Sign in with
Sign up | Sign in
Your question

baffled by efs

Last response: in Windows XP
Share
December 25, 2004 12:38:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

xp pro 2
small psychology office
need to encrypt client files so all psychologists can see them
need to encrypt business files so only owner can see them

I keep thinking in terms of a password is needed to open the files or
folders. Apparently that isn''t the way efs works.

I'm hoping I don't have to hire another specialist to set this up.

Right now the computer opens on the one "user" screen and that's that.

My main fear is, I end up not being able to read anything and lose it all.

John

More about : baffled efs

Anonymous
December 25, 2004 12:54:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

While EFS does have a way to "share" files, it's really designed more for
protecting files so that only the owner can access them. Mostly we see EFS
deployed on laptops to help keep the data confidential in case the laptop
gets stolen. EFS is integrated into the file system and automatically decrypts
files when the owner is logged in -- that's why you don't see any separate
password prompts.

For your case, a separate product, Windows Rights Management Services, is
better. The owner of a file can indicate who's allowed to do what -- read,
print, modify, delete, and so on. You can also set an "age limit" on files
so that they can't be used at all after a certain date. RMS requires Office
2003 Professional, Active Directory, and RMS CALs. There's lots of product
info and some deployment guides at http://www.microsoft.com/rms.

Steve Riley
steriley@microsoft.com



> xp pro 2
> small psychology office
> need to encrypt client files so all psychologists can see them
> need to encrypt business files so only owner can see them
> I keep thinking in terms of a password is needed to open the files or
> folders. Apparently that isn''t the way efs works.
>
> I'm hoping I don't have to hire another specialist to set this up.
>
> Right now the computer opens on the one "user" screen and that's that.
>
> My main fear is, I end up not being able to read anything and lose it
> all.
>
> John
>
December 25, 2004 5:52:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Steve Riley [MSFT] wrote:
> While EFS does have a way to "share" files, it's really designed more
> for protecting files so that only the owner can access them. Mostly we
> see EFS deployed on laptops to help keep the data confidential in case
> the laptop gets stolen. EFS is integrated into the file system and
> automatically decrypts files when the owner is logged in -- that's why
> you don't see any separate password prompts.
>
> For your case, a separate product, Windows Rights Management Services,
> is better. The owner of a file can indicate who's allowed to do what --
> read, print, modify, delete, and so on. You can also set an "age limit"
> on files so that they can't be used at all after a certain date. RMS
> requires Office 2003 Professional, Active Directory, and RMS CALs.
> There's lots of product info and some deployment guides at
> http://www.microsoft.com/rms.
>
> Steve Riley
> steriley@microsoft.com
>
>
>
>> xp pro 2
>> small psychology office
>> need to encrypt client files so all psychologists can see them
>> need to encrypt business files so only owner can see them
>> I keep thinking in terms of a password is needed to open the files or
>> folders. Apparently that isn''t the way efs works.
>>
>> I'm hoping I don't have to hire another specialist to set this up.
>>
>> Right now the computer opens on the one "user" screen and that's that.
>>
>> My main fear is, I end up not being able to read anything and lose it
>> all.
>>
>> John
>>
>
>
Thanks I'll try it

john
Related resources
Anonymous
December 26, 2004 6:07:52 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Sat, 25 Dec 2004 09:54:47 -0800, Steve Riley [MSFT]

The original poster's in a tuff situation; legally, confidentially
requires scrupulous attention to privacy, but accountability also
requires ongoing preservation of records. As he righly mentions, EFS
is great for privacy but increases the risk of data loss, unless
backup arrangements are as meticulously admin'd as privacy/access.

>While EFS does have a way to "share" files, it's really designed more for
>protecting files so that only the owner can access them. Mostly we see EFS
>deployed on laptops to help keep the data confidential in case the laptop
>gets stolen. EFS is integrated into the file system and automatically decrypts
>files when the owner is logged in -- that's why you don't see any separate
>password prompts.

That's also why it may fall short of what you are looking for, unless
something else is used to prevent visibility whenever logged on.

>For your case, a separate product, Windows Rights Management Services, is
>better. The owner of a file can indicate who's allowed to do what -- read,
>print, modify, delete, and so on. You can also set an "age limit" on files
>so that they can't be used at all after a certain date. RMS requires Office
>2003 Professional, Active Directory, and RMS CALs. There's lots of product
>info and some deployment guides at http://www.microsoft.com/rms.

Is RMS strong enough? Risks of reading files through 3rd-partyware,
viewers or older Office versions?

Ultimately, it comes down to the crunch of privacy vs. risk of data
loss. A file that's present, but no-one knows the pwd or decryption
key, may be effectively as lost as one barfed by ChkDsk /F.



>---------- ----- ---- --- -- - - - -
Proverbs Unscrolled #37
"Build it and they will come and break it"
>---------- ----- ---- --- -- - - - -
Anonymous
December 26, 2004 6:07:53 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

> Is RMS strong enough? Risks of reading files through 3rd-partyware,
> viewers or older Office versions?

There's no risk of third-partyware (cool term) or older versions of Office
reading the docs. RMS a system that's composed of an authentication mechansm
(AD), an xRML certificate server/policy generator (RMS Server), a client
portion (RMS client), and rights-aware applications (Office 2003 Professional).

When you compose a document and then protect it, the application's interface
into the RMS client asks you how you want to protect it: who (users) are
allowed to do what (access controls like read, print, edit, etc.) and how
long the document should last (expiration -- of the document, not the rights).
Finally the document is encrypted with a 256-bit AES key, which is then itself
encrypted with a series of other keys. (See the technical docs for all the
details.)

It is this encrypted document which is then stored. Without possession of
the necessary keys, you can't decrypt the document key, meaning that you
can't decrypt the document. If you try to open a protected document in anything
other than the application used to create the document (or in the rights
management add-on for IE), you'll just get a bunch of binary junk. Only the
correct rights-aware application can make sense of the encrypted file format,
validate the manifest, authenticate the user, and decrypt the document key.
Then the application will render the decrypted contents in the window and
(in conjunction with the RMS client) enforce the rights present on the document.
Without the client, the application is unable to properly parse and render
the file.

The RMS key store, a file on your PC called LOCKBOX.DLL, is itself resistant
to tampering: if you try to move it to another PC, or if you change your
system clock, for example, the file will self-destruct.

RMS also includes a way for an "RMS auditor" of sorts to take ownership of
files created by people who have subsequently left the company. There's been
a lot of thought put into this product to make it enterprise-class right
at version 1.0. I'm pretty impressed with it (of course, you'd expect me
to say that! hehe).

Steve Riley
steriley@microsoft.com



> On Sat, 25 Dec 2004 09:54:47 -0800, Steve Riley [MSFT]
>
> The original poster's in a tuff situation; legally, confidentially
> requires scrupulous attention to privacy, but accountability also
> requires ongoing preservation of records. As he righly mentions, EFS
> is great for privacy but increases the risk of data loss, unless
> backup arrangements are as meticulously admin'd as privacy/access.
>
>> While EFS does have a way to "share" files, it's really designed more
>> for protecting files so that only the owner can access them. Mostly
>> we see EFS deployed on laptops to help keep the data confidential in
>> case the laptop gets stolen. EFS is integrated into the file system
>> and automatically decrypts files when the owner is logged in --
>> that's why you don't see any separate password prompts.
>>
> That's also why it may fall short of what you are looking for, unless
> something else is used to prevent visibility whenever logged on.
>
>> For your case, a separate product, Windows Rights Management
>> Services, is better. The owner of a file can indicate who's allowed
>> to do what -- read, print, modify, delete, and so on. You can also
>> set an "age limit" on files so that they can't be used at all after a
>> certain date. RMS requires Office 2003 Professional, Active
>> Directory, and RMS CALs. There's lots of product info and some
>> deployment guides at http://www.microsoft.com/rms.
>>
> Is RMS strong enough? Risks of reading files through 3rd-partyware,
> viewers or older Office versions?
>
> Ultimately, it comes down to the crunch of privacy vs. risk of data
> loss. A file that's present, but no-one knows the pwd or decryption
> key, may be effectively as lost as one barfed by ChkDsk /F.
>
>> ---------- ----- ---- --- -- - - - -
>>
> Proverbs Unscrolled #37
> "Build it and they will come and break it"
>> ---------- ----- ---- --- -- - - - -
>>
Anonymous
December 28, 2004 2:09:26 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Sun, 26 Dec 2004 14:38:35 -0800, Steve Riley [MSFT]

>> Is RMS strong enough? Risks of reading files through 3rd-partyware,
>> viewers or older Office versions?

>There's no risk of third-partyware (cool term) or older versions of Office
>reading the docs. RMS a system that's composed of an authentication mechansm
>(AD), an xRML certificate server/policy generator (RMS Server), a client
>portion (RMS client), and rights-aware applications (Office 2003 Professional).

>...the document is encrypted with a 256-bit AES key, which is then itself
>encrypted with a series of other keys.

That's the key point; so rights-unaware apps can't see anything,
instead of the risk of seeing everything.

>It is this encrypted document which is then stored. Without possession of
>the necessary keys, you can't decrypt the document key, meaning that you
>can't decrypt the document.

>The RMS key store, a file on your PC called LOCKBOX.DLL, is itself resistant
>to tampering: if you try to move it to another PC, or if you change your
>system clock, for example, the file will self-destruct.

DoS opportunities abound there, then. I hope it's not one of those
always-same-name, always-same-place files?

I understand sensitivity to system clock changes, but what about
natural risks such as laptops and time zones, flat CMOS batteries and
motherboard replacements, and time servers that nudge the clock?

>RMS also includes a way for an "RMS auditor" of sorts to take ownership of
>files created by people who have subsequently left the company. There's been
>a lot of thought put into this product to make it enterprise-class right
>at version 1.0. I'm pretty impressed with it (of course, you'd expect me
>to say that! hehe).

It does sound well thought-out, but it has to be part of a strong
whole, else it could be both ineffective and dangerous.

The data loss risks seem to be similar in magnitude as EFS, so you
need to be absolutely COAB certain of backing up both the data files,
and the key as held in the .DLL or whatever. How does the fragility
of that .DLL work in the context of a data restore?

There may be an additional risk, beyond EFS, when it comes to VBA or
macro infection of "data" files. An av running on EFS may be able to
scan files, but this is likely not the case here. So I'd want to rip
out or totally suppress any scripts, VBA, macros etc. within these
files, as these would be well-positioned to export file contents.

Finally, one has to consider de-facto "programming" opportunities that
arise when exploitable code defects come to light. For example, a
JPEG embedded in a .DOC that exploited the JPEG handler to run as raw
code could be a problem, if av can't scan in in the encrypted file.



>---------- ----- ---- --- -- - - - -
Proverbs Unscrolled #37
"Build it and they will come and break it"
>---------- ----- ---- --- -- - - - -
Anonymous
December 29, 2004 3:04:20 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Tue, 28 Dec 2004 19:24:39 +0200, "cquirke (MVP Win9x)"

>Changing the month to look up dates etc. changes the date when you
>close the dialog, unless you are careful to undo, even if you
>carefully didn't click on any dates while fiddling. That's on Win95
>SR2 and Win98 SE; dunno if it's different in XP.

>I'm just thinking, it's a casual and likely unreported practice that
>could spawn a few support calls :-p

More on this: In Win98 SE, it appears as if cursory changes in this
dialog take immediate effect. I picked this up because I know Eudora
will prompt for new version checks every month, and it did this as
soon as I changed from December in the drop-down list of months, even
though I hadn't clicked a date, not Apply, OK or close-the-dialog.

If this is the case, it makes it rather dangerous to be sensitive to
timedate changes in realtime, as Office Rights Management appears to
do. If a user falls into this hole, the chances of them remembering
it and mentioning it in a support call are very low indeed.



>---------- ----- ---- --- -- - - - -
"He's such a character!"
' Yeah - CHAR(0) '
>---------- ----- ---- --- -- - - - -
Anonymous
January 8, 2005 8:13:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"John" wrote:

> xp pro 2
> small psychology office
> need to encrypt client files so all psychologists can see them
> need to encrypt business files so only owner can see them
>
> I keep thinking in terms of a password is needed to open the files or
> folders. Apparently that isn''t the way efs works.
>
> I'm hoping I don't have to hire another specialist to set this up.
>
> Right now the computer opens on the one "user" screen and that's that.
>
> My main fear is, I end up not being able to read anything and lose it all.
>
> John
>
>
>

Hey John,
ever heard of FTP's?? U can lock different users into different
"paths"."folders".or what have you and if you would really like U can always
partition the drive inot halves!! Allowing you free reign, one side for
buisness and one for Dr'in type stuff, oh and btw.Im suicidal or was until I
got my SS going again! : )
Anonymous
January 10, 2005 5:28:19 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

John,

Why are you thinking of encrypting your files? EFS will provide data
protection but will not protect against data tampering. If you want to
control access, you need to set up right permissions.

Here is a good overview of EFS -
http://www.microsoft.com/technet/prodtechnol/winxppro/d...

--
Shreeniwas Kelkar [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.


"poker_pro@hotmail.com" <poker_pro@hotmail.com@discussions.microsoft.com>
wrote in message news:6813BD50-1C13-4CB7-A270-1287627FAB9A@microsoft.com...
>
>
> "John" wrote:
>
>> xp pro 2
>> small psychology office
>> need to encrypt client files so all psychologists can see them
>> need to encrypt business files so only owner can see them
>>
>> I keep thinking in terms of a password is needed to open the files or
>> folders. Apparently that isn''t the way efs works.
>>
>> I'm hoping I don't have to hire another specialist to set this up.
>>
>> Right now the computer opens on the one "user" screen and that's that.
>>
>> My main fear is, I end up not being able to read anything and lose it
>> all.
>>
>> John
>>
>>
>>
>
> Hey John,
> ever heard of FTP's?? U can lock different users into different
> "paths"."folders".or what have you and if you would really like U can
> always
> partition the drive inot halves!! Allowing you free reign, one side for
> buisness and one for Dr'in type stuff, oh and btw.Im suicidal or was until
> I
> got my SS going again! : )
!