FEATURE

Windows 2000 EFS
Keep your data confidential

Unauthorized access to confidential data is a serious concern for individuals and corporations. Some OSs (e.g., Windows 95, Windows for Workgroups—WFW) offer no security. Even Windows NT systems are at risk when administrators don’t properly implement security. Intruders can read files you protect with previous versions of NTFS by bypassing NT security with tools such as NTFSDOS.

UNIX and Windows NT systems rely on a discretionary access control (DAC) system. Computers with DAC let you protect sensitive data by restricting access to confidential files and folders. DAC capability is particularly useful when several users have access to the same computer. However, even with DAC, confidential files can be at risk if users don’t receive proper training. DAC might not be useful if someone steals the computer or hard disk, because it is the OS that enforces DAC: anyone who can bypass the OS can easily access the files on the hard disk. Unauthorized users can easily access data secured on an NTFS volume if they steal the hard disk and reinstall NT on it. In certain environments, computers that don’t employ DAC permit unrestricted file and folder access to users who can access the system. Intruders can copy files to laptops, 3.5" disks, or home computers by dialing into the corporate network.

Windows 2000 (Win2K) includes an Encrypting File System (EFS) that provides file encryption capabilities on an NTFS volume. Even individuals who steal a hard disk or computer can’t access encrypted data on Win2K’s NTFS volume. To gain a better understanding of Win2K’s EFS, you need to understand the encryption methods in use today.

Common Encryption Techniques

Encryption protects confidential data from accidental exposure or theft. When you use encryption, your data is secure as long as your encryption key is safe. Safeguarding one encryption key is easier than protecting a large amount of data. However, if you lose the encryption key, you can no longer access the data you encrypt. Some of the encryption techniques that companies currently use to protect data are file encryption, disk encryption, and EFS.

File encryption protects your data. Some applications (e.g., Microsoft Word, Microsoft Excel) can encrypt and decrypt files on demand. File encryption is easier to implement than encryption and works well in environments in which several users share a computer. However, this technique’s decryption process creates a plain text copy of a file, which you must delete in a secure manner. In addition, some applications (e.g., Word) store information in temporary files on the hard disk. These temporary files can leave data unprotected, so you must delete them securely too.

Application-level file encryption runs in NT’s user mode; thus, the OS can write the encryption key to the pagefile. Hackers who can read the pagefile can recover the key, which gives them access to the documents that the key encrypts.

Disk encryption encrypts data sector by sector and encrypts the entire hard disk with one key. The user enters a password to lock the hard disk. Disk encryption relies on the OS’ DAC. Thus, you can’t disable access to the hard disk while you’re running disk encryption.

EFS

EFS has several advantages over traditional encryption techniques. EFS’ encryption technology integrates into the file system, so that users can’t access the hard disk without going through the file system. Win2K’s EFS drivers run in kernel mode to provide better security. EFS is easy to manage and completely transparent to the user. A user can use a private key, which the OS generates, to encrypt only those files or folders that need protection. Users can then access their data transparently. Users who don’t have the private key can’t access the data.

EFS, which is based on public-key cryptography, encrypts data (e.g., local NTFS files) using a randomly generated file encryption key (FEK). A public key-based system uses a pair of keys: one private and one public. Only the user who owns the private key knows the private key. The public key is available to anyone who requests it. The user’s public key encrypts FEKs; the private key decrypts FEKs. NTFS stores a list of encrypted FEKs with the encrypted file in special EFS attributes known as Data Decryption Fields (DDFs) and Data Recovery Fields (DRFs).

EFS’ key storage mechanism is based on Win2K’s CryptoAPI architecture, which stores users’ public and private keys separately from the randomly generated FEK. This setup lets users store their private keys on secure devices (e.g., NTFS volumes, smart cards). Smart cards, which require smart-card readers on computers, are credit-card size devices that let users log on to Win2K with a personal identification number (PIN). Smart cards make personal information (e.g., account numbers, passwords, digital certificates) portable.
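The PowerShell script below is an added example, not code from the article or from Microsoft; it models the key hierarchy the two preceding paragraphs describe and the recovery-agent role the article explains further on. A random FEK encrypts the file contents, and that same FEK is wrapped twice: under the owner’s public key (the DDF) and under the recovery agent’s public key (the DRF). That is why an agent can open a file whose owner has lost her private key without ever holding the owner’s key. AES stands in for the DES that this EFS build used, .NET’s RSACryptoServiceProvider stands in for the CryptoAPI key pairs, and the function names, the Rose and Sam key pairs, and the sample file content are all constructed for the example.

```powershell
# Added example: a toy model of the EFS key hierarchy (FEK wrapped into a DDF and
# a DRF). Not the article's or Microsoft's code. AES stands in for DES and
# RSACryptoServiceProvider for CryptoAPI key pairs; keys and content are constructed.

function New-EfsKeyPair {
    # One RSA key pair per principal, as CryptoAPI generates for a user or agent.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
}

function Get-PublicKeyOnly {
    # What "anyone who requests it" receives: the public half, nothing more.
    param([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair)
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    $pub
}

function Protect-EfsFile {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider]$UserPublicKey,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryPublicKey
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()            # the random FEK
    $aes.GenerateIV()
    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $fields = [pscustomobject]@{
        Ciphertext = $ciphertext
        IV         = $aes.IV
        DDF        = $UserPublicKey.Encrypt($aes.Key, $true)      # FEK wrapped for the owner (OAEP)
        DRF        = $RecoveryPublicKey.Encrypt($aes.Key, $true)  # same FEK wrapped for the agent
    }
    $aes.Clear()                  # the plain FEK does not persist; only wrapped copies do
    $fields
}

function Unprotect-EfsFile {
    param(
        $Protected,
        [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey,
        [ValidateSet('DDF', 'DRF')][string]$Field
    )
    # Unwrap the FEK with whichever private key the caller holds, then decrypt.
    $fek = $PrivateKey.Decrypt($Protected.$Field, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Protected.IV
    $decryptor = $aes.CreateDecryptor()
    $plain = $decryptor.TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
    $aes.Clear()
    , $plain                      # leading comma returns the byte[] intact
}

# Constructed scenario: Rose owns the file, Sam is the domain's recovery agent.
$rose = New-EfsKeyPair
$sam  = New-EfsKeyPair
$content = [System.Text.Encoding]::UTF8.GetBytes('Q3 forecast - confidential')   # constructed sample file
$file = Protect-EfsFile -Plaintext $content `
                        -UserPublicKey (Get-PublicKeyOnly $rose) `
                        -RecoveryPublicKey (Get-PublicKeyOnly $sam)

# Normal access: Rose's private key unwraps the DDF.
[System.Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $file $rose 'DDF'))

# Rose loses her private key; the DRF still lets Sam recover the file for her.
$rose.Clear(); $rose = $null
[System.Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $file $sam 'DRF'))

# Sam's key does not open the DDF: the wrong RSA key fails OAEP decoding.
try   { Unprotect-EfsFile $file $sam 'DDF' | Out-Null }
catch { "DDF with the wrong key: $($_.Exception.Message)" }
```

In real EFS the DDF and DRF live in the file’s own EFS attribute rather than in a separate object, and the EFS service performs the wrapping through CryptoAPI; the script reproduces only the trust relationships, which is what a recovery plan depends on.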
Before you start using EFS, the systems administrator must set up a data recovery policy at the domain level (or at the local level for standalone machines). The EFS policy user interface lets recovery agents generate, import, export, and back up recovery keys. (A recovery agent is the individual a systems administrator assigns to manage recovery keys for all the computers in a domain.) For example, if domain user Rose loses her private key, she can’t open the files she encrypted with that key. Rose emails her encrypted file to Sam, the recovery agent, who decrypts the file on a secure machine by importing the file using Rose’s recovery key. Sam uses the EfsRecvr command-line utility to decrypt the file and send it back to Rose. If necessary, Rose can open the file and encrypt it again. Rose can use a similar process to recover an encrypted file when she’s working on a standalone workstation at

Win2K’s security subsystem enforces and replicates the EFS policy, so that users can use file encryption on a system that is temporarily offline. Laptop users can encrypt files when their computers are undocked in much the same way that users can use cached credentials to log on to a domain when the domain isn’t available for user authentication.

You can use EFS to encrypt files on remote servers. However, EFS encrypts files only on the hard disk; it doesn’t encrypt data users transmit over the wire. To encrypt data you transfer over the network, you must use a method that encrypts all TCP/IP client communications (e.g., IP security) or offers similar protection (e.g., Secure Sockets Layer—SSL).

I based this article primarily on Win2K’s beta 2 (build 1859). Some Win2K EFS features (e.g., command-line options for importing or exporting encrypted files) weren’t available when I wrote the article. In addition, Microsoft announced that the initial release of EFS won’t include support for file sharing or alternate encryption algorithms (i.e., EFS will support only Data Encryption Standard—DES). (For more information about DES, see "Is RAS Safe?" Windows NT Magazine, December 1997.) Microsoft will add these features in the future.

EFS Architecture

EFS consists of a service, a driver, a runtime library (EFSRTL), and Win32 APIs, as Figure 1 shows. The EFS service integrates with Win2K’s security subsystem. In user mode, the service supports Win32 APIs and interfaces with CryptoAPI to generate DDFs and DRFs. In kernel mode, the service uses local procedure call (LPC) to communicate with the EFS driver.

The EFS driver runs on top of NTFS in kernel mode. The driver communicates with the EFS service, which runs in user mode, for all key management services. The EFS driver requests FEKs, DDFs, and DRFs from the EFS service and transfers the information to the EFSRTL to perform file system operations. The EFSRTL is an EFS driver component, but it doesn’t communicate directly with the driver even though the EFS architecture implements the EFSRTL and the EFS driver as one component. The EFSRTL and the EFS driver communicate using NTFS callouts, which ensures NTFS security in all file operations.

EFS supports Win32 APIs in a system DLL file (advapi32.dll) and uses these APIs to encrypt, decrypt, and recover files. EFS also uses Win32 APIs to import files from and export files to other locations (e.g., 3.5" disks) without decrypting the files first.

Encrypting Files and Folders

Win2K’s NTFS file and folder properties now include encryption as an option. Encryption is a new file attribute in NTFS 5.0. Users can open, read, and save encrypted and nonencrypted files in the same manner. Only the user who encrypts the file or folder, a registered recovery agent, or anyone authorized to share the file or folder (i.e., users with a private key) can access an encrypted NTFS file or folder.

Applying EFS is similar to applying NTFS’ compression attribute. When you encrypt a folder, NTFS individually encrypts the files inside the folder and automatically encrypts any files you add to the folder. If any subfolders exist, you can encrypt them too. By default, NTFS encrypts any subfolders you create in an encrypted folder.

EFS lets you copy encrypted files across systems using command-line options. Win2K’s Copy command includes extra switches to import and export encrypted files. You can export an encrypted file to a 3.5" disk, a backup tape, or a FAT16 or FAT32 volume. (Note: Some of these features might not be available in the released version.) You can also transfer the encrypted file as an email attachment. The file remains encrypted until you decrypt it with the proper key. You export an encrypted file with the /E switch using the
syntax Copy /E source_file destination_file. For example,

Copy /E myfile.doc A:

You import an encrypted file with the /I switch using the syntax Copy /I source_file destination_file. For example,

Copy /I A:myfile.doc C:\data\myfile.doc

Remember that if you use the Copy command without the appropriate switch, EFS copies an encrypted file as an unencrypted file, unless you encrypt the destination folder. You can encrypt and decrypt folders (and files within a folder) from a command line using the Cipher utility. For more information on this utility, see the sidebar "Cipher Command-line Utility." According to Microsoft documentation, Win2K supports encrypting and decrypting individual files using the Cipher utility, but the build I tested only supported operations at the folder level.
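The script below is an added PowerShell example, not the article’s or Microsoft’s code, for two of the points above: the Copy pitfall (a copy that reaches a FAT volume arrives as plain text) and checking which files are encrypted across several locations, which the article later does with Cipher or File Manager. It reads the same NTFS Encrypted attribute that Explorer’s Advanced dialog and cipher.exe report. The function names are the example’s own, it handles local drive letters only, and the paths in the usage lines are constructed.

```powershell
# Added example, not the article's or Microsoft's code. Copy-EfsFile refuses a
# destination that is not NTFS (a FAT16/FAT32 target would receive plain text)
# and verifies the copy kept its Encrypted attribute; Get-EfsState reports the
# state of every file under the given roots. Function names are this example's own.

$EncryptedFlag = [System.IO.FileAttributes]::Encrypted

function Test-EfsEncrypted {
    # The NTFS Encrypted attribute is the bit Explorer and cipher.exe report.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return (($item.Attributes -band $EncryptedFlag) -eq $EncryptedFlag)
}

function Get-EfsState {
    # One record per file under each root, so several volumes can be checked in
    # one pass and piped to Where-Object or Export-Csv instead of inspected by hand.
    param([Parameter(Mandatory)][string[]]$Root)
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Encrypted = (($_.Attributes -band $EncryptedFlag) -eq $EncryptedFlag)
                }
            }
    }
}

function Copy-EfsFile {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    if (-not (Test-EfsEncrypted $Source)) {
        throw "$($Source) is not EFS-encrypted; use plain Copy-Item."
    }
    if (Test-Path -LiteralPath $Destination -PathType Container) {
        $Destination = Join-Path $Destination (Split-Path $Source -Leaf)
    }
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    if ($root.StartsWith('\\')) {
        throw "UNC destination $($root): check the server volume's file system first."
    }
    $format = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($format -ne 'NTFS') {
        throw "Refusing to copy: $($root) is $($format), so $($Source) would land there in plain text."
    }
    Copy-Item -LiteralPath $Source -Destination $Destination
    if (-not (Test-EfsEncrypted $Destination)) {
        # Never leave an unencrypted copy behind if the attribute did not survive.
        Remove-Item -LiteralPath $Destination -Force
        throw "Copy lost its Encrypted attribute at $($Destination) and was removed."
    }
    Get-Item -LiteralPath $Destination
}

# Usage (constructed paths):
# Get-EfsState -Root 'C:\data', 'D:\projects' | Where-Object { -not $_.Encrypted } | Format-Table
# Copy-EfsFile -Source 'C:\data\myfile.doc' -Destination 'D:\backup'
```

Filtering Get-EfsState on files that are not encrypted is the quick way to find the subfolder or stray file that was left out of an encrypted tree, the case the article addresses with File Manager.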
If a file or folder resides on a compressed FAT16 or FAT32 volume or has a system attribute, you can’t encrypt it. However, you can always uncompress a file or folder before you encrypt it. You can activate the encryption or compression attribute by clicking the Advanced button on the General tab of a folder’s Data Properties dialog box. Screen 1 shows this dialog box. These attributes are mutually exclusive: when you select one attribute, the other attribute grays out.

Make sure you don’t encrypt any files in the system folder. A user’s encryption key isn’t available during the boot process, so if you encrypt a system file, you can’t boot into Win2K. If you attempt to encrypt a file with the system attribute, you’ll receive an Access is denied error message. Future versions of Win2K will let you encrypt system files.

To identify encrypted files in a folder without verifying individual file properties, you can use the Cipher utility without any switches to display the state of the files in a folder. However, if you want to verify the state of files and folders at several locations on different volumes, using the command-line tool can be tedious. In this case, I suggest you use NT’s File Manager to verify file and folder encryption. File Manager isn’t available in Win2K, but you can copy it from a previous version of NT. File Manager doesn’t show you which files or folders are encrypted, but encrypted files and folders disappear from the File Manager as soon as you encrypt them. This method lets you confirm encrypted data easily and is particularly useful when you think you’ve encrypted subfolders but suspect you might have accidentally left out certain files. (I don’t encourage using File Manager instead of Explorer; however, using File Manager can be helpful in certain situations.)

Decrypting Files and Folders

EFS provides transparent decryption of files and folders for typical reads and writes. Users also can decrypt files or folders by right-clicking a file or folder in Explorer. To decrypt a file or folder, deselect the Encrypt contents to secure data option in the Data Properties’ Advanced attributes dialog box.

Encryption Standards

EFS isn’t available in all OSs for two reasons. First, including EFS in an OS is complex and requires that you integrate it with the OS. Integrating EFS isn’t easy and requires considerable skill. Second, national regulations and restrictions on the export of encryption technology have made integrating EFS harder for vendors. EFS encryption technology is based on the DES 56-bit encryption key. Current policy doesn’t permit the export of software with stronger than 40-bit encryption. While Microsoft and other companies hammer out the encryption regulations with the US government, EFS will be available in North America with standard 56-bit DES encryption. Outside North America, only 40-bit DES encryption will be available. Standard 56-bit DES encryption is downward compatible with 40-bit encryption; however, 40-bit encryption isn’t compatible with 56-bit encryption.

A Welcome Addition

Win2K’s new encryption feature—one of the OS’ major enhancements—is a welcome addition. Microsoft seems very interested in making Win2K a serious competitor for rival OSs (e.g., UNIX, AS/400) that run on minicomputers and mainframe computers. EFS, along with other Win2K features, brings Microsoft a step closer to this goal.

Win2K’s EFS provides users with a high level of security and transparent access to encrypted files and folders. EFS is a valuable tool for most organizations, including large corporations facing the constant challenge of protecting information from internal and external attacks. When companies implement EFS wisely, EFS provides great data security. Careless management of encryption keys can be damaging, resulting in the loss of valuable information and the exposure of confidential data. To successfully deploy EFS, you must create proper backup and recovery plans and carefully manage encryption keys.

Screen 1: the folder’s Data Properties dialog box with the Advanced attributes (image not reproduced in this copy)
