How to use encryption

You can encrypt files and folders using the same procedure you use to compress them (see "How to use compression" earlier in this session). The Advanced Attributes dialog box also contains a check box labeled "Encrypt contents to protect data." Checking that check box encrypts the files or folders you've selected.

You cannot apply both compression and encryption to the same files or folders. If you select one option, the other is automatically cleared. You have to choose one or the other.

When you encrypt a file, Windows Server 2003 asks if you want to encrypt only the file, or if you want to encrypt the file and its parent folder. Select the appropriate option to complete the encryption process.

By default, only the user who encrypts a file can decrypt it. So, while it is a common practice for administrators to compress files for their users, the users have to encrypt their own files. Once a file is encrypted, not even an administrator can access it.

By default, the names of encrypted file and folder are displayed in green. You can change the color by selecting Folder Options from the Tools menu in Windows Explorer.

After you encrypt a file, you can view its Advanced Attributes again and click the Details button next to the encryption check box. The Encryption Details dialog box, shown in Figure 8-2, enables you to specify other users who can decrypt the file. You can also see (but not modify) a list of users who can act as Data Recovery Agents, which are users authorized to decrypt the file on behalf of your organization.

Encryption Details for C:\Dociiments and Settings'..Administrator'',My D.

J sers Who Can Transparently Access This File:

User Name

1 Certificate Thum...

[email protected]]

4939 B49B 954...

Add.. ;|

Backup Keys

Data Recovery Agents For This File As Defined By Recovery Policy:

Certificate Thum... T

Recovery Agent Name

Data Recovery Agents For This File As Defined By Recovery Policy:

Certificate Thum... T

Recovery Agent Name

Figure 8-2 Managing an encrypted file

Users on the "allowed" list can access encrypted files transparently, as if they were not encrypted at all. Users on the Recovery Agents list must take special steps to decrypt a file, and they must save a decrypted copy in order to access the contents of the file.

Rules for encrypted files and folders






















Encryption follows the same rules for moving and copying as file compression (see "Rules for compressed files and folders" earlier in this session). Encrypted items that are moved on the same volume retain their encryption; items moved to a different volume, or copied, take on the encryption attribute of their new folder.

Remember that only the user who encrypts a file (or users they permit) can decrypt it. This rule often trips me up when I'm trying to move files to a different volume or copy the file. Because those operations may require the file to be decrypted, they can be performed only by a user with permission to decrypt the file.

Recovering encrypted files

Domain administrators define recovery agents using domain security policy. These agents are added to the "recovery agents" list of all encrypted files on all computers that belong to the domain. The agents can decrypt any encrypted file. To do so, they must back up the encrypted file, restore it to a secure computer, log on as a recovery agent, and decrypt the file.

World Metro Bank

World Metro Bank has decided to make good use of the Encrypting File System. Users in the bank are encouraged to encrypt sensitive files that contain confidential customer information, such as loan documents. Once a customer loan is complete, the encrypted files are backed up to tape for archival purposes and removed from the file servers.

Should the files ever be needed, they can be restored from tape, and either decrypted by the original loan officer or decrypted by one of the bank's designated Recovery Agents.

Encrypted file recovery is usually performed only if the original, encrypting user has left the organization, has somehow lost her digital encryption certificate (which is usually managed automatically by her workstation operating system), or if a law enforcement agency requests that the file be decrypted.

Encrypted file recovery can be a complicated task, depending on the configuration of your organization's domains. Read the Windows Server 2003 documentation thoroughly before attempting to recover encrypted files.

Disk Quotas

One of the most common uses for Windows Server 2003 is as a file server: a central repository where users can store their data files. Unfortunately, users often forget to clean up old files, they save many copies of the same file, and they do other things that result in a lot of server disk space being consumed. Sure, hard disks 10 Min. are getting bigger and less expensive every day, but no company wants to pay for To Go disk space that's being wasted.

Disk quotas were created to help manage how users utilize server disk space. You can define quotas, which assign specific space limitations (called thresholds) to specific users. The thresholds apply for an entire volume, and users who exceed the threshold can be cut off — preventing them from using any more disk space.

Quota warnings are sent using the Windows Messenger service and appear as a small pop-up dialog box on users' computers. Users' computers must be running the Messenger service (which is installed and started by default) in order to receive quota warnings.

Using disk quotas

You have to enable disk quotas on a per-volume basis, and they can be enabled only on volumes that use the NTFS file system. To enable disk quotas, right-click the volume in Windows Explorer, and click on the Quota tab. As shown in Figure 8-3, checking the "Enable Quota management" check box makes the rest of the tab's options available to you.


e to

00 y

Local Disk (C:) Properties


. . .

Shadow Copies | Remote Storage Quoti

^^ Status: Disk quotas are disabled

Shadow Copies | Remote Storage Quoti

^^ Status: Disk quotas are disabled

Enable quota management ¡Deny disk space to users exceeding quota limilj Select the default quota limit loi new useis on this volume: (* Do not limit disk usage C Limit disk space to |No Limit

Set warning level to.i |No Limit

Select the quota logging options for this volume:

V Loa event when a user exceeds theii quota limit

V Log event when a user exceeds theii warning level

.Quota Entries.. j

Figure 8-3 Enabling quota management

The Quota tab has several options. Here's what they do:

• Deny disk space to users exceeding quota limit. Check this check box to prevent users from using any more disk space once they exceed their quota threshold.

• Limit disk space to. This option enables you to specify the maximum amount of disk space each user can utilize on the volume.

• Set warning level to. This option warns users that they are approaching their quota limit when they reach the designated utilization level. This option should be set at a lower level than the "Limit disk space to" option.

• Logging options. The two logging options cause Windows .NET Server 2003 to create an Event Log entry whenever a user exceeds the warning limit you set or when they exceed their quota limit.

The options on the Quota tab are the defaults and apply to all users who do not have a specific quota entry. If you leave the "Do not limit disk space to" option selected (the default), only those users with a specific quota entry are limited.

Only files that a user owns count against that user's quota. By default, users own the files they create. Administrators (or anyone with the correct permissions) can take ownership of a file; when they do so, the file then counts against their quota.

To create a quota entry, click the Quota Entries button. The Quota Entries dialog box, shown in Figure 8-4, enables you to review existing entries, edit them, and create new ones.

Figure 8-4 Quota entries

To create a new quota entry, select New Quota Entry from the Quota menu. Enter the user names (you cannot use groups) that the new quota will apply to. Then, enter the maximum amount of disk space and a warning level for those users. Keep the following facts in mind:

• Quota entries override the default settings, which you specify on the Quota tab.

• Windows Server 2003 creates a default quota entry for Administrators, specifying no limit. Applying a limit to Administrators can cause Windows Server 2003 to malfunction.

• Any users who do not have a specific quota entry will use the default quota, which you specify on the Quota tab.

• If you set a default quota on the Quota tab, you can exempt specific users by creating a "No limit" quota on the Quota Entries dialog box and including the appropriate user accounts in the quota entry.

• Quotas are created on a per-volume basis. If your server has multiple volumes, and you want the same quotas on each volume, you have to create them on each volume. The Quota Entries dialog box enables you to export quota entries to a file. You can then import those entries from the file into another volume's Quota Entries dialog box.


e to

00 y if

You can use the Quota Entries dialog box to see which quota entries have reached a warning level and which ones have been exceeded. Checking the dialog box every so often is a great way to keep tabs on your users' disk use.

Disk quotas and compression

What if your users compress some of their files? The files use less disk space, but the users may need to uncompress the files some day. To avoid problems when users uncompress their files, Windows Server 2003 uses the uncompressed file size in quota calculations, regardless of how much disk space the file is actually using.

This behavior may cause some confusion with your users. They can use Windows Explorer to see that the compressed files aren't using the entire amount of space allotted in their quota, yet they may be receiving warning messages that their quota is approaching its limit. You need to educate your users and explain that the uncompressed file size is used in quota calculations.



In this session, you learned how to use file compression to compress files so that they use less disk space than they normally would. You also learned how to use file encryption to protect sensitive files and how to recover encrypted data if necessary. You also learned how to use disk quotas to limit the amount of disk space users can fill up on your servers.

Quiz Yourself

1. What happens if you move a compressed file to a different hard disk? (See "Rules for compressed files and folders.")

2. What happens if you mark a folder for encryption and then create a new Notepad file in that folder? (See "How to use encryption.")

3. Can you encrypt and compress a file at the same time? (See "How to use encryption.")

4. What types of restrictions can you apply using disk quotas? (See "Disk Quotas.")

5. How does file compression interact with disk quotas? (See "Disk quotas and compression.")

Computer Hard Drive Data Recovery

Computer Hard Drive Data Recovery

Learn How To Recover Your Hard Drive Data After A Computer Failure.

Get My Free Ebook

Post a comment