Implementing EFS for select users

Guest

Hello - here's a good one...

We have our finance team and their workstations located on the same floor as
a 3rd party company. As a result, we want to apply EFS to the finance
workstations which connect to our banks etc. Problem is, I can't seem to work
it all out!

To explain, we have a total of 50 workstations in the finance team - only 4
of which we want to apply EFS to (select folders). These machines are all in
Active Directory and are used by multiple users at different times.

Can anyone explain what I should be doing here, or even point me in the
right direction? I've got the Microsoft guides but they just don't seem to
help - I keep getting errors about the selected users not having the
appropriate certificates.

Thanks in advance!
 
It depends on if the workstations are Windows 2000 or XP Pro. For Windows
2000 you need to create a policy with an empty list of Recovery Agents for
the computers you want to disable it on and for Windows XP you need to
uncheck the box that allows EFS to be used. What you could do is disable it
on all computers at the domain level via Group Policy and then add the four
computers you want it enabled on into their own OU with a GPO linked to it
and configured where they will have it enabled. The links below explain more
on how to do this with Group Policy. Be VERY careful with EFS as it is easy
to lose permanent access to your data if best practices are not followed
such as using a Recovery Agent and having users backing up their EFS
certificate AND private key to password protected .pfx files. Note that you
can manage EFS by computer - not user. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;222022&sd=tech ---
Group Policy EFS for Windows 2000
http://www.petri.co.il/disable_efs_in_windows_xp_2003.htm --- Group Policy
EFS Windows XP/2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices
 
It sounds like you want to encrypt common folders that are stored locally on
these machines and allow access to them by selected domain users who log onto
those machines. If that's the case, you would need to add each user's EFS
certificate to each file, and EFS in Windows 2000 cannot do that. (EFS in
Windows XP has a UI for adding users to encrypted files.)

If this would be acceptable to your situation, a workaround is to share the
same EFS certificate and key between users. Log onto the workstation as the
user who encrypted the files and back up (export) the EFS certificate and key
from his profile to a .pfx file. Have the other users log onto the same
machine and import that certificate/key into their profiles (just run the
.pfx file). Anyone who has that certificate and key and NTFS permissions to
the files will be able to open the files. For that reason, be sure to keep
the .pfx file private.

If this would work for you, steps for backing up the certificate and key are
at
http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp.
Look for "To back up your encryption certificate and private key."

Thanks.
Pat
 
Just a note as precaution, if the workaround outlined is followed . . .
be sure that the accounts into which the common EFS cert/key is
being imported do not have any pre-existing EFS encrypted files.
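An added example, not code from any poster in this thread: it assumes a Windows host with PowerShell (later than the Windows 2000/XP workstations discussed, where the certificates MMC snap-in does the same job). It lists files already EFS-encrypted under a profile (the precaution above), exports the current user's EFS certificate and private key to a password-protected .pfx, and checks the EfsConfiguration registry value that the Group Policy in the first reply sets.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0 or later;
# run it as the user whose EFS certificate is to be backed up, before the .pfx is shared.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

# Precaution from the thread: list files already EFS-encrypted under a profile so a shared
# certificate is never imported into an account that has its own encrypted data.
function Get-EfsEncryptedFile {
    param([string]$Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

# Back up the current user's EFS certificate AND private key to a password-protected .pfx
# (the same thing the thread's "export to .pfx" step does through the certificate wizard).
function Export-EfsPfx {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        $efsCert = $store.Certificates | Where-Object {
            $_.HasPrivateKey -and
            (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |   # EKU extension
              ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $EfsEku)
        } | Select-Object -First 1
    } finally { $store.Close() }
    if (-not $efsCert) { throw 'No EFS certificate with a private key found in CurrentUser\My.' }
    $pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
    [IO.File]::WriteAllBytes($PfxPath, $efsCert.Export($pkcs12, $Password))
    return $efsCert.Thumbprint
}

# Check the result of the domain-level policy from the first reply on this machine:
# EfsConfiguration = 1 under the EFS key means EFS is disabled here.
function Test-EfsDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $v = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    return ($v -eq 1)
}

# Usage: audit first, then export only when the profile has no encrypted files of its own.
Get-EfsEncryptedFile | Select-Object FullName
if (-not (Test-EfsDisabled)) {
    $pw = Read-Host -AsSecureString 'Password for the .pfx backup'
    Export-EfsPfx -PfxPath "$env:USERPROFILE\efs-backup.pfx" -Password $pw
}
```

The .pfx written here is the same secret the thread warns about: whoever holds it and has NTFS access can open the files, so move it off the shared workstation once the other users have imported it.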
 
Well, many thanks for your support on this one - I'm setting up a test machine
just now so I'll give it a shot and see what happens. Fingers crossed, eh!
 