This site is dedicated to an ongoing project to produce shared knowledge of Active Directory and its many services.

Saturday, July 15, 2006

Encrypting File System Tools and Settings

Implementing EFS

SecurityFocus: "You can implement EFS on systems running Windows 2000 and Windows XP
Professional Edition. Windows 95/98, Windows Millennium Edition, and Windows
XP Home Edition do not support EFS.

Before implementing EFS to protect your corporate data, you need to create a
recovery key. Make sure you keep a backup copy of the Encrypted Recovery
Agent (ERA); this is your insurance policy to decrypt files throughout your
domain.

Stand-alone workstations generate their own public key certificate that you
can use for EFS. However, in a domain environment, you'll need to create an
ERA before enabling EFS. After creating the ERA, back it up to a media
format that you can protect under lock and key.

To create an ERA, follow these steps:

1. Go to Start > Programs > Administrative Tools > Active Directory Users And
   Computers. (If you have a stand-alone system, go to Start > Control Panel >
   Administrative Tools > Local Security Policy, and skip to Step 4.)
2. Right-click your domain, and select Properties.
3. On the Group Policy tab, select the Default Domain Policy, and click the
   Edit button.
4. Go to Computer Settings > Security Settings > Public Key Policies >
   Encrypted Data Recovery Agents.
5. Right-click the policy, and select New Encrypted Recovery Agent.
6. Use the wizard to add the recovery agent certificates to the policy.
7. After creating the certificate, right-click the certificate, select Export,
   and use the Certificate Export Wizard to export your certificate to some
   other physically securable media (e.g., CD, floppy, etc.).

After the policy refreshes, all users on your domain will be able to safely
encrypt the contents of their files or folders."
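Two parts of the procedure above can be done and, more importantly, verified from the command line. The following is an added example and is not part of the SecurityFocus text: the first function generates the recovery agent certificate and key pair that the "New Encrypted Recovery Agent" wizard imports (with `cipher /r`), and the second encrypts a scratch file after the policy has refreshed and reads the file's recovery agents back with `cipher /c`, so that you confirm the recovery agent really is being stamped onto new files rather than assuming it from the GUI. It assumes an elevated PowerShell session on a build whose `cipher.exe` supports `/r` and `/c` (Windows Vista / Server 2008 and later), that `cipher /c` prints a `Recovery Certificates:` section with `Certificate thumbprint:` lines (check this against your build), and the file paths shown are hypothetical.

```powershell
# Added example; not part of the SecurityFocus text quoted above.
# Assumptions: elevated PowerShell on a build whose cipher.exe supports /r and
# /c (Vista / Server 2008 and later); all paths below are hypothetical.

function New-EfsRecoveryAgentKey {
    <# Generates the recovery agent key pair the "New Encrypted Recovery Agent"
       wizard needs.  cipher /r writes <KeyName>.cer (public certificate, the
       file you add to the policy) and <KeyName>.pfx (certificate plus private
       key).  It prompts for a password that protects the .pfx; move the .pfx
       to offline media and delete it from this disk afterwards. #>
    param([Parameter(Mandatory)][string]$KeyName)   # e.g. C:\ERA\corp-efs-dra (hypothetical)

    $dir = Split-Path -Parent $KeyName
    if ($dir) { New-Item -ItemType Directory -Force -Path $dir | Out-Null }

    & cipher.exe "/r:$KeyName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

    # Read the thumbprint back so Test-EfsRecoveryAgent can look for it later.
    $cer  = Get-Item "$KeyName.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer.FullName
    [pscustomobject]@{
        CertificateFile = $cer.FullName
        PrivateKeyFile  = "$KeyName.pfx"
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
    }
}

function Test-EfsRecoveryAgent {
    <# Encrypts a scratch file and reads its recovery agents back with
       cipher /c.  Parsing assumes cipher /c prints a "Recovery Certificates:"
       section containing "Certificate thumbprint:" lines. #>
    param(
        [string]$ExpectedThumbprint,
        [string]$TestFile = (Join-Path $env:TEMP 'efs-dra-check.txt')
    )

    Set-Content -Path $TestFile -Value 'EFS recovery agent check'
    try {
        & cipher.exe /e $TestFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "cipher /e failed; EFS may be disabled by policy" }

        $attrs = (Get-Item $TestFile).Attributes
        if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) { throw "file was not encrypted" }

        $text    = (& cipher.exe /c $TestFile) | Out-String
        $section = [regex]::Match($text, '(?s)Recovery Certificates:(.*?)(?:Key Information:|\z)').Groups[1].Value
        # Thumbprints are printed as spaced hex groups; normalise before comparing.
        $found = @([regex]::Matches($section, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
            ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() })

        $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
        [pscustomobject]@{
            File                = $TestFile
            RecoveryThumbprints = $found
            HasExpectedAgent    = ($expected -ne '' -and $found -contains $expected)
        }
    }
    finally {
        Remove-Item $TestFile -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
#   $era = New-EfsRecoveryAgentKey -KeyName 'C:\ERA\corp-efs-dra'
#   ... import $era.CertificateFile with the policy wizard, let policy refresh ...
#   Test-EfsRecoveryAgent -ExpectedThumbprint $era.Thumbprint
```

One caveat worth checking with this: a recovery agent is written into a file's metadata when the file is encrypted or next touched, so files encrypted before the policy arrived do not carry the new agent. Running `cipher /u` on the affected machines re-stamps existing encrypted files with the current user and recovery keys.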

Wednesday, July 12, 2006

Use GPUPDATE to refresh domain policy

gpupdate (Windows XP / Server 2003 and later; Windows 2000 uses secedit /refreshpolicy instead) forces a Group Policy refresh on the computer it is run on, pulling both local and domain-linked GPOs without waiting for the normal background refresh interval.

The syntax is the following:

GPUpdate [/Target:{Computer | User}] [/Force] [/Wait:{value}] [/Logoff] [/Boot] [/Sync]

Parameters:

  • /Target:{Computer | User} Specifies that only User or only Computer policy settings are refreshed. By default, both User and Computer policy settings are refreshed.
  • /Force Reapplies all policy settings. By default, only policy settings that have changed are applied.
  • /Wait:{value} Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value '0' means not to wait. The value '-1' means to wait indefinitely. When the time limit is exceeded, the command prompt returns, but policy processing continues.
  • /Logoff Causes a logoff after the Group Policy settings have been refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff.
  • /Boot Causes a reboot after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but do process policy at computer startup. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a reboot.
  • /Sync Causes the next foreground policy application to be done synchronously. Foreground policy applications occur at computer boot and user logon. You can specify this for the user, computer or both using the /Target parameter. The /Force and /Wait parameters will be ignored if specified.
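A forced refresh is only useful if you know it completed. The following is an added example, not from the original post: it wraps gpupdate with /Force and /Wait, then confirms the outcome from the Group Policy service's own events instead of trusting the console text or the exit code alone, and reports whether new settings were actually applied. It assumes an elevated PowerShell session on Windows Vista / Server 2008 or later, where the Group Policy service logs to the System log under provider Microsoft-Windows-GroupPolicy with IDs 1500/1502 (computer policy processed, without/with changes) and 1501/1503 (the same for user policy); verify those IDs against your build. The remote variant in the usage note relies on the Invoke-GPUpdate cmdlet from the GroupPolicy module (Server 2012 / RSAT).

```powershell
# Added example; not part of the original post.
# Assumptions: elevated PowerShell on Windows Vista / Server 2008 or later;
# Group Policy results are logged to the System log under provider
# Microsoft-Windows-GroupPolicy (IDs 1500/1502 computer success, 1501/1503
# user success; confirm against your build).

function Invoke-PolicyRefresh {
    param(
        [ValidateSet('Computer', 'User')]
        [string]$Target = 'Computer',   # /target:user refreshes the policy of the account running this
        [int]$WaitSeconds = 120
    )

    $started = Get-Date

    # /force reapplies every setting rather than only changed ones; /wait bounds
    # how long the call blocks.  Exit code 0 only says gpupdate returned cleanly,
    # so the event log is consulted as well.
    $console = & gpupdate.exe "/target:$Target" /force "/wait:$WaitSeconds" 2>&1
    $exit = $LASTEXITCODE

    $successIds = if ($Target -eq 'Computer') { 1500, 1502 } else { 1501, 1503 }

    # Events written since we started; no matching events yields an empty
    # array rather than an error because of -ErrorAction SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        StartTime    = $started
    } -ErrorAction SilentlyContinue)

    $success = @($events | Where-Object { $successIds -contains $_.Id })
    $failed  = @($events | Where-Object { $_.Level -le 2 })   # 1 = Critical, 2 = Error
    $changed = @($success | Where-Object { 1502, 1503 -contains $_.Id })

    [pscustomobject]@{
        Target          = $Target
        ExitCode        = $exit
        Succeeded       = ($exit -eq 0 -and $success.Count -gt 0 -and $failed.Count -eq 0)
        AppliedChanges  = ($changed.Count -gt 0)
        FailureEventIds = @($failed | ForEach-Object { $_.Id })
        ConsoleOutput   = ($console | Out-String).Trim()
    }
}

# Usage:
#   Invoke-PolicyRefresh -Target Computer -WaitSeconds 120
#
# To push the same refresh to a remote machine from a Server 2012 / RSAT host
# with the GroupPolicy module loaded:
#   Invoke-GPUpdate -Computer 'ws01.corp.example' -Target Computer -Force -RandomDelayInMinutes 0
```

Extensions that only run at logon or startup (software installation, folder redirection) still need /Logoff or /Boot, or a later foreground refresh, to take effect; a Succeeded result here means the refresh completed, not that those extensions have applied.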