Encrypting File System
The Encrypting File System (EFS) of Windows 2000 provides users with the capability to protect data that is stored on an NTFS local or network disk using encryption certificates and the embedded CryptoAPI architecture of Windows 2000. No additional configuration is required to provide users with EFS support. If the user does not have an existing encryption certificate from a Certificate Authority (CA), EFS generates a self-signed certificate the first time a user chooses to encrypt a file or folder.
Windows 2000 provides Certificate Services capable of issuing authorized EFS certificates.
The process for encrypting a file or folder is simple.
Right-click the file or folder and choose Properties.
Under the General tab, choose the Advanced button.
Place a check mark in the Encrypt Contents to Secure Data attribute, and click OK.
Click OK again to apply the change.
Only the user who encrypts the file or folder is capable of decrypting the contents, with the exception of the EFS Recovery Agents specified for the domain. If the user's encryption certificate is lost, an EFS Recovery Agent is capable of decrypting and recovering the contents of the file or folder. Group policy is used to define the EFS recovery agent(s) for a domain. The administrator account for the domain is the default EFS Recovery Agent for a domain. If the EFS Recovery Agent group policy for the domain is removed, or if the computer does not belong to a domain, the Administrator account for the local computer is the default EFS Recovery Agent. If no EFS Recovery Agent is available for the computer where the encrypted file will be stored, EFS is disabled. To modify the EFS recovery agents for a domain or OU, follow these steps:
Open the Active Directory Users and Computers snap-in from Start, Programs, Administrative Tools.
Right-click the domain or OU that will utilize this policy, and choose the Properties option.
Under the Group Policy tab, choose to edit an existing policy or create a new one.
EFS is a computer-based policy, so navigate the Computer Configuration object to Windows Settings, Security Settings, Public Key Policies.
Right-click the Encrypted Data Recovery Agents object and choose New, Encrypted Recovery Agent.
The EFS Recovery Agent Wizard will step you through the addition of another account or group.
To remove an EFS Recovery Agent from the list, highlight the certificate in the Encrypted Data Recovery Agents window and press Delete.
To modify the EFS Recovery Agents for a specific computer:
On the target computer, open the Local Security Settings MMC snap-in from Start, Programs, Administrative Tools.
Navigate to Public Key Policies, and right-click the Encrypted Data Recovery Agents object.
Choose Add or New, Encrypted Recovery Agents. The Recovery Agent Wizard will step you through the process.
EFS and Exchange
It is important to note that EFS is limited to data stored on disk and will not protect data in transit on the network. With that in mind, EFS is still an important component of securing user data in Exchange. As with Exchange 5.5, each mailbox in the Exchange 2000 Web store is secured using Kerberos authentication and access control entries. By default, only the user assigned to the mailbox and the Exchange service account have access to a user's mailbox. Additional users can be granted access rights, either by the user assigned to the mailbox or by an Exchange administrator from the Active Directory. The EFS option allows a user to grant other users access to mailbox data but encrypt sensitive information. This model can protect sensitive files even from administrators. For example, an Exchange administrator can gain unauthorized access to a user's mailbox by altering mailbox permissions in Active Directory. The administrator would not be capable of reading files that were encrypted by the user unless the administrator were also specified as an EFS Recovery Agent. For this reason, it is recommended that EFS Recovery Agents be limited to a select group of users and responsibility rotated on a regular basis. In addition, it is not necessary to assign the EFS Recovery Agent role to administrators.