Step-by-Step Guide to EFS Recovery

In this scenario, John Smith is an employee who uses his domain credentials to access Example-Server01 directly. Many employees use this server to store their confidential customer data. John uses the folder C:\Example_Customer1 to store his exclusive customer’s data, and he uses EFS to encrypt the contents of this folder.

After a few months, John is asked to leave the company with immediate effect due to integrity issues, so the IT security administrator needs to recover the files he stored in C:\Example_Customer1.


Configuring EFS using Cipher.exe

In this exercise you will learn how to encrypt and decrypt files and folders using the cipher.exe command-line utility on Windows Server 2012 R2:

  1. Log on to Example-Server01 and create a new folder named Confidential_Docs on partition C.
  2. Double-click Confidential_Docs to open it, create a text document in it and name it Daily_Doc.txt.
  3. Double-click Daily_Doc.txt and type something in it. Click File, then Save, and then close the Notepad text editor.
  4. Open the Start screen, type cmd.exe and press Enter to open the Windows command line.
  5. Type the following command and press Enter to encrypt the Confidential_Docs folder and all the content inside:
     Cipher.exe /E /S:C:\Confidential_Docs
  6. To decrypt the same folder, use the following command:
     Cipher.exe /D /S:C:\Confidential_Docs


Step-by-Step Guide to Disable Encrypting File System (EFS)

You can disable EFS for a folder, a computer or even the entire domain. To disable EFS for a folder, create a file called Desktop.ini that contains:

[Encryption]

Disable=1

All you need to do is save this file in the folder in which you want EFS to be disabled. When a user tries to encrypt the folder or the files in it, the following message is shown: “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”

Please note that only the current folder and the files in it are affected by the Desktop.ini file. If you create a subfolder, both the subfolder and any files in it can be encrypted. Also, encrypted files can be copied or moved, without losing their encryption, into the directory that contains the Desktop.ini file.

Disabling EFS for a Stand-Alone Computer

If you want to disable EFS for the entire computer, you need to add an entry to the computer Registry:

  1. In the Run dialog box, type regedit.exe.
  2. Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Enter EfsConfiguration for the value name and 1 for the value data to disable EFS. (A value of 0 enables EFS.)
  5. Restart the computer.
  6. If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user that “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
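
The PowerShell script below is an added example, not part of the original guide. It audits both mechanisms described above: the EfsConfiguration registry value and the per-folder Desktop.ini marker, listing subfolders the marker does not cover and files that are still encrypted. The root path and the function names are assumptions chosen for illustration.

```powershell
# Added example. $Root is a hypothetical folder tree to review; function names are illustrative.
$Root = 'C:\Confidential_Docs'

function Test-EfsDisabledForComputer {
    # EfsConfiguration = 1 disables EFS; 0 (or a missing value) leaves it enabled.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $prop = Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.EfsConfiguration -eq 1)
}

function Test-EfsDisabledForFolder {
    param([string]$Folder)
    # True only when this folder's own Desktop.ini has Disable=1 under [Encryption].
    $ini = Join-Path $Folder 'Desktop.ini'
    if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) { return $false }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $ini) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'Encryption')
        } elseif ($inSection -and $text -match '^Disable\s*=\s*1$') {
            return $true
        }
    }
    return $false
}

"Computer-wide EFS disabled: $(Test-EfsDisabledForComputer)"

# Desktop.ini covers only its own folder, so every subfolder is checked separately.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
$report = foreach ($dir in $folders) {
    # Files copied or moved in keep their encryption, so count them even where Disable=1 is set.
    $encrypted = @(Get-ChildItem -LiteralPath $dir.FullName -File -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
    [pscustomobject]@{
        Folder              = $dir.FullName
        DesktopIniBlocksEfs = Test-EfsDisabledForFolder -Folder $dir.FullName
        EncryptedFiles      = $encrypted.Count
    }
}
$report | Format-Table -AutoSize
```

Rows where DesktopIniBlocksEfs is False are subfolders where users can still encrypt files. Rows where it is True but EncryptedFiles is greater than zero show files that were encrypted before the marker was added or were copied in afterwards.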
