Windows 2000 - EFS keeps your files secure on the road

As long as you feed Windows 2000 a good dollop of RAM (aim for 256MB if your budget allows it), you should be very pleased with the operating system on your portable. However, portables are inherently "nickable" so it pays to look into some form of protection for your files against prying eyes.

There are several steps that you can take to prevent unauthorised access to your files. First, ensure that the hard disk is formatted with NTFS, not FAT32. The small performance drop is worth it, as you'll gain improved security (as well as a degree of fault tolerance).

NTFS provides fine-grained permissions and access controls on files, and as long as you enforce long, non-obvious passwords, it might be enough to stave off unauthorised access by casual, non-techie intruders. Techie rogues will easily bypass NTFS security, however.

Clearly, you need to do more. Passwords in your applications (e.g., Microsoft Word or Excel) protect the files you're working with, but there are plenty of cracking programs available for these.

Encryption File System

Windows 2000 offers a middle way to protect your files: the Encryption File System (EFS). This is implemented as a set of kernel-mode drivers, and you can't bypass them to access the hard disk without going through the file system. EFS uses public-key cryptography: data is encrypted with a randomly generated public key, but can only be decrypted with the user's private key.

Data is encrypted with the DESX mechanism, which is a 128-bit key variant of the US Government Data Encryption Standard (56-bit, and now cracked). 128-bit encryption can probably be cracked, but it requires substantial computing power and time to do so - there are approximately 3.4 x 10^38 possible key combinations.

The advantages to EFS are that it's totally transparent to users, yet provides a relatively high level of security. It is tightly integrated with NTFS, using file system attributes to store the encryption keys. You can also publish public EFS keys within Active Directory, to make them available to other users.

EFS has a few caveats. It doesn't protect files copied to non-NTFS file volumes, nor does it encrypt files sent across a network. You should also never attempt to encrypt system files - the EFS driver isn't loaded until after boot-up, so your system would be inaccessible if the system files were encrypted (as a protective measure, EFS refuses to encrypt files with the System attribute set). Finally, you must use cut-and-paste for moving files, not drag-and-drop, to ensure the files stay encrypted when you move them.

EFS is very easy to use. First, remember that you should encrypt folders, not individual files - Microsoft's Best Practices for EFS document advises folder-level encryption as the best way to ensure that files are not decrypted unexpectedly. Once you've selected the folder to encrypt (My Documents is a good candidate, and perhaps also the temp folder), simply right-click on the folder icon, select Properties-General and click the Advanced button; in the dialogue that pops up, tick the "Encrypt contents for enhanced security" box.

When you exit the dialogue box, Windows 2000 will start the encryption process. Once the encryption is finished, the files cannot be accessed, copied or deleted by anyone apart from the user who encrypted them (although see caveats above). All files added to the folder will be encrypted transparently. To remove encryption, click on the encrypted file or folder, and remove the tick in the "Encrypt contents..." box.

There is also a command-line utility, cipher.exe, which can be used in batch files, but it's not necessary for basic encryption work.

Forgot the password?

What do you do if you have forgotten the user password, but need access to the encrypted files? Luckily, Windows 2000 creates a certificate by default, which sets the Administrator account as the Encrypted Data Recovery Agent (EDRA). You access the EDRA through the Microsoft Management Console (e.g., by clicking on Start-Run and typing in mmc /c).

The EDRA can also be assigned to an account other than Administrator, if you wish. It's worth exporting the certificate and private key to a securely kept floppy disk, in case you need to shift or restore the files to a new computer.

To recover encrypted data, simply log on as the Administrator (or the account designated for EDRA), fire up Explorer and clear the "Encrypt contents..." box as above. If you don't want EFS at all on your computer, delete the EDRA certificate to disable it. To prevent abuse, EFS is unavailable without an EDRA certificate.
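The following Python sketch is an added illustration, not code from the article and not Microsoft's EFS implementation. It models the structure the article describes in the "Encryption File System" section and in this recovery section: a fresh random 128-bit file key encrypts the data, and that key is wrapped once under the owner's public key and once under the recovery agent's public key, so either private key (and nothing else) can open the file, and encryption is refused when no recovery agent exists. The toy RSA keys built from fixed Mersenne primes and the SHA-256 keystream standing in for DESX are assumptions made for a self-contained demo; they are not the real certificates or cipher.

```python
# Added illustration of the EFS-style hybrid design: a random per-file key
# protects the data, and that key is wrapped under the user's public key and,
# separately, under the recovery agent's public key. This is a toy model,
# not Microsoft's EFS code: toy RSA from fixed Mersenne primes and a
# SHA-256 keystream stand in for the real certificates and DESX (assumptions).
import hashlib
import os

FEK_BYTES = 16  # 128-bit file encryption key, the key size the article cites


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two known primes (toy key sizes; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)  # (public, private)


def wrap_fek(public_key, fek):
    """Encrypt the file key as one integer under a public key."""
    n, e = public_key
    m = int.from_bytes(fek, "big")
    if m >= n:
        raise ValueError("toy modulus too small for this key")
    return pow(m, e, n)


def unwrap_fek(private_key, wrapped):
    """Recover the file key with the matching private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(FEK_BYTES, "big")


def stream_cipher(fek, data):
    """Symmetric stand-in for DESX: XOR with a SHA-256 counter keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(fek + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def efs_encrypt(plaintext, user_public, agent_public):
    """Produce the three parts an EFS-style file carries: the ciphertext, the
    key wrapped for the owner (DDF) and the key wrapped for the recovery agent
    (DRF). Refusing without an agent mirrors the article's point that EFS is
    unavailable without an EDRA certificate."""
    if agent_public is None:
        raise RuntimeError("no recovery agent configured; refusing to encrypt")
    fek = os.urandom(FEK_BYTES)  # fresh random key per file
    return {
        "data": stream_cipher(fek, plaintext),
        "ddf": wrap_fek(user_public, fek),
        "drf": wrap_fek(agent_public, fek),
    }


def efs_decrypt(blob, private_key, field):
    """Open the file with either the owner's key ("ddf") or the agent's ("drf")."""
    fek = unwrap_fek(private_key, blob[field])
    return stream_cipher(fek, blob["data"])


def fek_keyspace():
    """Number of possible 128-bit keys (about 3.4 x 10^38)."""
    return 2 ** (8 * FEK_BYTES)


# Fixed Mersenne primes (2**61-1, 2**89-1, 2**107-1, 2**127-1) keep the toy
# keys deterministic; real EFS keys come from the user's and agent's certificates.
USER_PUBLIC, USER_PRIVATE = rsa_keypair(2**61 - 1, 2**89 - 1)
AGENT_PUBLIC, AGENT_PRIVATE = rsa_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    secret = b"Quarterly figures - constructed sample document"
    blob = efs_encrypt(secret, USER_PUBLIC, AGENT_PUBLIC)
    print("owner reads:", efs_decrypt(blob, USER_PRIVATE, "ddf"))
    print("agent reads:", efs_decrypt(blob, AGENT_PRIVATE, "drf"))
```

The design point worth noticing is that the recovery agent never needs the user's password or private key: it holds its own private key, and the file carries a second copy of the file key wrapped for that key. Losing both private keys (the case the article warns about when it advises exporting the EDRA certificate to a floppy) leaves only the ciphertext and the keyspace figure above.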

Juha Saarinen

PC World