Configuring The Encrypting File System (EFS)

Encrypting File System (EFS) is an encryption service built into Windows 8 that has been around since the release of Windows XP. EFS is designed to provide file level encryption to protect your confidential files when others have physical access to your computer.

Using EFS, users can encrypt and decrypt their files/folders to protect sensitive data on their computer in case it's lost or stolen. The encryption key is associated with the user's logon account and is stored as part of the user profile.

To use EFS, you must store your files on an NTFS volume. If you are using Windows compression on the file/folder, you have to uncompress it before you can encrypt it.

Encrypting a folder or file is as simple as right-clicking the object, choosing Properties, clicking the General tab, and then clicking Advanced. The Advanced Attributes dialog box appears. To enable encryption, select the Encrypt contents to secure data option. If the folder contains files and subfolders, you will be prompted to apply encryption to just the folder or to apply changes to the folder, subfolder, and files.

The first time you encrypt a file or folder in Windows 8, you will be prompted to back up your file encryption certificate and key. Doing so will launch the Certificate Export Wizard, in which you can apply a password to the exported file, provide a name, and then determine a location to store the file. You should always make a backup of the key to make sure you can recover your encrypted information if you lose the key. Consider placing it somewhere other than your computer, such as in a shared folder on the network or on a USB flash drive.

Encrypted files/folders can be moved and copied, but you should keep the following in mind:

  • Moving an encrypted file from an NTFS volume to a FAT/FAT32 volume will decrypt it. FAT/FAT32 does not support encryption. It will also remove any NTFS permissions configured on the file.
  • Moving an encrypted file between NTFS volumes on the same computer will maintain the encryption. NTFS permissions will also be maintained when the file is moved.

If you want to use your encrypted files on another computer, you need to export the EFS certificate and key from your computer and then import it on the other computer. If you want to share your encrypted files with another user, the other person has to export their EFS certificate and then import it on your computer. After it is imported, you add that certificate to the file you want to share through the file's property settings. Exporting and importing are done via the Certificates snap-in (certmgr.msc).

When EFS is used, an EFS recovery agent (ERA) is automatically created, whether the computer is a member of a domain or workgroup. The ERA can recover files/folders that have been encrypted in situations in which the person loses keys or leaves the company. The Domain ERA is automatically created the first time you install a domain controller on the network. In fact, it's the Domain Administrator that functions as the recovery agent account. In a workgroup, the local computer's Administrator is designated as the recovery agent.

You can delete recovery agents, but there must always be at least one, or else EFS will not allow you to encrypt files/folders. Remember, the files can also be decrypted by moving them to a FAT/FAT32 volume. To recover the file, log on under the ERA account, locate the file, and then take ownership of it. After you have ownership of the file, go into its property settings and deselect Encrypt contents to secure data.
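The steps above (encrypting a file, backing up the certificate and key, and the FAT/FAT32 caveat when moving files) as an added PowerShell example; this is not code from the original text. The file and destination paths are assumptions, and the script expects to run as the user who owns the files.

```powershell
# Added example: encrypt a file with EFS, confirm the attribute, copy it only to an
# NTFS destination, and back up the EFS certificate and key. Paths below are assumed.
param(
    [string]$Source      = "$env:USERPROFILE\Documents\confidential.txt",
    [string]$Destination = "E:\backup\confidential.txt"   # assumed USB drive path
)

# EFS requires NTFS and refuses NTFS-compressed files, so check compression first.
$item = Get-Item -LiteralPath $Source
if ($item.Attributes -band [IO.FileAttributes]::Compressed) {
    throw "$Source is NTFS-compressed; uncompress it before encrypting."
}

# Same effect as selecting "Encrypt contents to secure data" in Advanced Attributes.
[IO.File]::Encrypt($item.FullName)

# Verify that the Encrypted attribute is now set.
$item.Refresh()
if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw "Encryption did not take effect on $Source."
}
Write-Host "Encrypted: $($item.FullName)"

# Moving or copying to FAT/FAT32 silently stores the file decrypted, so check the
# destination file system before copying (Get-Volume is available on Windows 8+).
$destLetter = ([IO.Path]::GetPathRoot($Destination)).TrimEnd(':\')
$fs = (Get-Volume -DriveLetter $destLetter).FileSystem
if ($fs -ne 'NTFS') {
    throw "Destination $destLetter`: is $fs; the copy would be stored unencrypted."
}
Copy-Item -LiteralPath $Source -Destination $Destination
Write-Host "Copied to $Destination (still encrypted on NTFS)"

# Back up the current user's EFS certificate and private key to a password-protected
# .pfx, the same result as the Certificate Export Wizard. cipher.exe prompts for the
# password; store the file somewhere other than this computer.
cipher.exe /x "$env:USERPROFILE\efs-backup"
```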

Configuring Security for Removable Media

In today's networks, the biggest concern of administrators has been the arrival of removable storage devices. With Windows 8 and Windows Server 2012, you fortunately have several options for monitoring and securing these types of devices. Controlling the use of removable media is critical to the overall security of your network.

Monitoring and securing removable media includes using Group Policy to control whether users are allowed to use removable media on your network or on specific computers, and deploying BitLocker/BitLocker To Go to encrypt removable media so that the data stays protected if the device is lost or stolen.

Using Group Policy

Group Policy provides control over users and computers in the network. It can be used to define the state of the user and/or computer environment and then continually enforce it over specific groups of users or computers or across the entire organization.

Group Policy allows you to implement specific configurations (security and networking policies) for users and computers that define what they can and cannot do on the network. These collections of user and computer configurations are called Group Policy Objects (GPOs). GPOs are associated with Active Directory containers (sites, domains, and organizational units [OUs]) and are managed from the Group Policy Management Console (GPMC). The GPMC (gpmc.msc) provides a single interface for managing GPOs across your entire organization. To use GPMC on a Windows 8 computer that is a member of a domain, you will need to install the Remote Server Administration Tools (RSAT) for Windows 8 from Microsoft's website. RSAT allows you to remotely manage roles and features in Windows Server 2012 from a computer running Windows 8. To access GPMC on a Windows Server 2012 computer, you can press the Windows logo key + R and type gpmc.msc, or access it from the Server Manager console (Tools > Group Policy Management).

There are also local GPOs that can be configured on individual computers. To manage the local settings, you can use the Local Group Policy Editor (LGPE; gpedit.msc). The LGPE is commonly used in situations where you have computers that are not members of an Active Directory domain. To locate LGPE, press the Windows logo key + W and type edit group policy. You can also access it by pressing the Windows logo key + R and typing gpedit.msc.

GPOs are separated into two sections: Computer Configuration and User Configuration. You would configure the Computer Configuration section to set policies that are applied to the computer regardless of who logs on to it. The User Configuration is used to set policies that apply to users, regardless of which computer they log on to.

You can configure GPOs to monitor the use of removable storage devices on your network. The setting can be found in the following location using the GPMC:

  • Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies. The Audit Removable Storage setting enables you to audit user attempts to access file system objects on a removable storage device. If you enable this policy, a security audit event is generated each time an account accesses the removable storage device.

You can also configure GPOs to prevent the use of removable media on your network for computers and/or users.

The settings can be found in both Computer and User locations in the GPMC:

  • Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. These settings will be applied to the computer and every user who logs on to it.
  • User Configuration\Policies\Administrative Templates\System\Removable Storage Access. These settings will be applied only to users/groups that are included in an Active Directory container to which you link the GPO.

On Windows 8 clients, you can configure similar settings using the LGPE (gpedit.msc). When enabled and applied, the Prevent installation of removable devices setting prevents Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates the device is removable. For example, a USB device is reported removable by the drivers for the USB hub to which it is connected.
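The auditing and restriction settings described above, applied and checked on a single machine, as an added PowerShell example that is not part of the original text. It assumes an elevated prompt on Windows 8 or Windows Server 2012, and that the registry locations named in the comments are where these policy settings are written.

```powershell
# Added example: turn on "Audit Removable Storage" locally, list the resulting access
# events, and report which removable-media restrictions are currently in effect.

# 1. Enable the same subcategory the GPMC exposes under Advanced Audit Policy
#    Configuration\Audit Policies. Each access to a removable device then logs an event.
auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

# 2. Each access is Security event 4663 with task category "Removable Storage".
#    Summarise who accessed which object in the last 24 hours.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object = $data.ObjectName
            Access = $data.AccessMask
        }
    } | Format-Table -AutoSize

# 3. Report the restrictions written by "Removable Storage Access" (Deny_All covers all
#    removable storage classes) and by "Prevent installation of removable devices".
#    These registry paths are the standard policy locations (assumed here).
$rsa = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$dir = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$denyAll  = (Get-ItemProperty -Path $rsa -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
$denyInst = (Get-ItemProperty -Path $dir -Name DenyRemovableDevices -ErrorAction SilentlyContinue).DenyRemovableDevices
"All Removable Storage classes: Deny all access = $([bool]$denyAll)"
"Prevent installation of removable devices   = $([bool]$denyInst)"
```

A value of False for both means the computer relies on auditing alone; the User Configuration variant of Removable Storage Access is written under HKCU for the logged-on user and is not checked here.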