Windows 2000 - EFS keeps your files secure on the road

As long as you feed Windows 2000 a good dollop of RAM (aim for 256MB if your budget allows it), you should be very pleased with the operating system on your portable. However, portables are inherently "nickable" so it pays to look into some form of protection for your files against prying eyes.

There are several steps that you can take to prevent unauthorised access to your files. First, ensure that the hard disk is formatted with NTFS, not FAT32. The small performance drop is worth it, as you'll gain improved security (as well as a degree of fault tolerance).

NTFS provides fine-grained permissions and access controls on files, and as long as you enforce long, non-obvious passwords, it might be enough to stave off unauthorised access by casual, non-techie intruders. Techie rogues will easily bypass NTFS security, however.

Clearly, you need to do more. Passwords in your applications (e.g., Microsoft Word or Excel) protect the files you're working with, but there are plenty of cracking programs available for these.

Encryption File System

Windows 2000 offers a middle way to protect your files: the Encryption File System (EFS). This is implemented as a set of kernel-mode drivers, and you can't bypass them to access the hard disk without going through the file system. EFS uses public-key cryptography with data encrypted by a randomly generated public key; data can only be decrypted with a user's private key, however.

Data is encrypted with the DESX mechanism, which is a 128-bit key variant of the US Government Data Encryption Standard (56-bit, and now cracked). 128-bit encryption can probably be cracked, but it requires substantial computing power and time to do so - there are approximately 3.4 x 10^38 possible key combinations.

The advantages to EFS are that it's totally transparent to users, yet provides a relatively high level of security. It is tightly integrated with NTFS, using file system attributes to store the encryption keys. You can also publish public EFS keys within Active Directory, to make them available to other users.

EFS has a few caveats. It doesn't protect files copied to non-NTFS file volumes, nor does it encrypt files sent across a network. You should also never attempt to encrypt system files - the EFS driver isn't loaded until after boot-up, so your system would be inaccessible if the system files were encrypted (as a protective measure, EFS refuses to encrypt files with the System attribute set). Finally, you must use cut-and-paste for moving files, not drag-and-drop, to ensure the files stay encrypted when you move them.

EFS is very easy to use. First, remember that you should encrypt folders, not individual files - Microsoft's Best Practices for EFS document advises folder-level encryption as the best way to ensure that files are not decrypted unexpectedly. Once you've selected the folder to encrypt (My Documents is a good candidate, and perhaps also the temp folder), simply right-click on the folder icon, select Properties-General and click the Advanced button; in the dialogue that pops up, tick the "Encrypt contents for enhanced security" box.

When you exit the dialogue box, Windows 2000 will start the encryption process. Once the encryption is finished, the files cannot be accessed, copied or deleted by anyone apart from the user who encrypted them (although see caveats above). All files added to the folder will be encrypted transparently. To remove encryption, click on the encrypted file or folder, and remove the tick in the "Encrypt contents." box.

There is also a command-line utility, cipher.exe, which can be used in batch files, but it's not necessary for basic encryption work.
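A batch-file sketch of the folder-level encryption described above, done with cipher.exe and followed by a check that nothing in the folder was left unencrypted. This is an added example, not part of the original article: the folder path is a placeholder, and the check assumes cipher's listing marks each entry with a leading E (encrypted) or U (unencrypted).

```batch
@echo off
rem Added example: folder-level EFS encryption with cipher.exe, then a
rem verification pass. Not from the original article.
rem ASSUMPTION: TARGET is a placeholder folder on an NTFS volume.
setlocal
set "TARGET=%USERPROFILE%\My Documents\Private"

if not exist "%TARGET%\" (
    echo Folder not found: "%TARGET%"
    exit /b 1
)

rem /e     mark folders so files added later are encrypted automatically
rem /s:dir apply the operation to this folder and all of its subfolders
rem /a     also encrypt the files that are already there
cipher /e /a /s:"%TARGET%"

rem Without /e or /d, cipher only lists the encryption state.
rem ASSUMPTION: each listed entry starts with "E " or "U ".
rem findstr sets errorlevel 0 when at least one "U " line is found.
cipher /s:"%TARGET%" | findstr /b /c:"U " >nul
if not errorlevel 1 (
    echo WARNING: these items are still unencrypted:
    cipher /s:"%TARGET%" | findstr /b /c:"U "
    echo Check that the volume is NTFS and that no file is open or
    echo carries the System attribute.
    exit /b 2
)

echo Everything under "%TARGET%" is encrypted.
endlocal
```

Run it while logged on as the user who owns the files, since the files are encrypted for the account that runs cipher.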

Forgot the password?

What do you do if you have forgotten the user password, but need access to the encrypted files? Luckily, Windows 2000 creates a certificate by default, which sets the Administrator account as the Encrypted Data Recovery Agent. You access the EDRA through the Microsoft Management Console (e.g., by clicking on Start-Run and typing in mmc /c).

The EDRA can also be assigned to an account other than Administrator, if you wish. It's worth exporting the certificate and private key to a securely kept floppy disk, in case you need to shift or restore the files to a new computer.

To recover encrypted data, simply log on as the Administrator (or the account designated for EDRA), fire up Explorer and clear the "Encrypt contents." box as above. If you don't want EFS at all on your computer, delete the EDRA certificate to disable it. To prevent abuse, EFS is unavailable without an EDRA certificate.


Juha Saarinen

PC World