The encrypted file system provides a mechanism to secure data, which is maintained and resident on local hard drives and/or servers. This protects files from being accessed via the network, by unauthorized personnel.

While this provides protection for files stored on the hard drives, files, once e-mailed, transferred, etc. will become unencrypted. The EFS protection is to protect the system, when an unauthorized user gains access to the files and directories, via the network or through a local logon policy.

Recovery agents shall be established and managed to ensure data will not be lost, if the employee leaves or the system crashes. Where the system does not support this, e.g., XP, procedures shall be provided to users to ensure data may be recovered.

EFS shall be used on all systems where any SBU data resides, including taxpayer data.

The IRS shall utilize Public Key Infrastructure (PKI) within its implementation of Windows Server 2003 and Active Directory. PKI is a system of digital certificates, certification authorities (CAs) and other registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction through the use of public key cryptography.

At minimum, IRS owned laptops, portables, and workstations operated outside of IRS facilities shall use encryption software to protect SBU data.

In Large Case sites, where Windows domains are configured, these shall be exempt from the encryption requirement, as long as:

Encryption shall be performed using algorithms determined to be compliant with Federal Information Processing Standards Publication (FIPS) 140-2, Security Requirements for Cryptographic Modules.

Approved COTS product information is available from the End User Equipment and Services (EUES) intranet web site, accessed via the authorized IRS intranet home page, at http://irweb.irs.gov/.

All data encrypted by EFS on workstations attached to the Windows Server environment shall be recoverable. By default, the Administrator Account on the Domain Controllers shall be designated as the Default Recovery Agents (DRAs). Additional DRAs will be needed and they will have the requirement of actually performing the recovery of data.

The DAA shall ensure the documentation of the DRA architecture with the IRS enterprise, within the DAA’s respective area(s) of responsibility. All actions taken by the DRAs shall be audited and reviewed by the DAA’s Data Security organization to ensure these are used, as appropriate.

Windows installations shall include 128-bit browser encryption, which is allowed for only US and Canadian use.

The following are explanations of the Windows specific Security Options dealing with network data protection.

Domain member: Digitally encrypt or sign secure channel data (always)
Windows 2000 - Secure channel: Digitally encrypt or sign secure channel data (always)

Domain member: Digitally Encrypt Secure Channel Data (when possible)
Windows 2000 - Secure channel: Digitally encrypt secure channel data (when possible)

Domain member: Digitally sign secure channel data (when possible)

Domain member: Require strong (Windows 2000 or later) session key
Windows 2000 - Secure channel: Require strong (Windows 2000 or later) session key

Network Access: Do not allow storage of credentials or .NET passports for network authentication

Microsoft Network Client: Digitally sign communications (always)
Windows 2000 - Digitally sign client communication (always)

Microsoft Network Client: Digitally sign communications (if server agrees)
Windows 2000: Digitally sign client communications (when possible)

Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers
Windows 2000 - Send unencrypted password to connect to third-party SMB servers

Microsoft Network Server: Digitally sign communications (always)
Windows 2000: Digitally sign communications (always)

Microsoft Network Server: Digitally sign communications (if client agrees)
Windows 2000: Digitally sign communications (when possible)

Network Security: LAN manager authentication level
Windows 2000 - LAN Manager authentication level

Network Security: LDAP client signing requirements

Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers

System Cryptography: Force strong key protection for user keys stored on the computer

System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

The following are explanations of the Windows specific Security Options dealing with the protection of information remnants that could leave a system exposed.

Network Security: Do not store LAN Manager password hash value on next password change
The SAM database typically stores a LANManager (LM) hash of account passwords. The SAM database should be secure on the workstation; however, if it is captured, the LM hash can be retrieved. Many vulnerabilities exist with the LM authentication model, and brute force attacks usually succeed with ease. Removing the LM hash from the SAM database helps protect the local account passwords.

Shutdown: Clear virtual memory pagefile
(Windows 2000 - Clear virtual memory pagefile when system shuts down)
Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less-frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of"virtual" memory available to the computer.