Lab 5-7 EFS

 

The Encrypted File System can be used to encrypt files that are for your eyes only. It must be turned on at the server to allow it to work. Be Warned! EFS can mess you over BIG time if you turn it on and users encrypt stuff then leave! While the administrators can decrypt files, if the domain has changed (been reinstalled) since EFS was turned on and the file was encrypted, you might lose the data forever.

 

That would be sad.

 

Requirement

Excellent (10)

Incomplete (5)

Not Attempted (0)

Accessed Task Scheduler

 

 

 

Set up backup task

 

 

 

Had teacher check off created task

 

 

 

Deleted the task

 

 

 

Filled out objectives of lab

 

 

 

Answered all questions on this sheet

 

 

 

 

Objectives of lab (List what you learned on this lab)

  1.  

 
  1.  

 
  1.  

 
  1.  

 
  1.  

 

 

Problems Completing Lab

 

First turn on EFS in your Active Directory:

To set Group Policy

1.

Click through the following path:

Computer configuration

Windows settings

Security settings

Public Key Policies

Encrypting File System

2.

Select Properties

3.

Select check from the check box to enable EFS as shown in Figure 11 below.

Figure 11: . Disabling EFS using Group Policy

Figure 11: . Disabling EFS using Group Policy

 

Take the following steps to use Encrypting File System (EFS) to manage data encryption:

  1. Run Windows Explorer from Start Menu > Programs > Accessories > Windows Explorer.

 

  1. In Windows Explorer, click the (D:) drive in the Folders section. In the details pane of Windows Explorer, right-click the folder to be encrypted, and click Properties.

 

  1. On the General tab page of the <foldername> Properties dialog box, click the Advanced button.

 

  1. In the Compress or Encrypt attributes section of the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and click the OK button. Note…you can compress OR you can encrypt.  You can’t do both!

 

  1. On the General tab page of the <foldername> Properties dialog box, click the Apply button. A confirmation dialog box will appear.

  2. In the Confirm Attribute Changes dialog box, specify folders to which these settings will apply, and click the OK button.

 

  1. Close the <foldername> Properties dialog box.

 

Show Encrypted Files in Color

The Windows XP client now allows both encrypted and compressed files to be displayed with alternate colors in Windows Explorer. This feature is enabled by setting folder options which can be found in Windows Explorer by selecting Tools and then Folder Options in the command menu.

To show encrypted files in color

1.

Select the View tab in the Folder Options dialog box

2.

Check the box for Show encrypted or compressed NTFS files in color as shown in Figure 20 below. When this is applied to a folder, all encrypted files will be displayed as green in Windows Explorer.

3.

If you would like to have this setting apply to all folders on the machine, select the Apply to All Folders button and choose Yes when prompted.

4.

Click OK to close the dialog box.

Complete the following:

1.       Create a new user called EFS user. Give him a password.

2.       Turn on the EFS file system.

3.       Log into the workstation as that user.

4.       Have that user create a folder named EFS1.

5.       Set encryption on contents of folder.

6.       Create three files within that folder (file1, file2, file3).

7.       Create another folder (not within EFS1) named EFS2.

8.       Create three files within that folder (encrypted, not encrypted, chicken lips).

9.       Encrypt chicken lips and encrypted.

10.   Show me!

 

Oh no! EFS User has been fired! Before he left he encrypted EVERYTHING in his folder and the new guy who took over can’t open anything!

1.       Create a new user named New Guy.

2.       Give New Guy full control to the folders EFS1 and EFS2.

3.       Log in as New Guy. Locate those folders. Can he open anything?

 

4.       Log in as administrator and locate the files. Can you open the encrypted ones? Why or why not?

 

5.       Right click on the file and decrypt it. Did it work? If you set your EFS policy correctly and you are an administrator in the domain, it sure should have!

 

 

 

Questions:

1.       What is the purpose of the EFS?

 

 

2.       Why is it turned off by default?

 

 

3.       Who can decrypt an encrypted file?

 

 

4.       What happens if EFS user leaves and encrypts everything in his folder, wreaking havoc upon your business?