New Features with Windows Server 2008 EFS

A few days ago when going over some of the new and improved security features included with Windows Server 2008, I mentioned an enhanced EFS. What are some of the enhanced EFS features? Check out this list:

  • Smart card key storage
  • Key caching
  • Smart card single sign on
  • Per user encryption of offline files
  • Improved Group Policy support
  • EFS rekeying wizard

EFS encryption keys and certificates can be stored on smart cards, providing stronger protection for the encryption keys since they no longer need to be stored on the machine itself. This is especially useful for protecting laptops or multi-user workstations. Smart cards may also provide ways to improve key management in large enterprises.

You can configure EFS Group Policy to store private keys on smart cards in non-cached or cached mode:

  • Non-cached mode. Similar to the traditional way EFS works, all decryption operations requiring the user’s private key are performed on the smart card and the smart card must be plugged into the computer when the operations take place.
  • Cached mode. A symmetric key is derived from the user’s private key and cached in protected memory. Encryption and decryption operations involving the user’s key are then replaced with the corresponding symmetric cryptographic operations by using this derived key. This eliminates the need to keep the smart card plugged in at all times.

EFS also provides Group Policy support to require smart cards and to control the caching behavior of users’ keys, to use either cached or non-cached mode.

Smart card single sign-on (SSO) is used when the user logs on with a smart card and one of the following conditions is true:

  • The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings.
  • The user has a valid EFS encryption key that resides on the smart card used for logon.

When SSO is used, EFS caches the PIN entered by the user at logon and uses it for EFS operations as well. This means that the user isn’t asked for the PIN when EFS operations take place.

If the smart card used for the logon is removed from the smart card reader before any encryption operations are performed, Single Sign On is disabled. The user will be prompted for a smart card and PIN at the first EFS operation, but not for subsequent operations.

Offline copies of files from remote servers can also be encrypted by using EFS. When this feature is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. This means that only that user has access to the file, and even local administrators cannot read the file without having access to the user’s private keys.

A number of new Group Policy options have been added to help you define and implement Group Policy for EFS. These include the ability to require smart cards, enforce page file encryption, set minimum key lengths for EFS, enforce encryption of the user’s Documents folder, and prohibit self-signed certificates.

The Encrypting File System rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. It can also be used to migrate users in existing installations from software certificates to smartcards. The wizard can also be used by an administrator or users themselves in recovery situations. It is more efficient than decrypting and reencrypting files.

One of more of these changes and updates makes the Windows Server 2008 EFS worth upgrading to if you want to both simplify and increase security on your network. For more information on EFS, check out:



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top