
Secure Stored Data

User authentication puts a lock on the outside doors of the computer, and controlling access puts locks on the inside doors, but if someone breaks through or gets around those barriers, the data inside is available to anyone who wants it. For example, someone may take a disk drive and access it with another operating system, or steal a laptop and methodically break through the passwords. Or, much simpler and more common, an employee either purposefully gets or mistakenly is given access to data that employee should not have and decides to misuse it.

The answer to all of these scenarios is to make the data itself unusable without a key. This is done by encrypting a file, a folder, or the whole disk so that no matter how it is accessed, by another operating system or a low-level utility, it is encrypted and cannot be read without the key, and the key is itself encrypted so that it is exceptionally difficult to obtain and use.

File and Folder Encryption

File and folder encryption has been built into Windows Server 2008 NTFS and is called the Encrypting File System (EFS). Once EFS is turned on for a file or a folder, only the person who encrypted the file or folder will be able to read it, with the exception that a specially appointed administrator will have a recovery key to access the file or folder. For the person who encrypted the file, accessing it requires no additional steps, and the file is re-encrypted every time it is saved. All of the encrypting and decrypting is done behind the scenes and is not obvious to the user.

NOTE: Neither system files and folders nor compressed files and folders can be encrypted. You can decompress a compressed file or folder and then encrypt it.

The Encryption Process

The actual encryption of a file or folder is done with a symmetric encryption key, which is the same for both encryption and decryption and is very fast. The symmetric encryption key (also called a secret key) is itself encrypted using the file owner's public key, which is contained in his or her EFS certificate. (See "Understand Private/Public Key Encryption," later in this tutorial.) Therefore, the owner, whose private key matches that public key, is the only one who can open the encrypted file, except for the recovery administrator. When the file is created or re-created and a symmetric key is made, the key is actually encrypted twice, once for the owner and once for the recovery administrator. Then, if the need arises, the recovery administrator can use his or her private key to decrypt the file.

The encrypted symmetric key is stored as a part of the file. When an application requests the file, NTFS goes and gets it, sees that the file is encrypted, and calls EFS. EFS works with the security protocols to authenticate the user, use his or her private key to decrypt the file, and pass an unencrypted file to the calling application, all in the background, without any outward sign that it is taking place. The encryption and decryption routines are so fast that on most computers that can run Windows Server 2008, you seldom notice the added time.
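As an added example (not code from the tutorial or from Windows), the following PowerShell models that two-step scheme with .NET's RSA and AES classes: one symmetric key encrypts the data, and a copy of that key is wrapped with each key holder's public key. The key pairs, the sample text and the slot layout are constructed for illustration; real EFS takes the public keys from the EFS certificates.

```powershell
using namespace System.Security.Cryptography

# Key pairs standing in for the owner's and the recovery agent's EFS
# certificates (constructed here; EFS itself reads them from the users'
# certificate stores).
$owner    = [RSACryptoServiceProvider]::new(2048)
$recovery = [RSACryptoServiceProvider]::new(2048)

function New-EfsLikeFile {
    param([byte[]]$Plaintext, [RSA[]]$KeyHolders)
    # One fresh symmetric file encryption key (FEK) and IV per file; this is
    # the fast part that actually scrambles the data.
    $aes = [Aes]::Create()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The FEK is then wrapped once per key holder with that holder's public key:
    # slot 0 for the owner, later slots for recovery agents.
    $wrapped = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($holder in $KeyHolders) {
        $wrapped.Add($holder.Encrypt($aes.Key, $true))   # $true = OAEP padding
    }
    [pscustomobject]@{ Ciphertext = $ciphertext; IV = $aes.IV; WrappedKeys = $wrapped }
}

function Read-EfsLikeFile {
    param($File, [RSA]$PrivateKey, [int]$Slot)
    # A key holder unwraps only their own copy of the FEK; the other wrapped
    # copies stay opaque, so decrypting reveals the data, not anyone else's key.
    $aes = [Aes]::Create()
    $aes.Key = $PrivateKey.Decrypt($File.WrappedKeys[$Slot], $true)
    $aes.IV  = $File.IV
    $bytes = $aes.CreateDecryptor().TransformFinalBlock($File.Ciphertext, 0, $File.Ciphertext.Length)
    [Text.Encoding]::UTF8.GetString($bytes)
}

$sample = [Text.Encoding]::UTF8.GetBytes('Constructed sample: Q3 payroll figures')
$file = New-EfsLikeFile -Plaintext $sample -KeyHolders @($owner, $recovery)

Read-EfsLikeFile -File $file -PrivateKey $owner    -Slot 0   # owner opens the file
Read-EfsLikeFile -File $file -PrivateKey $recovery -Slot 1   # recovery agent opens it too
try   { Read-EfsLikeFile -File $file -PrivateKey $recovery -Slot 0 }
catch { "Recovery agent cannot unwrap the owner's copy: $($_.Exception.Message)" }
```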

TIP: Because many applications save temporary and secondary files during normal execution, it is recommended that folders rather than files be the encrypting container. If an application is then told to store all of its files in that folder, they are encrypted automatically when saved, and security is improved.

Encryption Considerations

Several requirements must be met to use file and folder encryption:

  • Windows 2000 or later NTFS must be in use. Any other file system, whether Windows NT 4 NTFS or FAT, will not work with EFS.
  • AD CS should be installed and running either on a stand-alone computer or within a domain. If AD CS is not running, EFS will issue its own certificates, but these are considered "not trusted" by Windows Server 2008.
  • The user of the file or folder must have an EFS certificate. If one does not exist, it is automatically created.
  • There must be one or more certificated recovery agent administrators. If one does not exist, a default administrator is automatically appointed and a certificate is issued. The default administrator on a stand-alone computer is the local administrator, while in a domain, it is the domain administrator on the first domain controller that is installed.
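Putting the requirements above and the earlier TIP into practice, here is an added PowerShell example (not from the tutorial) that prepares a folder as the encrypting container: it checks for NTFS, decompresses if needed, encrypts the folder with cipher.exe, and confirms that a newly saved file inherits encryption. The function name, the -Path parameter and the sample path are assumptions; cipher.exe and compact.exe are the built-in Windows tools for EFS and NTFS compression.

```powershell
# Assumes a local NTFS path; run it as the user who will own the files.
function Enable-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)

    $folder = Get-Item -LiteralPath $Path
    if (-not $folder.PSIsContainer) { throw "Use a folder, not a single file, as the container." }

    # EFS works only on NTFS; FAT/FAT32 volumes cannot hold encrypted items.
    $drive = New-Object System.IO.DriveInfo($folder.FullName.Substring(0, 3))
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "EFS requires NTFS, but $($drive.Name) is $($drive.DriveFormat)."
    }

    # Compressed and encrypted are mutually exclusive: decompress first.
    if (($folder.Attributes -band [IO.FileAttributes]::Compressed) -ne 0) {
        & compact.exe /u "/s:$($folder.FullName)" | Out-Null
    }

    # /e marks the folder (and, with /a /s:, existing subfolders and files)
    # encrypted; anything saved here afterwards is encrypted automatically.
    & cipher.exe /e /a "/s:$($folder.FullName)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE." }

    # Verify the container behaves as claimed: a new file inherits encryption.
    $probe = Join-Path $folder.FullName 'efs-probe.txt'
    Set-Content -LiteralPath $probe -Value 'probe'
    $probeAttr = (Get-Item -LiteralPath $probe).Attributes
    $newFileEncrypted = ($probeAttr -band [IO.FileAttributes]::Encrypted) -ne 0

    # cipher /c lists the certificates that can decrypt, recovery agents included.
    $holders = & cipher.exe /c $probe
    Remove-Item -LiteralPath $probe
    $folder.Refresh()

    [pscustomobject]@{
        Folder           = $folder.FullName
        FolderEncrypted  = ($folder.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        NewFileEncrypted = $newFileEncrypted
        KeyHolders       = $holders
    }
}

Enable-EfsFolder -Path "$env:USERPROFILE\Documents\Confidential"   # assumed, existing folder
```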

Recovery Agent Administrators

The reason for requiring a recovery agent administrator is shown by the situation in which someone leaves an organization, maybe through an accident, and his or her encrypted files are needed. Another situation is one in which a disgruntled employee encrypts shared files before leaving the organization. EFS is disabled without a recovery agent, so that files cannot be encrypted without a means to decrypt them. Several recovery agents may be assigned to an EFS file or folder, but there must be at least one. For each recovery agent, as well as the user, a copy of the symmetric encrypting key encrypted with the person's public key is stored with the encrypted file. Whoever decrypts the file reveals only the data and not any of the other keys.

Copy and Move EFS Files

Copying and moving EFS files and folders has special significance. Here are the rules:

  • If you copy or move an unencrypted file or folder to an encrypted folder, the item copied will be encrypted.
  • Copying or moving encrypted files or folders to another file system, such as Windows NT 4 NTFS or Windows 98 FAT32, removes the encryption, although only the owner or recovery agent can do this. Everyone else will be denied access.
  • Backing up encrypted files or folders with Windows Server 2008 Backup leaves the items encrypted.

TIP: When you back up encrypted data, make sure that both the user and the recovery agent keys are also backed up, which can be done with AD CS.