Join Lisa Bock for an in-depth discussion in this video Encrypting files, folders, and drives, part of Foundations of IT Security: Core Concepts.
- In order to protect files and folders, new technology file system permissions can be set to allow or deny access to folders and files. I'm going to create a folder on the desktop. I'll name it Secret. Now let's take a look at the properties. I'll look at the security, you can see here information about the groups or users that have access to this folder. If I wanted to change their permissions for an entity I might want to say Deny control on anything Read, Write, Execute.
But if I really want to protect it, encryption provides another layer of protection. The Encrypting File System uses encryption to encrypt files and folders to ensure confidentiality. A general user can encrypt his or her folders and files and cherry pick through the ones they want to protect. Encrypting File System is easy, simple to use, and secure. It uses a symmetric File Encryption Key. The default algorithm is AES, but 3DES can be used.
The File Encryption Key is secure using public key encryption. Encryption and decryption is used by right clicking and going to Properties. On the General tab click Advanced. Under Advanced Attributes select Encrypt contents to secure data. Now I'm going to create a document and then put it in the Secret folder. Because it's in that folder, as you can see, it's green.
It's indicated that it is encrypted. We can see folders that are encrypted are represented in green. When I go into the folder, the documents themselves have inherited that encryption and they show up as green as well. Now I own this document, I encrypted it, and now I can read it. But let's take a look at something I might not be able to read because I didn't encrypt it. I'm looking around and I see a folder, Someone's Secrets. It's green, but can I access it? Oh, secret information, let's double click.
Well it said Word cannot open the document, user does not have access privileges. So it is really protected. BitLocker Drive Encryption uses encryption to protect data on entire drives or logical volumes. BitLocker does not support dynamic disks. BitLocker uses AES either 128 or 256 bit encryption. 256 bit encryption is the choice. Later versions of Windows, meaning 8 or above, and Windows server 2012 support BitLocker.
Also required is a Trusted Computing Group compliant BIOS or unified extensible firmware interface. A Trusted Platform Module is a Microchip in a system where BitLocker stores the encryption keys, and provides pre-startup system integrity verification and multifactor authentication. A Trusted Platform Module is not required for BitLocker. If the system does not have a Trusted Platform Module you'll need a removable drive to store the startup key and you'll need to configure BitLocker to run without a compatible Trusted Platform Module.
Let's compare the two. The Encrypted File System encrypts folders and files one by one. Users can encrypt independently, no special hardware is needed. And you do not have to be an administrator. BitLocker encrypts the entire drive. Meaning the entire drive is either on or off. BitLocker uses the Trusted Platform Module, and you must be an administrator to use BitLocker. BitLocker is used for enterprise networks and Encrypting File System is more suited for small business or home users.
It is available in Ultimate, Express, and Server operating systems. It is not available in Windows Home, Starter, and Basic versions of operating systems. Instead you can use AES Crypt or a similar product to encrypt your files and folders.
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Evaluating risks, threats, and vulnerabilities
- Minimizing the attack surface
- Avoiding worms and viruses
- Protecting your system from spyware
- Making web browsers more secure
- Securing wireless transmissions
- Encrypting files, folders, and drives
- Using virtual private networks