    Chapter 17. Managing File Encryption

    EFS Procedures

    At this point, you've probably had enough of the principles of operation of EFS and you're eager to put them into action. First, though, you need to buy yourself a little time while you plan your EFS deployment. You do not want to end up with hundreds or thousands of encrypted files scattered around your system without a clear plan for managing them.

    The subsequent sections describe how to create additional DRAs and deploy their public keys, how to protect the DRA private keys, how to encrypt files and folders, and how to recover encrypted files if the user should be unavailable. You'll also see how to use the CIPHER command-line utility to perform many of these tasks.

    Before deploying EFS, I highly recommend that you install at least one Certification Authority (CA) server in your organization. It does not need to be a Microsoft CA, but it does need to be able to issue EFS and File Recovery (FR) certificates. If you have a third-party CA in place, it's usually easiest to install a Microsoft Enterprise CA as a subordinate of that CA so you get Active Directory certificate deployment and the full range of certificate purposes. The instructions for deploying a Microsoft CA are in Chapter 18, "Managing a Public Key Infrastructure."

    When you're ready to deploy EFS, here is a quick checklist of items you'll need to perform:

    1. Identify administrators who you want to become Data Recovery Agents for their local OUs. Have them obtain File Recovery certificates.

    2. Import the FR public key certificates of the newly dubbed DRAs into the Encrypting File System group policy for GPOs linked to their local OUs.

    3. Export and remove the FR private keys of the DRAs and save them in a secure location for use when a file must be recovered.

    4. Import the FR public key certificate of the domain Administrator account. This enables EFS for Windows 2000 clients and sets up proper DRA certificate deployment for Windows Server 2003 and EFS clients.

    5. Enable the EFS group policy for Windows Server 2003 and XP clients.

    6. Encrypt folders and files at your laptops and desktops.

    7. Set a group policy to encrypt the offline file cache at your laptops and possibly at your desktops.

    In addition, you'll want to periodically test your ability to recover files as one of the local DRAs. The instructions for this are also included.

    Disable Encryption

    Windows Server 2003 and XP machines are capable of encrypting files without a DRA, which complicates the steps for disabling EFS in a mixed environment. You'll need to perform these three items to disable EFS on all your clients:

    • For servers running Windows Server 2003 and XP desktops in a Windows Server 2003 domain, set the Encrypting File System group policy to disable EFS.

    • For servers running Windows Server 2003 and XP desktops in a Windows 2000 domain, use a custom ADM (administrative) template to configure and distribute a group policy that will disable EFS.

    • For Windows 2000 servers and desktops in a Windows Server 2003 or Windows 2000 domain, remove the DRA File Recovery public key certificate from the Encrypting File System policy (Windows Server 2003) or Encrypted Data Recovery Agent policy (Windows 2000).

    If you have standalone servers running Windows Server 2003 or XP desktops, disable local file encryption via the Encrypting File System policy in the local security policies.

    Disable EFS on Windows Server 2003 and XP Clients in a Windows Server 2003 Domain

    You can disable file encryption at Windows Server 2003 and XP member computers in a Windows Server 2003 domain with a simple group policy option. Follow Procedure 17.2.

    Procedure 17.2 Disabling EFS Using Windows Server 2003 Group Policies

    1. Open the Group Policy Editor for the Default Domain GPO.

    2. Navigate to Computer Configuration | Windows Settings | Security Settings | Public Key Policies.

    3. Right-click the Encrypting File System icon and select PROPERTIES from the flyout menu.

    4. Uncheck the Allow Users To Encrypt Files Using Encrypting File System (EFS) option.

    5. Click OK to save the policy.

    The policy reaches the desktops at the next Group Policy refresh, which by default runs every 90 minutes plus a random offset of up to 30 minutes. You can force the update at a client by running gpupdate at a command prompt. Then attempt to encrypt a test folder or file and verify that the action is blocked.

    Disable EFS on Windows Server 2003 and XP Clients in a Windows 2000 Domain

    Disabling EFS on Windows Server 2003 and XP clients in a Windows 2000 domain requires a little extra work on your part. Windows 2000 group policies do not contain the EfsConfiguration setting that the Windows Server 2003 Encrypting File System policy uses to control EFS. You must create this policy yourself using a custom ADM template.

    Use Notepad to build the custom ADM template in the \Windows\INF directory on the PDC Emulator. (The PDC Emulator is the default server for modifying group policies.) You can name the file anything you like as long as it has an ADM extension; for example, call it Efs.adm.

    The contents of the file should look something like this. (Modify the double-quoted strings as you like, but keep each string on a single line and leave the SUPPORTED string as it stands to be consistent with other policies.)

    CLASS MACHINE

    ; Enabled writes EfsConfiguration=1 (EFS off); Disabled writes 0;
    ; Not Configured removes the value and leaves EFS available.
    CATEGORY "Special EFS Handling"
        POLICY "Disable XP and Windows Server 2003 EFS"
            #if version >= 4
                SUPPORTED "At least Microsoft Windows XP Professional"
            #endif
            KEYNAME "Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS"
            EXPLAIN "This policy stops XP desktops from encrypting files in a Windows 2000 domain. Enable the policy to disable EFS."
            VALUENAME "EfsConfiguration"
            VALUEON  NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
    END CATEGORY
    

    After you've created the template, load it into the Group Policy Editor by right-clicking the Administrative Templates icon, selecting ADD/REMOVE TEMPLATES from the flyout menu, then double-clicking the name of the template to load it. You should see the Category listing directly under the Administrative Templates icon. Figure 17.14 shows an example.

    Figure 17.14. Group Policy Editor showing custom ADM template containing special EFS handling policy.

    graphics/17fig14.gif

    When you enable the policy, it does not take effect until the next Group Policy refresh (every 90 minutes plus a random offset of up to 30 minutes). You can force the update at a client by running gpupdate at a command prompt. When you attempt to create an encrypted file, you should get an Access Denied error. If not, run gpresult /v to see if you are getting the policy. Here is a snippet of the proper results:

    Administrative Templates
    
        GPO: Default Domain Policy
            Setting: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
             State:   Enabled
    

    Be sure to put this policy in place before you begin deploying XP desktops. Identify any files that have been encrypted in the interim and decrypt them until you're ready to deploy file encryption on a production basis. Use cipher /u /n to search out encrypted files on a volume. You must be at the desktop (or take control via Remote Desktop) to run this utility.
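    Whichever of the two mechanisms above delivered the policy, the check that matters is the same: is the EfsConfiguration value present on the client, and is an encryption attempt actually refused? The following PowerShell script is an added example, not part of the book, that tests both. It assumes PowerShell has been installed on the client (it is not part of Windows XP or Windows Server 2003), that cipher.exe is on the path, and that %SystemDrive% is NTFS. The value it reads is the one the custom ADM template writes; that the Windows Server 2003 policy option in Procedure 17.2 lands in the same value is an assumption here, which is why the script probes real behaviour as well as the registry. The folder name EfsPolicyCheck is illustrative.

```powershell
# Added example (not from the book): confirm that the "disable EFS" policy
# has reached this machine and is enforced. Assumes PowerShell is installed
# and cipher.exe is on the path; EfsPolicyCheck is an illustrative name.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsPolicyState {
    # EfsConfiguration = 1 means "EFS disabled by policy". A missing value
    # means no policy was delivered at all, which is not the same as enabled.
    $value = $null
    if (Test-Path $policyKey) {
        $value = (Get-ItemProperty -Path $policyKey).EfsConfiguration
    }
    if ($value -eq $null) { return 'NoPolicy' }
    if ($value -eq 1)     { return 'Disabled' }
    return 'Enabled'
}

function Test-EfsBlocked {
    # Try to encrypt a scratch file. When EFS is disabled the Encrypted
    # attribute (0x4000) never appears; when it is enabled it does, and the
    # probe file is decrypted again before the folder is removed.
    param([string]$Volume = $env:SystemDrive)
    $dir  = Join-Path $Volume 'EfsPolicyCheck'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir 'probe.txt'
    Set-Content -Path $file -Value 'efs policy probe'
    & cipher.exe /e /a $file | Out-Null          # /a: operate on the file itself
    $attrs     = (Get-Item $file).Attributes
    $encrypted = ([int]($attrs -band [IO.FileAttributes]::Encrypted)) -ne 0
    if ($encrypted) { & cipher.exe /d /a $file | Out-Null }
    Remove-Item -Path $dir -Recurse -Force
    return (-not $encrypted)
}

$state   = Get-EfsPolicyState
$blocked = Test-EfsBlocked
"Policy value: $state; encryption attempt blocked: $blocked"
if ($state -eq 'Disabled' -and -not $blocked) {
    'Policy value present but not enforced: run gpupdate /force, then gpresult /v.'
}
if ($state -eq 'NoPolicy') {
    'No EfsConfiguration value delivered: check GPO link and scope with gpresult /v.'
}
```

    Run it as a member of the local Administrators group after gpupdate; a result of Disabled together with blocked = True is the state you want on every client before EFS is rolled out deliberately.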

    Disable EFS on Windows 2000 Clients in a Windows Server 2003 Domain

    To disable EFS on Windows 2000 clients, you must remove the FR public key certificate of the DRA from group policies. Without this certificate, the clients will refuse to encrypt files.

    Export a copy of the certificate before you remove it so you can import it back when you're ready to deploy EFS. Even if you plan on deploying EFS immediately, it is a good practice to export the certificate and store a copy just in case someone accidentally deletes it from the group policy. The public key does not need special handling other than to be sure you have enough copies so that a single bad floppy doesn't cause a loss of the file. Follow Procedure 17.3.

    Procedure 17.3 Exporting and Deleting the FR Public Key Certificate

    1. Open the AD Users and Computers console, open the Properties window for the domain, select the Group Policy tab, select the Default Domain Policy GPO, and click Edit to open the Group Policy Editor.

    2. Navigate to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System.

    3. Right-click the Administrator certificate icon in the right pane and select ALL TASKS | EXPORT from the flyout menu. The Certificate Export Wizard starts.

    4. Click Next. The Export Private Key window opens. Select the No, Do Not Export The Private Key radio button.

    5. Click Next. The Export File Format window opens. Select one of the certificate types. They are all cryptographically equivalent.

    6. Click Next. The File To Export window opens. Enter or browse to a path and filename you want to assign to the certificate, such as AdminPublicFR.cer.

    7. Click Finish. The wizard closes. Verify that the certificate file is in the location you designated.

    After copying the file to different media, you can delete the certificate from the Encrypting File System group policy. Be sure to delete just the certificate, not the policy itself. If you delete the policy, Windows 2000 clients will encrypt their files using the local DRA.

    Configure Additional DRAs

    If you lose the FR private key issued to the Administrator account by deleting the profile at the first domain controller in the domain, you cannot recover files. For this reason, assigning additional DRAs should be high on your priority list before deploying EFS.

    If you have geographically defined OUs, it is a good practice to create GPOs for each OU that contains the Encrypting File System policy for the DRA or DRAs in that OU. Said another way, you want a local administrator's pager to go off when a user cannot get access to an encrypted folder. For instance, you can create a GPO called PhxEFS, link it to the Phoenix OU, then load the FR public key certificate of the DRA in Phoenix into the Encrypting File System policy of the PhxEFS GPO.

    Here is an important note. DRA certificates in cascaded GPOs are not cumulative. In other words, a client only gets the DRAs in the Encrypting File System policy closest to the computer object in Active Directory. All others are ignored. Therefore, don't expect to see the domain Administrator account on the list of DRAs if you assign DRAs in a GPO linked to an OU.

    EFS obtains only one FR certificate automatically, that of the domain DRA. To obtain additional FR certificates, the administrator who you have designated to be a local DRA must obtain an FR certificate. The operation uses the Certificates snap-in. Obtain FR certificates as shown in Procedure 17.4.

    Procedure 17.4 Obtaining FR Certificates for Additional DRAs

    1. Log on as an administrator who has been designated as a DRA.

    2. Load the Certificates snap-in into an MMC console.

    3. Under Certificates - Current User, right-click the Personal folder and select REQUEST NEW CERTIFICATE from the flyout menu. This launches the Certificate Request Wizard.

    4. Click Next. The Certificate Types window opens (see Figure 17.15). Select EFS Recovery Agent from the list of certificate types. (You will get an error if the client cannot contact a CA.)

      Figure 17.15. Certificate Request WizardCertificate Types window showing EFS Recovery Agent selection.

      graphics/17fig15.jpg

    5. Click Next. The Certificate Friendly Name and Description window opens. Enter a short name for the Certificate and a description, if you desire. You can leave these fields blank, if you like.

    6. Click Next. A summary window opens listing your selections.

    7. Click Finish to request the certificate. You should get a Certificate request was successful. message when the transaction with the CA is complete.

    8. Expand the tree under Personal | Certificates to see the new certificate. The Intended Purpose column lists File Recovery as the purpose.

    9. Publish this certificate in Active Directory by dragging a copy to Certificates | Active Directory User Object | Certificates.

    When you use the preceding steps to request an FR certificate, two items are produced:

    • An FR key pair, generated locally by the client's cryptographic service provider (CSP). The private key never leaves the requesting machine; the CA sees only the public key in the request.

    • An X.509 certificate, issued by the CA, that binds the FR public key to the DRA's identity and carries the File Recovery purpose.

    The local crypto provider stores the private key in the administrator's local profile. We'll see a little later how to export the FR private key to a PKCS #12 (PFX) certificate file so it can be stored safely and the local copy deleted.

    Load New DRAs into EFS Group Policies

    Now that you have FR public key certificates for all your DRAs, you need to put their certificates into the GPOs linked to their OUs so clients in the OUs will download the certificates and use them when encrypting files. To do this, follow Procedure 17.5.

    Procedure 17.5 Loading an FR Public Key into the EFS Group Policy

    1. Open the AD Users and Computers console.

    2. Open the Properties window for the OU where you want to have a new GPO.

    3. Select the Group Policy tab.

    4. Click New to add a new GPO. Give the GPO a name such as PhxEFS.

    5. Click Edit to open the Group Policy Editor.

    6. Navigate to Computer Configuration | Windows Settings | Security Settings | Public Key Policies.

    7. Right-click Encrypting File System and select ADD DATA RECOVERY AGENT from the flyout menu. The Add Recovery Agent Wizard opens.

    8. Click Next. The Select Recovery Agents window opens.

    9. Click Browse Directory. The Find Users, Contacts, and Groups window opens. Use this window to locate the name of the DRA that you used to obtain an FR certificate in the previous steps. The user's distinguished name appears under Recovery Agents.

    10. Click Next. A summary window opens.

    11. Click Finish to load the certificate into the policy.

    It will take 90 plus/minus 30 minutes for this policy to be felt at the desktops. You can force an update at a client by running gpupdate on a client in the OU. Encrypt a test file on an XP desktop and use Details to view the DRA list (or run efsinfo /r if you have the support tools loaded). The new DRA should be listed and the domain Administrator account will not appear on the list.

    Export and Delete FR Private Keys

    Without maintaining access control on the FR private keys, you cannot ensure the ongoing security of your EFS subsystem. Here are the general actions for securing an FR private key:

    1. Export the FR private key to a certificate.

    2. Save the FR certificate to several media and secure the media in a safe or vault.

    3. Delete the FR private key from the profile on the machine where the DRA requested the certificate (not necessarily a domain controller).

    The steps in Procedure 17.6 describe how to perform these operations. Perform them at the machine where the DRA obtained the FR certificate.

    Procedure 17.6 Exporting and Deleting an FR Private Key

    1. Load the Certificates snap-in into an MMC console.

    2. Expand the tree to Certificates - Current User | Personal | Certificates. If the File Recovery certificate is not there, you have logged on at the wrong machine or with the wrong account.

    3. Right-click the File Recovery certificate and select ALL TASKS | EXPORT from the flyout menu. This starts the Certificate Export Wizard. Use the Intended Purposes column to find the right certificate.

    4. Click Next. The Export Private Key window opens. Select Yes, Export The Private Key.

    5. Click Next. The Export File Format window opens (see Figure 17.16). The only available format for this operation is the PKCS #12 format, which encrypts the private key for additional protection.

      Figure 17.16. Certificate Export WizardExport File Format.

      graphics/17fig16.jpg

      Leave the Enable Strong Protection option selected. This uses an advanced form of encryption that is not available for pre-SP4 versions of classic NT.

    6. Click Next. The Password window opens. Enter a password and confirm. There are no complexity requirements, but this password is the only protection on the private key once the PFX file leaves the machine, so use a long passphrase with non-alphabetic characters and keep it separate from the media.

    7. Click Next. The File To Export window opens. Enter the name you want to give the exported certificate. The name has no cryptographic significance. Include something in the name that indicates the user it belongs to, such as PhxAdminPrivate.

    8. Click Next. A summary window opens.

    9. Click Finish. The wizard writes the certificate file and then informs you when the export has been successfully completed.

    10. Close the Certificates console.

    Be sure to save several copies of the exported certificate and lock the copies in a safe place.

    Always test the private key certificate before deleting the private key from the server. Do so by importing the key from the certificate at another machine (server or desktop) and then verifying that you can open encrypted files at the desktop.

    After you've verified the contents of the certificate, delete the FR private key from the server via the Certificates snap-in. This prevents unauthorized individuals from using the DRA's credentials to log on and then opening encrypted files.

    Set Folder Encryption at Laptops

    You're now ready to let your users encrypt their files. Encourage them to set encrypting on folders, not files, then save files in the encrypted folders. This avoids creating clear-text temp files.

    If a user enables encryption on a folder that already contains files, the files will be encrypted in place. Each one is rewritten through a clear-text temporary copy, so show the user how to run cipher /w:<drive> afterward to overwrite the free space where those copies lived.

    If a file is locked by another process when Explorer tries to encrypt it, a warning appears with the option to Retry or Ignore. Have the user make note of the locked file so she can encrypt it later after the lock has been released.

    Encrypting Folders

    To enable encryption for a folder, follow Procedure 17.7.

    Procedure 17.7 Setting Folder Encryption

    1. Open Explorer.

    2. Navigate to the folder you want to encrypt. (Users with roaming profiles cannot encrypt the My Documents folder or any other component of their profiles.)

    3. Open the Properties window for the folder.

    4. Click Advanced. The Advanced Attributes window opens.

    5. Select the Encrypt Contents To Secure Data option. You cannot select both this and the Compress Contents option; NTFS encryption and compression are mutually exclusive.

    6. Click OK to save the selection and return to the main Properties window.

    7. Click OK to apply the change and encrypt the folder. The Confirm Attribute Changes window opens.

    8. Select Apply Changes To This Folder, Subfolders, and Files. This ensures that all the contents of the folder and any subfolders the user may create are encrypted.

    Show the user how to determine the encryption status by the color of the text for the folder or file. If the color does not change, enable the Show Encrypted or Compressed NTFS Files in Color option in the View tab of the Folder Options window. The user can also see the encryption status in the web content portion of the folder window.

    Managing Certificates Using CIPHER

    You can generate an FR certificate pair (an X.509 public key certificate and a PKCS #12 file holding the private key) from the command line using CIPHER. No CA is involved; the certificate is self-signed.

    The syntax is cipher /r:<file_name>, where <file_name> is the base name you want to assign to the certificate files. CIPHER prompts for a password to protect the PFX file and then writes <file_name>.cer and <file_name>.pfx.

    After the files have been generated, double-click the PFX file to launch the Certificate Import Wizard and import the private key into your Personal certificate store. Be sure to put it into your Personal store and nowhere else. The CER file is the one you load into the Encrypting File System group policy.

    If you install a new DRA and you want to refresh existing encrypted files with the public key of the new DRA, enter cipher /u. This updates all encrypted files on the volume that can be accessed by the user running CIPHER. You can verify that the new DRA is in place by selecting the Advanced tab in the file Properties window and then clicking Details.
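    The cipher /r route described in Managing Certificates Using CIPHER is the quickest way to produce an FR certificate pair for an additional DRA (Procedure 17.4 is the CA route), but a self-signed certificate deserves a check before it goes into a GPO: EFS requires the File Recovery purpose on a recovery agent certificate, and a certificate carrying only the EFS purpose is a user certificate, not a DRA. The following PowerShell script is an added example, not from the book. It runs cipher /r, then reads the resulting .cer and checks that it carries the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) rather than only the EFS usage (OID 1.3.6.1.4.1.311.10.3.4). It assumes PowerShell is installed and that cipher.exe from Windows XP or Windows Server 2003 is on the path; the base name PhxAdminFR is illustrative.

```powershell
# Added example (not from the book): generate a File Recovery certificate
# pair with cipher /r and verify its purpose before loading it as a DRA.
# Assumes PowerShell and cipher.exe (XP / Server 2003). PhxAdminFR is an
# illustrative base name.

$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery"
$efsOid          = '1.3.6.1.4.1.311.10.3.4'     # EKU "Encrypting File System"

function New-RecoveryAgentCertificate {
    param([string]$BaseName)
    # Use a full path so cipher and the .NET loader agree on where the files
    # are. cipher /r prompts twice for the .pfx password; it cannot be given
    # on the command line, so this step is interactive by design.
    $base = Join-Path (Get-Location).Path $BaseName
    & cipher.exe "/r:$base"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
    foreach ($f in "$base.cer", "$base.pfx") {
        if (-not (Test-Path $f)) { throw "cipher /r did not produce $f" }
    }
    return @{ Cer = "$base.cer"; Pfx = "$base.pfx" }
}

function Test-RecoveryAgentCertificate {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    return @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsRecovery = ($ekus -contains $fileRecoveryOid)
        IsPlainEfs = ($ekus -contains $efsOid) -and -not ($ekus -contains $fileRecoveryOid)
    }
}

$files = New-RecoveryAgentCertificate -BaseName 'PhxAdminFR'
$info  = Test-RecoveryAgentCertificate -CerPath $files.Cer
$info
if (-not $info.IsRecovery) {
    throw "$($files.Cer) lacks the File Recovery purpose; do not load it as a DRA."
}
# The .cer is what goes into the Encrypting File System policy (the Add
# Recovery Agent Wizard's Browse Folders button takes a .cer file). The
# .pfx holds the private key and belongs in the safe, not on this machine.
```

    Record the thumbprint the script prints; it is the value you compare against the Details view of an encrypted file (or efsinfo /r) after the GPO has refreshed, and it is the only reliable way to tell two certificates with the same subject apart.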

    Assigning Additional Users to an Encrypted File

    A user who has encrypted a file can give access to additional users. This is done via the Properties window of the file by clicking Advanced under attributes and then Details. Figure 17.17 shows an example.

    Figure 17.17. Detailed Encrypting File System properties showing the selection of additional users who can access an encrypted file.

    graphics/17fig17.gif

    The selected user or users must have an EFS public key certificate either in a certificate store at the machine or in their Active Directory account. If the user has never encrypted a file before, you need to have him encrypt a file on a member computer in the domain to obtain an EFS certificate. The certificate will be copied to the user's Active Directory account automatically. You can also walk the user through loading the Certificates snap-in to request an EFS certificate from a CA. Personally, I think the first option is simpler.

    Encrypting Individual Files

    If users insist on encrypting individual files, you can simplify the operation for them by placing an ENCRYPT/DECRYPT option on the flyout menu. This requires a Registry change to add a new value. Here is the information:

    Key:    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Value:  EncryptionContextMenu
    Data:   1 (REG_DWORD)


    Encrypting Files and Folders Using CIPHER

    If you prefer a command-line alternative for manipulating encrypted files, use the CIPHER utility:

    • To set the encryption flag on a folder and its subfolders, enter cipher /e /s:<folder_name>. This causes any new files in the folder tree to be encrypted, but does not encrypt existing files.

    • To set the encryption flag on a folder and encrypt existing files, enter cipher /e /a /i /s:<folder_name>. The /a switch includes files as well as folders, and the /i switch forces the encryption to continue even if it encounters a locked file. This operation rewrites each file through a clear-text temp copy and should be followed by cipher /w:<drive> to overwrite the unallocated space on the volume.

    • To decrypt a folder, enter cipher /d <folder_name>. To decrypt the files underneath the folder as well, use cipher /d /a /i /s:<folder_name>.
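    The CIPHER commands above set the flag and encrypt what they can, but they do not tell you which files /i skipped, and the cipher /w step is easy to forget. The following PowerShell script is an added example, not from the book, that wraps the three steps: encrypt the tree, list every file that still lacks the Encrypted attribute (the locked ones), and wipe the free space on that volume. It assumes PowerShell and cipher.exe on the client; D:\Data is an illustrative folder, and the user's profile is deliberately not the target (see Procedure 17.7, step 2).

```powershell
# Added example (not from the book): command-line folder encryption with
# the two checks the GUI does not give you. Assumes PowerShell and
# cipher.exe; D:\Data is illustrative.

$encryptedBit = [IO.FileAttributes]::Encrypted   # 0x4000

function Protect-FolderTree {
    param([string]$Folder)
    if (-not (Test-Path $Folder)) { throw "$Folder does not exist" }
    # /e set the flag, /a include files, /i keep going past locked files,
    # /s: recurse. Existing files are rewritten, which is what leaves the
    # clear-text fragments that Clear-FreeSpace scrubs below.
    & cipher.exe /e /a /i "/s:$Folder" | Out-Null
}

function Get-UnencryptedFiles {
    # Anything without the Encrypted attribute after the run is a straggler,
    # typically a file another process had open. Hand the list to the user.
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { ([int]($_.Attributes -band $encryptedBit)) -eq 0 } |
        ForEach-Object { $_.FullName }
}

function Clear-FreeSpace {
    # cipher /w takes a directory and overwrites the unallocated space of
    # the volume that holds it. It is safe on a live system but slow on
    # large volumes, so run it once after the whole tree is done.
    param([string]$Folder)
    $root = [IO.Path]::GetPathRoot((Resolve-Path $Folder).Path)
    & cipher.exe "/w:$root" | Out-Null
}

$target = 'D:\Data'   # illustrative: the user's data folder, never the profile
Protect-FolderTree -Folder $target
$left = @(Get-UnencryptedFiles -Folder $target)
if ($left.Count -gt 0) {
    "Still clear text (locked during the run; re-run after closing them):"
    $left
}
Clear-FreeSpace -Folder $target
```

    Running Get-UnencryptedFiles on its own is also a cheap way to audit a laptop later: the list it returns is equivalent to what cipher /u /n shows, but filtered to the one tree you care about.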

    Encrypted File Recovery

    If a user is unavailable to open an encrypted file, you can open it using the Data Recovery Agent's credentials, provided the DRA's private key is present on the machine where the file is opened. There are no special recovery mechanisms or recovery applications. The steps are as follows:

    1. Import the DRA's FR private key from its saved certificate to a recovery machine. This machine does not need to be a server, but it should be running either Windows Server 2003 or XP and it must be a domain member.

    2. Transport the encrypted files to the recovery machine using Ntbackup.

    3. Open and decrypt the files using the DRA's credentials.

    4. Delete the DRA's private key from the recovery machine.

    5. Wipe the drive to remove vestiges of the private key.

    The only step in this list that requires detailed instructions is importing the FR private key certificate. This is the PFX certificate you stashed on a floppy or CD in a safe. Follow Procedure 17.8.

    Procedure 17.8 Importing an FR Private Key from a PFX Certificate

    1. Copy the PFX file containing the FR private key to the hard drive of a machine running Windows Server 2003 or XP. I'll call this the Recovery machine.

    2. Open Explorer and navigate to the folder containing the PFX file.

    3. Double-click the file. The Certificate Import Wizard starts.

    4. Click Next. The File To Import window opens. Make sure the filename is properly displayed.

    5. Click Next. The Password window opens. Enter the password that was assigned to the PFX file when it was exported. Do not select the Mark This Key As Exportable option. You will be deleting this copy of the key as soon as you're done with it.

    6. Click Next. The Certificate Store window opens. Select the Place All Certificates In The Following Store option and then click Browse.

    7. Highlight the Personal folder in the logical certificate store hierarchy and click OK to return to the wizard.

    8. Click Next. A summary window opens.

    9. Click Finish. The key is extracted from the certificate and placed in the Personal store. The wizard notifies you with a The import is successful. message.

    10. Now, open any encrypted files and recover them by copying the contents to another location, assigning another user to the file, or decrypting them permanently.
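    Steps 1 through 5 of the recovery list, and Procedure 17.8 in particular, can be driven from PowerShell so that the import flags, the decryption and the key deletion are explicit rather than left to wizard checkboxes. The following script is an added example, not from the book. It imports the PFX without the exportable flag, decrypts every encrypted file under a restored folder, then deletes the key container and the store entry and wipes free space. It assumes PowerShell and cipher.exe on a Windows XP or Windows Server 2003 recovery machine, and that the files were already restored there with Ntbackup; the paths are illustrative.

```powershell
# Added example (not from the book): Procedure 17.8 plus the clean-up that
# follows it. Assumes PowerShell and cipher.exe on the recovery machine and
# that Ntbackup has restored the files into $restoredFolder. Paths are
# illustrative.

$pfxPath        = 'A:\PhxAdminPrivate.pfx'   # the PFX from the safe
$restoredFolder = 'D:\Recovery\JSmith'       # where Ntbackup put the files
$encryptedBit   = [IO.FileAttributes]::Encrypted

function Import-RecoveryKey {
    param([string]$PfxPath, [System.Security.SecureString]$Password)
    # UserKeySet + PersistKeySet, and deliberately NOT Exportable: this is
    # the wizard's "Mark this key as exportable" box left unchecked. Without
    # PersistKeySet the key container would vanish with this object and the
    # store entry would be useless to EFS.
    $f     = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $f::UserKeySet -bor $f::PersistKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
    if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Add($cert)          # EFS looks for recovery keys in the user's Personal store
    $store.Close()
    return $cert
}

function Unprotect-RecoveredFiles {
    param([string]$Folder)
    $decrypted = @(); $failed = @()
    $files = Get-ChildItem -Path $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and (([int]($_.Attributes -band $encryptedBit)) -ne 0) }
    foreach ($f in $files) {
        try   { [IO.File]::Decrypt($f.FullName); $decrypted += $f.FullName }
        catch { $failed += $f.FullName }   # no usable key: encrypted under a different DRA
    }
    return @{ Decrypted = $decrypted; Failed = $failed }
}

function Remove-RecoveryKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Deleting only the store entry leaves the CSP key container in the
    # profile. Clear the container first, then remove the certificate.
    $rsa = $Cert.PrivateKey
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Remove($Cert)
    $store.Close()
}

$password = Read-Host 'PFX password' -AsSecureString
$dra      = Import-RecoveryKey -PfxPath $pfxPath -Password $password
$result   = Unprotect-RecoveredFiles -Folder $restoredFolder
"Decrypted: $($result.Decrypted.Count)  Failed: $($result.Failed.Count)"
$result.Failed
Remove-RecoveryKey -Cert $dra
# Overwrite free space so the deleted key container and the temp copies
# made during decryption cannot be carved off the disk later.
& cipher.exe "/w:$([IO.Path]::GetPathRoot($restoredFolder))" | Out-Null
```

    A non-empty Failed list means those files were encrypted under a DRA whose key you did not import, which is exactly the situation the note about non-cumulative DRA policies in cascaded GPOs warns about; check the Details view of one of them to see which agent it expects.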

    Transporting Encrypted Files to New Machines

    If a user changes laptops and wants to transfer encrypted files to the new machine, you face a bit of work. You cannot simply copy the encrypted files over the network to the new computer. You must do the following:

    1. Back up the encrypted files to a backup file at the user's laptop (or a network drive).

    2. Configure a roaming profile for the user.

    3. Log the user on at the new machine with the roaming profile.

    4. Copy the backup file to the new machine.

    5. Restore the encrypted files on the disk of the new machine.

    6. Verify that the user can open the files.

    If you do not want to use a roaming profile, you can export the user's certificates using the Certificates snap-in and then import them at the new machine. Remember that you must be logged on with the user's credentials. Be sure to give the PFX certificate containing the private key a strong password and delete it off the old machine when you have completed the transfer, then run cipher /w:<drive> to overwrite the free space the deleted file occupied.
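    Procedure 17.6 (exporting and deleting a DRA's FR private key) and the certificate-export alternative for a laptop swap just described are the same operation with a different certificate: find the key pair in the Personal store by its purpose, export it to a password-protected PFX, prove the PFX opens, and only then remove the key from the profile. The following PowerShell script is an added example, not from the book, that does exactly that for the logged-on DRA's File Recovery key and, with the EFS purpose OID instead, for a user's own EFS key pair. It assumes PowerShell is installed, that you are logged on as the owner of the key, that the key was issued or imported as exportable, and that cipher.exe is on the path. The file name and the 20-character minimum are local choices; the round-trip test here only proves the PFX file is intact, so the book's test of opening encrypted files on another machine still applies before you destroy the last copy.

```powershell
# Added example (not from the book): Procedure 17.6 from the command line,
# with test-before-delete built in. Pass $efsOid instead of $fileRecoveryOid
# to move a user's own EFS key pair to a new laptop. Assumes PowerShell,
# an exportable key in the logged-on user's Personal store, and cipher.exe.
# File names and the 20-character passphrase minimum are local choices.

$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery"
$efsOid          = '1.3.6.1.4.1.311.10.3.4'     # EKU "Encrypting File System"

function Get-KeyCertificates {
    # Certificates in the Personal store that have a private key and carry
    # the requested enhanced key usage, newest first.
    param([string]$EkuOid)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    $found = @()
    foreach ($c in $store.Certificates) {
        if (-not $c.HasPrivateKey) { continue }
        foreach ($ext in $c.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $EkuOid) { $found += $c }
                }
            }
        }
    }
    $store.Close()
    $found | Sort-Object NotAfter -Descending
}

function Export-KeyToPfx {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$PfxPath, [System.Security.SecureString]$Password)
    if ($Password.Length -lt 20) { throw 'Use a passphrase of at least 20 characters; it is the only protection on this file.' }
    $type  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $Cert.Export($type, $Password)     # PKCS #12, private key encrypted under the passphrase
    [IO.File]::WriteAllBytes($PfxPath, $bytes)
}

function Test-PfxRoundTrip {
    # Re-open the file the way the recovery machine will. No PersistKeySet:
    # the key container is temporary and disappears with the object.
    param([string]$PfxPath, [System.Security.SecureString]$Password, [string]$ExpectedThumbprint)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
    $ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $ExpectedThumbprint)
    $check.Reset()
    return $ok
}

function Remove-KeyFromProfile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Clear the CSP key container, then the store entry; removing only the
    # store entry would leave the private key on disk.
    $rsa = $Cert.PrivateKey
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Remove($Cert)
    $store.Close()
}

# --- File Recovery key of the logged-on DRA (Procedure 17.6) ---
$certs = @(Get-KeyCertificates -EkuOid $fileRecoveryOid)
if ($certs.Count -ne 1) { throw "Expected exactly one File Recovery key, found $($certs.Count)" }
$fr   = $certs[0]
$pfx  = 'A:\PhxAdminPrivate.pfx'     # illustrative; write several copies to separate media
$pass = Read-Host 'Passphrase for the PFX' -AsSecureString
Export-KeyToPfx -Cert $fr -PfxPath $pfx -Password $pass
if (-not (Test-PfxRoundTrip -PfxPath $pfx -Password $pass -ExpectedThumbprint $fr.Thumbprint)) {
    throw 'Exported PFX did not round-trip; do not delete the local key'
}
Remove-KeyFromProfile -Cert $fr
& cipher.exe "/w:$env:SystemDrive\" | Out-Null   # scrub free space where the container lived
```

    For the laptop swap, log on as the user on the old machine and run the same functions with -EkuOid $efsOid; the PFX then goes through the import on the new machine (the same import the recovery example uses, minus the delete-afterwards step) before you wipe the old one.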
