Windows Vista : Permissions and Security (part 2) - Protect Your Files with Encryption

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

2. Protect Your Files with Encryption

Encryption effectively adds another layer of protection for your especially sensitive data, ensuring that a file can only be viewed by its creator (well, sort of). If any other user—even someone with administrator privileges—attempts to view the file, she will see only gibberish.

When a file is marked for encryption, the encryption and decryption of the file are handled by Windows invisibly in the background when its creator writes and views the file, respectively. The problem is that Windows Vista's on-the-fly encryption can be somewhat unpredictable, and security is one place where you don't want there to be any guesswork.

Encryption is a feature of the NTFS filesystem and is not available with any other filesystem. This means that if you copy an encrypted file onto, say, a memory card, USB key, or CD, the file will become unencrypted, since none of those drives support NTFS.

Here's how to encrypt a file:

  1. Right-click one or more files in Windows Explorer and select Properties.

  2. Under the General tab, click the Advanced button.

  3. Turn on the Encrypt contents to secure data option, click OK, and click OK again.

  4. If you encrypt a folder that contains files or other folders, Windows will ask you whether or not you want those contents to be encrypted as well. In most cases, you'll want to answer Yes. If you decline, the folder's current contents will remain unencrypted, and only newly created files will be encrypted.

After a file has been encrypted, you can continue to use it normally. You'll never have to manually decrypt an encrypted file in order to view it.

Encrypting a file may not guarantee that it remains encrypted forever. For example, some applications, when editing and saving files, will delete the original file and then recreate it in the same place. If the application is unaware of encryption, the protection will be lost. The workaround is to encrypt the folder containing the file rather than the file itself.

If you change the ownership of a file and the file is encrypted, the encryption will remain active for the original owner and creator of the file, even though that user no longer technically "owns" the file.

Since all users need to access files in certain folders, such as the \Windows and \Windows\System folders, Windows won't let you encrypt files and system folders or the root directories of any drives.

Compression, another feature of the NTFS filesystem, reduces the amount of space consumed by a file or folder. The rules that apply to compression are more or less the same as those that apply to encryption. But you cannot simultaneously use encryption and compression on any object; turn on one option in the Properties window, and Windows will turn the other off.

2.1. Highlight encrypted files in Windows Explorer

By default, Windows Explorer visually differentiates encrypted files, which can be a very handy way to keep track of the scope of your encryption. In Control Panel, open Folder Options, choose View tab, and turn on the Show encrypted or compressed NTFS files in color option to use this feature, or turn it off if you want all your filenames to be printed in black text. Click OK when you're done.

By default, the names of encrypted files appear in green, while those of compressed files appear in blue (except for icons on the desktop). Note that files can't be simultaneously compressed and encrypted (as mentioned in the previous section), so you'll never see any turquoise, teal, or aquamarine filenames.

Actually, that's not entirely true. You can customize the color Windows uses to highlight encrypted filenames by editing the Registry:

  1. Open the Registry Editor .

  2. Expand the branches to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer.

  3. Create a new binary value by going to Edit → New → Binary Value, and type AltEncryptionColor for the name of the new value.

  4. Double-click the new AltEncryptionColor value, and then type a code to indicate the color you'd like to use, following this pattern:

    RR GG BB 00

    The RGB hex code used here follows the same scheme as RGB codes in HTML web pages (except for the two trailing zeros), which means you can use any common color mixer to generate the hex codes for you. For an excellent, free web-based color mixer, go to Or, if you have Adobe Photoshop, you can match an existing color with the eyedropper tool and grab the code from the # field in the color mixer window.

    For example, to get a nice aquamarine color, you'd type this:

    00 B4 C5 00

    Here, the first 00 indicates no red, the B4 is the hex code for 180 (out of 255; roughly 70% green), the C5 is the hex code for 197 (about 77% blue), and then the last two zeros are for good measure. Or, to get the default green color, type:

    00 80 40 00

    By the way, don't type the spaces; Registry Editor will do it for you.

  5. Likewise, you can customize the color used for compressed filenames by creating a new binary value named AltColor in this same key, and filling its value data with whatever RGB code you like.

  6. Close the Registry Editor when you're done. The change will take effect the next time you log in.

2.2. Allow others to access your encrypted files

By default, only you can read your own encrypted files. But what if you want someone else to have access to a file, yet keep your password to yourself and maintain the file's encrypted state?

Right-click a file or folder you've already encrypted, select Properties, and under the General tab, click the Advanced button. Click the Details button to open the User Access window shown in Figure 5.

Figure 5. This elusive window lets you share an encrypted file with another user while keeping your password secret and the file's encryption intact

If the Details button is grayed out (disabled) in the Advanced Attributes window, it means that encryption isn't yet active for the selected file or folder. If you just turned on the Encrypt contents to secure data option, you need to click OK here and in the main Properties window, then come back here before you can click Details.

To permit another user to access your files, click Add to show the Encrypting File System window.

Now, you won't necessarily see all the user accounts on your PC here, only those that already have security certificates. If you don't see the account you want to include here, you'll need to log in to that account and encrypt at least one file or folder.

If the user doesn't have an account on your PC, you can either create one, or you can install the user's own certificate on your PC by hand. To do this, ask the user to send you the certificate from her PC. Then, open the Start menu on your PC, type certmgr.msc, and press Enter to fire up the Certificate Manager. Expand the Personal branch and then select the Certificates folder. From the Action menu, select All Tasks → Import, and then complete the Certificate Import Wizard by following the prompts.

Note that the Expiration Date shown here represents the date the user's security certificate expires, and has nothing to do with the permissions you're setting up. No hurry, though; you've got at least 100 years.

2.3. View someone else's encrypted files

So, how do you access someone else's encrypted files without that person's permission? (This is an important question to ask if you care about the security of your own data.) If you try to view someone's encrypted files, you'll get an "Access is Denied" error message, as shown in Figure 6.

Figure 6. Try to access someone else's encrypted file, and you'll get this error

Not even administrators can view files encrypted by other users. However, any administrator can change any other user's password, and then subsequently log in to that user's account and view (or unencrypt) any of his protected files. This means that your files won't be totally secure unless you're the only administrator on the machine.

There is a little-known side effect to this fact: if the owner of encrypted files deletes his or her encryption keys, neither the user nor any administrator will be able to read the encrypted files until the key is reinstalled. 

2.4. The ins and outs of folder encryption

You can also encrypt a folder and all of its contents using the procedure for files shown earlier. It gets a little more complicated, though, when you mix and match encrypted and unencrypted files and folders, and it can be difficult to predict what happens to the folders' contents.

Now, if a file in an encrypted folder is moved into an unencrypted folder, the file becomes unencrypted. The exception is when you've specifically encrypted the file itself; in this case, the file remains encrypted, no matter where you put it. Whenever you try to encrypt a file located in an unencrypted folder, Windows warns you and gives you the option to encrypt the folder as well (shown in Figure 7).

Figure 7. Windows displays this warning if you encrypt a file located in an unencrypted folder

Be especially careful here, as the default is to encrypt the containing (parent) folder in addition to the selected file, which can be counterintuitive if you're accustomed to warnings that only deal with child objects. Check the Always encrypt only the file option if you never want to see this warning again.

If you ever inadvertently encrypt your desktop (by encrypting an item on your desktop, and then accepting the default in this box), the only way to unencrypt it is to open Windows Explorer, and unencrypt the source desktop folder (usually \Users\{your username}\Desktop).

If an unencrypted file is placed in an encrypted folder, the file will become encrypted, too. The catch is when one user encrypts a folder and another user places a file in that folder; in this case, the file is encrypted for the creator of the file, which means that the owner of the folder, the one who originally implemented the encryption, will not be able to read the file.

On the other hand, if the user places a file in a folder, and a different user comes along and encrypts the folder thereafter, only the user who implemented the encryption will be able to read the file, even though the file is officially "owned" by that first user.

2.5. Add Encrypt/Decrypt commands to context menus

If you find yourself frequently encrypting and decrypting files, having to repeatedly open the Properties window can be a pain. Instead, follow these steps to add Encrypt and Decrypt commands to the context menus for every file and folder:

  1. Open the Registry Editor .

  2. Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

  3. Create a new DWORD value by going to Edit → New → DWORD (32-bit) Value, and type EncryptionContextMenu for the name of the new value.

  4. Double-click the new EncryptionContextMenu value, enter 1 for the Value data, and click OK.

  5. Close the Registry Editor when you're done. The change will take effect immediately.

  6. To use this new trick, right-click any unencrypted file in Explorer or on your desktop, and select Encrypt. Or, right-click an already encrypted file, and select Decrypt.

If at least one of the selected items is a folder, you'll have the option of encrypting only the folder or all the folders contained therein. If encrypting any individual files, you'll also be asked if you wish to encrypt only the file or the parent folder as well.

2.6. Back up your encryption certificates

Think of your encryption certificate as the combination to a safe. Forget the combination, and you can't open the safe. Likewise, lose your certificate, and you won't be able to open your encrypted files.

Windows Vista's encryption system employs symmetric key cryptography, which uses the same key to encrypt and decrypt data. Windows generates a unique key for each user, so that no user can decrypt another user's data.

The first time you use encryption on your PC, Vista creates a new encryption certificate for you (if you don't already have one) and prompts you to back up your certificate with the window shown in Figure 8.

Figure 8. The first time you use encryption on your PC, you'll be prompted to back up your encryption certificate (key) so you can access your protected files even if you reinstall Windows

Whether or not you take Windows up on its offer, you can use one of the two included tools to manage your encryption certificates:

Certificate Manager

Open your Start menu, type certmgr.msc, and press Enter to fire up the Certificate Manager. Expand the Personal branch and select the Certificates folder to view the certificates installed on your PC. The one used for NTFS encryption is labeled Encrypting File System in the Intended Purposes column. View any certificate by double-clicking it.

You can back up a certificate by highlighting it and then selecting All Tasks → Export from the Action menu. Just save the file to a USB memory key or CD so it's safe in the event that your hard disk crashes and you need to install a second copy of Windows to access your data. 

NTFS Encryption Utility

The NTFS Encryption Utility (cipher.exe) lets you encrypt or decrypt files and manage certificates from the Command Prompt, but it's not included with all editions of Windows. It does have the added benefit of being able to perform some tricks that the Certificate Manager, just discussed, cannot.

Open a Command Prompt window (cmd.exe) and type cipher without any arguments to display the encryption status for all the files in the current folder. Encrypted files will be marked with an E; all others will marked with a U.

To encrypt a file, type cipher /e filename, where filename is the name of the file or folder (include the full path if it's in a different folder). Likewise, type cipher /d filename to turn off encryption for the item.

To back up your certificate, type cipher /r:filename at the prompt, where filename is the prefix of the output filename (without an extension). Cipher asks for a password, and then generates two separate files based on the specified filename. For example, if you type cipher /r:julius, you'll end up with two files: julius.pfx, which contains the Encrypting File System (EFS) recovery agent key and certificate, and julius.cer, which contains the EFS recovery agent certificate only (without the key). Double-click either file in Windows Explorer to import the certificate or key, or use the Certificate Manager.

Worried that your key got in the wrong hands? You can generate a new key at any time by typing cipher /k (without any other options). Then, type cipher /u to update the encrypted files on your system with the new key.

2.7. Secure your drive's free space

Normally, when you delete a file, only the file's entry in the filesystem table is deleted; the actual data contained in the file remains in the folder until it is overwritten with another file.

Cipher, discussed in the previous section, allows you to wipe a folder, which only means that it goes black and cleans out any recently deleted files, overwriting the leftover data with random bits. This effectively makes it impossible to subsequently recover deleted data with an "undelete" utility. Think of the wipe feature as a virtual paper shredder.

To wipe a folder, open a Command Prompt window and type cipher /w:foldername, where foldername is the full path of any folder on the drive to wipe. Although Cipher requires the path of a folder, it actually wipes all the free space on the drive. This means that the commands cipher /w:c:\Romulus and cipher /w:c:\Remus have exactly the same result.

Set up Cipher to wipe folders containing sensitive data at regular intervals (or when Windows starts) to automatically protect deleted data.

Note that Cipher's /w option does not harm existing data, nor does it affect any files currently stored in the Recycle Bin. It also works on unencrypted folders and encrypted folders alike.

  •  Windows Server 2003 : TCP/IP for AD Transport, Access, and Support (part 3) - Configuring the Windows Time Service, NetBIOS and WINS in an AD Domain
  •  Windows Server 2003 : TCP/IP for AD Transport, Access, and Support (part 2) - Configuring DNS for AD
  •  Windows Server 2003 : TCP/IP for AD Transport, Access, and Support (part 1) - AD/DNS Dependencies, How AD Uses DNS
  •  HP Envy X2 Review - A Hybrid Tablet-Laptop Failing To Bring Up A Complete Package (Part 2)
  •  HP Envy X2 Review - A Hybrid Tablet-Laptop Failing To Bring Up A Complete Package (Part 1)
  •  Windows 7 : Designing a Client Hardware Platform (part 2) - Boot from VHD
  •  Windows 7 : Designing a Client Hardware Platform (part 1)
  •  Windows 7 : Designing and Managing a Licensing Strategy (part 1) - Volume Licensing Activation Methods
  •  How To Transfer Data From SSD To HDD
  •  9 Interesting Apps For Windows 8
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us