Limiting Access
Through ACLs (access-control lists) of user and group permissions, Windows NT and its descendant, Windows 2000, effectively control users' access to files on NTFS (NT File System) disks. However, those ACLs are enforced only by the running operating system; nothing protects the bytes on the disk itself. Disk data remains vulnerable to anyone who can gain physical access to the system. Someone with malice in mind need only stick a DOS boot disk in the system, reboot it and then run Winternals Software's NTFSDOS. With that inexpensive tool, a meddler would have access to every file on the system, ACLs notwithstanding.
Administrators have relied on physical security, BIOS power-on passwords and even removing the floppy and CD-ROM drives from their systems. Although these techniques work well at headquarters--where all the servers are in a card-key protected data center guarded 24x7--they break down in branch offices, where social engineering around the safeguards is easier: Users there store valuable data on workstations' local hard drives, servers share space with the coffee pot and cleaners have the office to themselves after 6 p.m.
A lost, stolen or misdirected laptop can pose an even bigger problem, as Qualcomm CEO Irwin Jacobs learned this past September. Jacobs' IBM laptop, which had been used for a slide-show-type presentation focusing on Qualcomm's wireless telecommunications technology, disappeared as Jacobs left the podium to chat with members of the audience at a conference. According to The Associated Press, the password-protected system contained proprietary information that could be valuable to foreign governments.
Assuming that the theft was a case of corporate espionage, as opposed to a simple snatch, the thief acquired not only $4,000 worth of sexy black status symbol but also information he or she could sell to competitors, or use for blackmail or insider trading.
Best Bet: Encryption
The only way to protect data on systems that may fall into the hands of "black hats" is to encrypt it. Unless your laptop was stolen by the National Security Agency (in which case you have even bigger problems), a hard drive full of strongly encrypted files is just a fast-spinning stack of aluminum Frisbees.
File-encryption and disk-locking programs like Symantec Corp.'s Norton Your Eyes Only and PGP have been available for a long time, but they've been difficult to install and use and required users to remember additional passwords or pass-phrases. File encryption requires that users remember to encrypt files before leaving the office and forces them to decrypt files when needed. Even worse, users have to remember not to leave decrypted copies of files lying around on their hard drives.
Having been designed to let an individual user protect his or her data, rather than to help a corporate IT department protect information assets, these products also typically lack data-recovery features, such as key escrow. These features are critical to recovering data when users forget their passwords or encryption keys, or leave the organization. You can spend many hours cracking a user's forgotten passwords to gain access to that really important file he or she encrypted at 3 a.m. A built-in data-recovery system could save many hours of labor and ensure that the data is always recovered.
Automatic Encryption
EFS, a standard, always-installed feature of Windows 2000's NTFS 5, tries to solve these problems by providing a simple-to-use, almost completely transparent encryption system for Windows 2000 systems on NTFS disks, complete with designated data-recovery agents. All you need to do to start encrypting files is to set the "Encrypt contents to secure data" attribute on the folder in which you want to store your encrypted data and start copying and saving files (the cipher command-line tool that ships with Windows 2000 does the same from a script: cipher /e /s:foldername). Because EFS lives in the file system, files are transparently encrypted as they are written to disk and decrypted as they are read back. As a result, you can encrypt your users' data in their home directories on a Windows 2000 server even if the users are still running client operating systems with no serious data security of their own, such as Windows 95. Two caveats apply to that scenario. Encrypting on a remote server requires that the server's computer account be trusted for delegation, because EFS needs the user's certificate and private key on the server to do its work. And when a workstation opens a file in an encrypted directory on the server, the data is decrypted at the server and then sent to the workstation across the wire in the clear unless the connection itself is protected, for example with IPsec. EFS protects data at rest, not data in transit.
Unlike methods that encrypt and decrypt files on a user's command, automatic encryption extends to the temporary copies of files that applications create: any file written into an encrypted folder is encrypted, including the scratch copy that Microsoft Office, following Windows' recommended temporary-file conventions, keeps next to the document it's editing. Applications that write their temp files elsewhere, typically the user's %TEMP% directory, may still leave plaintext behind, so mark that directory for encryption as well.
Even a senior vice president should be able to handle encrypting files if you set up his or her laptop to run Windows 2000 with the My Documents directory encrypted. If the user copies a file to a floppy disk or attaches it to an e-mail, it's automatically decrypted, so he or she can't accidentally send an encrypted file to an important client. Of course, since the file leaves the machine in the clear, using S/MIME (Secure MIME) on the e-mail program might be a good idea here. Once the files are encrypted, any other user who tries to open one will get an "access denied" message, because the file system has no key with which to decrypt it for that user. Note that EFS protects a file's contents, not its name or its existence: a user holding the NTFS delete right can still delete an encrypted file he or she cannot read, so the ACLs still matter.
Unfortunately, the initial release of EFS doesn't support encrypted files or directories that are accessible by multiple users. Microsoft plans to add this feature in the future.
Of course there are times, such as when you're sending files through insecure transports like interoffice mail or the Internet, when you want a file to stay encrypted even though it is no longer in an encrypted folder on an NTFS volume. Windows 2000 exposes the raw form of an encrypted file, ciphertext plus its key fields, through the EFS backup API (ReadEncryptedFileRaw and WriteEncryptedFileRaw), which is what Windows 2000-aware backup programs call. The raw stream can be written to any media the system supports, but it can be restored only to an NTFS volume on Windows 2000, where the file remains encrypted; a plain copy to a FAT-formatted floppy or to a share on a non-NTFS server, by contrast, produces plaintext. Once the raw file is back on an NTFS volume, you must log in either as the user who encrypted it or as one of its recovery agents to open it.
You manage recovery agents through the Group Policy MMC (Microsoft Management Console) snap-in for Windows 2000 domains (under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypted Data Recovery Agents) or through the Local Security Policy snap-in on a stand-alone Windows 2000 Professional workstation. Once you've issued a user a recovery certificate, you can designate that user or certificate as a recovery agent for a domain or an OU (organizational unit). By default, the Administrator account is the recovery agent for the entire domain or system. In a typical organization, you would create several OUs--one for normal users, another for highly sensitive data like HR material and one for senior executives. On the highly sensitive OUs, you would replace the administrator as recovery agent with a dedicated recovery-agent user account, with the password stored in a sealed envelope in the VP of HR's safe. While you're at it, select "export" from the "all tasks" menu in the Certificates snap-in, export the recovery certificate together with its private key (a password-protected .pfx file), tick the option to delete the private key from the machine once the export succeeds, and put that disk in the safe as well; a recovery key that stays on an administrator's hard drive protects nothing from an administrator-level attacker. One caution: Windows 2000 treats an empty recovery-agent policy as "EFS disabled," so replace the default agent rather than simply removing it.
This flexibility to create recovery agents specifically for these sensitive groups finally lets us as system administrators tell senior managers they can keep their data on the server, where we can back it up without needing to have access to the data. Windows 2000-aware backup applications, including Veritas Software's Backup Exec and Computer Associates International's ArcserveIT, back up EFS files without decrypting them.
What Makes EFS Tick
Like all new toys, EFS sounds just great at first. Now that we've kicked the tires, let's look under the hood and see how it works. When a user saves a file to an encrypted directory or changes the attributes on a file to "encrypted," EFS generates a random 128-bit file-encryption key (FEK) and uses it to encrypt the file's contents with DESX. (Forty-bit keys are used in international versions of Windows 2000.) The FEK itself is then encrypted with the user's public key and stored alongside the file, in its $EFS attribute, in a new field called the data-decryption field (DDF). Finally, the public key of each recovery agent in effect at encryption time is used to encrypt another copy of the FEK, producing one data-recovery field (DRF) per agent. The contents are encrypted only once; it is the small FEK that is wrapped once per key holder, which is what makes adding recovery agents cheap.
When the user opens the file, his or her private key decrypts the DDF, and the resulting FEK decrypts the file. If the user leaves the company or forgets his or her password, the network administrator can use the Windows 2000 resource-kit utility EFSinfo to view the designated recovery agents for the files and folders. A recovery agent can then decrypt the files with the EFSrecvr command-line utility, or simply log on to a machine where the recovery certificate's private key has been imported from the .pfx in the safe, open the file and clear its encrypted attribute with cipher /d. Either way the recovery agent never needs the user's key: the DRF is an independent wrapping of the same FEK.
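The key hierarchy just described, as an added worked model (this is illustrative code written for this article, not Microsoft's EFS implementation): a random per-file key encrypts the contents, and that key is wrapped once for the owner (the DDF) and once per recovery agent (the DRFs). The model stands in AES-128-GCM for DESX and RSA-OAEP for EFS's public-key wrapping, identifies key holders by a hypothetical principal name rather than a certificate thumbprint, and uses constructed keys and content; the names encryptFile, openFile, keyField and encryptedFile are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyField is one DDF (data-decryption field) or DRF (data-recovery field) entry: the FEK wrapped
// under one principal's public key (real EFS finds the key by certificate thumbprint; this model uses a name).
type keyField struct {
	principal  string
	wrappedFEK []byte
}

// encryptedFile models an EFS file: ciphertext plus the key fields Windows keeps in its $EFS attribute.
type encryptedFile struct {
	nonce, ciphertext []byte
	ddf               []keyField // one per user allowed to open the file
	drf               []keyField // one per recovery agent in policy when the file was encrypted
}

// RSA-OAEP stands in for EFS's public-key wrapping of the FEK.
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

// AES-128-GCM stands in for the DESX Windows 2000 used on contents; neither call can fail for a 16-byte FEK.
func newGCM(fek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// encryptFile is the write path: a fresh random FEK encrypts the content, then the FEK is
// wrapped once for the owner (DDF) and once for every recovery agent (DRF).
func encryptFile(plaintext []byte, owner string, ownerPub *rsa.PublicKey,
	agents map[string]*rsa.PublicKey) (*encryptedFile, error) {
	keyAndNonce := make([]byte, 28) // 16-byte FEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(keyAndNonce); err != nil {
		return nil, err
	}
	fek, nonce := keyAndNonce[:16], keyAndNonce[16:]
	ef := &encryptedFile{nonce: nonce, ciphertext: newGCM(fek).Seal(nil, nonce, plaintext, nil)}
	w, err := wrapFEK(ownerPub, fek)
	if err != nil {
		return nil, err
	}
	ef.ddf = append(ef.ddf, keyField{owner, w})
	for name, pub := range agents {
		if w, err = wrapFEK(pub, fek); err != nil {
			return nil, err
		}
		ef.drf = append(ef.drf, keyField{name, w})
	}
	return ef, nil
}

// openFile is the read path: find the caller's DDF or DRF entry, unwrap the FEK with the caller's
// private key, decrypt. No entry, or a key that does not unwrap the FEK, means "access denied".
func openFile(ef *encryptedFile, principal string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, f := range append(append([]keyField{}, ef.ddf...), ef.drf...) {
		if f.principal != principal {
			continue
		}
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.wrappedFEK, nil)
		if err != nil {
			return nil, errors.New("access denied: private key does not unwrap the FEK for " + principal)
		}
		if len(fek) != 16 { // a tampered key field must not reach the cipher
			return nil, errors.New("access denied: malformed key field for " + principal)
		}
		return newGCM(fek).Open(nil, ef.nonce, ef.ciphertext, nil)
	}
	return nil, errors.New("access denied: no DDF or DRF entry for " + principal)
}

func main() {
	// Constructed keys and content, for the demonstration only.
	keys := map[string]*rsa.PrivateKey{}
	for _, who := range []string{"alice", "hr-recovery", "bob"} {
		keys[who], _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	ef, err := encryptFile([]byte("Q3 acquisition targets"), "alice", &keys["alice"].PublicKey,
		map[string]*rsa.PublicKey{"hr-recovery": &keys["hr-recovery"].PublicKey})
	if err != nil {
		panic(err)
	}
	for _, who := range []string{"alice", "hr-recovery", "bob"} { // bob has no DDF or DRF entry
		pt, err := openFile(ef, who, keys[who])
		fmt.Printf("%-12s -> %q %v\n", who, pt, err)
	}
}
```

Run it and the owner and the recovery agent both get the plaintext back, each through their own wrapping of the same FEK, while a principal with no key field, or one presenting the owner's name with a different private key, gets access denied, which is the behaviour described above for a second user opening the file. In this model the set of recovery agents is fixed when the file is encrypted, which is why the recovery policy in force at that moment matters.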
All in all, EFS is a good solution for protecting files from black hats. Microsoft has done a great job of making encryption transparent to the user and a decent job of doing the same for the administrator. We're hopeful that Microsoft will extend the current offering with 3DES encryption and multiuser access to make EFS even more valuable.
Howard Marks is founder and chief scientist of Networks Are Our Lives, a network design and consulting firm in Hoboken, N.J. Send your comments on this article to him at hmarks@naol.com.