Encrypting remote files with EFS
From: Zack Schiel (ZSchiel_at_blueandco.com)
Date: 05/10/05
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: Robert Schwartz: "Re: Encrypting remote files with EFS"
- Reply: Robert Schwartz: "Re: Encrypting remote files with EFS"
- Reply: Bruce K. Marshall: "Re: Encrypting remote files with EFS"
- Maybe reply: Zack Schiel: "RE: Encrypting remote files with EFS"
- Maybe reply: Depp, Dennis M.: "RE: Encrypting remote files with EFS"
- Maybe reply: Zack Schiel: "RE: Encrypting remote files with EFS"
- Maybe reply: jbaskerville_at_cfl.rr.com: "Re: Encrypting remote files with EFS"
- Maybe reply: Depp, Dennis M.: "RE: Encrypting remote files with EFS"
- Maybe reply: AnthonyBlumfield_at_msn.com: "Re: Encrypting remote files with EFS"
- Maybe reply: Zack Schiel: "RE: Encrypting remote files with EFS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 10 May 2005 09:03:47 -0500
To: <focus-ms@securityfocus.com>
We are in the midst of deploying EFS to protect specific folders on laptop hard drives. We want EFS used only for that purpose, locally; as such, we do not want users to have the ability to encrypt files that are residing on file servers. According to my understanding of EFS, which seems to be confirmed by the quote below from Windows help, users shouldn't be able to do so unless we specifically enable file server(s) to be trusted for delegation in AD.
"In a domain environment, remote encryption is not enabled by default. To enable encryption for a specific computer, your network administrator can make that computer trusted for delegation. For more information, consult your network administrator."
However, some of our servers are allowing files to be encrypted and decrypted remotely, and these servers are *not* marked as trusted for delegation in AD. Further, the user that encrypted the file can scoot over to another PC, log in as themselves, and access the file, and we have no CA infrastructure in place; these are locally-generated EFS certificates that do not chain back past the local client machine. The certificate thumbprints in the personal store for the user account on the two PCs do not match, yet they can access the file just the same, while other user accounts cannot.
I'm thoroughly confused by this behavior, and would appreciate any experts chiming in and cluing me in as to why 1) some servers are allowing remote encryption, while others are not, and 2) why locally-generated EFS certs are behaving this way.
Our environment:
- Windows 2000 native-mode domain
- All DCs are Win2k, file servers are a 2k/2003 mix
- Clients are 2000/XP; the OS of the client/server doesn't seem to matter: some 2k3 servers allow remote encryption, some don't, and some 2000 servers allow, while others don't.
Thanks,
-Zack-
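As an added example (not part of Zack's post or any reply in the thread), a PowerShell audit of the two facts the post turns on: which computer accounts in the domain carry the TRUSTED_FOR_DELEGATION bit in userAccountControl, and which files on a set of server shares already carry the NTFS Encrypted attribute. It assumes a domain-joined host with PowerShell 2.0 or later; the share list `$SharePaths` is a constructed placeholder.

```powershell
# Bit 0x80000 (TRUSTED_FOR_DELEGATION) in userAccountControl is what
# "Trust this computer for delegation" sets on a computer account.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationTrustedComputers {
    # Returns the short names of all computer accounts whose
    # userAccountControl has the TRUSTED_FOR_DELEGATION bit set.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = "(&(objectCategory=computer)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add("name")
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties["name"][0]
    }
}

function Get-RemoteEncryptedFiles {
    param([string[]]$Paths)
    # Walks each path (UNC works) and reports files with the Encrypted
    # attribute, i.e. files users have already EFS-encrypted on the server.
    # Reading the attribute does not touch any keys.
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
            } | Select-Object FullName, LastWriteTime
    }
}

# Constructed sample input (hypothetical servers): replace with your shares.
$SharePaths = @('\\FILESRV01\Users', '\\FILESRV02\Projects')

$trusted = @(Get-DelegationTrustedComputers)
foreach ($share in $SharePaths) {
    # Short host name so it compares against the AD 'name' attribute;
    # -contains is case-insensitive in PowerShell.
    $server    = (([uri]$share).Host -split '\.')[0]
    $isTrusted = $trusted -contains $server
    $encrypted = @(Get-RemoteEncryptedFiles -Paths $share)
    "{0}: trusted for delegation = {1}, EFS-encrypted files = {2}" -f $server, $isTrusted, $encrypted.Count
    if ($encrypted.Count -gt 0 -and -not $isTrusted) {
        # The case the post describes: remote EFS in use on a server that
        # is not marked trusted for delegation. List the files for review.
        $encrypted | ForEach-Object { "  " + $_.FullName }
    }
}
```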