Re: EFS on shared file server



Is there some solution (not a manual solution) to share encrypted files with some users?
Thanks
Lorenzo

"Brian Komar (MVP)" <brian.komar.nospam@xxxxxxxxxxxxxxxxx> wrote in message news:OxjfNgPvIHA.4916@xxxxxxxxxxxxxxxxxxxxxxx
EFS is not designed for your solution.
It is user based, not group based.
Giving the recovery agent certificate and private key to users is about the worst/stupidest (seriously, give away the ability to open *any* EFS encrypted files!!!!) idea I have seen in some time.
Now, with Windows Vista and Windows Server 2008, the behavior of EFS changes.
You may be able to use remote EFS in this scenario with Credential Roaming Services.
But you would still have to individually add users and their certificates.
Brian

"Lorenzo Soncini" <lorenzo.soncini@xxxxxxxxxxxxxxxxx> wrote in message news:Oi%23%23jsOvIHA.5520@xxxxxxxxxxxxxxxxxxxxxxx
Everything you tell me is correct. I have read and know the official solution... but I have many files, and doing the work manually is hard work.
I think mine is a typical working scenario.

The only usable solution is to use the Recovery Agent.
If someone has other solutions...

Lorenzo Soncini

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message news:e#Wjy4LvIHA.1936@xxxxxxxxxxxxxxxxxxxxxxx
EFS is for protecting local information. In your scenario, the file gets decrypted on the file server and sent to the client in clear, with no guarantee of any protection whatsoever (unless everybody in HR is using Bitlocker). And because you're creating many recovery agents, the secrecy deteriorates while you have to manage recovery agents etcetera. Correct me if I'm incorrect but IT people also will have access to the information or the backup sets.

I would concentrate on protecting local access to the server console and maintaining the share ACLs.

Side note: MS guidelines for sharing access to EFS are in the http://support.microsoft.com/kb/308991 (equally applies to Windows Server 2003)


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Lorenzo Soncini" <lorenzo.soncini@xxxxxxxxxxxxxxxxx> wrote in message news:%23FQjHPKvIHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I need to use EFS on a shared folder of my file server. To grant many people access to the files in the folder, I have created many EFS Recovery Agents.
Everything works fine if I use a local file system, but on the file server only the user who encrypted the file can access it, and not the EFS Recovery Agent.

Other question:
Is it possible to store the user certificate for EFS in AD, so that a user who logs on to a different computer can always access the encrypted files?

The scenario:
In a company, the Human Resources Office (HR) needs EFS for the confidentiality of sensitive information about employees. But all the employees of the HRO need to access this information. The solution of manually adding all users in the EFS properties of every encrypted file is not applicable.

Thanks
Lorenzo Soncini


