The basic COPY command has been extended with two new switches that allow the exporting and importing of a ciphertext object. The /E switch exports an encrypted file in ciphertext without setting the EFS bit. This file can then be read only by using the COPY command again with the /I switch, which copies the ciphertext file and marks the encryption bit.

The encryption of files does not modify the normal file operations of renaming or moving. When you move an encrypted file on the same partition, the pointer in the directory is changed, but nothing in the encryption fields is modified. A rename operation on an encrypted file changes only the filename, once again not modifying any field tied to the encryption process.

The new Cipher Utility allows users to encrypt/decrypt files or directories at the command prompt. The included switches for this utility allow the user to indicate whether the requested operation should be performed on all files and subdirectories, and whether the operation is to continue in the event an error has occurred, and they force encryption of already encrypted files.

The EfsRecvr Utility can be used to recover an encrypted file if the owner's private key is corrupted or lost. This EfsRecvr utility has switches that are similar to the Cipher Utility in that the Recovery Agent can indicate how much of the directory structure is to be recovered and whether the process should continue even if an error has occurred.

The Encrypting File System follows the Windows NT operating system model. Some of the encryption activity is handled down in the protected mode, known as the kernel mode, while other tasks are performed in user mode. Windows 2000 has added in kernel mode the Encrypting File System driver, which, at initialization time, registers seven EFS Callout functions with the NTFS driver. When the NTFS driver needs to do any Encrypting File System operation, NTFS makes a call to one of the appropriate callout functions. The other component employed in kernel mode is known as the KSecDD driver. The role of the KSecDD driver in the encryption process is to send the Local Procedure Call messages from the Encrypting File System driver to the Local Security Authority Subsystem.

Configuring Windows 2000 Server Security: Encrypting File System for Windows 2000
Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT, Debra Littlejohn Shinder, MCSE, MCP+I, MCT, D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.
ISBN: 1928994024 Pub Date: 06/01/99

Windows 2000 has added to the Local Security Authority Subsystem, which runs in user mode, a series of internal functions for encryption/decryption operations. In the encryption process, the internal function EncryptFileSrv plays a major role. Also located in user mode is a Cryptographic Provider, which currently is the Microsoft Base Cryptographic Provider 1. One major responsibility of this Cryptographic Provider is to provide the RSA encryption operation after a session has been established.

The EFS File Information is created by the EncryptFileSrv function call. The information includes a checksum, the Data Decryption Field, and the Data Recovery Field. The checksum is used at decryption time to verify the integrity of the EFS File Information. The DDF is a list of owner key entries, and the DRF is a list of Recovery Agents' key entries. This EFS File Information is used with every occurrence of decryption.

FAQs

Q: Do encrypted files have to be stored on the local hard drive, which would result in users having to be responsible for backing up their hard drive daily?
A: The Encrypting File System is not limited in design to storage only on the local hard drive. The encrypted file can be stored on any file server located on the network. The EFS is responsible for file encryption and is not assigned the additional task of securing packets on the network. The functionality of packet security on the network is part of SSL.

Q: Our corporation is an international company. Can I use the 128-bit encryption at some locations and not at others, without having encryption problems?
A: By default, EFS provides standard 56-bit encryption to its U.S. customers. For security reasons, they can obtain the 128-bit encryption by ordering the Enhanced CryptoPAK from Microsoft. The files encrypted with the Enhanced CryptoPAK cannot be decrypted, accessed, or recovered on a system that supports 56-bit encryption only.

Q: How would you summarize the basic steps that occur on Windows 2000 when a file is encrypted?
A: The basic steps are:
1. When a user executes an encryption request, the NTFS driver makes a request to the appropriate EFS Callout function.
2. The requester's user profile is loaded into the Registry if it is not already there.
3. A log file is created that records events as they occur during the encryption process.
4. The EFS identifies the user's key pair and then uses the public key to create an entry in the Data Decryption Field for the user.
5. Entries are created in the Data Recovery Field for each Recovery Agent.
6.
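The Data Decryption Field, Data Recovery Field and checksum described above can be modelled in a few lines of Python. This is an added example, not code from the book or from Windows: it assumes a per-file key (`fek`) that every DDF and DRF entry wraps, textbook RSA over small known primes in place of the Cryptographic Provider, and SHA-256 in place of the EFS checksum; all function and user names are hypothetical.

```python
import hashlib, json, secrets

E = 65537  # public exponent shared by the toy key pairs

def toy_keypair(p, q):
    """Textbook RSA from two known primes: a model only, not secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def wrap(fek, public):
    n, e = public
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap(blob, private, size=16):
    n, d = private
    return pow(blob, d, n).to_bytes(size, "big")

def checksum(ddf, drf):
    # Assumption: SHA-256 over the serialized fields stands in for the EFS checksum.
    data = json.dumps([ddf, drf], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def build_efs_info(fek, owners, agents):
    """owners/agents map a name to a public key; returns the per-file metadata."""
    ddf = {name: wrap(fek, pub) for name, pub in owners.items()}
    drf = {name: wrap(fek, pub) for name, pub in agents.items()}
    return {"ddf": ddf, "drf": drf, "checksum": checksum(ddf, drf)}

def recover_fek(info, name, private):
    """Verify the checksum first, then unwrap the caller's DDF or DRF entry."""
    if checksum(info["ddf"], info["drf"]) != info["checksum"]:
        raise ValueError("EFS file information failed its integrity check")
    entry = info["ddf"].get(name, info["drf"].get(name))
    if entry is None:
        raise PermissionError(f"no DDF or DRF entry for {name}")
    return unwrap(entry, private)

# Constructed sample keys built from Mersenne primes (toy sizes).
OWNER_PUB, OWNER_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
AGENT_PUB, AGENT_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    fek = secrets.token_bytes(16)
    info = build_efs_info(fek, {"alice": OWNER_PUB}, {"recovery-agent": AGENT_PUB})
    # The owner's private key is lost; the Recovery Agent's DRF entry still works.
    print("recovered via DRF:", recover_fek(info, "recovery-agent", AGENT_PRIV) == fek)
```

Because the same file key is wrapped once per owner and once per Recovery Agent, losing the owner's private key leaves the DRF entry as an independent path to the data, which is what EfsRecvr relies on.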