You can add both the File Services role and the Print Services role on most editions of Windows Server 2008. You cannot add the roles on the Web or Itanium editions. By adding these roles, you can share both folders and printers, making them accessible to users on the network. When you add the File Services role,

Encrypting File System

[Figure: Encrypting a file with EFS. Labels: symmetric key created; data encrypted with symmetric key (unencrypted file to encrypted file); symmetric key encrypted with user's public key; encrypted symmetric key stored in the file's data decryption field (DDF) with the encrypted data.]

The symmetric key is stored with the file so that the file can be decrypted when necessary. Since it is stored with the file, it needs to be protected. The symmetric key is encrypted with the user's public key (step 3) and then stored in the data decryption field of the file (step 4).

The figure titled "Decrypting a file with EFS" shows the process when a file is opened and decrypted. When the user attempts to open the file, the user's EFS certificate, which holds the user's private key, is accessed (step 1). The encrypted symmetric key is retrieved from the DDF (step 2). Note that the data is still encrypted at this point. The user's private key is then used to decrypt the symmetric key (step 3). With the symmetric key decrypted, it can then be used to decrypt the data (step 4).

At the core of this process is the user's private key, which is kept in the user's EFS certificate. Once a user logs on, she will have automatic access to the certificate. If another user attempts to open the file, he won't have access to the first user's certificate and the private key. Without the private key, the data can't be decrypted.

Although you may occasionally read that EFS-protected data is compromised, it's not because the EFS encryption is hacked. Instead, a user's password is guessed or hacked. Once the user's password is known, anyone can log on as that user and gain automatic access to EFS-protected files.
Using strong passwords can go a long way toward protecting users' accounts and EFS-protected data.

Chapter 8: Planning Windows Server 2008 Security

[Figure: Decrypting a file with EFS. Labels: user's private key retrieved from user's EFS certificate; encrypted symmetric key retrieved from DDF; Data Decryption]
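The encrypt and decrypt steps described above, modeled in Go as an added example; it is not code from the book and not how Windows implements EFS. AES-256-GCM and RSA-OAEP are stand-in algorithms chosen for illustration, and `EncryptedFile`, `NewUserKey`, `Encrypt` and `Decrypt` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile (hypothetical type): encrypted data plus the DDF holding the wrapped key.
type EncryptedFile struct{ DDF, Nonce, Data []byte }

// must panics on errors that leave no safe way to continue (e.g. RNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead builds AES-256-GCM (a stand-in cipher); it cannot fail for a 32-byte key.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// NewUserKey stands in for the key pair behind a user's EFS certificate (assumption).
func NewUserKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Encrypt: new symmetric key -> encrypt data -> wrap key with public key -> store in DDF.
func Encrypt(pub *rsa.PublicKey, plain []byte) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // fresh symmetric key followed by a GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{DDF: ddf, Nonce: nonce, Data: aead(key).Seal(nil, nonce, plain, nil)}, nil
}

// Decrypt unwraps the symmetric key from the DDF with the private key, then decrypts the data.
func Decrypt(priv *rsa.PrivateKey, f *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.DDF, nil)
	if err != nil || len(key) != 32 || len(f.Nonce) != 12 {
		return nil, fmt.Errorf("cannot recover symmetric key from DDF: %v", err)
	}
	return aead(key).Open(nil, f.Nonce, f.Data, nil)
}
func main() {
	owner, other := NewUserKey(), NewUserKey()
	f := must(Encrypt(&owner.PublicKey, []byte("constructed sample data")))
	fmt.Printf("owner reads: %s\n", must(Decrypt(owner, f)))
	_, err := Decrypt(other, f)
	fmt.Println("other user:", err)
}
```

The second user fails at the unwrap step, which is why an attacker who wants the data goes after the owner's logon rather than the encryption.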