Windows 2000 introduced Encrypting File System (EFS) and Offline Files. EFS lets users encrypt files and folders on NTFS partitions. Offline Files lets users access files offline when their connection to the file server is interrupted. In Windows XP Professional, Microsoft has joined these technologies to enable administrators to encrypt offline files for added security. Let's take a look at how you can use this new capability to encrypt the offline file cache folder.
EFS 101
EFS lets users employ a combination of asymmetric and symmetric key cryptography to encrypt files. When a user first encrypts a particular file, Windows determines whether a Public Key Infrastructure (PKI) certificate server, such as Microsoft's Certificate Services provides, is available. If so, the PKI server will give the user a new EFS digital certificate with a 2-year life. If Windows can't detect a PKI server capable of distributing EFS certificates, Windows will generate a self-signed EFS certificate for the user with a life of 100 years.
When a user selects a file for encryption, Windows creates a random symmetric key (called the File Encryption Key--FEK) and associates it with the file. Windows uses the FEK to encrypt the file and generates only one unique FEK per file, no matter how many users encrypt the file. Windows uses an individual user's EFS asymmetric public key to encrypt the FEK. If a user is designated as a data recovery agent (DRA), Windows encrypts a copy of the FEK with the DRA's EFS public key. In fact, in XP Pro and later OSs, an EFS-protected file can be encrypted by many users at once (the theoretical limit is in the hundreds of users). For each user who encrypts a file, Windows encrypts a copy of the FEK with the user's EFS public key. Each encrypting user's EFS private key can decrypt the FEK (which decrypts the protected file) and is stored in the user's profile. Each EFS private key is protected by a master key that Windows generates with the user's password. EFS encryption is solid, well-tested encryption. (For a more comprehensive description of EFS, see "Take a Closer Look at EFS," September 2005, InstantDoc ID 47175.)
Offline Files 101
The Offline Files feature uses shared folders (or Web pages) with client and server support. Each share on a client computer must be configured to allow Offline Files, although the server settings are often enabled by default. Client machines must also be enabled for Offline File support for each participating share. When a user's computer connects to a share that's been enabled to support Offline Files, the files are downloaded to an offline cache location on the client computer. The user can work with the offline files, and when he or she reconnects to the server, the files are synchronized with the server, and the latest version in either location updates the other version. File synchronization can occur only when the client computer goes offline, during logoff and logon, or on a predetermined schedule.
Using EFS and Offline Files
In XP Pro and later OSs, users can specify all their locally stored offline files to be encrypted for added security. To take advantage of this capability, users must have enabled Offline Files on the client but aren't required to have encrypted individual files previously. When a user enables encryption of the offline folder cache on a particular client machine, Windows encrypts the cache with a special EFS machine digital certificate. Unfortunately, that machine key will encrypt the personal offline files of all users on the client. Obviously, this method is more vulnerable to compromise than are encryption schemes that employ per-user keys. Microsoft has stated that it will change this capability in future Windows versions.
To encrypt the Offline Files database on a local XP Pro computer:
The Windows client-side caching extension, cscui.dll, will now automatically encrypt offline files as they are stored in the local Offline Files database. Requirements for encrypting files include the following:
Group Policy and Offline Folder Caching
As with most other aspects of the Windows experience, you can control offline folder caching with Group Policy. Many Group Policy settings affect Offline Files. For an overview of these settings, see the Microsoft Windows XP Resource Kit Documentation article "Group Policy Settings that Affect Offline Files, available at http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp. However, only one Group Policy setting affects Offline Files and EFS: Encrypt the Offline Files cache. If this policy is enabled, the entire Offline Files cache will be encrypted on an XP Pro or later client machine. You can't select individual files to encrypt when using this policy--all files stored in the cache are encrypted.
Caveats to Keep in Mind
EFS protects only files that are stored on a disk. When an authorized user opens EFS files, Windows decrypts them. When the decrypted files are copied over the network (again by the authorized user) the data is moved in plain text. Microsoft recommends the use of IP Security (IPsec), Secure Sockets Layer (SSL), or another network-communication encryption protocol to protect data in transit. For reasons that are unknown to me, Microsoft prevents the simultaneous use of offline folders and files and Remote Desktop. You must disable one to use the other. Finally, as with any remote synchronization technology, at times synchronization can fail or interrupt normal operations. For example, if you're in a hurry and don't let the entire synchronization process complete before taking your computer offline, you may be prevented from accessing your offline files until you reconnect and complete a successful synchronization. But these cautions aside, the combination of Windows' EFS and Offline Files features provides a viable option for securing offline files.
