DOCUMENT:Q243756 17-JAN-2001 [iis]
TITLE :HOWTO: Use Encrypting File System (EFS) with IIS
PRODUCT :Internet Information Server
The information in this article applies to:
- Microsoft Internet Information Services version 5.0
Microsoft Windows 2000 employs a security technology named Encrypting File
System (EFS), which enables users to encrypt and decrypt files. Windows users
can utilize EFS to keep sensitive files safe from unauthorized access. This
article summarizes how to use this technology to encrypt personal Web documents
for additional security.
WARNING: EFS will fail encryption attempts on files with the System attribute.
Administrators should not attempt to defeat this safeguard to encrypt files in
the system directory. The private keys needed for decryption are not available
during the boot process. Therefore, a system will be rendered unusable if its
system files are encrypted. Future releases of Windows may provide secure boot
capabilities that support encryption of system files.
EFS is enabled for documents in Windows 2000 through an optional advanced file
attribute. To implement this feature, follow these steps:
1. In Windows Explorer, create a new folder named SecureTest in the root folder
for your Web site.
2. In the new folder, save the following Active Server Pages (ASP) code as
Default.asp (the server-side expression echoes the authenticated user name):
   You are logged on as: <%= Request.ServerVariables("LOGON_USER") %>
3. Right-click the Default.asp file and then click Properties.
4. Click Advanced.
5. Select the Encrypt contents to secure data check box.
6. Click OK.
7. If you are prompted to encrypt the parent folder, select the Encrypt the file
only radio button and then click OK.
8. Click OK again to return to Windows Explorer.
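The same procedure carried out from PowerShell instead of Explorer, as an added example that is not part of this article. It goes one step beyond step 7 by encrypting the SecureTest folder as well as the file, which is what the best practices below recommend. It assumes the Web root is C:\Inetpub\wwwroot and that the script runs as the Windows user who should own the encrypted content.

```powershell
# Added example, not from the KB article: perform steps 1-8 with EFS through
# .NET and Cipher.exe. Assumptions: the Web root is C:\Inetpub\wwwroot and the
# script runs as the user who should own the content (only that user can
# browse to it afterwards, because IIS impersonates the requester).
$siteRoot  = 'C:\Inetpub\wwwroot'                     # assumption
$secureDir = Join-Path $siteRoot 'SecureTest'
$aspPage   = Join-Path $secureDir 'Default.asp'

function Test-EfsEncrypted {
    param([string]$Path)
    # EFS sets the Encrypted attribute on every file and folder it protects.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-WithEfs {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    # EFS refuses anything carrying the System attribute (see the WARNING
    # above); fail early with a clear message instead of a cryptic error.
    if ($item.Attributes -band [System.IO.FileAttributes]::System) {
        throw "Refusing to encrypt '$Path': it has the System attribute."
    }
    if ($item.PSIsContainer) {
        # Marking the folder makes files created in it later (editor temp
        # files, uploads) encrypted automatically; existing files are not
        # touched by this call, so they are encrypted separately below.
        & cipher.exe /E "$Path" | Out-Null
    } else {
        [System.IO.File]::Encrypt($Path)
    }
    if (-not (Test-EfsEncrypted $Path)) { throw "EFS did not encrypt '$Path'." }
}

# Steps 1-2: create the folder and the test page.
New-Item -ItemType Directory -Path $secureDir -Force | Out-Null
Set-Content -LiteralPath $aspPage -Value 'You are logged on as: <%= Request.ServerVariables("LOGON_USER") %>'

# Steps 3-8: encrypt the folder first, then the page that already exists in it.
Protect-WithEfs $secureDir
Protect-WithEfs $aspPage

# Report which items are now EFS-protected.
foreach ($p in @($secureDir, $aspPage)) {
    "{0,-55} encrypted={1}" -f $p, (Test-EfsEncrypted $p)
}
```

Browsing to the page afterwards should prompt for credentials exactly as described below, since the anonymous account cannot open the encrypted file.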
When you browse to the http://<server name>/SecureTest/default.asp page, the
page requires authentication and your user name is displayed, even if anonymous
authentication is enabled for the entire Web site. This is because files that
are encrypted with EFS are private files, and only the user that encrypted the
files can browse to them: IIS opens the file under the identity of the
requesting user, so the anonymous account cannot read it and IIS challenges the
browser for credentials instead. The authentication method used may be
Basic/Clear Text, Windows Integrated, or Digest, depending on how the Web site is
The following is a list of best practices regarding EFS:
- Protect the private keys associated with data recovery certificates. Export
them into a Personal Information Exchange (.pfx) file protected with a strong
password. Store .pfx files on a floppy disk, and lock the floppy disk away
- Encrypt folders rather than individual files. Explorer only allows encryption
at the folder level. However, the Cipher.exe file can encrypt individual
files. Applications work on files in various ways. For example, when a user
edits a file with an application, the application may create temporary files
in the same folder as the original. Encrypting at the folder level ensures
that these temporary files are not created or saved as plain text.
- Encrypt the My Documents folder (%UserProfile%\My Documents) to ensure that
the personal folder, in which most Microsoft Office documents are saved, is
encrypted by default.
- Encrypt the Temp folder (%TEMP%) to ensure that the temporary files that are
created by various applications are encrypted.
For additional information on Windows File Protection, click the article number
below to view the article in the Microsoft Knowledge Base:
Q222193 Description of the Windows 2000 Windows File Protection Feature
For additional information on Web site authentication methods, click the article
numbers below to view the articles in the Microsoft Knowledge Base:
Q264921 INFO: How IIS Authenticates Browser Clients
Q142868 IIS: Authentication and Security Features
Q222028 Setting Up Digest Authentication for Use with Internet Information
Additional query words: iis efs
Technology : kbiisSearch kbiis500
Version : :5.0
Issue type : kbinfo
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 2001.