Access Denied: Understanding EFS Limitations
Because EFS protects only copies of files stored on disk, you need to take extra measures to protect files in the pagefile, temporary files, and files on computers that hibernate.
November 11, 2002
I heard that when you use Encrypting File System (EFS), you should clear your pagefile before shutdown. Why and how should I do so?
Users need to understand that EFS protects only the file copy that's stored on disk. When you open an encrypted file, information can leak in several ways. For example, when you email an encrypted file to an associate, the file isn't encrypted as it travels from your email server to your associate's computer. The email application decrypts the file when the application reads the file from disk. When you open an encrypted file (e.g., as a .doc file through an application such as Microsoft Word), Windows 2000 reads the encrypted file into memory, decrypts the file in memory, then gives the decrypted file to the application. Suppose you open a Word document and begin editing it. At that point, the document is in RAM. Then, you open several other applications to research information for the document and your computer starts to run out of RAM. To free up memory, Win2K looks for pages that haven't been used for a while and swaps them out to the pagefile. A portion of Word's RAM, and your document along with it, gets swapped out to disk. Later, you shut down the computer. If Win2K hasn't overwritten the area of the pagefile that holds your Word document and someone steals your computer, the thief might be able to salvage portions of the document by booting DOS on a 3.5" disk and scavenging the pagefile (pagefile.sys).
To prevent such exposures, enable the Clear virtual memory pagefile when system shuts down Group Policy Object (GPO) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Enabling this policy causes system shutdowns to take longer because Win2K must zero out every bit in the pagefile.
A similar security risk exists when you hibernate a system: Win2K writes the system's RAM, including any encrypted files you've opened with an application, to hiberfil.sys. For maximum security, you can disable hibernation. Open the Control Panel Power Options applet, select the Hibernate tab, and clear the Enable hibernate support check box. Win2K will zero out the hiberfil.sys file when the computer shuts down.
Temporary files are another way that Win2K can leak encrypted information. Make sure you flag all temporary folders as encrypted.
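The three leak paths the column describes (pagefile, hiberfil.sys, temporary folders) can be audited in one pass. The script below is an added example, not part of the original column, and assumes a current Windows host where the pagefile-clearing policy is stored in the ClearPageFileAtShutdown registry value, hibernation state in the HibernateEnabled value, and where the folders in $TempFolders are the ones to check.

```powershell
# Added audit script (not from the original column). Assumptions: the
# "Clear virtual memory pagefile when system shuts down" policy maps to
# ClearPageFileAtShutdown; hibernation state is reflected in HibernateEnabled
# and in the presence of hiberfil.sys; $TempFolders lists the folders to test.
param(
    [string[]]$TempFolders = @($env:TEMP, "$env:SystemRoot\Temp")
)

$results = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'EXPOSED' }
    [void]$results.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Pagefile: swapped-out pages of a decrypted document survive on disk unless
#    the pagefile is zeroed at shutdown.
$mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
Add-Result 'Pagefile cleared at shutdown' ($clear -eq 1) "ClearPageFileAtShutdown = $clear"

# 2. Hibernation: hiberfil.sys is a RAM image, including open decrypted files.
$pw       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$hib      = (Get-ItemProperty -Path $pw -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
$hiberfil = Test-Path -LiteralPath "$env:SystemDrive\hiberfil.sys"
Add-Result 'Hibernation disabled' (($hib -eq 0) -and (-not $hiberfil)) "HibernateEnabled = $hib; hiberfil.sys present = $hiberfil"

# 3. Temp folders: an application's scratch copies of an encrypted document are
#    protected only if the folder itself carries the Encrypted attribute, so new
#    files created in it inherit encryption.
foreach ($folder in $TempFolders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Add-Result "Temp folder encrypted: $folder" $false 'folder not found'
        continue
    }
    $attrs = (Get-Item -LiteralPath $folder -Force).Attributes
    $enc   = ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
    Add-Result "Temp folder encrypted: $folder" $enc "Attributes = $attrs"
}

$results | Format-Table -AutoSize
```

Run it from an elevated prompt so the registry reads and the root-of-drive check succeed; any row marked EXPOSED corresponds to one of the measures the column recommends.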
—Randy Franklin Smith