Archive for May 23, 2010

Here are some of the new features:

  • Automated System Recovery (ASR). This feature simplifies the restoration of the operating system partition.
  • Goodbye, Emergency Repair Disk. There is no more ERD in Windows Server 2003. The only repair options are the Recovery Console or ASR.
  • Emergency Management Services (EMS). If a server cannot be reached via the network, EMS provides an out-of-band connection to the server via a serial port.
  • Online Crash Analysis. The kernel-mode debugging utilities in Windows Server 2003 can now run on the same machine as the operating system they are monitoring. This permits running a variety of debugging chores at the console.
  • Volume Shadow. Locked files create problems for backup programs. Users get irate when you tell them that you can’t restore a file because it was locked during the backup while they were working from home. The Volume Shadow service takes a snapshot of a locked file so that the backup program can save the snapshot.
  • System Restore. This feature, only present on XP, periodically takes snapshots of the system configuration that you can use as checkpoints for rolling back the system to a previous configuration.
  • Online event tracking. If an application fails or otherwise causes a system error, the system collects information about the failure and sends that information to Microsoft, where it is compiled and analyzed for trends.
  • Shutdown Event Tracker. This “feature,” if you want to call it that, requires that you specify a reason each time you shut down a system. This reason is put in the Event log. If the system crashes, you must specify a reason when the system restarts.
  1. Open an empty MMC console using START | RUN | MMC.
  2. From the console menu, select CONSOLE | ADD/REMOVE SNAP-IN. The Add/Remove Snap-in window opens.
  3. Click Add. The Add Standalone Snap-in window opens.
  4. Double-click Certificates to load the snap-in. If you are logged on with an account that does not have administrator privileges, the only option is to load the your own personal certificates. Otherwise, you get additional choices of computer and service certificates.
  5. With the snap-in loaded, save the console with a descriptive name, such as Cert.msc. You may want to save it in \WINNT\System32 along with the rest of the console files so that another administrator can use it. The console does not point at your specific certificate. It loads the certificates of the user who launches the console.
  6. Expand the tree to CertificatesCurrent User | Personal | Certificates. Certificates issued to you are listed in the right pane. The Intended Purposes column lists the certificate’s function. If you have ever encrypted a file, you will have at least one EFS certificate. The domain Administrator account will have two certificates, one for EFS and one for File Recovery (FR).
  7. Double-click a certificate to view the contents.

You can use the Certificates snap-in to obtain new certificates. This is not generally necessary for EFS certificates because the EFS service obtains the certificate automatically when you encrypt a file. If you want to designate more Data Recovery Agents, though, you’ll need to obtain File Recovery (FR) certificates for them. You can request them using the Certificates snap-in.

EFS only issues one self-signed FR certificate. In a domain, it is issued to the domain Administrator account. For a local machine, it is issued to the first user who logs on to the machine following Setup. You’ll need a Certification Authority (CA) to issue any further FR certificates.

If you have evaluated EFS in Windows 2000 and found critical features missing, it’s worth taking a second look at EFS in Windows Server 2003 and XP. The changes include the following:

  • New and more cryptographically robust encryption methods. You can now choose between DESX encryption (used by Windows 2000) and 3DES (Triple-DES), an algorithm that complies with government standards for handling of non-classified documents.
  • Offline file encryption. This feature is one of the most significant improvements in Windows Server 2003 and XP. It enables users to use a highly convenient feature, offline file storage, while retaining the ability to protect their files with encryption.
  • Encrypted file transfer over WebDAV. The Web-based Distributed Authorizing and Versioning redirector uses HTTP rather than SMB. Encrypted files are transferred in their encrypted state rather than being decrypted prior to transport as happens with SMB. Also, servers can store encrypted files using WebDAV without compromising security with Kerberos delegations.
  • More flexible group policy control. EFS can now be disabled throughout a domain with a single click of the mouse in a group policy. This contrasts with Windows 2000, which requires removing and re-importing X.509 certificates to control encryption.
  • Shared encrypted files. Users with encrypted files can assign access to other users. This enhances the use of EFS in a workgroup. Only individual users can be given access, not groups. Additional users can only be selected by users who already have access.
  • Copy warnings. Explorer now warns users when they attempt to copy or move encrypted files to an unprotected location such as a Zip drive, floppy drive, or FAT partition. New switches in COPY and XCOPY permit overriding these protections, if necessary.
  • Visual cues. The Explorer shell now shows the names of encrypted files and folders in a different color, similar to the way compressed files are displayed in Windows 2000.
  • Improved command-line administration. The CIPHER command-line utility has been updated with several new features, including the ability to generate file recovery certificates, the ability to search for encrypted files on a volume, the ability to refresh certificates for all encrypted files on a volume, and the ability to wipe all unused disk space to remove temporary files. (The wipe feature was released in Windows 2000 SP3.)
  • Security improvements. Although not strictly an EFS improvement, the handling of the crypto Master key has been changed so that it is not updated when a local user password is changed by anyone other than the user. This eliminates a serious deficiency for standalone laptops and desktops. Now a hacker cannot use utilities to change a user’s password (or the Administrator password) on a standalone machine to gain access to encrypted files.

Not every change is a welcome one, however. In Windows 2000, files cannot be encrypted without the certificate of a Data Recovery Agent (DRA). This ensures that a user cannot encrypt files and then quit the company and leave you without a means of recovering the files. In Windows Server 2003 and XP, it is possible to encrypt files without a DRA. This “feature” has potentially serious consequences because users could encrypt their files and then lose the private key, thereby losing access to the files permanently.