Re: EFS not secure on LAN
From: Herb Martin (news_at_LearnQuick.com)
Date: 08/07/03
- In reply to: Rob Rohrbough: "Re: EFS not secure on LAN"
Date: Thu, 7 Aug 2003 00:45:51 -0500
I am still watching this conversation with great interest also.
This would pretty much devalue EFS for file server use.
"Rob Rohrbough" <Rob_RSD@yahoo.com> wrote in message
news:08d701c35c87$b7184fb0$a301280a@phx.gbl...
> Steve, thanks for the replies. I have been off on another
> project for the past few days. Just read your question
> for David Cross. I see that he has not replied. I would
> very much be interested in his response. I have tried
> once to contact a Microsoft tech who was helping me with
> encryption. I will try again tomorrow to do so.
>
> Rob
>
>
> >-----Original Message-----
> >But can User1 read User2's files from the in memory cache
> >versions?
> >
> >In other words, since the files are unencrypted for User2
> >when read, is that cache of the file accessible outside the
> >authentication context of User2?
> >
> >
> >"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> >news:%23Z2ki61VDHA.1896@TK2MSFTNGP12.phx.gbl...
> >> In Windows 2000, the EFS cache can only be cleared with a reboot. In
> >> Windows XP and above, the cache can be cleared with a user logoff.
> >>
> >> --
> >>
> >>
> >> David B. Cross [MS]
> >>
> >> --
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> http://support.microsoft.com
> >>
> >> "Rob Rohrbough" <Rob_RSD@yahoo.com> wrote in message
> >> news:0bce01c3570f$23a8b210$7d02280a@phx.gbl...
> >> > Steven,
> >> >
> >> > Thanks for your reply. They can see the actual data. I
> >> > did play around with the NTFS file permissions and was
> >> > able to restrict access to directories by share. It
> >> > appears that, if you can gain access to a share up the
> >> > hierarchy, sub-folders will appear as well. That appears
> >> > to be different than my experience with different users on
> >> > the same machine.
> >> >
> >> > Anyway, after rebooting, the lack of a certificate kept
> >> > everyone, including the owner, from seeing the data in the
> >> > files. Apparently there is some kind of cache working
> >> > that needs to be cleared. It would be nice if there is a
> >> > less-severe way of clearing the cache. You have any ideas?
> >> >
> >> > Thanks again,
> >> >
> >> > Rob
> >> >
> >> >
> >> > >-----Original Message-----
> >> > >They can see the files or they can see the actual data? Check ntfs
> >> > >advanced permissions also to see if any users or groups exist there. Make
> >> > >sure that just the user you want is included in the ntfs permissions and
> >> > >system if it is there, no one else - no everyone, users, power users,
> >> > >guest, etc. Double check that the permissions assigned to the folder have
> >> > >actually propagated down to the individual files. Check the properties of
> >> > >the files to make sure they are in fact encrypted and use the cipher utility
> >> > >in that folder to see if it reports the same. If network users have proper
> >> > >ntfs/share permissions, they may be able to "see" the encrypted files but
> >> > >not the file contents if they are in fact encrypted they would get an access
> >> > >denied message when trying to access a file. You may also want to
> >> > >reconsider sharing a whole drive, though that is not the problem with your
> >> > >EFS. --- Steve
> >> > >
> >> > >http://support.microsoft.com/default.aspx?scid=kb;en-us;298009
> >> > >http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
> >> > >
> >> > >"Rob Rohrbough" <Rob_RSD@yahoo.com> wrote in message
> >> > >news:03af01c356e5$665657e0$a501280a@phx.gbl...
> >> > >> I have Win2k pro on a workgroup LAN. I have marked a
> >> > >> directory as secure and removed all permissions but the
> >> > >> owner's. When I log into the computer with another user
> >> > >> name, the folder is not accessible to that user.
> >> > >>
> >> > >> However, that directory is on a drive that is shared with
> >> > >> other computers on my peer-to-peer LAN. Users on any
> >> > >> WinNT-based machine can see the encrypted data; users on
> >> > >> Win0x-based machines are restricted from the directory.
> >> > >>
> >> > >> I have removed the certificate from the system.
> >> > >>
> >> > >> What am I doing wrong?
> >> > >>
> >> > >> TIA,
> >> > >>
> >> > >> Rob