Simplify EFS Deployment

Microsoft's Encrypting File System (EFS), introduced in Windows 2000 Server, has improved over the years but still has limited out-of-the-box support for central management and control via Group Policy. The introduction of BitLocker Drive Encryption in Windows Vista and Windows Server 2008 changed the encryption ballgame somewhat, placing EFS in second place, because full disk encryption is acknowledged as the best method for securing data on notebooks. EFS works at the file level and offers some degree of manageability but it can’t encrypt critical OS files. BitLocker works at a low level and encrypts entire volumes. Unlike EFS, BitLocker protects files in the Windows directory and OS files that may contain sensitive information.

Although EFS may still be useful in certain scenarios (e.g., protecting files where users have shared access), BitLocker is the primary choice for encryption on newer systems. But for those of us who need to provide a solution for encrypting sensitive data on Windows XP-based systems, without the expense of third-party solutions, EFS is still the first point of call.

Hidden away in the depths of Microsoft’s Data Encryption Toolkit for Mobile PCs are two tools that can help you gain more control over EFS. The EFS Assistant can enforce encryption of files and folders and scan for files that should be encrypted, helping organizations adhere to regulatory requirements and security policy. The EFS Certificate Updater can help organizations move users from self-signed certificates to V2 certificates provided by a Certification Authority (CA).

One of the main restrictions of EFS on XP is that there’s no way to enforce encryption of folders. Encryption can be enabled or disabled for domain computers in Group Policy, and Recovery Agents can be configured, but that’s about it—administrators or users must configure the encryption status for each folder.

Installing the EFS Assistant

You can deploy EFS Assistant to client devices to automate encryption of potentially sensitive data that might otherwise be left exposed in the case of a physical breach. EFS Assistant is a small executable that can be installed on every Windows device in an organization (the tool currently supports only XP and Vista). It runs in the context of the logged on user. The tool scans files and folders, enabling encryption based on policy defined in the registry. You can download the tool at www.microsoft.com/downloads/details.aspx?FamilyId=1A99576A-FE67-418F-88B1-81E2055FE977.

Evaluation settings, the reporting tool, administrative templates, and shortcuts are installed by default only when the EFS Assistant MSI file is run interactively. The Evaluation Settings install option writes some basic rules to the HKLMSoftwarePoliciesMicrosoftEFS Assistant key in the registry on the local computer (Table 1).

To test the tool, run the EFS Assistant MSI file on an XP machine joined to your domain and accept all the default instal¬lation options (Figure 1). To start the tool manually, select All Programs, Microsoft EFS Assistant from the Start menu. Within a few seconds a balloon notification will inform you that the tool has started scan¬ning files. In a domain environment, you can use Group Policy to deploy the tool and set it to run when users log on.

Another notification will appear once the scan is complete. Now you can run the reporting tool. Select All Programs, Microsoft EFS Assistant, EFS Assistant Results Viewer from the Start menu. This small Visual Basic script creates a CSV file (Figure 2) in the user’s My Documents folder that con¬tains details of encrypted files and folders from the computer’s WMI database.

Configuring the EFS Assistant

When the tool is installed, two lists of fold¬ers are created: the Default Green and Default Red lists. These lists contain paths that the tool includes or excludes, respec¬tively. Folders on the Default Green list include %USERPROFILE%Local SettingsTemporary Internet Files and %USERPROFILE%My Documents. Additional folder lists, which you can configure in Group Policy, take precedence over the Default Red and Green lists.

You can add EFS Assistant settings to Group Policy with the supplied Group Policy admin templates—EFSAssistant.adm and EFSAssistant.admx, for Windows Server 2003 and Server 2008, respectively. You’ll find these templates in the Administrative Templates folder when you unzip the Microsoft EFS Assistant download. Log on to a domain con-troller (DC) as domain administrator, then

Open Group Policy Management Console (GPMC) and expand your forest and domain in the left pane.

As you’ll see in the GPO Editor (Figure 3), management settings (most of which are self-explanatory) are expanded consider¬ably with use of the EFS Assistant. In a pro¬duction environment, you should make sure that you use Group Policy Scope of Manage¬ment to deploy the tool and settings only to systems that meet the tool’s system require¬ments. The EFS Assistant MSI installer file supports the /quiet switch on the command line for Group Policy Software Installation. When the /quiet switch is used, only the EFS Assistant executable is installed and no user interaction is required to complete the install process. You can find best practices for deploying EFS at support.microsoft.com/kb/223316. You can find more information about the tool, including details about folders that should not be encrypted, in the Adminis¬trator’s Guide supplied with the tool down¬load.

Migrating to V2 Certificates with the EFS Certificate Updater Tool

So far, assuming there’s no CA installed in your domain, files have been encrypted using self-signed certificates. Despite being a valid way to implement EFS, files encrypted with self-signed certificates cannot easily be shared with other users. And if a user’s certificate is lost or corrupted, files must be recovered by a Data Recovery Agent (DRA).

The principle advantage of using V2 certificates is that they support key archival, so administrators can quickly give users access to encrypted files if their certificates are lost or corrupted. V2 certificates are supported in Enterprise and Data Center editions of Server 2003 (and later). If an appropriate V2 certificate has been installed in a user’s personal certificate store, the EFS Certificate Updater tool changes the user’s EFS configuration from a self-signed or V1 certificate to the V2 certificate. In an ideal situation, EFS should be disabled until all users have an appropriate V2 certificate for Simplify EFS Deployment encrypting files in their personal certificate store. However, there may be situations where users have already encrypted files with a V1 or self-signed certificate. Even if those users successfully request a V2 certificate, EFS will continue to use the old certificate to encrypt new files. Previously encrypted files will remain encrypted using the old certificate.

To migrate to V2 certificates for users who have already encrypted files using a self-signed certificate, log on to XP with the user’s account. Note that users must already have an EFS V2 certificate (Figure 4) in their personal certificate store before running the EFS Certificate Configu¬ration Updater. The following commands could also be included in a logon script to automate the migration process across mul¬tiple computers. You can download the EFS Certificate Configuration Updater at www.codeplex.com/EFSCertUpdater/Release/ProjectReleases.aspx?ReleaseId=19752, then

1. Run the EFS Certificate Configura¬tion Updater either from the command line or by double-clicking the executable. If you want to migrate from V1 certificates, you’ll need to include the /m1 switch.2. Open a command prompt and run cipher /u to update all previously encrypted files to use the new V2 certifi¬cate.3. Log off and on again to ensure that Windows Explorer displays the correct thumbprint for encrypted files.

To check the results, compare the cer¬tificate’s thumbprint on existing and newly encrypted files against the thumbprint of the V2 certificate in the user’s personal certificate store.

EFS Gains Manageability

The EFS Assistant, while not foolproof, helps establish central management for encrypted files across your mobile workforce. Although Microsoft doesn’t support the EFS Assistant on standalone computers, in my tests I found that it works as expected. In conjunc¬tion with cipher.exe, the EFS Certificate Configuration Updater provides quick and painless migration from self-signed or V1 certificates, directly to more flexible V2 cer¬tificates.