This rule requires enabling EFS file system encryption at rest for enhanced security.
| Rule | EFS file system encryption at rest should be enabled |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | High |
Rule Description:
The rule requires enabling EFS (Encrypting File System) encryption at rest on Federal Financial Institutions Examination Council (FFIEC)-compliant systems. This ensures that data stored on the file system is protected and inaccessible to unauthorized users or entities.
Troubleshooting Steps:
Verify EFS Compatibility: Ensure that the operating system used in the system is compatible with EFS encryption. EFS is available on Windows Professional, Enterprise, and Ultimate editions.
Check File System Type: Ensure that the file system on the target drive is NTFS. EFS encryption is only supported on NTFS file systems.
Check Administrative Rights: Make sure you have administrative rights on the computer to enable EFS encryption for files and folders.
Verify EFS Certificates: Ensure that the appropriate EFS certificates are available on the system. If the required certificates are missing, you will need to acquire or generate suitable certificates.
Necessary Codes:
Note: There are no specific codes provided for this rule, as enabling EFS encryption typically involves configuration changes rather than writing code.
Step-by-step Guide for Remediation:
Follow these steps to enable EFS file system encryption at rest for FFIEC-compliant systems:
Identify the files and folders to be encrypted: Determine the specific files and folders that need to be protected using EFS encryption.
Check EFS Encryption Status: Check if the files or folders are already encrypted using EFS. Right-click on a file or folder, select "Properties," and navigate to the "General" tab. If the "Encrypt contents to secure data" option is already enabled, the file or folder is already encrypted.
Enable EFS Encryption for New Files/Folders: To encrypt new files and folders, follow these steps:
a. Right-click on the file or folder you want to encrypt.
b. Select "Properties" from the context menu.
c. In the "General" tab, click on the "Advanced" button.
d. Check the "Encrypt contents to secure data" checkbox.
e. Click "OK" to close the "Advanced Attributes" window.
f. Click "OK" again to close the "Properties" window.
Enable EFS Encryption for Existing Files/Folders: To enable EFS encryption for existing files and folders, follow these steps:
a. Right-click on the file or folder you want to encrypt.
b. Select "Properties" from the context menu.
c. In the "General" tab, click on the "Advanced" button.
d. Check the "Encrypt contents to secure data" checkbox.
e. If prompted to apply changes to all subfolders and files, choose the desired option.
f. Click "OK" to close the "Advanced Attributes" window.
g. Click "OK" again to close the "Properties" window.
Verify EFS Encryption: To verify that the files and folders are encrypted using EFS, follow these steps:
a. Right-click on the encrypted file or folder.
b. Select "Properties" from the context menu.
c. In the "General" tab, verify that the "Encrypt contents to secure data" option is checked.
Back Up EFS Certificates: It is crucial to back up EFS certificates regularly to avoid data loss. Refer to your organization's policies and procedures for managing EFS certificates and perform regular backups accordingly.
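The checks from the troubleshooting and remediation steps above (NTFS volume, an available EFS certificate, the encryption state of each item) can be run as one audit from PowerShell. This is an added example, not part of the original rule text; the folder `C:\SensitiveData` and the backup file name are hypothetical, and it assumes a folder on a local drive and the current user's certificate store.

```powershell
# Added example: audit a folder tree for items that are not EFS-encrypted.
# C:\SensitiveData is a hypothetical path; pass the folder you need to protect.
param([string]$Path = 'C:\SensitiveData')

function Get-FileSystemType {
    param([string]$TargetPath)
    # EFS only works on NTFS, so read the format of the drive holding the path.
    $full = (Resolve-Path -LiteralPath $TargetPath).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)
    (New-Object System.IO.DriveInfo($root)).DriveFormat
}

function Get-EfsCertificate {
    # Certificates in the user's store that carry the EFS enhanced key usage
    # (OID 1.3.6.1.4.1.311.10.3.4) and still have their private key.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $efsOid })
    }
}

function Get-UnencryptedItem {
    param([string]$TargetPath)
    # The Encrypted attribute is what the "Encrypt contents to secure data" box sets.
    $items = @(Get-Item -LiteralPath $TargetPath -Force)
    $items += Get-ChildItem -LiteralPath $TargetPath -Recurse -Force -ErrorAction SilentlyContinue
    $items | Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
$fs = Get-FileSystemType $Path
if ($fs -ne 'NTFS') { throw "$Path is on a $fs volume; EFS requires NTFS." }

if (@(Get-EfsCertificate).Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key found in Cert:\CurrentUser\My.'
}

$plain = @(Get-UnencryptedItem $Path)
'{0} item(s) under {1} are not EFS-encrypted' -f $plain.Count, $Path
$plain | Select-Object FullName, Attributes | Format-Table -AutoSize

# Command-line equivalents of the dialog steps, using the built-in cipher.exe:
#   cipher /e /s:"C:\SensitiveData"    encrypt the folder and everything below it
#   cipher /x "D:\Backup\efs-backup"   export the EFS certificate and key to a .pfx (hypothetical file name)
if ($plain.Count -gt 0) { exit 1 }
```

The script exits with code 1 when any item is unencrypted, so it can be scheduled and its result collected as compliance evidence.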
Conclusion:
By following the provided steps, you can enable EFS file system encryption at rest for Federal Financial Institutions Examination Council (FFIEC)-compliant systems. This ensures that sensitive data stored on the file system remains protected and inaccessible to unauthorized entities or users. Regularly verify and back up EFS certificates to maintain data integrity.