How to protect the security of important data files in a domain environment (I)-EFS encryption (I)

EFS (Encrypting File System) is a practical feature of Windows 2000/XP: files and data on NTFS volumes can be encrypted in place, greatly improving data security.

Hi, everyone. I want to discuss this topic from the simple to the difficult. It started with a netizen's question in the forum (link: http://bbs.51cto.com/thread-604202-1.html ). Many friends are probably interested in this issue, so let's look at how to solve it.

Document security has always been something the company pays attention to. In my own company, because of the nature of the business, employees are forbidden to bring removable storage devices into or out of the premises (the security department checks, and anyone who breaks the rule is dismissed). In addition, all of the company's clients (more than 1500 computers) have USB port control, Internet access is restricted by a Netscreen hardware firewall plus an ISA proxy server, and so on: many security measures have been deployed. Clearly the company takes information security seriously. But is it impeccable? Suppose someone logs on to my computer with their own domain account while I am away from the office and peeks at my important files, which they should never have seen. If a file is opened and printed, or copied out, nothing sets off the metal detector at the door.

So what should we do to avoid this situation? The premises are:

I. Spend as little money as possible. The company is cutting costs and it is hard to get anything approved, let alone thousands in software and hardware.

II. Users (employees) must get a good experience and must not have to perform complicated operations. If the operations are too complex, users make mistakes and the protection fails; in the long run they resist it and stop using it.

III. The encryption technology must be mature, unlike password-protected PDF or WinRAR files, for which a hundred or so cracking tools exist.

Well, the goal is clear. Let's start the journey.

First, look at the existing environment. The client operating system in the company is essentially Windows XP Professional, with a few Windows 2000 Professional machines, and the disk partitions are essentially NTFS (some of the old Windows 2000 machines still use FAT32; the Windows XP systems are installed uniformly by our IT department and are guaranteed to use NTFS). Before we bring in today's star, we need to convert all the remaining FAT32 partitions to NTFS.

First find the Windows 2000 clients on the LAN. There are several ways. The laziest is to send a company-wide e-mail asking users to check their computer information and report by phone or e-mail if the disk is not NTFS, but that is too passive and hardly reflects well on us as system engineers. Alternatively, use a script to collect client information and import it into a database for searching (the most professional, and the most laborious, approach). Fortunately I have SMS 2003 in my environment, which saves the trouble: go to the computer collection and check.

[Illustration]

After finding the machine, send a remote control request; once we have control of the client, we convert the disk format. I believe you are familiar with the command:

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]

If you are told that the current domain user has insufficient permissions and you do not want to log off and switch to the administrator account, use the runas command.

The disk format is converted when the computer is restarted.
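The inventory-then-convert step above, as an added PowerShell example (not code from the original post): it asks WMI for fixed volumes that are not NTFS, on the local machine or on a list of computers taken from an SMS collection, and prints or runs the CONVERT command under an administrator account via runas. The computer names and the `CORP\admin` account are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: find fixed volumes that are not
# NTFS on one or more computers via WMI, then show or run the CONVERT command.
# Computer names and the admin account are assumptions.
param(
    [string[]]$ComputerName = @('localhost'),
    [switch]$Convert,                        # only print the command unless set
    [string]$AdminAccount = 'CORP\admin'     # assumed account with local admin rights
)

foreach ($pc in $ComputerName) {
    # DriveType 3 = local fixed disk; CD-ROM and removable media are skipped.
    $vols = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $pc -Filter 'DriveType = 3'
    foreach ($v in $vols) {
        if ($v.FileSystem -eq 'NTFS') { continue }
        "{0}: volume {1} is {2}" -f $pc, $v.DeviceID, $v.FileSystem

        # CONVERT keeps the data but EFS needs NTFS, so convert in place.
        # /X dismounts the volume first; the system volume is converted on the next restart.
        $cmd = 'convert {0} /FS:NTFS /X' -f $v.DeviceID
        if ($Convert -and $pc -eq 'localhost') {
            # Run under the administrator account without logging off the current user.
            # runas prompts for that account's password interactively.
            runas "/user:$AdminAccount" "cmd /c $cmd"
        } else {
            "  run on $pc as administrator: $cmd"
        }
    }
}
```

Run it without `-Convert` first to get the list; the conversion itself is one-way, so confirm the volume list before letting the script execute CONVERT.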

Next, the protagonist of this article: EFS (Encrypting File System).

A brief introduction to EFS. Since Windows 2000/XP/Server 2003 the system has shipped with EFS (Encrypting File System), which encrypts files and folders stored on NTFS volumes transparently. "Transparent to the user" means that accessing a file you encrypted never prompts you for a password or anything of the kind; it seems no different from accessing an unencrypted file. We will see this in the demo later.

EFS encryption in fact relies on public/private key cryptography. Explaining that principle properly would take several thousand words, so just remember one thing: the public key encrypts, the private key decrypts. Therefore any NTFS file encrypted with a user's public key can only be decrypted with that user's private key; other users, who do not hold that private key, cannot decrypt or view the file.

Using EFS to encrypt a file or folder is really very simple:

Domain user CTO wants to encrypt an important file.

Right-click the file to be encrypted and choose Properties > Advanced > "Encrypt contents to secure data".

OK.

To encrypt a whole folder, perform the same operation in the folder's properties. The difference is that you are asked whether to encrypt only this folder or everything in it (files and subfolders).

Click OK to complete the encryption. The file name turns green. Double-click the file as CTO to confirm it still opens.

Then we log off and log on as another domain user, CFO. Find the file and double-click it:

Access is denied. So user CFO cannot view the file that user CTO encrypted with EFS. Some friends asked: what if the file is in a shared folder?

The result is the same: you cannot view or copy it, even when you log on with the same domain account.

I remember a netizen asked whether the result would be the same if the partition the file is copied to is FAT32.

Access is still denied.

Why?

The reason is simple.

Whoever holds the key can open the box.

The question is: where in the house (the computer holding the encrypted files) is the key kept? And if someone hands me the key, can I open the box?

Go back to the computer on which CTO encrypted <important materials>. Log on to the console with the CTO domain account, run mmc (or certmgr.msc), add the Certificates snap-in and select "My user account".

Open Personal > Certificates. You will see a certificate whose name matches the current user, cto. Export it.

You must choose "Yes, export the private key". The private key is the key to the box that we are looking for.

Keep the defaults.

The exported key must be protected with a password before it can be handed to anyone else. Very considerate.

Remember: if you give the key to someone else, you are also handing over the password you typed here.

Name the key file.

Finish; the key is exported.

The legendary exported key.

Now log on as CFO and find the exported cto key.

Double-click to import it and enter the password set during export.

After the import succeeds, the cto certificate appears in CFO's Certificates snap-in.

Note that only the newly imported cto certificate appears; there is no certificate for cfo. That is because CFO has never encrypted anything with EFS: a user's EFS certificate is generated the first time that user encrypts a file.

CFO can now view the files encrypted by CTO.

This has a side effect. Think about it: CFO now holds CTO's private key, so from now on CFO can read every file CTO encrypts on this machine. Is there a way for CTO to specify which of his encrypted files CFO may view?

In fact, Windows XP Professional already solves this problem.

To achieve it, CFO must also generate his own user certificate by performing an EFS encryption of his own.

Note: I have deleted the imported cto certificate, to simulate the state before it was imported.

At this point CFO can no longer access CTO's encrypted files.

For example, CFO tries to access a file CTO encrypted, named <extremely important information>, and access is denied.

Log on again as CTO. Right-click the file, open Properties > Advanced, click the Details button, and under "Users who can transparently access this file" click Add.

We can see that the cfo user certificate is listed too. Add it.

Log off, then log on as CFO.

CFO can see the EFS file that CTO shared. But he is greedy and wants to see the file next to it.

He tries his luck and attempts to add his own certificate...

That's as far as it goes.
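The "public key encrypts, private key decrypts" principle above, and the difference between importing CTO's private key (every file readable) and adding CFO under "Users who can transparently access this file" (one file readable), as an added model written in PowerShell with the .NET crypto classes. This is not code from the original post and not the Windows implementation: real EFS keeps these structures in the file's $EFS attribute on NTFS, while this script keeps them in hashtables so the behaviour can be watched. The user names cto/cfo and the file contents are constructed for the walk-through.

```powershell
# Added example, not from the original post: a model of how EFS ties a file to
# users' keys. EFS encrypts the content with a random File Encryption Key (FEK)
# and stores the FEK wrapped with each authorised user's public key (the Data
# Decryption Field, DDF). Hashtables stand in for the on-disk structures.

function New-EfsUser([string]$Name) {
    # Each user gets an RSA key pair; in Windows this is the user's EFS certificate.
    # Only the public half is needed to grant access; the private half stays with the user.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    @{ Name = $Name; PublicXml = $rsa.ToXmlString($false); Private = $rsa }
}

function Grant-EfsAccess($File, [byte[]]$Fek, $User) {
    # Adding a user = adding one more copy of the FEK wrapped with that user's public key.
    # This is what "Users who can transparently access this file" does, for this file only.
    # (A domain recovery agent gets the same kind of entry, in the recovery field.)
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($User.PublicXml)
    $File.DDF[$User.Name] = $pub.Encrypt($Fek, $true)
}

function Protect-EfsFile([byte[]]$Plain, $Owner) {
    # 1. A random FEK encrypts the content symmetrically (AES via RijndaelManaged).
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # 2. The FEK is never stored in clear: only wrapped copies live in the DDF.
    $file = @{ Cipher = $cipher; IV = $aes.IV; DDF = @{} }
    Grant-EfsAccess $file $aes.Key $Owner
    $file
}

function Unprotect-EfsFile($File, $User) {
    # Without a DDF entry for this user there is nothing the private key can unwrap:
    # this is the "Access is denied" the post shows for CFO.
    if (-not $File.DDF.ContainsKey($User.Name)) { return $null }
    $fek = $User.Private.Decrypt($File.DDF[$User.Name], $true)
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = $fek; $aes.IV = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Cipher, 0, $File.Cipher.Length)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

function Show-Result($Text) { if ($null -eq $Text) { 'access denied' } else { $Text } }

# Constructed walk-through mirroring the post's CTO/CFO scenario.
$cto = New-EfsUser 'cto'
$cfo = New-EfsUser 'cfo'
$bytes   = [System.Text.Encoding]::UTF8.GetBytes('extremely important information')
$shared  = Protect-EfsFile $bytes $cto     # the file CTO will share with CFO
$private = Protect-EfsFile $bytes $cto     # the file "next to it"

'cfo before sharing : ' + (Show-Result (Unprotect-EfsFile $shared $cfo))
# CTO, who can unwrap the FEK with his own private key, grants CFO this one file.
$fek = $cto.Private.Decrypt($shared.DDF['cto'], $true)
Grant-EfsAccess $shared $fek $cfo
'cfo after sharing  : ' + (Show-Result (Unprotect-EfsFile $shared $cfo))
'cfo on other file  : ' + (Show-Result (Unprotect-EfsFile $private $cfo))
# Importing CTO's exported .pfx, by contrast, hands CFO $cto.Private itself, which
# unwraps the 'cto' entry of every file CTO ever encrypted, not just this one.
```

The model makes the post's two outcomes visible: a DDF entry grants access to exactly one file, whereas possession of the private key grants access to every file that carries an entry for that key. It also shows why a user needs a certificate of their own before they can be added: without a public key there is nothing to wrap the FEK with.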

With EFS encryption in place, CTO only needs to protect his account and password; there is no need to worry about someone secretly logging on to his local computer to read his important information.

However, and this is very important for the netizens who have learned it the hard way: the private key used to decrypt the files must be exported together with the certificate as a backup. Otherwise, if you reinstall the operating system and do not import the corresponding user certificate, you cannot decrypt the files even when you log on with the same user name.

What if you forgot to back up the certificate and key? I can only tell you that there is software on the Internet that claims to crack EFS, but the chance of a full recovery is very low; alternatively you can try to reconstruct the computer SID and the SID of the local or domain account used for encryption, which is very difficult. So I think prevention is king.
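The backup the post insists on, as an added PowerShell example (not code from the original post): it locates the current user's EFS certificate in the personal store by its Enhanced Key Usage, reports whether the private key is present, and backs up certificate and key with cipher.exe's /x switch, the command-line equivalent of the certmgr.msc export shown earlier. The backup path is an assumption.

```powershell
# Added example, not from the original post: find the current user's EFS
# certificate and back it up (certificate + private key) with cipher /x.
# The destination path is an assumption; cipher appends the .pfx extension itself.
$BackupBase = Join-Path $env:USERPROFILE 'efs-backup'
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

# A user only gets an EFS certificate after encrypting a first file; if this
# returns nothing there is nothing to back up yet (the post's CFO before his first encryption).
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
}

if (-not $efsCerts) {
    'No EFS certificate in the personal store; encrypt a file first, then back up.'
    return
}

foreach ($c in $efsCerts) {
    "EFS certificate: subject={0} thumbprint={1} private key present={2}" -f `
        $c.Subject, $c.Thumbprint, $c.HasPrivateKey
}

# cipher /x writes a password-protected PFX containing the certificate and private key.
# It prompts for the password interactively; keep that password apart from the file.
cipher /x $BackupBase

if (Test-Path "$BackupBase*") {
    "Backup written under $BackupBase; move it off this machine and test importing it."
} else {
    'Backup failed; run this from the account that encrypted the files.'
}
```

Run it from the account whose files are encrypted, since cipher /x backs up the keys of the user who runs it. A backup that has never been test-imported on another machine is not a backup, so verify it the same way the post does, by importing the .pfx and opening an encrypted file.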

Since we have been talking about a domain environment, in the next EFS article I will introduce the EFS recovery agent in the domain: what it is for and how to use it. At the same time we will analyze the defects and shortcomings of using EFS in a domain.

Reproduced from http://mrfly.blog.51cto.com/151750/191592
