EFS question


Guest

I have a user who works on two machines and routinely copies encrypted files
between them via her home directory on the server. She can view all of the
encrypted files on both PCs (when opened locally or on the server), even
though she has different EFS certificates on each machine. (She does not
have a roaming profile.) I was under the impression that this can't be done.
PCs are XP and the server is 2003. Can anybody explain to me why this is?
Thanks.
 
matt_heff said:
I have a user who works on two machines and routinely copies encrypted files
between them via her home directory on the server. She can view all of the
encrypted files on both PCs (when opened locally or on the server), even
though she has different EFS certificates on each machine. (She does not
have a roaming profile.) I was under the impression that this can't be done.
PCs are XP and the server is 2003. Can anybody explain to me why this is?
Thanks.

I may have this wrong, but I think that when the files are copied to the
server, they have been unencrypted, and thus readable by anyone with
permissions to that file. I believe the files are only encrypted when
they are residing on the source PC.

Can anyone refute that? I'd be happy to have my understanding of this
corrected by a knowledgeable source.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.
 
null said:
I may have this wrong, but I think that when the files are copied to
the server, they have been unencrypted, and thus readable by anyone
with permissions to that file. I believe the files are only encrypted
when they are residing on the source PC.

Can anyone refute that? I'd be happy to have my understanding of this
corrected by a knowledgeable source.

I'm no EFS expert, but here is a link to an MS KB article that explains
all about EFS:

http://tinyurl.com/6l6xx

Malke
 
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/CryptFS.mspx
is an excellent source of information on EFS's behavior. From the doc:

Copying, Moving and Saving Encrypted Files

Because of the unique nature of encrypted files, different results can occur
when moving or copying encrypted files between locations. For example, when
copying an encrypted file from a local machine to a server on the network,
different results of the copy operation will occur depending on the operating
system being used on the server. In general, copying a file will inherit
the EFS properties of the target, but a move operation will not inherit the
EFS properties of the target folder.

When copying an encrypted file:

* If using Windows 2000 and the target server is running Microsoft® Windows
NT Server 4.0, the file will be silently decrypted and copied to the server.
If using Windows XP or Windows Server 2003, the user will be warned and prompted
to allow the decryption operation.

* If the target server is running Windows 2000 or Windows Server 2003, and
the machine account of the server is trusted for delegation in the Active
Directory, the file will be silently decrypted and copied to the server where
it will be re-encrypted using a local profile and encryption key.

Note: the file is transmitted on the network between the client and the server
in an unprotected format. If this file contains confidential information,
care should be given to ensure that the network connection also provides
secure transmission of the data. Such network data protection might include
IP Security (IPSec).

* If the target server is running Windows 2000 or Windows Server 2003 and
the machine account of the server is not trusted for delegation in the Active
Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the
file will not be copied and the user will receive an "access denied" error
message.

The "access denied" error message is returned to applications from the NTFS
file system in order to ensure compatibility with existing applications.
The use of an alternate or more descriptive error message would cause many
applications to fail or behave erratically.

The Windows XP Professional client contains some enhancements in the area
of copying encrypted files. Both the shell interface and the command-line
now support an option to allow or disallow file decryption. When an encrypted
file is copied to a target location that does not allow remote encryption,
the user will be prompted with a dialog box that allows a choice of whether
or not to decrypt the file.


Steve Riley
(e-mail address removed)
 
null is correct. When you encrypt a doc, you are setting the property
locally. So most likely what is happening is:

File encrypted with key 1 (PC1) ---> File not encrypted (server) ---> File
encrypted with key 2 (PC2)

What is happening is that each PC is encrypting the file because the person
set the property at the PCs to encrypt.

This would be the case if the user only set encryption at the first PC. If
you would like to protect the file on all three systems then you will need
to replace the EFS key and cert on PC2 with the one from PC1 and set
encryption on the file server. If you only turn on file encryption on the
file server, then you will not be able to open the server's file from the
other PC.

You should read the KB, Best Practices for EFS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Probably a bit of overkill, but there is a Tech Ref doc on EFS for anyone
interested in the details:
http://www.microsoft.com/resources/...v/2003/all/techref/en-us/W2K3TR_efs_Intro.asp

--
Michiko Short [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
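To check which of the copy outcomes listed in the CryptFS excerpt above actually happened, and to confirm the key1 -> plaintext -> key2 path in Michiko's diagram, the state of each copy can be read directly. The script below is an added example and is not code from the thread or from Microsoft. It assumes PowerShell 3.0 or later (for [pscustomobject] and [Parameter(Mandatory)]) and cipher.exe /c for the thumbprint listing (present on Windows Vista / Server 2008 and later; on the XP/2003 machines in the thread only the Encrypted-attribute check applies). The file paths, server name and user name are constructed placeholders.

```powershell
# Added example, not part of the thread: report whether a file is really EFS-encrypted at
# each hop of PC1 -> server home directory -> PC2, and which certificate thumbprints can
# decrypt it. Paths are constructed placeholders; run once on PC1 and once on PC2.
$Paths = @(
    'C:\Users\alice\Documents\report.docx'      # local copy on the PC this runs on
    '\\FILESERVER\home\alice\report.docx'       # copy in the server home directory
)

function Get-EfsState {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Encrypted = $null; Thumbprints = @() }
    }

    # FILE_ATTRIBUTE_ENCRYPTED is the NTFS flag EFS sets on a file. It is reported for
    # UNC paths as well, so a plaintext copy on the server shows Encrypted = False here.
    $attrs = [System.IO.File]::GetAttributes($Path)
    $encrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -eq [System.IO.FileAttributes]::Encrypted

    # cipher /c lists the users who can decrypt the file, each followed by a
    # "Certificate thumbprint: XXXX XXXX ..." line; collect those thumbprints.
    $thumbs = @()
    if ($encrypted) {
        $lines = & cipher.exe /c $Path 2>&1
        $thumbs = @($lines | ForEach-Object {
            if ($_ -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)$') { $Matches[1] -replace ' ', '' }
        })
    }

    [pscustomobject]@{ Path = $Path; Exists = $true; Encrypted = $encrypted; Thumbprints = $thumbs }
}

# A different thumbprint on each PC, with the server copy reporting Encrypted = False,
# is the key1 -> plaintext -> key2 path described in the thread. The same thumbprint on
# both PCs means one certificate and key is in use on both machines.
$Paths | ForEach-Object { Get-EfsState -Path $_ } |
    Select-Object Path, Exists, Encrypted, @{ n = 'Thumbprints'; e = { $_.Thumbprints -join ', ' } } |
    Format-Table -AutoSize
```

Because the attribute of the server copy is read over SMB, it is worth repeating the check locally on the server as well: if that copy is plaintext, it is readable by anyone with NTFS permissions to the home directory, which is the exposure null and Michiko describe.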
 
Steve's email does show the correct behavior. What is odd is that the person
has not noticed the warning message. If the server cannot encrypt the file
(which it cannot if it does not have access to the person's EFS key) then it
should give a warning that it cannot encrypt.

Michiko Short said:
null is correct. When you encrypt a doc, you are setting the property
locally. So most likely what is happening is:

File encrypted with key 1 (PC1) ---> File not encrypted (server) ---> File
encrypted with key 2 (PC2)

What is happening is that each PC is encrypting the file because the
person set the property at the PCs to encrypt.

This would be the case if the user only set encryption at the first PC. If
you would like to protect the file on all three systems then you will need
to replace the EFS key and cert on PC2 with the one from PC1 and set
encryption on the file server. If you only turn on file encryption on the
file server, then you will not be able to open the server's file from the
other PC.

You should read the KB, Best Practices for EFS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Probably a bit of overkill, but there is a Tech Ref doc on EFS for anyone
interested in the details:
http://www.microsoft.com/resources/...v/2003/all/techref/en-us/W2K3TR_efs_Intro.asp

--
Michiko Short [MSFT]

This posting is provided "AS IS" with no warranties, and confers no
rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.


Malke said:
I'm no EFS expert, but here is a link to an MS KB article that explains
all about EFS:

http://tinyurl.com/6l6xx

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
 