All Speed Tips
Ask The PC Expert
Subscribe via Email
Subscribe via RSS
Buying a Refurbished PC
How to Optimize Droid Razr Battery
Using Android Apps On Your Windows PC
Encrypting files on Windows XP Professional
Organizations, and even home users, are aware that sensitive data should not be available for other users.
Windows XP Professional gives us way to protect data and prevent its loss. The Encrypting File System (EFS) is responsible for encoding the files. These files can only be read when the user has created the "logon" on your machine (where, presumably, our password is a strong password). In fact, anyone who accesses your machine will not have access to our encrypted files even if the user is a team administrator.
Encryption is the process of encoding sensitive data using an algorithm. Without the correct algorithm key, the data cannot be decoded. Windows XP uses encryption for several purposes:
- Encrypted files on an NTFS volume.
- Encrypted data sent between a client and a web server using Security Socket Layer (SSL).
- Encrypting traffic between computers using VPN.
- Encrypting and signing email messages.
PRECAUTIONS THAT SHOULD BE TAKEN WITH SAI
SAI provides a secure encryption of information. The encryption is so secure that if we lose the key to decrypt the data, the information will be irretrievably lost. Windows XP does not have a "back door" if the key is lost.
You can also lose the key accidentally in a few other ways:
- Manipulating the dialog box in the Certificates console (certmgr.msc) can accidentally delete the encryption certificate.
- We have, for example, data stored in folders on a second encrypted volume (Disc D: for example). You format c:\ and reinstall Windows. Unfortunately, in every Windows installation, although the user name and passwords are the same, Windows creates a new security identifier (SID) for each user. Therefore, the encryption keys and the certificate will be different on Windows than it is on the D: data. In this case, our data on D: is lost since we reinstalled Windows and the SID was changed.
With a little care, the above scenarios can be prevented. To do this, follow these steps (for the first time ONLY):
1) Create an empty folder, and set the encrypted attributes. To do this, right click on the folder and select properties->advanced->check "encrypt contents to secure data" and click ok.
2) Create or save any text file in that folder. This will encrypt a file for the first time.
3) If your machine is not part of a domain, create a recovery agent. This is a second user account that may be used with this agent to decrypt the files. You can see BELOW how to create the recovery agent.
4) Keep the recovery agent certificate and personal encryption certificate on a floppy disk and safe from third parties. The recovery agent's certificate will not be created until we have done the first encryption.
5) Now we can start to encrypt sensitive data.
How to Encrypt
As seen above, all you need to do to encrypt your data is right click on the file or folder and select properties->advanced->check "encrypt contents to secure data" and then click ok.
Why Encrypt files and folders
EFS can encrypt files on a local NTFS volume (Does not apply to volumes in the network). This provides an additional level of protection to the NTFS permissions. Remember that NTFS volumes can be vulnerable in many ways. For instance, installing Windows XP on another partition, and taking possession of the original partition, or utilities such as booting with NTFSDOS. In such a case, if someone has physical access to your machine, they could access confidential information. This is one of the reasons why it is imperative, especially in portable business, to have the sensitive information encrypted.
On some machines, you can use options to protect the BIOS to boot the computer with a password. Unfortunately, this type of protection can also be busted. For example, You can remove the hard drive and mount it on another computer. If data is not encrypted, you can take ownership of folders and the data will be accessible to a malicious user.
Secured paging file
If there is a possibility that your computer can fall into foreign hands, we must be sure that we are not leaving "tracks" in the paging file. By default, when you turn off the machine, a paging file remains intact. Someone who may have physical access to our hard disk could take a look at an unencrypted paging file to try to locate traces of sensitive information. This user would have to be an advanced user to get information out of these "tracks".
If we do not want this to happen, we can change a registry entry. In the key:
HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Control -> Session Manager -> Memory Management. Put the value 1 in variable ClearPageFileAtShutdown. Now, when you shut down the machine, Windows will overwrite the pages used in the paging file with binary zeros. This makes the shutdown of the system quite slow. Therefore, we should NOT make this change unless the security needs are HIGH.
How the encryption mechanism works
SAI provides a safe way to store sensitive data. It uses a public key to create a randomly generated encryption key (FEK). This process is done transparently to the user. Windows automatically encrypts data using the FEK when data is written to disk. This data can only be decrypted with your certificate and its associated private key, which is available only to the user logged in with the correct user / password for the key. If other users try to use one of these encrypted files, you will receive a message "access denied".
You can encrypt files or folders. It is recommended to encrypt folders instead of individual files. Any files that you save in this folder are automatically encrypted. This is important since some programs write temporary files and it if you set the folder these will automatically be encrypted as well. Also, for this reason, we must also consider encrypting the folder %temp% and %tmp% of the user since sensitive information could be written to these folders by programs.
Like the process of encryption, decryption is done transparently to the user. Therefore, how you work with encrypted files is the same as with how you work with non-encrypted files. No need to do anything different. When Windows detects that a file is encrypted, it will simply search using the certificate and private key to decrypt the data.
Allowing other users to use our encrypted file
After encrypting a file, you can allow other users to access the file transparently. This capability, new in XP, lets us ensure a file with EFS and leave available to users who we want. You can specify which users have access to a specific file. To enable other users to access our files encrypted:
1) Right click on the encrypted file and click "Properties". In the "General" tab select "Advanced."
2) In the Advanced Attributes, select "Details".
NOTE: The button "Details" is unavailable when you originally encrypt a file. We need to encrypt the file, leave, and return later to the Advanced Attributes dialog. Similarly, the button "Details" is available only when you select a single file. If you select a folder or several files, the button will be unavailable.
3) In the dialog box, go to the Add button. A dialog with users will show.
4) Select the users you want to allow access.
NOTE: Only users who already have an EFS certificate on your machine will appear in this dialog box. The best way for a user on your machine to create a certificate (and therefore appear in the list), is made by the user logging in to the machine and encrypting any file. Network users must export its own certificate (for details, we will see below) must then import the certificate on your machine.
Two ways to Recover Data
CREATING An Agent For Recovery
A recovery agent is another user, usually a manager, who can use our encrypted files. This allows the recovery of our file encryption if something were to happen with our private key.
Windows XP does not create a recovery agent by default on standalone machines. If you belong to a domain, the domain administrator is the default recovery agent.
NOTE: A recovery agent can only recover encrypted files that have been encrypted after the certificate of recovery is established. The agent will not have access, therefore, to a previously encrypted file.
To generate a recovery agent certificate, we must do the following:
1) Connect as Administrator.
2) In a command console (start->run->cmd.exe), run: cipher /r: filename
3) When prompted, type a password that is used to protect the files you create.
This creates both a .Pfx file and a .Cer file with the filename we have specified above.
NOTE: These files allow anyone to be a recovery agent. Therefore, make sure to copy to a floppy and then put the disk in a safe place. Subsequently, you must remove them from your hard disk.
DESIGNATING Data Recovery Agents
We can designate any user as a data recovery agent. It is recommended that an account is an Administrator.
NOTE: We should not appoint our own account as a recovery agent, because if our profile is damaged, and there are no more agents of recovery, the data is lost.
To designate a recovery agent:
1) Connect with the account that you designate as recovery agent.
2) Open up certificates by going to Start->Run->certmgr.msc->OK. Go to Certificates -Current User -> Personal.
3) In the top menu, click on Action -> All Tasks -> Import Wizard. This will launch the recovery.
4) Enter the path and file name of the encryption certificate (the. Pfx file).
5) Enter the password for this certificate and select "Mark this key as exportable." Click Next.
6) Select: Automatically select the certificate based on the type of certificate and click Next. Then click Finish.
7) Open up Local Security Settings by Clicking Start->Run->secpol.msc->OK. Go to Security Settings -> Public Key Policies -> Encrypting File System
8) In the top menu, Click on Action -> Add a recovery agent. A dialog box will open. Click Next.
9) On the recovery agent you select, click the View button and navigate to the folder containing the .Cer we created. Select the file and give it "Open." Now it will show the new agent as USER_UNKNOWN. This is normal because the name is not stored in the file.
If you enjoyed this post, please or
Web site and all contents © Copyright ComputerTooSlow.com 2012, All rights reserved.