Protecting Data by Using EFS to Encrypt Hard Drives

On This Page

Introduction
Before You Begin
Generating and Backing Up a Recovery Key
Creating a Domain-Based Recovery Agent
Creating a Local Recovery Agent
Using EFS
Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu
Enabling EFS File Sharing
Exporting and Importing Data Recovery Keys
Recovering Data
Best Practices
Related Information

Introduction

In many businesses, users share desktop computers. Some users travel with portable computers that they use outside the physical protection of the business, in customer facilities, airports, hotels, and at home. This means that valuable data is often beyond the control of the business. An unauthorized user might try to read data stored on a desktop computer. A portable computer can be stolen. In all of these scenarios, malevolent parties can gain access to sensitive company data.

One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data. Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage. To use EFS, all users must have Encrypting File System certificates, digital documents that allow their holders to encrypt and decrypt data using EFS. EFS users must also have NTFS permission to modify the files.

Two types of certificates play a role in EFS:

  • Encrypting File System certificates. This type of certificate allows the holder to use EFS to encrypt and decrypt data, and is often called simply an EFS certificate. Ordinary EFS users get this type of certificate. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value Encrypting File System (1.3.6.1.4.1.311.10.3.4).

  • File Recovery certificates. This type of certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them. Only domain admins or very trusted designated persons called data recovery agents should get this. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). These are often called EFS DRA certificates.

To enable another authorized person to read your encrypted data, you can give them your private key, or you can make them a data recovery agent. A data recovery agent can decrypt all EFS-encrypted files in the domain or organizational unit in his or her scope. This document provides step-by-step instructions for the main EFS-related tasks in a small-to-medium business, and also lists several important best practices for using EFS.

The procedures in this document guide you through the following tasks:

  • Create and safeguard a recovery key to ensure that encrypted data can be safely recovered when the original user cannot do so.

  • Create recovery agents who can recover encrypted files when the original user cannot do so.

  • Set up EFS in your business.

  • Configure Windows Explorer to conveniently use EFS.

  • Configure file sharing to work with EFS.

  • Export and import data recovery keys to enable the safe recovery of encrypted files and folders.

  • Recover data when the original user cannot do so.

By following the procedures in this document, you will make the following system-wide changes:

  • Create a backup data recovery key.

  • Create a recovery agent.

  • Enable EFS for encrypting data on a computer hard drive.

  • Configure Windows Explorer to include EFS options.

These procedures also enable you to implement the following changes or precautions:

  • Provide shared access to selected encrypted data.

  • Manage data recovery keys for use in recovering encrypted data.

  • Recover encrypted data when necessary.

Before You Begin

The procedures in this document help you configure your computers to use EFS and illustrate how to use EFS to protect data on the computer hard drives in your business. Before you begin to carry out these procedures, you should work with your legal counsel to ensure that your planned encryption policies and procedures adhere to the relevant laws and regulations. In particular, if your organization has offices outside the United States, you need to be familiar with export control laws related to encryption software. You should also be familiar with some basic requirements and conditions for using EFS:

  • You can encrypt files and folders only on NTFS file system volumes. Consequently, you cannot use EFS to protect data on hard drives that use the FAT or FAT32 file system. Unless you have a specific reason to continue using the FAT file system, it is recommended that you convert these volumes to use NTFS. The Windows 95, Windows 98, and Windows Millennium Edition operating systems do not support NTFS or EFS. Windows XP Home Edition supports NTFS, but not EFS.

  • Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed.

  • Files marked with the System attribute cannot be encrypted, nor can you encrypt files in the systemroot folder.

  • Options that you select from a pop-up dialog box when you first encrypt files or folders determine how encryption operates in the future:

    • If you choose to encrypt the parent folder when you encrypt a single file, all files and subfolders that are added to the folder in the future will be encrypted when they are added.

    • If you choose to encrypt all files and subfolders when you encrypt a folder, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future.

    • If you choose to encrypt the folder only when you encrypt a folder, all files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.

Unless otherwise specified, in the procedures described in this document, server computers are running the Windows Server 2003 operating system, and client computers are running Windows XP Professional.

In an Active Directory environment, users are assumed to have roaming user profiles. Please note that screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.

All of the step-by-step instructions in this document were developed using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Generating and Backing Up a Recovery Key

Not having a backed-up recovery key can result in irrevocable loss of encrypted data. Backing up a recovery key helps ensure that encrypted data can be recovered in the event that the user holding the EFS encryption certificate is not able to decrypt the data.

Requirements

  • Credentials: This operation must be performed using the recovery agent account that has the file recovery certificate and private key in its private store. The domain administrator is the default recovery agent; in a home or non-domain environment, there is no default recovery agent, but you can create a local recovery agent for all accounts on the computer. It is more common in a home setting for each EFS certificate holder to back up their own private keys.

  • Tools: Certificates snap-in to the Microsoft Management Console (MMC).

CAUTION: Before making any changes to the default recovery policy, be sure to back up the default recovery keys. The default recovery keys in a domain are stored on the first domain controller for the domain.

  • To back up default recovery keys to a floppy disk

    1. Click Start, click Run, type mmc, and then click OK. The Microsoft Management Console opens.

    2. On the File menu, click Add/Remove Snap-in, and then click Add.

    3. Under Add Standalone Snap-in, click Certificates, and then click Add.

    4. Click My user account, and then click Finish.

    5. Click Close, and then click OK.

    6. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.

    7. Click the certificate that displays the words File Recovery in the Intended Purposes column.

    8. Right-click the certificate, point to All Tasks, and then click Export.

    9. Follow the instructions in the Certificate Export Wizard to export the certificate and associated private key to a .pfx file format.

Creating a Domain-Based Recovery Agent

To allow an account to read or recover data encrypted by using EFS, you must make the account a recovery agent. In a domain environment, it is advisable to use domain accounts for that purpose. You can create a recovery agent for any site, domain, or organizational unit in an Active Directory directory service forest. By default, the built-in Administrator account for a domain is a recovery agent; in that case you do not need to create a recovery agent.

Requirements

  • Credentials: Administrator of the domain.

  • Tools: the Active Directory Users and Computers snap-in to MMC.

  • To create a domain-based recovery agent

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    2. Right-click the domain whose recovery policy you want to change, and then click Properties.

    3. Click the Group Policy tab.

    4. Right-click the recovery policy you want to change, and then click Edit.

    5. In the console tree (on the left), click Encrypting File System. This can be found at Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

    6. In the details pane (on the right), right-click, and then click Create Data Recovery Agent.

      Note: The Create Recovery Agent Wizard prompts you to add a user as a recovery agent either from a file or from Active Directory. When you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the user name is not stored in the file.

      In order to add a recovery agent from Active Directory, EFS recovery agent certificates (file recovery certificates) must be published in Active Directory. However, because the default EFS file recovery certificate template does not publish these certificates, you need to create a template that does so. To do this, in the Certificate Templates snap-in, copy the default EFS file recovery certificate template to create a new template, right-click the new template, click Properties, and then, on the General tab of the Properties dialog box for the copied template, select the Publish certificate in Active Directory check box.

    7. Follow the instructions in the Create Recovery Agent Wizard to finish creating a domain-based recovery agent.

Creating a Local Recovery Agent

In a non-domain environment, such as on a standalone computer or in a workgroup, you can create a local recovery agent. Creating a local recovery agent might be helpful if the computer is shared by multiple users. On a single-user computer, it is easier for the user to simply back up the recovery key to removable media.

Requirements

  • Credentials: Administrator of the local computer.

  • Tools: Group Policy Object Editor.

  • To create a local recovery agent

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, and then click Add.

    3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.

    4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.

    5. Click Close, and then click OK.

    6. In Local Computer Policy, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.

    7. In the details pane, right-click Encrypting File System, and then click Add Data Recovery Agent or Create Data Recovery Agent.

      Note: The Wizard prompts you for a user name for a recovery agent. You can supply the wizard with the name of a user with a published file recovery certificate, or you can browse for file recovery certificates (.cer files) that contain information about the recovery agent you want to add. File recovery certificates can be obtained from Certification Authorities. To identify a file recovery certificate, in the Certificates snap-in, in the details pane, in the Enhanced Key Usage field, look for the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). File recovery certificates are stored as .cer files in the local computer file system or in Active Directory.

      When you add a recovery agent from a file, the user is identified as USER_UNKNOWN because the user name is not stored in the file.

    8. Follow the instructions in the wizard to complete the process.

Using EFS

Once you have finished creating a recovery agent and have generated and backed up a recovery key, you are ready to begin using EFS to help protect files and folders from unauthorized access. This section provides instructions on enabling EFS.

Requirements

  • Credentials: You must be a user with an EFS certificate and NTFS permission to modify the file or folder.

  • Tools: Windows Explorer.

  • To encrypt a file or folder by using EFS

    1. Open Windows Explorer.

    2. Right-click the file or folder that you want to encrypt, and then click Properties.

    3. On the General tab, click Advanced.

    4. Select the Encrypt contents to secure data check box, and then click OK.

    5. In the Properties dialog box, click OK, and then do one of the following:

      • To encrypt a file and the parent folder, in the Encryption Warning dialog box, click Encrypt the file and the parent folder.

      • To encrypt a file only, in the Encryption Warning dialog box, click Encrypt the file only.

      • To encrypt a folder only, in the Confirm Attribute Changes dialog box, click Apply changes to this folder only.

      • To encrypt a folder and its subfolders and files, in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files.

    6. Click OK to accept and apply your encryption choices.

Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu

Some businesses might find it easier to implement EFS by configuring Windows Explorer to display "Encrypt" and "Decrypt" on the shortcut menu when a user right-clicks a file. To enable this, you need to edit the Windows registry to create a new registry value which does not exist by default.

CAUTION: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Requirements

  • Credentials: An administrator with experience editing the registry and an understanding of the dangers of editing the registry.

  • Tools: the Registry Editor.

  • To enable Encrypt/Decrypt options on the Windows Explorer menu

    1. Open the Registry Editor and navigate to the following registry path:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\

    2. In the details pane (on the right), right-click, click New, and then click DWORD Value.

    3. Type EncryptionContextMenu for the name of the DWORD value, and then press Enter.

    4. Right-click the DWORD value you just created, and then click Modify.

    5. In the Edit DWORD Value dialog box, in the Value Data box, enter a value of 1, and then click OK.

    6. Click File, and then click Exit to close the Registry Editor.

Note: In Windows Server 2003, you can also add the Encryption Details button to the Explorer menu by creating a registry batch file (*.reg) with the following information and running the registry batch file for each user:

Windows Registry Editor Version 5.00

; Adds an "Encrypt To User..." verb to the shortcut menu of every file type;
; the verb opens the EFS user-sharing dialog for the selected file.
[HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command]
@="rundll32 efsadu.dll,AddUserToObject %1"

Enabling EFS File Sharing

Businesses commonly want to use encryption to help safeguard sensitive data, but also need to allow multiple users access to that data. With EFS, one user can encrypt a file, and then give additional users the ability to access the encrypted data. To allow several users to access an encrypted file, the user who encrypts the file designates the file as shared, and then enables shared access by adding the EFS encryption certificates of each additional user to the encrypted file. In this way, businesses can help improve security without impairing the availability of data.

You should be aware of certain requirements and limitations related to sharing encrypted data:

  • You cannot add groups of users to encrypted files, nor can you add users to encrypted folders.

  • All users that are added to an encrypted file must have an EFS encryption certificate on the computer where the file is located. Typically, a certification authority such as Verisign issues certificates. Also, if a user has logged on to the computer and encrypted any file, that user will have an EFS encryption certificate on the computer. To import certificates, see To import a certificate on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22846.

  • All users that can decrypt the file must also have access to read the file. NTFS permissions must be set properly to allow this access. If a user is denied access because of insufficient NTFS permissions, the user cannot read the encrypted file and cannot decrypt the data. To set permissions on files, see To set, view, change, or remove permissions on files and folders on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22847.

Requirements

  • Credentials: An EFS certificate and ownership of the file.

  • Tools: Windows Explorer.

All users that are added to the file must have a certificate located on the computer.

  • To allow a user to encrypt or decrypt a file

    1. Open Windows Explorer.

    2. Right-click the encrypted file that you want to change, and then click Properties.

    3. On the General tab, click Advanced.

    4. In Advanced Attributes, click Details.

    5. To add a user to this file, click Add, and then do one of the following:

      • To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.

      • To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.

      • To add a user from Active Directory, click Find User, then locate the user in the list and click OK.

      • To remove a user from this file, click the user name and then click Remove.

Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.

Exporting and Importing Data Recovery Keys

Data recovery keys (DRA keys) must be available to the Data Recovery Agent to enable the Agent to recover encrypted data when normal recovery is not possible. Therefore, it is important to safeguard recovery keys. A good way to guard against loss of recovery keys is to export the Data Recovery certificates and private keys of Data Recovery Agents to securable removable media in .pfx format files. You can then recover lost data by importing them.

The following procedures outline the process for exporting and importing DRA keys.

Requirements

  • Credentials: You must be logged on with the administrator account on the first domain controller in the domain.

  • Tools: Certificates MMC snap-in.

Exporting Data Recovery Keys

  • To export the certificate and private key of the default domain Data Recovery Agent

    1. Log on to the domain with the administrator account on the first domain controller in the domain.

    2. Click Start, and then click Run.

    3. Type mmc.exe and press Enter.

    4. Click File, and then click Add/Remove Snap-In.

    5. Click Add. A list of all the registered snap-ins on the current computer appears.

    6. Double-click the Certificates snap-in, click My User Account, and then click Finish.

    7. In the Add Standalone Snap-In dialog box, click Close, and then in the Add/Remove Snap-in dialog box, click OK. MMC now displays the personal certificates for the Administrator account.

    8. Navigate to the Certificates\Current User\Personal\Certificates folder.
      The details pane (on the right) displays a list of all the certificates for the administrator account. By default, two certificates are normally present. Locate the default domain DRA certificate.

    9. Right-click the default domain DRA certificate, click All Tasks and then click Export to start the Certificate Export Wizard.

      IMPORTANT: It is critical that you choose the correct key during the export process, because once the export process is complete the original private key and corresponding certificate are deleted from the computer. If the key cannot be restored to the computer, then file recovery will not be possible using that DRA certificate.

    10. Click Yes, export the private key, and then click Next. This will cause the private key to be removed when the export is complete.

    11. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX), select the Enable strong protection and Delete the private key if the export is successful check boxes, and then click Next.
      As a best practice, the private key should be deleted from the system when a successful export is complete, and strong private key protection should be used as an extra level of security on the private key.
      When exporting a private key, the .pfx file format is used. The .pfx file format is based on the PKCS #12 standard, a portable format for storing or transporting user information including private keys, certificates, and miscellaneous secrets. The .pfx file format (PKCS #12) also allows a password to protect the private key stored in the file.

    12. On the Password page, in the Password and Confirm password text boxes, type a strong password and then click Next.

      The last step is to save the actual .pfx file. The certificate and private key can be exported to any writeable device, including a network drive or floppy disk.

    13. On the File to Export page, type or browse for a file name and path, and then click Next.

      A notification will report whether the export was successful.

      If the file and associated private key are lost, it will be impossible to decrypt any existing files that have used that specific DRA certificate as the data recovery agent. Once the .pfx file and private key have been exported, secure the file on stable removable media in a secure location in accordance with the security guidelines and practices for your business. For example, a business might preserve the .pfx file on one or more CD-ROMs stored in a safety deposit box or vault that has strict physical access controls.

Importing Data Recovery Keys

In the event that you need to recover encrypted data by using an exported data recovery key, you will first need to import the key. Importing keys is simpler than exporting them. To import a key stored as a PKCS #12 formatted file (.pfx file), just double-click the file to open the Certificate Import Wizard, or you can start the wizard and import the key by completing the following steps:

Requirements
  • Credentials: Domain Admin account on the computer.

  • Tools: The Certificates MMC snap-in.

  • To import a data recovery key

    1. Log on to the computer with a valid account.

    2. Click Start and then click Run.

    3. Type mmc.exe and then press Enter.

    4. In MMC, on the File menu, click Add/Remove Snap-In.

    5. Click Add. A list of all the registered snap-ins on the current computer appears.

    6. Double-click the Certificates snap-in, click My User Account and then click Finish.

    7. In the Add Standalone Snap-In dialog box click Close, then in the Add/Remove Snap-in dialog box click OK. MMC now contains the personal certificate store for the Administrator account.

    8. Navigate to the Certificates\Current User\Personal\Certificates folder, right-click the folder, click All Tasks, then click Import to start the Certificate Import Wizard.

    9. Click Next, type a file name and path for the file to import and then click Next.

    10. On the Password page, in the Password box, type the password for the file being imported if it is a PKCS #12 file.
      It is a best practice to store private keys protected with a strong password.

    11. If you want to export the key again later from the current computer, it is important to select the Mark this key as exportable check box. Click Next.

    12. The wizard might prompt for the name of the store the certificate and private key should be imported into. To ensure that the private key is imported into the personal store, do not click Automatically select the certificate store based on the type of certificate; instead, click Place all certificates in the following store, and then click Next.

    13. Highlight the Personal store and click OK.

    14. Click Next, and then click Finish to complete the import. A notification will report whether the import was successful.

IMPORTANT: A domain-based account should always be used in association with a Data Recovery Agent, because local accounts might be susceptible to physical offline attacks.
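
The tasks described above, telling the two certificate types apart by their Enhanced Key Usage OID, exporting the DRA certificate with its private key to a password-protected .pfx, and importing that .pfx with the key marked exportable, as an added PowerShell example (not code from the original article or from Microsoft). It assumes Windows PowerShell 3.0 or later on a supported Windows version; the file path and password in the usage comments are placeholders, and absolute paths are expected.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 3.0+.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage: Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced Key Usage: File Recovery (DRA)

function Get-CertificateEkuOids {
    # Returns the Enhanced Key Usage OIDs of a certificate as plain strings.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Get-EfsCertificateSummary {
    # Lists EFS and File Recovery certificates in the current user's Personal
    # store, so an expired DRA certificate or a missing private key is visible.
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        $ekus = @(Get-CertificateEkuOids -Certificate $cert)
        if ($ekus -contains $DraOid)     { $kind = 'File Recovery (DRA)' }
        elseif ($ekus -contains $EfsOid) { $kind = 'Encrypting File System' }
        else                             { continue }
        [pscustomobject]@{
            Kind          = $kind
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

function Export-DraCertificate {
    # Exports the single File Recovery certificate with its private key to a
    # password-protected PKCS #12 (.pfx) file. -RemoveFromStore mirrors the
    # wizard's "Delete the private key if the export is successful" option;
    # use it only after the .pfx has been verified to import on another machine.
    param(
        [Parameter(Mandatory)][string]$PfxPath,          # absolute path
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$RemoveFromStore
    )
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ((Get-CertificateEkuOids -Certificate $_) -contains $DraOid) })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one File Recovery certificate with a private key, found $($certs.Count)."
    }
    $cert = $certs[0]
    try {
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "Private key of $($cert.Thumbprint) is not exportable (imported without 'Mark this key as exportable')."
    }
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    if ($RemoveFromStore) {
        # -DeleteKey also removes the private key container (PowerShell 3.0+).
        Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey
    }
    Get-Item -LiteralPath $PfxPath
}

function Import-DraCertificate {
    # Imports a .pfx into the current user's Personal store with the private
    # key exportable and persisted (the wizard's "Mark this key as exportable"
    # choice) and refuses files that do not carry the File Recovery EKU.
    param(
        [Parameter(Mandatory)][string]$PfxPath,          # absolute path
        [Parameter(Mandatory)][securestring]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, PersistKeySet, UserKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
    if (-not ((Get-CertificateEkuOids -Certificate $cert) -contains $DraOid)) {
        throw "$PfxPath does not contain a File Recovery certificate."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

# Usage (placeholder path; the password is prompted for, never stored in the script):
# Get-EfsCertificateSummary | Format-Table -AutoSize
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-DraCertificate -PfxPath 'E:\dra-backup.pfx' -Password $pw
# Import-DraCertificate -PfxPath 'E:\dra-backup.pfx' -Password $pw
```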

Recovering Data

In the event that encrypted data cannot be recovered by the original user, for example, because the user has left the company, you need a way to recover the data and make it accessible to the company. This section tells how to recover an encrypted file or folder. To do so, you will use Backup or another backup tool to restore the user's encrypted file or folder to the computer where the file recovery certificate and recovery key of the Data Recovery Agent are located.

You must be a designated recovery agent to carry out this procedure. In other words, you must hold the private key and certificate for a DRA identified on the file or folder to be recovered.

Requirements

  • Credentials: Data recovery agent.

  • Tools: Windows Explorer.

  • To restore an encrypted file or folder

    1. Open Windows Explorer.

    2. Right-click the encrypted file or folder that you want to recover, and then click Properties.

    3. On the General tab, click Advanced.

    4. Clear the Encrypt contents to secure data check box.

    5. Make a backup version of the decrypted file or folder and return the backup version to the user.

      Note: You can return the backup version of the decrypted file or folder to the user as an e-mail attachment or on a disk or network file share.

      An alternate approach to recovering data involves physically transporting the recovery agent's private key and certificate to the computer that has the encrypted file, importing the private key and certificate, decrypting the file or folder, and then deleting the imported private key and certificate. This procedure exposes the private key more than the procedure above, but does not require any backup or restore operations or transporting of files.

Best Practices

The following best practices can help a company effectively use and manage encrypted files and folders.

  • Recovery agents should back up their file recovery certificates to a secure location.
    If you are the recovery agent, use the Export command from Certificates in Microsoft Management Console (MMC) to export the file recovery certificate and private key to a floppy disk. Keep the floppy disk in a secure location. Then, if the file recovery certificate or private key on your computer is ever damaged or deleted, you can use the Import command from Certificates in MMC to replace the damaged or deleted certificate and private key with the ones you have backed up on the floppy disk.

  • Use the Default Domain Configuration.
    By default, the administrator of a domain is the default DRA in a Windows 2000 or Windows Server 2003 domain. When the administrator for a domain first logs in with that account a self-signed certificate is generated, the private key is stored in the profile on that computer, and the default domain Group Policy contains the public key of that certificate as the default DRA for the domain.

  • Update lost or expired DRA private keys promptly.
    Although the expiration of a DRA certificate is a minor event, the loss or corruption of the private keys belonging to the DRA is potentially catastrophic for a business.

    An expired DRA certificate (private key) can still be used to decrypt previously encrypted files; however, new or updated encrypted files cannot use the expired certificate (public key). When a business has either lost the private keys of a DRA or the certificate of a DRA has expired, the best practice to follow is to immediately generate one or more new DRA certificates and update Group Policy to reflect the new DRAs. When users encrypt new files or update existing encrypted files, the files will automatically be updated with the new DRA public keys. It might be necessary to encourage users to update all existing files to reflect the new DRAs.

    In Windows XP, the command-line utility cipher.exe has been updated with a /U parameter to update the file encryption key or recovery agent keys on all files on local drives. The following example updates two encrypted files on the local drive where Cipher.exe is run:

    Cipher.exe /U
    C:\Temp\test.txt: Encryption updated.
    C:\My Documents\wordpad.doc: Encryption updated.

Note: When using the default self-signed certificate in a domain without a certification authority, the lifetime of the certificate is 99 years.

The following best practices can help a company protect the data of mobile users in case of theft or loss:

  • Physical protection of the computer is paramount. There is no technological substitute for taking every precaution to ensure the computer is not stolen or physically compromised.

  • Always use the mobile computer as part of an Active Directory domain.

  • Store the private keys for users separately from the mobile computer and import them when needed.

  • For common storage folders such as "My Documents" and temporary folders, encrypt the folder so that all new and temporary files will be encrypted when created.

  • Always create new files, or copy existing plaintext files, into an encrypted folder when the data is extremely sensitive. This will ensure that all files have never existed in plaintext form on the computer, and that temporary data files cannot be recovered by using sophisticated disk analysis attacks.

  • Encrypted folders can be enforced in a domain by using a combination of Group Policy, logon scripts and security templates to ensure that standard folders such as "My Documents" are configured as encrypted folders.

  • The Windows XP operating system supports the encryption of data in offline files. Offline files and folders that are cached locally should be encrypted when using client-side caching policies.

  • Use the system key utility SYSKEY in mode 2 or mode 3 (boot floppy or boot password) on the mobile computer to prevent the system from being booted by malicious users. The system key utility and its options are documented in online help for your version of Windows.

  • Enable Server Message Block (SMB) signing in Group Policy for servers that are trusted for delegation and used for storing encrypted files. This setting is found in Group Policy at this location: GPO-name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Always digitally sign communications.

  • Ensure unencrypted data is removed from the hard drive after encryption of files and periodically thereafter.
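
The logon-script enforcement of encrypted standard folders and the check for plaintext left behind after encryption that the best practices above describe, as an added PowerShell example (not code from the original article or from Microsoft). It assumes cipher.exe is available (Windows XP or later) and that the account has, or can obtain, an EFS certificate; the folder list is constructed for this example and should be adapted.

```powershell
# Added example, not from the original article. Assumes cipher.exe is present.
$StandardFolders = @(
    [Environment]::GetFolderPath('MyDocuments')
    # $env:TEMP can be added here: the article recommends encrypting temporary
    # folders too, but test that with the applications in use first.
)

function Test-EfsEncrypted {
    # True when the file or folder carries the NTFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return (($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-PlaintextFile {
    # Files below the folder still stored in plaintext: files created before the
    # folder was marked encrypted, or files cipher could not touch (in use,
    # System attribute). Returns full paths.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) } |
        ForEach-Object { $_.FullName }
}

function Enable-EfsFolder {
    # Equivalent of "Apply changes to this folder, subfolders and files":
    # /e encrypts, /s:dir recurses from the folder, /a includes files as well
    # as folders. Returns $true when the folder ends up encrypted.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    & cipher.exe /e "/s:$Path" /a | Out-Null
    return (Test-EfsEncrypted -Path $Path)
}

function Invoke-EfsFolderPolicy {
    # Applies the policy to each folder and returns one status object per
    # folder, so a logon script can log which folders still hold plaintext.
    param([string[]]$Folders = $StandardFolders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            [pscustomobject]@{ Folder = $folder; Encrypted = $false; PlaintextFiles = @(); Note = 'folder not found' }
            continue
        }
        $leftovers = @(Get-PlaintextFile -Path $folder)
        if (-not (Test-EfsEncrypted -Path $folder) -or $leftovers.Count -gt 0) {
            [void](Enable-EfsFolder -Path $folder)
            $leftovers = @(Get-PlaintextFile -Path $folder)
        }
        if ($leftovers.Count -gt 0) {
            # Plaintext copies may also survive in free space; cipher /w:dir
            # overwrites deallocated space on that volume after files are handled.
            $note = 'plaintext files remain; review, re-run, and consider cipher /w'
        } else {
            $note = 'ok'
        }
        [pscustomobject]@{
            Folder         = $folder
            Encrypted      = (Test-EfsEncrypted -Path $folder)
            PlaintextFiles = $leftovers
            Note           = $note
        }
    }
}

# Run from a logon script; redirect the output to a log if desired.
Invoke-EfsFolderPolicy | Format-List
```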

For more information about EFS, see the following: