70-680 Study Guide - Configure File and Folder Access

Encrypting File System (EFS):

Windows 7 includes the encrypting file system (EFS), which allows users to encrypt and decrypt files that are stored on an NTFS volume. This technology is only available in the Professional, Enterprise, and Ultimate editions of Windows 7. By using EFS, folders and files are kept secure against intruders who might gain unauthorized physical access to the device, for example, by stealing a computer or a removable drive.

EFS uses a process known as public key encryption. In public key encryption, a user has two keys: a public key, carried in the user's certificate, and a private key. The public key is kept in the computer's store and is accessible to everyone; anyone can use it to encrypt data. The private key is kept in the user's private certificate store and can be used only by that user; it decrypts data that was encrypted with the public key. The first time a user encrypts a file on a computer running Windows 7, the computer creates an EFS certificate and private key. This also lets you encrypt data on an external drive, flash drive, and so on. EFS encryption works so that even if a user has read access to a file on a flash drive, for example, they cannot actually open the file unless they have the appropriate encryption certificate.

Files and folders on a drive can only be encrypted if the drive is formatted with the NTFS file system. Also, a file or folder cannot be both encrypted and compressed at the same time. If a file or folder is compressed and you encrypt it, the compression will be lost. If you COPY an encrypted file to a compressed folder, the file will remain compressed - not encrypted. If you MOVE a compressed file to an encrypted folder, the file will decompress and become encrypted. If you copy an encrypted file or folder to a FAT32 volume, Windows 7 decrypts the file when it is copied.

You can encrypt a file with EFS using the following steps:
  1. Right-click the folder or file you want to encrypt and then click Properties.
  2. Click the General tab and then click Advanced.
  3. Select the Encrypt contents to secure data checkbox and then click OK.

Encrypted file icons are colored green in Windows Explorer. To decrypt files and folders, follow the same steps but clear the Encrypt contents to secure data checkbox.

If the encrypted file needs to be shared with another user on the same computer, they need to export their EFS certificate. You would then import it and add the certificate to the shared file.

The first time you encrypt a folder or file, you should back up your encryption certificate. If your certificate and key are lost or damaged, and you do not have a backup, you won’t be able to access the folders/files that you have encrypted. Read Back up Encrypting File System (EFS) certificate for instructions on this.

To recover encrypted files with lost or damaged keys, you use a special EFS recovery certificate. To use this special certificate, you have to create the recovery certificate, install it, and then update the other EFS certificates with the recovery certificate. To create the recovery certificate, follow these steps:
  1. Click Start and enter cmd into the search box to open a command prompt.
  2. If you are using removable media such as a disk or flash drive (recommended) to store your certificate, plug it in now.
  3. Navigate to the directory on the drive where you want to store the recovery certificate by typing the drive letter and then pressing Enter.
  4. Type cipher /r:filename (where filename is the name that you want to give to the recovery certificate) and then press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. The recovery certificate will be saved to the location you specified.

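
The sharing step (adding another user's certificate to the file) and the recovery certificate both rest on one idea the guide describes only by its clicks: the file is encrypted once with a file encryption key (FEK), and that key is wrapped separately to every permitted certificate, so a certificate can be added without re-encrypting the data. The following is an added model written for this guide, not Windows code and not EFS's real on-disk format; it assumes a deliberately tiny toy RSA key pair in place of a real EFS certificate and private key.

```python
# Added example, not code from the study guide or from Windows: a simplified
# model of how EFS lets more than one certificate open the same file. A toy
# RSA key pair stands in for a user's EFS certificate and private key.
import hashlib
import secrets

def _random_prime(bits=32):
    # Trial division is fine for toy keys and useless for real ones
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % f for f in range(3, int(c ** 0.5) + 1, 2)):
            return c

def make_key_pair():
    """Return (certificate, private_key) as RSA tuples (n, e) and (n, d)."""
    while True:
        p, q = _random_prime(), _random_prime()
        phi, e = (p - 1) * (q - 1), 65537
        if p != q and phi % e:       # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _stream(fek, data):
    """Symmetric part: XOR with a SHA-256 counter keystream derived from the FEK."""
    out = b''.join(hashlib.sha256(fek + i.to_bytes(4, 'big')).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt_file(plaintext, certificates):
    """Encrypt the data once with a random file encryption key (FEK), then
    wrap that FEK to every certificate: one entry per user who may open it."""
    fek = secrets.token_bytes(7)     # 56 bits, below every toy modulus (>= 2**62)
    m = int.from_bytes(fek, 'big')
    return {'data': _stream(fek, plaintext),
            'keys': {n: pow(m, e, n) for n, e in certificates}}

def _unwrap(blob, private_key):
    n, d = private_key
    if n not in blob['keys']:
        raise PermissionError('this certificate has no key entry on the file')
    return pow(blob['keys'][n], d, n)

def decrypt_file(blob, private_key):
    fek = _unwrap(blob, private_key).to_bytes(7, 'big')
    return _stream(fek, blob['data'])

def add_certificate(blob, holder_private_key, new_certificate):
    """Share the file, or add a recovery certificate, without re-encrypting the
    data: a current key holder unwraps the FEK and wraps it to the new key."""
    new_n, new_e = new_certificate
    blob['keys'][new_n] = pow(_unwrap(blob, holder_private_key), new_e, new_n)
```

Losing the only private key that has an entry on the file leaves the FEK unrecoverable, which is why the guide tells you to back up the certificate and why a recovery certificate is added before it is needed.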
Permissions:

In the last section of this guide, sharing was discussed and the topic of permissions came up several times. Below we will explain permissions in more detail. Read the following carefully and note the distinctions between FILE and FOLDER.

NTFS File Permissions:
NTFS file permissions are used to control the access that a user, group, or application has to folders and files. They are referred to as NTFS permissions because a drive must be formatted with NTFS in order to use them. This first table displays the available permissions for files.

Full Control - Read, write, modify, execute, change attributes, permissions, and take ownership of the file.
Modify - Read, write, modify, execute, and change the file's attributes.
Read & Execute - Display the file's data, attributes, owner, and permissions, and run the file (if it's a program or has a program associated with it for which you have the necessary permissions).
Read - Display the file's data, attributes, owner, and permissions.
Write - Write to the file, append to the file, and read or change its attributes.

Windows 7 has the option of denying a user or users a particular permission. For example, if you want to make sure that Bob is unable to read any files, simply deny him Read permission. Permissions are cumulative, except for Deny, which overrides everything. By cumulative, we mean that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups that the user is a member of. For example, if Bob is assigned Read access to a file, and the "sales" group that Bob is a member of has Write permission assigned, Bob's effective permissions are Read and Write for that file.

NTFS Folder Permissions:
NTFS folder permissions determine the access that is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. The following table displays the various permissions for folders.

Full Control - Read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within.
Modify - Read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
Read & Execute - Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions).
List Folder Contents - Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions).
Read - Display the file's data, attributes, owner, and permissions.
Write - Write to the file, append to the file, and read or change its attributes.

The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and are therefore distinct permissions. Files can inherit the Read & Execute permission but cannot inherit the List Folder Contents permission. Folders can inherit both.

File permissions override folder permissions. For example, let's say that Bob has Read access to a file called file.txt which is located in a folder that he has no access to. In this case, the file will be invisible to Bob; since he cannot list the folder contents, he would have to access the file using the UNC path or the logical file path.

Special Access File Permissions:
Windows 2000 and 2003 also support special access permissions, which are made by combining other permissions. The following tables show the special access permissions and the recipes to make them.

File Special Permissions        Full Control  Modify  Read & Execute  Read  Write
Traverse Folder/Execute File         X          X           X
List Folder/Read Data                X          X           X          X
Read Attributes                      X          X           X          X
Read Extended Attributes             X          X           X          X
Create Files/Write Data              X          X                             X
Create Folders/Append Data           X          X                             X
Write Attributes                     X          X                             X
Write Extended Attributes            X          X                             X
Delete Subfolders and Files          X
Delete                               X          X
Read Permissions                     X          X           X          X      X
Change Permissions                   X
Take Ownership                       X
Synchronize                          X          X           X          X      X

Special Access Folder Permissions:
Below are the special access permissions for folders.

Folder Special Permissions      Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File         X          X           X                  X
List Folder/Read Data                X          X           X                  X             X
Read Attributes                      X          X           X                  X             X
Read Extended Attributes             X          X           X                  X             X
Create Files/Write Data              X          X                                                   X
Create Folders/Append Data           X          X                                                   X
Write Attributes                     X          X                                                   X
Write Extended Attributes            X          X                                                   X
Delete Subfolders and Files          X
Delete                               X          X
Read Permissions                     X          X           X                  X             X      X
Change Permissions                   X
Take Ownership                       X
Synchronize                          X          X           X                  X             X      X

Remember that file permissions override the permissions of the parent folder. Any time a new file is created, it inherits permissions from the target folder.

Share Permissions:
Share-level permissions only apply when a file or folder is being accessed over the network; they do not apply to a user logged on to the machine locally. The following are the different share-level permissions:

Read - View files and subdirectories and execute applications. No changes can be made.
Change - Includes Read permissions plus the ability to add, delete, or change files or subdirectories.
Full Control - Can perform any and all functions on all files and folders within the share.

The Deny permission can also be applied to shares. The Deny permission overrides all others. When folders on FAT and FAT32 volumes are shared, only the share level permissions apply as these systems do not support file and directory (NTFS) permissions. When folders on NTFS volumes are shared, the effective permission of the user will be the most restrictive of the NTFS and share permissions. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of read and file permissions of full control, his effective permissions would be read. Conversely, if his share permissions are full control and his file permissions are read, he will still only have read permissions to mystuff.

Effective Permissions:
Determining effective permissions can get confusing, especially on enterprise networks. Windows 7 provides help with this. To view effective permissions, follow these steps:
  1. Right-click the file or folder whose effective permissions you want to find and click Properties.
  2. Click the Security tab and then the Advanced button.
  3. In the new window, click the Effective Permissions tab. Type in a group or user to check.

This feature lists the permissions that would be granted to the selected group or user based solely on the permissions granted directly through group membership. It does not take into account share permissions.
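
The rules spread across the sections above (allow entries accumulate across the user and their groups, Deny overrides everything, and a network access is capped by the most restrictive of the NTFS and share permissions) can be checked against a small model. The following is an added example written for this guide, not Windows code; the ACL entries for Bob and the "sales" group are constructed samples, and the expansion of each basic permission into special permissions is taken from the file table above.

```python
# Added example, not code from the study guide: a model of the effective-
# permission rules above, with the file special-permission table as data.
SPECIAL = [
    'Traverse Folder/Execute File', 'List Folder/Read Data', 'Read Attributes',
    'Read Extended Attributes', 'Create Files/Write Data',
    'Create Folders/Append Data', 'Write Attributes', 'Write Extended Attributes',
    'Delete Subfolders and Files', 'Delete', 'Read Permissions',
    'Change Permissions', 'Take Ownership', 'Synchronize',
]
# Each basic file permission expanded into the special permissions it contains
READ = {SPECIAL[i] for i in (1, 2, 3, 10, 13)}
WRITE = {SPECIAL[i] for i in (4, 5, 6, 7, 10, 13)}
READ_EXECUTE = READ | {SPECIAL[0]}
MODIFY = READ_EXECUTE | WRITE | {SPECIAL[9]}
BASIC = {'Full Control': set(SPECIAL), 'Modify': MODIFY,
         'Read & Execute': READ_EXECUTE, 'Read': READ, 'Write': WRITE}
# Share-level permissions: Read = view and run, Change = Read plus add/delete/change
SHARE = {'Read': READ_EXECUTE, 'Change': MODIFY, 'Full Control': set(SPECIAL)}

def effective_ntfs(acl, user, groups):
    """acl: list of (principal, 'Allow' | 'Deny', basic permission). Allow entries
    for the user and all their groups accumulate; any Deny entry removes rights."""
    members = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in members:
            (allowed if kind == 'Allow' else denied).update(BASIC[perm])
    return allowed - denied

def effective_over_share(ntfs_rights, share_permission):
    """Access over the network is capped by the share: the most restrictive wins."""
    return ntfs_rights & SHARE[share_permission]

def as_basic(rights):
    """Names of the basic permissions whose special rights are all present."""
    return sorted(name for name, needed in BASIC.items() if needed <= rights)

def demo():
    # Constructed sample: Bob is allowed Read on file.txt and belongs to 'sales'
    acl = [('Bob', 'Allow', 'Read'), ('sales', 'Allow', 'Write')]
    local = effective_ntfs(acl, 'Bob', ['sales'])            # Read and Write
    # An explicit Deny Read for Bob also strips Read Permissions and
    # Synchronize, which Write depends on, so no basic permission survives
    denied = effective_ntfs(acl + [('Bob', 'Deny', 'Read')], 'Bob', ['sales'])
    # Full Control on the file, but reached through a share granting only Read
    remote = effective_over_share(
        effective_ntfs([('Bob', 'Allow', 'Full Control')], 'Bob', []), 'Read')
    return {'local': as_basic(local), 'after_deny': as_basic(denied),
            'via_share': as_basic(remote)}
```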

Copying, Moving, and Inheritance:

The next table shows what happens to files when they are copied or moved within or across NTFS partitions.

Moving within a partition - Does not create a new file; simply updates the location in the directory. The file keeps its original permissions.
Moving across partitions - Creates a new file and deletes the old one. The file inherits the target folder's permissions.
Copying within a partition - Creates a new file which inherits the permissions of the target folder.