Encrypting File System (EFS) - Encrypting folders and files in Windows


06.12.2020

Laboratory work

Computer science, cybernetics and programming

Right-click the file or folder in My Documents that you want to encrypt and select Properties from the context menu. In the properties window that appears, on the General tab, click the Other button. Under Compression and encryption attributes, select the Encrypt content to protect data check box and click OK. Click OK in the properties window of the file or folder being encrypted; in the dialog box that appears, specify the encryption mode: Only to this folder, or To this folder and all subfolders and files.

Laboratory work No. 5

Encrypting File System (EFS) and certificate management

Objectives

  • Explore the capabilities of the Encrypting File System (EFS) in Windows 2000 (XP).
  • Examine the sequence of operations for encrypting and decrypting files with EFS in Windows 2000 (XP).
  • Acquire practical skills in protecting information from unauthorized access.

Brief theoretical information

The Encrypting File System (EFS) allows users to store data on disk in encrypted form.

Encryption is the process of converting data into a format that other users cannot read. After a file has been encrypted, it automatically remains encrypted anywhere on disk.

Decryption is the process of converting data from an encrypted form to its original format.

When working with the Encrypting File System (EFS), the following information and recommendations should be taken into account.

  1. Only files and folders located on NTFS volumes can be encrypted.
  2. Compressed files and folders cannot be encrypted. If encryption is performed on a compressed file or folder, the file or folder is converted to an uncompressed state.
  3. Encrypted files can become decrypted if the file is copied or moved to a volume that is not an NTFS volume.
  4. When you move unencrypted files to an encrypted folder, they are automatically encrypted in the new folder. However, the reverse operation will not automatically decrypt the files. The files must be explicitly decrypted.
  5. Files with the System attribute, and files located in the folder structure under the system root directory, cannot be encrypted.
  6. Encrypting a folder or file does not protect it from being deleted. Anyone with delete rights can delete encrypted folders or files.
  7. The encryption process is transparent to the user.

Note. Transparent encryption means that the file does not need to be decrypted before use. You can open the file as usual and modify it. In transparent encryption systems (encryption “on the fly”), cryptographic transformations are carried out in real time, unnoticed by the user. For example, a user writes a document prepared in a text editor to a protected disk, and the protection system encrypts it during the write process.

Using EFS is similar to using file and folder permissions: both methods restrict access to data. Unlike permissions, however, EFS also stops an attacker who has gained unauthorized physical access to encrypted files and folders from reading them. When such a user tries to open or copy an encrypted file or folder, a message appears stating that access is denied.

Files are encrypted and decrypted by setting the encryption property of folders and files, just as you set other attributes such as read-only, compressed, or hidden. If a folder is encrypted, all files and subfolders created in it are automatically encrypted. Folder-level encryption is recommended. The Encrypting File System automatically generates an encryption key pair for the user if one does not yet exist. EFS uses the DESX encryption algorithm, an extension of the Data Encryption Standard (DES).

The task:

Enable and disable file encryption with the Encrypting File System (EFS). Export a certificate with its keys so that the files can be decrypted on another computer.

Procedure for performing the work.

A) To enable encryption mode, follow these steps.

1. Select the file or folder you want to encrypt (for example, create the file cipher.doc in the My Documents folder), right-click it and select the Properties command.

2. In the properties window that appears, on the General tab, click the Others... button. The Additional attributes dialog box appears.

3. In the Compression and encryption attributes group, check Encrypt content to protect data and click OK.

4. Click OK in the properties window of the file or folder being encrypted; in the dialog box that appears, specify the encryption mode:

  • Only to this folder

or

  • To this folder and all subfolders and files.

Attention! After completing these steps, the file containing your information is encrypted automatically. It will be impossible to view it on another PC.

B) To turn off the encryption mode, follow these steps.

  1. Select the file cipher.doc in the My Documents folder.
  2. Right-click it and select Properties.
  3. On the General tab, click the Others... button.
  4. In the dialog box that opens, in the Compression and encryption attributes group, uncheck Encrypt content to protect data.

Attention! After completing these steps, the file containing your information is no longer encrypted.
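The following PowerShell script is an added example and is not part of the lab text. It checks the rules from the Brief theoretical information (NTFS volume, compressed item, System attribute, system root directory) against a path, then performs step A (enable encryption) and step B (disable encryption) with the built-in cipher.exe utility instead of the Explorer dialog, and verifies the outcome through the file's Encrypted attribute. It assumes a Windows machine on which the current user is permitted to use EFS; the sample file cipher.doc in My Documents is constructed, as in the lab.

```powershell
# Added example: EFS eligibility check plus enable/disable via cipher.exe.
# Assumes Windows with EFS available to the current user.

function Test-EfsEligibility([string]$Path) {
    $item  = Get-Item -LiteralPath $Path
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $root
    $reasons = @()
    # Rule 1: only NTFS volumes support EFS
    if ($drive.DriveFormat -ne 'NTFS') {
        $reasons += "volume $root is $($drive.DriveFormat), not NTFS (rule 1)"
    }
    # Rule 2: a compressed item is uncompressed when it is encrypted
    if (($item.Attributes -band [IO.FileAttributes]::Compressed) -ne 0) {
        $reasons += 'item is compressed and will be uncompressed by encryption (rule 2)'
    }
    # Rule 5: System-attribute files and the system root are never encrypted
    if (($item.Attributes -band [IO.FileAttributes]::System) -ne 0) {
        $reasons += 'item has the System attribute and will not be encrypted (rule 5)'
    }
    if ($item.FullName -like "$($env:SystemRoot)*") {
        $reasons += 'item is under the system root directory (rule 5)'
    }
    [pscustomobject]@{
        Path     = $item.FullName
        Eligible = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is what Explorer shows as the checked box
    ((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
}

function Set-EfsEncryption([string]$Path, [switch]$Disable) {
    # cipher /E corresponds to step A, cipher /D to step B.
    # /A applies the operation to files as well as directories;
    # /S:dir recurses like "To this folder and all subfolders and files".
    $op   = if ($Disable) { '/D' } else { '/E' }
    $item = Get-Item -LiteralPath $Path
    if ($item.PSIsContainer) {
        & cipher.exe $op /A "/S:$($item.FullName)" | Out-Null
    } else {
        & cipher.exe $op /A $item.FullName | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
    Test-EfsEncrypted -Path $Path
}

# Demonstration on a constructed sample file (the lab's cipher.doc)
$doc = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'cipher.doc'
Set-Content -LiteralPath $doc -Value 'constructed sample document'
Test-EfsEligibility -Path $doc | Format-List
Set-EfsEncryption -Path $doc            # step A: returns the Encrypted state after encrypting
Set-EfsEncryption -Path $doc -Disable   # step B: returns the Encrypted state after decrypting
```

The eligibility check is worth running before step A on anything outside your own profile: cipher.exe silently skips System-attribute files, so the only reliable confirmation that a file is protected is the Encrypted attribute read back afterwards, which is what Set-EfsEncryption returns.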

C) Creating a backup copy of the certificate in Windows 2000 (XP).

A backup copy of the certificate is required to decrypt data after reinstalling the operating system, or to read protected information transferred to another PC.

Attention! Before reinstalling the operating system, be sure to make copies of the certificates: after reinstallation you will otherwise be unable to decrypt the information.

Follow these steps to create a backup copy of the certificate:

  1. Click the Start button on the taskbar.
  2. Go to the Run item.
  3. In the window that opens, enter the command mmc in the input field.
  4. This opens the Microsoft Management Console (MMC).

Note. The MMC console is a tool for creating, saving, and opening sets of administration tools called consoles. Consoles contain items such as snap-ins, snap-in extensions, controls, tasks, wizards, and the documentation needed to manage much of the hardware, software, and networking components of a Windows system. You can add items to an existing console, or create new consoles and customize them to manage specific system components.

  5. In the Console menu, select the Add/Remove Snap-in command (Figure 1) and click Add.

Figure 1

  6. In the Snap-in box, double-click Certificates (Figure 2), select the Computer account option, and click Next.

Figure 2

  7. Perform one of the following actions:
    • To manage certificates on the local computer, select Local computer and click Finish.
    • To manage certificates on a remote computer, select Another computer and enter the computer name, or click Browse to select a computer, then click Finish.
  8. Click the Close button.
  9. The item Certificates (computer name) appears in the list of selected snap-ins for the new console.
  10. If you do not want to add other snap-ins to the console, click OK.
  11. To save this console, in the Console menu select the Save command and name the snap-in Certificates.
  12. Close the Console window and select Start, then All Programs.
  13. Find the Administration item and select the Certificates sub-item (the Certificates snap-in is now available in the Start menu).
  14. In the left pane of the Certificates snap-in, open the Trusted root certificates folder and then the Certificates folder. A list of certificates appears in the right pane.
  15. Select the certificate to be transferred (for example, the first in the list, Figure 3) and right-click it. In the context menu that appears, select All Tasks and then Export.

Figure 3

  16. The Certificate Export Wizard starts.
  17. Click Next.
  18. In the next wizard window, select the option Yes, export the private key.
  19. Click Next.
  20. In the next wizard window only one format is available (PFX), intended for personal information exchange. Click Next.
  21. In the next windows, enter the password (for example, 11) that protects the certificate.pfx file, and the path where the file certificate.pfx is to be saved (write down the path of the folder in which you saved the copy of the certificate).
  22. Click Next.
  23. A list of the exported certificates and keys is displayed. Click Finish.
  24. Complete the Certificate Export Wizard by clicking OK in the dialog box reporting that the export completed successfully.

As a result, the certificate and private key are exported to the file certificate.pfx (extension .pfx), which can be copied to a floppy disk and transferred to another computer, or used after reinstalling the operating system.

Follow these steps to restore a certificate from a backup.

  1. Transfer the certificate.pfx file created in the previous step to the computer (remember the path to the copy of the certificate).
  2. Run the Certificates snap-in: click the Start button on the taskbar, then All Programs / Administration / Certificates.
  3. In the tree of the Certificates snap-in, open the Trusted root certificates folder, then the Certificates folder. A list of your certificates appears in the right pane.
  4. Right-click an empty spot in the right pane.
  5. In the context menu that appears, select the All Tasks command.
  6. In its submenu, select the Import command.
  7. The Certificate Import Wizard starts.
  8. Follow the wizard's instructions: specify the location of the certificate.pfx file and enter the password protecting it.
  9. To start the import, click Finish and then OK.
  10. After the import completes, click OK and close the wizard window.

As a result, the current user (you) can again work with the encrypted data on this computer.
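The following PowerShell script is an added example, not the lab's own procedure, that performs the backup and restore of section C without the MMC wizard. Windows keeps the user's EFS file-encryption certificate in the current user's Personal store (Cert:\CurrentUser\My), marked with the Encrypting File System enhanced key usage; the lab's screenshots walk through the computer's Trusted root certificates folder instead, so the store used here is a deliberate difference. The file name certificate.pfx and the password prompt are constructed; Export-PfxCertificate and Import-PfxCertificate come from the PKI module shipped with Windows 8 / Server 2012 and later, and are assumed to be available.

```powershell
# Added example: back up and restore the current user's EFS certificate.
# Assumes the PKI module (Export-PfxCertificate / Import-PfxCertificate).

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # EFS certificates live in the user's Personal store and carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Backup-EfsCertificate([string]$PfxPath, [securestring]$Password) {
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        throw 'no EFS certificate with a private key in Cert:\CurrentUser\My (encrypt a file first)'
    }
    # Windows issues a new EFS certificate when the old one expires; take the newest.
    $newest = $certs | Sort-Object NotBefore -Descending | Select-Object -First 1
    # PFX = certificate + private key, password-protected: the wizard's
    # "Yes, export the private key" choice.
    Export-PfxCertificate -Cert $newest -FilePath $PfxPath -Password $Password | Out-Null
    return $newest.Thumbprint
}

function Restore-EfsCertificate([string]$PfxPath, [securestring]$Password) {
    # -Exportable keeps the restored key exportable so it can be backed up again later.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
    return $imported.Thumbprint
}

# Demonstration: constructed path and interactive password
$pfxPath     = Join-Path $env:USERPROFILE 'Desktop\certificate.pfx'
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$thumbprint  = Backup-EfsCertificate -PfxPath $pfxPath -Password $pfxPassword
# After an OS reinstall or on another PC, the restore brings the same key back:
(Restore-EfsCertificate -PfxPath $pfxPath -Password $pfxPassword) -eq $thumbprint
```

The thumbprint comparison is the check that matters: files encrypted before the reinstall are bound to the key behind that thumbprint, and a freshly generated EFS certificate, even for the same user name, will not open them. On Windows Vista and later, `cipher /X` produces the same kind of PFX backup from the command line.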

Self-study assignments

  1. Export certificate No. 2 from the Intermediate Certification Authorities folder (Root Agency); save the screenshots for the report to the teacher.
  2. Import the exported certificate into the Personal folder (save the screenshots for the report to the teacher).

Control questions

  1. What is included in a cryptosystem?
  2. Compare the public-key and private-key encryption methods (asymmetric and symmetric encryption).
  3. What is MMC?
  4. What does EFS allow?

Description of the report form

The completed assignment for independent work and answers to control questions must be sent to the teacher for verification.



The Encrypting File System is a service that is tightly integrated with NTFS and resides in the Windows 2000 kernel. Its purpose is to protect data stored on disk from unauthorized access by encrypting it. The appearance of this service is not accidental and has been expected for a long time. The fact is that existing file systems do not provide the necessary protection of data against unauthorized access. An attentive reader may object: what about Windows NT with its NTFS? After all, NTFS provides access control and protects data from unauthorized access! Yes, that is true. But what about the case when the NTFS partition is accessed not through the Windows NT operating system but directly, at the physical level? This is relatively easy to do, for example by booting from a floppy disk and running a special program such as the very common ntfsdos. As a more sophisticated example, there is the product NTFS98, which can be downloaded

(the unregistered version allows reading NTFS volumes from under Windows98, the registered version also allows writing to such volumes). Of course, you can foresee such a possibility and set a password to start the system, however, practice shows that such protection is ineffective, especially when several users work at one computer at once. And if an attacker can remove a hard drive from a computer, then no passwords will help here. By connecting the drive to another computer, you can read its contents as easily as this article. Thus, an attacker can freely take possession of confidential information stored on the hard drive.

The only way to protect against physical data reading is to encrypt the files. The simplest case of such encryption is archiving a file with a password. However, there are a number of serious disadvantages here. First, the user needs to manually encrypt and decrypt (that is, in our case, archive and unzip) the data each time before and after the end of work, which in itself reduces the security of the data. The user may forget to encrypt (archive) the file after finishing work, or (even more trite) simply leave a copy of the file on disk. Second, user-invented passwords are usually easy to guess. In any case, there are enough utilities that allow you to unpack password-protected archives. As a rule, such utilities brute-force the password by searching the words written in the dictionary.

EFS was designed to overcome these shortcomings. Below we take a closer look at the details of encryption technology, EFS user interactions and data recovery methods, learn about the theory and implementation of EFS in Windows 2000, and take a look at an example of encrypting a directory using EFS.

Encryption technology

EFS uses the Windows CryptoAPI architecture and is based on public-key encryption technology. A file encryption key is generated at random for each file; in principle any symmetric encryption algorithm could be used to encrypt the file with that key. Currently EFS uses a single algorithm, DESX, a modification of the widespread DES standard.

EFS encryption keys are stored in a non-paged (resident) memory pool (EFS itself resides in the Windows 2000 kernel), which prevents unauthorized access to them through the paging file.
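The two paragraphs above describe a hybrid scheme: a random per-file key protects the data with a symmetric cipher, and the per-file key is in turn protected with public-key cryptography. The PowerShell model below is an added example, not EFS code and not from the article, that shows why this layout lets more than one key pair open the same file, which is what makes the data recovery agent discussed later on this page possible. AES stands in for DESX, RSA key pairs are generated on the fly instead of coming from certificates, and the names Protect-FileModel / Unprotect-FileModel and the "user"/"agent"/"other" principals are constructed for the demonstration.

```powershell
# Added example: a model of the EFS key hierarchy (not the real on-disk format).
# Per-file key (FEK) -> symmetric encryption of content;
# FEK wrapped under each authorised public key -> one entry per principal.

function New-ModelKeyPair {
    # Stand-in for the key pair behind a user's or recovery agent's certificate.
    New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Get-PublicOnly([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair) {
    # Wrapping a FEK needs only the public half, just as EFS needs only the
    # certificate (not the private key) of each principal it adds to a file.
    $pub = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

function Protect-FileModel([byte[]]$Plaintext, [hashtable]$PublicKeys) {
    # 1. Random per-file key
    $fek = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($fek)
    # 2. Symmetric encryption of the content (AES here; Windows 2000 EFS used DESX)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.GenerateIV()
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # 3. Wrap the FEK for every principal (OAEP padding); the raw FEK is then discarded
    $wrapped = @{}
    foreach ($name in $PublicKeys.Keys) {
        $wrapped[$name] = $PublicKeys[$name].Encrypt($fek, $true)
    }
    [Array]::Clear($fek, 0, $fek.Length)
    return @{ IV = $aes.IV; Data = $data; WrappedKeys = $wrapped }
}

function Unprotect-FileModel($Envelope, [string]$Principal,
                             [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey) {
    if (-not $Envelope.WrappedKeys.ContainsKey($Principal)) {
        throw "access denied: no key entry for $Principal"
    }
    # Throws if the private key does not match the entry's public key
    $fek = $PrivateKey.Decrypt($Envelope.WrappedKeys[$Principal], $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Data, 0, $Envelope.Data.Length)
    return ,$plain
}

# Demonstration with constructed keys and content
$user  = New-ModelKeyPair   # the file's owner
$agent = New-ModelKeyPair   # data recovery agent defined by policy
$other = New-ModelKeyPair   # a principal never granted access
$content = [Text.Encoding]::UTF8.GetBytes('contents of cipher.doc')

$envelope = Protect-FileModel -Plaintext $content -PublicKeys @{
    user  = (Get-PublicOnly $user)
    agent = (Get-PublicOnly $agent)
}
[Text.Encoding]::UTF8.GetString((Unprotect-FileModel $envelope 'user'  $user))    # owner reads it
[Text.Encoding]::UTF8.GetString((Unprotect-FileModel $envelope 'agent' $agent))   # agent reads it too
try { Unprotect-FileModel $envelope 'other' $other } catch { "other: $($_.Exception.Message)" }
```

Two properties of the model carry over to the real system: the content is encrypted once, however many principals are authorised, because only the small FEK is wrapped per principal; and losing the private key behind an entry (the reinstall case warned about in the lab) makes that entry useless, which is exactly why a recovery agent entry or a PFX backup of the user's key is needed.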

User interaction

By default, EFS is configured so that the user can start using file encryption right away. Encryption and the reverse operation are supported for both files and directories. If a directory is encrypted, all files and subdirectories in it are automatically encrypted. Note that if an encrypted file is moved or renamed from an encrypted directory into an unencrypted one, it still remains encrypted. Encryption and decryption operations can be performed in two ways: through Windows Explorer or with the Cipher console utility.

In order to encrypt a directory from Windows Explorer, the user just needs to select one or more directories and select the encryption checkbox in the extended directory properties window. All files and subdirectories created later in this directory will also be encrypted. Thus, you can encrypt a file simply by copying (or transferring) it to an "encrypted" directory.

Encrypted files are stored encrypted on disk. When the file is read, the data is automatically decrypted, and when it is written, it is automatically encrypted. The user can work with encrypted files in the same way as with ordinary files, that is, open and edit documents in a text editor Microsoft Word, edit drawings in Adobe Photoshop or the graphics editor Paint, and so on.

It should be noted that under no circumstances should you encrypt files that are used at system startup: at that time the user's private key used for decryption is not yet available, and the system may fail to start! EFS provides simple protection against this situation: files with the System attribute are not encrypted. But be careful, because this can itself create a security hole: a file you believe to be encrypted may in fact be left in plaintext. Check whether the file's System attribute is set to make sure the file will actually be encrypted.

It is also important to remember that encrypted files cannot be compressed using Windows 2000 and vice versa. In other words, if a directory is compressed, its contents cannot be encrypted, and if the contents of a directory are encrypted, then it cannot be compressed.

In the event that you need to decrypt data, you just need to uncheck the encryption boxes for the selected directories in Windows Explorer, and files and subdirectories will be automatically decrypted. It should be noted that this operation is usually not required, as EFS provides a "transparent" operation with encrypted data for the user.


The Encrypting File System (EFS) is a powerful option for protecting data stored on Windows computers. EFS is free and has been included with every Windows OS since Windows 2000. Technology advances everywhere, and EFS is no exception: it has become much easier to use EFS across most of the storage environment. However, you may not need EFS everywhere, so you should narrow down and control where it can be used. Group Policy is therefore a good way to manage EFS.

Two stages of EFS management

EFS has two levels of configuration. The first is the computer level, which determines whether EFS is supported and available on the machine at all. The second is the folder and file level, where the actual data encryption is performed.

Windows 2000 (Server and Professional), Windows XP Professional, Windows Server 2003, Windows Vista, and Windows Server 2008 all support encryption of data stored on the computer. By default, all of these computers support data encryption with EFS. Of course, this can also be a drawback, since for logistical reasons some data, or some computers, should not be encrypting data at all.

The logistics in question is that users are allowed to encrypt data. Since all computers support data encryption by default and every user can do it, data can be encrypted on the local computer as well as data shared over the network. Figure 1 shows the option through which data can be encrypted on a Windows XP Professional computer.

Figure 1: Encryption is a property of the file or folder

To reach the encryption option shown in Figure 1, open the properties of the file or folder you want to encrypt by right-clicking it and choosing Properties from the context menu. Then click the Advanced button in the Properties dialog box, which displays the Advanced Attributes dialog box.

Controlling EFS Support for Active Directory Domain Computers

When a computer joins an Active Directory domain, the EFS support option can no longer be controlled on the computer itself. Instead, it is controlled by the default domain policy stored in Active Directory. All computers in a Windows Active Directory domain support EFS simply by joining it.

Note that Windows 2000 domains manage this setting in the default domain policy differently from Windows Server 2003 and Windows Server 2008 domains.

Windows 2000 Domain Control over EFS

Windows 2000 computers support EFS slightly differently from later operating systems, so the EFS configuration in the default domain policy is different. For Windows 2000, EFS is enabled or disabled based on the EFS Data Recovery Agent certificate included in the default domain policy. By default, the administrator account holds this certificate and is configured as the data recovery agent. If the data recovery certificate is missing, EFS does not work.

To reach this setting in the default domain policy, follow this path while editing the GPO in the Group Policy Editor:

Computer Configuration \ Windows Settings \ Security Settings \ Public Key Policies \ Encrypted Data Recovery Agents

At this location, you will see the EFS file encryption certificate for the administrator, as shown in Figure 2.

Figure 2: Windows 2000 domains display the EFS file encryption certificate as a username, such as Administrator

This setting is what gives all computers the ability to encrypt files. To disable it, simply remove the administrator's certificate from the GPO. If you then decide to enable the feature on a limited set of computers in Active Directory, follow these steps:

  1. Create a new GPO and link it to an OU containing all computers that need file encryption support.
  2. Go to the Encrypted Data Recovery Agents node in the GPO and add a certificate that supports EFS data recovery.

This will give computers covered by the GPO the ability to use EFS for data stored on those computers.

Control of Windows 2003 and 2008 Domains over EFS

Newer domains and operating systems (all that came out after Windows 2000) support EFS in much the same way, but have their own specific differences.

  1. No data recovery agents are required to encrypt data on computers later than Windows 2000.
  2. EFS is not controlled by including the Data Recovery Agent certificate in the GPO.
  3. EFS supports multiple user access to encrypted files.

Thus, for Windows 2003 and 2008 domains you need a different set of steps to control EFS on computers that belong to those domains. The setting is still in the default domain policy, at the following path:

Computer Configuration \ Windows Settings \ Security Settings \ Public Key Policies \ Encrypting File System

Now, instead of configuring a data recovery agent, right-click the Encrypting File System node and select Properties from the menu that appears. On a Windows 2003 domain you will see a line that says "Allow users to encrypt files using the Encrypting File System (EFS)". Windows Server 2008 domains have a radically redesigned interface that provides multi-faceted EFS control on this property page, as shown in Figure 3.

Figure 3: Windows Server 2008 Provides Multifaceted Control over EFS

Note that on the General tab there is an opposing option, Don't Allow. It can be used to disable EFS support on all computers in the domain. Also note the many other EFS control options available in this dialog box.

You can also target specific computers in a domain by following the steps in the Windows 2000 domain section above.
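Before a domain-wide Don't Allow is rolled out, an administrator wants to know which machines currently have EFS enabled and which files on them are already encrypted, since those files stay unreadable without their users' keys or a recovery agent once EFS is turned off. The PowerShell audit below is an added example, not from the article. It reads the EfsConfiguration value (1 = EFS disabled) both from the Group Policy key and from the local key, which is the registry location Windows uses for this setting but which the page itself does not name, and then inventories encrypted files under a folder through the Encrypted file attribute. The My Documents path used for the demonstration is constructed.

```powershell
# Added example: audit EFS policy state and inventory encrypted files on one computer.
# Registry locations are standard Windows ones; they are not named on the page.

function Get-EfsPolicyState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'   # written by the GPO
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'            # local setting
    $fromPolicy = (Get-ItemProperty -Path $policyKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    $fromLocal  = (Get-ItemProperty -Path $localKey  -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    # Policy wins over the local value; absence of both means the default (enabled)
    $effective = if ($null -ne $fromPolicy) { $fromPolicy } elseif ($null -ne $fromLocal) { $fromLocal } else { 0 }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicyValue     = $fromPolicy      # $null when no GPO sets it
        LocalValue      = $fromLocal
        EfsEnabled      = ($effective -ne 1)
        ControlledByGpo = ($null -ne $fromPolicy)
    }
}

function Get-EncryptedFiles([string]$Root) {
    # Files carrying the Encrypted attribute: the ones that would need a
    # recovery agent or the owner's PFX backup if EFS were disabled now.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Demonstration on the current machine and the user's My Documents folder
Get-EfsPolicyState | Format-List
Get-EncryptedFiles -Root ([Environment]::GetFolderPath('MyDocuments')) | Format-Table -AutoSize
```

Run across the computers in the OU before linking the restrictive GPO, the first function shows where the change will actually take effect (ControlledByGpo) and the second gives the list of files whose owners need to decrypt them or have their keys backed up first.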

Conclusion

EFS is a powerful and useful option for encrypting data stored on Windows computers. Encryption helps protect your data from users or attackers who manage to reach it but cannot decrypt it. Using EFS is a two-step process: first, EFS must be enabled on the computer. This option is controlled through Group Policy, or set when the computer joins the domain. Administrators can enable or disable EFS on any computer in the domain through a GPO setting. If you disable EFS for all computers and then create and configure a new GPO for a subset of them, only those computers will be able to use EFS.

One of the lesser-known features of Windows is the Encrypting File System (EFS). It lets you quickly encrypt and password-protect your files and folders in Windows using your own user account. Because the files or folders are encrypted with keys protected by your Windows user account password, other users on the system, including the administrator, cannot open, modify, or move those folders or files. EFS is useful if you do not want other users to view your files and folders. This guide shows how to put a password on a folder and files using built-in Windows tools, without third-party programs.

Encrypting File System and BitLocker are completely different encryption systems, and EFS is the less secure of the two: anyone who knows your account password can easily access the files. EFS cannot encrypt entire disk partitions; it works only with files and folders, whereas BitLocker works only with whole disks and flash drives.

How to put a password on a folder and files

All you need to do is check one box and create a backup of the security certificate. To get started, select the folder with the files you want to protect with EFS, right-click it and select Properties.

  • On the General tab, click the Other attributes button.

  • In the Additional attributes window, check the box Encrypt content to protect data.

  • If the folder already contains files, a further window pops up. Click Apply to all subfolders and files.

  • An icon of a folder with an exclamation mark appears in the notification area; click it to continue the setup.

  • Create a copy of the key by selecting the Archive now option.

  • Set the options as shown in the picture.

  • Check the Password box and create a password for your folder and files.

  • Choose any name for your security certificate and any path to store it in.

  • I stored the certificate on the desktop and then hid it through the folder properties.

© 2020 hecc.ru - News of computer technologies