This rule requires that file system encryption at rest be enabled so that data stored on disk is protected from unauthorized access if the media or the volume is accessed outside the operating system's access controls.
| Rule | EFS file system encryption at rest should be enabled |
| Framework | NIST 800-171 Revision 2 |
| Severity | High |
Rule Description
EFS (Encrypting File System) is a feature of Microsoft Windows that encrypts individual files and folders on NTFS volumes: each file is protected with a per-file key that is in turn wrapped with the user's EFS certificate, so the file is only readable by that user (and any configured Data Recovery Agent). Keeping EFS available on supported Windows systems supports NIST 800-171 Revision 2 requirement 3.13.16, "Protect the confidentiality of CUI at rest", by ensuring that data users or applications mark for encryption is stored encrypted on the local file system. Note that EFS is on by default on supported editions; this rule fails when it has been turned off by Group Policy or an NTFS setting. Also be aware that a control with this exact title in most cloud compliance benchmarks refers to Amazon EFS (Elastic File System), where encryption at rest is chosen when the file system is created and is reported by the Encrypted field of aws efs describe-file-systems; confirm which target your scanner is evaluating before applying the Windows steps below.
Troubleshooting Steps
Verify EFS support: Ensure that the Windows edition in use supports EFS. EFS is available on Windows 10 and Windows 11 Professional, Enterprise, and Education editions and on Windows Server; it is not available on Home editions, where the "Encrypt contents to secure data" checkbox is greyed out regardless of policy. The volume holding the data must be NTFS; FAT32 and exFAT volumes cannot hold EFS-encrypted files.
Verify Encryption Settings: Check whether EFS has been disabled by policy. Run the following in the Run dialog, Command Prompt, or PowerShell (on a domain-joined machine, open the GPO that applies to the computer in the Group Policy Management Console instead):
gpedit.msc
Navigate to "Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System". Right-click the node, choose "Properties", and on the "General" tab read the setting "File encryption using Encrypting File System (EFS)". "Allow" or "Not Defined" means EFS is available; "Don't allow" means it has been disabled and must be re-enabled. The same switch is stored in the registry as the EfsConfiguration value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS (1 = disabled, 0 or absent = enabled). There is no EFS setting under "Local Policies > Security Options"; the only "System cryptography" option there governs FIPS-compliant algorithms and does not control EFS.
Enable EFS Encryption: If the policy is set to "Don't allow", change it to "Allow" in the same Properties dialog, click "OK", and run gpupdate /force (or reboot) so the new value applies. Encryption can also be blocked at the NTFS driver level: run fsutil behavior query disableencryption from an elevated prompt, and if it reports 1, reset it with fsutil behavior set disableencryption 0, which takes effect after a reboot.
Verify EFS Encryption: After enabling EFS, confirm it works by encrypting a test file (cipher /e /a on the file, or the "Encrypt contents to secure data" checkbox in the file's Advanced Attributes) and checking that cipher /c lists the file as encrypted. Before rolling EFS out widely, register a Data Recovery Agent in the same policy node: files encrypted by a user whose certificate is later lost are otherwise unrecoverable.
Necessary Codes
No scripts are strictly required for this rule: the setting is changed in the Group Policy Editor (or through the registry value that policy writes), and the result can be checked from the command line with the built-in fsutil and cipher tools.
Step-by-Step Guide for Remediation
Press the Windows key + R to open the Run dialog box.
Type
gpedit.msc
and press Enter to open the Local Group Policy Editor. In the editor, navigate to "Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System."
Right-click the "Encrypting File System" node and select "Properties."
On the "General" tab, set "File encryption using Encrypting File System (EFS)" to "Allow."
Click "Apply" and then "OK" to save the changes.
Close the Group Policy Editor and run gpupdate /force so the setting is applied (reboot if encryption was also disabled with fsutil).
Verify that EFS encryption is enabled by creating a test file on a local NTFS drive.
Right-click the file, select "Properties," and on the "General" tab click the "Advanced" button.
Select the "Encrypt contents to secure data" checkbox, click "OK," and then "OK" again. The file now shows a padlock overlay (a green file name on older Windows versions) and its attributes include Encrypted. If the checkbox is greyed out, EFS is still disabled or the edition does not support it.
Delete the test file.
EFS file system encryption at rest is now enabled on the system. For an "at rest" control, pair EFS with a Data Recovery Agent and consider BitLocker for whole-volume protection: EFS only covers files that users or applications explicitly mark for encryption, and by default leaves the pagefile, hibernation file, and other system data in the clear.
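The checks and remediation described above, scripted in PowerShell as an added example; this is not code from the original rule page or from any scanner vendor. It assumes an elevated session on a supported Windows edition with an NTFS system volume. The function names Get-EfsStatus, Enable-Efs and Test-EfsEncryption and the probe file contents are this example's own inventions; the EfsConfiguration registry value, the fsutil behavior disableencryption switch and cipher.exe are the real Windows interfaces that the Group Policy setting and the manual steps rely on.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original rule page): audit whether EFS has been
# disabled on this host, re-enable it if so, then prove it works by encrypting a
# constructed probe file. Assumes an NTFS system volume and an EFS-capable edition.

# The "Encrypting File System" policy node writes EfsConfiguration=1 here for "Don't allow".
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsStatus {
    # Policy/registry switch: 1 = EFS disabled, 0 or absent = EFS allowed.
    $cfg = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    $policyDisabled = ($cfg -eq 1)

    # NTFS driver switch: "DisableEncryption = 1" blocks encryption on every volume.
    $fsutilOut    = (& fsutil.exe behavior query disableencryption 2>&1) -join ' '
    $ntfsDisabled = $fsutilOut -match 'DisableEncryption\s*=\s*1'

    # EFS only works on NTFS; check the system volume's file system.
    $sysDrive = $env:SystemDrive.TrimEnd(':')
    $fsType   = (Get-Volume -DriveLetter $sysDrive).FileSystemType

    [pscustomobject]@{
        PolicyDisabled = $policyDisabled
        NtfsDisabled   = $ntfsDisabled
        SystemVolumeFs = $fsType
        Compliant      = (-not $policyDisabled) -and (-not $ntfsDisabled) -and ($fsType -eq 'NTFS')
    }
}

function Enable-Efs {
    # Clear both switches. The fsutil change only takes effect after a reboot, and on a
    # domain-joined host a GPO set to "Don't allow" will rewrite the registry value on the
    # next policy refresh, so the GPO itself must be fixed as well.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value 0 -Type DWord
    & fsutil.exe behavior set disableencryption 0 | Out-Null
}

function Test-EfsEncryption {
    # Functional check: encrypt a throwaway file with cipher.exe (/a = operate on files,
    # not just directories) and read back the NTFS Encrypted attribute.
    $probe = Join-Path $env:TEMP ("efs-probe-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'constructed probe data, safe to delete'
    try {
        & cipher.exe /e /a $probe | Out-Null
        $attrs = (Get-Item $probe).Attributes
        return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
    }
    finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

$status = Get-EfsStatus
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'EFS is disabled by policy or NTFS setting; remediating.'
    Enable-Efs
}
if (Test-EfsEncryption) {
    'EFS encryption works on this host.'
}
else {
    'EFS encryption failed: reboot if the fsutil switch was changed, and confirm the edition supports EFS.'
}
```

Run it from an elevated PowerShell session. The functional probe is the check that matters for the control: a host can have EfsConfiguration at 0 and still fail to encrypt if it is a Home edition or the NTFS switch is set, and the probe catches both. Remediating the registry value alone is only a temporary fix on a domain member; the GPO that set "Don't allow" must be changed, or the next gpupdate reverts it.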