Encrypting File System (EFS): LSU Overview
Disclaimer: BEFORE YOU START, discuss the use of Encrypting File System (EFS) with your Departmental Technology Support Professional (TSP).
At LSU, thousands of laptops are in use, so it's important to adequately secure University information on mobile systems. The University is also covered by the Louisiana Database Security Breach Notification Law, which requires LSU to notify individuals whenever personal data about them has been lost, including losses from the theft of laptops. For these reasons, the IT Security and Policy Office is happy to announce the availability of the Encrypting File System for all users in LSU's Active Directory.
Encrypting File System is a technology built into Windows 2000 and Windows XP that provides secure, encrypted, per-user storage that is well integrated into the rest of the Windows file system. For example, EFS can be used to encrypt everything on a user's desktop, all their offline e-mail and all documents they keep locally. EFS uses encryption certificates issued by LSU's PKI to ensure that the encrypted data stays protected even if the user's laptop is lost. Access to the data is seamless for the end user, all key management happens automatically through Active Directory, and no new passwords need to be remembered. ITS encourages all IT contacts who maintain mobile computers (or any other computer whose physical security cannot be guaranteed) to deploy EFS to protect the data on them. As long as the computer is joined to LSU's Active Directory, there is no additional software to deploy, you keep full data recovery capabilities through the domain recovery agent, and the entire system can be managed through Group Policy.
Setting Up Your Users to Use EFS
ITS can automatically provision all your users in Active Directory with certificates without requiring any client-side work. These are issued by our globally trusted subordinate Certificate Authority located in Frey Computing Services. The steps to fully implement EFS for a user are:
1. Contact the PKI administration team at email@example.com and request for your organization or a group of employees of your organization to be configured for auto-enrollment.
2. Once the users have been given the proper permissions, they will be able to enroll for the first time.
3. After the initial enrollment, the certificates will be renewed automatically every year.
4. Enable Context Menu Encryption.
5. Encrypt the documents and files.
ITS is providing a registry file that enables Context (right-click) Menu Integration of EFS, as well as a script that encrypts the My Documents folder, the Desktop folder, and the Outlook Data folder. The registry key can be pushed down with Group Policy, and the script can run as a one-time logon script that seamlessly enables encryption of those folders for the user.
Please be careful about what you encrypt using EFS (see "What Items Should I NOT Encrypt" below).
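The following PowerShell script is an added example that does what the registry file and logon script described above do; it is not LSU's own registry file or script. The registry values (EncryptionContextMenu under HKLM and ShowEncryptCompressedColor under HKCU) are the standard Explorer settings for the context-menu entry and the green display; the Outlook data folder location and the cipher.exe flag combination are assumptions that should be confirmed against `cipher /?` on your build of Windows. Run it in an elevated session so the HKLM value can be written.

```powershell
# Added example (not the ITS-provided files): enable the EFS context menu and the
# green display of encrypted files, then encrypt the three per-user folders.

# 1. Context (right-click) menu "Encrypt"/"Decrypt" entries: machine-wide value.
$advHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $advHKLM -Name 'EncryptionContextMenu' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Show encrypted (and compressed) files in colour in Explorer: per-user value.
$advHKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $advHKCU -Name 'ShowEncryptCompressedColor' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Folders to encrypt: My Documents, Desktop, and the Outlook data folder.
#    ASSUMPTION: Outlook keeps its PST/OST files under Local Application Data\Microsoft\Outlook;
#    adjust if your Outlook data lives elsewhere.
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\Outlook')
)

# Never let this script touch the OS or Program Files trees (see "What Items Should I NOT Encrypt").
$protected = @($env:SystemRoot, $env:ProgramFiles)

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    foreach ($p in $protected) {
        if ($folder.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
            throw "Refusing to encrypt $folder because it lies under $p"
        }
    }
    # /E encrypt, /S: recurse into subdirectories, /A operate on files as well as directories.
    # Marking the directory also means files created in it later are encrypted automatically.
    & cipher.exe /E /S:"$folder" /A
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher.exe returned exit code $LASTEXITCODE for $folder"
    }
}

# Verify: cipher lists each item with E (encrypted) or U (unencrypted).
foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) { & cipher.exe /S:"$folder" }
}
```

When this is pushed as a logon script through Group Policy, only the HKCU value and the cipher.exe calls run in the user's context; the HKLM value belongs in the machine-side registry preference or the .reg file ITS provides. The script deliberately aborts rather than encrypt anything under the Windows or Program Files directories.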
Enable EFS on your Computer
As a member of LSU's Active Directory, you already have access to Encrypting File System. The only step you need to take is to ENABLE right-click encryption.
As part of this document, we have made available a registry key that will allow you to do so. This registry key also changes your file view to show encrypted files in green for easy identification. In some cases your computer may already have a context menu "Encrypt" option because of your computer's Group Policy in Active Directory.
To test whether or not you have this option available, right-click on a file or folder and look for an Encrypt option. The following is a screenshot of this.
What Items Should I Encrypt
EFS is a very powerful and potentially dangerous tool: data encrypted with a key that is later lost cannot be recovered. With this in mind, consider carefully which files and folders you want to encrypt.
For most people, best practice is to encrypt the My Documents folder, the Outlook application data folder within the Documents and Settings folder, the Desktop folder, and any other folders used to store day-to-day documents and data.
With the context menu "Encrypt" option enabled, all that is necessary to do this is to right-click on the folder and left-click Encrypt. You will know a folder is encrypted because it will show in green.
NOTE: Please make sure that a certificate issued by the LSU CA is being used for encryption and not a local (self-signed) certificate. A local certificate lives only in the user's profile on that machine; it is lost as soon as the machine is rebuilt or the profile is deleted, and the files encrypted with it will not be recoverable.
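The check below is an added example, not an ITS-provided tool, for confirming which certificate EFS will use and whether it is CA-issued. It selects certificates in the user's personal store that carry the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4) and a private key, flags any whose Subject equals its Issuer (the signature of a locally generated self-signed certificate), and prints the thumbprint that `cipher /Y` reports as the current EFS certificate so the two can be compared. The exact issuer name of the LSU CA is not on this page, so the comparison is self-signed versus CA-issued rather than against a specific issuer DN.

```powershell
# Added example (not ITS code): show the user's EFS-capable certificates and flag
# self-signed ones, which become unrecoverable when the machine is rebuilt.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # szOID_EFS_CRYPTO: Encrypting File System EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    if (-not $cert.HasPrivateKey) { return $false }
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if (-not $eku) { return $false }
    # True if any EKU entry in the extension is the EFS OID.
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
}

if (-not $efsCerts) {
    Write-Warning 'No EFS-capable certificate with a private key found. Enroll before encrypting anything.'
    return
}

foreach ($cert in $efsCerts) {
    # A self-signed certificate has identical Subject and Issuer; a CA-issued one does not.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $status = if ($selfSigned) { 'LOCAL self-signed: do NOT encrypt with this' } else { 'CA-issued' }
    '{0}  subject: {1}  issuer: {2}  expires: {3}  [{4}]' -f `
        $cert.Thumbprint, $cert.Subject, $cert.Issuer, $cert.NotAfter.ToShortDateString(), $status
}

# cipher /Y prints the thumbprint of the certificate EFS will use for newly encrypted files.
# It must match a CA-issued entry in the list above before you encrypt anything.
& cipher.exe /Y
```

If `cipher /Y` reports a thumbprint that belongs to a self-signed entry, do not encrypt yet: have the user enroll for an LSU CA certificate first, then re-run the check. Files already encrypted with the local certificate should be decrypted and re-encrypted after the CA certificate is in place (or updated with `cipher /U`, which rewrites their keys with the current certificate).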
What Items Should I NOT Encrypt
Do not encrypt an entire volume unless it is a data-only volume. If you encrypt Program Files or the Windows folder, you will potentially make your computer unbootable.
It is VERY IMPORTANT that operating system files are not encrypted, because the computer cannot decrypt a file or folder unless it is running in the context of the user who encrypted it (or of a designated recovery agent), and no user context exists while Windows is starting.
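The script below is an added example, not an ITS-provided tool, for auditing a machine for exactly the mistake described above: it walks the Windows and Program Files trees (including the 32-bit and 64-bit variants where the corresponding environment variables exist, which is an assumption for older single-architecture systems) and reports every file or directory carrying the Encrypted attribute. Run it as an administrator so that all directories can be read.

```powershell
# Added example (not ITS code): list EFS-encrypted items under the OS and program
# directories, which should never be encrypted.
$encrypted = [IO.FileAttributes]::Encrypted

# Roots to audit. ProgramW6432 / ProgramFiles(x86) exist only on 64-bit Windows.
$roots = @($env:SystemRoot, $env:ProgramFiles)
if ($env:ProgramW6432 -and $env:ProgramW6432 -ne $env:ProgramFiles) { $roots += $env:ProgramW6432 }
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $encrypted) -ne 0 } |
        Select-Object -ExpandProperty FullName
}

if ($hits) {
    Write-Warning ('{0} encrypted item(s) found under OS/program directories:' -f @($hits).Count)
    $hits
    # Undo as the user who encrypted them: right-click > Properties > Advanced, clear
    # "Encrypt contents", or from that user's session: cipher /D /S:<directory> /A
} else {
    'OK: no encrypted items under ' + ($roots -join ', ')
}
```

The decryption must be done while logged on as the user who holds the key (or as the recovery agent); an administrator without that key can see the attribute but cannot clear it, which is precisely why an encrypted system file is so hard to recover from once the machine no longer boots.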
One of the biggest concerns associated with using EFS is losing data or losing access to it. The IT Security and Policy Office will work with you to establish a Group Policy that sets up proper data recovery (a designated recovery agent) for your users.
Disabling EFS for your AD Group
If you do not want your users to have the ability to use EFS, you can create a Group Policy that prevents them from using it at all. The following steps prevent EFS usage:
1. Open the GPO that you want to edit. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
3. Right-click Encrypting File System, and then click Properties.
4. Clear the "Allow users to encrypt files using Encrypting File System (EFS)" check box, then click OK. (Leaving the box selected keeps EFS enabled.)
EFS Helper Files
Note: If you have any questions or concerns, please contact the IT Security and Policy Office at firstname.lastname@example.org.
4/25/2014 1:17:44 PM