Using the Encrypted File System in Windows 2000 NTFS5

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will:
Understand the NTFS file system,
Understand the differences between the NTFS4 and NTFS5 file systems,
Become familiar with the usage of the new NTFS5 features,
Use the Certificates MMC snap-in,
Export and Import private NTFS5 encryption keys.
Competency:
The student will learn about the Windows NT family's native file system, NTFS, and become familiar with the differences between the NTFS4 and NTFS5 file systems, specifically the use of encryption on a data folder. The student will become familiar with the nature and function of the Encrypted File System feature of NTFS5 and learn how to use the Certificates MMC snap-in to export the encryption key and how to import it back in the event of a disaster.
Preparation

This tutorial is performed in combination with the Importing Foreign Dynamic Disks tutorial. EFS does not, of course, have to be implemented on the RAID-5 disk set that is prepared in that exercise, and each can be done independently. The encrypted folder will have to be created on a separate HDD for this exercise.

Procedures - Encrypting Files
  1. The EFS attribute is unique to NTFS and will not work on FAT file systems. While a single file can be encrypted, the attribute is really intended to be placed on a folder. All files saved into the folder will then be encrypted. Create a local user on the server, then log on as that user and create a folder. Now right click on the folder and select Properties:



  2. Here is the folder's property sheet:



  3. Click on the Advanced button and this window appears. Place a check in the "Encrypt contents..." check box then click the OK button:



  4. Now click the Apply button of the folder's property sheet window and this message window appears. Select the "Apply changes to subfolders..." radio button and click OK:



  5. This window displays the encryption progress as all of the files get encrypted. When it disappears click the OK button of the folder's property sheet:



Procedures - Exporting the Encryption Key
  7. In order to export the encryption key the generic MMC must be launched and a management console snap-in that is normally not available from the standard Computer Management set must be loaded into it. Click Start > Run and type in "mmc" (no quotes!) and press [Enter]:



  8. In the generic MMC Console window click Console > Add Snap-In:



  9. This window appears. Click the Add button:



  10. In this window select "Certificates" and then click the Add button:



  11. Close these two windows and in the console click the [+] in front of Certificates - Current User, then click the [+] in front of Personal, then click on the folder icon for Certificates under this, then click on the Certificate itself in the right window pane:



  12. With the certificate selected click Action > All Tasks > Export:



  13. No surprise that this launches the Export Certificate Wizard. Click Next:



  14. Export Private Key is the default. Make sure this is chosen here and click Next:



  15. This one is tricky. If the user had multiple certificates they could all be exported into a single file, or exported one at a time. The "Export All" checkbox is not checked by default and you can leave it this way here since there is only one certificate. In a situation where there are many it could be chosen. The other unchecked box invites you to delete the private key once it has been exported. Do not do this unless you want to have to import it again in order to view the encrypted files. Leave it unchecked here. The "Use strong encryption" option can be kept. Click Next:



  16. Because you are exporting a private key which controls your files, a password is asked for here. It will be needed during the import operation, so do not take this lightly. If you forget it then ALL encrypted files will be inaccessible (read: LOST):



  17. Name the export file. Name it the user's name + key: user1key. You might want to name it "User1 Home Directory Encryption Key" (no quotes!). Click Next:



  18. This part of the wizard offers a summary of your choices to review before clicking Finish. Review them and click Finish:



  19. If this little affirmation does not appear, then something went wrong and you will have to try again. Wouldn't it be a shame if an error message appeared telling you that it didn't happen, but you had chosen to delete the private key and now it was gone? Click OK and close the MMC console. You do not have to save the Console (Click No):
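
A check worth running on the exported file before the original system is wiped, as an added example that is not part of the original tutorial: it confirms that the .pfx opens with the chosen password and really contains a private key. It assumes the OpenSSL command-line tool on any machine that can read the diskette; `check_pfx`, `make_sample_pfx` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an exported EFS key backup (.pfx / PKCS#12) before
# relying on it. Assumes the OpenSSL CLI; function names are illustrative.
# Note: OpenSSL 3.x may need "-legacy" added to read PFX files written by
# older Windows releases that use RC2/3DES.

# check_pfx FILE PASSWORD -> 0 if FILE opens with PASSWORD and holds both a
# private key and a certificate, 1 otherwise (wrong password, damaged file).
check_pfx() {
    cp_file=$1
    [ -r "$cp_file" ] || return 1
    # Pass the password through the environment, not the command line.
    PFX_PW="$2" openssl pkcs12 -in "$cp_file" -nocerts -nodes \
        -passin env:PFX_PW 2>/dev/null | grep -q 'PRIVATE KEY' || return 1
    PFX_PW="$2" openssl pkcs12 -in "$cp_file" -nokeys \
        -passin env:PFX_PW 2>/dev/null | grep -q 'BEGIN CERTIFICATE' || return 1
    return 0
}

# make_sample_pfx DIR PASSWORD -> writes DIR/user1key.pfx, a CONSTRUCTED
# stand-in for the wizard's export (throwaway self-signed certificate).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=User1-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    PFX_PW="$2" openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/user1key.pfx" -passout env:PFX_PW 2>/dev/null
}

# Demonstration on the constructed sample: right password, then a mistyped one.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_pfx "$tmp" 'sample-password' || { rm -rf "$tmp"; return 1; }
    check_pfx "$tmp/user1key.pfx" 'sample-password' \
        && echo "right password: backup usable"
    check_pfx "$tmp/user1key.pfx" 'typo-password' \
        || echo "wrong password: backup rejected"
    rm -rf "$tmp"
}
demo
```

For a real backup, call `check_pfx` with the path to the exported file and the password typed into the wizard; a non-zero return means the export should be repeated while the original key still exists.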



Procedures - Accessing the Data
  21. To simulate a real world recovery scenario assume that the entire operating system got destroyed. All user information including the file system encryption keys would also be lost, effectively stranding all encrypted files with no encryption keys. Without the key that was exported this data would be completely unrecoverable. The encryption keys are simply too big to try to brute force crack. For example it took the united effort of a webring of hundreds of very skilled hackers weeks to break a single message encrypted using IBM's DES, a 56-bit key encryption. The encryption technology used by Microsoft was developed by Kerberos, a computer security company that has a 4096-bit encryption technology. Put in perspective, if that key were used instead of the DES 56-bit encryption it would have taken the hackers a centillion-centillion years to break the message. (1 Centillion=10,000,000,000,000,000,000,000,000,000,000,000,000,000,
    000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000)

    To simulate this catastrophe boot the system to the Student CD-ROM "Room 6359" and zap the operating system's hard drive. Use Ghost to image the drive with Windows 2000 Professional again. This new operating system does not have the user that owned the folder, and if "User1" is created that object will get a new SID and will not be considered the owner of the folder. Furthermore, since SIDs and encryption keys are generated at random, there is no way that this new user would get the same encryption key again (see the really big number above). However, a system Administrator can always take ownership of anything on the system. Right click on the folder and select Properties:



  22. In the folder property sheet click on the security tab:



  23. Click the Advanced button and then click on the Owners tab. Notice that the current owner is listed by User1's SID from the previous operating system. This is because the SID does not match an existing SID on this system. If it did, then the "friendly name" of that system object (like "User1") would be displayed instead. Also notice that in the lower part of the window you are offered the opportunity to "Change Owner to". Select yourself (Administrator) and then click Apply > OK:



  24. Close all of the open property sheets and repeat the process performed above to open the MMC console with the Certificates store snap-in. Open Certificates > Personal > Certificates > All Tasks > Import...:



  25. This starts the Import Certificate Wizard, click Next:



  26. Insert the diskette with the encryption key file and type the full path to the file in the textbox then click Next:



  27. After the system reads the file it will prompt for the password that was stored in it. Provide the password and do not check "Enable strong private key protection...", which would ask for this password every single time the encryption key is needed (for every file that is going to be copied out of the folder, which is rather time consuming). Click Next:



  28. Follow the default here; we launched the Wizard from the personal certificate store, which is where it wants to put it. Click Next:



  29. Review the options at the end of the Wizard and click Finish:



  30. Upon success this message box is displayed:



  31. Close it and the MMC. Drag and drop the encrypted folder onto the root of the C: drive. The Windows 2000 image is not NTFS but FAT32. The system should complain that the encryption will not be preserved. Accept the warning and notice that the files are copied to the C: drive which means that they must undergo decryption since FAT32 does not support it. Open the folder and open any file.


Copyright©2000-2004 Brian Robinson ALL RIGHTS RESERVED