Re: EFS mixed clients and shared folders

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/08/05

  • Next message: beb: "Re: Can encryrpted packets be cracked by middle man?"

    Date: Fri, 7 Oct 2005 19:16:18 -0500


    One thing to check is that the server is trusted for delegation in its
    computer account in Active Directory Users and Computers. See the link below
    that covers using EFS on a server share. I would also first try something
    simpler, like a Notepad file. I am not an expert in Office, but I know that it
    can generate and use temporary files, which adds more complexity to a
    configuration. Also have a user try to access the share remotely to see if
    they can encrypt a file and then decrypt it. What will happen the first
    time a user does this is that a "mini" user profile will be built for the user on
    the server with the share; it will contain the user's certificate and EFS
    private key, which will also be generated for the user. Try a user that has
    never logged onto the server interactively.

    Note that if a user copies a file from the server share to an EFS folder on
    his computer, the file is decrypted on the server, goes over the network in
    clear text, and is then encrypted again on his computer. If the user does not
    have the same EFS certificate/private key on his workstation, a different EFS
    certificate/private key is used. The efsinfo utility is useful in
    determining what users and Recovery Agents can access an EFS file, and it can
    also display the thumbprints of the certificates, which can be compared to the
    EFS certificates that exist for a user or RA on a computer. --- Steve

    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp
    OR
    http://tinyurl.com/c4ded
    http://support.microsoft.com/default.aspx?scid=kb;en-us;243026&sd=tech --
    efsinfo details.

    "James Fabulous" <James.Fabulous@hotmail.com> wrote in message
    news:%2329npp4yFHA.3856@tk2msftngp13.phx.gbl...
    > I've done a good deal of reading today that has bolstered my understanding
    > of EFS and its uses and limitations. However, a couple of questions are
    > still apparent when I use this knowledge.
    >
    > Scenario:
    > FolderA is shared as FolderA with Domain Admins having Full Control in both
    > Sharing and NTFS security.
    > FolderB is under FolderA and has the same permissions for NTFS.
    > FolderB (and its subsequent contents, an Excel spreadsheet) were encrypted by
    > UserA (a domain admin) on the server (Win2K3) using the GUI.
    >
    > UserA works from a Win2K SP4 workstation and visits FolderA via the
    > network share and browses into FolderB. Double-clicking the spreadsheet to
    > open the file executes Excel and produces the error "Cannot access
    > read-only file FileA.xls", promptly followed by "Cannot access FileA".
    >
    > Is there a reason that an EFS encrypted file would not work under this
    > scenario? How do I resolve this?
    >
    > In addition to the issue above, even when using the Details tab (apparent on
    > the Win2K3 server but not available on Win2K clients like UserA's
    > workstation), UserA adds the certificate of another domain admin, UserB. UserB
    > has an XP SP2 workstation but gets the same error when attempting to open the
    > file in the same fashion as stated above.
    >
    > According to what I've read there should be no issue with that either. Any
    > ideas?
    >
    > *SideNote - an EFS RA has been established and certificates exported to
    > offsite locations. When viewing the EFS properties for the file via the
    > Win2K3 server and the XP client, the information shown is correct.
    >
    >

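The three checks Steve describes (delegation on the server's computer account, a plain-file encrypt/decrypt round trip over the share as a remote user, and comparing efsinfo's certificate thumbprints against the user's local EFS certificates) as one PowerShell script. This is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory module (RSAT) on the admin workstation, PowerShell remoting to the file server, and efsinfo.exe (Windows resource kit) on the server's PATH; the server, share and path names are placeholders.

```powershell
# Added example for the EFS-on-a-share scenario in this thread (not from the post).
# Assumptions: RSAT ActiveDirectory module, WinRM remoting to the server,
# efsinfo.exe (resource kit) on the server. Names below are placeholders.
param(
    [string]$Server      = 'FILESRV01',                 # placeholder server name
    [string]$Share       = '\\FILESRV01\FolderA',       # placeholder share
    [string]$ServerLocal = 'D:\Shares\FolderA',         # placeholder local path of the share on the server
    [string]$File        = 'FolderB\FileA.xls'          # file the user cannot open
)

Import-Module ActiveDirectory

# 1. The server must be trusted for delegation: it opens the remote user's EFS
#    profile and private key while impersonating that user.
$computer = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
if (-not $computer.TrustedForDelegation) {
    Write-Warning "$Server is NOT trusted for delegation; remote EFS access will fail."
} else {
    Write-Host "$Server is trusted for delegation."
}

# 2. Simplest possible test (run as a user who has never logged on to the server
#    interactively): encrypt a plain text file over the share and read it back.
#    The first encrypt builds the 'mini' profile and EFS certificate on the server.
#    Note that the round trip crosses the wire in plaintext; EFS only protects
#    the file at rest on the server.
$testPath = Join-Path $Share 'efs-test.txt'
Set-Content -Path $testPath -Value 'EFS round-trip test'
(Get-Item $testPath).Encrypt()                        # System.IO.FileInfo.Encrypt -> EFS
$isEncrypted = ((Get-Item $testPath).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
$readBack    = Get-Content -Path $testPath -Raw
Write-Host "Encrypted attribute set: $isEncrypted; decrypt/read back OK: $($readBack -like 'EFS*')"

# 3. Ask efsinfo on the server which users/RAs can open the problem file and
#    collect the certificate thumbprints it prints (/u users, /r recovery agents,
#    /c certificate thumbprints).
$efsOutput = Invoke-Command -ComputerName $Server -ScriptBlock {
    param($p) efsinfo /u /r /c $p
} -ArgumentList (Join-Path $ServerLocal $File)

# Thumbprints are 40 hex digits; efsinfo may print them in space-separated groups.
$fileThumbs = $efsOutput |
    Select-String -Pattern '(?:[0-9A-Fa-f]\s?){40}' -AllMatches |
    ForEach-Object { $_.Matches.Value -replace '\s', '' } |
    ForEach-Object { $_.ToUpperInvariant() }

# 4. Compare with the EFS certificates this workstation user actually holds.
#    A thumbprint that appears on the file but not here is the usual cause of
#    'Cannot access' errors: the file was encrypted with a key the client lacks.
$localEfs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' }

Write-Host "`nEFS certificates in the current user's store vs. keys that can open $File"
foreach ($c in $localEfs) {
    $status = if ($fileThumbs -contains $c.Thumbprint.ToUpperInvariant()) { 'can open file' } else { 'NOT on file' }
    '{0}  {1}  {2}' -f $c.Thumbprint, $c.Subject, $status
}
Write-Host "`nThumbprints efsinfo lists on the file:"
$fileThumbs
```

Run the script as the user who hits the error, from that user's workstation, so that step 2 exercises the server-side profile creation for the right account and step 4 inspects the right certificate store. On Vista and later, `cipher.exe /c <file>` prints the same user/RA thumbprint information as efsinfo and can replace the `Invoke-Command` call.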
