Disabling EFS for Individual Folders or Files
You might want to prevent the encryption of files in a certain folder to ensure that they remain available to everyone who has access to the folder. To disable encryption within a folder, use Notepad (or another text editor) to create a file that contains the following lines:
[Encryption]
Disable=1
Save the file as Desktop.ini in the folder in which you want to prevent encryption. Any encrypted files already in the folder remain encrypted, but users who attempt to encrypt any other files will be stopped with this message: "The directory has been disabled for encryption."
Disabling encryption in this fashion doesn't disable encryption altogether, even within the folder you've set up. If you copy or move encrypted files into the folder, they remain encrypted. And if you create a subfolder within the folder, you can encrypt the subfolder and any files it contains.
Troubleshooting
--------------------------------------------------------------------------------
Files still become encrypted after you've disabled EFS for a folder.
You might discover that files added to a folder become encrypted even after you create the Desktop.ini file described here and store it in the folder. This can occur if encryption was already enabled for the folder when you added the Desktop.ini file. (With the file in place, you won't be able to set the encryption attribute for the folder.) To prevent new files from being encrypted, right-click the folder, choose Properties, click Advanced, and clear the Encrypt Contents To Secure Data check box.
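As an added example (not code from the book), the PowerShell script below writes the two-line Desktop.ini described above into a folder and then performs the check from this troubleshooting note: if the folder's own Encrypted attribute is already set, it clears it (the command-line equivalent of clearing the Encrypt Contents To Secure Data check box) and reports any files that were already encrypted, since those stay encrypted. It assumes write access to the folder and that cipher.exe, the EFS command-line tool shipped with Windows, is available; the function name is this example's own.

```powershell
# Added example: disable EFS for a folder via Desktop.ini and verify that
# the folder itself is not still marked for encryption (the case described
# in the troubleshooting note). Written to run on PowerShell 2.0 and later.
param(
    [Parameter(Mandatory = $true)]
    [string]$Folder
)

function Disable-EfsInFolder {
    param([string]$Path)

    $dir = Get-Item -LiteralPath $Path
    if (-not $dir.PSIsContainer) { throw "$Path is not a folder" }

    # 1. Write the lines from the text into Desktop.ini as a plain ASCII
    #    INI file with CRLF line endings.
    $ini = Join-Path $dir.FullName 'Desktop.ini'
    [System.IO.File]::WriteAllText($ini, "[Encryption]`r`nDisable=1`r`n",
        [System.Text.Encoding]::ASCII)

    # 2. Troubleshooting check: a folder whose own Encrypted attribute is
    #    set keeps encrypting new files regardless of Desktop.ini. Clearing
    #    it with cipher.exe /d on the folder (not its contents) matches
    #    unchecking "Encrypt contents to secure data" in Advanced properties.
    $dir.Refresh()
    $enc = [System.IO.FileAttributes]::Encrypted
    if ($dir.Attributes -band $enc) {
        Write-Warning "Folder is marked for encryption; clearing the attribute."
        & cipher.exe /d $dir.FullName | Out-Null
        $dir.Refresh()
    }

    # 3. Files that were already encrypted stay encrypted (as the text
    #    notes); list them so they can be handled individually if desired.
    $already = Get-ChildItem -LiteralPath $dir.FullName |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band $enc) } |
        ForEach-Object { $_.Name }

    New-Object PSObject -Property @{
        Folder               = $dir.FullName
        FolderStillEncrypted = [bool]($dir.Attributes -band $enc)
        AlreadyEncryptedFiles = @($already)
    }
}

Disable-EfsInFolder -Path $Folder
```

Run it as `.\Disable-EfsInFolder.ps1 -Folder C:\Shared`; the returned object shows whether the folder attribute was cleared and which existing files remain encrypted.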
It's possible, but generally not practical, to prevent certain files from being encrypted. You can do this in any of the following ways, each of which has a drawback:
Store the file in %SystemRoot% or one of its subfolders—folders in which encryption is never allowed. (Drawbacks: Windows makes it difficult to browse to these folders, and storing the file here might not fit your system of organizing files.)
Use the Attrib command to set the file's System attribute. (Drawback: By default, Windows Explorer does not display system files, so they're difficult to find.)
Remove Write permission from the file for users you want to prevent from encrypting. (Drawback: Removing Write permission also prevents users from editing the file.)
Strengthening EFS Protection
EFS provides extremely strong protection against attackers. Multiple levels of encryption make it all but impossible to crack. In Windows XP (but not Windows 2000), you can strengthen security even more by using Triple Data Encryption Standard (3DES) to encrypt and decrypt files instead of the default algorithm, expanded Data Encryption Standard (DESX). Although 3DES is more secure, it's slower because it processes each block of each file three times.
To enable 3DES protection, follow these steps:
Open Local Security Settings (Secpol.msc).
Select Security Settings\Local Policies\Security Options.
In the details pane, double-click System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing.
Select Enabled and click OK.
INSIDEOUT
--------------------------------------------------------------------------------
Protecting encrypted files from wily administrators
If you use EFS extensively and your computer is not a member of a domain, you might consider upgrading to Windows XP if you haven't already. That's because Windows XP adds another level of protection that directly affects the security of your encrypted files. In Windows 2000, an administrator can reset your password—a valuable trick if you forget the password. However, that means an unscrupulous administrator can reset your password, log in using your account, and peer into your encrypted files. The underhandedness won't go undetected (because your password has been changed, you'll need to contact the same administrator to reset it for you), but the damage will have been done. With Windows XP, in contrast, if anyone other than yourself changes your password, your certificates (which are needed for decrypting files, among other things) become inaccessible. Should a devious, but uninformed, administrator try to get your secrets by changing your password, you can restore access to your certificates by resetting your password to its previous value or by using your Password Reset Disk. For more information, see Recovering a Lost Password.