Re: EFS on shared file server
- From: "Lorenzo Soncini" <lorenzo.soncini@xxxxxxxxxxxxxxxxx>
- Date: Fri, 23 May 2008 17:39:00 +0200
You tell me all correct things. I have read and know the official solution... but I have many files, and doing the work manually is hard work.
I think mine is a typical working scenario.
The only usable solution is to use the Recovery Agent.
If someone has other solutions...
Lorenzo Soncini
"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message news:e#Wjy4LvIHA.1936@xxxxxxxxxxxxxxxxxxxxxxx
EFS is for protecting local information. In your scenario, the file gets decrypted on the file server and sent to the client in clear, with no guarantee of any protection whatsoever (unless everybody in HR is using Bitlocker). And because you're creating many recovery agents, the secrecy deteriorates while you have to manage recovery agents et cetera. Correct me if I'm incorrect, but IT people will also have access to the information or the backup sets.
I would concentrate on protecting local access to the server console and maintaining the share ACLs.
Side note: MS guidelines for sharing access to EFS are in http://support.microsoft.com/kb/308991 (equally applies to Windows Server 2003)
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
"Lorenzo Soncini" <lorenzo.soncini@xxxxxxxxxxxxxxxxx> wrote in message news:%23FQjHPKvIHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I need to use EFS on a shared folder of my file server. To grant access to many people to the files in the folder, I have created many EFS Recovery Agents.
All works fine if I use a local file system, but on the file server only the user who has encrypted the file can access it, and not the EFS Recovery Agent.
Other question:
Is it possible to store the User Certificate for EFS on AD, so that if a user logs on to a different computer they can always access the encrypted files?
The scenario:
In a company, the Human Resource Office (HR) needs EFS for the reservation of sensitive information about employees. But all the employees of the HRO need to access this information. The solution of manually adding all users in the EFS properties of every encrypted file is not applicable.
Thanks
Lorenzo Soncini