Best Practices for Encrypting File System
This article discusses a Beta release of a Microsoft product. The
information in this article is provided as-is and is subject to change
without notice.
No formal product support is available from Microsoft for this Beta
product. For information about obtaining support for a Beta release,
please see the documentation included with the Beta product files, or
check the Web location from which you downloaded the release.
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
SUMMARY
Windows 2000 includes the ability to encrypt data directly on volumes
that use the NTFS file system so that the data cannot be used by any
other user. Files and folders can be encrypted by setting an attribute
in the object's Properties dialog box.
Because the encryption/decryption process is transparent to users, it is
important that organizations that want to use file encryption to its
fullest extent promote strong guidelines regarding its usage.
MORE INFORMATION
The following is the list of standard practices:
- Encrypt the "My Documents" folder for all users
(%userprofile%\My Documents). This ensures that the personal folder,
where most Office documents are stored, is encrypted by default.
- Encrypt the Temp folder for all users (%temp%). This ensures that
the temporary files created by various programs are encrypted, so that
plaintext copies of sensitive data are not leaked through them.
- Teach users to never encrypt individual files, but only folders.
Programs work on files in various ways; for example, some save changes
by writing a new file and deleting the original, and a new file inherits
its encryption state from the folder, not from the file it replaces.
Encrypting consistently at the folder level ensures that files do not
end up decrypted unexpectedly.
- The private keys associated with recovery certificates are
extremely sensitive. They should be generated either on a computer
that is physically secured, or their certificates should be
completely exported to a PFX file, protected under a strong
password, and stored on a secure floppy disk.
- Recovery agent certificates should be assigned to special recovery
agent accounts that are not used for any other purpose.
- Do not destroy recovery certificates or private keys when recovery
agents are changed (which should occur periodically). Keep all of
them, until all files that may have been encrypted with them are
updated.
- Designate two or more recovery agent accounts per Organizational
Unit (OU), depending on the size of the OU. Designate two or more
computers for recovery, one for each designated recovery agent
account, and give permissions to appropriate administrators to use
the recovery agent accounts.
- Implement a recovery agent archive program to ensure that
encrypted files can be recovered using obsolete recovery keys.
Recovery certificates and private keys must be exported and stored
in a controlled and secure manner. Ideally, as with all secure data,
archives should be stored in a controlled access vault and you
should have two archives: a master and a backup. The master is kept
on-site, while the backup is located in a secure off-site location.
- Avoid using print spool files in your print server architecture,
or ensure that print spool files get generated in an encrypted
folder.
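As an added example (not part of this KB article), the following PowerShell script applies the first three practices on a workstation: it encrypts the two named folders at the folder level with cipher.exe, so that new files inherit the attribute, and then audits each folder for files that lack the Encrypted attribute. It assumes cipher.exe is on the path, that the script runs as the profile's own user, and that the Windows 2000 folder layout (%userprofile%\My Documents and %temp%) is in use.

```powershell
# Added example, not code from the KB article.
# Folder-level EFS enforcement and audit for the folders the article names.
$Folders = @(
    (Join-Path $env:USERPROFILE 'My Documents'),  # article's %userprofile%\My Documents (assumed layout)
    $env:TEMP                                     # article's %temp%
)

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }

    # Encrypt the folder itself, never individual files (practice 3). The folder
    # attribute makes every new file created inside it encrypted by default;
    # /s applies the setting recursively so existing contents are covered too.
    $attr = (Get-Item -LiteralPath $folder -Force).Attributes
    if (-not ($attr -band [IO.FileAttributes]::Encrypted)) {
        & cipher.exe /e /s:"$folder" | Out-Null
    }

    # Audit: a plaintext file left inside an encrypted folder is exactly the
    # "decrypted unexpectedly" case the article warns about. Files carrying the
    # System attribute (e.g. desktop.ini) are skipped because EFS does not
    # encrypt them; they are not a finding.
    $plain = Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) -and
            -not ($_.Attributes -band [IO.FileAttributes]::System)
        }

    if ($plain) {
        Write-Warning ("{0} unencrypted file(s) under {1}:" -f @($plain).Count, $folder)
        $plain | ForEach-Object { Write-Output ("  " + $_.FullName) }
    } else {
        Write-Output "OK: all files under $folder carry the Encrypted attribute"
    }
}
```

Run it under the user account that owns the profile, since EFS keys are per user; running it as an administrator would encrypt the folders with the administrator's key instead.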
For additional information about the Encrypting File System (EFS), see
the "Encrypting File System for Windows 2000 Server Technical
Overview" document on the following Microsoft Web site:
http://www.microsoft.com/windows/server/Technical/security/encrypt.asp
Additional query words:
Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo