Use EFS To Encrypt Files on NTFS Volumes
This IT Pro Challenge virtual lab teaches you how to use the Windows File Explorer Encrypting File System (EFS) to encrypt files and folders. You will also learn how to use the cipher.exe command-line tool to manage file encryption. To test your work, you will try to access an encrypted file with an unauthorized user.
Already have an account? Sign In »
In this IT Pro Challenge, learners will use the Windows File Explorer to encrypt files and folders using the Encrypting File System (EFS). As proof of concept, learners will then create a new user account to attempt to access encrypted files and see that an unauthorized user cannot decrypt the file. Learners will also use the cipher.exe command-line tool to encrypt and decrypt files and view the encryption status of a file. The skills acquired in this lab are important for a career as a network or system administrator.
Overview
The scenario for this lab is that you are a system administrator, and your company uses Windows Server 2016. Your job is to make sure that the data at rest is protected. To accomplish this, you will use the Windows File Explorer to encrypt files and folders using the Encrypting File System (EFS). As a proof of concept, you will test your configuration by signing in as a different user and attempting to access an encrypted file. Finally, you will use the cipher.exe command-line tool to manage EFS file encryption.
Encrypt files and folders using File Explorer
Using Windows File Explorer, you need to create a folder (SampleFiles) in the root of C:, and then create two files in that folder (SampleFile1.txt, SampleFile2.txt). Then you need to encrypt SampleFile1.txt.
HINT: If you encrypt the file properly, you should see a small, gold lock icon on the file icon, which indicates that it was encrypted using EFS.
Next, you will create another folder (Folder1) inside C:\SampleFiles. Create a new file (SampleFile3.txt) inside that new folder. Encrypt Folder1, but only apply your changes to that folder. Create another text file (SampleFile4.txt) in C:\SampleFiles\Folder1. You will notice that this new file is encrypted because the folder that it’s in is encrypted.
Finally, open a command prompt window and use the __cipher c:\samplefiles\folder1 __command to view the encryption status of Folder1. If you see an “E” to the left of Folder1 in the response, that means that the file/folder is encrypted. If you see a “U,” that means the file is not encrypted.
Test EFS encryption
Launch Windows PowerShell and run the following command to add a new user (Administrator2): New-ADUser -Name Administrator2 -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true.
You need to add Administrator2 to the Domain Admins group by running the following command: Add-ADGroupMember -Identity "Domain Admins" -Members Administrator2.
Try to open C:\SampleFiles\SampleFile1.txt as Administrator2. You should not be able to decrypt the file.
Encrypt files and folders using Cipher.exe
Finally, you will use cipher.exe to encrypt SampleFile3.txt: cipher /e SampleFile3.txt. Then decrypt the file: cipher /d SampleFile4.txt. You should see a message that the file was decrypted.
Summary Conclusion
By taking this lab, you will learn how to encrypt files and folders using two methods: Windows File Explorer and cipher.exe. As proof of concept, you will also use Windows PowerShell to create a new user account and attempt to access encrypted files with this new account.
