Encrypting File System (EFS) in Windows Server 2003 Environment

In Windows 2000, Microsoft introduced Encrypted File System (EFS) - a new feature built into the operating system that makes securing user files much better than just file system permissions that have been available on NTFS partitions in previous versions of Windows. 

The main reason for this enhancement is that NTFS security can be easily circumvented once an attacker gains physical access to the computer. A number of readily available third-party tools can be used to provide read and write access to data stored on NTFS partitions by circumventing protection provided by the operating system. Once the system is booted from a floppy containing the third-party NTFS driver, the disk and all of its data becomes easily accessible. 

Although you can password protect the BIOS and restrict which devices are bootable, this still does not prevent someone from removing the hard drive, attaching it to another computer, and accessing it via another Windows 2000/XP installation or installing another instance of Windows altogether. Fortunately, EFS can help provide privacy of your data in such scenarios. 

EFS uses the combination of symmetrical and public/private key encryption to secure content designated by the user in files residing on NTFS partitions. The symmetrical key (created dynamically at the time of encryption and different for each encrypted file) is used to perform the encryption process and is stored together with the encrypted file. The public key is used for encryption of the symmetrical key and is also stored along with the encrypted file. The private key, necessary for decryption, resides within the user profile. This way the information stored on the hard drive, although still accessible via third-party utilities, is in an unreadable format and therefore useless without the private key. 

There are, however, still some possible security issues with the EFS that users should be aware of: