S 4.147 Secure use of EFS under Windows
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
Windows 2000 and higher versions provide an Encrypting File System (EFS) that supports the encryption of individual files. The files must be marked accordingly for encryption. File encryption using EFS is based on a hybrid mechanism that uses a combination of symmetric and asymmetric encryption methods:
- A fast symmetric procedure is used for pure data encryption. The key used for encryption (the File Encryption Key or FEK) is randomly generated.
- By default, Windows 2000 and Windows XP prior to Service Pack 1 use DESX, a variant of the DES algorithm. Windows XP can also be switched to triple DES (3DES) for compliance with FIPS 140-1; the main benefit of 3DES over DESX is the longer effective key. It is activated in the group policies under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Windows XP Service Pack 1 and higher versions use AES with a 256-bit key by default. The algorithm can be selected explicitly via the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID (DWORD): 0x6603 for triple DES, 0x6604 for DESX, and 0x6610 for AES-256. The setting only applies to files encrypted from then on; a file that is already encrypted keeps the algorithm it was encrypted with until it is decrypted and encrypted again.
- Enabling the FIPS policy does not only switch EFS to triple DES; it also affects IPSec. To restrict triple DES to EFS alone, set the registry value instead of the policy (DWORD name: AlgorithmID, value 0x6603, in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS).
- In a mixed environment (Windows 2000 together with higher Windows versions), note that Windows 2000 systems without the High Encryption Pack or Service Pack 2 (or higher) cannot access files encrypted with triple DES, and that files encrypted with AES cannot be read by Windows 2000 systems or by Windows XP systems without Service Pack 1. These problems only arise when encrypted data is to be decrypted on a computer other than the one on which it was encrypted, which is possible, for example, with NTFS-formatted removable drives or with EFS over WebDAV.
- The asymmetric RSA algorithm is used to encrypt the FEK. The FEK is encrypted with the public key of the user who encrypts the file, so it can only be decrypted, and then used to decrypt the file contents, with that user's private key. Since Windows 7 and Server 2008 R2, the FEK can additionally be encrypted using Elliptic Curve Cryptography (ECC), which allows shorter keys for comparable strength. Windows 7 and Server 2008 R2 can operate in a mixed RSA/ECC mode to remain compatible with earlier Windows versions. The key lengths are configured in the group policy under Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System. The default values of 2048 bits for RSA and 256 bits for ECC should be used as a minimum; depending on the confidentiality requirement of the data, larger key lengths can be selected.
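As an added example (not part of the catalogue text), the following PowerShell script reads the algorithm selection and FIPS setting described above and pins EFS to AES-256. The registry key under EFS is the one named in the text; the value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy is the backing store of the "Use FIPS compliant algorithms" policy. The function names are this example's own, and the text match in Get-EfsFileAlgorithm is deliberately loose because the wording of the cipher /c output differs between Windows versions.

```powershell
# Added example: audit and set the EFS algorithm selection. Run Set-EfsAlgorithmAes elevated.
$EfsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# CALG_* identifiers as listed in the safeguard text
$AlgNames = @{ 0x6603 = '3DES'; 0x6604 = 'DESX'; 0x6610 = 'AES-256' }

function Get-EfsAlgorithmSetting {
    $id   = (Get-ItemProperty -Path $EfsKey  -Name AlgorithmID -ErrorAction SilentlyContinue).AlgorithmID
    $fips = (Get-ItemProperty -Path $FipsKey -Name Enabled     -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        AlgorithmID   = if ($null -ne $id) { '0x{0:X4}' -f $id } else { '(not set: OS default)' }
        AlgorithmName = if ($null -ne $id -and $AlgNames.ContainsKey([int]$id)) { $AlgNames[[int]$id] } else { 'default/unknown' }
        FipsPolicy    = [bool]$fips   # FIPS policy also switches IPSec, not only EFS
    }
}

function Set-EfsAlgorithmAes {
    # Pin EFS to AES-256 (0x6610) via the registry rather than the FIPS policy.
    # Only files encrypted from now on are affected; existing files keep their algorithm
    # until they are decrypted and encrypted again.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name AlgorithmID -Value 0x6610 -Type DWord
}

function Get-EfsFileAlgorithm {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c reports, among other things, the algorithm and key length actually used
    # for a given encrypted file, which is what tells you whether old files still use DESX.
    (& cipher.exe /c $Path) | Where-Object { $_ -match 'Algorithm|Key Length' }
}

Get-EfsAlgorithmSetting
```

Run Get-EfsFileAlgorithm against a file encrypted before the change to see why re-encryption is needed after switching the algorithm.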
All keys needed for encryption or decryption are held by Windows during use in an area of main memory that is never written to the swap file (page file). This is intended to ensure that the keys cannot be recovered by an unauthorised third party who obtains access to the swap file. Hibernation is a critical case here, because the entire main memory is written to the hibernation file, which then necessarily contains the key material as well. For this reason, Hibernation should not be used with EFS on Windows versions prior to Windows Vista and Windows Server 2008 (on later versions, the hibernation file is protected if the system volume is encrypted with BitLocker, see below). This is especially important for mobile systems. The hybrid Standby mode available in Windows Vista and higher should be avoided for the same reason: this sleep mode, developed for desktop systems, writes the memory contents to the hard disk before entering Standby, just like Hibernation. On clients running Windows Vista and higher and on servers running Windows Server 2008 and higher, the page file itself can be encrypted via the EFS policy: right-click Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System, select Properties from the menu that appears and enable page file encryption.
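The checks and settings from the paragraph above, as an added PowerShell example that is not part of the catalogue: it reports whether hibernation, hybrid sleep and an unencrypted page file expose key material, and turns the three off. The powercfg GUIDs are the Sleep subgroup and its "Allow hybrid sleep" setting as shown by powercfg /q; the function names are this example's own. Run it from an elevated shell, and note that EncryptPagingFile only takes effect after a reboot.

```powershell
# Added example: detect and remove the hibernation / hybrid-sleep / page-file exposure of EFS keys.
$SleepSubgroup = '238c9fa8-0aad-41ed-83f4-97be242c8f20'   # powercfg: Sleep subgroup
$HybridSleep   = '94ac6d29-73ce-41a6-809f-6363ba21b47e'   # powercfg: "Allow hybrid sleep"

function Get-PowercfgIndex {
    param([string]$Subgroup, [string]$Setting)
    # powercfg /q prints "Current AC Power Setting Index: 0x00000001" and a DC line
    $text = (& powercfg.exe /q SCHEME_CURRENT $Subgroup $Setting) -join "`n"
    $ac = if ($text -match 'AC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
    $dc = if ($text -match 'DC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
    [pscustomobject]@{ AC = $ac; DC = $dc }
}

function Get-EfsSleepExposure {
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib   = (Get-ItemProperty $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $page  = (& fsutil.exe behavior query EncryptPagingFile) -join ' '     # "EncryptPagingFile = 1"
    $hs    = Get-PowercfgIndex $SleepSubgroup $HybridSleep
    [pscustomobject]@{
        HibernateEnabled  = [bool]$hib
        HiberfilPresent   = Test-Path (Join-Path $env:SystemDrive 'hiberfil.sys')   # memory image on disk
        HybridSleepAC     = [bool]$hs.AC
        HybridSleepDC     = [bool]$hs.DC
        PagefileEncrypted = [bool]($page -match '=\s*1')
    }
}

function Disable-EfsSleepExposure {
    # Hibernation off (this also deletes hiberfil.sys), hybrid sleep off on mains and battery,
    # page file encrypted with EFS (effective after the next reboot).
    & powercfg.exe /hibernate off
    & powercfg.exe /setacvalueindex SCHEME_CURRENT $SleepSubgroup $HybridSleep 0
    & powercfg.exe /setdcvalueindex SCHEME_CURRENT $SleepSubgroup $HybridSleep 0
    & fsutil.exe behavior set EncryptPagingFile 1
}

Get-EfsSleepExposure
```

On Windows Vista and higher with BitLocker on the system volume, hibernation can stay enabled; the audit output then documents that hiberfil.sys sits on an encrypted volume rather than being absent.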
Every user can specify encryption for individual files or directories with EFS. The users should be trained in the correct use of EFS, and they should also be informed of the potential weaknesses of this type of encryption.
The use of EFS improves security in general. However, users should be aware that when an existing plain text file is encrypted, the plain text is not wiped from the disk: EFS works on a temporary copy during encryption and then deletes it, and deleted data remains in the freed clusters until they are overwritten. There is therefore a residual risk that the deleted plain text could be restored fully or in part. Restoring deleted files requires special software and access to the hard disk of the computer concerned. The free space of a volume can be overwritten with the cipher /w command to reduce this risk.
To ensure that the files encrypted using the EFS are not completely lost if the private key is lost, it is possible to encrypt the FEK again using the public key of the Recovery Agent. This makes it possible to decrypt the data when logged in to the user account of the recovery agent. In principle, any user account can be used as a recovery agent. In Windows 2000, the specification of a recovery agent is mandatory, but is not mandatory in Windows XP or higher versions. The default setting for the recovery agent user account in Windows 2000 is the administrator account.
The following should be considered when using EFS from a security perspective:
- The EFS is fully transparent to the user. In Windows 2000, a user does not notice any differences between encrypted and unencrypted files. For this reason, special care must be taken to ensure that sensitive files are also actually encrypted. In Windows XP / Server 2003 and higher versions, the encrypted files are displayed by default in the Windows Explorer in a different colour. This can be controlled in the Windows Explorer using the Show encrypted or compressed NTFS files in colour option under Tools | Folder Options | View or Organize | Folder and Search Options | View. In Windows Vista / Server 2008 and higher versions, the command path to be used depends on which view has been set in the Windows Explorer.
- By default, EFS-encrypted files are not included in the index of the Windows Search function. If encrypted files are nevertheless to be indexed for fast searching, the index itself must be protected by encryption, since sensitive data can otherwise be read from the index in plain text. EFS-encrypted files should therefore not be indexed for Windows Search.
- Because of its transparency to users, the protection obtained using EFS file encryption is only as strong as the password of the particular user account. If an unauthorised third party is able to log in to a user account successfully, then he has access to all encrypted files in this user account. For this reason, too, strong passwords should be used for each user account. Since Windows allows you to use your own password filters, you can use this mechanism to technically enforce the use of stronger passwords.
- EFS is a file encryption system, not a folder encryption system. A folder can nevertheless be marked for encryption, in which case all files in the folder, including files newly created there, are encrypted. It is, however, possible for unencrypted files to be stored or created in such a folder (see the next item). Encrypted files can also exist anywhere in the file tree and are not bound to folders marked for encryption.
- The encryption flag is a file attribute and is treated like all other file attributes: when a file is moved, its attributes remain unchanged, so a file moved into a folder marked for encryption is not automatically encrypted. Windows Explorer is set by default to encrypt moved files as well; this behaviour can be controlled using a group policy. It does not apply to moves performed from the Windows command line, though. Users must be informed that folders marked for encryption can therefore also contain unencrypted files.
- Although EFS is not a folder encryption tool, it is recommended to store encrypted files in special folders and to mark certain folders for encryption. This makes it easier to work with encrypted files.
- Encryption of a file does not provide any form of access control. In particular, encrypted files can be deleted by third parties when the file access rights permit this. Consequently, corresponding access right settings should be specified to control access to encrypted files.
- Centralised control of the use of EFS can be obtained using group policies, which are used to define the recovery agents, among other things.
- A recovery agent must always be defined in order to use EFS in Windows 2000. It is recommended to create a dedicated account that is used exclusively for this purpose. In particular, administrator accounts should not be used, so that the authorisations of administrators remain limited in this regard. Depending on the protection requirements determined, applying the two-person rule to such accounts should be considered, for example by splitting the password into two parts and giving each part to a different person.
- The encryption ban that Windows 2000 enforces by means of an empty recovery policy no longer works in Windows XP and higher versions. In Windows XP, encryption is prohibited by disabling the option Allow users to encrypt files using the Encrypting File System (EFS) in the properties of the policy under Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System. In Windows Vista / Server 2008 and higher versions, the use of EFS is configured under Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System by right-clicking and selecting Properties from the menu that appears.
- The use of a separate recovery agent does not offer complete protection against an administrator because an administrator is always able to reset the password of a user and could then log in subsequently as this user and access the user's encrypted files. This only applies to domain accounts in Windows XP, though. When the password of a local user account is reset in Windows XP, access to this account's encrypted files is blocked for everyone. Windows XP offers a new mechanism to avoid losing the encrypted data of a local user called the Password Reset Disk (PRD). According to Microsoft, it is not possible to create such a password reset diskette for a domain user account.
- The private key of the recovery agent should be deleted from the system after it has been exported to a storage medium. The storage medium must be kept in a secure location and should be accessed according to the two-person rule. It is recommended to create a separate backup copy of the key and store this copy in a safe place.
- When using EFS, all private keys must be secured. To do this, the backup mechanism must be configured to include the complete profile data on all computers, i.e. all directories below Documents and Settings\<user name> (Windows 2000 / XP) or Users\<user name> (Windows Vista and higher), which contain the user keys and certificates.
- If EFS is used without roaming profiles (user profiles stored on a server), the keys used to encrypt and decrypt the FEK are stored (in encrypted form) in each local profile, so a user has different keys on different computers. Here, too, it is important to back up all keys. In particular, encrypted data backed up to tape from one computer must not be restored to a different computer, because it cannot be decrypted there: the key it was encrypted with does not exist on that computer.
- Using a PKI to issue EFS certificates may make sense in a company or government agency. Using a PKI simplifies key management and key backup, especially when using user profiles stored on a server.
- In Windows XP, system files (files with the system attribute set) and compressed files cannot be encrypted. On Windows Vista / Server 2008 and higher with BitLocker drive encryption, the system files are protected while the system is turned off because the whole volume is encrypted. In Windows Vista / Server 2008 and higher, compressed files can also be encrypted; however, they are decompressed before encryption, since NTFS compression and EFS encryption cannot be combined on one file.
- The Windows start-up file autoexec.bat must be protected against encryption by denying users write access to it. Otherwise a user could encrypt it so that it can no longer be read at start-up, which amounts to a denial-of-service attack.
- When encrypted data is edited or printed after decryption using a program such as a text editor, temporary files are usually generated that contain the data in plain text form. Depending on the program, these temporary files may still exist even after closing the editor. This means that unauthorised third parties may be able to obtain access to these files depending on their storage location (TEMP directory or SPOOL area) and access authorisation rights of the files.
- To reach a higher level of security when handling files encrypted using EFS, consideration should be given to marking the directories typically containing temporary data (e.g. TEMP or SPOOL) for encryption as well. The amounts of data stored in these directories and which programs use these directories must be taken into account. When large amounts of data are accessed frequently, the use of encryption can lead to a loss in performance. Under certain circumstances, the encryption of the TEMP directory may cause problems during updates.
- In the Windows 2000 graphical user interface, EFS offers no way to encrypt a file so that several users can access it. In principle, EFS can encrypt a file for a whole list of users, but in Windows 2000 this requires a program written against the EFS programming interface (EFS API). With Windows XP, multi-user encryption became available in the graphical user interface. Note, however, that more than one user cannot be specified in the encryption options of a folder, and that a file cannot be encrypted for a Windows user group. In Windows XP you can therefore only encrypt individual files for several users, or all files in a folder for a single user. In Windows Vista / Server 2008 and higher versions, the certificates of other users can also be used for EFS encryption to give them access to the encrypted data.
- It is now possible in Windows XP and higher versions to encrypt offline files. The entire storage for offline files, which contains files from every user, is encrypted using a computer-specific key. Encryption is transparent to the users and can only be enabled and disabled by administrators. Encryption is enabled using the settings in the Windows Explorer or by defining the corresponding group policy in Computer Configuration | Administrative Templates | Network | Offline Files | Encrypt Offline File Cache.
- Data encrypted with EFS is encrypted and decrypted on the computer on which it is stored. In particular, this means that data stored in encrypted form on a server is transmitted over the network in plain text when a client accesses it via the SMB protocol. If, based on the protection requirements determined, the data must also be protected in transit, additional safeguards for the network communication are necessary, for example EFS over WebDAV (Web Distributed Authoring and Versioning), SSL or IPSec (see also S 5.90 Use of IPSec under Windows).
- Windows XP has introduced a new mechanism called WebDAV for working with files via web sharing. If EFS is used with WebDAV, then a locally encrypted file is transmitted in encrypted form to the server and then stored there. A file requested using WebDAV is also transmitted in encrypted form by the server and then decrypted locally. It is therefore possible to encrypt transmission over the network through the use of WebDAV.
- If the EFS is used for local user accounts, the registry must be encrypted with a password using the syskey command. This is the only way to protect local account passwords from being reset by "hacker tools".
- EFS is only an economical alternative to file encryption with other tools when it is used correctly. For example, EFS can be used on laptops to compensate for the lack of physical security so that data is protected against unauthorised access gained by circumventing the operating system protection mechanisms. However, the use of EFS is not necessarily appropriate in every case, which means that the decision whether or not to use EFS must be made based on the particular application.
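The items above on folders that are merely marked for encryption, on files moved in from the command line, and the earlier point on residual plain text are combined in the following added PowerShell example, which is not part of the catalogue. It lists files without the Encrypted attribute inside folders that carry it, encrypts them with the built-in cipher.exe, and overwrites the free space of the volume afterwards. The function names and the sample path are this example's own; run it as the user who owns the data.

```powershell
# Added example: audit encrypted folders for plain-text files, fix them, and scrub free space.
$EncAttr = [System.IO.FileAttributes]::Encrypted

function Find-PlaintextInEncryptedFolders {
    param([Parameter(Mandatory)][string]$Root)
    # All folders under $Root (including $Root itself) that carry the Encrypted attribute.
    # On a folder the attribute is only a marker: "new files created here get encrypted".
    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
    $encDirs = $dirs | Where-Object { ($_.Attributes -band $EncAttr) -eq $EncAttr }
    foreach ($dir in $encDirs) {
        # Files directly inside an encrypted folder that lack the attribute themselves,
        # e.g. moved there with "move" on the command line or written by a tool that
        # recreates files without inheriting the folder's encryption.
        Get-ChildItem -LiteralPath $dir.FullName -File -Force |
            Where-Object { ($_.Attributes -band $EncAttr) -ne $EncAttr } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $dir.FullName; File = $_.Name; Bytes = $_.Length }
            }
    }
}

function Repair-EncryptedFolder {
    param([Parameter(Mandatory)][string]$Root)
    # /e encrypt, /s: recurse into subfolders, /a apply to files as well as folders,
    # /i continue after errors (e.g. files with the system attribute, which EFS refuses).
    & cipher.exe /e /s:"$Root" /a /i
}

function Clear-DeletedPlaintext {
    param([Parameter(Mandatory)][string]$VolumeRoot)   # e.g. 'C:\'
    # cipher /w overwrites all free space on the volume holding the given folder. It cannot
    # reach slack space inside still-allocated files, and it takes a long time on large volumes.
    & cipher.exe /w:"$VolumeRoot"
}

# Sample run against an assumed folder; the audit listing is what a reviewer wants to see first.
$secret = Join-Path $env:USERPROFILE 'Documents\Secret'
if (Test-Path -LiteralPath $secret) {
    Find-PlaintextInEncryptedFolders -Root $secret | Format-Table -AutoSize
}
```

Run the audit first and keep its output; only then call Repair-EncryptedFolder and, when the plain-text files were sensitive, Clear-DeletedPlaintext on the volume.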
In Windows Vista / Server 2008 and higher, BitLocker drive encryption can be used as an alternative or as a supplement to EFS (see S 4.337 Use of BitLocker drive encryption). This applies in particular to mobile computers (see S 2.442 Use of Windows Vista and Windows 7 on mobile systems).
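Recovery-agent key handling (creation, backup, removal of the private key from the system) and sharing an encrypted file with a second user, as discussed in the items above, are shown in the following added PowerShell example, which is not part of the catalogue. It uses the built-in cipher.exe and the PowerShell PKI module; Export-PfxCertificate requires Windows 8 / Server 2012 or later, and the EKU object identifiers are the Microsoft-defined ones for EFS (1.3.6.1.4.1.311.10.3.4) and File Recovery (1.3.6.1.4.1.311.10.3.4.1). Paths and function names are this example's own.

```powershell
# Added example: recovery-agent key lifecycle and per-file sharing with cipher.exe.
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System (user certificate)
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (recovery agent certificate)

function New-EfsRecoveryAgentKey {
    param([Parameter(Mandatory)][string]$OutBase)   # e.g. 'E:\efs-dra\EFSRA' on removable media
    # cipher /r writes <base>.cer (public part, to be imported into the EFS policy as recovery
    # agent) and <base>.pfx (private key; cipher prompts for a PFX password). Run this from the
    # dedicated recovery-agent account, never from an administrator account.
    & cipher.exe /r:"$OutBase"
    Get-Item -LiteralPath "$OutBase.cer", "$OutBase.pfx"
}

function Backup-EfsUserKey {
    param([Parameter(Mandatory)][string]$OutFile,
          [Parameter(Mandatory)][securestring]$Password)
    # Export the calling user's EFS certificate(s) together with the private key.
    # The PFX belongs on a medium that is stored separately from the computer.
    $certs = Get-ChildItem Cert:\CurrentUser\My |
             Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
    if (-not $certs) { throw 'No EFS certificate with private key found in the user store' }
    $certs | Export-PfxCertificate -FilePath $OutFile -Password $Password
}

function Remove-EfsRecoveryAgentKey {
    # Once the recovery agent's private key has been exported and locked away, remove it from
    # the system. The policy only needs the public certificate (.cer) to keep working.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $RecoveryEku } |
        Remove-Item
}

function Grant-EfsAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$CertFile)
    # Add a second user via their exported public EFS certificate (.cer). Access is granted
    # per file, not per folder or group, which is the limitation described above.
    & cipher.exe /adduser /certfile:"$CertFile" "$Path"
}

function Get-EfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists the user certificates and recovery certificates that can decrypt the file;
    # use it to verify that the recovery agent actually appears on sensitive files.
    & cipher.exe /c "$Path"
}

# Assumed sample usage from the recovery-agent account:
# New-EfsRecoveryAgentKey -OutBase 'E:\efs-dra\EFSRA'
# Remove-EfsRecoveryAgentKey
# Get-EfsAccess -Path "$env:USERPROFILE\Documents\Secret\plan.docx"
```

Files encrypted before a recovery agent was added to the policy do not carry its certificate; running cipher /u on those folders updates them with the current user key and recovery agent.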
Review questions:
- Were the Hibernation mode and the hybrid Standby mode deactivated when using EFS and using Windows versions prior to Windows Vista and Windows Server 2008?
- Are strong passwords enforced for the Windows user accounts?
- Are files encrypted with EFS also protected by restrictive access rights?
- Has a dedicated account been created for the recovery agent and its private key backed up and then deleted from the system?
- Are data backups of all private keys available?
- Is the registry encrypted with a password using the syskey tool if EFS is used with local accounts?
- Is the Windows boot file autoexec.bat prevented from being encrypted?
- Have all Windows users been trained in the correct use of EFS?