Controlling Encrypting File System (EFS) using Group Policy
Encrypting File System (EFS) is a powerful option for protecting data that is stored on Windows computers. EFS is free and has been included with each operating system since Windows 2000. Like everything, there are advancements in technology and EFS is no different. With the advancements in technology, it is more realistic to use EFS for more of your data storage environment. However, you might not want to support EFS everywhere, so you need to narrow the scope and control where it can be used. Therefore, it is an ideal solution to take advantage of Group Policy to help manage EFS.
Two Stages of Managing EFS
EFS has two levels of configuration. The first level is set at the computer level, which dictates whether or not it will even be supported and available. The second level is at the folder and file level, which performs the encryption on the data.
Windows 2000 (Server and Professional), Windows XP Professional, Windows Server 2003, Windows Vista, and Windows Server 2008 all support encryption of the data that resides on the computer. By default, all of these computers support encryption of data using EFS. Of course, this can be a negative thing, as some data or some computers should not encrypt data due to logistics.
The logistics that I am referring to is that of allowing users to encrypt data. Since all computers support encryption by default and any user can encrypt, data can be encrypted on the local desktop, as well as on data that is shared on the network. Figure 1 illustrates the option where data can be encrypted on a Windows XP Professional computer.
Figure 1: Encryption of data is a property of the data
To access the encryption option shown in Figure 1, you just need to access the properties of the file or folder that you want to encrypt by right-clicking on the object, then selecting Properties. Then, select the Advanced button on the Properties dialog box, which will in turn show the Advanced Attributes dialog box.
Controlling the Support of EFS for Computers in an Active Directory Domain
When a computer joins an Active Directory domain, it no longer is in control over whether or not it supports EFS. Instead, the Default Domain Policy stored in Active Directory controls this capability. All computers that are joined to a Windows Active Directory domain support EFS, simply by joining the domain.
The caveat is that Windows 2000 domains handle this configuration in the Default Domain Policy differently than Windows Server 2003 and Windows Server 2008 domains.
Windows 2000 Domains Control over EFS
Windows 2000 computers support EFS differently than later operating systems, which is why the configuration for EFS is different in the Default Domain Policy. For Windows 2000, the key to enabling and disabling EFS is all based on the EFS data recovery agent certificate being included in the Default Domain Policy. By default, the Administrator account has this certificate and is configured as the data recovery agent. (If there is no certificate for data recovery, EFS fails.)
To access this configuration in the Default Domain Policy, follow this path once you are editing the GPO in the Group Policy Editor:
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
At this location, you will see the EFS File Encryption Certificate for the Administrator, as shown in Figure 2.
Figure 2: Windows 2000 domains show the EFS File Encryption Certificate just as the user's name, like Administrator
This configuration is what provides all computers the ability to encrypt files. In order to remove this capability, you would just delete the Administrator certification from the GPO. If you wanted to then provide EFS to just a few computers in Active Directory, you would follow these steps:
- Create a new GPO and link it to an organizational unit that contains all of the computers that need to support encryption.
- Access the Encrypted Data Recovery Agents node in the GPO and add in a certificate that supports EFS data recovery.
This will provide the computes affected with the GPO the ability to use EFS for the data that is stored on the computers.
Windows 2003 and 2008 Domains Control over EFS
The newer domains and operating systems (those later than Windows 2000) support EFS in a similar fashion, but do have some unique differences.
- No data recovery agent is needed to encrypt on post Windows 2000 computers.
- EFS is not controlled by the inclusion of the data recovery agent certificate in the GPO.
- EFS supports multiple user access to encrypted files.
Therefore, for Windows 2003 and 2008 domains, you will have a different set of tasks to perform in order to control EFS for domain based computers. The setting still exists in the Default Domain Policy though. The new path that you will need to access is:
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
Now, instead of modifying the data recovery agent, you will need to right-click on the Encrypting File System node. From the menu option displayed, select Properties. From there, you will see there is a check box that says "Allow users to encrypt files using Encrypting File System (EFS)" on your Windows 2003 domains. Windows Server 2008 domains have radically changed the interface, providing granular support of EFS from this Property page, as shown in Figure 3.
Figure 3: Windows Server 2008 provides granular control over EFS
Notice on the General tab there is a radio button that says "Don't allow". This is the configuration that can be set to disable EFS on all computers in the domain. Also notice that there are many other settings available in this dialog box for controlling EFS.
You can also target specific computers in the domain by following the steps listed above in the Windows 2000 domain section.
EFS is very powerful and useful. It can encrypt data stored on Windows computers. The encryption will help protect against users or attackers that try to access the data, but don't have access or the ability to decrypt the data. EFS is a two step process, as first EFS must be enabled on the computer. This can be controlled by Group Policy, and is when computers join a domain. Administrators have the power to enable or disable EFS on any computer in the domain by configuring a GPO. By disabling EFS for all computers in the domain and then creating and configuring a new GPO, only specified computers can use EFS.