MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
Objective: Configure, manage, and troubleshoot Encrypting File System (EFS). Users can encrypt their files by using EFS. The encryption attribute on a file or folder can be toggled the same as any other file attribute. When you set the encryption attribute on a folder, all its contents, whether subfolders or files, are also encrypted. The encryption attribute, when assigned to a folder, affects files the same way that the compression attribute does when a file is moved or copied. Files that are copied into the encrypted folder become encrypted. Files that are moved into the encrypted folder retain their former encryption attribute, whether or not they were encrypted. When you move or copy a file to a file system that does not support EFS, such as FAT16 or FAT32, the file is automatically decrypted. Exam Alert EFS requirements The file system must be set to NTFS if you want to use EFS, and no file can be both encrypted and compressed at the same time.
Encrypting File System Basics
Windows XP Professional has the capability to encrypt files directly on any NTFS volume. This ensures that no other user can use the encrypted data. Encryption and decryption of a file or folder is performed in the object's Properties dialog box. Administrators should be aware of the rules to put into practice to manage EFS on a network:
EFS uses certificates to manage the encryption. When a file is encrypted, the user's encryption certificate is assigned to the file. When the user opens the file, the encryption certificate is checked and the user is allowed to open and work with the file. When another user attempts to open the file, the user is unable to do so. Therefore, EFS is suitable for data that a user wants to maintain as private, but not for files that are shared. To copy file encryption certificates, you use the Export command in the Certificates snap-in. You should be able to follow the process in Step by Step 12.1 to perform this process.
Permissions do not have any authority over the encryption attribute. A person who has Full Control or Take Ownership permission for a file that has been encrypted with EFS is not able to access the file unless that person is also an authorized user of the file. User accounts that are designated data recovery agents can also decrypt encrypted files. However, even an Administrator for the computer or domain is not able to decrypt an encrypted file without being a designated data recovery agent. A unique encryption key is assigned to each encrypted file. You can share an encrypted file with other users in Windows XP Professional, but you are restricted from sharing an entire encrypted folder with multiple users, or sharing a single file with a security group. This is related to the way that EFS uses certificates, which are applicable individually to users; and how EFS uses encryption keys, which are applicable individually to files. The following section reviews how to share encrypted files. How Did They Encrypt That? EFS uses algorithms that scramble and encode the data within a file. The application program interface, named CryptoAPI, is the EFS component that generates the encryption. When a person encrypts a file for the first time, a pair of keysone public, one privateis randomly created. This pair of keys works both to generate the encryption on the file, and later, to unlock the file to decrypt it. Designated recovery agents are user accounts authorized to decrypt encrypted files. When a user account is designated as a recovery agent, you essentially are granting it a copy of the key pair. If you lose the key pair, or they become damaged, and if there is no designated recovery agent, there is no way to decrypt the file and the data is permanently lost. Preparing a Disk for EFS
Windows XP Professional supports a disk formatted with the File Allocation Table (FAT) or the New Technology File System (NTFS). However, EFS works only on a disk that is formatted with the NTFS file system. By default, the disk format is FAT, although as you probably have discerned from Chapter 5, NTFS provides many more features and options than FAT, such as compression, encryption, and granular file permissions. The only thing that you really need to do to prepare the hard disk for EFS is to make certain that it is formatted with NTFS. If it is not, you can convert the hard disk format from FAT to NTFS or format the partition as NTFS. There are two ways to go about this:
Exam Alert NTFS and partition conversions Every now and then you see an exam answer that displays the convert command with the /fs:FAT switch. Ignore it. This is always incorrect. Converting a hard disk partition to NTFS is a one-way proposition. After the partition is formatted with NTFS, it cannot be converted back to FAT. The only way to restore the FAT file system is to reformat the partition, erasing all the data, and then restoring the data from a backup. In addition, you may run into a question that prompts for reversion to Windows 98 or Windows Me after the hard disk partition has been converted to NTFS. This too is always incorrect. It is not possible to revert to these operating systems after you have converted the hard disk to NTFS. Your only option is to reformat the hard disk partition and reinstall the older operating system.
Convert.exe is really simple to use and typically problem-free, although you should make certain to back up the data on the partition before you convert it as a precaution. Having already read Chapter 5, you should be fully able to convert a hard disk partition to NTFS. However, Step by Step 12.2 provides full instructions if you want to follow along.
You can format a new or empty hard disk partition as NTFS by using the Disk Management utility. Although you are probably an old hat with Disk Management, you can follow along with the procedure in Step by Step 12.3 if you prefer.
Establishing an EFS Policy
You can establish a policy, using either Group Policy or Local Security Policy, that applies directly to EFS. (Both Group Policy and Local Security Policy are described in greater detail at the end of this chapter.) To generate this policy, you can open the Group Policy object editor. EFS policies are located in the Computer Configuration node, below Windows Settings, then Security Settings, then Public Key Policies, in the node named Encrypting File System. Right-click the Encrypting File System node and, from the shortcut menu, select All Tasks, as shown in Figure 12.3. Figure 12.3. Policies applicable to EFS are found in the Computer Configuration node.
The two options that you have are Add Data Recovery Agent and Do Not Require Data Recovery Agents. Remember that without data recovery agents, a damaged or lost key could render a person's entire set of encrypted files useless. Therefore, it is recommended that every EFS certificate is generated along with a data recovery agent. Group Policy can be used to apply either setting on an organizational unit-, site-, or domain-basis. This gives you a great deal of granular control over who is automatically given data recovery agents and who is not. When you select the Add Data Recovery Agent policy, a wizard starts. In this wizard, you select the user or users who will be given the recovery agent designation. If you are participating in Active Directory, you merely need to browse for the users and select them. If not, you need to request certificates for each user first and then look for the certificate files for those users. (They are easy to find. Certificate files use a .cer extension.) After you have completed the wizard, each EFS certificate that is generated will be accompanied by a recovery agent's certificate. Using EFS with a Certification Authority (CA)
You can use different types of certificates with EFSthird-partyissued certificates, CA-issued certificates, and self-signed certificates. If you have developed a security system on your network that utilizes mutual authentication based on certificates issued by your own CA, you can extend the system to EFS to further secure encrypted files. When an enterprise CA creates certificates, it bases the actual certificate on a template. In a Windows 2000 or Windows Server 2003 Active Directory environment, the certificate templates are stored in the Active Directory itself and are used to define what types of certificates can be issued to users, computers, and resources, as well as the attributes of those certificates. The certificate templates that support EFS are
The Basic EFS certificate template is able to be used for only EFS functions. The Administrator and User certificate templates apply to EFS as well as other areas. Each user has to be granted the Enroll permission for a certificate template to receive the certificate. If you want to ensure that users are granted only the User type of certificate for EFS, rather than the basic EFS template, you do not need to delete the template. Instead, you simply remove the Enroll permission for it. The Certificates snap-in console can be used to request EFS certificates. To request a certificate, you can follow the procedure in Step by Step 12.4.
Storing Certificates in Windows XP
When a Windows XP Professional user obtains a public key certificate, Windows XP writes the certificate to the Registry in the user's individual hive and then stores it in the user's personal certificate store, which is simply a folder containing the certificate in plaintext format at [View full width] %systemdrive%\Documents and Settings\%username%\Application Data\ Microsoft
Plaintext is acceptable for public keys because they are supposed to be freely available. To guard against outside manipulation, public key certificates are digitally signed by CAs. Private keys, by their very nature, must be secured, and as a result they are encrypted through the use of a 64-byte-long, random symmetric key called the user's master key. Windows XP places private keys in each user's profile folder: %systemdrive%\Documents and Settings\%username%\Application Data\ Microsoft\Crypto\RSA
All contents of this RSA folder are encrypted with the user's master key. The folder cannot be renamed or moved without causing problems with private key usage or application. EFS must be able to access the public and private keys to encrypt and decrypt files. Note that both of the folders that store public and private keys are incorporated in the user's profile. When administrators implement roaming profiles, the keys are copied to the local computer at logon and discarded at logoff. Allowing EFS to Self-Sign Certificates
When Windows XP is in a workgroup or is configured as a stand-alone computer, EFS automatically generates EFS certificates rather than obtaining them from a CA. A user only needs to encrypt a file for a unique EFS certificate to be generated. When EFS generates certificates, they are automatically self-signed. In addition, when EFS is unable to renew a CA-generated certificate, it generates a self-signed certificate. Whereas EFS attempts to renew all certificates, renewal is not necessary for self-signed certificates because they are valid for a full century. Aside from the 100-years-in-the-future expiration date, self-signed certificates are easy to spot. Their Issued By and Issued To attributes are identical. You can view all these attributes in the Certificates console snap-in. You can generate a self-signed certificate using the cipher command-line utility. To do so, open a Command Prompt window and type cipher /k, which results in the key output shown in Figure 12.4. Figure 12.4. The cipher command is used to generate new keys for a user, as well as perform other encryption functions.
You can use Internet Explorer to back up your certificates. To do so, open the browser window, select the Tools menu, and then click Internet Options. Click the Content tab and then click the Certificates button in the Certificates section. You see the dialog depicted in Figure 12.5. Figure 12.5. Certificate information is displayed on the Content tab of Internet Options for Internet Explorer.
Click the certificate that you want to back up and then click the Export button. (If there are multiple certificates to choose from, double-click them and view each certificate's Detail tab, and in the Show list, click Extensions Only. The Enhanced Key Usage attribute of the certificate states Encrypting File System if it has been generated for EFS.) After you click the Export button, the Certificate Export Wizard begins and you can follow along with the same process that was described in Step by Step 12.1 at the beginning of this chapter. Encrypting Files
There are two ways to encrypt a file:
You use cipher at a command prompt. If you were going to encrypt a file named Myfile.txt located in the C:\MYDIR folder, the full command to use is cipher /e /s:c:\mydir\myfile.txt
To change the Advanced encryption attribute of a file, navigate to the file, using either My Computer or Windows Explorer, then right-click it. From the shortcut menu, select Properties. On the General tab, click the Advanced button in the Attributes section. The Advanced Attributes dialog box opens, as shown in Figure 12.6. Figure 12.6. The Advanced Attributes dialog box enables you to either compress or encrypt a file.
Check the box next to Encrypt Contents to Secure Data and click OK. Then click OK again to close the file's Properties sheet. You are given a warning dialog that lets you choose between encrypting just the file that you had selected, or both the file and its parent folder. Select one of the options and click OK. Exam Alert Mutually exclusive Advanced Attributes In the Advanced Attributes dialog box, if you select the Compress Contents to Save Disk Space check box, the check mark disappears from the Encrypt Contents to Secure Data check box. These two attributes are mutually exclusiveyou can select only one. For any exam solution that provides for a file or folder being both encrypted and compressed, consider it as a wrong answer.
After a file has been encrypted, you can view its encryption attribute details by again right-clicking the file, selecting Properties, and clicking the Advanced button on the General tab. In the Advanced Attributes dialog box, click the Details button. The Encryption Details For dialog box opens, as shown in Figure 12.7. Figure 12.7. After a file has been encrypted, you can view the encryption details and add other users to share the file.
You can see who is able to open the encrypted file, and you can add other user accounts to share the encrypted file and view the designated data recovery agent, if any. Click the Add button to share the encrypted file. A dialog box listing all the EFS-capable certificates for users opens. If a user has never been issued a certificate (whether through the Certificates snap-in or by encrypting a file in the past), the user's account does not appear in this dialog box. After a file is encrypted, an unauthorized user attempting to open the file is given an error message that says the user does not have access privileges. If an unauthorized user tries to move or copy an encrypted file, the user receives an Access is denied error message. Decrypting Files
The process of decryption is the opposite of encryption. You can either use the cipher command or change the Advanced attribute for encryption on the file. To use the cipher command to decrypt the file, click Start, Run, type cmd in the Open text box, and press Enter. At the command prompt, type cipher /d /s:c:\myfolder\myfile.txt and press Enter. The file will be decrypted. To use the Advanced Attributes method, open either My Computer or Windows Explorer and navigate to the file. Right-click the file and select Properties. On the General tab, click the Advanced button. In the ensuing Advanced Attributes dialog box, clear the Encrypt the Contents to Secure Data check box. Click OK and then click OK again. If you are not the person who originally encrypted the file, or if you are not the designated recovery agent, then you will receive an error for applying attributes that says the access is denied. Troubleshooting EFS
The cipher command can be helpful in discovering information about the encrypted files on your computer, in addition to enabling you to encrypt and decrypt files. Table 12.1 shows the optional switches that you can use with the cipher command. When you use cipher without any switches, it displays the encryption state of the current folder and its contents. When you see the results, either the character U or E appears in front of each file or folder. U means the object is unencrypted and E means that it is encrypted.
You might encounter several problems when using EFS:
|