The Encrypting File System (EFS) on Microsoft Windows is a file system filter that provides filesystem-level encryption and was introduced in version 3.0 of NTFS. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

EFS is available in all versions of Windows meant for professional use from Windows 2000 onwards. However, since significant caveats exist for its use, no files are encrypted by default; encryption must be explicitly enabled by the user (in organizational settings it can also be mandated through Group Policy).

Cryptographic file system implementations for other operating systems are available, but generally incompatible with the Microsoft EFS. See also the list of cryptographic file systems.

Basic ideas

User authentication and access control lists can protect files from unauthorized access while the operating system is running, but are easily circumvented if an attacker gains physical access to the computer.

The most widely accepted solution is to store the files encrypted on the physical media (disks, USB pen drives, tapes, CDs and so on).

In the Microsoft Windows family of operating systems EFS enables this measure, although on NTFS drives only, and does so using a combination of public key cryptography and symmetric key cryptography to make decrypting the files extremely difficult without the correct key.

However, the cryptography keys for EFS are in practice protected by the user account password, and are therefore susceptible to most password attacks. In other words, encryption of files is only as strong as the password to unlock the decryption key.

Operation

EFS works by encrypting a file with a bulk symmetric key, also known as the File Encryption Key, or FEK. It uses a symmetric encryption algorithm because it takes a smaller amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric encryption algorithm used will vary depending on the version and configuration of the operating system; see Algorithms used by operating system version below. The FEK (the symmetric key that is used to encrypt the file) is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS alternate data stream of the encrypted file. To decrypt the file, the EFS component driver uses the private key that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. The EFS component driver then uses the symmetric key to decrypt the file. Because the encryption and decryption operations are performed at a layer below NTFS, they are transparent to the user and all their applications.

Folders whose contents are to be encrypted by the file system are marked with an encryption attribute. The EFS component driver treats this encryption attribute in a way that is analogous to the inheritance of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders that are created under the folder are also encrypted. When encrypted files are moved within an NTFS volume, the files remain encrypted. However, there are a number of occasions in which the file could be decrypted without the user explicitly asking Windows to do so.

Files and folders are decrypted before being copied to a volume formatted with another file system, such as FAT32. Likewise, when encrypted files are copied over the network using the SMB/CIFS protocol, they are decrypted before being sent over the network.

The most significant way of preventing the decryption-on-copy is using backup applications that are aware of the "Raw" APIs. Backup applications that have implemented these Raw APIs will simply copy the encrypted file stream and the $EFS alternate data stream as a single file. In other words, the files are "copied" (e.g. into the backup file) in encrypted form, and are not decrypted during backup.

Starting with Windows Vista, a user's private key can be stored on a smart card; Data Recovery Agent (DRA) keys can also be stored on a smart card.
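The following PowerShell is an added illustration, not code from the article or from Windows: it models the envelope described in the Operation section, with the file body encrypted under a random symmetric FEK and the FEK wrapped under each authorised RSA public key (one entry for the user, one for the recovery agent), so either private key can recover the file. Function names (Protect-Envelope, Unprotect-Envelope) and the key variables are hypothetical, and .NET RSA/AES classes stand in for the EFS driver.

```powershell
# Added model of the EFS envelope (illustration, not Microsoft's code). RSA-OAEP with
# SHA-1 is used only because every .NET RSA provider supports it.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function Protect-Envelope {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA[]]$Recipients)
    $aes = [System.Security.Cryptography.Aes]::Create()      # AES-CBC with PKCS7 by default
    $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # One wrapped copy of the FEK per recipient: this is what a DDF/DRF entry amounts to.
    $wrapped = New-Object 'System.Collections.Generic.List[byte[]]'
    foreach ($pub in $Recipients) { $wrapped.Add($pub.Encrypt($aes.Key, $Oaep)) }
    $iv = $aes.IV
    $aes.Dispose()                                            # zeroes the raw FEK
    [pscustomobject]@{ IV = $iv; Body = $body; WrappedFek = $wrapped }
}

function Unprotect-Envelope {
    param($Envelope, [System.Security.Cryptography.RSA]$PrivateKey)
    $fek = $null
    foreach ($entry in $Envelope.WrappedFek) {
        # Only the matching private key unwraps an entry; every other entry throws.
        try { $fek = $PrivateKey.Decrypt($entry, $Oaep); break } catch { }
    }
    if ($null -eq $fek) { throw 'no wrapped FEK in this envelope can be opened with this key' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Body, 0, $Envelope.Body.Length)
    $aes.Dispose()
    return ,$plain        # leading comma stops PowerShell from unrolling the byte array
}

# Constructed keys standing in for the user's EFS certificate, the DRA certificate,
# and an unrelated account that holds no entry in the envelope.
$userKey  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$draKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$otherKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$secret   = [Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$envelope = Protect-Envelope -Plaintext $secret -Recipients @($userKey, $draKey)

[Text.Encoding]::UTF8.GetString((Unprotect-Envelope $envelope $userKey))   # owner decrypts
[Text.Encoding]::UTF8.GetString((Unprotect-Envelope $envelope $draKey))    # so does the DRA
try { Unprotect-Envelope $envelope $otherKey } catch { "unrelated key: $($_.Exception.Message)" }
```

The last line is the point of the model: whoever holds a private key matching any wrapped entry, including a recovery-agent entry added later, can read the file, which is why control over the DRA configuration matters.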

Security

Vulnerabilities

Two significant security vulnerabilities existed in Windows 2000 EFS, and have been variously targeted since.

Decrypting files using the local Administrator account

In Windows 2000, the local administrator is the default Data Recovery Agent, capable of decrypting all files encrypted with EFS by any local user. EFS in Windows 2000 cannot function without a recovery agent, so there is always someone who can decrypt encrypted files of the users. Any non-domain-joined Windows 2000 computer will be susceptible to unauthorized EFS decryption by anyone who can take over the local Administrator account, which is trivial given many tools available freely on the Internet.

In Windows XP and later, there is no default local Data Recovery Agent and no requirement to have one. Setting SYSKEY to mode 2 or 3 (syskey typed in during bootup or stored on a floppy disk) will mitigate the risk of unauthorized decryption through the local Administrator account. This is because the local user's password hashes, stored in the SAM file, are encrypted with the Syskey, and the Syskey value is not available to an offline attacker who does not possess the Syskey passphrase/floppy.

Accessing private key via password reset

In Windows 2000, the user's RSA private key is not only stored in a truly encrypted form, but there is also a backup of the user's RSA private key that is more weakly protected. If an attacker gains physical access to the Windows 2000 computer and resets a local user account's password, the attacker can log in as that user (or recovery agent) and gain access to the RSA private key which can decrypt all files. This is because the backup of the user's RSA private key is encrypted with an LSA secret, which is accessible to any attacker who can elevate their login to LocalSystem (again, trivial given numerous tools on the Internet).

In Windows XP and beyond, the user's RSA private key is backed up using an offline public key whose matching private key is stored in one of two places: the password reset disk (if Windows XP is not a member of a domain) or in the Active Directory (if Windows XP is a member of a domain). This means that an attacker who can authenticate to Windows XP as LocalSystem still does not have access to a decryption key stored on the PC's hard drive.

In Windows 2000, XP or later, the user's RSA private key is encrypted using a hash of the user's NTLM password hash plus the user name; the use of a salted hash makes it extremely difficult to reverse the process and recover the private key without knowing the user's passphrase. Also, again, setting Syskey to mode 2 or 3 (Syskey typed in during bootup or stored on a floppy disk) will mitigate this attack, since the local user's password hash will be stored encrypted in the SAM file.

Other issues

Windows can store versions of user account passphrases with reversible encryption, though this is no longer default behaviour; it can also be configured to store (and will by default on the original version of Windows XP and lower) Lan Manager hashes of the local user account passphrases, which can be attacked and broken easily. It also stores local user account passphrases as NTLM hashes, which can be fairly easily attacked using "rainbow tables" if the passwords are weak (Windows Vista and later versions don't allow weak passwords by default). To mitigate the threat of trivial brute-force attacks on local passphrases, older versions of Windows need to be configured (using the Security Settings portion of Group Policy) to never store LM hashes, and of course, to not enable Autologon (which stores plaintext passphrases in the registry). Further, using local user account passphrases over 14 characters long prevents Windows from storing an LM hash in the SAM - and has the added benefit of making brute-force attacks against the NTLM hash harder. Of course, if you consider the fact that EFS uses Triple DES or AES to encrypt files, you should use proper passphrases over 20 characters long to achieve equivalent strength against brute-force attacks.

When encrypting files with EFS - when converting plaintext files to encrypted files - the plaintext files are not wiped, but simply deleted. This means that they can be easily recovered unless they are overwritten. To fully mitigate known, non-challenging technical attacks against EFS, you should configure encryption at the folder level (so that all temporary files like Word document backups which are created in these directories are also encrypted). When you wish to encrypt individual files, copy them to an encrypted folder or encrypt the file "in place", and then securely wipe the disk volume. You can use the Windows Cipher utility (with the /W option) to wipe free space including that which still contains deleted plaintext files; various third-party utilities may work as well.
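The following PowerShell audit is an added example, not from the article or from Microsoft. It covers the two preceding paragraphs: it reads the registry settings behind the LM-hash and Autologon advice, confirms that a folder carries the EFS encryption attribute, lists any unencrypted (for example temporary) files left inside it, and can run cipher /W to wipe the free space the article mentions. The folder path and the function names are assumptions.

```powershell
# Added audit script (not the article's own). $Folder is an assumed path; run elevated
# so the Lsa key is readable. -WipeFreeSpace invokes cipher /W, which takes a while.
param([string]$Folder = "$env:USERPROFILE\Secure", [switch]$WipeFreeSpace)

function Get-PasswordStorageRisk {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        LmHashesStored   = -not ($lsa.NoLMHash -eq 1)     # NoLMHash=1 stops LM hash storage; absent counts as risk
        AutoLogonEnabled = ($wl.AutoAdminLogon -eq '1')   # REG_SZ flag for Autologon
        PlaintextPwInReg = [bool]$wl.DefaultPassword      # Autologon keeps the passphrase here
    }
}

function Get-EfsFolderReport {
    param([string]$Path)
    $enc = [IO.FileAttributes]::Encrypted
    $dir = Get-Item -LiteralPath $Path
    # -Force includes hidden files such as Word's ~$ backups that the text warns about.
    $plain = Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
             Where-Object { ($_.Attributes -band $enc) -ne $enc }
    [pscustomobject]@{
        Folder         = $Path
        FolderMarked   = (($dir.Attributes -band $enc) -eq $enc)
        PlaintextFiles = @($plain | ForEach-Object FullName)
    }
}

Get-PasswordStorageRisk
$report = Get-EfsFolderReport -Path $Folder
$report
if (-not $report.FolderMarked -or $report.PlaintextFiles.Count -gt 0) {
    Write-Warning "Folder is not fully encrypted; 'cipher /E /S:<dir>' marks it and its contents."
}
if ($WipeFreeSpace) { cipher.exe "/W:$Folder" }   # wipes free space on the folder's volume
```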

Anyone that can gain Administrators access can overwrite, override or change the Data Recovery Agent configuration. This is a very serious issue, since an attacker can for example hack the Administrator account (using third-party tools), set whatever DRA certificate they want as the Data Recovery Agent and wait. This is sometimes referred to as a t
