The functions are grouped as EFS functions. Applications still run in user mode, so when a user requests encryption by using the Explorer or the Cipher Utility, the activity will start here. The NTFS driver, which was first introduced in Windows NT 3.1, is in kernel mode. Since users can protect sensitive data only on an NTFS partition, this driver has an active role in the overall encryption process. Figure 6.8 shows both old and new components.

Figure 6.8. These are the EFS components.

Copyright © 1996-2000 EarthWeb Inc. All rights reserved.
Source: http://corpitk.earthweb.com/reference/pro/1928994024/ch06/06-04.html (3 of 3) [8/3/2000 6:53:40 AM]

Configuring Windows 2000 Server Security: Encrypting File System for Windows 2000
Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT; Debra Littlejohn Shinder, MCSE, MCP+I, MCT; D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.
ISBN: 1928994024   Pub Date: 06/01/99

These are new key components of the Encrypting File System:

- EFS Driver. EFS is really a device driver connected with the NTFS driver, both of which run in Windows 2000's kernel mode. Whenever a user needs encryption or decryption to occur, the EFS driver works with the cryptography services in Windows 2000's user mode. The EFS communicates with the KsecDD (security device driver) to request many of the required key management services. When the NTFS needs to complete an encryption task that it cannot perform itself, the EFS driver takes on that responsibility.
- EFS Callouts. These are functions that the EFS driver can handle for the NTFS driver. When the EFS driver initializes, it registers these functions with the NTFS driver. The EFS Callouts are in the protected environment of the kernel mode, so the EFS Callouts are not available for direct user access.
- KsecDD. This takes the EFS request and talks with the Security Subsystem on behalf of the EFS driver. The KsecDD acts as a connection between the needed LPC calls and the Local Security Authority Subsystem in user mode.
- EFS Services. These are in the Local Security Authority Server, which is part of the Local Security Authority Subsystem. In user mode, the Encrypting File System Services interface with the Microsoft Base Cryptographic Provider 1.0 to provide File Encryption Keys and to generate the needed Data Decryption Fields and Data Recovery Fields. The Encrypting File System Service is used to obtain and enforce the Encryption Data Recovery Process and to locate the user's key pair when it is needed.
- Cryptographic Provider. For file encryption on Windows 2000, this is the Microsoft Base Cryptographic Provider 1.0. In future releases of Windows 2000, support will be added so that third-party vendors can write their own Cryptographic Providers and have them tied to the Encrypting File System functions. One role of the Cryptographic Provider currently is to provide RSA encryption operations.

The Encryption Process

Before any encryption can be used on Windows 2000, the EFS device driver must be installed. When the EFS driver initializes, it notifies the NTFS driver of its existence, and it also registers seven related functions at that time. In the registration of these functions, the EFS driver seems to be telling the NTFS driver, "Here is a list of things I can do for you." (See the sidebar for the list of the EFS Callback functions.)

When the NTFS driver receives a request for EFS, it looks into the table of EFS Callback functions and invokes the function that the EFS driver must execute. The EFS driver will not communicate directly with the Local Security Authority Subsystem (LSASS), which runs in unprotected user mode. The EFS driver sends a request to encrypt or decrypt a file to the LSASS, but an additional driver intercepts this request in kernel mode. The driver used to send the actual LPC message to the Local Security Authority Subsystem, KsecDD, resides in kernel mode. The Local Security Authority Server, which is part of the LSASS, listens for these LPCs. When the LSASRV receives a call from the FEClient (File Encryption Client DLL) to encrypt a file, it invokes the internal function EfsRpcEncryptFileSrv.

EfsRpcEncryptFileSrv handles these tasks in the early stages of a file encryption request:

- Impersonates the user making the encryption request
- Creates a log file that is used by LSASRV to keep a record of the encryption process from start to finish
- Loads the impersonated user's profile into the Registry
- Makes a call to the internal function EncryptFileSrv

There is a reason that impersonation occurs. The System account has always been used by the Local Security Authority Subsystem by default. If this account were used for the encryption process, the System's private key would be needed to decrypt the file. The objective of the Encrypting File System is to encrypt the file and then require a unique private key belonging to the user for any future usage. By impersonating the user, the proper private key is used in the manipulation of the file.

The log file that is created when an encrypt-file request is received is used to record the events in the encrypting process. The log file is on the same drive as the encrypted file, in the System Volume Information subdirectory. The name of the log file is EFS0.LOG. If an EFS0.LOG file already exists, the name of the log file is generated by incrementing the numeric value by one digit
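The following Python model is an added example; it is not code from the book, from Microsoft, or from any EFS implementation. It illustrates two passages above together: the EFS Services description of the File Encryption Key (FEK), Data Decryption Field (DDF) and Data Recovery Field (DRF), and the explanation of why EfsRpcEncryptFileSrv impersonates the requesting user instead of running as System. The names Principal, EfsService, encrypt_file_srv, decrypt_file and next_efs_log_name are hypothetical, the RSA is textbook RSA over constructed small primes standing in for the Microsoft Base Cryptographic Provider, the file cipher is a SHA-256 keystream standing in for the real symmetric algorithm, and the log-name helper is one reading of the EFS0.LOG increment rule. None of the cryptography here is suitable for real use.

```python
"""Toy model of EFS key handling (added example, not the book's or Microsoft's code).
FEK protects the file; DDF wraps the FEK under the owner's public key; DRF wraps it
under each recovery agent's public key.  Textbook RSA with constructed primes and a
SHA-256 keystream stand in for the real provider and are NOT secure."""
import hashlib
import secrets
from dataclasses import dataclass, field
from math import gcd
from typing import Optional

SAMPLE_PLAINTEXT = b"payroll figures (constructed sample data)"  # constructed input


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two (constructed Mersenne) primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def keystream_xor(fek: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR data with SHA-256(fek || block counter); self-inverse."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(fek + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Principal:          # hypothetical: a user, recovery agent or the System account
    name: str
    pub: tuple
    priv: tuple


@dataclass
class EncryptedFile:      # hypothetical: ciphertext plus its DDF and DRF entries
    ciphertext: bytes
    ddf: dict = field(default_factory=dict)   # owner name -> wrapped FEK
    drf: dict = field(default_factory=dict)   # recovery agent name -> wrapped FEK


class EfsService:
    """Stand-in for the EFS services in LSASRV, which run as System by default."""

    def __init__(self, system: Principal, recovery_agents: list):
        self.system, self.recovery_agents = system, recovery_agents
        self.log = []   # stand-in for the EFS0.LOG record of one request

    def encrypt_file_srv(self, plaintext: bytes, requester: Principal, impersonate=True):
        # With impersonation the DDF is built under the requester's key pair;
        # without it the System key pair is used and the requester is locked out.
        acting = requester if impersonate else self.system
        self.log.append(f"acting as {acting.name}")
        fek = secrets.token_bytes(16)               # 128-bit FEK, fits under every modulus
        fek_int = int.from_bytes(fek, "big")
        ddf = {acting.name: rsa_encrypt(acting.pub, fek_int)}
        drf = {a.name: rsa_encrypt(a.pub, fek_int) for a in self.recovery_agents}
        self.log.append("FEK generated, DDF and DRF written, file encrypted")
        return EncryptedFile(keystream_xor(fek, plaintext), ddf, drf)


def decrypt_file(ef: EncryptedFile, who: Principal) -> Optional[bytes]:
    """Unwrap the FEK from the DDF (owner) or DRF (recovery agent); anyone else gets None."""
    wrapped = ef.ddf.get(who.name) or ef.drf.get(who.name)
    if wrapped is None:
        return None
    fek = rsa_decrypt(who.priv, wrapped).to_bytes(16, "big")
    return keystream_xor(fek, ef.ciphertext)


def next_efs_log_name(existing) -> str:
    """EFS0.LOG, or the next unused EFS<n>.LOG (one reading of the increment rule)."""
    n = 0
    while f"EFS{n}.LOG" in existing:
        n += 1
    return f"EFS{n}.LOG"


def demo() -> dict:
    """Who can decrypt with and without impersonation; keys use constructed Mersenne primes."""
    alice = Principal("alice", *rsa_keypair(2**61 - 1, 2**89 - 1))
    agent = Principal("recovery-agent", *rsa_keypair(2**107 - 1, 2**31 - 1))
    system = Principal("SYSTEM", *rsa_keypair(2**127 - 1, 2**19 - 1))
    svc = EfsService(system, [agent])
    good = svc.encrypt_file_srv(SAMPLE_PLAINTEXT, alice)                    # impersonated
    bad = svc.encrypt_file_srv(SAMPLE_PLAINTEXT, alice, impersonate=False)  # ran as System
    return {
        "alice_with_impersonation": decrypt_file(good, alice),
        "agent_with_impersonation": decrypt_file(good, agent),
        "system_with_impersonation": decrypt_file(good, system),
        "alice_without_impersonation": decrypt_file(bad, alice),
        "system_without_impersonation": decrypt_file(bad, system),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who}: {'recovered' if result == SAMPLE_PLAINTEXT else 'cannot decrypt'}")
```

Running the block shows the point of the impersonation step: with impersonation the file is recoverable by alice (through the DDF) and by the recovery agent (through the DRF) but not by System; without impersonation the DDF is keyed to System and the user who asked for the encryption can no longer open her own file, while the DRF still works because the recovery agent's key is independent of who LSASRV was acting as.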