Platform Differences That Affect the Use of EPS

EPS has been available since the introduction of 70-291. In addition to improved file and key recovery options, two major differences in EPS between Windows 2000, Windows XP after service pack 1, and Windows Server 2003 are the default designation of encryption protocols and the ability to share an EPS file.

The default encryption protocol used in Windows XP post-service pack (SP) 1 and Windows Server 2003 is 256-bit Advanced Encryption Standard (AES). This encryption protocol is very strong, but the encryption protocol used by default in Windows 2000 is 56-bit DES-X. You must not attempt to open Windows XP or Windows Server 2003 EPS encrypted files on a Windows 2000 computer. Because the files encrypted on the Windows XP post-SP 1 computer have been encrypted with a different encryption algorithm, you will not be able to read them using Windows 2000. You might also corrupt the encrypted file by trying to do so.
The encryption protocol is changed by either editing the registry or using the Group Policy Security Option: System Cryptography. Use FIPS Compliant Algorithms For Encryption. If this free Security+ practice exams option is enabled, 3DES will be used for encrypting files. The registry can be edited to select the default EPS encryption algorithm.
File ACLs can manage access to files, but sometimes an additional layer of protection is necessary. If an attacker can gain access to your network, she might be able to com-promise an administrator account and thus access sensitive files. If a laptop contains sensitive files and is lost, the added protection of encryption, if properly managed, can prevent unauthorized individuals from reading the files. In these cases and in others, the Encrypting File System (EPS) can be used to add a layer of protection. If, however, its use is not properly managed and users aren't trained in using it, EFS offers little pro?tection and can even block legitimate access to encrypted data.
This policy is similar to the one that determines whether Active Directory objects can be audited, albeit specific to file, printer, and registry permis-sions. Set it for success and failure in the comptia security+, and then set SACLs on objects as required.