Re: How to Copy EFS(encrypted) Files....



Ok found it. I stand corrected. However there is still an inherent
limitation. EFS over WebDAV is limited to 400 MB file size. This is where I
was hitting a wall, I was attempting to move some OS image files as a test
that are 1 gig plus.

There does still seem to be some latency inherent when using WebDAV, it
should be faster than waiting for the decrypt / re-encrypt however it will
still be somewhat slow. As Kea will have to transfer the files to a WebDAV
location from the source machine and then turn around and download them to
the destination machine.

Thanks for the links. I pasted the verbage below:

EFS with WebDAV Folders
The Windows XP client supports a new method for encrypting files to remote
servers through a protocol known as WebDAV. When the Windows XP client maps a
drive to a WebDAV access point on a remote server, files may be encrypted
locally on the client and then transmitted as a raw encrypted file to the
WebDAV server using an HTTP PUT command. Similarly, encrypted files
downloaded to a Windows XP client are transmitted as raw encrypted files and
decrypted locally on the client using an HTTP GET command. The temporary
internet files location is used for intermediate transfer of the files using
HTTP where the WebDAV "proppatch" and "propfind" verbs are used to detect and
set the encrypted file attribute for Windows XP. Therefore, only public and
private key pairs on the client are ever used in encrypting files.

The WebDAV redirector is a new mini-redirector that supports the WebDAV
protocol for remote document sharing using hypertext transfer protocol
(HTTP). The WebDAV redirector supports the use of existing applications, and
it allows file sharing across the Internet (through firewalls, routers, etc.)
to HTTP servers. Both Internet Information Server (IIS) 5.0 (Windows 2000)
and IIS 6.0 (Windows Server 2003) support WebDAV folders known as Web
folders. The WebDAV re-director does have some general limits on the file
that may be transmitted using the WebDAV protocol. The actual limitation may
vary dependent on the amount of virtual memory available, but in general 400
megabytes is the maximum file size that may be used in Windows XP with EFS
over WebDAV.


--
David Davis [MCSE, CCNA, Security +]



"Paul Adare" wrote:

> In article <E0BB5BA1-B4ED-4D4E-A699-01E63B1FDDE2@xxxxxxxxxxxxx>, in the
> microsoft.public.security news group, =?Utf-8?B?RGF2aWQgRGF2aXM=?=
> <DavidDavis@xxxxxxxxxxxxxxxxxxxxxxxxx> says...
>
> > Unless I am missing something here:
> > http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx#EJAA
>
> While hosted on a Microsoft web site, this article was not written by
> Microsoft. While I have a lot of respect for Roberta you need to keep
> this in mind.
>
> >
> > Under the section: Remote Storage of Encrypted Files Using SMB File Shares
> > and WebDAV
> >
> > It states: "If encrypted files are going to be stored on a remote server,
> > the server must be configured to do so, and an alternative method, such as IP
> > Security (IPSec) or Secure Sockets Layer (SSL), should be used to protect the
> > files during transport."
> >
> > This implies that, during transport, files are still decrypted.
>
> This only applies to CIFS/SMB and not WebDAV regardless of the section
> heading.
>
> > Using WEBdav
> > allows remote users to "access" encrypted files over the web via
> > authentication.
>
> No, you're not understanding how the WebDAV protocol works here nor how
> it works with EFS.
>
> Try this simple experiment. Encrypt a file locally and then copy it to a
> WebDAV share. Logon locally to the server hosting the WebDAV share as
> the user who originally encrypted the file and try to decrypt it. You'll
> fail to do so as unlike the CIFS/SMB scenario the file is not decrypted
> and then re-encryoted at the destination, which causes a user profile to
> be created on the remote server which contains the EFS certificate and
> key pair used to perform the encryption on the remote SMB/CIFS server.
>
> >
> > Howeve If you have different documentation please forward to me. It is
> > definately worth confirming which scenario is true.
>
> There's tons of documentation on EFS over WebDAV on the Microsoft web
> site that will confirm how it actually works as opposed to how you think
> it works.
>
> Here's just one simple example:
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.msp
> x
>
> or
>
> http://tinyurl.com/576kx
>
> In the EFS Enhancements in Windows XP and Windows Server 2003 section
> read the fourth bullet from the bottom of the list.
>
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> Ca·nadi·an (k-nd-n) adj. & n.
> n: An educated, unarmed American with health care.
>
.



Relevant Pages

  • Re: How to Copy EFS(encrypted) Files....
    ... Remote Storage of Encrypted Files Using SMB File Shares ... > the server must be configured to do so, and an alternative method, such as IP ... This only applies to CIFS/SMB and not WebDAV regardless of the section ...
    (microsoft.public.security)
  • Re: How to Copy EFS(encrypted) Files....
    ... Remote Storage of Encrypted Files Using SMB File Shares ... the server must be configured to do so, and an alternative method, such as IP ... Using WEBdav ...
    (microsoft.public.security)
  • Re: Cannot decrypt about 5% of encrypted files
    ... there's nothing there about WebDAV or not using encryption at all! ... number of users before the encryption problem began. ... Have you looked into the EFS whitepaper to understand *how* EFS works. ... Microsoft, since their people, including their certificates experts, ...
    (microsoft.public.security)
  • [NT] Vulnerability in WebDAV XML Message Handler DoS (MS04-030)
    ... Get your security news from a reliable source. ... send a specially crafted WebDAV request to a server that is running IIS ... Mitigating Factors for WebDAV Vulnerability ...
    (Securiteam)
  • Re: WebDAV disabled!
    ... but the Web Service Extension named WebDAV is nothing to do with OWA - ... that extension enables WebDAV on the entire server, ... Look at the properties of the Microsoft Exchange Server ...
    (microsoft.public.exchange.admin)