Re: EFS network folders

From: Rix (r.noli@tin.it)
Date: 12/13/02


From: "Rix" <r.noli@tin.it>
Date: Fri, 13 Dec 2002 16:14:24 GMT


Well,
EFS was introduced to prevent abuse from unauthorized access to stolen hard
disks from laptops or desktops. That was because NTFS itself could prevent
unwanted access to user data by setting security attributes on folders and
files, but that wouldn't work if a HD was stolen and installed in a new
NT/2000 installation.
Right?
So I thought that enabling EFS on a folder would encrypt contents making
data accessible only by the user that applied the encryption to a particular
folder or file.
But it looks like that any user member of the same group of the user that
stores encrypted data on a network (or local) folder can still "read"
contents even if encrypted!
Say that EFS works only if the disk is unmounted and attached to a new (or
different) installation.
Right?

"D. Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:e9ZiY6roCHA.1964@TK2MSFTNGP10...
> EFS does not work that way. Your steps are confusing, can you restate the
> repro steps for the problem?
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Rix" <r.noli@tin.it> wrote in message
> news:XZ3K9.10731$ab2.297354@news1.tin.it...
> > A WinXP + SP1 workstation is connected to a Windows 2000 Server + SP3.
> >
> > User Goofy (member of Administrators on wks and server), switches a network
> > folder on server, from the workstation, to encrypted status.
> > The content of the files in the encrypted folder is readable by any user
> > member of the Administrators group on the server.
> > Example: mydoc.txt opened on the server by any admin with Notepad, shows
> > itself unscrambled, unencrypted....
> > Why is that?
> >
> > What I want to achieve is:
> > user Goofy places its files on the server in a way that for any other user
> > except him are encrypted!
> >
> > I've followed what is explained in Technet's article
> > (http://www.eu.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/encrypt_to_encrypt_remotefile.asp)
> > "To encrypt a file or folder on a remote computer".
> >
> > 1) I have enabled "trust for delegation" on the server
> > 2) From the workstation I have selected the network folder and in the
> > advanced properties selected "encrypt contents to secure data".
> > 3) When the operation completed the folders on the server appeared in green
> > color (files also).
> > 4) When logging from the server with the administrator account, files are
> > readable!
> >
> > Any hint?
> >