Using a Certificate Authority for the Encrypting File Service (223338)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q223338

SUMMARY

The Encrypting File System (EFS) is a feature of Windows 2000 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents.

There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates.

MORE INFORMATION

The following are some reasons why an organization might want to use a Certificate Authority for EFS certificate generation:
  • More flexible EFS recovery management. With a Certificate Authority infrastructure, it is possible for an organization to issue specific recovery certificates for dedicated recovery computers, rather than to domain controllers.
  • Centralized certificate management. Administrators can control the lifetime of issued EFS certificates, and can publish certificate revocation lists to control how long recovery certificates are valid.
  • Scalability. Certificate Authorities can be distributed throughout an organization, providing their own set of templates that define the types of certificates that can be issued at each level.
For additional information about EFS, see "Step-by-Step Guide to Encrypting File System (EFS)" on the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx

Modification Type:MinorLast Reviewed:12/8/2005
Keywords:kbenv kbinfo KB223338
©2004 Microsoft Corporation. All rights reserved.