Sarasota PC Monitor
Tech Talk (02/04)
Safeguarding Your Files
by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.There are times when you might not want all of your files and folders to be accessible to anyone who uses your computer. For instance, you may have grandchildren who love to use your computer when they are visiting. Naturally, you don't want them disturbing or destroying any of your important files. There are several ways you can protect the files and folders on your hard drive.
The easiest method is to simply create a hidden folder containing your most important files. This can easily be done using "My Computer" or "Windows Explorer". This system will work in Win98/ME and WinXP. I suspect it will also work in Win2K, but I haven't tried it.
Anyway, to start open up a "My Computer" window which shows the folders on your hard drive. Then, go to File - New and create a new folder. Give it any name you like. Then right click the folder and select "properties" on the pop-up menu. In the Properties window you will see a section marked "Attributes". Click in the box next to "Hidden" and then click "Apply". After you click "OK", the folder you created will disappear. If it does not disappear, then you have to change a setting in your folder options to NOT display hidden files and folders. To do that in WinXP, select "Tools" from the menu and then select "Options". In the Options window click on the "View" tab and under the item "Hidden Files and Folders" click in the circle by "do not show hidden files and folders". Obviously, if you click by the other line, your hidden files and folders will show.
In Win98 I prefer to use Windows Explorer as a file manager. So, open up WinExplorer and display your folder list. I then opened "My Documents" folder and selected one folder. Right clicking this folder and selecting "Properties". Then click in the box by "Hidden" in the "Attributes" section. Click on Apply and then OK. Finally, close Explorer and reopen it. If your folder options are set to not display hidden files and folders, you will no longer see the folder.
You can still access your hidden folder by typing in the path and file name in the "address bar" of the Windows Explorer window. However, you must type it exactly, or it won't be found. Also, if the folder does not disappear, then you need to check your folder view options. To do that, click on "View" from the Explorer top line menu and select "Folder Options". In the next window, click on the "View" tab. Then click by the "do not show hidden or system files". If you have to change this option, you need to close and reopen Explorer in order to see the change.
Once you have hidden a folder, you can find it by changing the view option back. You can also save documents in this folder as long as you know the path and the folder name. In any application instead of using the file listing to find the folder and save your file, you must type in the drive letter, the path and the file name. For example in Microsoft Word in the Save window, I can type in "{driveletter}:\test folder\test file and the file will be saved in the hidden folder. You can also find the file in the "My Computer" window by typing in the complete path/filename in the address line.
The only problem with this method of securing files is that anyone can still find them if they suspect that you might have hidden a folder. Obviously, as you can see from the ease in revealing hidden files, this is not a totally secure system.
Windows XP Professional does have a method for encrypting files that will protect them from anyone other than the user who created them. However, to use this system, you must password protect each user account on the system. Otherwise, other users will be able to access the encrypted files by using your user account. The administrator account can also access the encrypted files but can not open them directly. Note that this encryption is not available in the Home edition of Windows XP, only the Professional version and it requires that the NTFS file system be used on the hard disk. It will not work with the FAT32 file system.
The actual process of setting up encrypted files is quite simple. The difficult part is what is occurring behind the scenes that you never have to worry about. XP has a built-in Encryption File Service that handles the process for you. When you first encrypt a file or folder it randomly generates a File Encryption Key. The encryption uses the expanded "Data Encryption Standard" (DESX) or the "Triple-DES" (3DES). The DESX is the default encryption method. The encryption process uses a public and a private key. The private key is stored in an encrypted folder and is encrypted by a master key that is 64 bytes in length. The master key is generated by a strong random number generator. Should your files fall into the hands of some third party they would not be able to open them without the public/private key combination. This is especially useful for those using laptop computers when they travel. Should the computer be stolen, the encrypted files would not be accessible. Again, providing the user account is properly password protected.
Microsoft recommends that encryption be applied to a folder rather than to individual files. Then any files saved, copied or moved into that folder will be automatically encrypted. You can, for example, encrypt your "My Documents" folder by right-clicking the folder icon in "My Computer" and selecting "Properties". Then click on the "Advanced" button in the right side of the Attributes section. In the next window there is a section "Compress or Encrypt Attributes". Check the box by "encrypt contents" and click OK. When you are asked if this should apply to all subfolders and files, click OK. The contents of the folder will be automatically encrypted.
You really won't notice any difference in the handling of the encrypted files. You can open them in your usual application, modify them and save them. The encryption/decryption is handled on the fly by the EFS. Encryption is expected to be applied to data files, not applications, DLL's or system files. In fact, the operating system prevents encryption of system folders, files and locations in the %SYSTEMROOT%\... path. When a user attempts to encrypt a system file, or attempts to copy an encrypted file into the system path, the user will receive an "access denied" message.
Once you have encrypted a folder, then you should also set up a data recovery agent (DRA). This allows recovery of encrypted files where a user's data encryption key may have been lost or damaged. The administrator account on your computer can be setup as a data recovery agent. Another method to allow recovery of encrypted files is to export the EFS recovery keys to a backup media such as a floppy disk or a writeable CD.
In order to setup a DRA in Windows XP you must first create a recovery agent certificate. To do this, you must be logged in as an administrator. Then open a command prompt window by going to Start-Run and typing "cmd", without the quotes. You should be in the "Documents and Setting\admin-name" subdirectory. Admin-name being the administrator mode name on your computer. Then type "cipher /r:filename", again without the quotes. The filename can be anything you choose, but it can also be the administrator name you have assigned on your computer. This creates a file containing the certificate and a private key, the pfx file. It will also generate a certificate file, the cer file.
Next you need to run the Microsoft Management Console. Go to Start-Run and type in "mmc" and click OK. Then in the console window, select File, then select Add/Remove Snap-in. Then click the Add button. Under Snap-in, double-click Certificates, then select Computer Account and click Next. In the next window the box should read Local Computer. If it does, just click Finish. Otherwise, select Local Computer from the drop down list. Then click on Close. The certificate should show on the list of selected snap-ins for the console.
Next go back to Add/Remove Snap-in and click Add. Then select Group Policy and click Add. The box should then show Local computer as before, so click Finish, Close and OK. In the console window, click the plus sign by Group Policy. This should expand to show Local Computer policy. Keep opening categories to expand Computer configuration, Windows settings, Security settings and finally Public Key Policies. On the Action Menu select Add Data Recovery Agent. In the next window click on Browse. This should open the file window for \Documents and Settings\Admin-name and you should see the cer file you created earlier. Double click this to add the DRA to the Public Key Policy. Then close out the windows by clicking OK or Finish as appropriate. When you click OK in the console window it will ask you if you want to save the file, click on Save and you are really finished with this part.
If you have problems with any of this process, Windows Help files have information on DRA and the MMC. Searching on either of these terms will provide you with more help information. Although this system is not perfect, it will protect your files from most intrusions by unauthorized users. However, if your user account has only weak password protection, then it could be cracked and your files would be accessible. The encryption only protects the files from access by other users who can not access your user account.
*Dr. Lewis is a former university & medical school professor. He has been working with personal computers for more than thirty years. He can be reached via e-mail at bwsail@yahoo.com or voice mail at 941/925-3047. :
Copyright 2004. This article is from the February 2004 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in, please send to above address, Attn: Editor. For further information about our group, email: admin@spcug.org/ Web: http://www.spcug.org/The Sarasota Personal Computer Users Group, Inc. has 1,100+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.
See http://www.spcug.org for all reviews from the Sarasota PC Monitor, go to the Newsletter Section.