NTFS Data Encryption
The NTFS file system for Windows Server 2003 also supports data encryption.
Just as with NTFS data compression, you set data encryption as an advanced attribute for a file or folder. Microsoft designed the Encrypting File System (EFS) to ensure the confidentiality of sensitive data. EFS employs public key/private key cryptography.
EFS works only with the NTFS5 file system under Windows Server 2003, Windows XP and Windows 2000. EFS encryption and decryption are transparent to users. You can either compress or encrypt files and folders, but you can't use both compression and encryption on the same file or folder.
Folders that are encrypted using EFS set the encryption attribute on files that are moved or copied into them, so those files automatically become encrypted once they reside in that folder. Files that are encrypted using EFS remain encrypted even if you move or rename them. Encrypted files that you back up or copy also retain their encryption attributes as long as they reside on NTFS volumes.
EFS leaves no file remnants behind when it modifies an encrypted file, nor does it leave traces of decrypted data from encrypted files in temporary files or in the Windows Server 2003 paging file. You can encrypt and decrypt files and folders from the graphical user interface (GUI) by using Windows Explorer and My Computer, as well as from the command line by using the cipher.exe tool.
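The following PowerShell session is an added example, not part of the original text, that exercises the behaviour described above with cipher.exe and the .NET FileAttributes flags: marking a folder as encrypted, confirming that a new file inside it inherits the attribute, confirming that a move within the same volume keeps it, listing the encryption state with cipher, and decrypting again. It assumes an NTFS volume, a logged-on user who holds (or can auto-enrol) an EFS certificate, and a scratch folder under $env:TEMP; the folder and file names are constructed for the demonstration.

```powershell
# Added example (not from the original text): drive EFS from PowerShell with cipher.exe.
# Assumes an NTFS volume and a user with an EFS certificate. $base is a constructed path.
$base = Join-Path $env:TEMP "efs-demo"
New-Item -ItemType Directory -Path $base -Force | Out-Null

function Test-Encrypted {
    param([string]$Path)
    # The Encrypted attribute bit is what Explorer renders in green.
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Mark the folder as encrypted. Without /S only the folder attribute changes;
#    files created in it afterwards inherit the attribute automatically.
cipher /E "$base" | Out-Null
"folder encrypted:           $(Test-Encrypted $base)"

# 2. A file written into the encrypted folder is encrypted on creation.
$file = Join-Path $base "secret.txt"
Set-Content -LiteralPath $file -Value "constructed sample content"
"new file encrypted:         $(Test-Encrypted $file)"

# 3. A move (or rename) within the same NTFS volume keeps the attribute,
#    even though the destination folder is not itself encrypted.
$moved = Join-Path $env:TEMP "efs-demo-moved.txt"
Move-Item -LiteralPath $moved -ErrorAction SilentlyContinue -Destination $moved 2>$null
Move-Item -LiteralPath $file -Destination $moved
"moved file still encrypted: $(Test-Encrypted $moved)"

# 4. cipher with a path lists the state of matching entries: E = encrypted, U = not.
cipher "$moved"
cipher "$base\*"

# 5. Decrypt the folder tree and the moved file; /S:dir recurses from the folder.
cipher /D "/S:$base" | Out-Null
cipher /D "$moved"   | Out-Null
"after decrypt, file encrypted: $(Test-Encrypted $moved)"

# Clean up the scratch objects.
Remove-Item -LiteralPath $moved -Force
Remove-Item -LiteralPath $base  -Recurse -Force
```

Run it from an elevated or ordinary user session on the NTFS volume that holds the profile; the first encryption of a file by a user with no EFS certificate triggers self-signed certificate enrolment, so the first "new file encrypted" line may take a moment to appear. The checks use the attribute bit rather than the green colour because the colour can be switched off in Folder Options.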
Encrypted folders and files appear in green in My Computer and Windows Explorer. You can turn off this default color distinction by clicking Tools > Folder Options > View in My Computer or Windows Explorer.
After a file has the encryption attribute, only the user who originally encrypted the file, a user who has been granted shared access to the encrypted file, or the designated Data Recovery Agent (DRA) who was the DRA at the time the file was encrypted may access it. DRAs are users who are designated as recovery agents for encrypted files. Only these users have the ability to decrypt any encrypted file regardless of who has encrypted it.
DRAs do not need to be granted shared access to encrypted files; they have access by default. Any other users who attempt to access an encrypted file receive an Access Is Denied message. However, a user with the necessary NTFS access permissions can still move encrypted files within the same drive volume or delete them entirely; therefore, the enforcement of proper NTFS permissions remains extremely important for encrypted files. The default DRAs are as follows:
- The local administrator user account on Windows 2000 nondomain member (standalone) computers. Standalone Windows XP and standalone Windows Server 2003 computers have no DRAs by default.
- The domain administrator user account on Windows Server 2003 or Windows 2000 Server domain controllers and for Windows Server 2003, Windows XP, and Windows 2000 domain member computers.
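Because standalone Windows XP and Windows Server 2003 computers have no DRA by default, an administrator who wants one must create a recovery agent certificate and key. The following PowerShell commands are an added example, not part of the original text; they use the cipher /R switch, which exists on these systems, and the file-name stem is a constructed placeholder.

```powershell
# Added example (not from the original text): create a Data Recovery Agent
# certificate and key pair on a standalone machine with cipher /R.
# $stem is a constructed placeholder; cipher writes <stem>.cer and <stem>.pfx.
$stem = Join-Path $env:USERPROFILE "efs-recovery-agent"

# cipher /R prompts for a password that protects the private key in the .pfx file.
cipher "/R:$stem"

# Show what was produced: the .cer holds the public certificate that gets added
# as the DRA in local security policy; the .pfx holds the private key and is the
# only thing that can decrypt files once the policy is in force.
Get-ChildItem -LiteralPath $env:USERPROFILE -Filter "efs-recovery-agent.*" |
    ForEach-Object { "{0,-28} {1,8} bytes" -f $_.Name, $_.Length }
```

The .cer file is then added under Local Security Settings > Public Key Policies > Encrypting File System > Add Data Recovery Agent. Only files encrypted after the policy takes effect carry the new DRA; files encrypted earlier pick it up the next time they are rewritten (cipher /U updates them in bulk). The .pfx file should be removed from the machine and kept offline, since it decrypts every file that lists this DRA.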