DRA).
Unlike Windows 2000, the newer version of EFS allows encryption of files even without a DRA. Click over to InformIT to learn more about how to deal with the differences.
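A read-only check for the FIPS and recovery agent items above, as an added PowerShell example that is not part of the original tip: it reports whether the FIPS policy is on and which EFS algorithm is configured, inventories encrypted files under a folder, and wraps the cipher.exe call that generates a recovery agent key pair for a machine that has no DRA. The registry locations, the CALG constants and the FIPS-to-3DES fallback are assumptions from my own notes rather than statements in the tip; the folder path is a placeholder.

```powershell
# Added example, not from the original tip. Audit the EFS settings discussed
# above on XP / Server 2003. Registry paths and CALG values are assumptions.

function Get-EfsPolicyStatus {
    # XP/2003 keep the "Use FIPS compliant algorithms" policy as a DWORD value
    # under the Lsa key (assumption; later versions moved it to a subkey).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $efs = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    $fipsOn = ($lsa -ne $null -and $lsa.FipsAlgorithmPolicy -eq 1)

    # AlgorithmID overrides the default file encryption algorithm (CALG_* constants, assumption).
    $alg = if ($efs -ne $null) { $efs.AlgorithmID } else { $null }
    if ($alg -eq $null) {
        $algName = 'not set: OS default (AES-256 on XP SP1+ and 2003, DESX on XP RTM)'
    } else {
        switch ($alg) {
            0x6603  { $algName = '3DES (CALG_3DES)' }
            0x6604  { $algName = 'DESX (CALG_DESX)' }
            0x6610  { $algName = 'AES-256 (CALG_AES_256)' }
            default { $algName = 'unknown 0x{0:X}' -f $alg }
        }
    }
    # With the FIPS policy on, EFS uses 3DES regardless of AlgorithmID (assumption).
    New-Object PSObject -Property @{
        FipsPolicyEnabled = $fipsOn
        EfsAlgorithm      = $algName
    }
}

function Get-EncryptedFiles {
    param([string]$Root)
    # Files carrying the Encrypted attribute; Explorer shows these in green when
    # the "show in color" option is on.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        } |
        Select-Object FullName, Length, LastWriteTime
}

function New-RecoveryAgentKeyPair {
    param([string]$BaseName)
    # cipher /r ships with XP and 2003 and prompts for a password for the .pfx.
    # Import $BaseName.cer as the DRA under Local Security Policy > Public Key
    # Policies > Encrypting File System, then move $BaseName.pfx off the machine.
    & "$env:SystemRoot\system32\cipher.exe" "/r:$BaseName"
}

# Usage:
#   Get-EfsPolicyStatus
#   Get-EncryptedFiles -Root 'C:\Documents and Settings' | Format-Table -AutoSize
#   New-RecoveryAgentKeyPair -BaseName C:\temp\efs-dra
```

Run the inventory before defining a DRA: files encrypted while no agent existed stay recoverable only by their owner until they are next modified or re-encrypted, so the list tells you which files a new agent does not yet cover.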
ABOUT THE AUTHOR: Zubair Alexander, (MVP, MCT, MCSE, MCSA, MCDST, MCP+I, CNA, A+, Network+, CTT+, CIW), works as a trainer and consultant in Seattle, Washington. He teaches Microsoft ISA Server and other Microsoft BackOffice products and has written extensively on Microsoft products for several years.
This was first published in July 2004