Data can be encrypted so others without permission cannot read the data

 

http://www.homecomputingsecurity.com

 
What

 

 EFS – Encryption File Service

 
Why

 

 If others access your data files they cannot read them if they are properly encrypted

 
How

 

 Microsoft provides the EFS feature

 
Detailed Information

How to use encrypted files for security of your data

On a home computer with multiple user accounts, when you save data files to you’re MY DOCUMENTS folder, only you and the administrator accounts can access your data files store there. Other limited user accounts cannot access you’re my DOCUMENTS data files due to NTFS and security policy.

Well, that is supposed to be true. But it is not absolutely true. Anyone can download a free program like this one from Active Data Recovery Software - called READNTFS.EXE - and create a simple bootable diskette containing the program, reboot your computer with this diskette (or a CD) and read your hard drives and copy off any file. This program bypasses the Windows Security policy because Windows is not loaded. Your hard drive contents are accessible if someone can physically load up this diskette at your computer.

If you keep sensitive data files on your local hard drive and that drive uses NTFS – you can prevent the above from happening by using EFS – Encryption File Service. This applies to Windows, 2000, 2003 and XP Professional operating systems. (Note: XP Home version does not support EFS. XP Pro version does.)

If you must keep sensitive data files on your local hard drive, at least you can protect them using EFS encryption on your NTFS partitioned hard drive. If your PC's hard drive is FAT32 and not NTFS, you first need to convert it to NTFS. (Skip this step if your hard drive is already in NTFS format. Right-click a drive letter and go to properties and see what FILE SYSTEM is noted):

·        Click Start

·        Click All Programs

·        Click Accessories

·        Click Command Prompt

·        In the command prompt window type "convert c: /fs:ntfs" (substitute the appropriate drive letter if you are not converting the "C" drive)

·        NOTE: This is a one-way ticket. The convert utility from Microsoft will only convert from FAT or FAT32 to NTFS- not the other way around. If you need to convert an NTFS drive to FAT or FAT32 you will need a 3rd-party product such as Partition Magic from Symantec (formerly Powerquest purchased by Symantec in December of 2003).

One of the best new features of NTFS 5 (introduced with Windows 2000) is the Encrypted File System (EFS). EFS provides transparent data encryption for files and folders on disk. Transparent means that the user is not required to manually encrypt and decrypt files. When EFS is enabled for a folder, and a file is written or read, the process of encryption and decryption occurs automatically.

You can enable EFS for a file or folder by using Windows Explorer. Right-click the folder or file, select Properties, navigate to and select the Advanced button on the General tab, and enable the option to Encrypt contents to secure data. It is suggested you store sensitive data files all within an encrypted folder. Any data within that folder can be encrypted. You can take an existing folder like MY DOCUMENTS enable encryption. Now all files created within this folder or copied to this folder inherit encryption; files moved to this folder keep the properties they had, but you can enable encryption after so moved. In XP, files and subfolders appear in green to indicate they are encrypted. 

Here is the XP encryption dialog box under ADVANCED:

Encryption


As you can see in the screenshot above, the option to encrypt the contents is located in the Compress or Encrypt attributes section. Important to note is the word “or”, you cannot enable both compression and encryption for the same file or folder. If you enable the option Compress contents to save disk space, the option Encrypt contents to secure data will be disabled automatically.

If you enable encryption for a folder and want all the files and subfolders in it to inherit the setting, choose Apply changes to this folder, subfolder and files after you click OK or Apply on the General tab of the folder’s properties sheet. When you create new files in a folder with the encryption attribute enabled, they will be encrypted automatically.

How to see your Encrypted Files in a different color:

·        Compressed NTFS files are displayed in blue.

·        Encrypted NTFS files are displayed in green.

You need to have this option selected in Folder Options...

Start | Run | Type:    control folders   | Click OK |

View tab |  add check to: “Show encrypted or compressed NTFS files in color”

 

By default, encrypted files and folders can be accessed only by the user who encrypted them. In Windows 2000 this means you cannot share EFS encrypted files and folders with other users, but in Windows XP however, you can share encrypted files (not folders) with other users. To do this, click the Details button next to Encrypt contents to secure data option the on the Advanced Attributes dialog box, and add the users you want to allow access. See below:


Encryption

When you rename, move, or copy an encrypted file, the file will remain encrypted, even if you move or copy it to an unencrypted folder or drive.

Moving or saving encrypted files to a CD or a thumbdrive…..which are not NTFS media….removes the encryption. This is good and bad. Good that you can easily save a copy of your encrypted data files that are accessible by anyone in case your hard drive crashes. The Bad is that anyone who comes across your CD or thumbdrive can access these non-encrypted files. Be sure to securely store your CD or thumbdrive in a firesafe. Some thumbdrives can be protected from access using security software or biometrics. You will also need to keep backing up any new or modified encrypted files that are critical to you. A safe practice whether encrypted or not.

Otherwise, an encrypted file can only be read by the account holding the encryption key. That account cannot be renamed or the password changed or recovery fails. ONLY the user that creates the file or folder - and the primary administrator account of the computer - are allowed permission to open the EFS files and folders. You should also make a backup of the recovery agent certificate and store it on a diskette or CD and place in a secure location like a fire safe – in case your hard drive crashes beyond recovery. Without the recovery agent certificate – no one will be able to recover the access to an encrypted file! Not even using the READNTFS.exe type of boot up program on diskette.

If you don’t back up your recovery agent certificate – you should at least must make a back up of your encrypted folder or files to another external medium such as a memory stick, diskette, CD or DVD. These mediums don’t support NTFS and thus all encrypted data copied to them loses encryption and are now accessible by everyone. Store them securely away. The negative to relying only on this method for backing up encrypted data is that the data is only as recent as the backup. If your hard drive completely dies, you must go to the external back up regardless. But if the drive data is ok but the system crashes, one could restore the operating system, import the recovery agent certificate, and regain access to the encrypted files without any data loss.

I suggest backing up data files daily to a memory stick or Flash card between more permanent backups to a CD. Periodically, making backups to CD or DVD and storing securely away at another location or fire safe provides additional safety and peace of mind.

Finally, be aware that there are programs to assist hackers in cracking a password file. If the hacker can crack the password and login as the administrator, your encrypted files are no longer safe. Thus, for ultimate protection, do not store the most sensitive files onto your computer hard drive. Keep in mind that if you “temporarily” use a sensitive file on your computer, loading it from an external source - because you interact with the data - stealth Trojan key logger program could possibly capture your keystrokes and capture some data. It is also possible to get history MRU data and read some of your sensitive data. The most sensitive data should only be used on a standalone computer.

 

How To Decrypt someone’s Encrypted files on Windows XP

1. Login as Administrator

2. Go to Start/Run and type in cmd and click OK.

At the prompt type cipher /r:Eagent and press enter

This prompt will then display:

Please type in the password to protect your .PFX file:

Type in your Administrator password

Re-confirm your Administrator password

The prompt will then display

Your .CER file was created successfully.

Your .PFX file was created successfully.

The Eagent.cer and Eagent.pfx files will be saved in the current directory that is shown at the command prompt. Example: The command prompt displays C:\Documents and Settings\admin> the two files are saved in the admin folder. (For security concerns, you should house the two files in your Administrator folder or on a floppy disk).

3. Go to Start/Run and type in certmgr.msc and click OK. This will launch the Certificates Manager. Navigate to Personal and right click on the folder and select All Tasks/Import. The Certificate Import Wizard will appear. Click Next. Browse to the C:\Documents and Settings\admin folder. In the Open dialog box, change the Files of Type (at the bottom) to personal Information Exchange (*.pfx,*.P12). Select the file Eagent.pfx and click Open. Click Next. Type in your Administrator password (leave the two checkboxes blank) and click Next. Make sure the Radio button is active for the first option (Automatically select the certificate store based on the type of certifcate). Click Next. Click Finish. (You'll receive a message that the import was successful). To confirm the import, close Certificates Manager and re-open it. Expand the Personal folder and you will see a new subfolder labeled Certificates. Expand that folder and you will see the new entry in the right side column. Close Certificate Manager.

4. Go to Start/Run and type in secpol.msc and click OK. This will launch the Local Security Policy. Expand the Public Key Policies folder and then right click on the Encrypted File System subfolder and select Add Data Recovery Agent... The Wizard will then display. Click Next. Click the Browse Folders... button. Browse to the C:\Documents and Settings\admin folder. Select the Eagent.cer file and click Open. (The wizard will display the status User_Unknown. That's ok). Click Next. Click Finish. You will see a new entry in the right side column. Close the Local Security Policy.

You, the Administrator are now configured as the default Recovery Agent for All Encrypted files on the Local Machine.

To Recover Encrypted files:

Scenario #1

If you have completed the above steps BEFORE an existing user encrypted his/her files, you can log in to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.

Scenario #2

If you have completed the above steps AFTER an existing user has already encrypted his/her files, you must login to the applicable User's User Account and then immediately logout. Next, login to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.

*Warning: Do not Delete or Rename a User's account from which will want to Recover the Encrypted Files. You will not be able to de-crypt the files using the steps outlined above.

 

 
Resources

 

 

 

 

 

 

Contact me at NofinerWeb.com