Glenn said:
What thoughts do people have on EFS-encrypting the Documents and
Settings root so that all new user profiles are EFS encrypted? Is this
feasible/reliable?
Thanks
Glenn
There are many perils in using EFS. Why would you want to encrypt everyone's
documents? I would only consider this in an Active Directory environment
where you can more easily set up a recovery agent. Anyone who uses EFS
sooner or later loses data due to it. Make sure you have a good backup
strategy. Make sure you have a recovery agent set up. Make sure you export
all user EFS keys and the recovery agent EFS key. Something as simple as
a user forgetting their password can cause data loss.
Most importantly, read everything you can find on EFS. Make sure you test and
understand how to recover EFS files when a user profile gets lost,
corrupted, changed, etc. Test and retest many times before implementing it.
Here is a starting point for reading:
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://support.microsoft.com/?kbid=241201
Personally I would not recommend doing this. If you really need users'
documents to be secure then NTFS permissions and enforcing that they be
stored on a physically secure server is a better idea. If the users are
using laptops then look at 3rd party encryption solutions. Be aware that if
the encryption is any good there is always the danger of data loss. The
whole point of encryption is to make the data hard to get at.
Kerry
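
The key-export and recovery-agent steps recommended in the reply above can be scripted around the built-in `cipher.exe`; this PowerShell sketch is an added example, not part of the original posts. The backup path, file names and the `-NewRecoveryAgent` switch are assumptions for illustration, and `Get-ChildItem -Attributes` needs PowerShell 3.0 or later.

```powershell
# Added example: inventory EFS-encrypted files and back up the keys needed to recover them.
# $BackupDir and the output file names are hypothetical; point them at offline/removable storage.
param(
    [string]$ProfileRoot = $env:USERPROFILE,   # tree to inventory
    [string]$BackupDir   = 'E:\efs-backup',    # assumed backup location
    [switch]$NewRecoveryAgent                  # admin only: create a recovery agent key pair
)

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Root)
    # EFS marks files with the NTFS "Encrypted" attribute; list every file that carries it.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Attributes Encrypted `
                  -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Record which files depend on this user's EFS key, so a later recovery
#    test can confirm that every one of them is still readable.
$inventory = @(Get-EfsEncryptedFile -Root $ProfileRoot)
$csv = Join-Path $BackupDir "efs-inventory-$env:USERNAME.csv"
$inventory | Export-Csv -Path $csv -NoTypeInformation
Write-Output ("{0} encrypted file(s) under {1}; list saved to {2}" -f $inventory.Count, $ProfileRoot, $csv)

# 2. Export the current user's EFS certificate and private key to a .PFX file.
#    cipher prompts interactively for a password protecting the file.
$userKey = Join-Path $BackupDir "efs-user-$env:USERNAME"
cipher.exe /x $userKey

# 3. Optionally generate a recovery agent certificate (.CER) and key (.PFX).
#    The .CER is what gets added to the EFS recovery policy; keep the .PFX offline.
if ($NewRecoveryAgent) {
    $dra = Join-Path $BackupDir 'efs-recovery-agent'
    cipher.exe "/r:$dra"
}
```

Restoring the exported `.PFX` into a fresh test profile and opening the files listed in the CSV is the recovery test the reply asks for.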