MCTS 70-680: Encrypting File System (EFS)


Uploaded by itfreetraining on 23.10.2011

Transcript:
Hello, welcome back to your free training series for Windows 7. In this video I will
look at the encrypted file system or EFS. EFS is supported only in Windows 7 Professional
or above. The encrypted file system is a system in Windows
that allows you to encrypt any file or folder on your hard disk. This helps to ensure only
the people who are allowed to read the file have access and also prevents what is called
an offline attack. An offline attack is when you boot off a boot disk or remove the hard
disk from the computer and place it in another computer. This kind of attack bypasses the
security of the operating system. By using EFS to encrypt your files, the attacker
will not be able to make sense of any of the files even when reading them using an offline
attack. To make EFS fast it uses a symmetric algorithm.
This essentially means it uses the same key to encrypt the file as to decrypt the file.
You may be wondering where this key is stored. Well, it is stored in the file that
you want encrypted. This may seem like a security risk, but the
way Windows gets around this is that attached to your user account is a certificate. This certificate
is used to encrypt the key stored in the file so it can’t be read without your certificate.
This essentially means the following. If you delete your user account, with it goes the
certificate needed to access the encrypted file. Even if you create a new user with the
same user name it will have a different certificate and not be able to access any files encrypted
with the other user's certificate. To get around this problem, Microsoft allows
you to do one of two things. Firstly you can back up your certificates. Backing up the
certificates allows you to access the file if the original certificate is lost, for
example if the user account is deleted. The second thing you can do is create what
is called a data recovery agent. A data recovery agent is a second user that has access to
the file. To make this work, EFS places a second copy of the symmetric key in the
file and this is encrypted with the data recovery agent certificate. Now you have two users
who can get access to the key when required. If more users need to access the file, you
can again add more keys to the file and these will be encrypted using the user’s certificate.
This makes EFS very expandable but does also mean that you have to start managing
certificates. If you are using a domain environment, you
can install a certificate authority in your domain to manage all these certificates. Doing
this is beyond the scope of this course and the exam. In this video I will look at how
to manage certificates locally. I now switch to my Windows 7 computer and start encrypting
some files. First of all I will open mmc from the start
menu. From here I will add the certificates snap-in. When you encrypt your first file
an EFS certificate is created automatically. Since no files have ever been encrypted on
this computer, when I open the folder personal under certificates there are no certificates
present. To encrypt some files, I will open Windows
explorer and go into a folder in the documents library I created called personal. To encrypt
a file, right click the file and select properties. From here select the button advanced.
To encrypt the file it is a simple matter of ticking the tick box encrypt contents to secure
data. Notice that if I tick the box compress contents to save disk space the encrypt tick
box is cleared. With Windows, you have the choice of one or the other, not both.
Once I tick the encryption tick box, all I need to do is press o.k. and exit out of the
properties for the file. Notice that I now get a dialog message asking me if I want to
encrypt the file and folder or just the file. It is recommended that you encrypt the folder
because software like Microsoft Word creates temporary files. If the temporary file is
not encrypted then the contents of the original file may be able to be found from the temporary
file. Once I press o.k. the file will be encrypted.
Notice that in Windows explorer the file name has now changed to green. If I now go back into
the certificates snap-in, you will notice that once I refresh the view by pressing F5,
an EFS certificate has been created. This certificate is used to protect and read the
symmetric encryption key contained in the file.
If this user was deleted, the certificate shown here would be deleted with the user.
If the certificate is not backed up and is lost then any files encrypted with this certificate
will not be readable. To help prevent this from happening it is best to create a data
recovery agent. I will now change to another user on this computer
called DRA. I have changed the wallpaper so the DRA user is easier to tell apart
from the other user. To create a data recovery agent for this user, I first need to export
a certificate that can be used to encrypt files and read them. To do this, open a command
prompt from the start menu and enter the command cipher with the r switch followed by colon
and the file name. Once I enter in a password to protect the
certificate two files will be created. The CER file has the public key which will be
used to encrypt files. The PFX file contains the private key which is used to decrypt files.
To configure a data recovery agent for this computer, open local group policy from the
start menu. From group policy expand into computer configuration, Windows settings,
security settings, public key policies and encrypting file system.
Currently there are no DRAs configured. To add one, right click encrypted file system
and select the option add data recovery agent. This will start the wizard, from the wizard
browse to the certificate file I exported earlier.
I will get a warning telling me Windows can’t tell if this certificate has been revoked.
This is normal when using self-signed certificates, which means the certificate was created on
the computer that it is being used on. Once I finish the wizard, the certificate
will be used to create a data recovery agent. Remember to configure a data recovery agent
before your users start encrypting files. If you don’t, any files encrypted before
the data recovery agent was set up will not be accessible by the recovery agent.
If I select properties for encrypted file system, notice that I have the option to switch
off encryption. On large networks it may be worth switching off encryption to prevent
your users using it if you don’t have a need for it. The last thing you want is your
end users flipping on encryption thinking it is a good idea without a data recovery
agent first being set up on your network. Now that I have configured a data recovery
agent, if I now go into the properties for the file that I encrypted earlier, select
advanced and then select the option details, notice now that the data recovery user account
is listed as a recovery certificate at the bottom of the screen.
If I exit out of here and now attempt to open the file, notice that I get an access denied
message. Since this file was encrypted before the data recovery agent was set up I will
not be able to access it. If the user writes to the file or re-encrypts the file the data
recovery agent will have access to the file. If I now switch back to the general user and
go back into the personal directory and create a new file, this file will be able to be opened
by the data recovery agent. If I go into the properties of the file, select advanced and
then select details, notice the recovery certificate is automatically added to the file. Notice
also that if I select the user, I have the option back up keys. Even with a data recovery
agent on your computer, you should at a minimum back up the keys to a safe location.
If I now switch back to my data recovery agent user and attempt to open the file I just created
I will get an error message saying access denied. I have done this on purpose to prove
a point. The data recovery agent has been set up correctly, but Windows does not have
a copy of the certificate installed. To show this, I will now open mmc from the
start menu and then add the certificate snap-in. If I now navigate to the personal folder,
notice there is no certificate on this computer. Thus there is no certificate installed to
decrypt files. To add the certificate I exported earlier,
I can simply double click on the file. Make sure you select the PFX file as this contains
the private key needed to decrypt files. If you add the CER file, this file does not
have the private key and thus can’t decrypt any files.
Once the wizard starts I will be asked for the password for the file. Once I have entered
the password I can next my way to the end of the wizard. The certificate has been imported
to the local computer. When I press F5 to refresh the certificates snap-in, I can now
see the certificate. If I attempt to open the file again, the file
will open this time without a problem. This user will now be able to open any encrypted
files created on this computer from this point onwards.
Encryption in Windows is a little hard to understand at first because there is so much
involved to get it to work. To better understand, let’s review how it works.
First of all you have a user on a system that wants to encrypt a file. When the file is
encrypted a symmetric key is used to encrypt the file. A symmetric key simply means the
same key is used to encrypt the file as to decrypt the file. Symmetric key encryption
is used because it is quite fast. The symmetric key is then stored with the
file. The problem is that anyone who can access the file could read the symmetric key. To
overcome this, when you encrypt your first file, Windows automatically creates a public
and private key to be used with EFS. The public key is used to encrypt the symmetric
key so it can’t be read without the private key.
The public key and private key are kept in the user profile, so it is recommended that
you back up the user's certificates and keep them in a safe place. Without the certificate
you can’t decrypt the symmetric key and thus decrypt the file.
On large networks, you are most likely going to want to configure a data recovery agent
or DRA. The DRA has its own public key and private key. When the user encrypts a
file, the symmetric key is again encrypted and combined with the file, but this time
another copy of the symmetric key is also placed with the file. The second key is encrypted
with the public key of the DRA. The DRA and the user can both decrypt a
copy of the symmetric key using their private keys. Notice however, the DRA can’t decrypt
the first file because there is no copy of a symmetric key in the file that has been
encrypted with the DRA’s public key. For the DRA to access this file, the user will
need to re-encrypt the file or open and resave the file. This is why it is so important to
set up DRA on your network before you start encrypting files.
If you have no plans to use encryption on your network, I would recommend switching
it off or changing the permissions for the end users so they can’t enable it. The last
thing you want is an end user to enable encryption, leave the company, have their account deleted
and then 6 months later realize you can’t access any of their files.
Notice also that if you want to enable more people to access the file it is a simple matter
of adding them. Windows will add a new symmetric key that has been encrypted with the user’s
public key to the file allowing them to decrypt the file.
Just remember that the certificate used to encrypt and decrypt files is created when
you first encrypt a file. If you attempt to add a user that has never encrypted a file
before you won’t be able to because no certificate exists for that user.
In order to get their name to appear, you need to have the user encrypt a file
and thus a certificate will automatically be created for them. To create the certificate,
you can also have the user run the command cipher with the slash k switch. This will
create the certificate without the need to encrypt any files.
The encryption system in Windows is quite powerful and needs to be managed correctly.
If it is not managed correctly then you risk not being able to access your files and thus
losing the data in those files forever. For these reasons make sure you back up your certificates
and where appropriate set up a data recovery agent.
The next video in this completely free series for Windows 7 for the 70-680 exam will look
at user account control. User account control helps protect your computer from having viruses
and spyware installed on your computer without your knowledge. I hope you
have enjoyed this video and thanks for watching.
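
A check for the point made in the transcript that files encrypted before the data recovery agent was configured carry no key copy for it. This PowerShell script is an added example, not part of the video: the CER path and folder are hypothetical, and `cipher /c` and `cipher /u` are cipher switches the video does not show.

```powershell
# Added example (not from the video). Assumed, hypothetical locations:
#   C:\Users\Public\dra.cer   - the CER file exported with "cipher /r:dra"
#   Documents\personal        - the folder holding the encrypted files
# Run it as the user who owns the files.
param(
    [string]$DraCer = 'C:\Users\Public\dra.cer',
    [string]$Path   = (Join-Path $env:USERPROFILE 'Documents\personal')
)

# Thumbprint of the recovery certificate, as hex without spaces.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCer
$thumb = $cert.Thumbprint

# Every file under $Path that carries the NTFS "Encrypted" attribute.
# PSIsContainer is used instead of -File so this also runs on the
# PowerShell 2.0 that ships with Windows 7.
$encrypted = @(Get-ChildItem -Path $Path -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

$report = @(foreach ($file in $encrypted) {
    # "cipher /c" lists the user and recovery certificates stored with the file.
    # Whitespace is stripped because cipher prints thumbprints in spaced groups.
    $text = (& cipher.exe /c $file.FullName | Out-String) -replace '\s', ''
    New-Object PSObject -Property @{
        File   = $file.FullName
        HasDra = ($text.IndexOf($thumb, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    }
})

$report | Sort-Object HasDra, File | Format-Table HasDra, File -AutoSize

# Files without the DRA thumbprint were encrypted before the agent was set up.
$missing = @($report | Where-Object { -not $_.HasDra })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} encrypted file(s) have no key copy for the DRA. " -f $missing.Count +
        "Have the owner re-encrypt or re-save them, or run 'cipher /u'.")
}
```

Files reported with HasDra set to False are the ones the recovery agent will get access denied on until the owner refreshes them.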