[Add to favorites] deleting EFS from Win2k/XP Client

Author: techrepublic.com.com
Thursday, March 10 2005 pm

Learn the necessary steps to delete efs on the Win2k/XP client.

Most readers may have heard of EFS, which is an Encrypting File System included in Microsoft Windows 2000 and Windows XP Professional systems ). This file system allows Windows 2000 and XP users to conveniently encrypt files or folders running on NTFS partitions. Many articles have covered the positive and negative effects of this function. In this article, from the perspective of end users, I will discuss the above two aspects step by step based on the actual usage of EFS-not from a system administrator who understands the technology behind EFS and the reasons for using ESP angle. I will also provide the necessary steps to disable EFS on Windows 2000 and Windows XP.

EFS Basics
EFS is included in Windows 2000 and XP systems. It allows users to add a security protection layer for data over NTFS protection. The former is a technology that NT has been using for many years. EFS does not work for data stored in the fat or FAT32 partition.

EFS is designed to be easy to use and even transparent to end users. Therefore, some users may not feel the existence of it when using it. EFS uses 128-bit desx encryption to protect data stored in encrypted files and encrypted folders. It uses PKI instead of the user name and password to connect the file with the user who encrypts the file. In this way, the encrypted data cannot be read when the user changes the account password. By default, EFS is allowed in Windows 2000 and XP Professional systems, and any user has the permission to modify its encrypted files or directories. The specific method is to select a check box under the file or folder advanced attributes, as shown in.

Figure

In the correct way, EFS can avoid reading sensitive data by users who have broken through NTFS protection. From an optimistic perspective, EFS does have the ability to improve security protection, but it also brings false security to users, which has a negative effect. In the use of EFS, there are very few errors in the system, but once it happens, it will have terrible consequences. It is important to understand what EFS can do and what it cannot do. EFS will provide some false security information. Now let's remove this information.

What EFS cannot do
EFS protects data from reading, rather than deleting it. Attempts to copy EFS encrypted files fail, so many people think that unauthorized users cannot delete files. But these files can be deleted.

ESP protects data stored in the local NTFS partition. When a file is sent across the network, EFS does not provide data protection. This is a big problem. Because EFS is designed to be transparent to end users, when the encrypted file user copies the file to the network or sends the encrypted file via email, the file will be automatically decrypted before it passes through the network, therefore, the file can be read on the target system. For users who do not understand this and believe that their sensitive data is still secure, the loss caused by such errors may be huge.

EFS cannot be used on Image drives that span networks unless the server and client work in the same Active Directory forest (Active Directory forest) and the server is trusted and authorized. By default, only the domain controller in an ADS environment is trusted and authorized. Understanding these constraints is critical to the effective use of EFS. Microsoft originally believed that EFS was easy to use, but it still needed appropriate end-user training to use EFS. How many users in your network understand these concepts? Or, more importantly, how many users in your network use EFS across networks without understanding the principles of EFS?

What happens when EFS is mistakenly used
Many EFS materials (especially those from Microsoft) use this idea, that is, the end user can always perform operations correctly, it will never happen or deliberately use EFS-like technologies to mess up things. However, if you have to take support of computer systems as your job, you will know that the end user will not always perform the operation correctly. If EFS is used in the environment you manage (remember that EFS is allowed by default), you must understand what problems EFS may have, and what measures can you take to solve these problems.

Any technical support engineer or network administrator must first consider that any user who has the modification permission (write capability) to a file or folder can encrypt the file or folder. Therefore, this rule can be applied to files not created by users. Will this cause problems in your network environment? Will multiple users share the same system? If the answer is yes, the problem may occur. In your Active Directory environment, do you use the domain controller as a file server? If yes, a user may have encrypted a file. Therefore, a large group of users who are allowed to modify the file cannot access the file. When EFS permits by default, end users have sufficient rights to do things that may cause trouble.

Note:
If the user has full control over the file, they can also change the NTFS permission to deny anyone access to the file. This is why you should always modify the permissions of non-administrative users and groups. Indeed, almost no System Administrator allows end users to specify who can access data in the network.

Problems caused by EFS are hard to be found
If you do not consider EFS as a possible cause, it is difficult to determine the cause when you encounter a problem. When a user attempts to access a file encrypted by another user, the user will obtain one of the following two types of information based on the access method or application: access is denied or the file is damaged.

If the access request is denied, most end users will think that the reason is that the system administrator mistakenly locks the file, so they will seek help from the Administrator. If a staff member only looks for the cause of the failure by viewing the file or folder permissions, there is no indication that the user access is denied. Only the advanced attributes of an opened file can reveal the cause of the problem. Many humans will be wasted on finding other potential factors, such as group permission conflicts.

In terms of the two prompts that the user cannot read the EFS file, it is good to reject the access. If you receive information indicating that the file is corrupted, you may delete the file. Because EFS does not prevent deletion, you can perform this operation. If the person who tries to solve the file corruption problem does not take esp as a potential factor, it may even be worse than a File Corruption message. There are already some tragic stories that may happen on hypothetical occasions. Example:

Two users who work in different time periods share the same Windows XP Professional system. Users working in the evening shift have a lot of downtime to view all aspects of the system. After discovering the encrypt contents to secure data (Encrypting File Content to ensure data security) settings, he decided to activate this function. "What are the disadvantages of ensuring data security ?" He said to himself.

He also selected a file shared by the same user in the folder. The default EFS settings show that not only the file is encrypted, but the parent folder is also encrypted. The user accepts this information and click OK. Every file created in this folder is encrypted by the user who created it and cannot be read by other users. The late shift user modified these files, confirmed that there was no problem and believed that all work was normal.

When a white-shift user tries to open a file in this folder, she will receive a message indicating that the file data may be corrupted. Then she called the technical support staff to report the problem. As part of the work, files in folders need to be written every day, so this problem needs to be quickly solved. Technical support staff began to find the cause of the problem. He tried to delete the file and restore it from the backup at night, but unfortunately the EFS file is still encrypted during backup, so the recovered file also seems to be damaged. Technical support personnel believe this indicates that there is a problem with the application editing this file. So he re-installed the program, but the problem still exists. The technical support staff decided to reinstall the operating system to quickly solve the problem and back up data. The reinstallation of the operating system erased the key used to decrypt the data. Now, the file is completely unreadable!

Of course, even if the above error is not made, data loss caused by EFS may still occur. After the encrypted data is backed up, what will happen if the system crashes and cannot be started and the system is re-installed? There are many ways to avoid such potential troubles. However, giving up using EFS is considered out of consideration. The system status or EFS password can be backed up and restored to the re-installed system, so that you can re-access data. If you use EFS on the network, there will no longer be a pure "Best Solution"-this will be a required solution (note, you can take steps in the Active Directory environment to avoid such errors and make the environment safer. But these steps are not part of the default EFS settings ).

Laptop is the best place to use EFS
The last question I want to discuss is whether you need to use EFS. EFS does not help data security in environments where data is most vulnerable (for example, when data is uploaded or transmitted over the Internet. It cannot work on a vast majority of removable storage media and floppy disks, and data is easily lost when these storage media are used. In what environment should EFS be used? Microsoft's EFS-related whitepaper is very vivid. According to the description in the White Paper, EFS is designed to penetrate NTFS's local data protection in a way that may be physically controlled. I hope your network environment is not as vulnerable to thieves as most desktop customer systems (if so, you should not store sensitive data on these systems ).

This also makes a particular computer system the main use of EFs: Laptop. If a laptop user on your network must store sensitive data on these systems, the data must be encrypted. If you will use the EFS technology above, you should ensure that you follow Microsoft's best method and extract the private key from the operating system and store it on a floppy disk, or use a better way to store it on a smart card. Similarly, if you need this function, you 'd better use Windows XP because it is relatively simple to remove EFS from a physically controlled system, and the steps that prevent the use of EFS will not be implemented on Windows 2000. I will explain this later.

Remove EFS from Win2k/XP Workstation
If you find that EFS does not apply to your network environment, you need to disable EFS on Windows 2000 or Windows XP. I will first introduce how to disable Windows 2000.

Windows 2000
Microsoft makes sure that it is possible to restore encrypted data, even if you accidentally delete the user account that encrypts the file. To recover data, a user must be specified as a recovery agent on each Windows 2000 system. By default, this user is the administrator. This means that, by default, the system administrator can decrypt any files encrypted on the local system. This also provides a simple method to break through the EFS protection of Windows 2000. If the laptop is stolen, thieves can access encrypted data as long as they log on with an administrator account. To access the system with an administrator account, you only need to use a floppy disk containing the ntfsdos tool of winternals to start the system. Then, delete the Sam file and leave the system administrator password blank. Even if other accounts are used as recovery agents, thieves who have the Administrator identity can change the account password and log on to the account. Therefore, you must not only store the private key of the user using EFS on the laptop on a floppy disk or smart card, but also save and restore the Proxy account information. This makes ESF very inconvenient in actual use.

Why not delete the recovery proxy? The reason is that this will disable EFS on Windows 2000. You can also use this method to disable EFS. B. Open the Local System security policy and delete the system administrator authentication from the folder marked as encrypted data recovery agents (encrypted data recovery agent.

Figure B

Windows XP
Windows XP is designed to allow deletion of recovery proxy, which improves the vulnerability in Windows 2000. It is good news for users who want to use EFS on their own laptops. However, this also means that you must find a different method to disable ESP on Windows XP. We still use the Group Policy to disable EFS on the XP system in an Active Directory Network, but we must first import an Administrator template to the domain group policy. If you have never created a. ADM file before, don't worry. This is a simple process. Copy and paste the text in list A to a text file in notepad.

Now save this file with the efs-disable.adm name. Introduce the Group Policy to the domain. [if you are not familiar with this process, right-click the field in the ad users and computers tool and select Properties ). Click the Group Policy tab and click Edit )]. After introducing the Group Policy to the domain, open the Computer Configuration box. Left-click the Administrative Templates folder. You can see the Add/Remove templates (Add/delete template) option. Select this option and click Add. Find the. ADM file you just created and click open. Click Close. Now you have completed all the settings. You can see that there is a directory named Special EFS handling (Special EFS handle) under Administrative Templates.

Figure C

Set disable XP and. Net EFs (disable XP and. Net EPS) to allow (c ). All XP systems in this domain will disable EFS. This occurs in the Local System Windows XP Professional system group policy process will not take effect in a running SP1 ads environment. You may see the error message shown in D.

Figure D

If you find that this method does not work on the local XP system after testing, you can use the following content. reg file: [HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/EFS] "efsconfiguration" = DWORD: 00000001

Double-click the. reg file and import it to the Registry. I have successfully tested this method on a system that does not run SP1.

With full preparation and proper use, EFS can add the extra security you need on the local network. I hope that after reading this article, you can easily determine whether EFS technology should be used. If you think you need to use this technology, you need to carefully read Microsoft's white papers related to this topic and review the specific steps of its best implementation method. Microsoft makes it easy to use on EFS ads, and the White Paper will provide you with more information needed to correctly configure EFS.