You can implement EFS on systems running Windows 2000 and Windows XP
Professional Edition. Windows 95/98, Windows Millennium Edition, and Windows XP
Home Edition do not support EFS.
Before implementing EFS to protect your corporate data, you need to create a
recovery key. Make sure you keep a backup copy of the Encrypted Recovery Agent
(ERA); this is your insurance policy to decrypt files throughout your domain.
Stand-alone workstations generate their own public key certificate that you can
use for EFS. However, in a domain environment, you'll need to create an ERA
before enabling EFS. After creating the ERA, back it up to a media format that
you can protect under lock and key.
To create an ERA, follow these steps:
Go to Start | Programs | Administrative Tools | Active Directory Users And
Computers. (If you have a stand-alone system, go to Start | Control Panel |
Administrative Tools | Local Security Policy, and skip to Step 4.)
Right-click your domain, and select Properties.
On the Group Policy tab, select the Default Domain Policy, and click the Edit
button.
Go to Computer Settings | Security Settings | Public Key Policies | Encrypted
Data Recovery Agents.
Right-click the policy, and select New | Encrypted Recovery Agent.
Use the wizard to add the recovery agent certificates to the policy.
After creating the certificate, right-click the certificate, select Export, and
use the Certificate Export Wizard to export your certificate to some other
physically securable media (e.g., CD, floppy, etc.).
After the policy refreshes, all users on your domain will be able to safely
encrypt the contents of their files or folders.
Encrypting a file or folder is relatively easy. Follow these steps:
In Windows Explorer, right-click the file or folder you want to encrypt, and
select Properties.
In the Encrypted Files Properties dialog box, click Advanced on the General
tab.
Select the Encrypt Contents To Secure Data check box, and click OK twice.
Make sure you have a copy of your users' certificates to use for emergency
decryption in the event of workstation rebuilds.
Keep in mind that you can't encrypt compressed files or folders. Marking a file
or folder for encryption will automatically uncompress the file or folder. In
addition, copying or moving a file to a non-NTFS volume will automatically
decrypt it.
Final thoughts
It's a good idea to implement EFS in phases after your users have a certificate
and you have a good backup copy of that certificate locked in a drawer.
You can expect your biggest boost in security to come when you implement EFS
for laptop users. If a user loses a laptop, but he or she encrypted data with
the domain account, that data will remain secure.
-----Original Message-----
From: Larry [mailto:larry.chin@sympatico.ca]
Sent: 26 April 2006 03:28 PM
To: focus-ms@securityfocus.com
Subject: EFS rollout using Active Directory
Greetings:
Does anyone have a procedure for implementing Microsoft EFS using Active
Directory ?
I have to roll EFS out to 2000+ laptops and would like to implement using
Active Directory, but I don't have a lot of experience with AD.
Thanks
/LC
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
