EFS and multiple users


Jerry Robles de Medina

Hi,
I would like to implement EFS on a folder on my Windows 2000 SP2 server with
AD. All my clients are also Windows 2000 Pro SP2.
This folder contains shared files used by all of the users, but I want to
implement some security and thought EFS was right for it. Will I get problems
if my users try to open and write to those files, or should I be
looking for something else?

Thanks,

Jerry
 
Thanks Mike,

The files I am talking about are Word and Excel documents. So I can implement
EFS on that shared folder on the server and the users will be able to open
and modify their documents, but they cannot copy their documents to a floppy
and read them at home. Am I right? Because that is the purpose.

I still have some questions that I hope you or someone else can help me
with.
1. If I delete the certificate and private key after I exported it, can the
users still read and write the documents?
2. Most of the users have their documents on their PCs. Is it better to have
their docs on a server, and if so, will the bandwidth play a role (we
run 100 Mbps on a switch)? Or should I just implement EFS on every PC?

Thanks again for the time.
Jerry
 
Sorry, EFS works only on NTFS and a floppy can't be formatted as NTFS, so... (OK,
it can be formatted as NTFS, but ...). The main purpose of EFS is to protect
data in the company (on HDD and on servers), not while in transit (over the
network etc...).

EFS also doesn't protect you from users using a USB HDD or the Internet to e-mail
files to themselves. Before an EFS-encrypted file is sent over the Internet, it is
decrypted...
EFS will only work on HDD and backup tapes. If someone would e.g. steal a
backup tape, they wouldn't get far with it even if they did a restore to FAT
or FAT32...

But also true ... they would only be able to steal data that user encrypted.
If I encrypted e.g. my files you wouldn't be able to steal them (only I
could).

Don't forget to set up a Domain Recovery Agent. This will allow you to always
have access to your employees' files (e.g. if someone decides to leave the
company).

The product that you are looking for is due out from Microsoft some time
this year. It will allow you to set who has the right to e.g. print a
document, forward a document out of the company or copy it to floppy HDD. Well,
users will still be able to take digital photos of their screens... that
will be a bit harder to protect...
 
I skipped a few questions... Here are the answers:

1. If I delete the certificate and private key after I exported it, can the
users still read and write the documents?

I am not sure if I understand this. Let's say I encrypted some files. Now you
export my keys and erase them from my PC. I won't be able to access the
files any more (I don't have the key any more)... But if you give them back
to me ... then I would again be able to read and write to them ...

2. Most of the users have their documents on their PCs. Is it better to have
their docs on a server, and if so, will the bandwidth play a role (we
run 100 Mbps on a switch)? Or should I just implement EFS on every PC?

Let's say I encrypt a file on my PC. Now I have to copy it to the server
(because of e.g. backup). First the file will decrypt on my PC and will be sent
unencrypted over the network to the file server, where it will be encrypted
or not -- depending on whether the destination folder has encryption turned on
or off. Files will usually inherit parent folder settings (permissions, EFS
or compression settings). There are a few rules and/or exceptions to this ...

No, bandwidth would not be a problem. Personally I would do this on the server
because I would still want to back up these files on tape just in case. Since
you need to encrypt them they must be important, so I guess backup is a must.

If you need to also secure data transfers on the network (when e.g. copying
files and folders from clients to servers) you can use built-in IPSec (Win2K
or higher can support this via policies). This will put more stress mainly
on the file server, and also on the network and clients. Clients and network should not be a
problem, but the server, well, it depends on hardware configuration, number of
users...

Mike
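
As an added example (not part of the original thread or any poster's code), here is a PowerShell check for the inheritance exceptions mentioned above: it lists files that sit in a folder flagged for EFS but are themselves not encrypted. It assumes a Windows host with PowerShell, which the Windows 2000 machines in this thread would not have had; the function name and the `D:\Shared` path are hypothetical.

```powershell
# Added example: report plaintext files inside folders that are flagged for EFS.
# Assumptions: Windows host with PowerShell, NTFS volume, hypothetical path D:\Shared.
function Find-UnencryptedInEfsFolder {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root
    )

    # FILE_ATTRIBUTE_ENCRYPTED as an integer bit mask (0x4000).
    $encBit = [int][System.IO.FileAttributes]::Encrypted

    # The root folder itself plus every subfolder, hidden ones included.
    $folders = @(Get-Item -LiteralPath $Root -Force)
    $folders += @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        # Only a folder carrying the encrypted flag causes new files to be encrypted.
        if (([int]$folder.Attributes -band $encBit) -eq 0) { continue }

        Get-ChildItem -LiteralPath $folder.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and (([int]$_.Attributes -band $encBit) -eq 0) } |
            ForEach-Object {
                # A plaintext file here did not inherit the folder setting, for example
                # one moved (renamed) within the same volume, which keeps its old state.
                New-Object PSObject -Property @{
                    Folder        = $folder.FullName
                    File          = $_.Name
                    Attributes    = $_.Attributes
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}

# Example call (placeholder path):
# Find-UnencryptedInEfsFolder -Root 'D:\Shared' | Format-Table -AutoSize
```

An empty result means every file directly inside an EFS-flagged folder carries the encrypted attribute; it says nothing about copies made to FAT media or sent over the network, which are decrypted as described in the post.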
 
As far as I am aware, Win 2000 does not support sharing of
EFS protected files. If this is extremely important to
you, then you will need to upgrade to Windows XP or
Windows 2003 Server.
 
Hi Mike,
Thanks a lot, I think I have learned enough from you so that I can do my
implementation.
I think it can be done and am already busy with it.
Thanks!
Jerry
 