Filesystem security is greatly enhanced in NTFS with the following:

• Encrypting Filesystem (EFS): An encryption technology that runs as an integrated system service providing transparent file encryption and decryption. File permissions and logon authentication protect files, folders, and network resources from unauthorized access. But what if a computer or disk is stolen? Without an access check, anyone that has physical access to disk or computer can access the data. When a user opens a file, EFS transparently decrypts the data. When a user saves the file, the data is encrypted without user intervention, in the background. EFS uses three encryption algorithms to encrypt and decrypt the data:
  • DESX: An enhanced version of Data Encryption Standard (DES).
  • 3DES or Triple-DES: Uses a 128-bit or 168-bit key.
  • AES or Advanced Encryption Standard: The best alternative to DESX and 3DES. It uses a 256-bit key and a symmetric encryption algorithm, and it is equally fast in software and hardware implementations—significantly faster than DESX or 3DES—making it suitable to use as an encryption standard of choice in Windows OS.
• Access Control Lists (ACL): Files and folders support Allow and Restrict permission types that can be applied at a granular level.
• BitLocker Drive Encryption: While EFS is a file-level encryption method that provides protection from users and processes, BitLocker is a volume-level encryption technology that provides additional data protection and security. It is integrated in the operating system and mitigates the threats of lost, stolen, or inadequately-decommissioned computers. It uses AES 265-bit encryption and supports the Trusted Platform Module (TPM) chip for increased security.