Task 4.1: The Encrypting File System

Windows 2000 and above provide file-level encryption for files stored on NTFS volumes. This is called the Encrypting File System (EFS). EFS operates as an additional layer of security, complementing both the NTFS and share-point permissions on Windows systems.

EFS should be implemented for any sensitive data. Because of the increased frequency of portable devices being lost or stolen, it is especially important to implement EFS on laptop computers.

Scenario

You are responsible for the protection of sensitive information that often gets produced and utilized on company-owned laptop computers. On occasion, these laptops and sensitive files must be shared among several top-level executives of the company.

Scope of Task

Duration

This task should take approximately 2 hours.

Setup

You will create secured (encrypted) content and confirm that it is secure. Then you will provide access to this content for selected other user(s).

Caveat

With the addition of any securing technology, there will be an increase in administrative overhead to support that technology. It is possible that users will lock themselves out of their sensitive content, requiring a preconfigured Data Recovery Agent to decrypt the content (on Workgroup-mode systems this is the Local Administrator, configured manually; on domain members it is the administrator of the domain, configured automatically).


See Task 4.2 for detailed instructions on the data-recovery procedure.

Further, there are combinations of events that can prevent decryption of the content. Data can be lost permanently.

As an administrator, implement EFS with care. If you implement EFS for your users, provide proper training and warnings to those users regarding these issues.

Procedure

For this task, you must create the Data Recovery Agent policy.

Then you will need to create two standard (nonadministrator) users: User1 and User2. User1 will create and secure sensitive content. You will then log on as User2 and confirm that even though NTFS permissions should allow access to the content, EFS does not allow User2 to access the content.

Next you’ll log on as User1 again and add User2 to the list of users who can access the encrypted file.

Then you’ll log back on as User2 and confirm that you now can access the encrypted content as User2.

Equipment Used

For this task, you must have:

  • Windows XP Pro system with the following configuration:
    • A member of a workgroup (not a member of a domain)
    • At least one NTFS volume
  • Local Administrator access

Details

Configuring the Volume for EFS

1. Log on to the Windows XP Pro system as the Local Administrator.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.


You may have to enable viewing of the folders and files on the C: drive by selecting Show The Contents Of This Folder in the right pane.

4. Right-click on the C: drive and select Properties.

5. Confirm that the volume’s file system is NTFS, and then click OK.


EFS is not available on any FAT file systems, including floppy disks. It is available only on volumes formatted with NTFS.


6. In the right pane, right-click in the white area and select New ⇒ Folder. Name the folder GOODSTUFF.

7. Right-click the new GOODSTUFF folder and select Properties.

8. In the Properties dialog box, select the Security tab. Under Group Or User Names, select Users (ComputerName\Users) on the list, where ComputerName is the name of your computer.


In the case shown, the computer name is XP1.

9. Enable the Write permission under Permissions For Users. Click OK. You have now confirmed that the volume supports EFS and you have created a storage location for the local users of the system.

Creating Users

1. Right-click on My Computer and select Manage to open the Computer Management console.

2. Expand Local Users And Groups. Select the Users subfolder.

3. In the right pane, right-click in the white space and select New User.

4. Type User1 for both User Name and Full Name. Type Password1 in the Password and Confirm Password fields. Clear the option User Must Change Password At Next Logon, and enable the options User Cannot Change Password and Password Never Expires. Click Create.


The setting User Must Change Password At Next Logon is grayed out when you enable the User Cannot Change Password or the Password Never Expires settings.


5. You will see a new, empty New User dialog box. Type User2 for User Name and Full Name. Type Password1 in the Password and Confirm Password fields. Clear the option User Must Change Password At Next Logon, and enable both User Cannot Change Password and Password Never Expires. Click Create.

6. Click Close. Confirm the existence of the two new user accounts for User1 and User2.


7. Close the Computer Management console by clicking the X in the upper-right corner.

Creating the EFS Data Recovery Agent Policy

1. To define an EFS Data Recovery Agent (DRA) policy, you must produce a DRA certificate for the local administrator. Still logged on as Local Administrator, open a command window by selecting Start ⇒ Run and entering CMD. Then click OK.

2. You will create a location to hold the certificates and view the options of the command (Cipher) used to create the certificates. At the command prompt, enter the command cd\ and press Enter, which returns you to the root of the C: drive.

3. At the command prompt, enter the command md AA. Press Enter to create a new folder called C:\AA.

4. At the command prompt, enter the command cd AA. Press Enter to place your focus in the new C:\AA folder.

5. At the command prompt, enter the following command and view the results:

Cipher /?

6. To create the certificates required for EFS Data Recovery, at the command prompt enter this command:

cipher /R:c:\AA\AdminEFSDRA


7. Type the password Password1 and press Enter.


8. To confirm the password, type Password1 a second time and press Enter. The two certificate files for the DRA (AdminEFSDRA.cer and AdminEFSDRA.pfx) are produced in the C:\AA folder.

9. Close the command window.

10. Select Start ⇒ Programs ⇒ Administrative Tools ⇒ Local Security Policy.

11. In the Local Security Settings dialog box, expand Public Key Policies and select Encrypting File System.


12. Right-click on Encrypting File System and select Add Data Recovery Agent. This launches the Add Recovery Agent Wizard. Click Next.


13. On the Select Recovery Agents screen, click the Browse Folders button and browse to C:\AA.

14. Select the AdminEFSDRA.cer file that you just created with the Cipher command. Click Open. This pulls the certificate file into the Add Recovery Agent Wizard.


15. Click the Next button, and then click Finish.

16. Close the Local Security Settings dialog box.

17. Right-click the Start button and select Explore.

18. Open the folder C:\AA.

19. Right-click on the file AdminEFSDRA.pfx and select Install PFX.


20. In the Certificate Import Wizard, click Next.

21. Confirm the certificate file with the .PFX extension is entered in the File Name field. Click Next.


The filename may be presented in the older DOS 8.3 short filename format: C:\AA\ADMINE~1.PFX. This is acceptable.

22. Enter the password Password1 to access the private key associated with the certificate.


This password was set on the private key when the two certificate files were created with the Cipher command earlier.

23. Leave the two check boxes deselected and click Next in the wizard.

24. Allow the Certificate Store location to be automatically selected, and click Next in the wizard.

25. Click Finish. You should see a message reporting that the import was successful. Click OK to clear the message.

26. Log off as Local Administrator by selecting Start ⇒ Log Off Administrator.

27. You have now confirmed and configured the C: drive for EFS, you have created two users to implement EFS, and you have successfully configured the local administrator as the EFS Data Recovery Agent.

Creating EFS Content as User1

1. Log on to the local computer as User1 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.


You may have to enable viewing of the folders and files on the C: drive by selecting Show The Contents Of This Folder in the right pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Right-click in the white space in the right pane and select New ⇒ Text Document.

6. Rename the text document Secrets.txt.

7. Open Secrets.txt with Notepad and type a message.

8. Save Secrets.txt with the new content.

9. Close Notepad.

10. Right-click Secrets.txt and select Properties.

11. In the Properties dialog box, on the General tab click Advanced.


12. In the Advanced Attributes dialog box, enable the option Encrypt Contents To Secure Data.


Notice that if you also try to enable compression, the Encrypt Contents To Secure Data check box clears. Encryption and compression are mutually exclusive for content on NTFS volumes.

13. Click OK.

14. Click Apply in the Properties dialog box. You will be prompted to either encrypt the folder and all content or encrypt just this one file. Select Encrypt The File Only.


EFS can be implemented for a single file at a time or can be implemented at the folder level. When EFS is implemented at the folder level, any newly created files or folders in the EFS folder inherit the encryption attribute and will be encrypted with the EFS encryption key of the owner/creator of the new content.

15. Select the Security tab of the Properties dialog box. Select the Users group in the top pane. Notice that users of the local system have Read & Execute, Read, and Write permissions inherited from parent folders. Click OK.


Notice in Explorer that Secrets.txt is displayed in green (the default color and settings) to indicate its EFS status.

16. Open Secrets.txt with Notepad and view your message to confirm that you can access the data even though the file is now encrypted.

17. Close Notepad.

Attempting Access to EFS Content as User2

1. Log on to the local computer as User2 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.


You may have to enable viewing of the folders and files on the C: drive by selecting Show The Contents Of This Folder in the right pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Attempt to open Secrets.txt. Notepad launches, but even though you just confirmed that you have permission to read the Secrets.txt document, you get the error message Access is denied. EFS has this document encrypted so that only User1 and the EFS Data Recovery Agent can decrypt the file.

6. Click OK to clear the error message, and then close Notepad.

Creating EFS Content as User2

1. Still logged on as User2, in the GOODSTUFF folder in Explorer, right-click in the white space in the right pane and select New ⇒ Text Document.

2. Rename the new text document User2Secrets.txt.

3. Open User2Secrets.txt with Notepad and type a message.

4. Save User2Secrets.txt with the new content.

5. Close Notepad.

6. Right-click User2Secrets.txt and select Properties.

7. Click Advanced.

8. Enable Encrypt Contents To Secure Data.

9. Click OK in the Advanced Attributes dialog box.

10. Click Apply in the User2Secrets.txt Properties dialog box. You will be prompted to either encrypt the folder and all content or encrypt just this one file. Select Encrypt The File Only.


In order for User1 to enable User2 to decrypt Secrets.txt, User2 must first enable EFS on at least one file on this system. That first encryption generates User2's EFS certificate and encryption key, which User1 then uses to grant User2 access to Secrets.txt.

11. Select the Security tab of the Properties dialog box. Select the Users group in the top pane. Notice that users of the local system have Read & Execute, Read, and Write permissions inherited from parent folders.

12. Click OK.

13. Notice in Explorer that both files, Secrets.txt and User2Secrets.txt, are now displayed in green (the default color and settings), indicating the EFS status of the files.

14. Open User2Secrets.txt with Notepad and view your message to confirm that you can access the data when logged on as User2 even though the file is now encrypted.

15. Close Notepad.

16. Log off as User2.

Sharing EFS Content to User2

1. Log on to the local computer as User1 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Open Secrets.txt with Notepad to confirm that User1 has access to the EFS content.

6. Close Notepad.

7. In Explorer, attempt to open User2Secrets.txt. Once again Notepad launches, but even though you just confirmed that User1 has permissions to read the User2Secrets.txt document, you get the error message Access is denied. EFS has this document encrypted so that only User2 can decrypt the file.

8. Click OK to clear the error message, and then close Notepad.

9. In Explorer, right-click on Secrets.txt and select Properties.

10. Click Advanced.

11. Select Details. Notice that User1 is the only user listed as Users Who Can Transparently Access This File. Also notice that Administrator is listed as the Data Recovery Agent for Secrets.txt. This is due to the EFS Data Recovery Agent policy you implemented earlier in this task.


12. Click Add.

13. Highlight User2.

14. Click View Certificate. This certificate for User2 holds User2’s encryption key. With this key, User1 can grant User2 access to the EFS content, Secrets.txt. Close the certificate.

15. Click OK in the Select User dialog box.

16. Notice that now both User1 and User2 are listed as Users Who Can Transparently Access This File.


17. Click OK in the Encryption Details dialog box.

18. Click OK in the Advanced Attributes dialog box.

19. Click OK in the Secrets.txt Properties dialog box.

20. Open and view Secrets.txt to confirm that you still have access to the data.

21. Close Secrets.txt.

22. Log off as User1.
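The checks performed through the Explorer dialogs in this task can also be made from the command line. The following PowerShell script is an added example, not part of the book's procedure: it verifies the volume is NTFS, reads the Encrypted and Compressed attributes, encrypts the file for the current user if it is not yet encrypted, and lists the users and recovery agent that can decrypt it. It assumes the lab's C:\GOODSTUFF\Secrets.txt and a Windows version whose cipher.exe supports /C (Windows Vista and later; on XP the equivalent is efsinfo /U /R from the Support Tools).

```powershell
# Added example (not from the book): inspect the EFS state of a lab file.
# Assumes C:\GOODSTUFF\Secrets.txt from this task; cipher /C needs Vista or later.
param([string]$Path = 'C:\GOODSTUFF\Secrets.txt')

# 1. EFS exists only on NTFS; FAT volumes (including floppies) cannot hold EFS content.
$drive = New-Object System.IO.DriveInfo -ArgumentList (Split-Path -Qualifier $Path)
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); EFS requires NTFS"
}

# 2. Read the NTFS attributes. Encrypted and Compressed are mutually exclusive,
#    which is why the Advanced Attributes dialog clears one when you enable the other.
$attrs      = [System.IO.File]::GetAttributes($Path)
$encrypted  = ($attrs -band [System.IO.FileAttributes]::Encrypted)  -ne 0
$compressed = ($attrs -band [System.IO.FileAttributes]::Compressed) -ne 0
if ($compressed) { throw "$Path is compressed; NTFS will not encrypt a compressed file" }

# 3. If the file is not yet encrypted, encrypt it for the current user only.
#    This is the API behind 'Encrypt Contents To Secure Data' with 'Encrypt The File Only'.
if (-not $encrypted) {
    [System.IO.File]::Encrypt($Path)
    Write-Host "Encrypted $Path as $env:USERNAME"
} else {
    Write-Host "$Path is already EFS-encrypted"
}

# 4. Show who can transparently decrypt the file and which Data Recovery Agent
#    certificate is attached. Until User2 is added, expect only the encrypting user,
#    plus the Administrator DRA from the local EFS policy configured in this task.
cipher.exe /C $Path

# 5. Try to read the content. A user not listed by cipher /C gets 'Access is denied'
#    even though NTFS permissions grant Read, exactly as User2 saw earlier in this task.
try {
    Get-Content -Path $Path -ErrorAction Stop | Out-Null
    Write-Host "Decryptable as $env:USERNAME"
} catch {
    Write-Host "Not decryptable as ${env:USERNAME}: $($_.Exception.Message)"
}
```

Run it once as User1 and once as User2 before and after the Sharing EFS Content steps to see the Users Who Can Transparently Access This File list change.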

Attempting Access to EFS Content as User2

1. Log on to the local computer as User2 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.


You may have to enable viewing of the folders and files on the C: drive by selecting Show The Contents Of This Folder in the right pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. Attempt to open Secrets.txt. You now have access to the contents of Secrets.txt as User2.

6. Log off as User2.

Criteria for Completion

You have completed this task when you have created secure content and confirmed that other users, even with appropriate NTFS permissions to view this content, cannot decrypt it; configured the secured content to allow selected other users access to this sensitive data; and confirmed that those additional users can access the encrypted data.
