Posted 05 June 2010 - 01:13 PM
Posted 05 June 2010 - 01:22 PM
Posted 05 June 2010 - 01:23 PM
Posted 05 June 2010 - 01:27 PM
The following is the list of standard practices:
* Teach users to export their certificates and private keys to removable media and store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When the encrypted files must be accessed, the private key can easily be imported from the removable media.
* Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.
* Teach users to never encrypt individual files but to encrypt folders. Programs work on files in various ways. Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.
* The private keys that are associated with recovery certificates are extremely sensitive. These keys must be generated either on a computer that is physically secured, or their certificates must be exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure location.
* Recovery agent certificates must be assigned to special recovery agent accounts that are not used for any other purpose.
* Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents are changed periodically). Keep them all, until all files that may have been encrypted with them are updated.
* Designate two or more recovery agent accounts per organizational unit (OU), depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file recovery. Having two computers that hold these keys provides more redundancy to allow recovery of lost data.
* Implement a recovery agent archive program to make sure that encrypted files can be recovered by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure off-site location.
* Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.
* The Encrypting File System does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients using Encrypting File System (EFS).
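The list above is written as policy. As an added example, not code from the original post or from Microsoft, the PowerShell below carries out the items a workstation administrator can script: encrypting the personal folder rather than single files, exporting the user's EFS certificate and private key to a password-protected .pfx on removable media, verifying the export before the key is removed from the machine, and generating a recovery agent key pair with `cipher /r`. It assumes Windows 8 / Server 2012 or later (the `Export-PfxCertificate` and `Get-PfxData` cmdlets of the PKI module), an elevated session, and the function names and the `E:\efs-keys` media path are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (PKI module: Export-PfxCertificate, Get-PfxData). Paths and function names are
# constructed placeholders; cipher.exe switches used here are /e, /s:, and /r:.

$ErrorActionPreference = 'Stop'
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Protect-PersonalFolder {
    # Practice: encrypt the whole My Documents folder (recursively), never individual files,
    # so anything a program saves there is encrypted by default.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    cipher.exe /e /s:"$docs" | Out-Null
    # Verify by reading the Encrypted attribute instead of trusting the exit code.
    $attrs = (Get-Item -LiteralPath $docs).Attributes
    if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
        throw "Folder '$docs' is not marked encrypted."
    }
    return $docs
}

function Get-UserEfsCertificate {
    # Most recent EFS certificate in the user's personal store that still has its private key.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Export-EfsKeyToMedia {
    # Practice: certificate and private key go to removable media as a password-protected
    # .pfx; with -RemoveFromComputer the private key is deleted from the machine afterwards,
    # but only once the exported file has been proven readable with that password.
    param(
        [Parameter(Mandatory)][string]$MediaRoot,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$RemoveFromComputer
    )
    $cert = Get-UserEfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My.' }

    New-Item -ItemType Directory -Path $MediaRoot -Force | Out-Null
    $pfxPath = Join-Path $MediaRoot "efs-$($cert.Thumbprint).pfx"
    $cert | Export-PfxCertificate -FilePath $pfxPath -Password $Password | Out-Null

    # Read the file back before anything is deleted; a typo in the password is caught here.
    $check = Get-PfxData -FilePath $pfxPath -Password $Password
    if ($check.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
        throw "Exported file '$pfxPath' does not contain the expected certificate."
    }

    if ($RemoveFromComputer) {
        # The key leaves the computer; it is re-imported from the media when files must be read.
        Remove-Item -LiteralPath $cert.PSPath -DeleteKey
    }
    return $pfxPath
}

function New-RecoveryAgentKeyPair {
    # Practice: generate the recovery agent certificate on a physically secured computer.
    # cipher /r writes <BaseName>.cer (certificate only, for Group Policy) and <BaseName>.pfx
    # (certificate plus private key, password prompted by cipher) for the secured archive.
    param([Parameter(Mandatory)][string]$BaseName)
    cipher.exe /r:"$BaseName"
    return @("$BaseName.cer", "$BaseName.pfx") | ForEach-Object { (Resolve-Path $_).Path }
}

# Usage (E:\efs-keys is a constructed placeholder for the removable media):
$pw = Read-Host -AsSecureString -Prompt 'Password protecting the exported .pfx'
Protect-PersonalFolder
Export-EfsKeyToMedia -MediaRoot 'E:\efs-keys' -Password $pw
# On the dedicated recovery computer only:
# New-RecoveryAgentKeyPair -BaseName 'C:\secured\recovery-agent-01'
```

`Remove-Item -DeleteKey` is the step that actually takes the private key off the computer; without it the .pfx is only a backup and the list's first practice is not met. Run the export without `-RemoveFromComputer` first and test an import from the media on another machine before relying on the removal.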