To back up private keys, disable EFS on users' PCs

You may want to disable the Encrypting File System data protection and data recovery feature on Windows 2000 and Windows XP machines for security reasons. Here's how to go about it.

The Encrypting File System (EFS) feature was introduced in Windows 2000 and is also available in Windows XP Professional. This data protection and data recovery feature is available without any special configuration because it is enabled by default.

Although this feature is easy to use, administrators have two concerns with EFS: the ability to recover encrypted files, and the protection of the private keys used for encryption, which are associated with each user's account and with the recovery agent's account. Because the private keys needed for decryption are stored in the user's profile, a deleted or corrupted profile means the user can no longer access their encrypted files.

Without using a custom solution, backing up and storing a user's private keys (without backing up the entire profile) can be a time-consuming process. Also, using nondefault recovery agents requires installation of the Certificate Authority feature, which also needs to be managed properly. To avoid these additional tasks, it is better to disable EFS on users' machines.

The EFS service works differently on Win 2000 and XP. To disable EFS on Windows 2000, do the following:

  1. Launch the Group Policy MMC snap-in and select the Group Policy Object (GPO) linked to your domain.
  2. Drill down to Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Encrypted Data Recovery Agents. Right-click on the Encrypted Data Recovery Agents folder. Select Delete Policy to delete the default recovery policy.
  3. Right-click on Encrypted Data Recovery Agents again and select Initialize Empty Policy. This will prevent users from using EFS on any Windows 2000 system that belongs to the domain.

Disabling EFS on Windows XP requires a different procedure. XP offers finer control over the scope at which EFS is disabled: a single file, a folder, or the whole system. To disable EFS for a single file, simply assign the system attribute to the file. For example, to apply the system attribute to the file info1.txt, type the following at the command prompt: attrib +s info1.txt

If instead you want to prevent EFS at the folder level, create a desktop.ini file in the folder. This file should contain the following two lines:

    [Encryption]
    Disable=1

This will affect the folder itself and all its files. However, it does not have any impact on its subfolders and their content.

If you prefer, you can disable EFS at the system level by editing the Registry. Under the following key, set the DWORD entry EfsConfiguration to the value 1:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

The entry to set is EfsConfiguration, of type DWORD, with the value 1.
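The three XP-level controls described above (system attribute on a file, desktop.ini in a folder, the EfsConfiguration registry entry), applied and then audited from a script. This is an added example, not code from the original article, and it assumes an elevated Windows PowerShell session; the paths passed to the functions are hypothetical test paths.

```powershell
# Added example (not from the original article). Assumes an elevated Windows PowerShell
# session. $Folder and $File are hypothetical paths supplied by the caller.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Disable-EfsSystemWide {
    # System-level control from the article: DWORD EfsConfiguration = 1 under the EFS key.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -Value 1 -Type DWord
}

function Disable-EfsInFolder([string]$Folder) {
    # Folder-level control: a desktop.ini containing [Encryption] / Disable=1.
    # Covers the folder and its files only; subfolders are not affected.
    $ini = Join-Path $Folder 'desktop.ini'
    Set-Content -Path $ini -Value @('[Encryption]', 'Disable=1') -Encoding Ascii
}

function Disable-EfsOnFile([string]$File) {
    # File-level control: set the System attribute (what "attrib +s" does).
    $item = Get-Item -Path $File -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::System
}

function Test-EfsState([string]$Folder, [string]$File) {
    # Audit helper: is each control in place, and is the file still EFS-encrypted?
    $cfg = (Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' `
            -ErrorAction SilentlyContinue).EfsConfiguration
    $ini = Join-Path $Folder 'desktop.ini'
    $iniOk = (Test-Path $ini) -and ((Get-Content $ini) -contains 'Disable=1')
    $attrs = (Get-Item -Path $File -Force).Attributes
    [pscustomobject]@{
        SystemWideDisabled = ($cfg -eq 1)
        FolderDisabled     = $iniOk
        FileHasSystemAttr  = [bool]($attrs -band [IO.FileAttributes]::System)
        FileIsEncrypted    = [bool]($attrs -band [IO.FileAttributes]::Encrypted)
    }
}

# Usage with constructed test paths (replace with your own):
# Disable-EfsSystemWide
# Disable-EfsInFolder 'C:\Data\Reports'
# Disable-EfsOnFile   'C:\Data\Reports\info1.txt'
# Test-EfsState 'C:\Data\Reports' 'C:\Data\Reports\info1.txt'
```

The FileIsEncrypted field lets you confirm that files already encrypted before the change are still flagged, since disabling EFS stops new encryption but does not decrypt existing data.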

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and also has experiences deploying client/server applications in different Windows configurations.

This was first published in August 2006
