The 'tools\internet options\advanced' menu contains some useful features for enhancing the privacy and security of Internet Explorer. Some of these we will talk about later, but for now, enabling the 'empty temporary internet files folder when browser is closed' option will save you some effort.
All 'business' versions of Windows since Win2K (in other words, Windows 2000, XP Pro and 2003 Server, but not XP Home edition) have included a method of encrypting your files to make them inaccessible to other users on the same machine or on the network: the Encrypting File System (EFS). This is an excellent tool to prevent your data from ending up in the wrong hands, but there are some huge pitfalls too. Let's take a look.
Windows XP can be instructed to encrypt specific files or folders on a per-user basis. This means that when user A decides he wants to encrypt his documents folder, a symmetric key is generated to encrypt the contents; this key is in turn encrypted with the public key of a public/private key pair generated by the OS specifically for user A, meaning that only user A's private key can now unlock the files.
This is easy to do, and works well, but there is one huge problem. What happens if user A's account is accidentally deleted, or you have to reinstall the operating system due to some catastrophic failure? No problem, right? The files are still there… Well yes, they are, but no one can access them. The key to decipher the files was encrypted with user A's public key. User A no longer exists, therefore neither does the private key you need to unlock the files. In Windows 2000, the 'administrator' account was designated as a recovery agent, so that any file encrypted by EFS could also be decrypted by the administrator. This gave you a lifeline, as long as you did not also delete the administrator account.
Windows XP has no recovery agent by default, so there is no way to recover your encrypted files if you mess up. The only safe way to use EFS (and Microsoft's recommended policy) is to designate a user as a data recovery agent, then export that recovery agent's public and private keys in the form of a digital certificate file that can be stored outside the computer on a floppy disk or other media. If the worst happens, any user can import this certificate and be made into a data recovery agent to decrypt the files. Let's look at how to do this.
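To make the pitfall concrete, here is an added example (not part of the original article, and not Windows or EFS code) that models the key scheme just described: each file is sealed with a random symmetric key, and that key is stored with the file once per principal allowed to open it, wrapped with that principal's public key. The `LostOwnerScenario` function encrypts a constructed sample document for "userA", throws away userA's private key, and asks whether a recovery agent can still open the file. The names `userA`, `recoveryAgent` and the AES-GCM/RSA-OAEP choices are assumptions for the model, not what EFS uses internally.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is a simplified model of an EFS-protected file: the data is
// sealed with a random symmetric file key, and that key is stored next to the
// data once per principal allowed to open it, wrapped with that principal's
// RSA public key (the owner, and optionally a recovery agent).
type EncryptedFile struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // principal name -> file key wrapped with that principal's public key
}

// newGCM builds the symmetric cipher used to seal and open file contents.
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh AES-256 key and wraps that key for
// every principal in the map. A file with no recovery-agent entry can only
// ever be opened with the owner's private key.
func Encrypt(plaintext []byte, principals map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // the per-file symmetric key
	if _, err := io.ReadFull(rand.Reader, fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	f := &EncryptedFile{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte),
	}
	for name, pub := range principals {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedKeys[name] = w
	}
	return f, nil
}

// Decrypt opens the file as the named principal. It fails if no copy of the
// file key was wrapped for that principal, or if the private key is wrong.
func Decrypt(f *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no file key wrapped for principal " + name)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// LostOwnerScenario encrypts a document as "userA", discards userA's private
// key (the deleted account or reinstalled OS from the text), and reports
// whether the recovery agent can still open the file. It is true only when a
// recovery-agent key was wrapped into the file at encryption time.
func LostOwnerScenario(withRecoveryAgent bool) (bool, error) {
	userA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	agent, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	principals := map[string]*rsa.PublicKey{"userA": &userA.PublicKey}
	if withRecoveryAgent {
		principals["recoveryAgent"] = &agent.PublicKey
	}
	doc := []byte("constructed sample document") // constructed sample input
	f, err := Encrypt(doc, principals)
	if err != nil {
		return false, err
	}
	userA = nil // userA's private key is gone for good
	got, err := Decrypt(f, "recoveryAgent", agent)
	if err != nil {
		return false, nil // unrecoverable: no wrapped key exists for the agent
	}
	return bytes.Equal(got, doc), nil
}

func main() {
	for _, withAgent := range []bool{true, false} {
		ok, err := LostOwnerScenario(withAgent)
		fmt.Printf("recovery agent designated=%v -> recoverable=%v err=%v\n", withAgent, ok, err)
	}
}
```

The point the model makes is that a recovery agent only helps if its public key was present when the file was encrypted: nothing can be added to an existing file after the owner's private key is gone, which is why the agent has to be designated, and its certificate exported, before anything goes wrong.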