Learn how to get the most out of EFS Assistant and EFS Certificate Updater
Microsoft's Encrypting File System (EFS), introduced in Windows 2000 Server, has improved over the years but still has limited out-of-the-box support for central management and control via Group Policy. The introduction of BitLocker Drive Encryption in Windows Vista and Windows Server 2008 changed the encryption ballgame somewhat, placing EFS in second place, because full disk encryption is acknowledged as the best method for securing data on notebooks. EFS works at the file level and offers some degree of manageability but it can’t encrypt critical OS files. BitLocker works at a low level and encrypts entire volumes. Unlike EFS, BitLocker protects files in the Windows directory and OS files that may contain sensitive information.
Although EFS may still be useful in certain scenarios (e.g., protecting files where users have shared access), BitLocker is the primary choice for encryption on newer systems. But for those of us who need to provide a solution for encrypting sensitive data on Windows XP-based systems, without the expense of third-party solutions, EFS is still the first point of call.
Hidden away in the depths of Microsoft’s Data Encryption Toolkit for Mobile PCs are two tools that can help you gain more control over EFS. The EFS Assistant can enforce encryption of files and folders and scan for files that should be encrypted, helping organizations adhere to regulatory requirements and security policy. The EFS Certificate Updater can help organizations move users from self-signed certificates to V2 certificates provided by a Certification Authority (CA).
One of the main restrictions of EFS on XP is that there’s no way to enforce encryption of folders. Encryption can be enabled or disabled for domain computers in Group Policy, and Recovery Agents can be configured, but that’s about it—administrators or users must configure the encryption status for each folder.
Installing the EFS Assistant
You can deploy EFS Assistant to client devices to automate encryption of potentially sensitive data that might otherwise be left exposed in the case of a physical breach. EFS Assistant is a small executable that can be installed on every Windows device in an organization (the tool currently supports only XP and Vista). It runs in the context of the logged on user. The tool scans files and folders, enabling encryption based on policy defined in the registry. You can download the tool at www.microsoft.com/downloads/details.aspx?FamilyId=1A99576A-FE67-418F-88B1-81E2055FE977.
Evaluation settings, the reporting tool, administrative templates, and shortcuts are installed by default only when the EFS Assistant MSI file is run interactively. The Evaluation Settings install option writes some basic rules to the HKLM\Software\Policies\Microsoft\EFS Assistant key in the registry on the local computer (Table 1).
To test the tool, run the EFS Assistant MSI file on an XP machine joined to your domain and accept all the default instal¬lation options (Figure 1). To start the tool manually, select All Programs, Microsoft EFS Assistant from the Start menu. Within a few seconds a balloon notification will inform you that the tool has started scan¬ning files. In a domain environment, you can use Group Policy to deploy the tool and set it to run when users log on.
Another notification will appear once the scan is complete. Now you can run the reporting tool. Select All Programs, Microsoft EFS Assistant, EFS Assistant Results Viewer from the Start menu. This small Visual Basic script creates a CSV file (Figure 2) in the user’s My Documents folder that con¬tains details of encrypted files and folders from the computer’s WMI database.
Configuring the EFS Assistant
When the tool is installed, two lists of fold¬ers are created: the Default Green and Default Red lists. These lists contain paths that the tool includes or excludes, respec¬tively. Folders on the Default Green list include \%USERPROFILE%\Local Settings\Temporary Internet Files and \%USERPROFILE%\My Documents. Additional folder lists, which you can configure in Group Policy, take precedence over the Default Red and Green lists.
You can add EFS Assistant settings to Group Policy with the supplied Group Policy admin templates—EFSAssistant.adm and EFSAssistant.admx, for Windows Server 2003 and Server 2008, respectively. You’ll find these templates in the Administrative Templates folder when you unzip the Microsoft EFS Assistant download. Log on to a domain con-troller (DC) as domain administrator, thenOpen Group Policy Management Console (GPMC) and expand your forest and domain in the left pane.
- Right-click the Group Policy Objects folder and select New from the menu. In the New GPO
- dialog box, enter EFSAssis¬tant in the Name field and click OK.
- Expand the Group Policy Objects folder, right-click the new EFSAssistant GPO, and select Edit from the menu. The Group Policy Management Editor window will open.
- Expand Computer Configuration in the left pane of the GPO Editor, and right-click Administrative Templates. Select Add/Remove Templates from the menu.
- Click Add at the bottom of the Add/Remove Templates dialog box and browse to the EFSAssistant.adm file in the Admin¬istrative Templates folder; click Open.
- You should now see EFS Assistant appear under Current Policy Templates in the Add/Remove Templates dialog box. Click Close.
- Expand Administrative Templates in the GPO Editor and select EFS Assistant (Figure 3).
As you’ll see in the GPO Editor (Figure 3), management settings (most of which are self-explanatory) are expanded consider¬ably with use of the EFS Assistant. In a pro¬duction environment, you should make sure that you use Group Policy Scope of Manage¬ment to deploy the tool and settings only to systems that meet the tool’s system require¬ments. The EFS Assistant MSI installer file supports the /quiet switch on the command line for Group Policy Software Installation. When the /quiet switch is used, only the EFS Assistant executable is installed and no user interaction is required to complete the install process. You can find best practices for deploying EFS at support.microsoft.com/kb/223316. You can find more information about the tool, including details about folders that should not be encrypted, in the Adminis¬trator’s Guide supplied with the tool down¬load.
Migrating to V2 Certificates with the EFS Certificate Updater Tool
So far, assuming there’s no CA installed in your domain, files have been encrypted using self-signed certificates. Despite being a valid way to implement EFS, files encrypted with self-signed certificates cannot easily be shared with other users. And if a user’s certificate is lost or corrupted, files must be recovered by a Data Recovery Agent (DRA).
The principle advantage of using V2 certificates is that they support key archival, so administrators can quickly give users access to encrypted files if their certificates are lost or corrupted. V2 certificates are supported in Enterprise and Data Center editions of Server 2003 (and later). If an appropriate V2 certificate has been installed in a user’s personal certificate store, the EFS Certificate Updater tool changes the user’s EFS configuration from a self-signed or V1 certificate to the V2 certificate. In an ideal situation, EFS should be disabled until all users have an appropriate V2 certificate for Simplify EFS Deployment encrypting files in their personal certificate store. However, there may be situations where users have already encrypted files with a V1 or self-signed certificate. Even if those users successfully request a V2 certificate, EFS will continue to use the old certificate to encrypt new files. Previously encrypted files will remain encrypted using the old certificate.
To migrate to V2 certificates for users who have already encrypted files using a self-signed certificate, log on to XP with the user’s account. Note that users must already have an EFS V2 certificate (Figure 4) in their personal certificate store before running the EFS Certificate Configu¬ration Updater. The following commands could also be included in a logon script to automate the migration process across mul¬tiple computers. You can download the EFS Certificate Configuration Updater at www.codeplex.com/EFSCertUpdater/Release/ProjectReleases.aspx?ReleaseId=19752, then1. Run the EFS Certificate Configura¬tion Updater either from the command line or by double-clicking the executable. If you want to migrate from V1 certificates, you’ll need to include the /m1 switch. 2. Open a command prompt and run cipher /u to update all previously encrypted files to use the new V2 certifi¬cate. 3. Log off and on again to ensure that Windows Explorer displays the correct thumbprint for encrypted files.
To check the results, compare the cer¬tificate’s thumbprint on existing and newly encrypted files against the thumbprint of the V2 certificate in the user’s personal certificate store.
- Right-click an encrypted file that existed before you ran the EFS Certificate Configuration Updater.
- In the file’s Properties dialog box, click Advanced in the Attributes section.
- In the Advanced Attributes dialog box, click Details under Compress or Encrypt attributes.
- The Encryption Details dialog box will display the thumbprint of the certifi¬cate used to encrypt the file (Figure 5).
- Type mmc in the Run box on the Start menu.
- Click CTRL+M in the MMC window and then Add on the Add/Remove Snap-in dialog box.
- Double click Cer¬tificates in the Add Stand¬alone Snap-in dialog box.
- Select My user account in the Certificates snap-in win¬dow and click Finish.
- Click Close and then OK to return to the MMC window.
- Expand Cer¬tificates – Current User ,Personal, Certificates in the left pane and locate the V2 certificate issued by your CA in the right pane.
- Double-click the certificate and select the Details tab in the Certifi¬cate dialog box.
- Scroll down to the bottom of the list to view the certificate’s thumb¬print (Figure 6).
- Compare the thumbprints from step 4 and step 12; they should be the same if cipher.exe success-fully updated the certificates on encrypted files.
- Repeat steps 1 through 4 to check that new files are also encrypted with the V2 certificate
EFS Gains Manageability
The EFS Assistant, while not foolproof, helps establish central management for encrypted files across your mobile workforce. Although Microsoft doesn’t support the EFS Assistant on standalone computers, in my tests I found that it works as expected. In conjunc¬tion with cipher.exe, the EFS Certificate Configuration Updater provides quick and painless migration from self-signed or V1 certificates, directly to more flexible V2 cer¬tificates.