Re: WinXP Encryption

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/06/04

• Next message: Roger Abell: "Re: finding administrators password"
• Previous message: anonymous_at_discussions.microsoft.com: "Mr. Abell, a follow up on the no local admin account"
• In reply to: Aftab: "WinXP Encryption"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 5 Feb 2004 19:59:38 -0700

First, with EFS one does not encrypt folders.
One can set a folder so that any files stored into it
will be encrypted, but the folder itself is not encrypted.

Next, what ETS keys are needed in order to view an
encrypted file in the clear can be determined by looking
at the file's EFS thumbprint. This is within the properties
of the file. You may see only your info, or you may also
see info for a data recovery agent. Anyone that can log
into your machine and have the one of EFS keys corresponding
to what you see listed is who can access your files.

If you are in a domain that does have a functioning data
recovery agent, then someone that logs into your machine
with that account will be able to access your files.
If you are in a W2k3 Active Directory, domain level
administrators may have other options that they could
use based on whether your EFS cert/key was escrowed.
But keep in mind that potentially any account can access
the files, if it has the needed EFS key loaded.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Aftab" <mk_aftab@yahoo.com> wrote in message
news:uQaXvhA7DHA.1504@TK2MSFTNGP12.phx.gbl...
> Hi!
> I want to know, if I encrypt a folder, can administrator of domain
> controller view that folder content, through Remote Desktop Connection.
> I login to a domain.
>
> Thanks
>
>

---

• Next message: Roger Abell: "Re: finding administrators password"
• Previous message: anonymous_at_discussions.microsoft.com: "Mr. Abell, a follow up on the no local admin account"
• In reply to: Aftab: "WinXP Encryption"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Encrypting Folders: Which ones? ... EFS uses PKI which complicates such setup. ... I would not suggest that you encrypt the whole documents and settings ... folder or entire user's profile folder but instead encrypt only the ... create a base image to image so many laptops. ... (microsoft.public.windowsxp.security_admin) Re: EFS network folders ... EFS was introduced to prevent abuse from unauthorized access to stolen hard ... So I thought that enabling EFS on a folder would encrypt contents making ... >> folder on server, from the workstation, to encrypted status. ... (microsoft.public.win2000.security) Outlook 2002 / EFS bug report ... I am currently implementing XP EFS on a corporate network and suggesting ... This would typically include the Outlook ... temp/attachments folder. ... (microsoft.public.outlook) Re: EFS network folders ... > So I thought that enabling EFS on a folder would encrypt contents making ... >>> folder on server, from the workstation, to encrypted status. ... (microsoft.public.win2000.security) Re: Enable "Encrypt contents to secure data" option in Windows Exp ... option available during install). ... to green for the folder and file names, ... Select the folder you wish to encrypt. ... In order for this option to work in Microsoft Windows XP home you must ... (microsoft.public.windowsxp.general)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)