How To Disable Eps

By Author: Shirley Green
Total Articles: 129
Comment this article

If your EPS policy is not to use it, or if you want to ensure recovery of MCP certification and need time to design and deploy a solution, you should disable EPS. There is a risk with any technology. By default, EPS is available to anyone with a user account. Without proper training and a file recovery process in place, the information in EPS files can be lost. This is because the EPS keys required to decrypt the file can be lost or damaged. If the EPS keys are not present and undamaged, EPS encrypted files cannot be read.
EPS is disabled by clearing the Allow Users To Encrypt Files Using Encrypting File System (EPS) check box.This check box is located on the Properties page for the Encrypting File System policy in the GPO. The local Security Policy can be used to disable EPS on a single system, while the domain GPO can be used to disable EPS for the domain. This option is available by opening the GPO and navigating to the Security Settings area of the GPO. Right-click the Encrypting File System policy, and select properties to locate this option. In Windows 2000, EPS could be disabled ...
... simply by deleting all recovery agents. This method will not work in Windows XP or free CIW exam questions, as both allow EPS to not have a recovery agent.
A Windows Server 2003 Enterprise Edition computer with the certificate services can be configured to issue EPS certificates with a file archival property. When properly implemented, the EPS keys are archived at the CA and can be recovered as necessary. This implementation was described in Chapter 2.

Consider the safety of keys that have been backed up.Backed-up keys can also be damaged or lost. Just as you should verify data backups, you should also verify backed-up encryption keys by importing them into an account. However,providing all users with an additional account to do so is impractical and might prove to be a security liability, as users might forget to delete the account profile or otherwise remove the encryption keys and thus provide another account that can access their files.
Consider the protection offered by the password for backed-up keys.The keys do not have to be imported back to the original account for which they are issued. They can be imported into any account if the password used to export the keys is known. If the password is weak or stored with the backed-up keys, the keys might easily be used in a successful MCITP certification attack on EPS.