How do Windows services access folders encrypted with NTFS EFS
Maybe BitLocker instead of EFS?
we have a server located at a remote location [...] stop anyone from pulling out the disks and making a copy.
Well, you could use BitLocker Full-Disk-Encryption and store the decryption key inside the mainboard's TPM chip. And set BitLocker to automatically unlock the volume on boot.
This would mean that a thief would have to steal the WHOLE SERVER and not just pull out a disk.
This BitLocker volume unlocking mode of operation is called TPM only.
Here's a blog article that lists the different modes:
Luis Rocha, Count Upon Security blog, 2014-06-23, BitLocker with TPM in 10 steps. (Archived here.):
- TPM Only: No authentication required for the boot sequence but protects against offline attacks and is the most transparent method to the user.
This would at least make any attempt to get at the key much easier to prevent/detect.
Sooner or later your executable will need to be in the memory of the server hosting it. So it will be available for analysis anyway.
In order to be loaded to memory, it must be decrypted if it was encrypted earlier.
In other words, once you have control over the remote server the data which you will be running there will be available for analysis.
No EFS for system folders.
Documentation says: You can't do it. (I haven't tried, but the docs are rather clear about it.)
The MSDN entry File Encryption (archived here) says:
Note that the following items cannot be encrypted:
- Compressed files
- System files
- System directories
- Root directories
- Transactions