Encrypting Data

Like Windows 2000, Windows Server 2003 supports the Microsoft Encrypting File System (EFS), which enables users and administrators to encrypt files using Windows' strong built-in encryption. Encryption adds a layer of protection on top of NTFS file permissions: even if the server is compromised and someone gains access to the encrypted files (by walking off with the disk or a backup tape, for example), he can't read them without the private key of the user who encrypted them or of a designated recovery agent. Keep in mind what EFS does not protect against, though: anyone who can log on with the encrypting user's credentials reads the files transparently, because the user's EFS private key is unlocked by that logon. EFS is therefore only as strong as the password guarding the account and the discipline around recovery-agent keys, and it complements permissions rather than replacing them.

Windows Server 2003 takes EFS one step further than Windows 2000, however, incorporating multiple-user access (a feature already present in Windows XP). Under Windows 2000, only the user who encrypted a file, or a designated recovery agent, can decrypt it; in Windows Server 2003, users and administrators can designate other users to have decryption capabilities as well. Two conditions apply: you must be able to decrypt the file yourself before you can share it, and each user you add must already have an EFS certificate (one is created automatically the first time a user encrypts a file, or a CA can issue one). To access the new feature, right-click any encrypted file and select Properties from the pop-up menu. Then, select Advanced in the Properties dialog box and click Details next to the check box that enables encryption. You'll see a dialog box similar to the one in Figure 4.9, in which you can manage the users who can access the file.

Figure 4.9. Adding multiple users is great for departments that need to protect files while still providing access for multiple users.



Keep in mind that EFS doesn't encrypt folders. You can designate a folder for encryption, but that simply sets the encryption attribute on the folder, which tells Windows to individually encrypt each file within it, including files created in or copied into it later. Because each file is encrypted separately, you can't assign multiple decryption users on a folder; you have to make the assignment on the files themselves. You can, however, highlight multiple files in Explorer and change their properties all at once.
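The same steps described above for the Properties dialog, encrypting a departmental folder and then granting a second user decryption rights on every file in it, can be scripted with cipher.exe, which ships with Windows XP and Windows Server 2003. The following script is an added example and is not taken from the chapter or from Microsoft; the folder name D:\Finance, the certificate path C:\certs\jdoe-efs.cer and the user jdoe are illustrative assumptions.

```batch
@echo off
rem Added example (not from the original chapter): the Properties-dialog
rem procedure driven from cipher.exe so it can be scripted and repeated.
rem Assumed names: D:\Finance is the departmental folder; C:\certs\jdoe-efs.cer
rem is the EFS certificate (public key only) that user jdoe exported from
rem Certificates (Current User) > Personal. Substitute your own values.
rem Run this as the user who owns the files (or as someone who can already
rem decrypt them); you cannot share a file you cannot decrypt.
setlocal
set FOLDER=D:\Finance
set USERCERT=C:\certs\jdoe-efs.cer

rem 1. Encrypt the folder. /E sets the encryption attribute on the folder, so
rem    files created or copied into it later are encrypted automatically.
rem    /A also encrypts the files it already contains, and /S recurses into
rem    subfolders. Every file gets its own file encryption key; the folder
rem    itself holds no encrypted data.
cipher /E /A /S:%FOLDER%

rem 2. Give jdoe decryption rights. Sharing is a per-file property, so
rem    /ADDUSER walks the files under /S:dir and adds the certificate from
rem    /CERTFILE to each one. This is the command-line equivalent of
rem    multi-selecting the files in Explorer and using Details > Add.
rem    jdoe must already hold an EFS certificate; an account that has never
rem    encrypted a file (and has not been issued one by a CA) has none.
cipher /ADDUSER /CERTFILE:%USERCERT% /S:%FOLDER%

rem 3. Verify. Without /E or /D, cipher lists the folder and flags each entry
rem    E (encrypted) or U (unencrypted). Who can decrypt each file is shown
rem    in the Details dialog; the efsinfo tool from the Resource Kit reports
rem    the same information from the command line (efsinfo /U /R file).
cipher %FOLDER%

rem 4. When jdoe leaves the department, remove the certificate again.
rem    /REMOVEUSER needs the SHA-1 thumbprint of the certificate, which the
rem    Details dialog and the certificate's own Details tab both display.
rem    Left commented out here because the thumbprint is site-specific:
rem cipher /REMOVEUSER /CERTHASH:<thumbprint> /S:%FOLDER%
endlocal
```

Note that /ADDUSER only touches files that exist when the command runs. A file that jdoe's colleague creates in the folder tomorrow is encrypted (because of the folder attribute) but shared with nobody, so the script, or the manual Details > Add step, has to be repeated for new files. A designated recovery agent, by contrast, is added to every file at encryption time by policy, which is why recovery-agent keys deserve the same care as the users' own.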

Windows Server 2003 also provides complete support for encrypting network data via the IPSec network security protocol, Secure Sockets Layer (SSL) encryption for HTTP and other protocols, and so forth. For more information on these security options, see the cross-reference list at the end of this chapter.