Increasing Security by Using EFS
encryption is the process of making information indecipherable to protect it from unauhodzed viewing or use. A key is required to decode the information. The Encryptmg file System (EFS) provides encryption for data in N'I'FS ftles stored on disk. This encryption is public key-based and runs as an integrated system service, making it easy to mange, difficult to attack, and transparent to the file owner. If a user who attempts to access» w encrypted NTFS file has the private key to that file (which is assigned When the user logs on), the file can be decrypted so that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access.
Windows 10 also includes the Cipher command, which provides the capability to encrypt and decrypt files and folders from a command prompt. Windows 10 also provides a recovery agent, a specially designated user account that can still recover encrypted files if the owner loses the private key.
encryption is the process of making information indecipherable to protect it from unauhodzed viewing or use. A key is required to decode the information. The Encryptmg file System (EFS) provides encryption for data in N'I'FS ftles stored on disk. This encryption is public key-based and runs as an integrated system service, making it easy to mange, difficult to attack, and transparent to the file owner. If a user who attempts to access» w encrypted NTFS file has the private key to that file (which is assigned When the user logs on), the file can be decrypted so that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access.
Windows 10 also includes the Cipher command, which provides the capability to encrypt and decrypt files and folders from a command prompt. Windows 10 also provides a recovery agent, a specially designated user account that can still recover encrypted files if the owner loses the private key.
How to encrypt a folder or file in windows 10
- In Windows Explorer, right-click on the folder or file you wish to encrypt.
- From the general tab, select Properties.
- Click on the Advanced button at the bottom of the tab
In the Advanced Attributes dialog box, under Compress or Encrypt Attributes, check Encrypt contents to secure data. if you want to encrypt or uncheck this option if you can decrypt the folder and then click OK and then click apply If you selected a folder to encrypt, a Confirm Attribute Change dialog box will be appear asking if you want to encrypt everything in the folder.
Select Apply change to this folder only or Apply changes to this folder, subfolders and files, and click OK.
Click on the Back up your file encryption key tab If the message disappears before you can click it, you can find it in the Notification Area for your OS.
Ensure you have a USB flash drive plugged into your Computer.
Click Back up now (recommended).
Click Next to continue.
Click Next to create your certificate.
Ensure you have a USB flash drive plugged into your Computer.
Click Back up now (recommended).
Click Next to continue.
Click Next to create your certificate.
Accept the default file format to export and click Next.
Check the Password: box, enter your password twice, and click Next.
In your USB drive, type a name for the certificate and key you want to export, and click Save. The file will be saved with a .pfx extension.
Click Next, Finish, and then OK.
Eject your USB drive from your computerTo decrypt a file or folder:
Follow the first six steps above, but uncheck the Encrypt contents to secure data box in Step 4
Click Next, Finish, and then OK.
Eject your USB drive from your computerTo decrypt a file or folder:
Follow the first six steps above, but uncheck the Encrypt contents to secure data box in Step 4
Compressed files cannot be encrypted, and encrypted files cannot be compressed with NTFS compression.
After you encrypt the folder, when you save a file in that folder, the file is encrypted using file encryption keys, which are fast symmetric keys designed for bulk encryption. The file is encrypted in blocks, with a different file encryption key for each block. All the file encryption keys are stored and encrypted in the Data Decryption field (DDF) and the Data Recovery field (DRF) in the file header.
If an administrator removes the password on a user account, the user account will lose all EFS-encrypted files, personal certificates, and stored passwords for Web sites or network resources. Each user should make a password reset disk to avoid this situation. To create a password floppy disk, open User Accounts and, under Related Tasks, click Prevent A Forgotten Password. The Forgotten Password Wizard steps you through creating the password reset disk.
Overview of EFS
EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and temporary files created during editing and left unencrypted in the paging file or in a temporary file do not defeat encryption.
You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows 10 security policy (see Chapter 16, “Configuring Security Settings and Internet Options,” for more on security policy). Control of this policy can be delegated to individuals with recovery authority, and different recovery policies can be configured for different parts of the enterprise. Data recovery discloses only the recovered data, not the key that was used to encrypt the file. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure
EFS is configured either from Windows Explorer or from the command line it can be enabled or disabled for a computer, domain, or organizational unit (OU) by resetting recovery policy in the Group Policy console in Microsoft Management Console (MMC)
You can use EFS to encrypt and decrypt Files on remote file servers but not lo encrypt data that is transferred over the network. Windows 10 provides network protocols, such as Secure Sockets Layer (SSL) authentication, to encrypt data over the network.
EFS Features
Transparent encryption In EFS. File encryption does not require the file owner to decrypt 3nd re-encrypt the File on each use. Decryption and encryption happen transparently on file reads and writes to disk.
Strong protection of encryption keys Public key encryption resists all but the most sophisticated methods of attack. Therefore, in BPS, the file encryption keys are encrypted by using a public key from the user's certificate. The list Of encrypted file encryption keys is stored with the encrypted file and is unique to it. To decrypt the file encryption keys, the file owner sup plies a private key, which only he or she has.
Integral data-recovery system If the owner’s private key is unavailable, the recovery agent can open
the file using his or her own private key. There can be more than one
recovery agent, each with a different public key.
Secure temporary and paging files Many applications create temporary files while you edit a document. and these temporary files can be left unencrypted on the disk. On computers running Windows 10 , EFS can be implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.
Even when you encrypt files. an intruder who accesses your computer can access those files if your user account is still logged on to the computer. Be sure to lock your console when you are not using the computer, or configure a screensaver to require a pass word when the computer is activated. If the computer is configured to go to standby mode when it is idle, you should require a password to bring the computer out of standby. These precautions are particularly important on portable computers, which people are more likely to leave unattended while the user is logged on.
If you lose your file encryption certificate and associated private key through disk failure or for any other reason, a user account designated as the recovery agent can open the file using his or her own certificate and associated private key If the recovery agent is on another computer in the network, send the file to the recovery agent.
The recovery agent can bring his or her private key to the owner's computer. but it is never a good security practice to copy a private key onto another computer.
It is a good security practice to rotate recovery agents. However, if the agent designation changes, access to the file is denied. For this reason, you should keep recovery certificates and private keys until all files that are encrypted with them have been updated.
The person designated as the recovery agent has a special certificate and associated private key that allow data recovery. To recover an encrypted file, the recovery agent does the following:
Secure temporary and paging files Many applications create temporary files while you edit a document. and these temporary files can be left unencrypted on the disk. On computers running Windows 10 , EFS can be implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.
Even when you encrypt files. an intruder who accesses your computer can access those files if your user account is still logged on to the computer. Be sure to lock your console when you are not using the computer, or configure a screensaver to require a pass word when the computer is activated. If the computer is configured to go to standby mode when it is idle, you should require a password to bring the computer out of standby. These precautions are particularly important on portable computers, which people are more likely to leave unattended while the user is logged on.
How to Create an EFS Recovery Agent
If you lose your file encryption certificate and associated private key through disk failure or for any other reason, a user account designated as the recovery agent can open the file using his or her own certificate and associated private key If the recovery agent is on another computer in the network, send the file to the recovery agent.
The recovery agent can bring his or her private key to the owner's computer. but it is never a good security practice to copy a private key onto another computer.
It is a good security practice to rotate recovery agents. However, if the agent designation changes, access to the file is denied. For this reason, you should keep recovery certificates and private keys until all files that are encrypted with them have been updated.
The person designated as the recovery agent has a special certificate and associated private key that allow data recovery. To recover an encrypted file, the recovery agent does the following:
- Uses Backup or another backup tool to restore a user’s backup version of the encrypted file or folder to the computer where his or her file recovery certificate is located.
- In Windows Explorer, opens the Properties dialog box for the file or folder, and in the General tab, clicks Advanced.
- Clears the Encrypt Contents To Secure Data check box.
- Makes a backup version of the decrypted file or folder and returns the backup version to the user.
No comments:
Post a Comment