Best Practices for Windows Encryption Techniques

There are many options and strategies to consider when implementing encryption in Windows. Encryption can provide a valuable layer of protection for data, but it does come with a cost. Encrypting and decrypting data is slower than storing the data in unencrypted format. While the performance impact may not be noticeable, you must investigate its impact on your environment before encrypting large amounts of data. Encryption also increases the amount of administrative effort required to maintain system health. Policies must be kept up to date, and you should maintain recovery keys to use with encrypted objects if the primary keys become unusable. Maintaining recovery keys can require a significant amount of time for large organizations with many users. Before implementing encryption of any type, you must assess the cost to both performance and maintenance effort.

While no single set of rules or guidelines is the “best” for any specific environment, there are general best practices that should result in a secure environment. Here is a list of best practices for implementing encryption in a Windows environment:

  • Change your passwords periodically. The longer passwords remain unchanged, the higher the probability they will be compromised. Change passwords at least every 6 months.

  • Do not write down passwords. Use passwords that can be remembered. Passwords that are written down are easier for an attacker to find and use.

  • Export recovery keys to removable media and store the media in a safe place. EFS or BitLocker recovery information should be physically stored in a separate, safe location.

  • Encrypt the My Documents folder for all users. Since most people use My Documents for most document files, encrypting this folder will protect the most commonly used file folder.

  • Never encrypt individual files—always encrypt folders. This keeps any sensitive data from ever being written to the disk in plaintext.

  • Designate two or more recovery agent accounts per organizational unit. Designate two or more computers for recovery, one for each designated recovery agent account.

  • Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. This keeps sensitive information from being stored in plaintext on a print server.

  • Use multifactor authentication when using BitLocker on operating system volumes to increase volume security.

  • Store recovery information for BitLocker in Active Directory Domain Services to provide a secure storage location.

  • Disable standby mode for portable computers that use BitLocker. BitLocker protection is effective only when computers are turned off or in hibernation.

  • When BitLocker keys have been compromised, either format the volume or decrypt and encrypt the entire volume to remove the BitLocker metadata.

  • Require strong passwords for all VPN connections.

  • Use the strongest level of encryption that your situation allows for VPNs.

  • Use SSTP for VPNs when possible.

  • Disable SSID broadcasting for wireless networks.

  • Never use WEP for wireless networks—only use WPA/WPA2/WPA3.

  • Trust only certificates from CAs or trusted sites. Train users to reject certificates from unknown or untrusted sites.
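The BitLocker items in the list above (multifactor protector, recovery information escrowed in AD DS, standby disabled) can be checked and remediated from PowerShell. The following is an added audit script, not from the book; it assumes an elevated Windows PowerShell session on a domain-joined client with the BitLocker module available, and the Group Policy that permits backing up recovery information to AD DS already enabled.

```powershell
# Added example (not from the book): audit one BitLocker volume against the
# best practices listed above and remediate the gaps that can be fixed locally.
# Assumes: elevated session, BitLocker module present, domain-joined machine.
#Requires -RunAsAdministrator
param([string]$MountPoint = $env:SystemDrive)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    Write-Warning "$MountPoint is not fully protected: $($vol.VolumeStatus) / $($vol.ProtectionStatus)"
}

# Multifactor: an OS volume should require TPM plus a PIN and/or startup key, not the TPM alone.
$mfa = $vol.KeyProtector |
       Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
if (-not $mfa) {
    Write-Warning "No multifactor (TPM+PIN or startup key) protector on $MountPoint"
}

# Recovery information: make sure a recovery password protector exists, then escrow it in AD DS.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    # Fails unless the "Store BitLocker recovery information in AD DS" policy applies to this computer.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    Write-Output "Escrowed recovery protector $($p.KeyProtectorId) to AD DS"
}

# Standby: BitLocker protects only a machine that is off or hibernating, so turn off the
# automatic sleep timeouts on AC and battery and keep hibernation available.
# (Blocking user-initiated sleep additionally needs the power-management Group Policy settings.)
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /hibernate on
```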
