This is the second of a two-part tip about protecting data at rest with BitLocker. In our first tip, How to use BitLocker as part of a customer data protection program, we defined “data at rest,” and talked about utilizing three Windows technologies -- BitLocker, NTFS and EFS -- to provide that protection. We covered the overall function of the three technologies, and discussed some specific BitLocker settings and details. In this second part of the tip, we will talk about the Encrypting File System (EFS) and NTFS permissions, and then run through a scenario where the three technologies might be used.
EFS and NTFS permissions
First let’s review the purpose of NTFS and EFS in the context of protecting data at rest.
NTFS (New Technology File System) provides access control (i.e., permissions) for data at rest. NTFS permissions provide run-time protection only: the running Windows kernel checks a file or folder's ACL each time a process opens it. NTFS provides no offline protection at all. Anyone who boots the machine from other media, or removes the disk and mounts it elsewhere, reads every file regardless of its ACL.
Encrypting File System (EFS) provides file- and folder-level encryption on NTFS volumes. EFS protects data in both run-time and offline modes: at run time other users on the system cannot decrypt the file without the owner's private key, and offline the file is ciphertext that is useless without that key. The key itself lives in the user's profile, protected by DPAPI with the user's logon password, which is why the strength of that password matters for offline protection. One point to remember is that EFS protection is a property of the file on its NTFS volume, not of the data: when a file is copied or moved to a location that does not support EFS (a FAT or exFAT volume, removable media, most network shares), Windows decrypts it on the way and the copy is plaintext.
The only thing required to enable NTFS access controls is to format the partition as NTFS. Once that is done, access controls are ready to be used, but "ready" does not mean "restrictive": a new folder inherits its parent's ACL, and the default ACLs on the system drive let ordinary users read most locations. Plan the folder structure first and set the restrictive permissions at the top of it, so that NTFS inheritance applies them to everything created underneath.
Similar to NTFS, EFS is simple to enable. Once an operating system that supports EFS is in place (Windows Vista Business, Enterprise and Ultimate; Windows 7 Professional, Enterprise and Ultimate; Windows Server 2008), find the file or folder to protect, right-click it, go to Properties->General->Advanced->"Encrypt contents to secure data", then select "OK". At this point Windows generates an EFS certificate and key pair for the user if none exists, encrypts each file with its own file encryption key, wraps that key with the user's public key, and stores the private key in the user's profile. Encrypt the folder rather than individual files, so that files created or modified in it later are encrypted too.
Of course, it’s important to make sure encrypted files can be recovered. There are two basic ways to do this:
- Use a data recovery agent (DRA): This configuration option specifies an account, other than the owner's, whose certificate is added to every encrypted file so that it can also decrypt the file. In a domain, the domain's built-in Administrator account is the DRA by default; its recovery certificate is created on the first Active Directory domain controller and published through the Default Domain Policy. A standalone or workgroup system running Windows XP or later has no default DRA, so one must be created (cipher /r) and added under Public Key Policies->Encrypting File System in Local Security Policy. Files encrypted before the DRA existed do not reference it until they are next touched (cipher /u does this in bulk). This is the preferred method.
- Allow additional users access to the encrypted file: add their EFS certificates to the file through the Details button in the Advanced Attributes dialog, or with cipher /adduser. This is per file and does not scale, but is useful when a second account must read a specific file at run time.
It is beyond the scope of this tip to describe these recovery methods in detail. You can investigate which option would work best in your customer's environment by reviewing information on the Microsoft TechNet site. In general, however, configuring a DRA, exporting its certificate and private key, and keeping that private key secure off the protected system is the method most likely to work consistently across the situations you will encounter.
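The DRA setup above, as an added example that is not part of the original tip and not a Microsoft-supplied script, for a standalone Windows 7 or Server 2008 system. The directory C:\EfsRecovery, the file name EfsDra and the account svc_app are assumed names; adding the certificate to policy is a Local Security Policy (or GPO) step that cipher cannot do, so it appears as a comment.

```powershell
# Added example (not from the original article): create an EFS data
# recovery agent, make existing files reference it, and back up keys.
# C:\EfsRecovery, EfsDra and svc_app are hypothetical names.
$KeyDir = 'C:\EfsRecovery'
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# cipher /r writes EfsDra.cer (public certificate, goes into policy) and
# EfsDra.pfx (private key; cipher prompts for a password to protect it).
# Move the .pfx off this machine and into escrow once it exists.
cipher /r:"$KeyDir\EfsDra"

# Add EfsDra.cer as the DRA: gpedit.msc -> Computer Configuration ->
# Windows Settings -> Security Settings -> Public Key Policies ->
# Encrypting File System -> Add Data Recovery Agent (same path in a
# domain GPO). Then refresh the machine's policy.
gpupdate /target:computer /force

# Files encrypted before the DRA existed only pick it up when touched;
# cipher /u rewrites the key blobs of every encrypted file on local drives.
cipher /u

# Check a file: the "Recovery Certificates" section of the output must now
# list the DRA's thumbprint alongside the encrypting user.
cipher /c "C:\AppData\Secrets\config.xml"

# Separately, run as the encrypting user (here svc_app) to back up that
# account's own EFS certificate and private key to a password-protected .pfx.
cipher /x:"$KeyDir\svc_app_efs"
```

Keep the DRA's .pfx and the user backup off the protected host; a recovery key that lives next to the data it recovers defeats the purpose of EFS once BitLocker is unlocked. If the DRA certificate is later replaced, run cipher /u again so that files reference the new agent.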
If you are deploying a software package for your customer, and you have already configured the BitLocker settings for offline protection, you can then incorporate NTFS and EFS for even greater protection.
First ensure the NTFS permissions on the files that hold the sensitive information or keys are restricted to the application account that needs them (plus SYSTEM and Administrators, which need access to manage the host). Then encrypt the files with EFS while running as that application account, so the file encryption key is wrapped with that account's certificate; if an administrator encrypts them instead, only the administrator can read them and the application will fail to open its own files. EFS then protects the files from other users on the system, and from anyone who reads the volume outside Windows.
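The two-step procedure above, as an added example that is not part of the original tip: NTFS first, then EFS, then a check of who can actually decrypt. The folder C:\AppData\Secrets and the local account svc_app are assumed names; step 1 is run by an administrator, steps 2 and 3 in a session running as svc_app (for example via runas /user:svc_app powershell).

```powershell
# Added example (not from the original article): restrict a secrets folder
# with NTFS permissions, encrypt it with EFS as the application account,
# and verify the result. C:\AppData\Secrets and svc_app are hypothetical.
$Folder  = 'C:\AppData\Secrets'
$AppUser = "$env:COMPUTERNAME\svc_app"

# 1. NTFS (run as an administrator).
#    /inheritance:r strips the ACEs inherited from C:\, which would otherwise
#    let every local user read the folder. /grant:r replaces any existing
#    explicit grant; (OI)(CI) propagates to files and subfolders. The
#    application account gets Modify (M), not Full control, so it cannot
#    change the ACL that restricts it.
icacls $Folder /inheritance:r
icacls $Folder /grant:r "$($AppUser):(OI)(CI)M" `
                        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                        'BUILTIN\Administrators:(OI)(CI)F'

# 2. EFS (run as svc_app, so the file encryption keys are wrapped with
#    svc_app's certificate). /e marks the directory so new files are
#    encrypted; /a also encrypts the files already present; /s recurses.
cipher /e /a /s:$Folder

# 3. Verify. cipher /c prints, per file, the users whose certificates can
#    unwrap the key and any recovery certificates. Anything other than
#    svc_app and your DRA here is a finding.
cipher /c /s:$Folder

# Optional NTFS check from the same session: the ACL should show only the
# three principals granted above.
icacls $Folder
```

Do the NTFS step before the EFS step: EFS stops other users from reading the contents, but the ACL is what stops them from deleting or replacing the files. If the application runs as a service, svc_app needs a real password-based profile for DPAPI to unlock its EFS private key at logon; an account whose profile never loads cannot decrypt.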
At this point in time, you will have the following protections for your customer’s sensitive information:
- NTFS permissions: Only the application account, local SYSTEM and the local Administrators group can open the files. This is enforced by the running Windows kernel and stops other users and compromised low-privilege processes; it does not stop an administrator, who can always take ownership, and it does nothing once the disk is read outside Windows.
- EFS: Only the application account, and whichever DRA or additional users you configured, hold a key that can decrypt the data. At run time the running Windows operating system enforces this; offline, anyone who bypasses the ACL by mounting the volume elsewhere still sees only ciphertext, and the private key they would need is in the application account's profile, protected by that account's password.
- BitLocker: The whole volume is accessible only after it has been unlocked (TPM, TPM plus PIN, startup key or recovery password) and Windows is running. A removed or imaged disk yields ciphertext, so an offline attacker never even reaches the NTFS or EFS layers.
BitLocker, NTFS and EFS: A powerful set of free tools
As a reseller or IT consultant, you can leverage the combination of BitLocker, NTFS and EFS to provide protection for data at rest, and the best part is there is no development required. These are all built-in technologies that can be leveraged by you, and by your applications or architecture designs, reducing potential cost to you and your customers.
About the author:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).