Windows 2000 Evaluated Configuration Users Guide

PDF version of this document: W2kCCUG.pdf

Version 1.0

October 1, 2002

Prepared For:

Microsoft Corporation

Corporate Headquarters

One Microsoft Way

Redmond, WA 98052-6399

Prepared By:

Science Applications International Corporation

7125 Gateway Drive

Columbia, MD 21046


1. Introduction

Welcome to the Microsoft Windows 2000 Evaluated Configuration Users Guide document. The Windows 2000 Common Criteria Security Target, henceforth referred to as the Windows 2000 ST, provides a set of security requirements taken from the Common Criteria for Information Technology Security Evaluation (CC). The Windows 2000 product was evaluated against the Windows 2000 ST and found to satisfy the ST requirements.

This document provides sufficient guidance for Windows 2000 users to securely use the product in accordance with the requirements stated in the Windows 2000 Common Criteria Security Target (ST). This document is specifically targeted at the non-administrative (e.g. non-privileged) user of Windows 2000.

Audience Assumptions

This document assumes the audience is generally familiar with Windows 2000.

Document Overview

This document has the following chapters:

Chapter 1, Introduction, introduces the purpose and structure of the document and the assumptions of the audience.

Chapter 2, Windows 2000 Evaluation Configuration, describes the evaluated configuration.

Chapter 3, Using Windows 2000 in a Secure Manner, describes the environment of the evaluation configuration, an overview of the security functions, an overview of user and group accounts, and a description of how to use the security functions of Windows 2000.

Conventions

Throughout the document, the following conventions are followed:

Warning: warnings are provided to make the user aware of actions that have critical security ramifications. Warnings are identified with the bolded word Warning (e.g. Warning).

Evaluation Note: conditions that are specific to the evaluated configuration that the user should be aware of. Evaluation Notes are identified with the bolded words Evaluation Note (e.g. Evaluation Note).

Note: text that is important for the user to take notice of is identified with the bolded word Note (e.g. Note).

2. Windows 2000 Evaluated Configuration

The primary focus of this section is to describe the concept of an evaluated configuration. This section does NOT give instruction on how to install and configure Windows 2000 to be in the evaluated configuration. Such instruction is provided in the Windows 2000 Security Configuration Guide. This section introduces the notion of an evaluated configuration so the administrator is aware of potential consequences if the system is not in the evaluated configuration, and specifies the hardware and software requirements.

The Target of Evaluation (TOE) includes a homogenous set of Windows 2000 systems that can be connected via their network interfaces and may be organized into domains. A domain is a logical collection of Windows 2000 systems that allows the administration and application of a common security policy and the use of a common accounts database. Windows 2000 supports single and multiple domain configurations. In a multi-domain configuration, the TOE supports implicit and explicit trust relationships between domains. Domains use established trust relationships to share account information and validate the rights and permissions of users. A user with one account in one domain can be granted access to resources on any server or workstation on the network. Domains can have one-way or two-way trust relationships. Each domain must include at least one designated server known as a Domain Controller (DC) to manage the domain.

Each Windows 2000 system, whether it is a DC server, non-DC server, or workstation, is part of the TOE and provides a subset of the TOE Security Functions (TSFs). The TSF for Windows 2000 can consist of the security functions from a single system (in the case of a stand-alone system) or the collection of security functions from an entire network of systems (in the case of domain configurations).

System Requirements

This section describes the minimum system requirements for the evaluated configuration.

Hardware

Physically, each workstation or server in the evaluation configuration consists of an Intel X86 machine or equivalent processor (including Pentium family) with up to 4 CPUs for a Server product and up to 8 CPUs for the Advanced Server product. A set of devices may be attached and they are listed as follows:

  • Display Monitor,

  • Keyboard,

  • Mouse,

  • Floppy Disk Drive,

  • CD-ROM Drive,

  • Fixed Disk Drives,

  • Printer,

  • Audio Adaptor, and

  • Network Adaptor.

The TOE does not include any physical network components between network adaptors of a connection. The ST assumes that any network connections, equipment, and cables are appropriately protected in the TOE security environment.

Software

Windows 2000 is an operating system that supports both workstation and server installations. The TOE includes three product variants of Windows 2000: Professional, Server, and Advanced Server. The server products additionally provide Domain controller features including the Active Directory and Kerberos Key Distribution Center. Otherwise, all three variants include the same security features. The primary difference between the variants is the number of users and types of services they are intended to support.

Windows 2000 Professional is suited for business desktops and notebook computers; it is the workstation product. Windows 2000 Server is designed for workgroups and small business environments. Windows 2000 Advanced Server includes availability and scalability features that support higher volumes of users and more complex applications.

The security features addressed by this security target are those provided by Windows 2000 as an operating system. Microsoft provides several Windows 2000 software applications that are considered outside the scope of the defined TOE and thus not part of the evaluated configuration. Services outside this evaluation include: e-mail services; certificate authority services; web-based applications; and firewall functionality.

3. Using Windows 2000 in a Secure Manner

This section describes the security environment of Windows 2000 in the evaluated configuration and how to use the Windows 2000 security functions.

Evaluation Note: Users should ensure that they each uphold the assumptions related to users.

Operating Environment

The security environment of the evaluated configuration of Windows 2000 is described in the Windows 2000 ST and identifies the threats to be countered by Windows 2000, the organizational security policies, and the usage assumptions as they relate to Windows 2000. The assumptions and policies are primarily derived from the Controlled Access Protection Profile (CAPP), while the threats introduced in the Windows 2000 ST were added to better represent the specific threats addressed by Windows 2000. The administrator should ensure that the environment meets the organizational policies and assumptions. They are repeated below from the Security Target.

Organizational Security Policies

Table 3-1 describes organizational security policies that are addressed by Windows 2000.

Table 3-1 Organizational Security Policies (policy, description, PP source)

  • P.ACCOUNTABILITY (PP Source: CAPP): The users of the system shall be held accountable for their actions within the system.

  • P.AUTHORIZED_USERS (PP Source: CAPP): Only those users who have been authorized access to information within the system may access the system.

  • P.NEED_TO_KNOW (PP Source: CAPP): The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users who have a "need to know" for that information.

  • P.AUTHORIZATION (PP Source: none listed): The system must have the ability to limit the extent of each user's authorizations.

  • P-ADD-IPSEC (PP Source: none listed): The system must have the ability to protect system data in transmission between distributed parts of the protected system.

  • P.WARN (PP Source: none listed): The system must have the ability to warn users regarding the unauthorized use of the system.

Secure Usage Assumptions

This section describes the security aspects of the environment in which Windows 2000 is intended to be used. This includes assumptions about the connectivity, personnel, and physical aspects of the environment.

Windows 2000 is assured to provide effective security measures in the defined environment only if it is installed, managed, and used correctly. The operational environment must be managed in accordance with the user and administrator guidance.

Connectivity Assumptions

Windows 2000 is a distributed system connected via network media. It is assumed that the following connectivity conditions will exist.

Table 3-3 Connectivity Assumptions (assumption, description, PP source)

  • A.CONNECT (PP Source: CAPP): All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected.

  • A.PEER (PP Source: CAPP): Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems.

Personnel Assumptions

It is assumed that the following personnel conditions will exist.

Table 3-4 Personnel Assumptions (assumption, description, PP source)

  • A.COOP (PP Source: CAPP): Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment.

  • A.MANAGE (PP Source: CAPP): There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.

  • A.NO_EVIL_ADM (PP Source: CAPP): The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation.

Evaluation Note: The user must adhere to A.COOP as described in the above table.

Physical Assumptions

Windows 2000 is intended for application in user areas that have physical control and monitoring. It is assumed that the following physical conditions will exist.

Table 3-5 Physical Assumptions (assumption, description, PP source)

  • A.LOCATE (PP Source: CAPP): The processing resources of the TOE will be located within controlled access facilities that will prevent unauthorized physical access.

  • A.PROTECT (PP Source: CAPP): The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.

  • A.CONFIG (PP Source: none listed): The hardware protects the TSF in ensuring that only the TSF can be started.

Security Overview

It is important to keep your computer secure, not only to protect data on the computer itself, but on the network as well. A good security system confirms the identity of the people who are attempting to access the resources on your computer, protects specific resources from inappropriate access by users, and provides a simple, efficient way to set up and maintain security on your computer.

To help you accomplish these goals, Windows 2000 offers these security features:

  • User Accounts: To use a computer that is running Windows 2000, you must have a user account, established by an authorized administrator, which consists of a unique user name and a password. Windows 2000 verifies your user name and password when you press CTRL+ALT+DEL and then type your user name and your password. If your user account has been disabled or deleted, Windows 2000 prevents you from accessing the computer, ensuring that only valid users have access to the computer.

  • Group Accounts: Users must have certain user rights and permissions to perform tasks on a computer running Windows 2000. Group accounts help you efficiently assign those user rights and permissions to users. Windows 2000 comes with many built-in groups based on the tasks users commonly perform, such as the Administrators, Backup Operators, or Users groups. Assigning users to one or more of the built-in groups gives most users all of the user rights and permissions they need to perform their jobs. Only authorized domain administrators can add members to Domain groups. Only members of the local Administrators group can add and modify group membership on the local workstation. Members of the Power Users group can create users and groups, but can only modify accounts that were created by the specific member of the Power Users group.

  • Encryption (NTFS drives only): Encrypting files and folders makes them unreadable to unauthorized users. If a user attempting to access an encrypted file has the private key to that file (that is, if the user either encrypted the file personally or is a registered recovery agent), the user will be able to open the file and work with it transparently as a normal document. A user without the private key to the file is denied access. Encryption is available only on NTFS drives.

  • File and Folder Permissions (NTFS drives only): When you set permissions on a file or folder, you specify the groups and users whose access you want to restrict or allow, and then select the type of access. It is more efficient to specify group accounts when you assign permissions to objects, so that you can simply add users to the appropriate group when you need to allow or restrict access for those users. For example, you can give managers Full Control of a folder that contains electronic timesheets, and then give employees Write access so that they can copy timesheets to that folder, but not read the contents of the folder. File and folder permissions can be set only on NTFS drives.

  • Share Folder Permissions: If you are a member of the Administrators or Power Users group, you can share folders on a local computer so that users on other computers can access those folders. By assigning shared folder permissions to any NTFS, FAT, or FAT32 shared folder, you can restrict or allow access to those folders over the network. Use NTFS folder permissions if the shared folder is located on an NTFS drive. NTFS permissions are effective on the local computer and over the network.

  • Printer Permissions: Because shared printers are available to all users on the network, administrators might want to limit access for some users by assigning printer permissions. For example, all non-administrative users in a department could be given Print permission and all managers the Print and Manage Documents permissions. By doing this, all users and managers can print documents, but managers can change the status of any print job submitted by any user.

  • Auditing: Authorized administrators can use auditing to track which user account was used to access files or other objects, as well as logon attempts, system shutdowns or restarts, and similar events. Before any auditing takes place, the administrator must use Group Policy to specify the types of events to audit. For example, to audit a folder, Audit Object Access must first be enabled in the Audit policy in Group Policy. Next, the administrator sets up auditing on the folder in the same fashion as permissions for files and folders.

  • User Rights: User rights are rules that determine the actions a user can perform on a computer. In addition, user rights control whether a user can log on to a computer directly (locally) or over the network, add users to local groups, delete users, and so on. Built-in groups have sets of user rights already assigned. Authorized administrators usually assign user rights by adding a user account to one of the built-in groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group are automatically granted all user rights assigned to the group account. User rights are managed using Group Policy.

  • Group Policy: Group Policies are used to set a variety of software, computer, and user policies. For example, an authorized administrator can define the various components of the user's desktop environment, such as the programs that are available to users, the icons that appear on the user's desktop, the Start menu options, which users can modify their desktops and which cannot, and so on. Group Policy is also used to set user rights.

User and Group Accounts

The default security settings for Windows 2000 can be described by summarizing the permissions granted to default user accounts and groups and the three special groups.

  • Administrator: The default Administrator account has full control over the computer's software, contents, and settings. Only authorized administrators should log on as an Administrator. The account can be used to perform tasks such as creating user accounts, installing software, or making any changes that you want to be available to all users.

  • Guest: Default user account available to allow anonymous access to the computer and resources. It is disabled by default.

    Evaluation Note: The Windows 2000 Security Configuration Guide document (Appendix D User and Group Accounts) instructs the administrator to disable the guest account in the Evaluated Configuration.

  • Administrators: Members of the Administrators group can perform all functions supported by the operating system. The default security settings do not restrict administrative access to any registry or file system object. Administrators can grant themselves any rights that they do not have by default. Ideally, administrative access should only be used to:

    • Install the operating system and components (such as hardware drivers, system services, and so on).

    • Install Service Packs and Windows Packs.

    • Upgrade the operating system.

    • Repair the operating system.

    • Configure critical operating system parameters (such as password policy, access control, audit policy, kernel mode driver configuration, and so on).

    • Take ownership of files that have become inaccessible.

    • Manage the security and auditing logs.

    • Back up and restore the system.

  • Users: The Users group provides the most secure environment in which to run programs. On a volume formatted with NTFS, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. They can run certified Windows 2000 programs that have been installed or deployed by administrators. Users have full control over all of their own data files.

    Users cannot install programs that can be run by other Users (this prevents Trojan horse programs). They also cannot access other Users' private data or desktop settings.

  • Power Users: Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. Power Users can:

    • Run legacy applications in addition to Windows 2000 certified applications.

    • Install programs that do not modify operating system files or install system services.

    • Customize system-wide resources including Printers, Date/Time, Power Options, and other Control Panel resources.

    • Create and manage local user accounts and groups.

    • Stop and start system services that are not started by default.

    Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

    Warning: Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.

    Evaluation Note: The Windows 2000 Security Configuration Guide document (Appendix D User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Power Users group.

  • Backup Operators: Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Evaluation Note: The Windows 2000 Security Configuration Guide document (Appendix D User and Group Accounts) instructs the administrator to not add non-administrative accounts to the Backup Operators group.

  • Special Groups: Several additional groups are automatically created by Windows 2000.

    • Interactive. This group contains the user who is currently logged on to the computer. During an upgrade to Windows 2000, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade.

    • Network. This group contains all users who are currently accessing the system over the network.

    • Terminal Server User. When Terminal Servers are installed in application serving mode, this group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000. The default permissions assigned to the group were chosen to enable a Terminal Server User to run most legacy programs.

    Evaluation Note: The Windows 2000 Security Configuration Guide document instructs the administrator to not grant resource permissions or user rights to the Terminal Server User group.

Why you should not run your computer as an administrator

Typical users should not be added to the Administrators group. For most computer activity, log on as a member of the Users or Power Users group. Even authorized administrators who need to perform an administrator-only task should log on as an administrator, perform the task, and then log off. Ideally, no one should log on under the default Administrator account. When performing any administrative task, authorized administrators should log on under a specific user account that is a member of the Administrators group.

Running Windows 2000 as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

When you log on as a member of the Users group, you can perform routine tasks, including running programs and visiting Internet sites, without exposing your computer to unnecessary risk. As a member of the Power Users group, you can perform routine tasks and you can also install programs, add printers, and use most Control Panel items. If you need to perform administrative tasks, such as upgrading the operating system or configuring system parameters, then log off and log back on as an administrator.

Security Functions

This section describes how to use the security functions of Windows 2000.

Passwords

The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. To ensure security, passwords must be used carefully. These recommendations will help protect your passwords:

  • Never write down your password.

  • Never share passwords with anyone.

  • Never use your network logon password for another purpose.

  • Use different passwords for your network logon and the Administrator account on your computer.

  • Change your network password every 60 to 90 days or as dictated by local security policies. Administrators may force periodic password changes through group/domain policies.

  • Change your password immediately if you think it has been compromised.

You should also be careful about where you save your password on your computer. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember your password. Do not select that option.

Creating strong passwords

Good computer security includes the use of strong passwords for your network or local logons. For a password to be strong and hard to break, it should:

  • Be at least eight characters long.

  • Contain characters from each of the following three groups:

    • Letters (uppercase and lowercase): A, B, C, ...; a, b, c, ...

    • Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

    • Symbols (all characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

  • Have at least one symbol character in the second through sixth positions.

  • Be significantly different from prior passwords.

  • Not contain your name or user name.

  • Not be a common word or name.

Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password-cracking tools continue to improve and the computers used to crack passwords are more powerful. Network passwords that once took weeks to break can now be broken in hours.

Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it can still take months to crack a strong password.

Evaluation Note: The Windows 2000 Evaluated Configuration Administrators Guide document and Windows 2000 Security Configuration Guide document both instruct the administrator to set the minimum password length to be at least 8 characters in the evaluation configuration.
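The strength rules above, turned into a checker that reports every rule a candidate password breaks. This is an added example, not code from the guide or from Microsoft; the common-word list is a constructed stand-in for a real dictionary, and the edit-distance threshold used to judge "significantly different from prior passwords" is an assumption, since the guide gives no number.

```python
"""Checker for the Windows 2000 user guide password rules (added example)."""
import string

# Symbol set exactly as listed in the guide's character-group table.
SYMBOLS = set("`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./")
# Constructed stand-in for a dictionary of common words and names (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "microsoft"}
MIN_LENGTH = 8          # from the guide and the evaluated-configuration policy
MIN_EDIT_DISTANCE = 4   # assumed threshold for "significantly different"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to judge similarity to prior passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, user_name, full_name="", prior_passwords=()):
    """Return the list of guide rules the candidate breaks (empty list = strong)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c in string.ascii_letters for c in pw)
    has_digit = any(c in string.digits for c in pw)
    has_symbol = any(c in SYMBOLS for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("missing a letter, numeral, or symbol")
    # "second through sixth positions" are indices 1..5
    if not any(c in SYMBOLS for c in pw[1:6]):
        problems.append("no symbol in positions 2-6")
    low = pw.lower()
    # Neither the user name nor any part of the full name may appear (case-insensitive).
    for name in (user_name, full_name):
        for part in name.split():
            if len(part) > 1 and part.lower() in low:
                problems.append(f"contains name '{part}'")
    if low in COMMON_WORDS:
        problems.append("is a common word or name")
    for old in prior_passwords:
        if edit_distance(low, old.lower()) < MIN_EDIT_DISTANCE:
            problems.append("too similar to a prior password")
            break
    return problems


if __name__ == "__main__":
    for cand in ("T7!rq2Xz", "password", "jdoe!2024x"):
        print(cand, "->", check_password(cand, "jdoe", "Jane Doe") or "strong")
```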

Changing a password

Several methods can be used to initiate password changes:

  • Policies may dictate periodic mandatory password changes.

  • Account passwords may need to be reset by an authorized administrator.

  • Users may choose to initiate a password change.

Mandatory password changes

The Domain password policy may dictate a maximum password age. A maximum password age determines how long users can keep a password before they have to change it. The aim is to periodically force users to change their passwords. Once a password has expired due to this policy, you will receive the following message after initiating a login attempt:

[Screenshot: w2kug01]

You will need to change the password as follows:

  1. Click the OK button on the password expiration notice.

  2. The Change Password window will appear with the old password already filled in.

    [Screenshot: w2kug02]

  3. Enter a new password and confirm it by entering it a second time.

  • If the new password does not match the confirm new password block, the following warning message will appear:

  • If your domain policy requires the use of strong passwords and has defined password policies addressing issues such as length and history, and you enter a non-conforming password, the following warning message will appear:

    [Screenshot: w2kug03]

  4. A successful password change is verified with the following message:

    [Screenshot: w2kug04]

Password reset

Occasionally, a user may forget a password. If the user is locked out of the computer because of a forgotten password, the only way to recover is to have an authorized administrator reset the user account password. The typical practice when resetting an account password is to expire the new password, provided by the administrator, immediately and require the user to enter a new password. This practice helps maintain the secrecy of user account passwords by forcing users to create a password that is not known by the administrator. The procedures that must be followed by the user to enter a new password are identical to those described above for mandatory password changes.

User initiated password change

To initiate a password change:

  1. Press CTRL+ALT+DELETE to access the Windows Security GUI.

  2. Click Change Password. A Change Password window will appear (old password dialog box is blank).

    [Screenshot: w2kug05]

  3. Enter the old password, then enter a new password and confirm it by entering it a second time.

  4. A successful password change is verified with the following message:

    [Screenshot: w2kug06]

Computer Access

Log on

To Log on to the computer:

  1. Initiate a trusted path for login by pressing CTRL+ALT+DELETE.

  2. If the administrator has implemented a log on banner, a message banner will appear on your screen. Read the message and click OK, or hit <Enter> to continue with the logon process.

  3. At the Log On to Windows GUI, enter your user name and password.

  4. Click the Options >> button. In the Log on to: drop-down box, select whether to log on to a network domain or directly to the local computer.

    [Screenshot: w2kug07]

  5. Click the OK button to log on.

User account locked due to invalid password attempts

If the domain policy includes an account lockout threshold, user accounts will be locked immediately after executing the specified number of invalid login attempts. Initial invalid login attempts will be presented to the user in a Logon Message as shown below. Note that by design the message does not specifically indicate whether the password or the login ID is incorrect.

[Screenshot: w2kug08]

The final invalid login attempt will inform the user that the account has been locked by presenting the Logon Message shown below. Note that by design the message does not state whether the account is disabled due to a bad password or a bad login ID.

[Screenshot: w2kug09]

Account lockouts may be set by policy to remain locked for a set period of time or may be locked indefinitely until an authorized administrator unlocks the account. An authorized administrator must be contacted to unlock user accounts that have been locked indefinitely or that require immediate access.

Log off

To log off from the computer so someone else can use it:

  1. Click Start, and then click Shut Down.

  2. In the What do you want the computer to do? list, select Log off and click the OK button. This closes all programs, disconnects the computer from the network, and prepares the computer to be used by someone else.

    [Screenshot: w2kug10]

  3. You can also log off your computer by pressing CTRL+ALT+DELETE, and then clicking Log Off.

    [Screenshot: w2kug11]

Shutdown Computer

To shut down your computer:

  1. Click Start, and then click Shut Down.

  2. In the What do you want the computer to do? list, select Shut down.

    [Screenshot: w2kug12]

  3. Do not turn off your computer until a message appears telling you that it is safe to do so. Windows 2000 stores important data in memory while the system is running, and needs to write the data to the hard disk before you turn off the computer. After the data is saved, Windows 2000 notifies you that it is okay to turn off the computer.

    [Screenshot: w2kug13]

  4. You can also shut down your computer by pressing CTRL+ALT+DELETE, clicking Shut Down, and then clicking Shut down in the What do you want the computer to do? list.

Restart Computer

To restart your computer:

  1. Click Start, and then click Shut Down.

  2. In the What do you want the computer to do? list, select Restart.

    w2kug14

  3. You can also restart your computer by pressing CTRL+ALT+DELETE, clicking Shut Down, and then clicking Restart in the What do you want the computer to do? list.

Disk Quotas

Windows 2000 disk quotas track and control disk storage usage on a per-user, per-volume basis. Windows 2000 tracks disk quotas for each volume, even if the volumes are on the same hard disk. Because quotas are tracked on a per-user basis, every user's disk space is tracked regardless of the folders in which the user stores files.

The following list describes several important characteristics of Windows 2000 disk quotas.

  • Windows 2000 calculates disk space usage for users based on the files and folders they own. When a user copies or saves a file to an NTFS volume or takes ownership of a file on an NTFS volume, Windows 2000 charges the disk space for the file against the user's quota limit.

  • Windows 2000 ignores compression when it calculates hard disk space usage. Users are charged for each uncompressed byte, regardless of how much hard disk space is actually used. In part, this is because file compression produces different degrees of compression for different types of files: files of different types that are the same size when uncompressed might end up very different sizes when they are compressed.

  • When disk quotas are enabled, the free disk space Windows 2000 reports to applications for the volume is the amount of space remaining within the user's disk quota limit. For example, a user whose files occupy 50 megabytes (MB) of an assigned disk quota limit of 100 MB will see 50 MB of free space even if the volume contains several gigabytes of free space.

Authorized administrators can use disk quotas to monitor and control hard disk space usage. Administrators can perform the following tasks:

  • Set a disk quota limit to specify the amount of disk space for each user.

  • Set a disk quota warning to specify when Windows 2000 should log an event, indicating that the user is nearing his or her limit.

  • Enforce disk quota limits and either deny users access if they exceed their limit or allow them to continue access.

  • Log an event when a user exceeds a specific disk space threshold. For example, a threshold might be when users exceed their quota limit or when they exceed their warning level.

Once disk quotas are enabled for a volume, Windows 2000 collects disk usage data for all users who own files and folders on the volume. This allows you to monitor volume usage on a per-user basis. By default, only members of the Administrators group can view and change the quota settings. However, the administrator can allow users to view quota settings.

Exceeding Disk Quota Limits

When the administrator selects the Deny disk space to users exceeding quota limit option, users who exceed their quota limit receive an "insufficient disk space" error from Windows 2000 and cannot write additional data to the volume without first deleting or moving some existing files from it.

Individual programs determine their own error handling for this condition. To the program, it appears that the volume is full. Enabling quotas without limiting disk space use is useful when administrators do not want to deny users access to a volume but want to track disk space use on a per-user basis. The administrator can also specify whether or not to log an event when users exceed either their quota warning level or their quota limit.

When the administrator selects the Log event when a user exceeds their quota limit option, an event is written to the Windows system log on the computer running disk quotas whenever users exceed their quota limit. Administrators can view these events with Event Viewer, filtering for disk event types.

When the administrator selects the Log event when a user exceeds their warning level option, an event is written to the Windows system log on the computer running disk quotas whenever users exceed their quota warning level. Administrators can view these events with Event Viewer, filtering for disk event types. Unless you set a trigger to do so, users are not warned of this event.

If you receive indications that you may have exceeded your disk quota, try removing any unnecessary files. Otherwise contact your system administrator for assistance.

Data Protection

Information security strategies protect data on your servers and client computers, and also conceal and protect packets traversing insecure networks. Your distributed security plan needs to identify which information must be protected in the event computer equipment is lost or stolen. Also, types of network traffic that are sensitive or private and need to be protected from network sniffers must be included in the plan.

In terms of users on your enterprise network, access control is the primary mechanism to protect sensitive files from unauthorized access. However, the computers themselves might be portable and subject to physical theft. Therefore, access control is not sufficient to protect the data stored on these computers. This is a special problem with laptop computers that can be easily stolen while traveling. Windows 2000 provides the Encrypting File System (EFS) to address this problem.

If you want to protect data on your computer, you should secure individual files and folders and take steps to secure the physical computer itself. If the computer contains sensitive information, keep it in a safe location.

Password protected screen locks

You can secure your computer by locking it whenever you are away from your desk and setting up a password-protected screen saver. By pressing CTRL+ALT+DEL and clicking Lock Computer, you can prevent unauthorized users from gaining access to your computer. Only you and members of the Administrators group on your computer can unlock it (you unlock it by pressing CTRL+ALT+DEL, typing your password, and then clicking OK). You can also set up a screen saver so that whenever the computer is idle for more than a specified length of time, the screen saver starts and the computer automatically locks.

Implementing a password protected screen saver

Users may set an automatic screen lock on a workstation by configuring a screen saver based screen lock as follows:

  1. Right click on the user desktop and select Properties. The Display Properties window will appear.

  2. Click on the Screen Saver tab.

  3. Select a screen saver from the Screen Saver drop down menu.

  4. Enter the number of minutes of inactivity that the system must wait before initiating the screen saver in the Wait: dialog box.

  5. Select the Password Protected box.

    w2kug15

  6. Click OK to set the password protected screen saver.

Warning: Users must ensure there is no unintentional pressure (e.g. a book pressing on a key) on the keyboard to allow the screen lock function to work properly. Any pressure on the keyboard will prevent the screen lock from being invoked.

Initiating a screen lock

Users may manually initiate a screen lock as follows:

  1. Simultaneously press the Ctrl-Alt-Del keys. This will invoke the trusted path function and present the Windows Security interface.

  2. Click on the Lock Computer button.

    w2kug16

  3. This will lock the user's desktop, as indicated by the Computer Locked window.

    w2kug17

Unlocking the computer screen

A user can unlock the screen as follows:

  1. Simultaneously press the Ctrl-Alt-Del keys. This will invoke the trusted path function and present a login interface to unlock the computer.

    w2kug18

  2. Enter the account name of the currently logged on user and the associated password.

  3. Click OK to unlock the computer screen.

In the event emergency access is required to a user desktop that has been locked by either a screensaver based password lock or through a user-initiated action, an authorized administrator may unlock the computer.

Setting Access Controls on Files, Folders, and Other System Objects in Windows 2000

Access control is the process of authorizing users and groups to access objects on the network. Key concepts that make up access control are described below.

  • Least Privilege Principle: A key component of authorization is the least privilege principle, which states that all users should have the least possible amount of systems access or system authorization that still allows them to perform their job functions. Thus, if a user only needs to be able to view a particular file, that user should have read-only access to the file; the user should not be able to write to that file.

  • Ownership of Objects: Windows 2000 assigns an owner to an object when the object is created. By default, the owner is the creator of the object.

  • Permissions Attached to Objects: The primary means for access control is permissions, or access rights. In Windows systems, permissions can be set on files, folders, and other objects within the system. Permissions allow or deny particular actions to users and groups. Permissions are implemented primarily by way of security descriptors, which also define auditing and ownership.

  • Inheritance of permissions: Windows 2000 provides a feature for administrators to easily assign and manage permissions. Known as inheritance, this feature automatically causes objects within a container to inherit the permissions of that container. For example, the files within a folder, when created, inherit the permissions of the folder.

  • Object managers: If you need to change the permissions on an individual object, you can simply start the appropriate tool and change the properties for that object. For example, to change the permissions on a file, you can start Windows Explorer, right-click on the file name, and click Properties. The administrator can use this dialog box to change permissions on the file.

  • Object auditing: Windows 2000 allows the administrator to audit users' access to objects. You can then view these security-related events in the security log with the Event Viewer.

Copying vs. Moving

When using NTFS permissions to secure access to specific files or folders, it is very important to pay close attention to what happens to those permissions whenever the object is moved or copied to another location on the system.

  • When an object is copied into another directory, it inherits the access permissions in place at the destination folder.

  • When a file or directory object is moved from one directory to another directory, the NTFS permissions that have been applied to the object move with it.

File Permissions

File permissions include Full Control, Modify, Read & Execute, Read, and Write. Each of these permissions consists of a logical group of special permissions. The following table lists NTFS file permissions and specifies which special permissions are associated with that permission.

NTFS File Permissions

Special Permissions          | Full Control | Modify | Read & Execute | Read | Write
-----------------------------|--------------|--------|----------------|------|------
Traverse Folder/Execute File | ✓            | ✓      | ✓              |      |
List Folder/Read Data        | ✓            | ✓      | ✓              | ✓    |
Read Attributes              | ✓            | ✓      | ✓              | ✓    |
Read Extended Attributes     | ✓            | ✓      | ✓              | ✓    |
Create Files/Write Data      | ✓            | ✓      |                |      | ✓
Create Folders/Append Data   | ✓            | ✓      |                |      | ✓
Write Attributes             | ✓            | ✓      |                |      | ✓
Write Extended Attributes    | ✓            | ✓      |                |      | ✓
Delete Subfolders and Files  | ✓            |        |                |      |
Delete                       | ✓            | ✓      |                |      |
Read Permissions             | ✓            | ✓      | ✓              | ✓    | ✓
Change Permissions           | ✓            |        |                |      |
Take Ownership               | ✓            |        |                |      |
Synchronize                  | ✓            | ✓      | ✓              | ✓    | ✓

Warning: Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file.

Folder permissions

Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions consists of a logical group of special permissions. The following table lists NTFS folder permissions and specifies which special permissions are associated with each permission.

Folder Permissions

Special Permissions          | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
-----------------------------|--------------|--------|----------------|----------------------|------|------
Traverse Folder/Execute File | ✓            | ✓      | ✓              | ✓                    |      |
List Folder/Read Data        | ✓            | ✓      | ✓              | ✓                    | ✓    |
Read Attributes              | ✓            | ✓      | ✓              | ✓                    | ✓    |
Read Extended Attributes     | ✓            | ✓      | ✓              | ✓                    | ✓    |
Create Files/Write Data      | ✓            | ✓      |                |                      |      | ✓
Create Folders/Append Data   | ✓            | ✓      |                |                      |      | ✓
Write Attributes             | ✓            | ✓      |                |                      |      | ✓
Write Extended Attributes    | ✓            | ✓      |                |                      |      | ✓
Delete Subfolders and Files  | ✓            |        |                |                      |      |
Delete                       | ✓            | ✓      |                |                      |      |
Read Permissions             | ✓            | ✓      | ✓              | ✓                    | ✓    | ✓
Change Permissions           | ✓            |        |                |                      |      |
Take Ownership               | ✓            |        |                |                      |      |
Synchronize                  | ✓            | ✓      | ✓              | ✓                    | ✓    | ✓

Although List Folder Contents and Read & Execute appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it should only appear when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

Selecting where to apply permissions

The Permission Entry dialog box appears when you set permissions on files and folders. In this dialog box, Apply onto lists the locations where you can apply permissions. How these permissions are applied depends on whether the Apply these permissions to objects and/or containers within this container only check box is selected. By default, this check box is clear.

w2kug19

When the Apply these permissions... check box is clear, permissions are applied as shown below:

Apply onto                       | Current folder | Subfolders in current folder | Files in current folder | All subsequent subfolders | Files in all subsequent subfolders
---------------------------------|----------------|------------------------------|-------------------------|---------------------------|-----------------------------------
This folder only                 | ✓              |                              |                         |                           |
The folder, subfolders and files | ✓              | ✓                            | ✓                       | ✓                         | ✓
This folder and subfolders       | ✓              | ✓                            |                         | ✓                         |
This folder and files            | ✓              |                              | ✓                       |                           | ✓
Subfolders and files only        |                | ✓                            | ✓                       | ✓                         | ✓
Subfolders only                  |                | ✓                            |                         | ✓                         |
Files only                       |                |                              | ✓                       |                           | ✓

When the Apply these permissions... check box is selected, permissions are applied as shown below:

Apply onto                       | Current folder | Subfolders in current folder | Files in current folder | All subsequent subfolders | Files in all subsequent subfolders
---------------------------------|----------------|------------------------------|-------------------------|---------------------------|-----------------------------------
This folder only                 | ✓              |                              |                         |                           |
The folder, subfolders and files | ✓              | ✓                            | ✓                       |                           |
This folder and subfolders       | ✓              | ✓                            |                         |                           |
This folder and files            | ✓              |                              | ✓                       |                           |
Subfolders and files only        |                | ✓                            | ✓                       |                           |
Subfolders only                  |                | ✓                            |                         |                           |
Files only                       |                |                              | ✓                       |                           |
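The two tables expressed as executable logic, added here as an example (not Microsoft's code): applies_to decides whether a permission entry reaches an object at a given depth below the folder it is set on, and reaches does the same for a relative path. The function names and the depth convention are the example's own.

```python
"""Which objects an NTFS permission entry reaches, given its "Apply onto"
choice and the state of the "Apply these permissions to objects and/or
containers within this container only" check box. Added example that
implements the two tables above; not Microsoft's code. A target is
described by its depth below the folder the entry is set on (0 = that
folder, 1 = directly inside it, 2 or more = inside a subfolder) and by
whether it is a folder or a file."""

# Which kinds of object each "Apply onto" choice names.
APPLY_ONTO = {
    "This folder only":                 {"folder"},
    "The folder, subfolders and files": {"folder", "subfolders", "files"},
    "This folder and subfolders":       {"folder", "subfolders"},
    "This folder and files":            {"folder", "files"},
    "Subfolders and files only":        {"subfolders", "files"},
    "Subfolders only":                  {"subfolders"},
    "Files only":                       {"files"},
}

# The five columns of the tables: (description, depth, is_folder).
COLUMNS = (
    ("current folder", 0, True),
    ("subfolders in current folder", 1, True),
    ("files in current folder", 1, False),
    ("all subsequent subfolders", 2, True),
    ("files in all subsequent subfolders", 2, False),
)


def applies_to(apply_onto, this_container_only, depth, is_folder):
    """True if an entry with this Apply onto choice reaches the object."""
    scope = APPLY_ONTO[apply_onto]
    if depth == 0:
        # The object the entry is set on is always a folder.
        return "folder" in scope
    if this_container_only and depth > 1:
        # The check box stops propagation below the direct children.
        return False
    return ("subfolders" if is_folder else "files") in scope


def reaches(apply_onto, this_container_only, relative_path, is_folder):
    """Same check for a path given relative to the folder the entry is set
    on, e.g. "Reports\\2001\\q1.txt" (depth 3); "" is the folder itself."""
    parts = [p for p in relative_path.replace("/", "\\").split("\\") if p]
    return applies_to(apply_onto, this_container_only, len(parts), is_folder)


def table_row(apply_onto, this_container_only):
    """One row of the table above as booleans, in COLUMNS order."""
    return tuple(applies_to(apply_onto, this_container_only, depth, is_folder)
                 for _, depth, is_folder in COLUMNS)


def render_table(this_container_only):
    """Rebuild the whole table for one check box state, one line per choice."""
    lines = []
    for choice in APPLY_ONTO:
        marks = ("x" if hit else "-" for hit in table_row(choice, this_container_only))
        lines.append(f"{choice:34}" + " ".join(marks))
    return "\n".join(lines)


if __name__ == "__main__":
    print("check box clear:\n" + render_table(False))
    print("check box selected:\n" + render_table(True))
```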

Setting or modifying permissions

To set, view, change, or remove special permissions for files and folders:

  1. Open Windows Explorer; click Start, point to Programs, point to Accessories, and then click Windows Explorer.

  2. Locate the file or folder for which you want to set special permissions.

  3. Right-click the file or folder, click Properties, and then click the Security tab.

  4. Click Advanced.

    w2kug20

  5. Perform one of the following:

    • To set special permissions for a new group or user, click Add. In Name, type the name of the user or group using the format domainname\name or select from the list. To access account names from the domain, click the Look In list box. You should now see a list that shows the current machine, the local domain, trusted domains, and other resources that you can access. Select the local domain to view all the account names in the domain.

      w2kug21

    • When you are finished, click OK to automatically open the Permission Entry dialog box.

      w2kug22

    • To view or change special permissions for an existing group or user, click the name of the group or user and then click View/Edit.

      w2kug23

    • To remove a group or user and its special permissions, click the name of the group or user and then click Remove. If the Remove button is unavailable, clear the Allow inheritable permissions... check box. The file or folder will no longer inherit permissions. Skip steps 4, 5, and 6.

  6. In the Permission Entry dialog box, click where you want the permissions applied in Apply onto, if necessary. Apply onto is available only for folders.

  7. In Permissions, click Allow or Deny for each permission.

  8. If you want to prevent subfolders and files within the tree from inheriting these permissions, click to select the Apply these permissions... check box.

    Notes:

    • You can set permissions only on drives formatted to use NTFS.

    • To change permissions, you must be the owner or have been granted permission to do so by the owner.

    • If the check boxes under Permissions are shaded, the file or folder has inherited the permissions from the parent folder.

Warning: Groups or users granted Full Control for a folder can delete files and subfolders within that folder regardless of the permissions protecting the files and subfolders.

Warning: Changes to permissions become effective upon all subsequent opens. If a user has an object open while changes to the permissions of the object are made, the permissions that were obtained upon open remain effective (i.e. are allowed) until the object is closed.

How inheritance affects file and folder permissions

After you set permissions on a parent folder, new files and subfolders created in the folder inherit these permissions. If you do not want them to inherit permissions, select This folder only in Apply onto when you set up special permissions for the parent folder.

In cases where you want to prevent only certain files or subfolders from inheriting permissions:

  1. Right-click the file or subfolder, click Properties, and then click the Security tab.

If the permission check boxes for an account appear shaded, the file or folder has inherited permissions from the parent folder. There are three ways to make changes to inherited permissions:

  • Make the changes to the parent folder, and then the file or folder will inherit these permissions.

  • Select the opposite permission (Allow or Deny) to override the inherited permission.

  • Clear the Allow inheritable permissions from parent to propagate to this object check box. Now you can make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder.

  1. Clear the Allow inheritable permissions from parent to propagate to this object check box.

    w2kug24

  2. A Security window, shown below, will appear asking whether you wish to copy inherited permissions or remove them. Click on the Remove button.

    w2kug25

  3. All permissions previously inherited are removed from the file or subfolder.

    w2kug26

If neither Allow nor Deny is selected for a permission, then the group or user may have obtained the permission through group membership. If the group or user has not obtained the permission through membership in another group, then the group or user is implicitly denied the permission. To explicitly allow or deny the permission, click the appropriate check box.

Shared folder permissions

Shared folders are used to provide network users with access to files and application resources on the network. When a folder is shared, users can connect to the folder over the network and gain access to the files that it contains. However, to gain access to the files, users must have permissions to access the shared folders.

A shared folder can contain applications, data, or a user's personal data, called a home folder. Each type of data requires different shared folder permissions. The following are characteristics of shared folder permissions:

  • Shared folder permissions apply to folders, not individual files. Since you can apply shared folder permissions only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.

  • Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.

  • Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren't available on FAT volumes.

  • The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

A shared folder appears in Windows Explorer as an icon of a hand holding the shared folder as shown below.

w2kug27

To control how users gain access to a shared folder, you assign shared folder permissions. The following table shows shared folder permissions and the actions on shared folders allowed to users for each share permission.

Actions Allowed by Share Permissions             | Full Control | Change | Read
-------------------------------------------------|--------------|--------|-----
Viewing file names and subfolder names           | ✓            | ✓      | ✓
Traversing to subfolders                         | ✓            | ✓      | ✓
Viewing data in files and running programs       | ✓            | ✓      | ✓
Adding files and subfolders to the shared folder | ✓            | ✓      |
Changing data in files                           | ✓            | ✓      |
Deleting subfolders and files                    | ✓            | ✓      |
Changing permissions (NTFS only)                 | ✓            |        |
Taking ownership (NTFS only)                     | ✓            |        |

You can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. You deny permissions only when it is necessary to override permissions that are otherwise applied. In most cases, you should deny permissions only when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won’t have that permission. For example, to deny all access to a shared folder, deny the Full Control permission.

How Shared Folder Permissions Are Applied

Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow. The following list describes the effects of applying permissions.

  • Multiple Permissions Combine: A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.

  • Denying Permissions Overrides Other Permissions: Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won’t have that permission, even if you allow the permission for a group of which the user is a member.

  • NTFS Permissions Are Required on NTFS Volumes: Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.

  • Copied or Moved Shared Folders Are No Longer Shared: When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.

Guidelines for Shared Folder Permissions

The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

  • Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.

  • Assign permissions to groups instead of user accounts to simplify access administration.

  • Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users need only to read information in a folder, and they will never delete or create files, assign the Read permission.

  • Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store the application folders within the same folder. Then share this folder instead of sharing each individual application folder.

  • Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use.

Although Windows 2000 allows for very long share names, try to keep share names short, about 12 characters. Shorter names are easier to remember and type.

Microsoft Windows 2000 provides 8.3-character equivalent names, but the resulting names might not be intuitive to users. For example, a Windows 2000 folder named Accountants Database would appear as Account~1 on client computers running MS-DOS, Windows 3.x, and Windows for Workgroups.

Sharing Folders

You can share resources with others by sharing the folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. After you have shared a folder, you might want to modify it. You can stop sharing it, change its share name, and change user and group permissions to gain access to it.

Which groups can share folders and on which machines they can share them depends on whether it is a workgroup or a domain and the type of computer on which the shared folders reside:

  • In a Windows 2000 domain, the Administrators and Server Operators groups can share folders residing on any machines in the domain. The Power Users group is a local group and can share folders residing only on the stand-alone server or computer running Windows 2000 Professional where the group is located.

  • In a Windows 2000 workgroup, the Administrators and Power Users groups can share folders on the Windows 2000 Server stand-alone server or the computer running Windows 2000 Professional on which the group exists.

If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.

Sharing a Folder

When you share a folder, you can give it a share name, provide comments to describe the folder and its content, limit the number of users who have access to the folder, assign permissions, and share the same folder multiple times. You can share a folder as follows:

  1. Log on with a user account that is a member of a group that is able to share folders.

  2. Right-click the folder that you want to share, and then click Sharing. The folder's Properties window will appear, showing the options of the Sharing tab.

    w2kug28

  3. On the Sharing tab of the Properties dialog box, configure the following options to make the folder available as a share:

    • Share Name: The name that users from remote locations use to make a connection to the shared folder. You must enter a share name.

    • Comment: An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify the contents of the shared folder.

    • User Limit: The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows 2000 Professional supports up to 10 connections. Windows 2000 Server can support an unlimited number of connections, but the number of Client Access Licenses (CALs) that you purchased limits the connections.

    • Permissions: The shared folder permissions that apply only when the folder is accessed over the network. By default, the Everyone group is assigned Full Control for all new shared folders.

    • Caching: The settings to configure offline access to this shared folder.

Assigning Shared Folder Permissions

After you share a folder, the next step is to specify which users have access to the shared folder by assigning shared folder permissions to selected user accounts and groups. You can assign permissions to user accounts and groups for a shared folder, as follows:

  1. On the Sharing tab of the Properties dialog box of the shared folder, click Permissions.

  2. In the Permissions dialog box, ensure that the Everyone group is selected and then click Remove.

    w2kug29

  3. In the Permissions dialog box, click Add.

    w2kug30

  4. In the Select Users, Computers, or Groups dialog box, click the user accounts and groups to which you want to assign permissions.

  5. Click Add to add the user account or group to the shared folder. Repeat this step for all user accounts and groups to which you want to assign permissions.

  6. Click OK.

    w2kug31

  7. In the Permissions dialog box for the shared folder, click the user account or group, and then, under Permissions, select the Allow check box or the Deny check box for the appropriate permissions for the user account or group.

    w2kug32

Modifying Shared Folders

You can modify shared folders, stop sharing a folder, modify the share name, and modify shared folder permissions.

You can modify a shared folder as follows:

  1. Click the Sharing tab in the Properties dialog box of the shared folder.

    w2kug34

  2. To complete the appropriate task, use the steps below:

    • Stop sharing a folder: Click Do not share this folder.

    • Modify the share name: Click Do not share this folder to stop sharing the folder; click Apply to apply the change; click Share this folder, and then enter the new share name in the Share name box.

    • Modify shared folder permissions: Click Permissions. In the Permissions dialog box, click Add or Remove. In the Name dialog box, click the user account or group whose permissions you want to modify. Modify the permissions in the Permissions: Allow or Deny dialog box.

    • Share a folder multiple times: Click New Share to share a folder with an additional shared folder name. Do so to consolidate multiple shared folders into one while allowing users to continue to use the same shared folder name that they used before you consolidated the folders.

    • Remove a share name: Click Remove Share. This option appears only after the folder has been shared more than once.

Note: If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do not share this folder and a user has a connection to the shared folder, Windows 2000 displays a dialog box notifying you that a user has a connection to the shared folder.

Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

  • You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder that a shared folder contains.

  • In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders. This is in contrast to FAT volumes where permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In the figure below, the Everyone group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for File A. The Everyone group's effective permission for File A is Read because Read is the more restrictive permission. The effective permission for File B is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

[Figure w2kug35: shared folder and NTFS permissions for the Public folder, File A and File B]
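The combination rule above, worked through in code as an added example that is not part of the Windows 2000 guide. Permission levels are modelled as sets of rights, an explicit Deny is assumed to override any Allow, and local access is assumed to be governed by NTFS permissions alone; the ACLs are constructed to match the guide's figure.

```python
# Added example, not part of the Windows 2000 guide: a small model of how
# shared folder permissions and NTFS permissions combine into a user's
# effective access. Assumptions: permission levels are modelled as sets of
# rights, an explicit Deny removes a right regardless of any Allow, and
# local (console) access is governed by NTFS permissions only.

# Rights granted by each shared folder permission level.
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}

# Rights granted by the NTFS basic permissions used here.
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}


def resolve(acl, levels, principals):
    """Reduce an ACL to the rights held by a user who is any of `principals`.

    acl: list of (principal, "Allow" | "Deny", level) entries.
    Deny entries are subtracted after all Allow entries are collected,
    so an explicit Deny always overrides an Allow.
    """
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(levels[level])
    return allowed - denied


def effective_rights(share_acl, ntfs_acl, principals, via_network=True):
    """Combine share and NTFS permissions: the more restrictive side wins."""
    ntfs = resolve(ntfs_acl, NTFS_LEVELS, principals)
    if not via_network:
        return ntfs  # share permissions apply only to network access
    return resolve(share_acl, SHARE_LEVELS, principals) & ntfs


def summarize(rights):
    """Name the highest basic permission level fully covered by `rights`."""
    for name in ("Full Control", "Modify", "Read"):
        if NTFS_LEVELS[name] <= rights:
            return name
    return "No access"


# Constructed ACLs mirroring the guide's figure: the Public share grants
# Everyone Full Control; File A has NTFS Read, File B has NTFS Full Control
# (plus a constructed Deny Write entry for a Contractors group).
PUBLIC_SHARE = [("Everyone", "Allow", "Full Control")]
FILE_A_NTFS = [("Everyone", "Allow", "Read")]
FILE_B_NTFS = [("Everyone", "Allow", "Full Control"),
               ("Contractors", "Deny", "Write")]

if __name__ == "__main__":
    user = {"Everyone", "Users"}
    contractor = {"Everyone", "Contractors"}
    print("File A, network:", summarize(effective_rights(PUBLIC_SHARE, FILE_A_NTFS, user)))
    print("File B, network:", summarize(effective_rights(PUBLIC_SHARE, FILE_B_NTFS, user)))
    print("File B, contractor:", summarize(effective_rights(PUBLIC_SHARE, FILE_B_NTFS, contractor)))
```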

Mapping a network share

To map a drive letter to a network computer or folder

  1. Open Windows Explorer: click Start, point to Programs, point to Accessories, and then click Windows Explorer.

  2. On the Tools menu, click Map Network Drive.

  3. In Drive, select the drive letter to map to the shared resource.

  4. In Folder, type the server and share name of the resource, in the form of \\servername\sharename. Or click Browse to locate the resource.

  5. To reconnect to the mapped drive every time you log on, select the Reconnect at logon check box.

Note: Mapped drives are available only when the host computer is also available. You can assign a mapped drive to a different drive letter by disconnecting from the drive and then remapping it to a new drive letter.

Implementing the Encrypting File System in Windows 2000

The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders. Encryption is transparent to the user that encrypted the file. This means that you do not have to decrypt the encrypted file before you can use it. You can open and change the file as you normally do. However, an intruder who tries to access your encrypted files or folders will be prevented from doing so. An intruder receives an access denied message if the intruder tries to open, copy, move, or rename your encrypted file or folder.

You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level.

You can also encrypt or decrypt a file or folder using the command-line function cipher. For more information about the cipher command, type cipher /? at a command prompt.

Use EFS to keep your documents safe from intruders who might gain unauthorized physical access to your sensitive stored data (by stealing your laptop or Zip disk, for example).

Working with encrypted files

When you work with encrypted files and folders, keep in mind the following information and recommendations.

Important EFS Information

  • Only files and folders on NTFS volumes can be encrypted.

  • You cannot encrypt files or folders that are compressed. You must first uncompress the file or folder; then you can encrypt it. On a compressed volume, uncompress the folders you want to encrypt.

  • Only the user who encrypted the file can open it.

  • You cannot share encrypted files. EFS is not for distributing private data.

  • Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.

  • Use cutting and pasting to move files into an encrypted folder. If you use a drag-and-drop operation to move the files, they will not automatically be encrypted in the new folder.

  • System files cannot be encrypted.

  • Encrypting a folder or file does not protect against deletion. Anyone with delete permission can delete encrypted folders or files.

  • Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder. It is recommended that you encrypt the Temp folder on your hard disk for this reason. Encrypting the Temp folder ensures that your encrypted documents remain encrypted even during the editing process. If you create a new document or open an attachment in Outlook, the file may be created as an encrypted document in the Temp folder. If you choose to save the encrypted document to another location on an NTFS volume, it will remain encrypted in the new location.

  • You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. For more information, consult your domain administrator. However, if you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted. Other protocols, such as SSL/PCT or IPSEC must be used to encrypt data over the wire.

  • A recovery policy is automatically implemented when you encrypt your first file or folder so that if you should lose your file encryption certificate and associated private key, a recovery agent can decrypt your file for you.

EFS Recommendations

  • Encrypt the My Documents folder if this is the place where you save most of your documents. This ensures that your personal documents are encrypted by default.

  • Encrypt your Temp folder so that any temporary files created by programs are automatically encrypted.

  • Encrypt folders instead of individual files so that if a program creates temporary files during editing, these will be encrypted as well.

  • Using the Export command from Certificates in Microsoft Management Console (MMC), make backup copies on floppy disk of your file encryption certificate and associated private key. Keep the floppy disk in a secure location. Then, if you should ever lose your file encryption certificate (through disk failure or any other reason), you can restore the certificate and associated private key from the floppy disk using the Import command from Certificates in MMC and be able to open your encrypted files.

The Encrypting File System (EFS) uses a private key encryption mechanism for storing data in encrypted form on the network. EFS is the file encryption technology used for NTFS volumes. EFS runs as a service and uses both private key encryption and public key encryption.

Encrypting a file or folder

You can encrypt a file only if your administrator enables encryption. Encrypt a file or folder on an NTFS volume as follows:

  1. Select the file or folder to encrypt.

  2. Right-click on the file or folder and click Properties.

  3. On the General tab, click Advanced.

  4. On the Advanced Attributes dialog box, select Encrypt contents to secure data and click OK. This returns you to the Properties dialog box.

  5. Click OK in the Properties dialog box.

  6. You are asked to choose between encrypting the folder and all its contents or just the folder itself. If the folder is empty, choose to encrypt the folder only; otherwise, choose the folder and its contents, and click OK.

  7. A dialog box shows you the status of encrypting the folder or file. Click OK again to make this change, and close the Properties dialog box.

After a folder is encrypted, files saved in that folder are automatically encrypted. When an encrypted file is moved to another folder that is not encrypted, the file remains encrypted. However, if the owner of the file moves the file to a FAT partition or volume, such as a floppy disk, the file is automatically decrypted.

Decrypting Files and Folders

Encrypted files can only be decrypted using the private key that encrypted them.

Decrypt a file as follows:

  1. Right-click the file or folder and click Properties.

  2. On the General tab in the Properties dialog box, click Advanced.

  3. Clear the Encrypt contents to secure data check box.

  4. Click OK.

  5. Click OK again to confirm.

You will also see a dialog box offering the option to just decrypt the folder, or to decrypt the folder and all of its contents.

Note: The Administrator has sufficient rights to decrypt all files that have been encrypted.

Copying an Encrypted Folder or File

The following explains the procedures and limitations for copying encrypted folders or files on the same volume and from one volume to another.

  • To copy a file or folder on the same computer from one NTFS partition in a Windows 2000 location to another NTFS partition in a Windows 2000 location: copy the file or folder as you would an unencrypted file, using Windows Explorer or the command prompt. The copy is encrypted.

  • To copy a file or folder on the same computer from an NTFS partition in a Windows 2000 volume to a FAT partition: copy the file or folder as you would an unencrypted file, using Windows Explorer or the command prompt. Because the destination file system does not support encryption, the copy is not encrypted.

  • To copy a file or folder to a different computer where both use NTFS partitions in Windows 2000: copy the file or folder as you would an unencrypted file, using Windows Explorer or the command prompt. If the remote computer allows you to encrypt files, the copy is encrypted; otherwise it is not encrypted. Note that the remote computer must be trusted for delegation; in a domain environment, remote encryption is not enabled by default.

  • To copy a file or folder to a different computer from an NTFS partition in a Windows 2000 location to a FAT or NTFS partition in a Windows NT 4.0 location: copy the file or folder as you would an unencrypted file, using Windows Explorer or the command prompt. Because the destination file system does not support encryption, the copy is not encrypted.

Note: If the original file was encrypted, Microsoft recommends that you confirm the status of the destination file by looking at the Advanced Attributes dialog box (click the Advanced button on the General tab of the file's property sheet).

Moving or Renaming an Encrypted Folder or File

The following explains the procedures and limitations for moving encrypted folders or files on the same volume and from one volume to another.

To move or rename a file or folder within the same volume: Move or rename the file as you would an unencrypted file. Use Windows Explorer, the shortcut menu, or the command prompt. The destination file or folder remains encrypted.

To move a file or folder between volumes: This is essentially a copy operation. Review the previous section, Copying an Encrypted Folder or File.

Deleting an Encrypted Folder or File

If you have sufficient access to delete the file or folder, you can delete it as you could an unencrypted file.

Note: Deleting an encrypted folder or file is not restricted to the user who originally encrypted the file.

Restoring Files to a Different Computer

To be able to use encrypted files on a computer other than the one the files were encrypted on, authorized administrators need to ensure that the encryption certificate and associated private key are available on the other system. This can be done either by using a Roaming Profile or by manually moving the keys.

  • Using a Roaming Profile: Authorized administrators have to set up a roaming profile for users if they don't already have one. Once users have a roaming profile, the encryption keys used are the same on all computers that a user logs on to with that same user account. Note that even when using a roaming profile, users may want to back up encryption certificates and private keys. However, if users do lose the keys that enable them to decrypt a file, they can request the designated recovery agent (by default the local or domain administrator) to recover the encrypted files.

  • Manually moving keys: Before moving keys manually, authorized users should back up encryption certificates and private keys. They can then restore the certificates and keys on a different system.

Back up the encryption certificate and private key as follows:

  1. Click Start, click Run, type mmc in the Open box, and click OK.

  2. On the Console menu, click Add/Remove snap-ins, and click Add.

  3. Locate the Certificates snap-in, and click Add.

  4. Select My user account and then click Finish. Click Close. Click OK.

  5. Locate the Encrypting File System certificates in the Personal certificate store. Click the + next to Certificates - Current User. Expand the Personal folder. Click Certificates.

  6. Right-click the certificate, click All Tasks, and click Export.

  7. This starts the Certificate Manager Export wizard. Click Next.

  8. Click Yes, export the private key. Click Next.

  9. The only export format available is Personal Information Exchange (PKCS #12), which uses the .pfx file extension. Click Next.

  10. Provide the password to protect the .pfx data. Click Next.

  11. Provide the path and file name where the .pfx data is to be stored. In this case, type c:\mykey. Click Next.

  12. A list of certificates and keys to be exported is displayed. Click Finish to confirm.

  13. Click OK to close the wizard, and close the snap-in.

This exports the encryption certificate and private key to a .pfx file that must be backed up securely.

To restore an encryption certificate and private key on a different system do the following:

  1. Copy the .pfx file to a floppy disk, and take it to the computer on which the encryption certificate and private key are to be imported.

  2. Start the Certificates snap-in by clicking Start, clicking Run, and then typing mmc.

  3. On the Console menu, click Add/Remove snap-ins, and click Add.

  4. Click Certificates, and click Add. Select My user account and then click Finish. Click Close. Click OK.

  5. Right-click Personal store, click All Tasks, and click Import to import the .pfx file.

  6. This starts the Certificate Manager Import wizard. Follow the wizard steps to successfully import the certificate and private key.

  7. Provide the path to the .pfx file. In our example, it is c:\mykey.pfx.

  8. Type the password to unwrap the .pfx data.

  9. Click Place all certificates in the following store, and accept the Personal certificate store. Click Next.

  10. Click Finish, and then click OK to start the import operation. When the import is complete, click OK to close the wizard.

Once the same keys are available, the user can transparently use encrypted files that may have been backed up on a different computer.

Encrypting with the cipher.exe Tool

Windows 2000 also includes a command-line utility, cipher.exe. This tool offers additional functionality not provided by the GUI interface associated with the property page for a file.

There are many switches for the cipher tool, which are detailed in the following table. The format for the command is:

    cipher [/e | /d] [/s:folder_name] [/i] [/f] [/q] [file_name [...]]

The table below describes the switches available with the cipher.exe command.

| Switch | Action |
|---|---|
| /e | Encrypts the specified folder or files. Folders are marked, and files added later are also encrypted. |
| /d | Decrypts the specified folder or files. Files added later to a decrypted folder are not encrypted. |
| /s | Performs the specified operation on files that are in the specified folder, and on files that are in all subfolders. |
| /i | Allows the command to continue even if errors are encountered. (By default, cipher stops when it encounters errors.) |
| /f | Causes cipher to encrypt all files in the folder, even if they are already encrypted. (By default, already encrypted files are skipped.) |
| /q | Causes cipher to report only the most essential information. |
| file_name | Specifies the name of the file to be encrypted. |
| folder_name | Specifies the name of the folder to be encrypted (used with /s:). |

Use Cipher.exe to encrypt a folder or file as follows:

  1. Click Start, click Run, type cmd and click OK.

  2. To encrypt the My Documents folder, you could use this command string (the folder name contains a space, so it must be quoted):

    C:\>cipher /e /s:"My Documents"

  3. To encrypt all the files in the My Documents folder and its subfolders that have the word junk in the name, you could use this command string (/s:. means the current folder and its subfolders):

    C:\My Documents>cipher /e /s:. *junk*

You may run the command without any switches to display the current encryption state of a folder and the files that it contains.

To use Cipher.exe to decrypt a folder or file

  1. To decrypt the folder, D:\Encrypted Files, type

    C:\>cipher /d /s:"D:\Encrypted Files"

  2. Press Enter.
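As an added example that is not part of the guide, the Python helper below builds cipher.exe command lines with the quoting used in the steps above and parses a listing such as cipher prints when run without switches, reporting files that are still unencrypted. The sample listing is constructed, and its format (a "Listing" header, a line stating whether new files will be encrypted, then one file per line flagged E or U) is an assumption.

```python
# Added example, not part of the Windows 2000 guide: build a correctly quoted
# cipher.exe command line and check a cipher listing for files that are
# still unencrypted. The sample listing below is constructed; it is assumed
# to follow the format cipher prints when run without switches (a
# "Listing <folder>" header, a line stating whether new files will be
# encrypted, then one file per line flagged E = encrypted or U = unencrypted).
import re


def quote_if_needed(path):
    """Wrap a path in double quotes when it contains a space (cmd.exe rules)."""
    return f'"{path}"' if " " in path else path


def cipher_command(folder=None, encrypt=True, pattern=None,
                   continue_on_error=False, force=False, quiet=False):
    """Return the cipher command line for the switches listed in the guide.

    folder  -> /s:folder (operate on the folder and all its subfolders);
               None operates on the current folder only
    pattern -> file name or wildcard to operate on, e.g. "*junk*"
    """
    parts = ["cipher", "/e" if encrypt else "/d"]
    if folder is not None:
        parts.append("/s:" + quote_if_needed(folder))
    if continue_on_error:
        parts.append("/i")
    if force:
        parts.append("/f")
    if quiet:
        parts.append("/q")
    if pattern is not None:
        parts.append(quote_if_needed(pattern))
    return " ".join(parts)


LISTING_RE = re.compile(r"^\s*Listing (.+?)\s*$")
ENTRY_RE = re.compile(r"^([EU]) (.+?)\s*$")


def parse_cipher_listing(text):
    """Parse cipher output (no switches) into (folder, marked, {name: flag})."""
    folder, marked, files = None, None, {}
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            folder = m.group(1)
        elif "New files added to this directory will" in line:
            marked = "will not" not in line  # folder marked for encryption?
        else:
            m = ENTRY_RE.match(line)
            if m:
                files[m.group(2)] = m.group(1)
    return folder, marked, files


def unencrypted_files(text):
    """Names of files the listing flags as U, sorted for stable reporting."""
    _, _, files = parse_cipher_listing(text)
    return sorted(name for name, flag in files.items() if flag == "U")


# Constructed listing for a folder that is marked for encryption but still
# holds one file that was dragged in rather than cut and pasted.
SAMPLE_LISTING = """ Listing C:\\My Documents\\
 New files added to this directory will be encrypted.

E report.doc
U junk-notes.txt
E budget.xls
"""
```

Running cipher without switches in the folder and feeding its output to unencrypted_files gives the list of files that still need cipher /e (or a cut-and-paste move into the encrypted folder).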