Re: EFS question

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/15/05


Date: Thu, 15 Sep 2005 15:19:27 -0500

In article <F0A0F543-DAA9-45D0-A468-E83F5474ED7A@microsoft.com>,
robg@discussions.microsoft.com says...
> I have a share on a Windows 2003 server which contains important files that I
> want to have encrypted via EFS and accessed by only a handful of people on
> the network.
>
> I understand the process of creating certificates for each user and then
> adding these to access the encrypted file/s. My question is, how can I
> prevent the user from copying the file locally to their machine, sending it
> to themselves via email or ftp etc, then exporting their certificate and
> private key etc and then reading the file from a different location.
>
> Is it possible to prevent the user from doing this?
>
> Thanks for any advice.
>
>
There is one part of the process that you do not understand.
- When you encrypt files on a file share, the encryption/decryption
actually takes place on the remote server.
- The encryption keys for the users are stored in the user profiles on
the remote server.
- The remote server must be trusted for delegation so that the remote
server can impersonate the user when accessing the file.
- The files are actually transmitted in the clear on the network to the
user's workstation.

Based on what you are trying to prevent, this would be another threat
that you should be concerned with. As mentioned in another reply to
this thread, RMS may be a better solution for you.

Brian
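The "trusted for delegation" requirement Brian mentions is a setting worth auditing on any file server that hosts EFS-encrypted shares, since it lets the server impersonate connecting users. The PowerShell below is an added example, not code from the thread; it assumes a domain-joined host with ADSI access to the domain, and FILESRV01 is a placeholder computer name.

```powershell
# Added example: report how a file server's computer account is configured
# for Kerberos delegation by decoding its userAccountControl bits. The flag
# values are the documented ADS_UF_* constants.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

function Get-DelegationState {
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo = @()
    )
    # Returns a short label describing the delegation configuration.
    if ($UserAccountControl -band $UF_TRUSTED_FOR_DELEGATION) {
        return 'Unconstrained'   # may impersonate users to any service
    }
    if (($UserAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -or
        $AllowedToDelegateTo.Count -gt 0) {
        return 'Constrained'     # limited to the msDS-AllowedToDelegateTo targets
    }
    return 'None'
}

function Get-FileServerDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Looks up the computer object in the current domain via ADSI (no RSAT needed).
    # Computer accounts have a sAMAccountName of NAME$ (the backtick escapes the $).
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $null = $searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'msDS-AllowedToDelegateTo'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found" }
    $uac     = [int]$result.Properties['useraccountcontrol'][0]
    $targets = @($result.Properties['msds-allowedtodelegateto'])
    [pscustomobject]@{
        Computer   = $ComputerName
        Delegation = Get-DelegationState -UserAccountControl $uac -AllowedToDelegateTo $targets
        Targets    = $targets
    }
}

# Offline demonstration with a constructed userAccountControl value:
# 0x82000 = WORKSTATION_TRUST_ACCOUNT (0x2000) + TRUSTED_FOR_DELEGATION (0x80000)
Get-DelegationState -UserAccountControl 0x82000

# Live query against the domain (FILESRV01 is a placeholder name):
# Get-FileServerDelegation -ComputerName 'FILESRV01'
```

A server reporting 'Unconstrained' can obtain tickets for any connecting user to any service, so the result should be checked against what the EFS share actually needs.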
