Tuesday, October 24, 2017

Encrypting File System (EFS)

 

Many businesses share computers between multiple employees, and even if you have an assigned computer at your office it is probably connected to a network. Any networked computer can be accessed over the network given the proper permissions. Laptop computers are often used while traveling and thus have an increased risk of being stolen and having criminals gain access to sensitive business data stored on the computer.
 
One way to protect data on your computer is to use the Encrypting File System (EFS). The EFS on the business and professional versions (i.e. Windows 10 Pro, Enterprise, and Education) of Microsoft Windows provides file-level encryption to help protect data from attackers who have physical access to your computer. EFS encryption is tied to your user log-on credentials (password or access token), so if another user logs on to your computer, files protected with the EFS will not be accessible to that person. EFS also protects against off-line attacks, such as booting the computer from a CD or USB drive, or removing the hard drive from a password-protected computer and putting it in another computer to bypass operating system security.
  
To protect a file or folder with the EFS:
  1. Right-click a file or folder that you want to encrypt.
  2. Click Properties.
  3. Click Advanced, on the ‘General’ tab.
  4. Click the checkbox next to Encrypt contents to secure data.
  5. Click OK.
  6. Click Apply. A window will pop up asking you whether or not you want to only encrypt the selected folder, or the folder, subfolders, and files.
  7. Click either Apply changes to this folder only or Apply changes to this folder, subfolders, and files.
  8. Click OK.
 
Right-click the folder again, choose Properties, and select the 'Security' tab. In the 'Group or user names:' box ensure that only 'SYSTEM' and your own user name are present. If an ‘Administrators’ group is listed in this box you may want to remove it to prevent system administrators from being able to access these encrypted files.
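
The same procedure can be scripted and checked from PowerShell. The following is an added example, not part of the original post: it encrypts a folder with its subfolders and files, confirms that every item carries the Encrypted attribute, and lists any account on the folder's permission list other than 'SYSTEM' and your own user name. The folder path and the function names `Get-Tree` and `Protect-EfsFolder` are assumptions made for illustration.

```powershell
# Added example, not from the original post. $Folder is a hypothetical path.
param([string]$Folder = "$env:USERPROFILE\Documents\Sensitive")

# Return the folder itself plus everything beneath it (hidden items included).
function Get-Tree {
    param([string]$Path)
    Get-Item -LiteralPath $Path -Force
    Get-ChildItem -LiteralPath $Path -Recurse -Force
}

function Protect-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)

    # Steps 1-8: the scripted form of "Encrypt contents to secure data" with
    # "Apply changes to this folder, subfolders, and files".
    # [IO.File]::Encrypt wraps the Win32 EncryptFile API and accepts folder paths.
    foreach ($item in Get-Tree $Path) {
        if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
            [IO.File]::Encrypt($item.FullName)
        }
    }

    # Verify: re-read the attributes from disk and collect anything still in clear.
    $unencrypted = @(Get-Tree $Path | Where-Object {
        -not ($_.Attributes -band [IO.FileAttributes]::Encrypted)
    })

    # 'Security' tab check: report Allow entries for anyone except SYSTEM and you.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allowed = @('NT AUTHORITY\SYSTEM', $me)
    $extra   = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $allowed -notcontains $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Folder           = $Path
        UnencryptedItems = $unencrypted.FullName
        ExtraAclEntries  = $extra
        Clean            = ($unencrypted.Count -eq 0 -and $extra.Count -eq 0)
    }
}

if (Test-Path -LiteralPath $Folder -PathType Container) {
    Protect-EfsFolder -Path $Folder | Format-List
} else {
    Write-Warning "Folder not found: $Folder"
}
```

The script only reports extra permission entries such as 'BUILTIN\Administrators'; removing them is left as a manual decision on the 'Security' tab.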
 
The EFS is a useful tool on a network when you need to restrict access to specific files to specified users. Files and folders encrypted with the EFS are accessed normally when you are logged in with the proper account or token, but if you are not properly logged in you will be denied access to any EFS-encrypted document. It is important to note, however, that if your log-on credential changes (i.e. you get a new access token or delete your user account) you will lose access to any files encrypted with your old credential. In Windows 10, EFS-encrypted files have a small padlock displayed on the file icon. In Windows 7, EFS-encrypted filenames are displayed with green letters.
 
For more information about the EFS, I recommend the YouTube Video: MCTS 70-680: Encrypting File System (EFS).


 

