Professional Windows Server 2003 Security: A Technical Reference

Roberta Bragg


Effect of Normal Operations on Encrypted Files

Encrypted files are still files. They can be deleted, copied, and moved. What happens to them then depends on the format of the destination file system, the encryption properties of the parent folder, and whether or not the user performing the operation is able to decrypt the file. To know what to expect, remember that only NTFS on Windows 2000 and above supports file encryption, and that decryption is transparent to a user who holds a key that can decrypt the file. Also remember that EFS-encrypted files are still subject to NTFS permissions.

Enabling Silent Decryption for Remote Storage

By default, an encrypted file cannot be stored to a remote location that has not been properly set up to store encrypted files. A user can, of course, decrypt the file and store a plaintext copy at the remote location. The xcopy /G and copy /D switches also allow this: when they are used to copy encrypted files and the user is able to decrypt the file normally, the files are decrypted and stored remotely in plain text. Alternatively, a registry value may be modified to allow the file to be silently decrypted and saved to a remote location. The value is only consulted when the copy is performed using copy or xcopy at the command line or when invoked programmatically. While this changes the default behavior of EFS-encrypted files, it may be necessary in certain circumstances; for example, when EFS is used to encrypt files locally, IPSec encrypts the data in flight, and some other server-based process protects the files at their remote location. The DWORD value, CopyFileAllowDecryptedRemoteDestination, is located under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System. Setting this DWORD to 1 enables this behavior.

Normal results for moving and copying EFS-encrypted files are as follows:

If the encrypted file is copied or moved where EFS is not supported (FAT, FAT32, or NTFS on Windows NT 4.0 and below), and the user copying the file has permission to write to the new location and to decrypt the file, the file will be silently decrypted and saved to the new location; otherwise, an error will occur.

If the encrypted file is copied or moved to another location on the same computer and EFS is supported, the file will retain its encryption.

If the plaintext file is copied or moved to a folder on the same machine that is marked for encryption, the file will be encrypted, and the encryption key will be protected using the current user's key.

If the encrypted file is copied or moved to another computer, the user has the ability to decrypt the file, and the computer and user accounts are trusted in the Active Directory for delegation (this is not so by default), then the file is silently decrypted, copied across the network in plain text, and encrypted on the remote computer. The user's encryption credentials must be available on the remote computer.

When such a copy or move fails, the error message will always be Access Denied.

If the computer is either Windows XP Professional or Windows Server 2003 and the user encrypted the file and is now copying it to a location where it will be decrypted and stored in plain text because the location does not support encryption, the user will be warned and allowed to cancel the operation. If the operation is not cancelled, the file will be decrypted and stored in plain text.

If the user has Delete permission for the file and chooses to delete it, he can do so whether or not he has the ability to decrypt the file.

System files are protected from encryption, as are locations in the %SYSTEMROOT%\... path. If a user attempts to copy an encrypted file to this path, she will receive the Access Denied error message.

When encrypted files are backed up using Ntbackup or another EFS-aware backup program, they retain their encryption. When they are restored, they are still encrypted.

The xcopy and copy commands can be used to copy encrypted files. When copy /D (or xcopy /G) is used, the file may be decrypted if required and stored in plain text.
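The following PowerShell script is an added example, not code from the book, that audits the two conditions described above before a bulk copy: whether the CopyFileAllowDecryptedRemoteDestination value is set (so copy/xcopy would silently write plaintext copies to a remote destination), and which files under a source tree carry the EFS Encrypted attribute (so the operator knows which ones a copy to a non-EFS location would decrypt). It assumes PowerShell 3 or later on a Windows host; the source and destination paths are placeholders.

```powershell
# Added example (not from the book): report EFS-related facts before copying a tree,
# so that a plaintext copy at the destination is a deliberate decision, not a surprise.
# Assumes PowerShell 3+ on Windows. Paths used at the bottom are placeholders.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policyName = 'CopyFileAllowDecryptedRemoteDestination'

function Get-SilentRemoteDecryptionState {
    # 'Enabled' when the DWORD is 1, 'Disabled' when present with another value,
    # 'NotConfigured' when the key or value is absent (the default behavior).
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$policyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-EfsEncryptedFiles {
    # Files whose NTFS attributes include Encrypted; hidden files are included via -Force.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }
}

function Invoke-EfsCopyAudit {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $encrypted = @(Get-EfsEncryptedFiles -Path $Source)
    [pscustomobject]@{
        SilentRemoteDecryption = Get-SilentRemoteDecryptionState
        # A UNC destination is remote; mapped drive letters are not detected here.
        DestinationIsUnc       = ($Destination -like '\\*')
        EncryptedFileCount     = $encrypted.Count
        EncryptedFiles         = $encrypted.FullName
    }
}

# Placeholder paths: review the report before choosing copy /D or xcopy /G for the copy.
Invoke-EfsCopyAudit -Source 'C:\Data\Confidential' -Destination '\\fileserver\share\backup' |
    Format-List
```

If the report shows SilentRemoteDecryption as Enabled, a UNC destination, and a non-zero encrypted file count, a plain copy or xcopy of that tree will leave plaintext copies on the remote share.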

Remote Storage," later in this chapter.