Folder Redirection Data Encryption

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I want to implement Group police folder redirection to
store my documents folder on the server, but I would like
to encrypted files and folder as they are access across
the network. What is the best way to encrypt this
information? Windows AD 2000 server 2000 Pro and XP
clients.
 
First the remote server must be trusted for delegation in it's account properties in
Active Directory users and Computers. Then it would be best to logon and create a
user profile on that server and either encrypt a file there to generate a encryption
certificate/private key or import your existing one into that profile using a .pfx
file by exporting your current EFS certificate/private key. If you do not create a
user profile on that server then a "mini" profile will be created the first time you
encrypt a file on it creating a EFS certificate/private key in that profile. If you
do that an use EFS on your desktop, you run the risk of having two separate EFS
certificate/keys that can be confusing and even lead to loss of data in case of a
computer problem. For instance if you decide to copy an EFS file from the server to
your desktop, the file will go over the network unencrypted. If you encrypt it on
your computer and seen it back to the server, it could be decrypted by a totally
different EFS certificate/private key if the same certificate private key is not on
your desktop and server. Efsinfo is a handy tool to display what certificates/private
keys can decrypt a EFS file.

Be VERY careful with EFS as it is easy to lose access to your own data if their is a
problem. Always keep copies of your EFS certificate/private key offline in a .pfx
file in case of a problem - you must export your private key also with the
certificate. There is NO way to get your EFS data if all your keys and recovery agent
keys are destroyed due to corruption/operating system failure/rebuild. XP Pro uses
AES 256 encryption for EFS - strong stuff. Windows 2000 computers require a
"recovery" agent in order to encrypt files while XP Pro does not. In a domain I
highly recommend that all users files be encrypted with a recovery agent in place as
users will be lax in EFS procedures. See the links below for more info. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;320044
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 -- a must read for
anyone considering EFS.
http://www.microsoft.com/resources/...000/server/reskit/en-us/distsys/wsrvdsys.mspx
-- more detailed info.
 
With approximately 250 users having their documents
redirected to the server what type of performance does
this have on the network. Will user notice longer delays
when trying to access their documents?
-----Original Message-----
First the remote server must be trusted for delegation in it's account properties in
Active Directory users and Computers. Then it would be best to logon and create a
user profile on that server and either encrypt a file there to generate a encryption
certificate/private key or import your existing one into that profile using a .pfx
file by exporting your current EFS certificate/private key. If you do not create a
user profile on that server then a "mini" profile will be created the first time you
encrypt a file on it creating a EFS certificate/private key in that profile. If you
do that an use EFS on your desktop, you run the risk of having two separate EFS
certificate/keys that can be confusing and even lead to loss of data in case of a
computer problem. For instance if you decide to copy an EFS file from the server to
your desktop, the file will go over the network
Click to expand...
unencrypted. If you encrypt it on
your computer and seen it back to the server, it could be decrypted by a totally
different EFS certificate/private key if the same
Click to expand...
certificate private key is not on
your desktop and server. Efsinfo is a handy tool to
Click to expand...
display what certificates/private
keys can decrypt a EFS file.

Be VERY careful with EFS as it is easy to lose access to your own data if their is a
problem. Always keep copies of your EFS
Click to expand...
certificate/private key offline in a .pfx
 
It won't be as fast as being local. As how much delay depends on network
speed/bandwidth and the capabilities of the server. Try ten or so test users to see
how it works out. If performance is excellent, then it probably should be fine with
the rest of them. The other upside is that it is a lot easier to backup their
documents folders that way. --- Steve
 
Back
Top