baffled by efs

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

xp pro 2
small psychology office
need to encrypt client files so all psychologists can see them
need to encrypt business files so only owner can see them

I keep thinking in terms of a password is needed to open the files or
folders. Apparently that isn''t the way efs works.

I'm hoping I don't have to hire another specialist to set this up.

Right now the computer opens on the one "user" screen and that's that.

My main fear is, I end up not being able to read anything and lose it all.

John
8 answers Last reply
More about baffled
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    While EFS does have a way to "share" files, it's really designed more for
    protecting files so that only the owner can access them. Mostly we see EFS
    deployed on laptops to help keep the data confidential in case the laptop
    gets stolen. EFS is integrated into the file system and automatically decrypts
    files when the owner is logged in -- that's why you don't see any separate
    password prompts.

    For your case, a separate product, Windows Rights Management Services, is
    better. The owner of a file can indicate who's allowed to do what -- read,
    print, modify, delete, and so on. You can also set an "age limit" on files
    so that they can't be used at all after a certain date. RMS requires Office
    2003 Professional, Active Directory, and RMS CALs. There's lots of product
    info and some deployment guides at http://www.microsoft.com/rms.

    Steve Riley
    steriley@microsoft.com


    > xp pro 2
    > small psychology office
    > need to encrypt client files so all psychologists can see them
    > need to encrypt business files so only owner can see them
    > I keep thinking in terms of a password is needed to open the files or
    > folders. Apparently that isn''t the way efs works.
    >
    > I'm hoping I don't have to hire another specialist to set this up.
    >
    > Right now the computer opens on the one "user" screen and that's that.
    >
    > My main fear is, I end up not being able to read anything and lose it
    > all.
    >
    > John
    >
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Steve Riley [MSFT] wrote:
    > While EFS does have a way to "share" files, it's really designed more
    > for protecting files so that only the owner can access them. Mostly we
    > see EFS deployed on laptops to help keep the data confidential in case
    > the laptop gets stolen. EFS is integrated into the file system and
    > automatically decrypts files when the owner is logged in -- that's why
    > you don't see any separate password prompts.
    >
    > For your case, a separate product, Windows Rights Management Services,
    > is better. The owner of a file can indicate who's allowed to do what --
    > read, print, modify, delete, and so on. You can also set an "age limit"
    > on files so that they can't be used at all after a certain date. RMS
    > requires Office 2003 Professional, Active Directory, and RMS CALs.
    > There's lots of product info and some deployment guides at
    > http://www.microsoft.com/rms.
    >
    > Steve Riley
    > steriley@microsoft.com
    >
    >
    >
    >> xp pro 2
    >> small psychology office
    >> need to encrypt client files so all psychologists can see them
    >> need to encrypt business files so only owner can see them
    >> I keep thinking in terms of a password is needed to open the files or
    >> folders. Apparently that isn''t the way efs works.
    >>
    >> I'm hoping I don't have to hire another specialist to set this up.
    >>
    >> Right now the computer opens on the one "user" screen and that's that.
    >>
    >> My main fear is, I end up not being able to read anything and lose it
    >> all.
    >>
    >> John
    >>
    >
    >
    Thanks I'll try it

    john
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On Sat, 25 Dec 2004 09:54:47 -0800, Steve Riley [MSFT]

    The original poster's in a tuff situation; legally, confidentially
    requires scrupulous attention to privacy, but accountability also
    requires ongoing preservation of records. As he righly mentions, EFS
    is great for privacy but increases the risk of data loss, unless
    backup arrangements are as meticulously admin'd as privacy/access.

    >While EFS does have a way to "share" files, it's really designed more for
    >protecting files so that only the owner can access them. Mostly we see EFS
    >deployed on laptops to help keep the data confidential in case the laptop
    >gets stolen. EFS is integrated into the file system and automatically decrypts
    >files when the owner is logged in -- that's why you don't see any separate
    >password prompts.

    That's also why it may fall short of what you are looking for, unless
    something else is used to prevent visibility whenever logged on.

    >For your case, a separate product, Windows Rights Management Services, is
    >better. The owner of a file can indicate who's allowed to do what -- read,
    >print, modify, delete, and so on. You can also set an "age limit" on files
    >so that they can't be used at all after a certain date. RMS requires Office
    >2003 Professional, Active Directory, and RMS CALs. There's lots of product
    >info and some deployment guides at http://www.microsoft.com/rms.

    Is RMS strong enough? Risks of reading files through 3rd-partyware,
    viewers or older Office versions?

    Ultimately, it comes down to the crunch of privacy vs. risk of data
    loss. A file that's present, but no-one knows the pwd or decryption
    key, may be effectively as lost as one barfed by ChkDsk /F.


    >---------- ----- ---- --- -- - - - -
    Proverbs Unscrolled #37
    "Build it and they will come and break it"
    >---------- ----- ---- --- -- - - - -
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    > Is RMS strong enough? Risks of reading files through 3rd-partyware,
    > viewers or older Office versions?

    There's no risk of third-partyware (cool term) or older versions of Office
    reading the docs. RMS a system that's composed of an authentication mechansm
    (AD), an xRML certificate server/policy generator (RMS Server), a client
    portion (RMS client), and rights-aware applications (Office 2003 Professional).

    When you compose a document and then protect it, the application's interface
    into the RMS client asks you how you want to protect it: who (users) are
    allowed to do what (access controls like read, print, edit, etc.) and how
    long the document should last (expiration -- of the document, not the rights).
    Finally the document is encrypted with a 256-bit AES key, which is then itself
    encrypted with a series of other keys. (See the technical docs for all the
    details.)

    It is this encrypted document which is then stored. Without possession of
    the necessary keys, you can't decrypt the document key, meaning that you
    can't decrypt the document. If you try to open a protected document in anything
    other than the application used to create the document (or in the rights
    management add-on for IE), you'll just get a bunch of binary junk. Only the
    correct rights-aware application can make sense of the encrypted file format,
    validate the manifest, authenticate the user, and decrypt the document key.
    Then the application will render the decrypted contents in the window and
    (in conjunction with the RMS client) enforce the rights present on the document.
    Without the client, the application is unable to properly parse and render
    the file.

    The RMS key store, a file on your PC called LOCKBOX.DLL, is itself resistant
    to tampering: if you try to move it to another PC, or if you change your
    system clock, for example, the file will self-destruct.

    RMS also includes a way for an "RMS auditor" of sorts to take ownership of
    files created by people who have subsequently left the company. There's been
    a lot of thought put into this product to make it enterprise-class right
    at version 1.0. I'm pretty impressed with it (of course, you'd expect me
    to say that! hehe).

    Steve Riley
    steriley@microsoft.com


    > On Sat, 25 Dec 2004 09:54:47 -0800, Steve Riley [MSFT]
    >
    > The original poster's in a tuff situation; legally, confidentially
    > requires scrupulous attention to privacy, but accountability also
    > requires ongoing preservation of records. As he righly mentions, EFS
    > is great for privacy but increases the risk of data loss, unless
    > backup arrangements are as meticulously admin'd as privacy/access.
    >
    >> While EFS does have a way to "share" files, it's really designed more
    >> for protecting files so that only the owner can access them. Mostly
    >> we see EFS deployed on laptops to help keep the data confidential in
    >> case the laptop gets stolen. EFS is integrated into the file system
    >> and automatically decrypts files when the owner is logged in --
    >> that's why you don't see any separate password prompts.
    >>
    > That's also why it may fall short of what you are looking for, unless
    > something else is used to prevent visibility whenever logged on.
    >
    >> For your case, a separate product, Windows Rights Management
    >> Services, is better. The owner of a file can indicate who's allowed
    >> to do what -- read, print, modify, delete, and so on. You can also
    >> set an "age limit" on files so that they can't be used at all after a
    >> certain date. RMS requires Office 2003 Professional, Active
    >> Directory, and RMS CALs. There's lots of product info and some
    >> deployment guides at http://www.microsoft.com/rms.
    >>
    > Is RMS strong enough? Risks of reading files through 3rd-partyware,
    > viewers or older Office versions?
    >
    > Ultimately, it comes down to the crunch of privacy vs. risk of data
    > loss. A file that's present, but no-one knows the pwd or decryption
    > key, may be effectively as lost as one barfed by ChkDsk /F.
    >
    >> ---------- ----- ---- --- -- - - - -
    >>
    > Proverbs Unscrolled #37
    > "Build it and they will come and break it"
    >> ---------- ----- ---- --- -- - - - -
    >>
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On Sun, 26 Dec 2004 14:38:35 -0800, Steve Riley [MSFT]

    >> Is RMS strong enough? Risks of reading files through 3rd-partyware,
    >> viewers or older Office versions?

    >There's no risk of third-partyware (cool term) or older versions of Office
    >reading the docs. RMS a system that's composed of an authentication mechansm
    >(AD), an xRML certificate server/policy generator (RMS Server), a client
    >portion (RMS client), and rights-aware applications (Office 2003 Professional).

    >...the document is encrypted with a 256-bit AES key, which is then itself
    >encrypted with a series of other keys.

    That's the key point; so rights-unaware apps can't see anything,
    instead of the risk of seeing everything.

    >It is this encrypted document which is then stored. Without possession of
    >the necessary keys, you can't decrypt the document key, meaning that you
    >can't decrypt the document.

    >The RMS key store, a file on your PC called LOCKBOX.DLL, is itself resistant
    >to tampering: if you try to move it to another PC, or if you change your
    >system clock, for example, the file will self-destruct.

    DoS opportunities abound there, then. I hope it's not one of those
    always-same-name, always-same-place files?

    I understand sensitivity to system clock changes, but what about
    natural risks such as laptops and time zones, flat CMOS batteries and
    motherboard replacements, and time servers that nudge the clock?

    >RMS also includes a way for an "RMS auditor" of sorts to take ownership of
    >files created by people who have subsequently left the company. There's been
    >a lot of thought put into this product to make it enterprise-class right
    >at version 1.0. I'm pretty impressed with it (of course, you'd expect me
    >to say that! hehe).

    It does sound well thought-out, but it has to be part of a strong
    whole, else it could be both ineffective and dangerous.

    The data loss risks seem to be similar in magnitude as EFS, so you
    need to be absolutely COAB certain of backing up both the data files,
    and the key as held in the .DLL or whatever. How does the fragility
    of that .DLL work in the context of a data restore?

    There may be an additional risk, beyond EFS, when it comes to VBA or
    macro infection of "data" files. An av running on EFS may be able to
    scan files, but this is likely not the case here. So I'd want to rip
    out or totally suppress any scripts, VBA, macros etc. within these
    files, as these would be well-positioned to export file contents.

    Finally, one has to consider de-facto "programming" opportunities that
    arise when exploitable code defects come to light. For example, a
    JPEG embedded in a .DOC that exploited the JPEG handler to run as raw
    code could be a problem, if av can't scan in in the encrypted file.


    >---------- ----- ---- --- -- - - - -
    Proverbs Unscrolled #37
    "Build it and they will come and break it"
    >---------- ----- ---- --- -- - - - -
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On Tue, 28 Dec 2004 19:24:39 +0200, "cquirke (MVP Win9x)"

    >Changing the month to look up dates etc. changes the date when you
    >close the dialog, unless you are careful to undo, even if you
    >carefully didn't click on any dates while fiddling. That's on Win95
    >SR2 and Win98 SE; dunno if it's different in XP.

    >I'm just thinking, it's a casual and likely unreported practice that
    >could spawn a few support calls :-p

    More on this: In Win98 SE, it appears as if cursory changes in this
    dialog take immediate effect. I picked this up because I know Eudora
    will prompt for new version checks every month, and it did this as
    soon as I changed from December in the drop-down list of months, even
    though I hadn't clicked a date, not Apply, OK or close-the-dialog.

    If this is the case, it makes it rather dangerous to be sensitive to
    timedate changes in realtime, as Office Rights Management appears to
    do. If a user falls into this hole, the chances of them remembering
    it and mentioning it in a support call are very low indeed.


    >---------- ----- ---- --- -- - - - -
    "He's such a character!"
    ' Yeah - CHAR(0) '
    >---------- ----- ---- --- -- - - - -
  7. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "John" wrote:

    > xp pro 2
    > small psychology office
    > need to encrypt client files so all psychologists can see them
    > need to encrypt business files so only owner can see them
    >
    > I keep thinking in terms of a password is needed to open the files or
    > folders. Apparently that isn''t the way efs works.
    >
    > I'm hoping I don't have to hire another specialist to set this up.
    >
    > Right now the computer opens on the one "user" screen and that's that.
    >
    > My main fear is, I end up not being able to read anything and lose it all.
    >
    > John
    >
    >
    >

    Hey John,
    ever heard of FTP's?? U can lock different users into different
    "paths"."folders".or what have you and if you would really like U can always
    partition the drive inot halves!! Allowing you free reign, one side for
    buisness and one for Dr'in type stuff, oh and btw.Im suicidal or was until I
    got my SS going again! : )
  8. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    John,

    Why are you thinking of encrypting your files? EFS will provide data
    protection but will not protect against data tampering. If you want to
    control access, you need to set up right permissions.

    Here is a good overview of EFS -
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

    --
    Shreeniwas Kelkar [MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "poker_pro@hotmail.com" <poker_pro@hotmail.com@discussions.microsoft.com>
    wrote in message news:6813BD50-1C13-4CB7-A270-1287627FAB9A@microsoft.com...
    >
    >
    > "John" wrote:
    >
    >> xp pro 2
    >> small psychology office
    >> need to encrypt client files so all psychologists can see them
    >> need to encrypt business files so only owner can see them
    >>
    >> I keep thinking in terms of a password is needed to open the files or
    >> folders. Apparently that isn''t the way efs works.
    >>
    >> I'm hoping I don't have to hire another specialist to set this up.
    >>
    >> Right now the computer opens on the one "user" screen and that's that.
    >>
    >> My main fear is, I end up not being able to read anything and lose it
    >> all.
    >>
    >> John
    >>
    >>
    >>
    >
    > Hey John,
    > ever heard of FTP's?? U can lock different users into different
    > "paths"."folders".or what have you and if you would really like U can
    > always
    > partition the drive inot halves!! Allowing you free reign, one side for
    > buisness and one for Dr'in type stuff, oh and btw.Im suicidal or was until
    > I
    > got my SS going again! : )
Ask a new question

Read More

Windows XP