Archived from groups: microsoft.public.windowsxp.security_admin (
More info?)
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/CryptFS.mspx
is an excellent source of information on EFS's behavior. From the doc:
Copying, Moving and Saving Encrypted Files
Because of the unique nature of encrypted files, different results can occur
when moving or copying encrypted files between locations. For example, when
copying an encrypted file from a local machine to a server on the network,
different results of the copy operation will occur depending on the operating
system being used on the server. In general, copying a file will inherit
the EFS properties of the target, but a move operation will not inherit the
EFS properties of the target folder.
When copying an encrypted file:
* If using Windows 2000 and the target server is running Microsoft® Windows
NT Server 4.0, the file will be silently decrypted and copied to the server.
If using Windows XP or Windows Server 2003, the user will be warned and prompted
to allow the decryption operation.
* If the target server is running Windows 2000 or Windows Server 2003, and
the machine account of the server is trusted for delegation in the Active
Directory, the file will be silently decrypted and copied to the server where
it will be re-encrypted using a local profile and encryption key.
Note: the file is transmitted on the network between the client and the server
in an unprotected format. If this file contains confidential information,
care should be given to ensure that the network connection also provides
secure transmission of the data. Such network data protection might include
IP Security (IPSec).
* If the target server is running Windows 2000 or Windows Server 2003 and
the machine account of the server is not trusted for delegation in the Active
Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the
file will not be copied and the user will receive an "access denied" error
message.
The "access denied" error message is returned to applications from the NTFS
file system in order to ensure compatibility with existing applications.
The use of an alternate or more descriptive error message would cause many
applications to fail or behave erratically.
The Windows XP Professional client contains some enhancements in the area
of copying encrypted files. Both the shell interface and the command-line
now support an option to allow or disallow file decryption. When an encrypted
file is copied to a target location that does not allow remote encryption,
the user will be prompted with a dialog box that allows a choice of whether
or not to decrypt the file.
Steve Riley
steriley@microsoft.com
> matt_heff wrote:
>
>> I have a user who works on two machines and routinely copies
>> encrypted files between them via her home directory on the server.
>> She can view all of the encrypted files on both PCs (when opened
>> locally or on the server), even though she has different EFS
>> certificates on each machine. (She does not have a roaming profile.)
>> I was under the impression that this can't be done. PCs are XP and
>> the server is 2003. Can anybody explain to me why this is? Thanks.
>>
> I may have this wrong, but I think that when the files are copied to
> the server, they have been unencrypted, and thus readable by anyone
> with permissions to that file. I believe the files are only encrypted
> when they are residing on the source PC.
>
> Can anyone refute that? I'd be happy to have my understanding of this
> corrected by a knowledgeable source.
>
Facebook
Twitter
Instagram