Encrypting File System

Guest

If a file is encrypted on computer A on a home network, why is it not possible to
view the file on computer B even when the EFS certificate has been installed
on computer B?

I have looked at the Advanced Attributes Details button as per chapter 17 of the
Windows XP Professional Resource Kit and it does not seem possible to select
a user of a different computer without the use of Active Directory. I don't
have Active Directory on my home network.
 
Guest

That's right. ComputerA must be trusted for delegation in an Active
Directory environment in order to allow remote access to its encrypted files.
Through delegation with the user's credentials, ComputerA can decrypt the
files and send them in plaintext over the wire to ComputerB. ComputerB may
have the key, but it can't do the decrypting.

See Delegated Server Mode:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Thanks.
Pat
 
hiroshi

Hi,

I have a desktop and a laptop, both with Windows XP Pro.
I encrypt files on the laptop and I want to access them
from the desktop over a peer-to-peer network.

I did some searching and found your post.
But it is too obscure for me to understand.

Are you saying it's impossible?

If it's possible, will you tell me exactly how to configure
the machines to enable the viewing?

Thank you.
 
Guest

It's impossible to share encrypted files between computers on a peer-to-peer
network. Sharing encrypted files requires an Active Directory network, the
kind of network most people have at work.

Thanks.
Pat
 
hiroshi

Well, that clarifies it more than anything I could find anywhere else,
thank you.

But how come I could do it on Windows 2000, and in fact, Windows XP
upgraded from 2000?
Is there any way to put XP into the same mode in which Windows XP
upgraded from Windows 2000 is?
 
Guest

Yes, sharing encrypted files on a workgroup was possible in Windows 2000.
The change in behavior is because of the differences in the security models
of the two operating systems. Windows XP is more secure. There is no way to
make it work in Windows 2000 mode.

Thanks.
Pat
 
hiroshi

So when Windows XP has been upgraded from Windows 2000, it is
running in a kind of compatibility mode that is less secure
than native XP mode?
Is it a serious insecurity?
I didn't find any mention of this anywhere. Any pointers?

Thanks.
 
Guest

Once you upgrade to Windows XP you are running in the more secure Windows XP
mode. Adding SP2 provides even more security to the system.

BTW, SP2 also includes the "cipher /x" option that you can run in a command
prompt to back up your EFS certificate and key. It creates a .pfx file that
you should store on a floppy for safe-keeping.

Thanks.
Pat
 
hiroshi

I am confused again.

You wrote:

A: It is impossible to share encrypted files between computers on a
peer-to-peer network in Windows XP.

B: It is possible in Windows 2000.

C: The cause of different behavior is that Windows 2000 uses a less
secure security model than the one in Windows XP.

D: When you upgrade from Windows 2000 to XP, the security model used
is the more secure XP model.


Fact: It is POSSIBLE to share encrypted files between Windows XP
computers on a peer-to-peer network, if the Windows XP that hosts the
files has been upgraded from Windows 2000.



Now, if an upgraded XP uses the new XP security model, and if the new
XP model is the reason that XP does not allow sharing encrypted files
on a peer-to-peer network, why can I do it on the upgraded XP?

It seems to me that it is either:

1) Windows XP upgraded from Windows 2000 uses the less secure Windows
2000 security model,

2) The new Windows XP security model can allow sharing encrypted files
on a peer-to-peer network,

or

3) The change of security models and the change in behavior in sharing
encrypted files are not related.


What am I missing?

Hiroshi
 
