Rules To Remember
As with any system designed to protect something of value, encrypting files and folders on Windows requires devotion to some practical principles and safeguards:
Set an encryption policy. Although EFS allows users to start encrypting files whenever they feel like it, it's not a good idea to start using it willy-nilly.
Have at least two recovery agent accounts. By default, the domain administrator is the recovery agent for all computers in that domain. Depending on the size of the domain, you may want to establish recovery accounts for smaller groups within each domain—what Microsoft calls organizational units (OUs). However you divide your users, you should have at least two recovery agent accounts for each OU. Put each account on a separate computer and make sure that the appropriate administrators have permission to use the accounts.
Change the default recovery agent account ASAP. By default, the Administrator account of the first domain controller installed on the domain is the recovery agent. Even if the owner of that account is to be one of the recovery agents, you should immediately establish a separate recovery agent account with a strong password. The domain administrator account is a prime target for bad guys, and leaving the recovery keys available through that account is asking for trouble.
Set and test your recovery agents before you start encrypting files. Make sure that the recovery agents can recover files before you start using EFS. Test this process thoroughly.
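One way to carry out that test, as an added PowerShell example that is not part of the original text: it creates a throwaway encrypted file, reads the recovery certificates cipher.exe reports for it, compares them with the thumbprints you expect, and, when run under a recovery agent account with its key imported, checks that the agent can actually open the file. The cipher.exe /c labels ("Recovery Certificates:", "Certificate thumbprint:") and the placeholder thumbprint list are assumptions.

```powershell
param(
    [string]$SampleFolder = "$env:USERPROFILE\Documents\EfsTest",
    [string[]]$ExpectedThumbprints = @("0000000000000000000000000000000000000001")  # placeholder; replace with your agents' thumbprints
)

function Get-EfsRecoveryThumbprints {
    param([string]$Path)
    # cipher /c prints a "Recovery Certificates:" section with one
    # "Certificate thumbprint:" line per agent; these labels are assumed from
    # cipher.exe output and may differ between Windows versions.
    $lines = & cipher.exe /c $Path 2>&1
    $inRecovery = $false
    $found = @()
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match '^\s*(Key Information|Users who can decrypt):') { $inRecovery = $false }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(\S.*)$') {
            $found += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    return $found
}

# Create a throwaway encrypted sample file to inspect (/a makes cipher operate on a file).
New-Item -ItemType Directory -Path $SampleFolder -Force | Out-Null
$sample = Join-Path $SampleFolder "recovery-check.txt"
Set-Content -Path $sample -Value "recovery agent test $(Get-Date -Format o)"
& cipher.exe /e /a $sample | Out-Null

if (-not ((Get-Item $sample).Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw "Sample file was not encrypted; EFS may be disabled by policy on this machine."
}

$agents  = Get-EfsRecoveryThumbprints -Path $sample
$missing = $ExpectedThumbprints | ForEach-Object { $_.ToUpperInvariant() } | Where-Object { $_ -notin $agents }
if ($missing) {
    Write-Warning "Expected recovery agent(s) not embedded in ${sample}: $($missing -join ', ')"
} else {
    Write-Host "All expected recovery agents are embedded in $sample"
}

# Run this under the recovery agent account (with its key imported) to prove the
# agent can actually decrypt the file, not merely that it is listed on it.
try {
    Get-Content -Path $sample -ErrorAction Stop | Out-Null
    Write-Host "Decryption succeeded as $env:USERNAME"
} catch {
    Write-Warning "Could not read $sample as ${env:USERNAME}: $_"
}
```

A file that lists no recovery certificate was encrypted before the recovery policy reached the machine; re-encrypting it (cipher /u updates existing files) embeds the current agents.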
Know what you are—and are not—encrypting. Just because a file name appears in that comforting green doesn't mean that every copy of the information in the file is encrypted. For example, when you print a file, a copy may go into the printer's spool file. If the spool file isn't separately encrypted, that copy of the file will be exposed.
Encrypt folders, not files. EFS allows you to encrypt either individual files or entire folders. In general, you should encrypt at the folder level. This practice protects any temporary files that the application might create in the same folder. Of course, encrypting a folder encrypts all the subfolders and files below it in the hierarchy.
Start with the My Documents folder. The best place to start encrypting with EFS is the user's My Documents folder. This strategy will protect the data created with Microsoft Office applications and many other kinds of applications as well.
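The folder-level approach from the three rules above (know what you are encrypting, encrypt folders, start with the user's documents folder) as an added PowerShell example that is not part of the original text: it encrypts a folder tree with cipher.exe, audits it for anything left in the clear, and checks the print spool directory the text warns about. The folder paths are assumptions; the spool path is the default location.

```powershell
param(
    [string]$Target   = "$env:USERPROFILE\Documents",
    [string]$SpoolDir = "$env:SystemRoot\System32\spool\PRINTERS"   # default spool directory
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    return [bool]($Item.Attributes -band [IO.FileAttributes]::Encrypted)
}

# Encrypt the folder itself so new files inherit encryption, then its existing
# contents (/s walks the subdirectories, /a includes files, not just folders).
& cipher.exe /e /s:"$Target" /a | Out-Null

# Anything still lacking the Encrypted attribute is a gap. Files carrying the
# System attribute (for example desktop.ini) cannot be EFS-encrypted and will show up here.
$clear = Get-ChildItem -Path $Target -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not (Test-EfsEncrypted $_) }

if ($clear) {
    Write-Warning "Unencrypted items remain under ${Target}:"
    $clear | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All items under $Target carry the Encrypted attribute."
}

# Copies made outside the folder are not covered by it: check the spool directory.
if (Test-Path $SpoolDir) {
    if (Test-EfsEncrypted (Get-Item $SpoolDir -Force)) {
        Write-Host "Spool directory $SpoolDir is encrypted."
    } else {
        Write-Warning "Spool directory $SpoolDir is NOT encrypted; printed copies of encrypted files land there in the clear."
    }
}
```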
Protect your keys—even the obsolete ones. Of course, all current keys should be treated like gold and safeguarded accordingly. However, even old recovery keys should be carefully archived in case they're needed. Recovery certificates and private keys should be exported to secure storage, including archiving at least two copies—one of them offsite.
Make and secure copies of your keys. Keep copies of your keys on removable media in a secure place, in the event of corruption or other problems.
Don't keep recovery keys on your laptop. If you have a standalone system, don't keep your recovery agent keys on the system. Export them to removable media and store them someplace safe.
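The key-handling rules above (archive recovery keys, keep two copies, one offsite, and keep none on a laptop) as an added PowerShell example that is not part of the original text: it finds the current user's EFS and File Recovery certificates, exports each with its private key to removable media, makes the second copy for offsite storage, and verifies both copies match. It assumes PowerShell 4 or later with the PKI module (Export-PfxCertificate, Get-FileHash) and that the two destination paths exist.

```powershell
param(
    [string]$PrimaryCopy  = "E:\efs-keys",         # removable media path (assumed)
    [string]$OffsiteStage = "D:\offsite-staging"   # staging area for the offsite copy (assumed)
)

$EfsEku      = "1.3.6.1.4.1.311.10.3.4"    # Enhanced Key Usage OID: Encrypting File System
$RecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"  # Enhanced Key Usage OID: File Recovery

# Certificates that carry an EFS or recovery EKU and whose private key is present.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku -or
        $_.EnhancedKeyUsageList.ObjectId -contains $RecoveryEku)
}
if (-not $certs) { throw "No EFS or File Recovery certificate with a private key found." }

$password = Read-Host -AsSecureString -Prompt "Password to protect the exported PFX files"

foreach ($cert in $certs) {
    $kind = if ($cert.EnhancedKeyUsageList.ObjectId -contains $RecoveryEku) { "recovery" } else { "user" }
    $name    = "$kind-$($cert.Thumbprint).pfx"
    $primary = Join-Path $PrimaryCopy $name
    $offsite = Join-Path $OffsiteStage $name

    # Export once, then copy: each PFX export uses fresh salts, so two separate
    # exports would not be byte-identical and could not be checked against each other.
    Export-PfxCertificate -Cert $cert -FilePath $primary -Password $password | Out-Null
    Copy-Item -Path $primary -Destination $offsite

    $h1 = (Get-FileHash -Path $primary -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -Path $offsite -Algorithm SHA256).Hash
    if ($h1 -ne $h2) { throw "Copies of $name differ; do not rely on this backup." }
    Write-Host "$kind certificate $($cert.Thumbprint): two matching copies, SHA256 $h1"
}

# On a laptop, once both copies are verified the recovery agent's private key can be
# removed from the local store (Remove-Item on its Cert: path with -DeleteKey).
# Keep the user's own EFS key, or the user can no longer open their files.
```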
Don't use the recovery agent accounts for any other purpose.
Understand the limits of EFS. EFS is very good at protecting files and folders from unauthorized snoopers. It doesn't protect the entire computer, nor does it protect the data under all circumstances.
Notably, EFS doesn't protect data in transit over the network. If you store your encrypted file on a remote server and access it over the network, EFS doesn't protect your data while it's being sent. You're vulnerable to a "man in the middle" attack by an unauthorized listener on the network. Windows does offer transport encryption for data in transit (Private Communication Technology and the Secure Sockets Layer, SSL), but that's not part of EFS.
The other problem is that EFS is not completely effective at protecting a standalone system from a sophisticated attacker who has physical access. In other words, if your laptop is stolen, or someone gains access to your desktop system over the weekend, your files may be compromised even if you use EFS.
Because EFS is so popular, a number of tools are aimed at recovering EFS passwords. One example is Advanced EFS Data Recovery from Elcomsoft. These programs will recover EFS passwords even if the system is not bootable—a big help to system administrators, but unfortunately also a big help to thieves.
Even without using a password-recovery program, a number of other techniques can be used to compromise a standalone system, given physical access.
Consider alternatives. A better choice for protecting a laptop might be a third-party disk encryption program such as SafeGuard Easy from Utimaco Safeware. These programs prevent all disk access, and some of them won't allow the operating system to boot without a password.
Another possibility is a two-factor protection system that uses an authentication token the user carries on a key ring and plugs into the USB port.
Encryption is not data security. Even the most strongly encrypted data can be compromised by a variety of attacks, such as phishing and social engineering, that go around the encryption. Consider security issues as a whole and don't assume that you're secure just because you're using EFS.