LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated November 19, 2003


EFS Tips

The best practice for using encryption is to first encrypt the folder, and then move the files you wish to protect into that folder.

DO NOT encrypt the drive that contains your system folder (WINNT). This could have a significant impact on performance, and could cause your machine to become unbootable. 

You can either compress or encrypt a folder; you cannot do both.

If you move an encrypted file to a drive that doesn't use NTFS (including a floppy disk), the file will not retain its encryption.

Regardless of who encrypted the file, if your Windows 2000/XP workstation is not part of a domain, the local Administrator account can decrypt the file.
Encrypting File System (EFS) Resources

Windows 2000's Encrypting File System (EFS) enables users to encrypt and decrypt files. You can use EFS to keep files safe from intruders who might gain unauthorized physical access to sensitive, stored data (for example, by stealing a laptop or external disk drive). The encryption is transparent to the users and you can access encrypted files the same way you would any other files or folders. However this added security requires a bit of pre-planning to make sure you can recover data if you need to.

Where to Start...

Best Practices for Encrypting File System
Microsoft Knowledge Base Article: 223316 - Windows 2000 includes the ability to encrypt data directly on volumes that use the NTFS file system so that the data cannot be used by any other user. Files and folders can be encrypted by setting an attribute in the object's Properties dialog box. Because the encryption/decryption process is transparent to users, it is important that organizations that want to use file encryption to its fullest extent promote strong guidelines regarding its usage. 

Encrypting and decrypting data with Encrypting File System
Users can use Encrypting File System (EFS) to encrypt their files and to access their encrypted files. Source: Microsoft.com

Encrypting File System: Your Secrets are Safe
The Encrypting File System (EFS) that is included with the Windows 2000 operating system provides the core file encryption technology to store NTFS files encrypted on disk. EFS particularly addresses security concerns raised by tools available on other operating systems that allow users to physically access files from an NTFS volume without an access check. Source: Microsoft.com

Encrypting File System for Windows 2000
This document provides an executive summary and a technical overview of EFS and looks at the issues of data access scenarios and the limitations of the approaches that some products on the market have in trying to solve system, file, and data security problems. Source: Microsoft.com

Encrypting File System for Windows 2000 White Paper
Abstract: This document provides an executive summary and a technical overview of the encrypting file system (EFS) that is included with the Microsoft Windows 2000 operating system. Source: Microsoft.com

HOW TO: Encrypt Files and Folders on a Remote Windows 2000 Server 
Microsoft Knowledge Base Article: 320044 - This step-by-step article describes how to use Encrypting File System (EFS) to encrypt files and folders on a remote Windows 2000-based computer.

Working With Windows 2000 NTFS Encryption
You may have heard that the version of the NTFS file system included with Windows 2000 differs from that included with prior versions of Windows NT. This new version of NTFS supports such features as disk quotas and file-level encryption. We'll discuss some of the issues you'll face over time if you decide to implement NTFS encryption. Source: 8 Wire (March 19, 2001)

Additional Articles worth reading....

All you need to know about compression and encryption for Exam 70-210
A quick primer on subjects covered for the Windows 2000 Professional MCSE exam. Includes rules for moving and copying compressed and encrypted file and folders. Source: Swynk.com

Encrypting Files in Windows 2000
Microsoft Knowledge Base Article: 222054 - Windows 2000 includes the Encrypting File Service (EFS) that you can use to encrypt files and folders directly on the storage media, either locally or

Hardening EFS
Win2K's Encryption File System (EFS) provides users with a simple, transparent way to encrypt files. But before enabling this feature, make sure to set up and troubleshoot the backend key-management and -recovery infrastructure. Source: Information Security Magazine (Feb 2000)

How to Back Up Your Encrypting File System Private Key
Microsoft Knowledge Base Article: 241201 - This article describes how to back up your Encrypting File System (EFS) private key so that you can recover encrypted data in the event that you lose the copy on your computer.

HOW TO: Configure a Domain EFS Recovery Policy 
Microsoft Knowledge Base Article: 313365 - This step-by-step article describes how to configure a domain Encrypting File System (EFS) recovery policy.

How to Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer
Microsoft Knowledge Base Article: 243035 - Describes how to disable and enable the Encrypting File System (EFS) on Windows 2000-based computers that are not members of a Windows 2000

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain 
Microsoft Knowledge Base Article: 222022 - Microsoft Windows 2000 includes an encryption tool called Encrypting File System (EFS). Clients can use this tool to protect files by encrypting them. However, it is possible that in some environments, an administrator may want to prevent users from encrypting data on their workstations. An administrator can do so for domain clients by modifying a controlling group policy object (GPO) or locally with a local GPO. 

HOW TO: Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer 
Microsoft Knowledge Base Article: 243035 - This article describes how to disable and enable the Encrypting File System (EFS) on Windows 2000-based computers that are not members of a Windows 2000-based domain. EFS is designed to work only when a recovery agent is available before a file can be encrypted. By default, the local Administrator account is used as the designated recovery agent for stand-alone Windows 2000-based computers

How to Enable the Encryption Command on the Shortcut Menu
Microsoft Knowledge Base Article: 241121 - This article describes how to add the Encrypt/Decrypt command to the shortcut menu that appears when you right-click a file or folder. 

How to Encrypt Data Using EFS in Windows 2000
Microsoft Knowledge Base Article: 230520 - Describes how to encrypt data using the Encrypting File System (EFS) in Windows 2000.

How to Prevent Files from Being Encrypted When Copied to a Server
Microsoft Knowledge Base Article: 302093 - You may want to have files in an encrypted state by using the Windows 2000 Encrypting File System (EFS) feature, such as on a laptop computer, while still having the ability to copy these files in an unencrypted state to a central server to share with other users. This article describes how to cause encrypted files that are copied to a particular Windows 2000-based computer to be stored on that computer in an unencrypted state.

HOW TO: Reinitialize the EDRP on a Workgroup Computer Running Windows 2000 
Microsoft Knowledge Base Article: 257705 - This article describes how to reinitialize the local recovery policy on a Windows 2000-based computer. This process does not reinitialize a domain recovery policy. For Windows 2000-based domain members, the local recovery policy is superseded by the domain recovery policy.

HOW TO: Set Up EFS for Secure Access to Data on a File Server or an Intranet in Windows 2000  
Microsoft Knowledge Base Article: 301395 - This step-by-step article describes how to configure Encrypting File System (EFS) to provide core file encryption technology when you store files on an NTFS file system partition. You can use EFS to encrypt and decrypt files to keep your files safe from intruders who might gain unauthorized physical access to your sensitive, stored data (for example, if your laptop or external disk drive is stolen).

The hidden dangers of Encrypting File System
Options abound, as do potential pitfalls, so this Hot Tip deals with what could turn out to be a whopper if you are not paying close attention. Source: Trainability.com

Third-Party Certificate Authority Support for Encrypting File System
Microsoft Knowledge Base Article: 273856 - Describes how Windows 2000 supports third-party Certificate Authorities (CAs) that issue Encrypting File System (EFS) certificates and EFS Recovery Agent certificates. 

Using a Certificate Authority for the Encrypting File Service
Microsoft Knowledge Base Article: 223338 - The Encrypting File System (EFS) is a feature of Windows 2000 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents.

Windows 2000 EFS (Encrypting File System) Potential Issues 
List of potential issues regarding Stanford's deployment of Windows 2000 EFS. Source: Stanford.edu

Back up and Recovery of Encrypted Files

Backing up and recovering encrypted data
The main administrative tasks associated with the Encrypting File System (EFS) are backing up and restoring encrypted files, configuring a recovery policy, and recovering encrypted data. Source: Windows 2000 Server Online Documentation

How to Reinitialize the EDRP on a Workgroup Computer Running Windows 2000
Microsoft Knowledge Base Article: 257705 - This article describes how to reinitialize the local recovery policy on a Windows 2000-based computer. This process does not reinitialize a domain recovery policy. For Windows 2000-based domain members, the local recovery policy is superseded by the domain recovery policy.

How to Restore an Encrypting File System Private Key for Encrypted Data Recovery
Microsoft Knowledge Base Article: 242296 - If you lose your Encrypting File System (EFS) private key (for example, your computer installation is destroyed), a designated EFS recovery agent must restore the files. The designated recovery agent uses his or her EFS recovery agent private 

HOW TO: Use Ntbackup to Recover an Encrypted File or Folder in Windows 2000  
Microsoft Knowledge Base Article: 313277 - You can use Windows 2000 Encrypting File System (EFS) to encrypt data so that only your user account and the recovery agent account can access the data. This feature prevents data from being accessed by other users. Data encryption is especially valuable on laptop computers, which are more liable to theft. 

Methods for Recovering Encrypted Data Files
Microsoft Knowledge Base Article: 255742 - This article describes methods for recovering data that was encrypted with the Encrypting File System (EFS) if the private key for the user who encrypted the files is lost or destroyed. 

Need to Disable EFS on a Windows 2000-Based Computer in Windows NT 4.0-Based Domain 
Microsoft Knowledge Base Article - When a computer that is running Windows 2000 Professional is a member of a Microsoft Windows NT 4.0-based domain, you may have to disable the Encrypting File System (EFS) on the computer because the domain administrator cannot recover encrypted files. A Windows NT 4.0-based domain has no way to specify the use of the Domain Encrypted Data Recovery Agent.

Recovering Encrypted Data
Encryption is an important security measure, but you may find yourself needing to decrypt files that don't belong to you in order to recover the data they contain. This article, part of our series on using encryption with Windows 2000, shows you how to decrypt otherwise unusable files. Source: 8 Wire

The Encrypted Data Recovery Policy for Encrypting File System
Microsoft Knowledge Base Article: 230490 - The Encrypting File System (EFS) supports data recovery by allowing recovery agents to recover file encryption keys (FEKs) and decrypt users' files. The Encrypted Data Recovery policy (EDRP) is configurable for both a domain and a stand-alone server and must be configured by an administrator

The Local Administrator Is Not Always the Default Encrypting File System Recovery Agent 
Microsoft Knowledge Base Article: 255026 - This article discusses how the local administrator is not always the default Encrypting File System (EFS) recovery agent. 

Transferring Encrypted Files That Need to Be Recovered
Microsoft Knowledge Base Article: 223178 - You can use the Encrypted File System (EFS) to encrypt the files on a volume so that the data can be read only by the intended users, even if other users

Tools...

Cipher.exe Security Tool for the Encrypting File System
Microsoft Knowledge Base Article: 298009 - Cipher.exe is a command-line tool (included with Windows 2000) that you can use to manage encrypted data by using the Encrypting File System (EFS). As of June 2001, Microsoft has developed an improved version of the Cipher.exe tool that provides the ability to permanently overwrite (or "wipe") all of the deleted data on a hard disk. This feature improves security by ensuring that even an attacker who gained complete physical control of a Windows 2000 computer would be unable to recover previously-deleted data. 

EFS Info.exe Encrypting File System Information
This command-line tool displays information about files and folders encrypted with Encrypting File System (EFS) on NTFS partitions. EFS is a feature of Windows 2000 that enables users to encrypt and decrypt files. Download size: 608K

Using Efsinfo.exe to Determine Information About Encrypted Files
Microsoft Knowledge Base Article: 243026 - This article describes how to use the Efsinfo.exe utility from the Windows 2000 Resource Kit. You can use Efsinfo to determine who the designated Encrypting File System (EFS) recovery agent is for an encrypted file, and to determine who originally.

Troubleshooting EFS: Known Bugs and Issues

"Access Denied" Error Message When Encrypting a Folder
Microsoft Knowledge Base Article: 265114 - When you attempt to encrypt a folder you may receive the following error message: An error occurred applying attributes to the file: X:\Filename. Access is denied  

"Access is Denied" Error Message When Encrypting or Decrypting Files or Folders
Microsoft Knowledge Base Article: 264064 - When you attempt to encrypt or decrypt a file or folder, you may receive an error message similar to the following example:

Cannot Open Encrypted Files on a Computer with Multiple Windows 2000 Installations
Microsoft Knowledge Base Article: 256168 - If you have a Windows 2000-based computer with more than one installation of Windows 2000, you may receive the following error message when you try to open an encrypted file:

Cannot Gain Access to Microsoft Encrypted File Systems 
Microsoft Knowledge Base Article: 243850 - If you log on to a server using a mandatory profile, you may experience one or more of the following behaviors:

Cipher Does Not Process Multiple Folders
Microsoft Knowledge Base Article: 229530 - When you try to mark multiple folders for encryption using the Cipher.exe tool, only the last folder you specify is actually encrypted.

EFS Backup Functions May Not Work on Computers That Are Running Windows 2000 
Microsoft Knowledge Base Article: 307306 - You cannot use backup software to back up or restore an encrypted folder that is located in an unencrypted folder to which the backup operator does not have access.

Logon Process Hangs After Encrypting Files on Windows 2000
Microsoft Knowledge Base Article: 269397 - After you encrypt files on your Windows 2000-based computer, the computer may stop responding (hang) during the logon process. When this occurs, no users can log on to the computer.

Need to Disable EFS on a Windows 2000-Based Computer in Windows NT 4.0-Based Domain  
Microsoft Knowledge Base Article: 288579 - When a Windows 2000 Professional-based computer is a member of a Microsoft Windows NT 4.0-based domain, you may have to disable Encrypting File System (EFS) on the computer because the domain administrator cannot recover encrypted files. A Windows NT 4.0-based domain has no way to specify use of the Domain Encrypted Data Recovery Agent. 

Plain-Text Version of Encrypted Files May Exist on Disk
Microsoft Knowledge Base Article: 288183 - When you are using the Encrypting File System (EFS) features of Windows 2000, you should always create encrypted files in folders that have the encrypted attribute set, rather than creating plain-text files and encrypting them later. If you do not, plain-text versions of the files will exist on the disk before encryption is implemented. 

Sysprep.exe May Re-Enable the Encrypting File System 
Microsoft Knowledge Base Article: 294844 - When you disable Encrypting File System (EFS) on a Windows 2000-based computer, EFS may become re-enabled.

The Local Administrator Is Not Always the Default Encrypting File System Recovery Agent
Microsoft Knowledge Base Article: 255026 - This article discusses how the local administrator is not always the default Encrypting File System (EFS) recovery agent.

Unable to Access Encrypted Files After Using Sysprep.exe
Microsoft Knowledge Base Article: 288348 - If you encrypted files on a Windows 2000-based computer by using Encrypting File System (EFS), you may lose the ability to access or decrypt these files if you run the System Preparation tool (Sysprep.exe) on the computer. 

Users with Roaming Profiles Cannot Use EFS On Domain Controllers 
Microsoft Knowledge Base Article: 311513 - If the Encrypting File System (EFS) feature is configured for use in a Windows 2000-based domain environment and the "Delete cached copies of roaming profiles" policy is enabled, users with roaming profiles can encrypt files on Windows 2000.

You Cannot Access Protected Data After You Change Your Password 
Microsoft Knowledge Base Article: 322346 - After you change your domain password, you may receive an error message when you try to gain access to protected data. Examples of protected data include files or folders that are encrypted with Encrypting File System (EFS) and user certificates.

Entire contents
© 1999-2003 LabMice.net and TechTarget
All rights reserved

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.