Help Secure your Business Information using Encrypting File System

[Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]

Every day, your users work with information that is valuable to your business. However, this same information—including your customer databases, product price lists, and financial information—is constantly at risk of discovery. You see the reports in the papers nearly every day: laptops are stolen, removable hard drives are sent to the wrong recipient. Savvy businesses realize they need help to secure their business information and protect it from inadvertent or deliberate disclosure.

That’s why Microsoft created Encrypting File System (EFS), a tool for encrypting files and folders on servers and client computers. EFS helps secure confidential information that should not be disclosed without authorization, whether it resides on remote servers, on portable computers such as laptops or netbooks, or on computers that are shared by multiple workers at a business. With EFS, you can protect your business’s information in case someone gains physical possession of the computer that the files reside on. Even people who are authorized to log on to the computer and browse its file system, including local administrators, can’t read files they hold no key for. Encryption and decryption are transparent: files are stored encrypted on disk and are decrypted on the fly when an authorized user opens them. If you change your mind about encrypting a file, clear the Encrypt contents to secure data check box in the file’s properties.

EFS is an integral part of the NTFS file system and is transparent to your users and applications; you don’t need to install any special software to work with encrypted files, but files can only be encrypted on NTFS volumes, not on FAT or FAT32. It’s available on Windows Small Business Server (Windows SBS) 2008 and the Windows 7 Professional, Enterprise, and Ultimate operating systems, including both 32-bit and 64-bit platforms.

How EFS works

EFS helps secure the information in your folders and files by generating a random symmetric file encryption key (FEK) for each file and protecting that key with the public key from the user’s EFS certificate; the matching private key lives in the user’s profile and is itself protected with material derived from the user’s logon credentials. A second copy of the FEK is protected with the public key of each recovery agent defined in policy. When you first apply EFS to a folder, any files that are created in that folder or copied into it are encrypted, and only you and the recovery agent hold keys that can decrypt them. Files moved into the folder with Windows Explorer are encrypted as well; a plain move on the same volume from the command line keeps the file’s existing attribute, so check the result rather than assume it. You can give other users access to individual files in this folder. However, users can only be added to the access list individually; it is not possible to grant an entire group access to a file. Also, although you can give users access to individual files, it is not possible to give users access to an entire folder, so a file created in the folder later is not shared automatically.

After a folder is marked for encryption, it isn’t necessary to manually mark the files in it for encryption. When you move or copy a file out of the encrypted folder, what happens depends on the destination: on another NTFS location the file stays encrypted, but on a non-NTFS destination such as a FAT-formatted USB drive the file is written in plaintext (and only if you hold a key that can decrypt it). The best practice is to keep a file in its encrypted folder until the file is no longer needed.

If a person or program doesn’t hold a key that can unlock the encrypted file or folder, an “Access Denied” error is returned. EFS has no back door, but the protection is only as strong as the credentials that guard the user’s private key: anybody who can obtain the user ID and password can log on as that user and decrypt that user’s files. The reverse case matters too: if an administrator resets the password of a local (non-domain) account, rather than the user changing it, the material protecting that account’s EFS private key goes with the old password and the user can no longer open their own files. Domain accounts back that material up to the domain controller and are not affected, which is one more reason to define a recovery agent.
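As an added example (not part of the original post), the following PowerShell function shows the key model described above from the command line: it reads the Encrypted attribute and parses the output of cipher.exe /c, which lists every account whose key can unwrap the file’s FEK (the user entries) and every recovery agent whose key can (the recovery entries). The section headings it matches (“Users who can decrypt:”, “Recovery Certificates:”, “Key Information:”) are those printed by the Windows 7 / Windows Server 2008 cipher.exe; the sample path in the usage line is an assumption.

```powershell
# Added example, not from the original post: list who can decrypt an EFS file.
# Assumes the output headings of cipher.exe on Windows 7 / Server 2008.
function Get-EfsFileInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item    = Get-Item -LiteralPath $Path -ErrorAction Stop
    $encFlag = [System.IO.FileAttributes]::Encrypted
    $encrypted = ($item.Attributes -band $encFlag) -eq $encFlag

    # Accounts holding a wrapped copy of the file's key: normal users and
    # recovery agents. Each entry is the account line plus its thumbprint.
    $holders   = @{ Users = @(); RecoveryAgents = @() }
    $algorithm = $null

    if ($encrypted) {
        $section = $null
        foreach ($line in (& cipher.exe /c $item.FullName)) {
            $t = $line.Trim()
            if     ($t -match '^Users who can decrypt:') { $section = 'Users' }
            elseif ($t -match '^Recovery Certificates:') { $section = 'RecoveryAgents' }
            elseif ($t -match '^Key Information:')       { $section = 'Key' }
            elseif ($t -match '^Algorithm:\s*(\S+)') {
                if ($section -eq 'Key') { $algorithm = $Matches[1] }
            }
            elseif ($t -match '^Certificate thumbprint:\s*(.+)$') {
                # The thumbprint line belongs to the account line just above it.
                if ($section -and $holders.ContainsKey($section) -and $holders[$section].Count -gt 0) {
                    $clean = $Matches[1] -replace '\s', ''
                    $holders[$section][-1] = $holders[$section][-1] + " thumbprint=$clean"
                }
            }
            elseif ($t -ne '' -and $section -and $holders.ContainsKey($section)) {
                $holders[$section] += $t
            }
        }
    }

    New-Object PSObject -Property @{
        Path           = $item.FullName
        Encrypted      = $encrypted
        Algorithm      = $algorithm
        Users          = $holders.Users
        RecoveryAgents = $holders.RecoveryAgents
    }
}

# Usage (path is an assumption):
# Get-EfsFileInfo 'C:\Users\jdoe\Documents\pricelist.xlsx' | Format-List
```

A file whose RecoveryAgents list is empty can be opened only by the users shown; that is exactly the situation the recovery-agent section below is meant to prevent, and it is also how you find files encrypted before a recovery agent was added to policy.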

Encrypting File System Best Practices

Because the user’s logon password is what ultimately guards the EFS private key, it’s critical to enforce a strong password policy. It’s also a best practice to export and back up the recovery agent certificate and private key for your domain and keep them in a safe place, so that files can still be recovered if a user’s key is damaged or lost. If you don’t take these precautions, you can permanently lose the information in encrypted files and folders. We cover recovery keys in the next section of this post.

When encrypting removable media (which must be formatted with NTFS, since EFS does not work on FAT or FAT32), keep in mind that the encrypted files will only be readable on computers that hold the certificate and private key of a user listed on the file (or the recovery agent’s private key). This means that if you are working on an encrypted file at work, and you bring it home to finish up on your home computer, you will only be able to open the file if your EFS certificate and private key have been exported from your work computer and imported on your home computer.

Similarly, take great care when you enable EFS on a SharePoint site. Any user who has access to a SharePoint site can encrypt any file on that site, but once that file is encrypted, only users listed on that file (or the recovery agent) will be able to open it.

For more information on EFS Best Practices, read this TechNet article*:

Using Encrypting File System

As previously mentioned, it is essential to back up the recovery agent certificate and private key (and, for individual users, their EFS certificates) before you use EFS to encrypt anything on your computer or the server. Once you have backed up these certificates, you can encrypt folders and files either directly or by using Group Policy.

Creating and Backing Up the Domain-Based Recovery Key

The first step in backing up user certificates and recovery keys is to create a domain-based data recovery agent (DRA). A recovery agent is only useful if its private key exists somewhere other than the computer whose files you need to recover: if the only recovery agent is a local account on the machine itself, then when that machine is lost or stolen the recovery key is lost with it and the domain administrator will not be able to open the encrypted files. Instead, set the domain administrator as the recovery agent through Group Policy, so that every file encrypted on a computer in scope carries the domain agent’s recovery field, and keep an exported copy of that agent’s private key offline.

To create a domain-based recovery agent:

  1. Log on to the Windows SBS 2008 server.
  2. Click Start > Administrative Tools > Group Policy Management.
  3. Right-click the GPO that contains the EFS policy, and then click Edit.
  4. In the console tree (on the left), navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and then right-click Encrypting File System.


  5. Click Create Data Recovery Agent to make the currently logged on user a Recovery Agent. The new Recovery Agent certificate appears in the right-hand pane.

To add additional recovery agents, right-click the Encrypting File System node, and then click Add Data Recovery Agent. This will open the Add Recovery Agent Wizard.

Once you have set the domain recovery agent, you should back up the certificate. To export the domain EFS recovery agent’s private key:

  1. Log on to the Windows SBS 2008 server.
  2. Click Start > Administrative Tools > Group Policy Management.
  3. Right-click the GPO that contains the EFS policy, and then click Edit.
  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.


  5. Right-click the certificate you want to export.
  6. Point to All Tasks, and then click Export. The Certificate Export Wizard starts.
  7. Click Next.
  8. Click Yes, export the private key, and then click Next.
  9. Click Personal Information Exchange – PKCS #12 (.PFX).  

    Note: We strongly recommend that you select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access. If you select the Delete the private key if the export is successful check box, the private key is removed from the domain controller once the export completes. As a best practice, we recommend that you use this option, but only after you have confirmed that the exported .pfx file can be imported with its password (for example, on a test machine), because after the deletion the .pfx is the only copy of the key. Install the recovery agent’s private key only in situations when you need it to recover files. In all other situations, export and then store the recovery agent’s private key offline to help maintain its security.

  10. Click Next.
  11. Specify (and confirm) a password, and then click Next.
  12. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

    Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

  13. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Now that you have set the domain recovery agent and backed up the certificate, you can begin to use EFS to help protect files and folders from unauthorized access. The following sections provide instructions on enabling EFS by selecting specific folders and files and by using group policy.
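The same recovery agent can be created and backed up from the command line, which has the advantage that the private key never enters any certificate store on the server. This is an added example, not from the original post: it uses cipher.exe /r to write a certificate (.cer) and a password-protected key file (.pfx), checks that the certificate carries the File Recovery purpose, and records a SHA-256 hash of the .pfx for the offline copy. The drive letter, file names and domain are assumptions; the .cer is what you then add through Add Data Recovery Agent in the GPO, exactly as in the steps above.

```powershell
# Added example, not from the original post: generate an EFS recovery agent
# certificate and key offline with cipher.exe /r, and keep the key off the server.
# E:\ is assumed to be removable media that goes into the safe afterwards.
$base = 'E:\efs-dra\contoso-efs-dra'
New-Item -ItemType Directory -Path (Split-Path $base) -Force | Out-Null

# Prompts for a password and writes $base.cer (public certificate) and
# $base.pfx (certificate + private key). No key is left in any store.
& cipher.exe "/r:$base"

# Confirm the certificate is a File Recovery certificate before publishing it.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$base.cer"
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # szOID_EFS_RECOVERY
$ekuOids = $cer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if (-not (@($ekuOids) -contains $efsRecoveryOid)) {
    throw "$base.cer does not carry the File Recovery purpose"
}
"Recovery certificate: $($cer.Subject), thumbprint $($cer.Thumbprint), valid until $($cer.NotAfter)"

# Record a hash of the .pfx so the offline copy can be checked for tampering later.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead("$base.pfx")
try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
"$hash  $(Split-Path -Leaf "$base.pfx")" | Set-Content -Path "$base.pfx.sha256"

# Next: add $base.cer via Add Data Recovery Agent in the GPO (Browse Folders),
# then on each client make already-encrypted files pick up the new agent:
#   cipher.exe /u /n   lists the files that would be updated, changes nothing
#   cipher.exe /u      rewrites the recovery field on every encrypted file
```

The cipher /u step is the part people forget: a recovery agent added to policy is only written into files that are encrypted (or touched by cipher /u) after the policy reached the client, so files encrypted earlier remain recoverable only with the agent that was in policy at that time.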

Encrypting Specific Folders and Files in Windows SBS 2008 or Windows 7 Professional

In Windows SBS 2008, there are two ways you can use EFS to help protect business information. The first is the easier one to implement: select the specific folders or files on your server that you want to encrypt. These steps are the same for encrypting folders or files in Windows 7 Professional. Follow these steps to select specific folders or files:

  1. Start Windows Explorer.
  2. Right-click the folder or file you want to protect, and then click Properties.
  3. On the General tab, click Advanced, select the Encrypt contents to secure data check box, and then click OK.
  4. Click OK to close the Properties dialog box. For a folder, choose Apply changes to this folder, subfolders and files when prompted so that the files already in it are encrypted too. Your folder or file is now encrypted, and Windows Explorer shows its name in green.


This method helps secure your information in cases where unauthorized users attempt to access the files from within your business, or for when the server or its hard drives are removed from your business.

To allow another user to open (and so decrypt) a file you encrypted:

  1. Open Windows Explorer.
  2. Right-click the encrypted file that you want to change, and then click Properties.
  3. On the General tab, click Advanced.
  4. In Advanced Attributes, click Details.
  5. To add a user to this file, click Add, and then do one of the following:
     - To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
     - To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
     - To add a user from Active Directory, click Find User, locate the user in the list, and then click OK. (This requires the user’s EFS certificate to have been published to Active Directory.)
  6. To remove a user from this file, click the user name and then click Remove.

Note: When a user is added to a file and the user’s EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.
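Both procedures above (encrypting a folder and sharing a file with a second user) can also be done with cipher.exe, which is useful when you have many files and also makes the per-file limitation visible. This is an added example, not from the original post; the paths and the colleague’s name are assumptions. It assumes the colleague has already encrypted at least one file on their own computer (which is what creates their EFS certificate) and exports that certificate without its private key, which is what the first function does.

```powershell
# Added example, not from the original post. Paths and account names are assumptions.

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
}

# Step 0 (run by the colleague, on their own computer): export their EFS
# certificate, public part only, so the owner can attach it to files.
function Export-MyEfsCertificate {
    param([Parameter(Mandatory = $true)][string]$OutFile)
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # szOID_EFS_CRYPTO, the "Encrypting File System" purpose
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (@(Get-CertEkuOids $_) -contains $efsOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate yet: encrypt any file once to create one' }
    $public = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert   # no private key
    [System.IO.File]::WriteAllBytes($OutFile, $cert.Export($public))
    $cert.Thumbprint
}

# Step 1: encrypt a folder and everything already in it (/a includes files,
# /s recurses); the folder attribute makes future files encrypted too.
function Protect-EfsFolder {
    param([Parameter(Mandatory = $true)][string]$Path)
    & cipher.exe /e /a "/s:$Path" | Out-Null
    $flag = [System.IO.FileAttributes]::Encrypted
    ((Get-Item -LiteralPath $Path).Attributes -band $flag) -eq $flag
}

# Step 2: give a colleague access. EFS shares per file, never per folder or
# group, so for a folder this loops over the files that exist now; a file
# created tomorrow will not include the colleague until this is run again.
function Grant-EfsFileAccess {
    param([Parameter(Mandatory = $true)][string]$Path,
          [Parameter(Mandatory = $true)][string]$CertFile)
    $files = if (Test-Path -LiteralPath $Path -PathType Container) {
        Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    } else { Get-Item -LiteralPath $Path }
    foreach ($f in $files) { & cipher.exe /adduser "/certfile:$CertFile" $f.FullName | Out-Null }
    @($files).Count
}

# Step 3: take access away again by certificate thumbprint (SHA-1, as shown by cipher /c).
function Revoke-EfsFileAccess {
    param([Parameter(Mandatory = $true)][string]$Path,
          [Parameter(Mandatory = $true)][string]$Thumbprint)
    & cipher.exe /removeuser "/certhash:$Thumbprint" $Path
}

# Usage on the owner's computer (assumed paths):
# Protect-EfsFolder 'C:\Projects\Pricing'                              # True when the folder is marked
# Grant-EfsFileAccess 'C:\Projects\Pricing' 'C:\Temp\jdoe-efs.cer'     # number of files updated
# cipher.exe /c 'C:\Projects\Pricing\pricelist.xlsx'                   # jdoe now under "Users who can decrypt"
# Revoke-EfsFileAccess 'C:\Projects\Pricing\pricelist.xlsx' '<jdoe thumbprint>'
```

Adding a user this way validates the certificate chain the same way the Details dialog does, so a self-signed certificate from a colleague’s computer must first be trusted on yours (or issued by your CA) before cipher.exe will accept it.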

Encrypting Folders and Files in Windows SBS 2008 or Windows 7 Professional Using Group Policy

The second way to encrypt folders and files is to create a Group Policy object for the computers in your business so that specific folders on those computers use EFS. The most useful settings enforce encryption of each user’s Documents folder and encrypt the Offline Files cache. They give remote users or users with laptops the ability to work with information while on the road, but they keep the information secure should the laptop or hard drive fall into unfriendly hands.

You should be aware, however, that combining this with the Folder Redirection policy, which redirects user folders such as Documents to server locations, can result in the same files being encrypted more than once. This is unnecessary and can adversely affect file server performance.

Follow these steps to create an EFS group policy:

  1. Click Start > Administrative Tools > Group Policy Management.
  2. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).
  3. Click Create a GPO in this domain, and Link it here… 


  4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
  5. In the console tree, in the Group Policy Objects folder, right-click the new GPO and click Edit. The Group Policy Management Editor opens.


  6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  7. Right-click Encrypting File System and then click Properties. The Encrypting File System Properties dialog box appears.
  8. Under File Encryption using Encrypting File System (EFS), click Allow.
  9. Select Encrypt the contents of the user’s Documents folder and then click OK.


  10. Close the console applications. Because this is a Computer Configuration setting, it is applied when each client computer next refreshes policy or restarts; the user’s Documents folder itself is marked for encryption when that user next logs on.

To verify that the policy has been correctly applied:

  1. Log on to a client computer as any domain user.
  2. Right-click the user’s Documents folder (or any file inside it).
  3. Click Properties, then Advanced.
  4. The Encrypt contents to secure data check box should be selected. If it is not, run gpupdate /force on the computer, log off and back on, and check again.

Note: It can take a few minutes for these settings to propagate. Also, the user’s machine may need to be restarted.
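As an added check (not from the original post), this PowerShell snippet, run on a client in the GPO’s scope as the logged-on user, refreshes computer policy and then proves both halves of the setting: the Documents folder carries the Encrypted attribute, and a new file dropped into it inherits encryption. The probe file name and the use of gpresult for the follow-up are the only assumptions.

```powershell
# Added example, not from the original post: confirm the EFS policy on a client.
function Test-EfsEncrypted {
    param([Parameter(Mandatory = $true)][string]$Path)
    $flag = [System.IO.FileAttributes]::Encrypted
    ((Get-Item -LiteralPath $Path -Force).Attributes -band $flag) -eq $flag
}

function Test-EfsDocumentsPolicy {
    & gpupdate.exe /target:computer /force      # pull the latest computer GPOs now

    $docs   = [Environment]::GetFolderPath('MyDocuments')
    $result = New-Object PSObject -Property @{
        DocumentsPath      = $docs
        DocumentsEncrypted = Test-EfsEncrypted $docs
        NewFileEncrypted   = $false
    }

    # A probe file shows that the folder attribute really propagates to new files.
    $probe = Join-Path $docs ('efs-probe-{0}.txt' -f [guid]::NewGuid())
    try {
        'probe' | Set-Content -LiteralPath $probe
        $result.NewFileEncrypted = Test-EfsEncrypted $probe
    } finally {
        if (Test-Path -LiteralPath $probe) { Remove-Item -LiteralPath $probe -Force }
    }
    $result
}

# Usage:
# Test-EfsDocumentsPolicy | Format-List
# Both flags should be True. If DocumentsEncrypted is False, log off and on again
# (the folder is marked at user logon) and list which GPOs reached the computer:
#   gpresult.exe /scope:computer /r
```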

Recovering EFS Keys

As we’ve discussed, encrypted data is readable only to users who possess the private key that unlocks it and to the recovery agent. If the user’s private key is lost or damaged, the encrypted data becomes unusable unless there is a means to restore either the plaintext or the private key to the user. Your organization can lose access to valuable encrypted information unless someone other than the user has a way to recover it.

In order for you to successfully retrieve that user’s data, at least one EFS recovery agent account must have a valid EFS recovery certificate whose private key you still hold, and the file must have been encrypted (or updated with cipher /u) while that agent was in the policy. Thus, when you deploy EFS, you should implement a recovery program and policies to ensure that users’ encrypted data can be recovered.

When Group Policy is applied to computers, the Encrypted Data Recovery Agent settings carry the certificates of each designated recovery agent account within the scope of the policy. EFS uses the current recovery agent certificates to create and update the data recovery fields (DRFs) in each encrypted file; each DRF holds the file’s encryption key wrapped with one recovery agent’s public key. A recovery agent certificate contains the public key and information that uniquely identifies the recovery agent account.

To retrieve an encrypted file or folder:

  1. As the recovery agent, log on to the computer from which you need to retrieve data.
  2. Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.‌
  3. Click the Personal folder.
  4. Click the Action > All Tasks > Import. This opens the Certificate Import wizard.


  5. Click Next.
  6. Type the location of the file that contains the certificate, or click Browse and navigate to the file’s location, and then click Next.


    If you have navigated to the right location but don’t see the certificate you are importing, then check that the correct file type is selected (i.e., .PFX, .P12, etc.).

  7. Type the password, select the Mark this key as exportable check box, and then click Next.
  8. Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish.

After you import the certificate, you can decrypt the encrypted files: right-click the file, click Properties > Advanced, and then clear the Encrypt contents to secure data check box. When the recovery is finished, delete the recovery agent’s certificate and private key from the computer again (in Certificate Manager, right-click the certificate under Personal > Certificates and click Delete), so that the recovery key does not remain on a workstation.
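Here is the same recovery done from the command line, as an added example (not from the original post). It imports the recovery agent’s .pfx into the current user’s Personal store with certutil, checks that the agent is actually listed on the files, decrypts the user’s folder with cipher.exe, and then removes the certificate and its private key again so that the recovery key does not stay behind on the workstation. The file paths are assumptions, and the key-deletion step assumes the private key is a CAPI (RSACryptoServiceProvider) key, the default for EFS on Windows 7 and Windows Server 2008.

```powershell
# Added example, not from the original post. Run as the recovery agent on the
# computer holding the data. Paths are assumptions.
$pfx    = 'E:\efs-dra\contoso-efs-dra.pfx'
$target = 'C:\Users\jdoe\Documents'
$encFlag = [System.IO.FileAttributes]::Encrypted

# 1. Import certificate + private key into the current user's Personal (My) store.
$pw = Read-Host 'PFX password'   # certutil takes the plain password on its command line
& certutil.exe -user -p $pw -importpfx $pfx | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'PFX import failed' }
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $pfx, $pw).Thumbprint     # read-only load, nothing persisted
$pw = $null

try {
    # 2. Confirm the agent is listed on an encrypted file before touching anything.
    #    cipher prints the thumbprint in spaced groups, so compare with spaces removed.
    $sample = Get-ChildItem -LiteralPath $target -Recurse -Force |
              Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $encFlag) -eq $encFlag) } |
              Select-Object -First 1
    if ($sample) {
        $flat = ((& cipher.exe /c $sample.FullName) -join "`n") -replace '\s', ''
        if ($flat -notmatch $thumb) {
            throw "Recovery certificate $thumb is not on $($sample.FullName); the files predate this agent"
        }
    }

    # 3. Decrypt the folder and everything beneath it (/a = files too, /s = recurse).
    & cipher.exe /d /a "/s:$target"
    $left = Get-ChildItem -LiteralPath $target -Recurse -Force |
            Where-Object { ($_.Attributes -band $encFlag) -eq $encFlag }
    "Still encrypted: $(@($left).Count)"
}
finally {
    # 4. Remove the recovery key from this computer again, whatever happened above.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    foreach ($c in @($store.Certificates | Where-Object { $_.Thumbprint -eq $thumb })) {
        $rsa = $c.PrivateKey                      # RSACryptoServiceProvider for CAPI keys (assumption)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.PersistKeyInCsp = $false         # so that Clear() deletes the key container
            $rsa.Clear()
        }
        $store.Remove($c)                         # removes the certificate from the store
    }
    $store.Close()
}
```

If step 2 throws, the files were encrypted before this agent existed in policy; you then need the recovery agent that was in effect at the time, or the user’s own key, and there is no shortcut.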

The Combined Benefits of EFS on SBS 2008 and Windows 7

Using EFS is especially important for those of us who use devices such as laptops and external hard drives away from the office. Encrypting the Documents folder helps ensure that the information is kept from prying eyes and, when used with the redirected folders policy in Windows SBS 2008, also helps ensure that the information is maintained and backed up on the server. When used together, these methods create a centrally managed business policy that helps add security to your business information. It is important to properly back up recovery keys so that you can access a user’s files if disaster strikes.

For more information on the Encrypting File System, read this TechNet article:

*Written originally for Windows XP but still valid for current EFS implementations