No. Encryption overrides NTFS permissions as far as access to the data. Another user
may be able to delete your data but not access it unless they are a recovery agent on
the file or know your password AND have access to the EFS private keys. You cannot
add recovery agents after the fact. If your disk was stolen and attached to another
computer, they would not be able to access your EFS files if your and the recovery
agent's private keys are not on the disk, which would still require your password to
access. Let someone who has never had their computer connected to your drive connect
it to their computer and you will see they cannot access the data in the EFS files
even if they give themselves full control of the drive or folders.
--- Steve
Zen Andreas said:
I have tried this, but noticed that if you give the disk to
someone who happens to use Win2000 too and is logged in as an
administrator, he or she can add himself to the list of users
granting himself access to the directories without any
trouble..... This would make encryption obsolete?
This worked without copying a certificate to the other machine...
Is there any way of simply restricting it to 2 computers? On both
computers I have administrator access and I do not need it on any
other computer...
Many thanks for your help.
Steven L Umbach said:
The only way would be to use encryption such as EFS. If the drive has no operating
system on it and no user profiles then a third party finding it would not be able to
decrypt the EFS files since they would not have access to the EFS private key that is
needed and stored in the user's and recovery agent's profile. In W2K two parties can
decrypt EFS files - the user who decrypted them and the designated recovery agent,
who would be the built-in administrator account by default on a stand-alone machine
and possibly a domain administrator, etc. on a domain machine. Efs info can show what
users can decrypt a file and their related thumbprint info for the associated
certificate/private key. If you use EFS it is a good idea to run cipher /w on the
drive before shutting down to try to remove any cleartext remnants of encrypted
files. EFS has its hazards in that if you have to reinstall the operating system and
you do not back up your EFS private keys, you will lose permanent access to your
data. Be sure to read the link below on EFS best practices.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
I have an external disk (60GB) which I use daily between my home-
and the office-computer.
Both computers run Win2000.
I have tried to encrypt the data and add user rights, but using
other computers this is easy to change once logged in as
administrator on a third party Win2k computer.
What is the best way of securing access to this (firewire) disk
(or directories) such that if I lose it "no one" can have (easy)
access to it?
Many thanks