D
David Bowen
OK, I'll start by apologizing for all the abbreviations that are about to
turn up.
I have Windows 2003. 3 machines, all DCs. Two of them are running DNS and
DHCP (with the 20/80 trick).
I have files that I replicate using NTFRS. I also use DFS extensively. The
combination of DFS and NTFRS appears to work well. I've also got some group
policy entries for "My Documents" re-direction targetting a DFS folder
(different per user) - I know it's against best-practice, but it's terribly
useful.
My problem is that I'm going on holiday in six months time and I'd like to
encrypt my files so that if someone steals my servers whilst I'm away they
can't just slot the drive into their server and use their local admin
priviliges to give themselves permission to my files (which are obviously
locked down by ACLs in my environment).
I dreamt of using EFS to do this and so I set myself up as a CA and
configured the auto-enrollment magic etc. I did have an issue with the fact
that the list of users who can transparently access the file is *not*
associated at the folder level. That's OK because I made myself and my
girlfriend Data Recovery Agents so she can get to everything that I encrypt
(and vice-versa).
So then I ran a number of tests and all was well. I thought I'd be brave
and so I encrypted my "My Documents" folder as my first real-world test.
Sadly I then discovered quite a few errors in
%WINDOWS%\Debug\NtFrs_0005.log.
<StuGenerateStage: 5780:00:00 4171:00:00 S0: 19:44:03> ++
OpenEncryptedFileRaw failed on \\?\V:\DFS Secure\David\My
Documents\Apple3.txt; WStatus: ERROR_SHARING_VIOLATION
Now this seemed a bit odd as there wasn't anyone using the file. I even
popped to www.sysinternals.com and fetched Process Explorer which I admit
didn't help much on this occasion.
Having decided this was probably an encyption-related issue I tried to setup
the NTFRS Service to have an "EFS Recovery Agent" certificate. That was a
silly thing to try because certificates are only issued to machines or
users. So I created a new "Service" account and gave it a certificate, made
it and Enterprise Admin, added it to my list of users that are mentioned in
the file ACL and then setup the NTFRS service on all three machines to use
this new account. That yielded:
<SndCsMain: 3264:00:00 873:00:00 S0: 19:44:28> ++ ERROR - EXCEPTION
(00000721) : WStatus: RPC_S_SEC_PKG_ERROR
which doesn't look nice.
So I reverted all my NTFRS service accounts to be LocalSystem and then did
what you do in these cases - I went back to Google. Now I'll admit to
reading a lot of the documentation on DFS, EFS, NTFRS and NTFS but I never
came across:
http://support.microsoft.com/?kbid=229928
which is titled:
Design Decisions, Defaults and Behavior for FRS File and Folder Filters in
DFS and SYSVOL Replica Sets
And this document kindly informs me (amongst other things):
Other files excluded by FRS
In addition to files and directories excluded by filters, replication does
not occur for the following cases:
- EFS-enabled files and folders. EFS-encrypted files are computer-specific
and excluded from replication.
Well as you can imagine I stopped smiling. Well I would have done if I
wasn't pretty glum already.
Seeing as how all my certificates are auto-enrolled in AD and that my CA is
fully accessable and that all my machines are in the same domain I'm a bit
surpised to find out that my encrypted files are "computer-specific". So I
did the obvious test and copy-and-pasted an encypted file to another machine
and it de-crypted just fine from a user session on the remote machine (which
assumedly picks up my EFS certificate / key from AD). That was what my
other tests showed and it appears to make sense to me.
Basically I'm now confused as I can't see why NTFRS doesn't just lift the
file up and squirt it (still encrypted) over to the other NTFRS hosts. I
would have more luck using XCopy than NTFRS in this case.
Does anybody have any experience that could help me here (notably a way to
stop NTFRS filtering EFS'd files)?
David Bowen
turn up.
I have Windows 2003. 3 machines, all DCs. Two of them are running DNS and
DHCP (with the 20/80 trick).
I have files that I replicate using NTFRS. I also use DFS extensively. The
combination of DFS and NTFRS appears to work well. I've also got some group
policy entries for "My Documents" re-direction targetting a DFS folder
(different per user) - I know it's against best-practice, but it's terribly
useful.
My problem is that I'm going on holiday in six months time and I'd like to
encrypt my files so that if someone steals my servers whilst I'm away they
can't just slot the drive into their server and use their local admin
priviliges to give themselves permission to my files (which are obviously
locked down by ACLs in my environment).
I dreamt of using EFS to do this and so I set myself up as a CA and
configured the auto-enrollment magic etc. I did have an issue with the fact
that the list of users who can transparently access the file is *not*
associated at the folder level. That's OK because I made myself and my
girlfriend Data Recovery Agents so she can get to everything that I encrypt
(and vice-versa).
So then I ran a number of tests and all was well. I thought I'd be brave
and so I encrypted my "My Documents" folder as my first real-world test.
Sadly I then discovered quite a few errors in
%WINDOWS%\Debug\NtFrs_0005.log.
<StuGenerateStage: 5780:00:00 4171:00:00 S0: 19:44:03> ++
OpenEncryptedFileRaw failed on \\?\V:\DFS Secure\David\My
Documents\Apple3.txt; WStatus: ERROR_SHARING_VIOLATION
Now this seemed a bit odd as there wasn't anyone using the file. I even
popped to www.sysinternals.com and fetched Process Explorer which I admit
didn't help much on this occasion.
Having decided this was probably an encyption-related issue I tried to setup
the NTFRS Service to have an "EFS Recovery Agent" certificate. That was a
silly thing to try because certificates are only issued to machines or
users. So I created a new "Service" account and gave it a certificate, made
it and Enterprise Admin, added it to my list of users that are mentioned in
the file ACL and then setup the NTFRS service on all three machines to use
this new account. That yielded:
<SndCsMain: 3264:00:00 873:00:00 S0: 19:44:28> ++ ERROR - EXCEPTION
(00000721) : WStatus: RPC_S_SEC_PKG_ERROR
which doesn't look nice.
So I reverted all my NTFRS service accounts to be LocalSystem and then did
what you do in these cases - I went back to Google. Now I'll admit to
reading a lot of the documentation on DFS, EFS, NTFRS and NTFS but I never
came across:
http://support.microsoft.com/?kbid=229928
which is titled:
Design Decisions, Defaults and Behavior for FRS File and Folder Filters in
DFS and SYSVOL Replica Sets
And this document kindly informs me (amongst other things):
Other files excluded by FRS
In addition to files and directories excluded by filters, replication does
not occur for the following cases:
- EFS-enabled files and folders. EFS-encrypted files are computer-specific
and excluded from replication.
Well as you can imagine I stopped smiling. Well I would have done if I
wasn't pretty glum already.
Seeing as how all my certificates are auto-enrolled in AD and that my CA is
fully accessable and that all my machines are in the same domain I'm a bit
surpised to find out that my encrypted files are "computer-specific". So I
did the obvious test and copy-and-pasted an encypted file to another machine
and it de-crypted just fine from a user session on the remote machine (which
assumedly picks up my EFS certificate / key from AD). That was what my
other tests showed and it appears to make sense to me.
Basically I'm now confused as I can't see why NTFRS doesn't just lift the
file up and squirt it (still encrypted) over to the other NTFRS hosts. I
would have more luck using XCopy than NTFRS in this case.
Does anybody have any experience that could help me here (notably a way to
stop NTFRS filtering EFS'd files)?
David Bowen