Setting up encryption HOWT

NewsGr

We have a 2003 domain with 2 DCs and about 20 workstations. A client wants us to encrypt all of their work. This will need to be shared by about 5 internal people. I was looking at Windows EFS encryption, but setting up certificates is relatively new to me, so I was wondering if there is a good guide on setting this up. Most of our workstations are XP Pro and the data will reside on a server - not a DC.

Thanks

Greg
 
If you do not have a Certificate Authority, EFS certificates will be generated automatically, and EFS certificates can be exported/imported [.cer file and .pfx file, which contains the private key] via the MMC snap-in for certificates for the user account. The links below should explain about all you need to do. Be VERY careful with EFS, as it is possible for users to permanently lose access to their encrypted files. You should understand the concept of a Recovery Agent, decide if you want to use one, and have all users trained to export their EFS private keys to a password-protected .pfx file in case of a disaster, such as if the user's profile becomes corrupt or the operating system is reinstalled. If a user encrypts data on multiple computers, then he will have a different EFS certificate/private key on each computer [without roaming profiles or importing the current EFS certificate/private key], which can really complicate things and increase the risk. Also, EFS encryption is only as strong as the user's password as long as the EFS private key used to encrypt the files is on the computer.

--- Steve


http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 -- a MUST
read for EFS users.
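
An added example, not part of the thread and not written by either poster: a PowerShell script that lists the EFS certificates in the current user's store, so thumbprints can be compared across computers, and exports each one that has a private key to a password-protected .pfx file. It assumes a Windows version with PowerShell and the PKI module's `Export-PfxCertificate` cmdlet (not the XP/2003 systems in the question, where the certificates MMC snap-in does the same job); `$BackupDir` and the file naming are hypothetical.

```powershell
# Added example: inventory and back up the current user's EFS certificates.
# Assumes Windows PowerShell with the PKI module (Export-PfxCertificate).
# $BackupDir is a hypothetical path; point it at removable or offline media.
param(
    [string]$BackupDir = "$env:USERPROFILE\efs-backup"
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCertificate {
    # Return certificates in the user's personal store that carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEku }
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No EFS certificate in this profile on $env:COMPUTERNAME."
    return
}

# A different thumbprint on each computer means files encrypted there
# can only be opened with that computer's private key (or a recovery agent).
$certs |
    Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

$password = Read-Host -AsSecureString "Password to protect the .pfx backup"
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

foreach ($c in $certs) {
    if (-not $c.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything.
        Write-Warning "$($c.Thumbprint): no private key on this computer, skipped."
        continue
    }
    $file = Join-Path $BackupDir "$env:USERNAME-$env:COMPUTERNAME-$($c.Thumbprint).pfx"
    Export-PfxCertificate -Cert $c -FilePath $file -Password $password | Out-Null
    Write-Output "Exported $($c.Thumbprint) to $file"
}
```

Run it as the user who encrypted the files, once on each computer where that user has encrypted data, and store the resulting .pfx files away from those computers.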
 