The following best practices are from a Microsoft document entitled
Protecting Data by Using EFS to Encrypt Hard Drives. EFS is the Encrypting File System, Microsoft's mechanism for encrypting individual NTFS files and folders on the fly at the operating-system level. The article describes what appears to be a complex procedure for creating and maintaining the software key (the user's EFS certificate and private key) that encrypts and decrypts the data. The procedure is not for the faint of heart. (Mr. Faint-Of-Heart reporting…) On the other hand, there now seems to be a story a week about someone's laptop being stolen with umpteen social-security numbers or credit-card records on it. Nothing trumps physical security. Don't let the laptop out of your sight!
Alternatives are available that set up an encrypted volume (a container file or a whole partition) on the hard drive and mount it as another drive letter, so that everything written to that drive letter is encrypted rather than only the files and folders you remember to mark, as with EFS.
Physical protection of the computer is paramount. There is no technological substitute for taking every precaution to ensure the computer is not stolen or physically compromised.
• Always use the mobile computer as part of an Active Directory domain, so that EFS certificates and the data recovery agent policy are managed centrally rather than living only on the laptop.
• Store the private keys for users separately from the mobile computer and import them when needed. Export the certificate with its private key (for example with the Certificates snap-in), keep the export somewhere safe, and remove the private key from the laptop; without that key, or a recovery agent's key, the encrypted files are unreadable.
• For common storage folders such as “My Documents” and temporary folders, encrypt the folder so that all new and temporary files will be encrypted when created.
• When the data is extremely sensitive, create new files directly in an encrypted folder rather than encrypting them afterward, so that neither the file nor its temporary copies ever exist in plaintext on the disk where they could be recovered by disk analysis. If an existing plaintext file must be copied into an encrypted folder, the original copy still has to be deleted and the free space wiped (see the last item below).
• Encrypted folders can be enforced in a domain by using a combination of Group Policy, logon scripts and security templates to ensure that standard folders such as “My Documents” are configured as encrypted folders.
• Windows XP Professional supports encrypting the Offline Files cache. Offline files and folders that are cached locally should be encrypted when client-side caching policies are in use; otherwise a plaintext copy of the server's data sits on the laptop.
• Use the system key utility SYSKEY in mode 2 (a password required at startup) or mode 3 (the key stored on a floppy disk) on the mobile computer, so that the system key is not stored on the disk and the machine cannot simply be booted by whoever holds it. This protects the password database and the keys that protect the user's EFS private key against offline attack; it is not a substitute for encrypting the data itself. The system key utility and its options are documented in online help for your version of Windows.
• Enable Server Message Block (SMB) signing in Group Policy for servers that are trusted for delegation and used for storing encrypted files. This setting is found in Group Policy at this location: GPO-name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Always digitally sign communications. Note that signing gives integrity, not confidentiality: a file in an EFS folder on a file server is decrypted by the server and crosses the network in plaintext over SMB, so if that matters, protect the connection (for example with IPsec) as well.
• Ensure unencrypted data is removed from the hard drive after encryption of files and periodically thereafter. Encrypting a file in place leaves its old plaintext clusters in free space until they are overwritten; the cipher /w command overwrites the unused space on a volume for exactly this reason.
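The folder-encryption, logon-script and clean-up items above fit naturally into one script. The following is an added example, not code from the Microsoft document: a logon-script style check that the standard folders carry the Encrypted attribute, that existing contents were encrypted, that leftover plaintext files are reported, and that free space is wiped afterwards. It assumes PowerShell 3.0 or later on a Windows edition that includes EFS, cipher.exe on the PATH, and that My Documents and the user's TEMP folder are the folders your policy cares about (adjust the list).

```powershell
# Added example, not from the Microsoft document. Assumes PowerShell 3.0+ on a Windows
# edition with EFS, cipher.exe on the PATH, and a folder list that matches your policy.
$ErrorActionPreference = 'Stop'

# Folders to keep as encrypted folders: new files created here inherit the attribute.
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    $env:TEMP
)

function Test-EfsEncrypted {
    # True when the file or folder carries the NTFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsUserCertificate {
    # EFS certificates carry the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4).
    # If the private key was exported and removed, as the document recommends, this
    # returns nothing and the user must import it before working with encrypted files.
    $efsEku = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku })
    }
}

if (-not (Get-EfsUserCertificate)) {
    Write-Warning 'No EFS certificate with a private key in the user store; import it first, or EFS will create a new self-signed one on first use.'
}

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    if (Test-EfsEncrypted -Path $folder) {
        Write-Host "$folder is already an encrypted folder"
        continue
    }
    # /e marks the folder so files created later are encrypted; /a also encrypts the
    # existing files; /s: recurses into subfolders. Files held open by another process
    # are skipped by cipher and show up in the plaintext report below.
    & cipher.exe /e /a "/s:$folder" | Out-Null
    if (-not (Test-EfsEncrypted -Path $folder)) {
        throw "cipher.exe did not encrypt $folder"
    }
}

# Report anything inside the folders that is still plaintext.
$plaintext = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) }
}
$plaintext | ForEach-Object { Write-Warning "Still plaintext: $($_.FullName)" }

# Overwrite the unused space on the volume so old plaintext copies cannot be carved back.
# This is slow on a large disk; schedule it periodically rather than at every logon.
$volume = [IO.Path]::GetPathRoot($folders[0])
& cipher.exe "/w:$volume"
```

Run it as the user whose files are being protected, not as an administrator: the Encrypted attribute ties the file to the EFS key of whoever encrypts it, and a file encrypted by the wrong account is unreadable to the user (short of the recovery agent).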