Channel Strategies for the CIOThis is the second of a two-part tip about protecting data at rest with BitLocker. In our first tip, How to use BitLocker as part of a customer data protection program,
Requires Free Membership to View
we defined “data at rest,” and
talked about utilizing three Windows technologies -- BitLocker, NTFS and EFS -- to provide that
protection. We covered the overall function of the three technologies, and discussed some specific
BitLocker settings and details. In this second part of the tip, we will talk about the Encrypting
File System (EFS) and NTFS permissions, and then run through a scenario where the three
technologies might be used.
EFS and NTFS permissions
First let’s review the purpose of NTFS and EFS in the context of protecting
data at rest.
NTFS (new technology file system) provides access control (i.e., permissions) for data at rest. NTFS file permissions provide run-time protection in the form of access control on files and folders. NTFS does not provide any form of off-line protection of data.
Encrypting File System (EFS) provides file- and folder-level encryption in Windows operating systems. EFS provides protection for both offline and run-time modes. One quick point to remember is that EFS is applied at the system level; when a file or folder is moved or copied from a system that uses EFS to protect data, the EFS protection is also removed.
NTFS details
The only thing that’s required to enable NTFS access controls is to ensure the partition is
formatted as NTFS. Once that is done, access controls are ready to be used. Be sure to set
appropriate NTFS file permissions to allow the Windows operating system to enforce desired run-time
access controls. Having appropriate folder structure and initial permissions allows the inheritance
properties of NTFS access controls to protect data appropriately.
EFS details
Similar to NTFS, EFS is simple to enable and to get working. Once an operating system that supports
EFS (Enterprise and Ultimate editions of Windows Vista and Windows 7, as well as Windows Server
2008) is in place, simply find a file or folder to protect with EFS, right-click the object, go to
Properties->General->Advanced->”Encrypt contents to secure data”, then select “OK”. At
this point, Windows will create the appropriate keys, encrypt the files or folder, and store the
keys needed for decryption in the user’s profile.
Of course, it’s important to make sure encrypted files can be recovered. There are two basic ways to do this:
- Use a data recovery agent (DRA) : This configuration option specifies an account, other than the owner’s, that can be used to decrypt a file. By default, the administrator account is the DRA (local admin for workgroup or standalone, 1st Active Directory [AD] Domain Controller [DC] administrator account in a domain). This is the preferred method.
- Allow additional users access to the encrypted file.
It is beyond the scope of this tip to describe these recovery methods in detail. You can investigate which option would work best in your customer’s environment by reviewing information on the Microsoft TechNet site. In general, however, using the default DRA, exporting the certificate and keeping it secure is the method that is most likely to work consistently for the various situations you might encounter.
Usage scenario
If you are deploying a software package for your customer, and you have already configured the
BitLocker settings for offline protection, you can then incorporate NTFS and EFS for even greater
protection.
First ensure the NTFS permissions are set to restrict access to the files that contain the sensitive information or keys to the application account that needs access to those files. Then use EFS to encrypt the files, in order to protect them from other users on the system.
At this point in time, you will have the following protections for your customer’s sensitive information:
- NTFS permission: Only the application user account, local SYSTEM and local administrator can access the files. This will be enforced by the running Windows operating system.
- EFS: Only the application user account and local administrator account will have the keys needed to decrypt the data. This will be enforced by the running Windows operating system, as well as encrypted data when the operating system was not running.
- BitLocker: The data will only be accessible after the volume is appropriately unlocked and the Windows operating system is up and running.
BitLocker, NTFS and EFS: A powerful set of free tools
As a reseller or IT consultant, you can leverage the combination of BitLocker, NTFS and EFS to
provide protection for data at rest, and the best part is there is no development required. These
are all built-in technologies that can be leveraged by you, and by your applications or
architecture designs, reducing potential cost to you and your customers.
About the author:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that
specializes in system security and management. He is a well-known authority in the areas of system
integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).
This was first published in April 2011
Join the conversationComment
Share
Comments
Results
Contribute to the conversation