DFS , EFS and NTFRFS

  • Thread starter Thread starter David Bowen
  • Start date Start date
D

David Bowen

OK, I'll start by apologizing for all the abbreviations that are about to
turn up. And I should apologize for cross-posting with .file_system, but
I'm suspecting I'll get more of the EFS crowd here.

ACL: Access Control List
AD: Active Directory
CA: Certificate Authority
DC: Domain Controller
DFS: Distributed File System
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
EFS: Encrypting File System
NTFRS: NT File Replcation Service
NTFS: NT File System
OK: Okay :)

I have Windows 2003. 3 machines, all DCs. Two of them are running DNS and
DHCP (with the 20/80 trick).

I have files that I replicate using NTFRS. I also use DFS extensively. The
combination of DFS and NTFRS appears to work well. I've also got some group
policy entries for "My Documents" re-direction targetting a DFS folder
(different per user) - I know it's against best-practice, but it's terribly
useful.

My problem is that I'm going on holiday in six months time and I'd like to
encrypt my files so that if someone steals my servers whilst I'm away they
can't just slot the drive into their server and use their local admin
priviliges to give themselves permission to my files (which are obviously
locked down by ACLs in my environment).

I dreamt of using EFS to do this and so I set myself up as a CA and
configured the auto-enrollment magic etc. I did have an issue with the fact
that the list of users who can transparently access the file is *not*
associated at the folder level. That's OK because I made myself and my
girlfriend Data Recovery Agents so she can get to everything that I encrypt
(and vice-versa).

So then I ran a number of tests and all was well. I thought I'd be brave
and so I encrypted my "My Documents" folder as my first real-world test.
Sadly I then discovered quite a few errors in
%WINDOWS%\Debug\NtFrs_0005.log.

<StuGenerateStage: 5780:00:00 4171:00:00 S0: 19:44:03> ++
OpenEncryptedFileRaw failed on \\?\V:\DFS Secure\David\My
Documents\Apple3.txt; WStatus: ERROR_SHARING_VIOLATION

Now this seemed a bit odd as there wasn't anyone using the file. I even
popped to www.sysinternals.com and fetched Process Explorer which I admit
didn't help much on this occasion.

Having decided this was probably an encyption-related issue I tried to setup
the NTFRS Service to have an "EFS Recovery Agent" certificate. That was a
silly thing to try because certificates are only issued to machines or
users. So I created a new "Service" account and gave it a certificate, made
it and Enterprise Admin, added it to my list of users that are mentioned in
the file ACL and then setup the NTFRS service on all three machines to use
this new account. That yielded:

<SndCsMain: 3264:00:00 873:00:00 S0: 19:44:28> ++ ERROR - EXCEPTION
(00000721) : WStatus: RPC_S_SEC_PKG_ERROR


which doesn't look nice.

So I reverted all my NTFRS service accounts to be LocalSystem and then did
what you do in these cases - I went back to Google. Now I'll admit to
reading a lot of the documentation on DFS, EFS, NTFRS and NTFS but I never
came across:

http://support.microsoft.com/?kbid=229928

which is titled:

Design Decisions, Defaults and Behavior for FRS File and Folder Filters in
DFS and SYSVOL Replica Sets

And this document kindly informs me (amongst other things):

Other files excluded by FRS
In addition to files and directories excluded by filters, replication does
not occur for the following cases:
- EFS-enabled files and folders. EFS-encrypted files are computer-specific
and excluded from replication.

Well as you can imagine I stopped smiling. Well I would have done if I
wasn't pretty glum already.

Seeing as how all my certificates are auto-enrolled in AD and that my CA is
fully accessable and that all my machines are in the same domain I'm a bit
surpised to find out that my encrypted files are "computer-specific". So I
did the obvious test and copy-and-pasted an encypted file to another machine
and it de-crypted just fine from a user session on the remote machine (which
assumedly picks up my EFS certificate / key from AD). That was what my
other tests showed and it appears to make sense to me.

Basically I'm now confused as I can't see why NTFRS doesn't just lift the
file up and squirt it (still encrypted) over to the other NTFRS hosts. I
would have more luck using XCopy than NTFRS in this case.

Does anybody have any experience that could help me here (notably a way to
stop NTFRS filtering EFS'd files)?

David Bowen
 
The subject line should be

DFS , EFS and NTFRS

I think I got carried away with my F key.
 
I should mention that:

http://support.microsoft.com/default.aspx?scid=kb;en-us;272279&sd=tech

How to Troubleshoot the File Replication Service and the Distributed File
System

Seems to occur over-and-over in my searches too. This is because of the
phrase:

9. Verify whether or not the source file had been excluded from replication.
Confirm that the file is not Encrypting File System (EFS) encrypted, a NTFS
file system (NTFS) junction, or excluded by a file or folder filter on the
originating replica member. If any of these situations are true, FRS does
not replicate the file or directory
 
Sounds like doing so is not supported. Why not encrypt them with a third
party utility instead?

http://securityadmin.info/faq.asp#encryption

Depending on the utility, this might have the added advantage of also
allowing you to encrypt the entire hard drive if you wanted, including
windows system files and other files that might contain data you don't want
stolen.
 
Sounds like doing so is not supported. Why not encrypt them with a third
party utility instead?
<<

A perfectly sensible suggestion.

Sadly I'll be here here next week saying "I'm doing DFS, NTFRS, ... oh and
encryption using XYZ" and the first response I'll get is "turn off XYZ" and
see what happens. I guess I'm just fatigued at the moment - that prospect
doesn't fill me with joy.


Karl, I'm afraid I have my IE security set to high. I had to lower it to
see the page which is obviously a bit worrying for me.

Depending on the utility, this might have the added advantage of also
allowing you to encrypt the entire hard drive if you wanted, including
windows system files and other files that might contain data you don't want
stolen.

Yep, good point. I think I'd decided that it's just my "Secure" area that I
was worried about (and %TEMP%, and ....). My DFS replica set is even called
"Secure" and all the "My Documents" point to it. My girlfriend knows that
anything in there is safe because of the "real-time" replication and the
regular DVD backups I do (yes it's 8GiB). She did believe that the ACLs
made it secure, but now she knows about encryption she thinks that would be
even better (and I think that too!)

David
 
Back
Top