Windows 2000 - EFS keeps your files secure on the road

As long as you feed Windows 2000 a good dollop of RAM (aim for 256MB if your budget allows it), you should be very pleased with the operating system on your portable. However, portables are inherently "nickable" so it pays to look into some form of protection for your files against prying eyes.

There are several steps that you can take to prevent unauthorised access to your files. First, ensure that the hard disk is formatted with NTFS, not FAT32. The small performance drop is worth it, as you'll gain improved security (as well as a degree of fault tolerance).

NTFS provides fine-grained permissions and access controls on files, and as long as you enforce long, non-obvious passwords, it might be enough to stave off unauthorised access by casual, non-techie intruders. Techie rogues will easily bypass NTFS security, however.

Clearly, you need to do more. Passwords in your applications (e.g., Microsoft Word or Excel) protect the files you're working with, but there are plenty of cracking programs available for these.

Encryption File System

Windows 2000 offers a middle way to protect your files: the Encryption File System (EFS). This is implemented as a set of kernel-mode drivers, and you can't bypass them to access the hard disk without going through the file system. EFS uses public-key cryptography with data encrypted by a randomly generated public key; data can only be decrypted with a user's private key, however.

Data is encrypted with the DESX mechanism, which is a 128-bit key variant of the US Government Data Encryption Standard (56-bit, and now cracked). 128-bit encryption can probably be cracked, but it requires substantial computing power and time to do so - there are approximately 3.4 x 10^38 possible key combinations.

The advantages to EFS are that it's totally transparent to users, yet provides a relatively high level of security. It is tightly integrated with NTFS, using file system attributes to store the encryption keys. You can also publish public EFS keys within Active Directory, to make them available to other users.

EFS has a few caveats. It doesn't protect files copied to non-NTFS file volumes, nor does it encrypt files sent across a network. You should also never attempt to encrypt system files - the EFS driver isn't loaded until after boot-up, so your system would be inaccessible if the system files were encrypted (as a protective measure, EFS refuses to encrypt files with the System attribute set). Finally, you must use cut-and-paste for moving files, not drag-and-drop, to ensure the files stay encrypted when you move them.

EFS is very easy to use. First, remember that you should encrypt folders, not individual files - Microsoft's Best Practices for EFS document advises folder-level encryption as the best way to ensure that files are not decrypted unexpectedly. Once you've selected the folder to encrypt (My Documents is a good candidate, and perhaps also the temp folder), simply right-click on the folder icon, select Properties-General and click the Advanced button; in the dialogue that pops up, tick the "Encrypt contents for enhanced security" box.

When you exit the dialogue box, Windows 2000 will start the encryption process. Once the encryption is finished, the files cannot be accessed, copied or deleted by anyone apart from the user who encrypted them (although see caveats above). All files added to the folder will be encrypted transparently. To remove encryption, click on the encrypted file or folder, and remove the tick in the "Encrypt contents." box.

There is also a command-line utility, cipher.exe, which can be used in batch files, but it's not necessary for basic encryption work.
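The folder-level encryption described above can be scripted with cipher.exe. The batch file below is an added example, not part of the original article; it assumes the Windows 2000 cipher switch set (/E, /A, /I, /S:) and the default profile layout, so adjust the paths for your machine.

```batch
@echo off
rem Added example (not from the original article): folder-level EFS
rem encryption with cipher.exe, using the Windows 2000 switch set.
rem Assumption: My Documents sits under %USERPROFILE% (default layout).
setlocal
set "DOCS=%USERPROFILE%\My Documents"

rem The two folders the article suggests: My Documents and the temp folder.
for %%D in ("%DOCS%" "%TEMP%") do call :encrypt "%%~D"
endlocal
goto :eof

:encrypt
if not exist "%~1\" (
    echo Skipping %1 - folder not found
    goto :eof
)
rem /E   mark the folder so that files added later are encrypted
rem /A   also encrypt the files already there, not just the directories
rem /S:  apply to the named folder and all of its subfolders
rem /I   carry on past files that are locked or otherwise fail
cipher /e /a /i /s:"%~1"
rem Without /E or /D, cipher only reports state: E = encrypted, U = not.
cipher "%~1"
goto :eof
```

Run it while logged on as the user who owns the files, since EFS ties the encryption to that user's key.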

Forgot the password?

What do you do if you have forgotten the user password, but need access to the encrypted files? Luckily, Windows 2000 creates a certificate by default, which sets the Administrator account as the Encrypted Data Recovery Agent. You access the EDRA through the Microsoft Management Console (e.g., by clicking on Start-Run and typing in mmc /c).

The EDRA can also be assigned to an account other than Administrator, if you wish. It's worth exporting the certificate and private key to a securely kept floppy disk, in case you need to shift or restore the files to a new computer.

To recover encrypted data, simply log on as the Administrator (or the account designated for EDRA), fire up Explorer and clear the "Encrypt contents." box as above. If you don't want EFS at all on your computer, delete the EDRA certificate to disable it. To prevent abuse, EFS is unavailable without an EDRA certificate.


Juha Saarinen

PC World