Protecting Sensitive Information from Theft on Windows XP Professional in a Workgroup

On This Page

Introduction
Before You Begin
Using EFS
Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu
Backing up a User's EFS Certificate
Establishing a Data Recovery Agent
Recovering Encrypted Data
Best Practices
Related Information

Introduction

In many businesses, users travel with portable computers that they use in customer facilities, airports, hotels, and at home. This mobility creates new risks: portable computers can be stolen and the data on them can become accessible to hostile users. For example, an attacker who has physical access to your computer may be able to use a boot disk to access your hard disk or remove the hard disk and attach it to another computer.

In other organizations, users share desktop computers. They may share some data, but typically have at least some documents that they need to protect from being read or altered by other users.

One way to minimize these risks is to use Encrypting File System (EFS). EFS is a Microsoft technology that lets you encrypt files on your computer and control who can decrypt or recover these files. When data is encrypted, it cannot be easily read or modified, even if the intruder has physical access to the computer's hard disk. (Encrypted data can, however, still be deleted.)

To use EFS, a user must have a special Encrypting File System certificate and private key that allow the holder to encrypt and decrypt data using EFS. But enabling a user to use EFS poses its own unique risks. First, if users lose their EFS certificates and private keys, their encrypted data can become virtually inaccessible. For this reason, it is essential to back up the certificates and private keys used to encrypt the data on a portable computer or workstation.

Encrypted data can also become inaccessible if the user is unavailable or suddenly leaves the organization. To protect against these potential risks, it is very important to set up and register a data recovery agent who can decrypt all EFS-encrypted files on computers in his or her scope.

This document provides step-by-step instructions for using EFS to protect sensitive data from theft and compromise in a small to medium-sized business that does not have an Active Directory directory service installed. It does not discuss special security measures that should be taken for shared data stored on network file servers. The procedures in this document guide you through the following tasks:

  • Begin using EFS on computers running Windows XP Professional. This process takes approximately one to five minutes, depending on the number of folders and files being encrypted.

  • Configure Windows Explorer to simplify EFS use. This process takes approximately three minutes.

  • Create and safeguard a recovery key to ensure that encrypted data can be safely recovered by the original user. This process takes approximately three minutes.

  • Register one or more data recovery agents who can recover encrypted files when the original user cannot do so. This process takes approximately five minutes.

  • Back up and import encryption keys to enable the safe recovery of encrypted files and folders. These processes take approximately three minutes each.

  • Recover data when the original user cannot do so. This process takes approximately one to five minutes, depending on the number of folders and files being recovered.

    Note: All of the procedures described in this document can also be used to manage EFS on a standalone computer running Windows Server 2003.

By following the procedures in this document, you will make the following system-wide changes:

  • Enable EFS for encrypting data on a computer hard disk.

  • Configure Windows Explorer to include EFS options.

  • Create a data recovery agent.

This document also lists several important best practices for using EFS.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

The procedures in this document help you configure and use EFS on computers running a generic configuration of Windows XP Professional that are disconnected from a network and where domain-based EFS management is not being enforced.

Before you begin, you should be familiar with some basic requirements and conditions for using EFS:

  • You can encrypt files and folders only on NTFS file system volumes. You cannot use EFS to protect data on hard disk drives that use the FAT or FAT32 file system. Unless you have a specific reason to continue using the FAT file system, it is recommended that you convert these volumes to use NTFS.

  • When you encrypt documents on an NTFS volume, documents will be immediately decrypted as soon as they are removed from the NTFS volume. This includes attaching the files in e-mail, copying them over a network to a file server, or saving them to most types of removable media. If you want to keep the documents encrypted when you copy them to other locations, you can use the Backup program found by clicking Start, All Programs, Accessories, System Tools.

  • Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed.

  • Files in the %systemroot% folder, such as C:\Windows, cannot be encrypted. Files marked as belonging to the operating system also cannot be encrypted.

  • The system creates a special Encrypting File System certificate the first time that a user encrypts a file or folder. If this certificate and accompanying private key are deleted or otherwise lost, it is virtually impossible to regain access to the encrypted data. For this reason, it is essential to create a data recovery agent (DRA) before using EFS for the first time.

The manner in which sensitive documents are used and transported is frequently controlled by an organization's policies and procedures or public laws and regulations. Before you carry out the procedures in this document, work with your legal counsel to ensure that your planned encryption policies and procedures comply with legal requirements.

Using EFS

This section provides instructions on using EFS. Be sure to create a recovery agent and generate and back up a recovery key as part of the overall strategy for using EFS to help protect files and folders from unauthorized access.

Note: Screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.

Requirements

  • You must be a user with NTFS permissions to modify a file or folder. You also need an EFS certificate, which will be issued to you automatically as part of this procedure.

  • This procedure is performed using Windows Explorer.

To encrypt a file or folder by using EFS

  1. Right-click Start, and then click Explore. Click My Documents.

  2. Right-click the file or folder that you want to encrypt, and then click Properties.

    Note: In general, encrypt folders rather than individual files, because all files stored in these folders will themselves be encrypted, which simplifies data management.

  3. On the General tab, click Advanced.

  4. Select the Encrypt contents to secure data check box, and then click OK.

  5. In the Properties dialog box, click OK, and then do one of the following:

    • If you are encrypting a file:

      • If you want to encrypt a file and the parent folder, in the Encryption Warning dialog box, click Encrypt the file and the parent folder.

      • If you want to encrypt a file only, in the Encryption Warning dialog box, click Encrypt the file only.

    • If you are encrypting a folder:

      • If you want to encrypt a folder and its subfolders and files, in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files. This is the most secure and easiest-to-manage option.

      • If you want to encrypt a folder only, in the Confirm Attribute Changes dialog box, click Apply changes to this folder only. Existing files and subfolders in the folder will not be encrypted, but any files or subfolders that are placed in the folder will be encrypted.

  6. Click OK to accept and apply your encryption choices.

Verifying That EFS Has Been Enabled

To verify that you have completed this procedure correctly, open Windows Explorer and examine the names and properties of the files and folders that you have encrypted. If the file and folder names and their associated properties appear in green rather than the default black font, the files and folders have been encrypted successfully.

If the names of files and folders that have been encrypted do not appear in green, you may need to enable this feature for each user.

To show encrypted file and folder names and attributes in color

  1. In Windows Explorer, on the Tools menu, click Folder Options.

  2. Click the View tab, then scroll down and click Show encrypted or compressed NTFS files in color. Click OK.

You can also right-click the folder or file, click Properties, and then click Advanced. The Encrypt contents to secure data check box should be selected.

Alternatively, log off and then log back on with a different user account. Attempt to open a file encrypted using the original user account. If access is denied, then the file has been encrypted.

Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu

If your users will be modifying encryption and decryption options for files and folders on a regular basis, you may want to provide them with more direct access to these options than using the procedure described above. You can simplify these steps by configuring Windows Explorer to display Encrypt and Decrypt on the shortcut menu of each computer when a user right-clicks a file. To enable this, you need to edit the Windows registry on each computer to create a new registry value that does not exist by default.

CAUTION: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valuable data on the computer.

Requirements

  • You must be logged on as an administrator and have experience editing the registry to complete this procedure.

  • This procedure is performed using the Registry Editor (Regedit.exe).

To enable Encrypt/Decrypt options on the Windows Explorer menu

  1. Click Start, click Run, type regedit, and then click OK.

  2. Navigate to the following registry path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\

  3. On the Edit menu, click New, and then click DWORD Value.

  4. Type EncryptionContextMenu for the name of the DWORD Value, and then press Enter.

  5. Right-click the DWORD Value you just created, and then click Modify.

  6. In the Edit DWORD Value dialog box, in the Value data box, type 1, and then click OK. (Under Base, the default selection, Hexadecimal, should not be changed.)

  7. Click File, and then click Exit to close the Registry Editor.

Verifying that the Encrypt/Decrypt Options on the Windows Explorer Menu Have Been Enabled

To verify that you have completed this procedure correctly, open Windows Explorer and right-click a file or folder. If the file or folder is not encrypted, an Encrypt option should appear on the context menu. If the file or folder is encrypted, a Decrypt option should appear on the context menu.

Backing up a User's EFS Certificate

In many organizations, users will be responsible for backing up their own EFS certificates. This is needed to recover the user's encrypted data in case the EFS certificate on the computer is no longer usable.

Requirements

  • To back up an EFS certificate, you must be the user identified as the owner of the certificate.

  • To complete this procedure, use the Certificates snap-in in Microsoft Management Console.

To export the EFS certificate for a user

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Add. A list of all the registered snap-ins on the current computer appears.

  4. Double-click the Certificates snap-in and then click Finish. An icon indicating that a Certificates - Current User snap-in has been installed will be listed in the Add/Remove Snap-in dialog box.

    Note: If you are performing this procedure as a user with Administrator credentials, you will have to specify whether to use the Certificates snap-in to manage certificates associated with your User account, a Service account, or the Computer account. You should select your User account from the list.

  5. In the Add Standalone Snap-in dialog box, click Close, and then in the Add/Remove Snap-in dialog box, click OK. MMC now displays the personal certificates for your account.

  6. Navigate to the Certificates - Current User\Personal\Certificates folder. The details pane (on the right) displays a list of all the certificates for the user's account. Locate the Encrypting File System certificate.

  7. Right-click the Encrypting File System certificate, click All Tasks, and then click Export to start the Certificate Export Wizard. Click Next.

  8. On the Export Private Key page, click Yes, export the private key. Click Next.

  9. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX) and then click Next.

    Note: For maximum security, some users may want to select the Delete the private key if the export is successful check box. However, this option will require you to import your private key every time you want to access encrypted files.

    When exporting a private key, the .pfx file format is used. The .pfx file format is based on the PKCS #12 standard, a portable format for storing or transporting user information including private keys, certificates, and miscellaneous secrets. The .pfx file format (PKCS #12) also allows a password to protect the private key stored in the file.

  10. On the Password page, in the Password and Confirm password text boxes, type a strong password. Strong passwords are at least seven characters long; do not contain your user name, real name, or company name; and do not contain complete dictionary words. In addition, this password should be different from the password used to log on to the system. Then click Next.

    The last step is to save the actual .pfx file. The .pfx file can be exported to any storage device, including a USB storage device, writeable CD-ROM, network drive or floppy disk.

  11. On the File to Export page, type or browse for a file name and path, and then click Next. Review the information that appears on the next screen to verify the file name, file location, and file format that you selected, then click Finish.

Verifying That the EFS Certificate and Key Have Been Exported

A notification will report whether the export was successful.

After you have read this notification, click OK to exit the Certificate Export Wizard.

If the file and associated private key are lost, it will be impossible to decrypt any existing files that have used that specific File Recovery certificate as the data recovery agent. Once the certificate and private key have been exported, store the .pfx file on stable removable media in a secure location in accordance with the security guidelines and practices for your business. For example, a business might preserve the .pfx file on one or more CD-ROMs stored in a safety deposit box or vault that only the most trusted users can access. Laptop users should not store the removable media containing their .pfx files in their computer case or briefcase. Otherwise, if the laptop is stolen a hostile user could use the .pfx files to gain access to the user's encrypted data.

Establishing a Data Recovery Agent

A data recovery agent is a user account that is authorized to access files protected by EFS. Windows XP Professional does not automatically establish a local data recovery agent for standalone computers or members of a workgroup. A data recovery certificate must be created and registered manually on the computer. Only data that is encrypted after the data recovery certificate has been created and the data recovery agent has been registered can be recovered using the data recovery agent.

IMPORTANT: If you have already encrypted files and folders before you establish a data recovery agent, it is recommended that you decrypt these files and folders, and then re-encrypt them after the data recovery agent has been registered.

Requirements

  • To create a data recovery certificate, the easiest option is to use the Cipher.exe utility.

  • To register a data recovery agent for a local computer, you must be a member of the local Administrators group.

To create a data recovery certificate

  1. Click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type cipher /R:filename (with no space after the colon), and then press Enter.

    Note: Use a file name that is meaningful to you. Do not add an extension to the file name.

  3. When prompted, type a strong password, and then press Enter. You will be prompted to enter this password twice to confirm that it is the password you intended.

This procedure creates two files in the \Documents and Settings\username folder for the user who created the data recovery agent: filename.pfx, which contains the private key for the data recovery certificate, and filename.cer, which is used to configure the recovery policy for the local computer.

After these keys have been generated, you must modify the recovery policy for the local computer in order to register the new data recovery agent. This enables the use of the new data recovery certificate to recover encrypted files on the computer.

When you have successfully registered the new data recovery agent, copy the filename.pfx and filename.cer to a secure backup medium, delete them from the local computer, and put the backup copy in a secure location.
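The following script collects the command-line equivalents of the Registry Editor, Cipher.exe and Windows Explorer steps described above (context-menu value, recovery certificate, folder encryption, verification). It is an added example and is not part of the original document; the target folder, the DRA file name and the per-user ShowCompColor value are assumptions, and registering the .cer in Local Security Policy still has to be done with the wizard.

```batch
@echo off
rem Added example (not from the original document). Run from an administrator
rem command prompt on Windows XP Professional. TARGET and DRAFILE are placeholders.
setlocal
set "TARGET=%USERPROFILE%\My Documents"
set "DRAFILE=%USERPROFILE%\dra-EXAMPLE"

rem 1. Show Encrypt/Decrypt on the Explorer shortcut menu (machine-wide value
rem    described above; /f overwrites an existing value without prompting).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" ^
    /v EncryptionContextMenu /t REG_DWORD /d 1 /f

rem    Show encrypted and compressed names in color for the current user
rem    (assumed value name; same effect as the Folder Options check box above).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" ^
    /v ShowCompColor /t REG_DWORD /d 1 /f

rem 2. Create the data recovery certificate BEFORE encrypting anything.
rem    cipher prompts twice for the .pfx password and writes DRAFILE.cer and
rem    DRAFILE.pfx. An existing .cer is never overwritten here, because losing
rem    the matching private key makes recovery with that certificate impossible.
if exist "%DRAFILE%.cer" (
    echo %DRAFILE%.cer already exists; keeping it.
) else (
    cipher /R:"%DRAFILE%"
)
echo Register "%DRAFILE%.cer" as a data recovery agent in Local Security Policy now.
pause

rem 3. Encrypt the folder, its subfolders and the files already in it
rem    (equivalent to "Apply changes to this folder, subfolders and files").
cipher /E /S:"%TARGET%"

rem 4. Verify: without /E or /D, cipher lists each entry with E (encrypted)
rem    or U (unencrypted). Any U line under TARGET needs attention.
cipher /S:"%TARGET%"

rem    /U /N lists every encrypted file on local drives without touching their keys.
cipher /U /N

rem 5. The recovery key must not stay on the computer it protects.
echo Copy "%DRAFILE%.cer" and "%DRAFILE%.pfx" to removable media kept in a
echo secure location, then delete both files from this computer.
endlocal
```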

To register the data recovery agent for the local computer

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in. Click Add.

  3. In the Add Standalone Snap-in dialog box, click Group Policy. Click Finish.

  4. Under Group Policy Object, make sure that Local Computer is displayed. Click Finish.

  5. In the Add Standalone Snap-in dialog box, click Close, and then in the Add/Remove Snap-in dialog box, click OK.

  6. In Local Computer Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Encrypting File System, and then click Add Data Recovery Agent. When the Add Recovery Agent Wizard appears, click Next.

  7. On the Select Recovery Agents page, click Browse Folders to browse to the location of the data recovery certificate (filename.cer) that you created in the previous procedure, select the certificate, click Open, and then click Next.

Verifying That a Data Recovery Agent Has Been Established

After you have registered the data recovery agent certificate in local security policy, a page appears informing you that you have successfully completed the Add Recovery Agent Wizard. After reviewing the information about the users who have been designated as data recovery agents, click Finish.

Exporting Data Recovery Keys

Data recovery keys must be available to the data recovery agent to enable the agent to recover encrypted data when normal recovery is not possible. Therefore, it is important to safeguard recovery keys. A good way to guard against loss of recovery keys is to import them onto the local computer only when needed. At other times data recovery certificates and private keys of data recovery agents should be exported and stored on securable removable media in .pfx format files.

Requirements

  • You must be a user on the local computer to complete this procedure.

  • To complete this procedure you need the Certificates snap-in in Microsoft Management Console.

To export the certificate and private key of the data recovery agent

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Add. A list of all the registered snap-ins on the current computer appears.

  4. Double-click the Certificates snap-in, click My User Account, and then click Finish.

  5. In the Add Standalone Snap-in dialog box click Close, and then in the Add/Remove Snap-in dialog box click OK. MMC now displays the personal certificates for your account.

  6. Navigate to the Certificates - Current User\Personal\Certificates folder. The details pane (on the right) displays a list of all the certificates for the account. Locate the certificate labeled File Recovery under the Intended Purposes column.

  7. Right-click the file recovery certificate, click All Tasks, and then click Export to start the Certificate Export Wizard. Click Next.

    IMPORTANT: It is critical that you choose the correct key during the export process because after the export process is complete the original private key and corresponding certificate are deleted from the computer. If the key cannot be restored to the computer, then file recovery will not be possible using that file recovery certificate.

  8. Click Yes, export the private key, and then click Next.

  9. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX), select the Delete the private key if the export is successful check box, and then click Next.

    IMPORTANT: Deleting the private key from the computer when the export procedure is complete helps protect it from compromise if a hostile user gains access to the computer.

    When exporting a private key, the .pfx file format is used. The .pfx file format is based on the PKCS #12 standard, a portable format for storing or transporting user information including private keys, certificates, and miscellaneous secrets. The .pfx file format also allows a password to protect the private key stored in the file.

  10. On the Password page, in the Password and Confirm password text boxes, type a strong password, and then click Next.

    The last step is to save the actual .pfx file. The .pfx file can be exported to any storage device, including a USB storage device, writable CD-ROM, network drive, or floppy disk.

  11. On the File to Export page, type or browse for a file name and path, and then click Next.

  12. Click Finish.

Verifying That the Recovery Key Has Been Exported

A notification will report whether the export was successful.

After the certificate and private key have been exported, secure the file on stable removable media in a secure location in accordance with the security guidelines and practices for your business. For example, a business might preserve the .pfx file on one or more CD-ROMs stored in a safety deposit box or vault that has strict physical access controls.

Recovering Encrypted Data

In the event that encrypted data cannot be recovered by the original user, for example, because the user has left the company, you need a way to recover the data and make it accessible to the company. This section tells how to recover an encrypted file or folder.

Note: If you do not have access to the original user's computer but a backup copy of the user's data exists, you might need to use Backup or another backup tool to restore the user's encrypted file or folder to a computer where the file recovery certificate and file recovery key of the data recovery agent are located.

The following procedures outline the process for:

  • Importing data recovery keys.

  • Completing data recovery.

Importing Data Recovery Keys

In the event that you need to recover encrypted data by using an exported data recovery key, you will first need to import the key. Importing keys is simpler than exporting them. To import a key stored as a PKCS #12 formatted file (.pfx file), just double-click the file to open the Certificate Import Wizard, or you can start the wizard and import the key by completing the following steps.

Requirements

  • You must be a user on the local computer to complete this procedure.

  • To complete this procedure you need the Certificates snap-in in Microsoft Management Console.

To import a data recovery key

  1. Log on to the computer with a valid account.

  2. Click Start, click Run, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-in.

  4. Click Add. A list of all the registered snap-ins on the current computer appears.

  5. Double-click the Certificates snap-in, click My User Account, and then click Finish.

  6. In the Add Standalone Snap-in dialog box, click Close, then in the Add/Remove Snap-in dialog box, click OK. MMC now contains the personal certificate store for the current user's account.

  7. Navigate to the Certificates - Current User\Personal\Certificates folder. Right-click the folder, click All Tasks, then click Import to start the Certificate Import Wizard.

  8. Click Next, type the path and file name (with a .pfx extension) that you want to import and then click Next.

    IMPORTANT: If you click Browse to navigate to the location of the file recovery key, you will only see files with the .cer extension. You need to change the Files of type selection to the Personal Information Exchange (*.pfx) format before selecting your file.

  9. On the Password page, in the Password box, type the password and then select the Mark this key as exportable check box. Click Next.

  10. The wizard might prompt for the name of the store the certificate and private key should be imported into. To ensure that the private key is imported into the personal store, click Place all certificates in the following store, and then click Browse.

  11. Highlight the Personal store and click OK.

  12. Click Next, and then click Finish to complete the import.

Verifying That the Recovery Key Has Been Imported

A notification will report whether the import was successful.

Completing Data Recovery

When the data recovery key has been successfully imported, you can complete the data recovery process.

Requirements

  • You must be a designated data recovery agent and must have imported the data recovery key as described in the previous procedure.

  • This procedure is completed using Windows Explorer.

To restore an encrypted file or folder

  1. Right-click Start, and then click Explore.

  2. Right-click the encrypted file or folder that you want to recover, and then click Properties.

  3. On the General tab, click Advanced.

  4. Clear the Encrypt contents to secure data check box. Click OK to close the Advanced Attributes dialog box. Click OK to close the Properties dialog box.

  5. Make a backup version of the decrypted file or folder and return the backup version to the user.

    Note: You can return the backup version of the decrypted file or folder to the user as an e-mail attachment or on a disk or network file share.

Verifying That Data Has Been Recovered

If you can open a file that was encrypted by another user on the target computer, the recovery process was successful.

Recovering Encrypted Data After a Forced Password Reset

Encrypted files can become unavailable to a user if the user's password is forcibly reset by an administrator for the workgroup or local computer. If you exported the user's EFS private key from the user's account as described earlier in this document, you can import the key back into the account and recover access to the encrypted files. Also, if you defined a data recovery agent (DRA) before the files were encrypted, you can regain access to EFS files as the data recovery agent.

However, even if you did not back up the user's private key, you can still recover encrypted data, provided that the user's original account still exists, the user's profile is present and unchanged since the user last had access to the data, and either you still know the original password or you created a password reset disk before the password was forcibly changed.

Requirements

  • You must have one of the following:

    • The original password. This is the password with which the user last logged on successfully and was able to access his or her credentials and files.

    • A password reset disk. This password reset disk must have been created while the user had access to the files.

To recover data using the original password

  1. Log on to the computer as the user with the current password.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, click User Accounts.

  4. Click your user name.

  5. Click Change my password.

  6. Follow the instructions to change the password back to your original password.

  7. Restart the computer.

To recover data by using the password reset disk

  1. If you are logged on, log off of the computer.

  2. Attempt to log on as the user, and deliberately type an incorrect password.

  3. Click Use your password reset disk.

  4. Follow the instructions in the Password Reset Wizard, and then click Next.

  5. Insert the removable media that contains your password key, and then click Next.

  6. Enter your new password in the Reset the User Account Password dialog box, and then click Next.

Verifying That You Can Access Encrypted Data After a Forced Password Reset

If you can access your encrypted data after you log on using the original password or the new password created using the password reset disk, the data recovery process was successful.

Best Practices

The following best practices can help a company effectively use and manage encrypted files and folders:

  • Recovery agents should back up their file recovery certificates to a secure location. If you are the recovery agent, use the certificate export procedure described earlier in this document to export the data recovery certificate and private key to removable storage media. Keep the removable media in a secure location.

  • Update lost data recovery private keys promptly. The loss or corruption of the private keys belonging to the data recovery agent can be potentially catastrophic for a business.

  • Physical protection of the computer is paramount. There is no technological substitute for taking every precaution to ensure the computer is not stolen or physically compromised.

  • In general, encrypt folders rather than individual files, because all files stored in these folders will themselves be encrypted, which simplifies data management.

  • Encrypt common storage folders such as "My Documents," temporary folders, and the folders used to store local e-mail data so that all new and temporary files will be encrypted when created.

    Note: Encrypting temporary folders can make some applications unusable.

  • One of the most important defensive measures you can take against potential intruders is to use strong passwords. For more information about creating strong passwords, see "Creating Stronger Passwords" at https://www.microsoft.com/athome/security/privacy/password.mspx

  • Instead of storing your user account password in clear text, Windows generates and stores user account passwords that contain 15 or fewer characters by using two different password representations, generally known as "hashes." The LAN Manager hash (LM hash), which is provided for compatibility with clients running Windows 95, Windows 98, or Macintosh, is relatively weak compared to the Windows NT hash (NT hash) of the password and is therefore more vulnerable to potential attacks. For more information, see "How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases" at https://support.microsoft.com/default.aspx?scid=kb;en-us;299656

  • You can further enhance security by using the Syskey utility, which applies strong encryption to account password information that is stored in the Security Account Manager database on computers running Windows XP Professional. For more information about configuring and using the Syskey utility, see Windows XP Professional Help and Support Center.

For more information about EFS, see the following: