WIXLIB

running in the Outlook 2003 defaultof Cached Mode. Finally, the desktopis often used as a sort of temporary directory where users may place documents they’re currently working onor presentations they frequently deliver. Of course, in your organisation,you may have modified the default locations of some of these directories, soyour EFS encryption choices shouldreflect whatever locations are normally used in your organisation.In addition to these general bestpractices, you should also determinewhether you have applications thatmay save sensitive information in alternative locations. For example, someapplications save user informationin %ProgramFiles%\AppName ratherthan the user’s profile. It’s importantto determine whether you have anysuch applications on your client systems so that you can properly protectwhatever data they utilise. In the bestcase scenario, the application couldbe configured to save changes in another user-profile-specific path (suchas My Documents), in which no further EFS changes would be required.In a worst-case scenario, if the application requires that data be stored in itsProgram Files directory, EFS could beused to encrypt only that specific subdirectory of Program Files.Finally, use caution if you plan to encrypt the temporary directory (%TMP%and %TEMP%). Many application installers use this directory for expansion of installation package contentsand then perform file move operationson the expanded files to place them inthe proper path in %ProgramFiles%.Because a moved file on the same volume retains its original attributes, thefile will continue to be encrypted afterit’s been placed in %ProgramFiles%. Ifa user other than the one running theinstaller then attempts to use this file,he will be denied access to it. Often,such problems do not manifest themselves in clear application error messages that are indicative of the rootcause. Because of this, I generally rec-ommend that %TMP% be encryptedonly in well-managed environmentswhere end users do not install applications on their own.Protecting Offline FilesOffline Files is a feature in Windows2000 and later that allows users tomake a local copy of data stored on afile server. Offline Files then allowsthe user to work on this data while disconnected from the server and to synchronise the changes back to the serverwhen next connected.Offline Files, however, is not a simple directory containing copies of filesfrom the server. Instead, it’s a databasethat is shared systemwide and runs inthe context of the SYSTEM account.In Windows XP, this database can beprotected with EFS. Consider whatthis means in light of the earlier discussion about EFS being per-user. Howcould EFS, which is user specific, encrypt a database that is used by multiple security principals?When a user running WindowsXP chooses the option in WindowsExplorer to encrypt offline files, theencryption routine utilised is differentfrom that used for the other encryption operations the user may initiate.Rather than utilise the user’s personal EFS keypair for the process (whichwould prevent SYSTEM from accessing the files), the SYSTEM accountself-generates a keypair for use withEFS and uses that keypair to encryptthe client-side cache. This has a criticalsecurity implication in that if someone can subsequently get code to execute as SYSTEM, he can decrypt thedata in the cache. If a laptop is stolen,it’s trivial for an attacker to reset theadministrator password and log on asadministrator. Once running as administrator, it’s similarly simplistic to forcecode to run as SYSTEM and then access the cache. (Note that this behaviour has changed in Windows Vista.Windows Vista now uses the individual user’s key to encrypt user-specificOffline Files.)To protect against this type of attack,the laptop can be configured to storethe encryption key for the SecurityAccounts Management (SAM) database offline, either as a password inputat boot time (mode 2) or on a floppydisk during the boot process (mode3). Both approaches can be cumbersome since they require non-automatable interaction with the computerduring the boot process, creating potential problems with automated systems management. However, if EFS isto be used on a computer with OfflineFiles, it is critical that one of these options be used to secure the data in thecache. I normally recommend you usethe boot-time password (see Figure 1).This is because a user who has a laptopbag stolen will most likely either havethe disk in the laptop already or, if not,then almost certainly in the bag alongwith the laptop.Figure 1 Automate EFS operationsEnabling EFSOnce you’ve determined what to encrypt on your client, the next step isto perform the actual encryption operation. This process can be achievedthrough a logon script or other process that will execute a script on theclient that calls cipher.exe to performthe encryption operation. If you haveexisting standalone EFS users in yourenvironment, as discussed in the earlier example, I recommend migratingthem first.TechNet Magazine July 200775 79 Security desfin.indd 77778/6/07 11:22:43

Security watchTo migrate these standalone users, the first step is to provision theclient systems with managed certificates, as discussed in this columnin the February 2007 US edition ofTechNet magazine ecurityWatch). Once all systems haveenrolled for these managed certificates, cipher should be run with the /Uswitch to update all existing files withthe new encryption and recovery agentkeys. At this point, all systems in theSG-ComputersUsingEFS group wouldbe utilising EFS in a managed fashion,including centrally issued (and potentially archived) keys and centrally managed recovery agents.To deploy EFS for the users not currently using EFS, you must first remove the Group Policy preventingEFS usage. Once that is completed andusers have enrolled for managed certificates, a logon script can be run toencrypt the key paths discussed earlier.Here is a simplistic script sample:cipher /e /s /a “%userprofile%\My Documents”cipher /e /s /a ”cipher /e /s /a “%userprofile%\Desktop”After you’ve enabled EFS on the desired directories, you should considersetting two additional options to increase the security of your EFS deployment, both related to data paged frommemory to disk. Note that for each ofthese scenarios, the amount of datathat could be potentially recoveredby a malicious party is limited to thatwhich was loaded in memory or pagedto disk during legitimate use. In otherwords, if a user has sensitive EFS-protected data on the machine that theyhave not viewed (and, hence, not loaded into memory), this data is not at riskfrom these attack vectors.The page file is used by Windows asvirtual memory (often referred to asswap space in other operating systems)and contains raw pieces of in-memorydata written in clear text to the harddrive. This can put sensitive data at risk78on an EFS-protected system because ifan attacker is able to recover the pagefile, they can potentially utilise forensics tools to extract usable data fromthis file. Since the page file itself cannot be encrypted in Windows XP (notethat it can be encrypted in WindowsVista) the best option is to forceWindows to clear it at shutdown. Thiscan be accomplished via Group Policy,as illustrated in Figure 2.The downside to this setting is thesignificant increase in time it takes toshut down a machine, particularly onewith large amounts of memory. (By default, the size of the page file is directly related to the amount of physicalmemory in the computer.) This is because to clear the page file, Windowsmust physically write to every page onthe disk prior to shutdown.The hibernation file in Windowscontains a dump of the machine’sphysical memory when the powermanagement mode is set to enable hibernation. When hibernation occurs,Windows writes the complete contents of physical memory to disk in thehibernation file, allowing the computer to be restored to exactly the samestate when the user is ready to continue working. Like the page file, thehibernation file cannot be encryptedin Windows XP. However, unlike thepage file, hibernation cannot be disabled directly from a GPO. Rather, youshould use a script to call powercfg.exewith the /HIBERNATE switch to disable (or re-enable) hibernation.After completing your initial encryption and configuration tasks, youshould consider wiping the slack spaceon disks in your deployment. This process can be very time intensive anddisruptive, but has a security benefitin high-security environments. Slackspace is the area of a disk that doesnot hold data currently active on thesystem but which, because of the wayhard disks operate, may contain pieces of sensitive information from previously used files. In other words,because a file delete operation doesn’tactually overwrite all the sectors a fileoccupies on a disk (it only removesthe pointer from the file table), theTo securely wiperesidual data, runcipher with the /WswitchFigure 2 Setting Group PolicyTo get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine75 79 Security desfin.indd 788/6/07 11:22:44

ry pagefile’ option. The entire designof Offline Files has been reworked inWindows Vista. In addition to muchbetter performance and stability (aswell as a generally more user-friendlyinterface), client-side caching is nowper user, meaning it is possible to securely encrypt the cache without theuse of SYSKEY mode 2 or 3. These twoimprovements eliminate major deployment hurdles for today’s Windows XPbased environments.Finally, Windows Vista allows administrators to configure encryption of the Documents folder directlythrough Group Policy, without havingto utilise a separate script. Figure 3 illustrates the new EFS properties available via GPO in Windows Vista.Figure 3 EFS propertiesin Windows Vistadata that was deleted may continue toexist on the disk. In these cases, thedata may be recoverable by forensicstools that can read this slack space andreassemble files from it. To securelywipe this residual data, run cipher withthe /W switch. This forces cipher to repeatedly overwrite all sectors markedas available on the disk. As long as allfuture file operations on sensitive dataoccur in EFS-protected directories, itwon’t be necessary to run this command on a regular basis.Enhancing Windows Explorerfor EFSBy default, encryption and decryption options for files and directoriesare somewhat buried in the advancedproperties menus in Windows Ex plorer. You may choose to enhance theend-user experience with EFS by placing ‘Encrypt’ and ‘Decrypt’ on the Win dows Explorer context menu (exposedwith a right-click). Additionally, Win dows Explorer can be configured toshow EFS-protected files and directories in a different colour (green) thanother files. This can help users knowwhether a file or directory is encrypted without having to drill down intothe advanced properties menu. Finally,you may want to add an option to de-fine which users have access to the fileor directory. To enable these options,make the following changes in the registry via a script calling reg.exe:[HKEY LOCAL Explorer\Advanced]“EncryptionContextMenu” dword:00000001“ShowCompColor” dword:00000001[HKEY CLASSES ROOT\*\Shell\Encrypt To User.\Command]@ ”rundll32 efsadu.dll,AddUserToObject %1”EFS in Windows VistaEFS has received a number of important enhancements in Windows Vistathat make it easier to deploy and manage, as well as increase its security.Primary among these enhancementsis full support for storing EFS keys onsmart cards. This is a particularly valuable feature for organisations that arealready utilising smart card logon, because that same card can also be usedto store users’ EFS keys. This supportfor smart cards also extends to recovery agent certificates, such that thesensitive DRA certificates can also bestored on cards.Windows Vista also supports encryption of items previously eitherimpossible or not easily accomplishedin Windows XP. Windows Vista canencrypt the page file, eliminating theneed to set the ‘clear virtual memo-Wrap upEFS provides Windows administratorswith a highly secure option for protecting mobile data. EFS is scalable,manageable and provides flexible datarecovery mechanisms. In WindowsVista, EFS is further improved withenhanced capabilities for easier management and deployment, as well assupport for smart card-based key storage. For organisations that want toprotect data, even when a machine hasbeen physically lost, EFS provides astrong solution that’s already a part ofyour existing Windows platform. John Morello graduated summacum laude from LSU and has been withMicrosoft for six years in a variety ofroles. As a Senior Consultant, he hasdesigned security solutions for Fortune100 enterprises and Federal civilian anddefence clients. He’s currently a ProgramManager in the Windows Server groupworking on security and remote accesstechnologies.TechNet Magazine July 200775 79 Security desfin.indd 79798/6/07 11:22:44

TechNet Magazine July 2007 75 Deploying EFS: Part 2 John Morello Security watch You can think of any Encrypting File System (EFS) deployment as having essentially two parts: the back-end design portion focusing on certificate management and recovery agents, and the user-facing EFS deployment