Chapter 6 - Encrypting the File System for Windows 2000

Abstract

Many file encryption products currently offered in the market by third party vendors are designed around password keys. This kind of encryption is not very secure, because the encrypted file can be hacked quickly by brute force. Security products that were available before Windows 2000 required the user to encrypt and decrypt files manually with each usage. On occasion, users encrypt a file and then forget the password. The third-party product can handle this major problem in one of two ways: the product can provide data recovery or it cannot provide recovery. The more secure encryption software at the application level will not provide data recovery. The downside of this limitation becomes evident when a person is authorized, needs to get to the data, and has forgotten the password. If the vendor did provide some form of data recovery, security is weakened, and the recovery code is now the system's weak point. Some of the Windows 2000 Encrypting File System code runs down in protected mode. The kernel mode must not be available to users, or the operating system will crash. Microsoft has built encryption into the operating system, making encrypted data more secure than ever before. The new feature of the Encrypting File System on Windows 2000 provides an element of security that Windows NT and third-party encryption software never approached in the past.