Clearly, EFS re-keying isn't an obvious action that you would expect average
users to perform regularly. But we'll have to live with it for now: At this
time, Microsoft doesn't provide an option to perform re-keying centrally or
automatically at regular intervals.
Extended EFS Configuration and Central Control
In Vista and Longhorn Server, Microsoft exposes a valuable new set of EFS configuration
parameters, some of which control new EFS features that weren't available in
previous EFS editions. Prime examples include the ability to encrypt the paging
file, as well as the ability to control the clearing of the EFS encryption key
cache. In previous EFS editions, when an encrypted file was opened (and thus
decrypted) and paged to disk, the file became available in clear text in the
paging file. Also in previous editions, the EFS encryption key cache was only
cleared when a user logon session ended; now, the cache can be cleared when
a user locks his workstation or after a certain time limit.
The new EFS configuration settings can control EFS use, security configuration,
certificate and private key parameters, and caching. In a Windows domain, these
settings can also be leveraged from Group Policy to control the EFS behavior
on user workstations. You can access the EFS settings from the properties of
the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting
File System container, as Figure 4
shows. (The figure doesn't show the EFS encryption key cache settings, which
you control from the Cache tab.)
Thanks to the new configuration settings, administrators can now easily enable
or disable the use of EFS on the Windows machines in their domain environment
and centrally configure crucial EFS parameters. To disable the use of EFS, simply
select the Don't allow radio button in the corresponding GPO, as you see in
Figure 4. Administrators can also require the use of a smart card for EFS by
selecting the Require smart card for EFS check box, allow the use of self-signed
EFS certificates by selecting the Allow EFS to generate self-signed certificates
when a certificate authority is not available check box, and set the key length
of the RSA private keys that EFS uses for self-signed certificates from the Key
size for self-signed certificates drop-down list. (For EFS certificates that a
Windows CA issues, you set the key length in the corresponding AD certificate
template instead.)
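Once these settings have been pushed by Group Policy, the natural follow-up is to verify on a workstation what EFS is actually running with. The script below is an added PowerShell example (not code from the original article or from Microsoft) that reads back the EFS enable/disable state, the paging-file encryption flag discussed earlier in this section, and the user's EFS certificates, including whether each private key sits on a smart card. Assumptions: PowerShell 2.0 or later on Vista or newer; the EfsConfiguration registry value (1 = EFS disabled) is the documented switch for earlier Windows versions and its Group Policy location under SOFTWARE\Policies is assumed here; other values found under that key are listed without interpretation; the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, fsutil behavior query EncryptPagingFile and cipher /FLUSHCACHE are real interfaces.

```powershell
# Added example: audit the effective EFS configuration on a Vista workstation.
# Not part of the original article; see the lead-in for what is assumed.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'  # assumed GPO location
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'           # documented local location
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'                                            # Encrypting File System EKU

function Get-EfsEnabledState {
    # Group Policy wins over the local setting; if neither sets EfsConfiguration, EFS is allowed.
    foreach ($k in $policyKey, $localKey) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).EfsConfiguration
            if ($v -ne $null) {
                $src = if ($k -eq $policyKey) { 'Group Policy' } else { 'local registry' }
                return New-Object PSObject -Property @{ Enabled = ($v -ne 1); Source = $src }
            }
        }
    }
    New-Object PSObject -Property @{ Enabled = $true; Source = 'default (no setting found)' }
}

function Get-EfsUserCertificate {
    # Only certificates carrying the EFS EKU are usable for EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEkuOid }
    } | ForEach-Object {
        $onCard = 'unknown'
        try {
            # HardwareDevice is reported by the CSP when the key lives on a smart card or HSM.
            # Touching PrivateKey may prompt for the card PIN; failures are reported, not fatal.
            if ($_.HasPrivateKey) { $onCard = $_.PrivateKey.CspKeyContainerInfo.HardwareDevice }
        } catch { $onCard = 'error: ' + $_.Exception.Message }
        New-Object PSObject -Property @{
            Thumbprint  = $_.Thumbprint
            SelfSigned  = ($_.Issuer -eq $_.Subject)   # true for EFS-generated certificates
            KeyBits     = $_.PublicKey.Key.KeySize      # compare against the GPO key-size setting
            OnSmartCard = $onCard
            NotAfter    = $_.NotAfter
        }
    }
}

$state = Get-EfsEnabledState
Write-Host ("EFS enabled: {0} (source: {1})" -f $state.Enabled, $state.Source)

if (Test-Path $policyKey) {
    Write-Host "Values under the EFS policy key (listed, not interpreted):"
    Get-ItemProperty -Path $policyKey | Select-Object * -ExcludeProperty PS* | Format-List
}

# The "encrypt the paging file" GPO setting corresponds to this NTFS behavior flag.
Write-Host "Paging-file encryption:"
& fsutil.exe behavior query EncryptPagingFile

Write-Host "EFS certificates in the current user's store:"
Get-EfsUserCertificate | Format-Table Thumbprint, SelfSigned, KeyBits, OnSmartCard, NotAfter -AutoSize

# Clear the EFS key cache on demand; the Cache tab controls when Windows does it by itself.
& cipher.exe /FLUSHCACHE
```

Run it in the user's own session, since the certificate and key-cache checks are per user; a key length below the GPO minimum or a self-signed certificate in a domain that has an enterprise CA are the two findings worth acting on.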
Changes Under the Hood
Vista and Longhorn Server EFS also include two important EFS changes that aren't
immediately visible from the Windows GUI: the support for smart cards and the
ability to use EFS more effectively with remote files. Microsoft finally supports
the storage of the EFS private key on a smart card. Smart card-based private
key storage is the most secure way of storing private keys. With earlier Windows
versions, you could store the EFS private key only in the user profile on the
hard disk. Provided each system that the user logs on to has a smart card reader
installed, smart cards are also the easiest way to implement roaming EFS keys.
Microsoft has also optimized the EFS cryptographic operations that are involved
when the private key is stored on a smart card. If the smart card-based EFS
private key were used for every encrypted file access, the card would slow down
users' file access noticeably. For this reason, Microsoft developed an accelerated
mode for EFS private key storage on a smart card. The first time a user utilizes
a smart card-based EFS private key to access an encrypted file, EFS derives a
software-based EFS private key from the smart card-based one and caches it in
the security context of the Local Security Authority (LSA), essentially a
protected memory area. EFS then uses this software-based private key for
encryption and decryption operations for the remainder of the user's logon
session, so the card is consulted only once per session.
Another important change is the support for local encryption and decryption
of EFS-encrypted files that reside on remote machines—for example, file
servers. In previous EFS versions, when users accessed encrypted files on a
file server, the file was decrypted on the file server and sent in clear text
to the user's workstation. In Vista and Longhorn Server, Microsoft made changes
to the Server Message Block (SMB) protocol—the default protocol for Windows
file sharing—allowing SMB to transport the EFS metadata between the file
server and the user workstation. The result is that an EFS-protected file essentially
remains encrypted all the way to the client.
These SMB changes are part of the new SMB 2.0 protocol that's part of the Vista
and Longhorn Server code base. In Windows Server 2003, Microsoft provides a similar
capability through a set of WWW Distributed Authoring and Versioning (WebDAV)
extensions. However, those extensions help only when the share is published
through a Microsoft IIS Web server and the user accesses the shared files over
HTTP rather than SMB.
Smart Security
Thanks to Vista EFS's introduction of such features as key-backup warnings and
wizards, the EFS Re-key Wizard, and smart-card support, Microsoft is making
it easier to use EFS more securely. Also, Microsoft is delivering new EFS features
that have been high on organizations' file-encryption requirements checklists—for
example, the smart-card support and more secure access of remote encrypted files.
EFS also complements the other data-protection and -encryption technologies—BitLocker
Drive Encryption (BDE) and Windows Rights Management Services (RMS)—that
Microsoft already offers. BDE is designed for single-user and volume-level encryption
and isn't designed for the sharing of encrypted data. Enterprises that want
encrypted file sharing should look at EFS. (For more information about Vista's
BDE, see "Vista BitLocker: Boon or Bust?" InstantDoc ID 50182.) Enterprises
that want permanent protection and encryption of data—even when data is
removed from a protected folder or volume and attached, for example, to a Microsoft
Outlook email message—must look at RMS. The RMS client is also bundled
with Vista.