Re: Encryption Across Network File Shares



The link below explains most everything you need to do if you read the part 
on Encrypted Files on a Server about three fourths the way into the white 
paper.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

The computer with the share that you want to contain EFS files and the 
computers that users will use to access those EFS files need to be joined to 
the domain. Then for the computer with the share find its computer account 
in Active Directory Users and Computers and select its properties and make 
sure that trust computer for delegation is selected. Its account most 
likely is in the computers container unless it is a domain controller in 
which case it would be in the domain controllers container. Then you should 
be able to encrypt and decrypt files on the share from any domain computer 
either by first logging onto the computer with the share and importing your 
certificate/private key into your domain account, by encrypting a file while 
logged onto the computer with the share which will generate an EFS 
certificate/private key, or by simply encrypting a file on the share which 
will create a mini user profile on the computer with the share that will 
contain the EFS certificate/private key that is generated in the process.

Be very careful with EFS however in that it is easy to end up with multiple 
EFS certificates/private keys and if one is destroyed/corrupted you may lose 
permanent access to your EFS files. For instance if you access the share 
where the EFS file is, decrypt your file, copy it to your computer, and 
encrypt it again on your computer you could end up with a different EFS 
certificate/private key on your computer than what is on the computer with 
the share if the computer you copied it to did not have any EFS 
certificate/private key on it for your user profile. Then if you deleted the 
EFS file on the share and had a problem accessing your EFS file on your 
computer the EFS certificate/private key on the computer with the share 
would not be able to decrypt the file. Be sure to read the link below on EFS 
best practices.   --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316


"Rick Blake" <RickBlake@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message 
news:BA30FCF8-A0FA-4992-99D6-3E8277042703@xxxxxxxxxxxxxxxx
> I'm pretty familiar with Active Directory, and I have a domain already 
> setup
> so whatever steps you tell me, I'll carry them out word for word.
>
> I just need the successful steps to making encrypting and decrypting EFS
> files across a remote/network share easy and done the right way.
>
> Thanks, Rick Blake
>
> ------------------------------------------------------
>
> "Rick Blake" wrote:
>
>> Thanks, Steve for clearing this up. The web link I gave (below) made 
>> things
>> cloudy. The author of the website I mentioned (below) made it sound like 
>> you
>> could get away with not having to be joined to a domain.
>>
>> Anyway, with the PC1 & PC2 scenario (below) could you really help me out
>> here? I need it! You know your stuff concerning EFS, I can see that by 
>> the
>> posts you leave in this newsgroup.
>>
>> I'm a little confused and need a step-by-step (1-2-3,etc). Can you give 
>> me
>> the successful "step-by-step" that I need to take, in order to access
>> encrypted files remotely.
>>
>> Here are some of the questions I have:
>>
>> * Which PC do I join to the domain?
>> * Which PC do I set "trusted for delegation"?
>> * Which PC do I export my public/private certificate from?
>> * Which PC do I import my public/private certificate to?
>> * Do I import into "Certificates\Personal" or "Certificates\Trusted People"?
>>
>> I'm a person that needs to do this by a 1-2-3 example, especially with 
>> EFS.
>> I want to look at the step by step answers you give me and digest it.
>>
>> Could you take the time and write it out (with the PC1/PC2 example 
>> below)?
>>
>> I would appreciate it G-R-E-A-T-L-Y!!! :+)
>>
>> Thanks, Rick Blake
>>
>> -----------------------------------------
>> "Steven L Umbach" wrote:
>>
>> > Yes the computer needs to be a domain computer. The link below explains 
>> > more
>> > which you may have already read.  --- Steve
>> >
>> > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp
>> >
>> >   1. EFS must impersonate the user to obtain access to the necessary 
>> > public or private key. This requires the following:
>> >   2. The computer must be a domain member in a domain that uses 
>> > Kerberos authentication because impersonation relies on Kerberos 
>> > authentication and delegation.
>> >   3. The computer must be trusted for delegation.
>> >   4. The user must be logged on with a domain account that can be 
>> > delegated.
>> >
>> > "Rick Blake" <RickBlake@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:B96784E9-1CDD-42E2-B159-3CEE1CDCFD31@xxxxxxxxxxxxxxxx
>> > >I have two XP Pro machines (PC1 & PC2) in a WORKGROUP environment - No
>> > >Domain.
>> > >
>> > > I logged on locally to PC1 and encrypted some files. I try to access 
>> > > those
>> > > files from PC2 through a shared folder (on PC1) and cannot open 
>> > > anything I
>> > > encrypted.
>> > >
>> > > I have tried the following to set this up but I think the writer of 
>> > > this
>> > > web
>> > > page could be wrong in his article:
>> > >
>> > > http://www.webspinnerstudios.com/how-to/network/windows/remotely_access_encrypted_files.htm
>> > >
>> > > I have read many articles that the only way to see remote files that 
>> > > are
>> > > encrypted, are as follows:
>> > >
>> > > You need PC1 joined to a domain and trusted for delegation before you 
>> > > can
>> > > access encrypted files across a network.
>> > >
>> > > Am I right or what am I missing here?
>> > >
>> > > Thanks Again, Rick
>> >
>> >
>> > 
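The prerequisites Steve describes above (file server trusted for delegation, a delegatable domain account, and a single EFS certificate/private key to avoid the multiple-key problem) can be verified before anyone encrypts on the share. This is an added PowerShell example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined workstation, and 'FILESRV01' and the share path are placeholders.

```powershell
# Added example, not from the thread. Checks the prerequisites Steve lists
# before you try to encrypt or decrypt on the share:
#   - the file server's computer account is trusted for delegation
#   - your domain account is allowed to be delegated
#   - you hold exactly one EFS certificate with a private key (more than one
#     is the "multiple keys" situation Steve warns about)
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
# 'FILESRV01' and the share path are placeholders.
Import-Module ActiveDirectory

$FileServer = 'FILESRV01'                       # placeholder file server name
$SamplePath = "\\$FileServer\Share\secret.docx" # placeholder encrypted file

# 1. Computer account: "Trust computer for delegation" in AD Users and Computers
$srv = Get-ADComputer -Identity $FileServer -Properties TrustedForDelegation
if ($srv.TrustedForDelegation) {
    Write-Host "OK: $FileServer is trusted for delegation."
} else {
    Write-Warning "$FileServer is not trusted for delegation; EFS over the share will fail."
}

# 2. User account: "Account is sensitive and cannot be delegated" must be off
$me = Get-ADUser -Identity $env:USERNAME -Properties AccountNotDelegated
if ($me.AccountNotDelegated) {
    Write-Warning "$($me.SamAccountName) cannot be delegated; the server cannot impersonate you."
} else {
    Write-Host "OK: $($me.SamAccountName) may be delegated."
}

# 3. EFS certificates in the user's Personal store (EKU OID 1.3.6.1.4.1.311.10.3.4)
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
}
foreach ($c in $efsCerts) {
    Write-Host ("EFS cert {0}  expires {1}  private key: {2}" -f $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey)
}
if ($efsCerts.Count -gt 1) {
    Write-Warning "Multiple EFS certificates found; back each one up (cipher.exe /x) before deleting any copy of a file."
}

# 4. Which certificates can decrypt a given file on the share (built-in cipher.exe)
cipher.exe /c $SamplePath
```

If step 4 lists a certificate thumbprint that does not appear in step 3, that file was encrypted with a key this profile no longer holds, which is exactly the loss scenario Steve describes.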

