Disable EFS



Roberta Bragg

Get a glimpse inside Roberta Bragg's new book "Hardening Windows Systems" with this series of book excerpts. This excerpt from Chapter 1, "An immediate call to action," explains why you should disable EFS if you don't have a policy in place to manage it.

Disable EFS

Unless you have implemented a policy for the management of EFS that includes recovery procedures and key backup, disable EFS. EFS is enabled by default, but not turned on: nothing is encrypted until a user chooses to encrypt a file. Accordingly, it is easy for users to use the service to encrypt files without understanding how to protect themselves from data loss. EFS can be disabled in Group Policy. The local Group Policy, created by using the Group Policy snap-in and selecting the local computer, can be used to disable EFS on a single computer, while a domain-based Group Policy can be used to disable EFS for an entire domain.

    To disable EFS:
    1. Open the default domain GPO.
    2. For a Windows Server 2003 domain:
      a. Right-click the Public Key Policies, Encrypting File System policy.
      b. Right-click the Encrypting File System folder and select Properties.
      c. Uncheck the Allow Users to Encrypt Files Using Encrypting File System (EFS) check box.

    3. For a Windows 2000 domain:
      a. Right-click the Public Key Policies, Encrypted Data Recovery Agents node.
      b. In the details pane, right-click the certificate designated for File Recovery and select Delete.
      c. Right-click the Encrypted Data Recovery Agents folder and select Delete Policy.

More information on how best to manage EFS is included in Chapter 10.
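
To confirm on a given computer that the policy from the steps above has arrived, and to find files that users already encrypted, a local audit such as the following can be run. It is an added example, not taken from the book; it assumes the setting is recorded as the EfsConfiguration registry value (1 = EFS disabled) under the keys shown, and the function names and default scan path are illustrative.

```powershell
# Added example (not from the book): audit EFS state on the local computer.
# Assumption: the "disable EFS" setting is stored as the DWORD EfsConfiguration
# (1 = disabled) under the keys below. $ScanRoot is a sample path; adjust it.
param([string]$ScanRoot = "$env:SystemDrive\Users")

function Get-EfsPolicyState {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS',  # set by Group Policy
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'            # set locally
    )
    foreach ($key in $keys) {
        # Missing key or value yields $null, which is reported as "not disabled".
        $value = (Get-ItemProperty -Path $key -Name EfsConfiguration `
                    -ErrorAction SilentlyContinue).EfsConfiguration
        [pscustomobject]@{
            Key              = $key
            EfsConfiguration = $value
            EfsDisabled      = ($value -eq 1)
        }
    }
}

function Find-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # EFS-encrypted files carry the NTFS "Encrypted" attribute.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

$policy = @(Get-EfsPolicyState)
$policy | Format-Table -AutoSize

if ($policy.EfsDisabled -notcontains $true) {
    Write-Warning 'EfsConfiguration is not set to 1: users can still encrypt files with EFS.'
}

$encrypted = @(Find-EfsEncryptedFile -Path $ScanRoot)
if ($encrypted.Count -gt 0) {
    Write-Warning "$($encrypted.Count) EFS-encrypted file(s) found under $ScanRoot."
    $encrypted | Format-Table -AutoSize
} else {
    Write-Output "No EFS-encrypted files found under $ScanRoot."
}
```

Any files the scan reports were encrypted before the policy applied, so their owners' keys and a recovery path still need to be accounted for.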
