EFS Issues in Windows XP/2003
The Encrypting File System (EFS) in Windows XP and Windows 2003 includes several features that were not included in the Windows 2000 EFS. In this article, we'll look at the major differences between the Windows 2000 EFS implementation (let's call it "the older EFS") and the Windows XP/2003 implementation ("the newer EFS"). We'll focus on the way in which Microsoft implements the newer EFS, as well as various EFS issues such as resetting users' forgotten passwords and RAS users getting Access Denied error messages.
At the end of this article, I offer some recommendations for planning a business EFS strategy to ensure that you don't lose your important data. Data that's important enough for you to encrypt had better not be lost due to incorrect implementation!
New Features of EFS
Compared to Windows 2000, the newer EFS version in Windows XP and Windows Server 2003 includes several changes. Here's a list of some of the new features:
Encrypted files are marked green so you can easily distinguish them.
You can share your encrypted files with other individuals.
EFS offers a client-side caching that's used with the offline folders feature.
EFS offers kernel-mode FIPS-compliant cryptography.
Files can be encrypted even if there's no Data Recovery Agent (DRA).
Encrypted Files Shown in Green
In Windows Explorer, choose Tools > Folder Options. On the View tab, select the option "Show encrypted or compressed NTFS files in color." With this setting enabled, compressed files appear in blue and encrypted files in green.
Sharing Encrypted Files
You can share encrypted files with other individual users, but not with groups. A user with whom you want to share an encrypted file must have an EFS certificate available on your computer. There are a couple of ways to get one there: the user can log on to your computer and encrypt a file, which causes a certificate to be created for that account; or a network user can export his or her certificate and you can import it on your computer.
Client-Side Caching of Offline Files
This feature is useful for mobile computers because users can work on files even when not connected to the network. The files are cached on the user's hard drive, and when the user reconnects to the network, the local copies are synchronized with the files on the network. Unlike Windows 2000, both Windows XP and Windows Server 2003 let you encrypt these offline files.
FIPS-Compliant Cryptography
Federal Information Processing Standard 140-1 (FIPS 140-1) and FIPS 140-2 are U.S. government standards that provide a benchmark for implementing cryptographic software. Some U.S. government agencies purchase only products that are FIPS-compliant. In Windows XP/2003, you can use the Group Policy security option "System cryptography: Use FIPS compliant algorithms for encryption" to configure clients to be FIPS-compliant.
Encryption Without a DRA
Unlike Windows 2000, the newer version of EFS allows encryption of files even when no DRA is defined. Keep in mind that without a DRA, an encrypted file can be opened only with the private key of the user who encrypted it (or of a user it has been shared with), so if that key is lost, the file is lost too.
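The following PowerShell script is an added example, not part of the original article: it inventories EFS-encrypted files under a path and reads the two machine settings discussed above (the FIPS policy and Explorer's color display). The registry locations are taken from Windows itself rather than from the article; the FIPS value lives directly under the Lsa key on XP/2003 and under a FipsAlgorithmPolicy subkey on later versions, so both are checked.

```powershell
# Added example (not from the article): inventory EFS-encrypted files and
# report the FIPS policy and "show in color" settings on the local machine.
param([string]$Path = "$env:USERPROFILE\Documents")

function Get-EfsInventory {
    param([string]$Root)
    # The Encrypted attribute is set on every EFS-protected file.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-EfsPolicyState {
    # XP/2003: REG_DWORD FIPSAlgorithmPolicy directly under Lsa.
    # Vista and later: subkey FipsAlgorithmPolicy with a value named Enabled.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $fips = (Get-ItemProperty -Path $lsa -Name FIPSAlgorithmPolicy `
                -ErrorAction SilentlyContinue).FIPSAlgorithmPolicy
    if ($null -eq $fips) {
        $fips = (Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled `
                    -ErrorAction SilentlyContinue).Enabled
    }
    # Explorer's per-user "Show encrypted or compressed NTFS files in color" toggle.
    $adv   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $color = (Get-ItemProperty -Path $adv -Name ShowCompColor `
                -ErrorAction SilentlyContinue).ShowCompColor
    New-Object PSObject -Property @{
        FipsPolicyEnabled  = ($fips -eq 1)
        ShowEncryptedColor = ($color -eq 1)
    }
}

$files = @(Get-EfsInventory -Root $Path)
Get-EfsPolicyState | Format-List
"{0} encrypted file(s) found under {1}" -f $files.Count, $Path
$files | Format-Table -AutoSize
```

Run it as the user whose files you want to inventory; a count greater than zero on a machine with no DRA configured is exactly the situation the recommendations at the end of this article are meant to avoid.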
Now that we've looked at some of the new features in EFS, let's closely examine some of the issues related to encryption in Windows 2000 and Windows XP.