Re: Encrypting remote files with EFS

From: Bruce K. Marshall (bkmlstsgohere_at_comcast.net)
Date: 05/10/05

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #240" 
    To: "Zack Schiel" <ZSchiel@blueandco.com>
Date: Tue, 10 May 2005 15:28:16 -0500

    Zack,

    My suspicion would be that the files on the suspect servers are not actually
    encrypted. The behavior is not consistent with my experience or
    expectations.

    Have you verified that the encrypted attribute is still set on files while
    on the server? 

    ----
Bruce K. Marshall - bmarshall@securityps.com
Security PS - Kansas City
----- Original Message ----- 
From: "Zack Schiel" <ZSchiel@blueandco.com>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, May 10, 2005 9:03 AM
Subject: Encrypting remote files with EFS
We are in the midst of deploying EFS to protect specific folders on laptop 
hard drives. We want EFS used only for that purpose-locally; as such, we do 
not want users to have the ability to encrypt files that are residing on 
file servers. According to my understanding of EFS, which seems to be 
confirmed by the quote below from Windows help, users shouldn't be able to 
do so unless we specifically enable file server(s) to be trusted for 
delegation in AD.
"In a domain environment, remote encryption is not enabled by default. To 
enable encryption for a specific computer, your network administrator can 
make that computer trusted for delegation. For more information, consult 
your network administrator."
However, some of our servers are allowing files to be encrypted and 
decrypted remotely-and these servers are *not* marked as trusted for 
delegation in AD. Further, the user that encrypted the file can scoot over 
to another PC, log in as themselves, and access the file-and we have no CA 
infrastructure in place; these are locally-generated EFS certificates that 
do not chain back past the local client machine. The certificate thumbprints 
in the personal store for the user account on the two PCs do not match, yet 
they can access the file just the same, while other user accounts cannot.
I'm thoroughly confused by this behavior, and would appreciate any experts 
chiming in and cluing me in as to why 1) some servers are allowing remote 
encryption, while others are not, and 2) why locally-generated EFS certs are 
behaving this way.
Our environment:
-Windows 2000 native-mode domain
-All DCs are Win2k, file servers are a 2k/2003 mix
-Clients are 2000/XP; the OS of the client/server doesn't seem to 
matter-some 2k3 servers allow remote encryption, some don't, and some 2000 
servers allow, while others don't.
Thanks,
-Zack-
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #240"