As a frequent traveler, I've noticed that an increasing number of airline passengers carry notebook computers. As I sat in an airport terminal waiting for a delayed flight recently, I looked around at some of these travelers busily typing away at their machines and began to think about how important computers have become in our society—not only for work, but also for personal use.
Think about all the critical data stored on these computers—everything from important business documents to personal credit card account information. More important, think about whether this information is secure. What would happen if you lost your notebook or if someone stole it? If someone were to gain access to this information, what impact would your misfortune have on your company or on you? If you're like me, the fallout would probably be more severe than you'd care to admit. To help you keep your data private and secure, Microsoft has added a feature to Windows 2000 called Encrypting File System (EFS).
Windows NT users can set NTFS permissions to control who can access data. However, file permissions don’t always ensure that data is protected, and some users find that setting permissions is complicated. If people can gain physical access to a machine, they can employ several methods to bypass even correctly set NTFS permissions. They can boot from a diskette to DOS and then use a utility such as NTFSDOS to access any file on the hard disk, including the protected files. Alternatively, they can remove the hard disk from the system and attach it to another system or employ one of several other methods to gain full access to the data. In other words, the OS provides the protection, and if hackers can find a way to bypass the OS, they can bypass the security as well. EFS solves this problem by writing data to the hard disk using public key encryption. The data is in an encrypted format on the hard disk, and it remains protected even if someone uses another OS to boot the machine or moves the hard disk to another machine.
How EFS Works
When you specify that you want to use EFS to encrypt a file or a folder, EFS generates a file encryption key (FEK), which consists of a pseudo-random number. The system uses this number and the Data Extended Standard X (DESX) algorithm to create the encrypted file and write it to the hard disk. The system then encrypts the FEK with your public key and stores it with the encrypted file. When you access the encrypted file, the system uses your private key to decrypt the FEK and then uses the FEK to decrypt the file. When you use EFS for the first time, the system automatically generates a public/private key pair if one doesn’t already exist. If you're logged on to a domain, the public/private key pair resides on a domain controller (DC); otherwise, it resides on the local machine.
Setting Up EFS
EFS is available only on Win2K machines that have NTFS formatted disks. To configure a file or a folder to use NTFS, right-click the file or folder and chose the Advanced button on the Properties dialog box that appears. Next, on the Advanced Attributes dialog box, click the "Encrypt contents to secure data" checkbox. As a result, the system rewrites the file or the contents of the folder to the hard disk using encryption, thereby making the data inaccessible to anyone without the proper credentials. Any new files you create in an encrypted folder will automatically write to the hard disk with encryption. File decryption happens automatically, without prompting, when you access a file—if you're the user that set up the encryption. Not only is using EFS much easier than setting NTFS permissions, it's also more secure.
EFS Recovery Agents
As a network administrator, you're probably thinking ahead to one danger that EFS might introduce: If a user encrypts important company information and then leaves the company, how do you gain access to the data? To provide for data recovery, EFS generates two copies of the FEK and stores them with the file on the local hard disk. The first copy is encrypted with the user's public key, as I described earlier, and the second is encrypted with the designated recovery agent’s public key. These steps ensure that the recovery agent can access the FEK and decrypt the file if necessary. By default, the domain administrator is the recovery agent for domain computers, and the local administrator is the recovery agent for standalone machines. You can use Group Policy to specify different or additional recovery agents.
The weekly reports from the latest companies (including Microsoft) to fall victim to intruders demonstrate that no one is immune. EFS doesn't offer a foolproof guarantee that your data is safe, but this new encryption tool is much more secure than any of its predecessors.
