Evaluator's Guide

NOTE: This Guide is out of date. Do not use.

This page is here for historical purposes only. You may get the full EFS Assistant Administrator's Guide by downloading from the Releases tab.

Introduction

The EFS Assistant is a tool that helps administrators use EFS to enforce an appropriate encryption policy on their client computers. It is a small application that is installed and run on your client computers and that receives its configuration via Group Policy (generally distributed by Active Directory). Depending on how you configure the tool, the EFS Assistant will cause various files and folders on the system to be encrypted using Microsoft's Encrypting File System (EFS). The EFS Assistant is intended to be run periodically on your organization's client computers to ensure that confidential data files get and stay encrypted.

This Mini-Evaluator's Guide is intended to give you an idea of how you can evaluate whether the EFS Assistant would be appropriate for your organization. This guide will help you understand how to:
  • Install the tool
  • Run the tool
  • Review the results
  • Update the Configuration
  • Uninstall

Read This Section First!

The EFS Assistant does its best to avoid messing up your system, but you should know a few things before you run it:
  1. The EFS Assistant is primarily designed to run on single-user systems. If your system is used by more than one user regularly, there is a chance that other users' files might get encrypted (with the running user's key, so the other users could lose access to them). You should exercise caution when running the tool on a multi-user system.
  2. Support for folders configured to roam as part of a roaming user profile is limited at best. While there is a configuration setting to support encryption of these files, this capability is not working and should not be used. It is likely that this feature will be removed before release.
  3. The EFS Assistant configures EFS to encrypt files. Some anti-virus or backup tools may have issues dealing with EFS-encrypted files. For instance, there is a known issue with EFS and Symantec anti-virus on Vista machines. Before running the tool, please back up critical files. It is also a good idea to do a controlled test of EFS on your system prior to running the EFS Assistant.
  4. The tool can run in reporting mode. If you are concerned about actually encrypting your files, but want to see what the tool would do if you ran it, configure the tool to run in Reporting Only mode (see below).
  5. There is a limitation in Excel 2003 and earlier that prevents it from displaying more than 65536 rows in a spreadsheet. If you have a machine with more files/folders than this, the report displayed in these versions of Excel will not be complete. Excel 2007 does not have this problem.
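The controlled EFS test recommended in item 3, as an added example that is not part of this guide or the EFS Assistant: a PowerShell script (PowerShell 3.0 or later and an NTFS volume are assumed) that encrypts a throw-away folder with CIPHER.EXE, checks the NTFS Encrypted attribute on the folder, on a pre-existing file and on a file created afterwards, reads the data back, confirms that an EFS certificate now exists in the user's store, and then decrypts and removes the folder. The folder path under $env:TEMP is this example's own choice.

```powershell
# Added example (not part of the EFS Assistant or this guide): a controlled
# EFS test on one throw-away folder. Assumes PowerShell 3.0+, an NTFS volume
# and that EFS is not disabled by policy. $TestRoot is this example's choice.
param(
    [string]$TestRoot = (Join-Path $env:TEMP 'efs-preflight')
)

function Test-IsEncrypted([string]$Path) {
    # NTFS sets the Encrypted attribute on EFS folders and files.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

New-Item -ItemType Directory -Path $TestRoot -Force | Out-Null
$probe = Join-Path $TestRoot 'probe.txt'
Set-Content -LiteralPath $probe -Value 'efs preflight' -Encoding ASCII

try {
    # 1. Encrypt the folder tree: /e encrypt, /a files as well as folders, /s: recurse.
    & cipher.exe /e /a "/s:$TestRoot" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }

    # 2. Folder and pre-existing file must both carry the Encrypted attribute.
    if (-not (Test-IsEncrypted $TestRoot)) { throw 'folder was not encrypted' }
    if (-not (Test-IsEncrypted $probe))    { throw 'existing file was not encrypted' }

    # 3. A file created inside an encrypted folder inherits encryption.
    $inherited = Join-Path $TestRoot 'inherited.txt'
    Set-Content -LiteralPath $inherited -Value 'inherits' -Encoding ASCII
    if (-not (Test-IsEncrypted $inherited)) { throw 'new file did not inherit encryption' }

    # 4. The encrypting user reads the data back transparently.
    if ((Get-Content -LiteralPath $probe -Raw).Trim() -ne 'efs preflight') { throw 'readback mismatch' }

    # 5. EFS created (or reused) a certificate with the EFS EKU in the user's store.
    #    Back it up before relying on EFS: without it (or a recovery agent) the data is gone.
    $efsCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4'
    }
    if (-not $efsCert) { throw 'no EFS certificate in Cert:\CurrentUser\My' }
    "EFS certificate thumbprint(s): $($efsCert.Thumbprint -join ', ')"

    # 6. Decryption by the same user must succeed.
    & cipher.exe /d /a "/s:$TestRoot" | Out-Null
    if (Test-IsEncrypted $probe) { throw 'decrypt failed' }
    'EFS preflight passed'
}
finally {
    # Leave nothing behind, even if a step above threw.
    & cipher.exe /d /a "/s:$TestRoot" | Out-Null
    Remove-Item -LiteralPath $TestRoot -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it as the interactive user who will later run the EFS Assistant; if any step throws, fix that (typically a missing or disabled EFS policy, a non-NTFS volume, or an anti-virus product that locks the files) before encrypting real data.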

Installing the tool

The following section describes installation of the tool.

The tool can be installed in two ways: interactively and in background mode. We recommend that evaluators install the tool in interactive mode. To install, simply double-click the EFSAssistant.msi file.

After you have accepted the license, etc., you will have the opportunity to install 5 features. We recommend installing all 5. The description of each feature in the installer should provide enough information to understand the purpose of each feature. For more detailed information, see the Installer Design document.

Running the tool

When you install the "Evaluation Settings" feature, the tool is automatically configured to encrypt specified folders and perform file categorization. "Encrypt specified folders" means that the tool will encrypt certain folders that Microsoft has determined should be encrypted (for example, My Documents, etc.). More folders can easily be added to this list using the Group Policy editor (see below). "File categorization" means that the tool will review the contents of all folders and encrypt the folder and its contents if the folder contains only Word, Excel, or PowerPoint files. Note that the types of files that will cause file categorization to succeed can be modified by the administrator (see below).

You can run the tool by choosing it from the Start menu (under Microsoft EFS Assistant). The tool will notify you that it has started with a balloon in the system tray. When it has finished it will display another balloon.

Reviewing the results

Once the tool has run, you can review the results by running the "EFS Assistant Results Viewer". This VBScript pulls the results of the encryption run out of WMI and writes them to a CSV file. This file will be created in your My Documents folder. Next, the script starts Excel and allows you to view the file in an easy-to-read manner. Note that older versions of Excel (prior to 2007) will only display the first 65536 lines of the CSV file.

You can also see what files are encrypted by using Windows Explorer. Folders and files that have their names in green are ones that have been encrypted. (If you don't see any green folders, go to Tools->Folder Options in the Explorer window and make sure that "Show encrypted or compressed NTFS files in color" is selected under the View tab.)
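A file-system-level way to review the same results, added here as an example and not part of the EFS Assistant: a PowerShell script (3.0 or later assumed) that walks a tree, records for every folder whether it is EFS-marked and how many of its direct files are encrypted, writes a CSV to My Documents (the file name is this example's choice) and summarises the states. It reads the NTFS Encrypted attribute, the same thing Explorer's green colouring is based on, and does not depend on the tool's WMI log, so it also works after the tool has been uninstalled.

```powershell
# Added example, not part of the EFS Assistant. Inventories EFS state straight
# from NTFS attributes and writes a CSV next to the Results Viewer output.
# Assumes PowerShell 3.0+; $Root and $OutCsv are this example's defaults.
param(
    [string]$Root   = [Environment]::GetFolderPath('MyDocuments'),
    [string]$OutCsv = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'efs-inventory.csv')
)

function Test-Encrypted($Item) {
    return (($Item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsInventory([string]$Path) {
    # One record per folder: is the folder itself EFS-marked, and how many of
    # the files directly inside it are encrypted versus plaintext.
    $folders = @(Get-Item -LiteralPath $Path -Force) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $folders) {
        $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue)
        $enc   = @($files | Where-Object { Test-Encrypted $_ })
        $dirEncrypted = Test-Encrypted $dir

        # Name what evidently happened in this folder.
        $state = 'Plaintext'
        if ($dirEncrypted -and $enc.Count -eq $files.Count) { $state = 'FolderEncrypted' }
        elseif ($dirEncrypted)                              { $state = 'FolderMarkedButPlaintextFiles' }
        elseif ($enc.Count -gt 0)                           { $state = 'IndividualFilesOnly' }

        [pscustomobject]@{
            Folder          = $dir.FullName
            FolderEncrypted = $dirEncrypted
            Files           = $files.Count
            EncryptedFiles  = $enc.Count
            State           = $state
        }
    }
}

$inventory = @(Get-EfsInventory -Path $Root)
$inventory | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
$inventory | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
"Wrote $($inventory.Count) folder records to $OutCsv"
```

'IndividualFilesOnly' is what the "Encrypt individual files" setting produces in an uncategorized folder. 'FolderMarkedButPlaintextFiles' deserves a look: files created inside an EFS folder are encrypted on creation, so plaintext leftovers usually mean an application moved a file in by a route that bypassed EFS, or the folder was marked without its existing files being processed.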

Updating the Configuration

If you are happy with the results of the encryption run, you can stop here and move straight to planning for a pilot deployment. On the other hand, you may want to make some changes to the configuration. To do so, you must use the Group Policy editor to edit the local group policy on your machine.

You can start the Group Policy editor by typing "gpedit.msc" in the Run... dialog box and pressing Enter. Under Computer Configuration, then Administrative Templates, you will find the configuration options for the EFS Assistant (the installer adds them as administrative templates). Some settings you might want to modify are:
  • Reporting mode - Enabling will only tell you what the tool would do, but will not actually cause any files to be encrypted.
  • Folders to encrypt - This is a list of folders that the tool will always encrypt. Note that any folder specified in this list will include all its subfolders, unless that subfolder is on the list of folders not to encrypt.
  • Folders not to encrypt - This is a list of folders that the tool will never encrypt. Like the previous configuration setting, any subfolders of the folders on this list will also not be encrypted, unless that subfolder is on the list of folders to encrypt.
  • File types to encrypt - This is a list of file extensions that should be considered as encryptable files. These settings should be entered as file extensions including the period (for example, ".ppt"). This list is used in two ways:
    • When the tool does file categorization (see below), this is the list of file types that are considered data files.
    • When the tool is configured to encrypt individual files, any files with these extensions in uncategorized folders will be encrypted. See below for further information.
  • Encrypt individual files - When this setting is set, data files in uncategorized folders will be encrypted individually.
One thing you should be aware of: when you install the "Evaluation Settings", you will be writing certain configuration settings to the area of the registry that is used by Group Policy. However, we do not set these settings through the local group policy itself. This means that even though the Group Policy editor does not show it, certain configuration options are set. These options are:
  • Folder Encryption Mode - set to encrypt specified folders and perform file categorization (see below)
  • Debugging Mode - Set to enabled
  • File types to encrypt - set to contain ".ppt, .pptx, .doc, .docx, .xls, .xlsx"

Key Concepts

Folder classification

Folders can be classified as either Green, Yellow, or Red, although Yellow is really just shorthand for "unclassifiable". These classifications have the following meaning:
  • Green - A folder classified as green should be encrypted. Folders can be green for a number of reasons, such as the user specified the folder on the "Folders to encrypt" list.
  • Red - A folder classified as red should not be encrypted. Folders can be red for a number of reasons, for example, they might contain critical Windows files.
  • Yellow - A folder is classified as Yellow when the tool cannot figure out whether it is Red or Green. For example, if the user creates a random folder called "C:\DataFiles", this would most likely be classified as a yellow folder because the administrator probably did not know this folder existed until he reviewed the log.
The tool knows what to do with green folders: encrypt them. The tool also knows what to do with red folders: leave them alone. The problem is what to do with yellow folders. The tool has two primary ways of dealing with these folders, described below.

File Categorization

File categorization is one way the tool tries to handle folders that the administrator did not know about when he set the configuration (that is, folders that are on neither the 'Folders to encrypt' list nor the 'Folders not to encrypt' list).

When doing file categorization, whenever the tool finds a folder that is not on either of its two lists, it looks at the files inside that folder and makes a decision. If the folder contains only data files (that is, files whose extensions are on the 'File types to encrypt' list), the tool will encrypt the folder and all the files in it. (Note that the tool will not encrypt subfolders of this folder; each subfolder is evaluated on its own.)

If the folder contains any files that are not considered data files, the tool will leave the folder alone (and unencrypted).

Encrypting individual files

If file categorization does not meet your needs, you can also tell the tool to encrypt individual files. This setting can work either instead of, or in addition to, file categorization. If 'Encrypt individual files' is set, the tool will encrypt all files of the types specified in 'File types to encrypt' that occur in unclassified (yellow) folders. Generally speaking, if you set this setting and adequately enumerate your data file types, you can encrypt the vast majority of the data files on your organization's laptops.

Typical Configurations

You might want to try out one or more of the following typical configurations for EFS Assistant. Some typical configurations are:

Encrypt only specified folders (minimal encryption)

This is the most conservative encryption mode. To configure this mode, configure the following settings:

  • Folder encryption mode
    Setting: Specified folders only
    Impact: Only encrypt specified folders; do not do file categorization
  • Folders to encrypt
    Setting: Folder paths that you want encrypted
    Impact: Only these folders will be encrypted
  • Folders not to encrypt
    Setting: Folder paths that you want to leave unencrypted
    Impact: In this mode, these are exceptions to the "Folders to encrypt" list above. Since folders inherit, if you tell the tool to encrypt C:\data it will encrypt everything under that folder. If you want to leave C:\data\program unencrypted, add it to this list.

Encrypt specified folders and folders with data files (conservative encryption)

This is the default configuration mode and is fairly conservative. In this mode, the tool will encrypt the folders you tell it to (not including the folders you tell it not to, of course). In addition, it will scan for folders that only contain data files and encrypt those as well.

To configure this mode, configure the following settings:

  • Folder encryption mode
    Setting: Specified folders and file categorization
    Impact: Encrypt specified folders and do file categorization (encrypt any folder that contains only data files)
  • Folders to encrypt
    Setting: Folder paths that you want encrypted
    Impact: These folders (and their subfolders) will always be encrypted
  • Folders not to encrypt
    Setting: Folder paths that you want to leave unencrypted
    Impact: In this mode, these are exceptions to the "Folders to encrypt" list above. Since folders inherit, if you tell the tool to encrypt C:\data it will encrypt everything under that folder. If you want to leave C:\data\program unencrypted, add it to this list.
  • File types to encrypt
    Setting: List of file extensions (including the period) that should be considered data files
    Impact: These file types are treated as data files for the purposes of file categorization

Encrypt specified folders, folders with data files, and all data files in unencrypted folders (aggressive encryption)

This is a fairly aggressive encryption mode. In this mode, the tool will encrypt the folders you tell it to (not including the folders you tell it not to, of course). In addition, it will scan for folders that only contain data files and encrypt those as well. Finally, whenever it finds a data file in an uncategorized (yellow) folder, it encrypts the data file itself.

To configure this mode, configure the following settings:

  • Folder encryption mode
    Setting: Specified folders and file categorization
    Impact: Encrypt specified folders and do file categorization (encrypt any folder that contains only data files)
  • Folders to encrypt
    Setting: Folder paths that you want encrypted
    Impact: These folders (and their subfolders) will always be encrypted
  • Folders not to encrypt
    Setting: Folder paths that you want to leave unencrypted
    Impact: In this mode, these are exceptions to the "Folders to encrypt" list above. Since folders inherit, if you tell the tool to encrypt C:\data it will encrypt everything under that folder. If you want to leave C:\data\program unencrypted, add it to this list.
  • File types to encrypt
    Setting: List of file extensions (including the period) that should be considered data files
    Impact: These file types are treated as data files both for file categorization and for encrypting individual data files
  • Encrypt individual files
    Setting: Enabled
    Impact: Causes every data file on the disk to be encrypted unless it is in a red folder

Encrypt almost everything (very aggressive encryption)

This is the most aggressive encryption mode. This mode tells the EFS Assistant to encrypt every folder and its contents unless it is specifically instructed not to. Basically, the tool only honors its internal list of folders not to encrypt as well as the folders you specify on the "Folders not to encrypt" list. Everything else will be encrypted. NOTE: This mode should be used with extreme caution. It could encrypt something that should not be encrypted.

To configure this mode, configure the following settings:

  • Folder encryption mode
    Setting: Maximize encryption
    Impact: Encrypt every folder and file that is not in a red folder
  • Folders not to encrypt
    Setting: Folder paths that you want to leave unencrypted
    Impact: Any folder on this list (and its subfolders) will not be encrypted.
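To see how the folder colours from the Key Concepts section and the four configuration modes above interact before touching a real machine, here is a reporting-only model of those rules. It is an added example, not the EFS Assistant's code: the folder tree, the configuration values and the built-in red list ($InternalRedList) are constructed for illustration (the page does not publish the tool's own internal list), and the treatment of an empty yellow folder (not categorized, left alone) is this example's assumption. It covers the general case of all four modes with "Encrypt individual files" on or off, not just the default configuration.

```powershell
# Added example, not the EFS Assistant's code: a reporting-only model of the
# Green/Red/Yellow classification and the four configuration modes, run over
# a constructed in-memory folder tree so nothing on disk is touched.
$Config = @{
    # 'SpecifiedFoldersOnly' | 'SpecifiedAndCategorize' | 'MaximizeEncryption'
    FolderEncryptionMode   = 'SpecifiedAndCategorize'
    EncryptIndividualFiles = $true
    FoldersToEncrypt       = @('C:\Users\alice\Documents')
    FoldersNotToEncrypt    = @('C:\Users\alice\Documents\Tools')
    FileTypesToEncrypt     = @('.ppt', '.pptx', '.doc', '.docx', '.xls', '.xlsx')
}
$InternalRedList = @('C:\Windows', 'C:\Program Files')   # assumed, for illustration only

# Constructed sample tree: folder path -> names of the files directly inside it.
$Tree = [ordered]@{
    'C:\Users\alice\Documents'           = @('plan.docx', 'budget.xlsx')
    'C:\Users\alice\Documents\Tools'     = @('helper.exe', 'readme.doc')
    'C:\Users\alice\Documents\Tools\Out' = @('result.xlsx')
    'C:\DataFiles'                       = @('q1.xlsx', 'q2.xls')
    'C:\DataFiles\Raw'                   = @('dump.csv', 'notes.doc')
    'C:\Windows\Temp'                    = @('x.doc')
    'C:\Scratch'                         = @()
}

function Test-UnderPath([string]$Path, [string]$Ancestor) {
    $p = $Path.TrimEnd('\') + '\'
    $a = $Ancestor.TrimEnd('\') + '\'
    return $p.StartsWith($a, [StringComparison]::OrdinalIgnoreCase)
}

function Get-FolderColor([string]$Path) {
    # The deepest matching entry from any list wins; that is what "subfolders
    # inherit unless they are on the other list" amounts to.
    $best = $null; $bestLen = -1
    foreach ($f in $Config.FoldersToEncrypt)    { if ((Test-UnderPath $Path $f) -and $f.Length -gt $bestLen) { $best = 'Green'; $bestLen = $f.Length } }
    foreach ($f in $Config.FoldersNotToEncrypt) { if ((Test-UnderPath $Path $f) -and $f.Length -gt $bestLen) { $best = 'Red';   $bestLen = $f.Length } }
    foreach ($f in $InternalRedList)            { if ((Test-UnderPath $Path $f) -and $f.Length -gt $bestLen) { $best = 'Red';   $bestLen = $f.Length } }
    if ($best) { return $best } else { return 'Yellow' }
}

function Test-DataFile([string]$Name) {
    # -contains compares case-insensitively, so '.DOCX' matches '.docx'.
    return ($Config.FileTypesToEncrypt -contains [IO.Path]::GetExtension($Name))
}

function Get-EncryptionPlan {
    foreach ($folder in $Tree.Keys) {
        $files   = @($Tree[$folder])
        $color   = Get-FolderColor $folder
        $action  = 'Skip'
        $targets = @()
        switch ($color) {
            'Red'    { $action = 'Skip' }                                  # leave alone
            'Green'  { $action = 'EncryptFolder'; $targets = $files }       # folder and contents
            'Yellow' {
                if ($Config.FolderEncryptionMode -eq 'MaximizeEncryption') {
                    $action = 'EncryptFolder'; $targets = $files
                } else {
                    $dataFiles = @($files | Where-Object { Test-DataFile $_ })
                    $allData   = ($files.Count -gt 0 -and $dataFiles.Count -eq $files.Count)   # empty folder: not categorized (assumption)
                    if ($Config.FolderEncryptionMode -eq 'SpecifiedAndCategorize' -and $allData) {
                        $action = 'EncryptFolder'; $targets = $files       # subfolders are judged on their own
                    } elseif ($Config.EncryptIndividualFiles -and $dataFiles.Count -gt 0) {
                        $action = 'EncryptFiles'; $targets = $dataFiles    # only the data files, folder stays plaintext
                    }
                }
            }
        }
        [pscustomobject]@{ Folder = $folder; Color = $color; Action = $action; Files = ($targets -join ', ') }
    }
}

Get-EncryptionPlan | Format-Table -AutoSize
```

With the values above, Documents comes out Green, Tools and Tools\Out Red (Out inherits from Tools even though Tools sits inside a Green folder), C:\DataFiles Yellow and categorized, C:\DataFiles\Raw Yellow with only notes.doc encrypted individually, C:\Windows\Temp Red, and the empty C:\Scratch skipped. Change FolderEncryptionMode or EncryptIndividualFiles and rerun to see how each of the four typical configurations treats the same tree.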

Uninstalling

When you are done testing, you can uninstall the tool. Uninstalling will remove:
  • the tool
  • the administrative templates
  • the evaluation setting registry changes
  • the Start menu shortcuts
  • The reporting tool
In addition, you should be aware that when you uninstall, you will effectively remove the logging data stored in WMI. However, any files you saved from the reporting tool will still be available.

NOTE: Removing the tool does not decrypt any files. If you wish to reverse all encryption performed by the EFS Assistant, you can use the CIPHER.EXE utility on each drive on which EFS encryption was performed. For example, to decrypt all the files on your C: drive, use the command "CIPHER.EXE /d /a /s:C:\" from a command prompt. As long as you close all your applications before running this command, CIPHER will be able to gain exclusive access to all folders and files to decrypt them. Note that if you had previously encrypted any files using EFS, the CIPHER tool will decrypt those files also. CIPHER can only decrypt files for which the account running it holds the EFS key (or a configured recovery agent's key), so on a multi-user machine, files encrypted by other users will remain encrypted.
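The reversal described above with a check that it actually completed, as an added PowerShell example that is not part of this guide or the tool: it counts encrypted items on the drive, runs CIPHER.EXE /d /a /s:, counts again and lists anything still encrypted together with its owner, which is how files encrypted under another user's key on a multi-user machine show up. $Drive is this example's parameter; run it after closing applications, preferably from an elevated prompt so the walk is not cut short by access-denied errors.

```powershell
# Added example, not from the EFS Assistant: reverses EFS on one drive with
# CIPHER.EXE, then verifies from NTFS attributes that nothing is left encrypted.
# CIPHER only decrypts files the current user (or an available recovery agent)
# holds a key for, so other users' files stay encrypted and are listed at the end.
# Assumes PowerShell 3.0+; $Drive is this example's parameter.
param([string]$Drive = 'C:\')

function Get-EncryptedItems([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

$before = @(Get-EncryptedItems $Drive)
"Encrypted items on ${Drive} before: $($before.Count)"
if ($before.Count -eq 0) { return }

# /d decrypt, /a files as well as folders, /s: recurse from the drive root.
& cipher.exe /d /a "/s:$Drive" | Out-Null
"cipher exit code: $LASTEXITCODE"

$after = @(Get-EncryptedItems $Drive)
"Encrypted items on ${Drive} after: $($after.Count)"
if ($after.Count -gt 0) {
    'Still encrypted (no usable key for the current user, or file in use):'
    $after | ForEach-Object {
        $owner = 'n/a'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{ Path = $_.FullName; Owner = $owner }
    } | Format-Table -AutoSize
}
```

Items that remain with another account as owner need that account (or the recovery agent) to run the same command; items owned by the current user that remain are normally open in a running process and decrypt on a second pass once it is closed.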

Last edited May 3, 2007 at 8:33 PM by billcan, version 12
