Network user can access EFS restricted file

  • Thread starter Thread starter Rob Rohrbough
  • Start date Start date
R

Rob Rohrbough

I have some data I wish to encrypt. All of the CryptoAPI
strong algorithms are too slow. I am considering using
EFS (vs a third-party strong symmetric encryption like
Blowfish) on a Win2k Pro workstation in a peer-to-peer
network. The first basic test I ran showed that users on
other Win2k- or NT-based machines can still access the
files in the secured directory. Users on Win9x machines
were locked out as were other users (even with
administrative priviledges) on the same machine as the
files owner.

Here are more specifics: I have a partition, E:, which is
shared with all users on my network. I have created a
direcrory, SecTest, which I have encrypted and restricted
access from anyone but the owner of the directory. The NT
and Win2k machines are not accessing the file as the
owner. That is an option when connecting to a share, but,
AFAIK, I did not do that. I even created another
connection just to make sure I was not "connecting as".
Still could gain access.

Is this expected behavior? Is there a way to restrict
access to that directory from other machines on the LAN
short of putting the directory on a partition that is not
shared at all or by specific directory?

TIA,

Rob
 
I am not sure I understand you problem or question. I will still try to
answer.

If you encrypt your folder but have NTFS permissions everyone full control
(default setting on Win2K) users will be able to access folders or shares
but won't be able to actually read the content of the files. They will also
be able to delete all the encrypted files but not copy them.
If you want to also prevent users from seeing content of your folders and
prevent them right of deleting content of the folder you should also user
NTFS permission on secured folder (or share).
 
Mike,

Thanks for the reply. I have been away from the newsgroup
for a few days. For not understanding the question you
did very well. I am trying to prevent users from seeing
sensitive data in the files rather than preventing them
from seeing what files are in the folder. Ideally, I
would like only the local user logged in to see the data
in these files. Even though the drive is shared, I would
like the data to be visible only to the local user who is
logged in via the authorized ID (or only authorized
network users).

I finally got the system to deny access to the data while
allowing the files to show up in Windows Explorer. Before
today, all I could do is turn access to the folder on and
off with NTFS file permissions. Today, I learned how to
export the certificate, delete it, and import it again.

The trouble is, whenever the certificate is not installed,
no-one can access the data - including the owner.
Whenever the certificate is installed, everyone has access
to the data who has access to the folder or file. The
scary thing is that it almost makes sense to me. The
disappointing thing is that it doesn't matter that the
certificate is installed in the owner's Personal
certificate store, everyone can access the data anyway.

It appears that we can use EFS even with these
constraints. I would, however, like any additional feed
back as to whether I am missing something.

Thanks again,

Rob
 
Back
Top