This documentation is archived and is not being maintained.
Security Watch Deploying EFS: Part 2
John Morello graduated summa cum laude from LSU and has been with Microsoft for six years in a variety of roles. As a Senior Consultant, he has designed security solutions for Fortune 100 enterprises and Federal civilian and defense clients. He’s currently a Program Manager in the Windows Server group working on security and remote access technologies.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
You can think of any Encrypting File System (EFS) deployment as having essentially two parts: the back-end design portion focusing on certificate management and recovery agents, and the user-facing EFS deployment portion. Last month I covered the back-end portion and discussed options for data and key recovery
as well as options for provisioning clients with certificates. Here, I'll focus on the aspects of the deployment that your end users will see, such as enhancements to Windows® Explorer, choosing what file system locations to encrypt, and how to manage encryption options with Group Policy.
Determining if EFS Is Already in Use
Once you've decided to deploy EFS, the first step is to determine the current state of EFS usage within your organization. Recall that EFS can be used in standalone mode, in which the end user is solely responsible for the creation and backup of his encryption keys. You may have advanced users in your organization who have already used EFS in this fashion, so it's important to determine who these users are in order to ensure a smooth transition to a more managed deployment.
The first time EFS is employed by any given user on a computer, Windows creates the following registry entry in HKEY_CURRENT_USER:
Microsoft® Systems Management Server (SMS), Active Directory logon scripts, or other tools can be used to check for the presence of this entry on machines across your enterprise. If a user has this registry value present, he has used EFS at some point. However, this value does not necessarily indicate that someone is currently using EFS or that any of his data is encrypted. Thus, when a machine is found with this registry key, it should be more closely examined to determine if any files are currently encrypted.
Using cipher.exe and passing the /U and /N switches will instruct cipher to report the encryption state of files and directories on a computer. For example, if you wanted to determine if any data on a system was encrypted, you could run the following command:
cipher /U /N
The registry check and cipher report could be combined into a single script to check for the presence of the registry value and, if present, to generate a report of currently encrypted files on the computer. Once these reports are generated, you'll know which users have which files encrypted and will be ready to migrate them to a centrally managed design.
To control the application of Group Policy during the deployment, it's useful to create two security groups in your domain to separate those computers where EFS is in use from those where it is not. For example, "SG-ComputersUsingEFS" would contain the computer accounts of those computers where EFS is already in use, while "SG-ComputersNotUsingEFS" would contain all other machines where EFS is not currently in use.
Controlling EFS Usage with Group Policy
Once you know who is and is not using EFS, the next step in your client deployment is to disable standalone EFS usage for anyone not currently using it. This is an important step in the deployment process because it's easier to enable and configure EFS properly the first time than it is to migrate users who are using self-signed certificates. You should only perform this step after determining which users are already using EFS because by disabling EFS through Group Policy, users will not be able to access any currently encrypted files. You can find this policy in the Group Policy Object Editor under Compu-ter Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.
As mentioned earlier, this value should only be enabled on computers where EFS is not currently in use, so as not to disrupt the work of anyone who is already using EFS. Thus, in my example, the access control list (ACL) on the Group Policy Object (GPO) that disables EFS allows only the "SG-ComputersNotUsingEFS" group to apply the Group Policy.
To Encrypt or Not to Encrypt
Once you've determined what systems are currently using EFS and you've disabled EFS on all others until your managed deployment, the next step is to determine what will be encrypted in that managed deployment. Depending on how your client systems are managed, this process can range from simplistic to quite intricate.
The first thing to consider when thinking about what files to encrypt is whether or not your users are administrators on their systems. If your users are local administrators, you're really only able to educate and encourage them to encrypt sensitive data, but you're not able to truly control it in a managed way. The reason for this is simple: a local administrator can create files and directories anywhere on the file system. Thus, while you may encrypt the common locations, such as My Documents, if the user creates a new directory in another location and saves sensitive information there, it is quite difficult to ensure that this data is also protected. In addition to all of the other security benefits achieved when end users are not local administrators, this also makes EFS far more manageable and secure.
The next critical piece of information to keep in mind about EFS is that it is per-user encryption. In other words, anything that is encrypted by a given user can only be decrypted by that same user and no other, including the SYSTEM account (the exception, of course, being the Data Recovery Agent or DRA.) This means that if an executable or DLL is encrypted with a user's key and another principal on the system tries to access it, the other principal will receive an access denied error. Thus, in general you should not encrypt files or directories that include executable code that might need to be accessed by multiple principals on a system. Windows will prevent encryption of files in %SystemRoot% or files bearing the SYSTEM attribute, but it's not uncommon for software vendors to install binaries into %ProgramFiles% for services that may be run by the SYSTEM account. For example, this is a common approach for laptop vendors to use when installing power and device management software that runs as a service.
With these two facts in mind, what are the best practices for EFS encryption targets? The answer goes back to how your users' systems are normally configured. In a well-managed environment with a standardized operating system image, you can likely automate the encryption process for users based on the predetermined data storage locations from your image. For example, if users can only save data in %userprofile%\My Documents, you may only need to encrypt that directory. (Note: be careful when encrypting My Documents if you use folder redirection. If My Documents is redirected to a server, the server will need to be Trusted for Delegation and have access to the user's profile. In such cases, it's generally easier to just encrypt the Offline Files cache, which we'll discuss later in this column.)
In a less-managed environment (where users may write to many locations on the file system), you may want to take the approach of automating the encryption of a few common storage locations and then providing education to users on how to encrypt other locations on their own. Regardless of your environment, you should always encrypt at the directory level rather than at the file level. Doing so ensures that all files created in that directory, including temporary ones, are always encrypted.
Recommended Encryption Locations
As a general rule, the locations you should normally encrypt are: %userprofile%\My Documents, %userprofile%\Application Data\Microsoft\Outlook (assuming you're using Microsoft Office Outlook® as your messaging client), and %userprofile%\Desktop. Encrypting My Documents protects the default location for saved files in Windows XP. Protecting the Outlook directory ensures that sensitive e-mail that's cached locally is also encrypted; this is particularly important for users running in the Outlook 2003 default of Cached Mode. Finally, the desktop is often used as a sort of temporary directory where users may place documents they're currently working on or presentations they frequently deliver. Of course, in your organization, you may have modified the default locations of some of these directories, so your EFS encryption choices should reflect whatever locations are normally used in your organization.
In addition to these general best practices, you should also determine whether you have applications that may save sensitive information in alternative locations. For example, some applications save user information in %ProgramFiles%\AppName rather than the user's profile. It's important to determine whether you have any such applications on your client systems so that you can properly protect whatever data they utilize. In the best-case scenario, the application could be configured to save changes in another user-profile-specific path (such as My Documents), in which no further EFS changes would be required. In a worst-case scenario, if the application requires that data be stored in its Program Files directory, EFS could be used to encrypt only that specific subdirectory of Program Files.
Finally, use caution if you plan to encrypt the temporary directory (%TMP% and %TEMP%). Many application installers use this directory for expansion of installation package contents and then perform file move operations on the expanded files to place them in the proper path in %ProgramFiles%. Because a moved file on the same volume retains its original attributes, the file will continue to be encrypted after it's been placed in %ProgramFiles%. If a user other than the one running the installer then attempts to use this file, he will be denied access to it. Often, such problems do not manifest themselves in clear application error messages that are indicative of the root cause. Because of this, I generally recommend that %TMP% be encrypted only in well-managed environments where end users do not install applications on their own.
Protecting Offline Files
Offline Files is a feature in Windows 2000 and later that allows users to make a local copy of data stored on a file server. Offline Files then allows the user to work on this data while disconnected from the server and to synchronize the changes back to the server when next connected. Offline Files, however, is not a simple directory containing copies of files from the server. Instead, it's a database that is shared systemwide and runs in the context of the SYSTEM account. In Windows XP, this database can be protected with EFS. Consider what this means in light of the earlier discussion about EFS being per-user. How could EFS, which is user specific, encrypt a database that is used by multiple security principals?
When a user running Windows XP chooses the option in Windows Explorer to encrypt offline files, the encryption routine utilized is different from that used for the other encryption operations the user may initiate. Rather than utilize the user's personal EFS keypair for the process (which would prevent SYSTEM from accessing the files), the SYSTEM account self-generates a keypair for use with EFS and uses that keypair to encrypt the client-side cache. This has a critical security implication in that if someone can subsequently get code to execute as SYSTEM, he can decrypt the data in the cache. If a laptop is stolen, it's trivial for an attacker to reset the administrator password and log on as administrator. Once running as administrator, it's similarly simplistic to force code to run as SYSTEM and then access the cache. (Note that this behavior has changed in Windows Vista™. Windows Vista now uses the individual user's key to encrypt user-specific Offline Files.)
To protect against this type of attack, the laptop can be configured to store the encryption key for the Security Accounts Management (SAM) database offline, either as a password input at boot time (mode 2) or on a floppy disk during the boot process (mode 3). Both approaches can be cumbersome since they require non-automatable interaction with the computer during the boot process, creating potential problems with automated systems management. However, if EFS is to be used on a computer with Offline Files, it is critical that one of these options be used secure the data in the cache. I normally recommend you use the boot-time password (see Figure 1). This is because a user who has a laptop bag stolen will most likely either have the disk in the laptop already or, if not, then almost certainly in the bag along with the laptop.
Figure 1 Automate EFS operations
Once you've determined what to encrypt on your client, the next step is to perform the actual encryption operation. This process can be achieved through a logon script or other process that will execute a script on the client that calls cipher.exe to perform the encryption operation. If you have existing standalone EFS users in your environment, as discussed in the earlier example, I recommend migrating them first.
To migrate these standalone users, the first step is to provision the client systems with managed certificates, as discussed in the February 2007 installment of this column (microsoft.com/technet/technetmag/issues/2007/02/SecurityWatch). Once all systems have enrolled for these managed certificates, cipher should be run with the /U switch to update all existing files with the new encryption and recovery agent keys. At this point, all systems in the SG-ComputersUsingEFS group would be utilizing EFS in a managed fashion, including centrally issued (and potentially archived) keys, and centrally managed recovery agents.
To deploy EFS for the users not currently using EFS, you must first remove the Group Policy preventing EFS usage. Once that is completed and users have enrolled for managed certificates, a logon script can be run to encrypt the key paths discussed earlier. Here is a simplistic script sample:
cipher /e /s /a "%userprofile%\My Documents" cipher /e /s /a "%userprofile%\Application Data\Microsoft\Outlook" cipher /e /s /a "%userprofile%\Desktop"
After you've enabled EFS on the desired directories, you should consider setting two additional options to increase the security of your EFS deployment, both related to data paged from memory to disk. Note that for each of these scenarios, the amount of data that could be potentially recovered by a malicious party is limited to that which was loaded in memory or paged to disk during legitimate use. In other words, if a user has sensitive EFS-protected data on the machine that they have not viewed (and, hence, not loaded into memory), this data is not at risk from these attack vectors.
The page file is used by Windows as virtual memory (often referred to as swap space in other operating systems) and contains raw pieces of in-memory data written in clear text to the hard drive. This can put sensitive data at risk on an EFS-protected system because if an attacker is able to recover the page file, they can potentially utilize forensics tools to extract usable data from this file. Since the page file itself cannot be encrypted in Windows XP (note that it can be encrypted in Windows Vista) the best option is to force Windows to clear it at shutdown. This can be accomplished via Group Policy, as illustrated in Figure 2.
Figure 2 Setting group policy (Click the image for a larger view)
The downside to this setting is the significant increase in time it takes to shut down a machine, particularly one with large amounts of memory. (By default, the size of the page file is directly related to the amount of physical memory in the computer.) This is because to clear the page file, Windows must physically write to every page on the disk prior to shutdown.
The hibernation file in Windows contains a dump of the machine's physical memory when the power management mode is set to enable hibernation. When hibernation occurs, Windows writes the complete contents of physical memory to disk in the hibernation file, allowing the computer to be restored to exactly the same state when the user is ready to continue working. Like the page file, the hibernation file cannot be encrypted in Windows XP. However, unlike the page file, hibernation cannot be disabled directly from a GPO. Rather, you should use a script to call powercfg.exe with the /HIBERNATE switch to disable (or re-enable) hibernation.
After completing your initial encryption and configuration tasks, you should consider wiping the slack space on disks in your deployment. This process can be very time intensive and disruptive, but has a security benefit in high-security environments. Slack space is the area of a disk that does not hold data currently active on the system but which, because of the way hard disks operate, may contain pieces of sensitive information from previously used files. In other words, because a file delete operation doesn't actually overwrite all the sectors a file occupies on a disk (it only removes the pointer from the file table), the data that was deleted may continue to exist on the disk. In these cases, the data may be recoverable by forensics tools that can read this slack space and reassemble files from it. To securely wipe this residual data, run cipher with the /W switch. This forces cipher to repeatedly overwrite all sectors marked as available on the disk. As long as all future file operations on sensitive data occur in EFS-protected directories, it won't be necessary to run this command on a regular basis.
Enhancing Windows Explorer for EFS
By default, encryption and decryption options for files and directories are somewhat buried in the advanced properties menus in Windows Explorer. You may choose to enhance the end-user experience with EFS by placing "Encrypt" and "Decrypt" on the Windows Explorer context menu (exposed with a right-click). Additionally, Windows Explorer can be configured to show EFS-protected files and directories in a different color (green) than other files. This can help users know whether a file or directory is encrypted without having to drill down into the advanced properties menu. Finally, you may want to add an option to define which users have access to the file or directory. To enable these options, make the
following changes in the registry via a script calling reg.exe: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "EncryptionContextMenu"=dword:00000001 "ShowCompColor"=dword:00000001 [HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command] @="rundll32 efsadu.dll,AddUserToObject %1"
EFS in Windows Vista
EFS has received a number of important enhancements in Windows Vista that make it easier to deploy and manage, as well as increase its security. Primary among these enhancements is full support for storing EFS keys on smart cards. This is a particularly valuable feature for organizations that are already utilizing smart card logon, because that same card can also be used to store users' EFS keys. This support for smart cards also extends to recovery agent certificates, such that the sensitive DRA certificates can also be stored on cards.
Windows Vista also supports encryption of items previously either impossible or not easily accomplished in Windows XP. Windows Vista can encrypt the page file, eliminating the need to set the "clear virtual memory pagefile" option. The entire design of Offline Files has been reworked in Windows Vista. In addition to much better performance and stability (as well as a generally more user-friendly interface), client-side caching is now per user, meaning it is possible to securely encrypt the cache without the use of SYSKEY mode 2 or 3. These two improvements eliminate major deployment hurdles for today's Windows XP-based environments.
Finally, Windows Vista allows administrators to configure encryption of the Documents folder directly through Group Policy, without having to utilize a separate script. Figure 3 illustrates the new EFS properties available via GPO in Windows Vista.
Figure 3 EFS properties in Windows Vista (Click the image for a larger view)
EFS provides Windows administrators with a highly secure option for protecting mobile data. EFS is scalable, manageable, and provides flexible data recovery mechanisms. In Windows Vista, EFS is further improved with enhanced capabilities for easier management and deployment, as well as support for smart card-based key storage. For organizations that want to protect data, even when a machine has been physically lost, EFS provides a strong solution that's already a part of your existing Windows platform.
Where to Go for More
For more information on the topics discussed in this column, see the following resources: