EFS question

Archived from groups: microsoft.public.windowsxp.security_admin

I have a share on a Windows 2003 server which contains important files that I
want to have encrypted via EFS and accessed by only a handful of people on
the network.

I understand the process of creating certificates for each user and then
adding these to access the encrypted files. My question is, how can I
prevent the user from copying the file locally to their machine, sending it
to themselves via email or FTP etc., then exporting their certificate and
private key etc. and then reading the file from a different location.

Is it possible to prevent the user from doing this?

Thanks for any advice.

--
robg
  1.

    robg wrote:
    > I have a share on a Windows 2003 server which contains important
    > files that I want to have encrypted via EFS and accessed by only a
    > handful of people on the network.
    >
    > I understand the process of creating certificates for each user and
    > then adding these to access the encrypted files. My question is, how
    > can I prevent the user from copying the file locally to their
    > machine, sending it to themselves via email or FTP etc., then
    > exporting their certificate and private key etc. and then reading the
    > file from a different location.
    >
    > Is it possible to prevent the user from doing this?
    >
    > Thanks for any advice.

    What kind of files?

    After all, once I load it for viewing, what's to keep me from copying the
    text to Notepad? Saving as a wordpad file or as a file on my own machine?

    If a person can read it (no matter how much security they have to go through
    to get to that point) on their own machine, it can be copied and sent
    elsewhere in some form, even screenshots or OCR'd screenshots, etc.

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
  2.

    In article <F0A0F543-DAA9-45D0-A468-E83F5474ED7A@microsoft.com>,
    robg@discussions.microsoft.com says...
    > I have a share on a Windows 2003 server which contains important files that I
    > want to have encrypted via EFS and accessed by only a handful of people on
    > the network.
    >
    > I understand the process of creating certificates for each user and then
    > adding these to access the encrypted files. My question is, how can I
    > prevent the user from copying the file locally to their machine, sending it
    > to themselves via email or FTP etc., then exporting their certificate and
    > private key etc. and then reading the file from a different location.
    >
    > Is it possible to prevent the user from doing this?
    >
    > Thanks for any advice.
    >
    >
    There is one part of the process that you do not understand.
    - When you encrypt files on a file share, the encryption/decryption
    actually takes place on the remote server.
    - The encryption keys for the users are stored in the user profiles on
    the remote server.
    - The remote server must be trusted for delegation so that the remote
    server can impersonate the user when accessing the file.
    - The files are actually transmitted in the clear on the network to the
    user's workstation.

    Based on what you are trying to prevent, this would be another threat
    that you should be concerned with. As mentioned in another reply to
    this thread, RMS may be a better solution for you.

    Brian
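The two server-side facts in the reply above (the file server must be trusted for delegation, and EFS only protects the file at rest on the server) can both be checked from a domain-joined admin workstation. The following PowerShell script is an added example and is not from the thread or from Microsoft; it assumes PowerShell 3.0 or later and uses placeholder names for the server and share.

```powershell
# Added example (not from the thread): audit what Brian describes about EFS on a share.
# Assumptions: run on a domain-joined machine as a user who can read AD and the share;
# $Server and $SharePath are placeholders, not values from the thread.
param(
    [string]$Server    = 'FILESRV01',            # placeholder file server name
    [string]$SharePath = '\\FILESRV01\Secure'    # placeholder share path
)

# 1. Is the file server's computer account trusted for delegation?
#    Remote EFS requires it (the server impersonates the user to reach the
#    user's keys), so this flag is a privilege worth tracking on file servers.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit
$searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Server`$))"
$searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null
$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "Computer account $Server not found in the current domain."
} else {
    $uac        = [int]$result.Properties['useraccountcontrol'][0]
    $delegation = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    "{0} trusted for delegation: {1}" -f $Server, $delegation
}

# 2. Which files on the share lack the EFS 'Encrypted' attribute?
#    The attribute only proves encryption at rest on the server; as the reply
#    notes, a normal SMB read still delivers plaintext to the client.
Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Encrypted = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        }
    } |
    Where-Object { -not $_.Encrypted } |
    Format-Table -AutoSize
```

The first part reads the raw userAccountControl bit rather than relying on the ActiveDirectory module, so it works wherever ADSI is available; the second part lists only the unencrypted files, which is the list you would act on after enabling EFS on a share.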
  3.

    robg schrieb:

    > I have a share on a Windows 2003 server which contains important files that I
    > want to have encrypted via EFS and accessed by only a handful of people on
    > the network.
    >
    > I understand the process of creating certificates for each user and then
    > adding these to access the encrypted files. My question is, how can I
    > prevent the user from copying the file locally to their machine, sending it
    > to themselves via email or FTP etc., then exporting their certificate and
    > private key etc. and then reading the file from a different location.
    >
    > Is it possible to prevent the user from doing this?

    Maybe you should consider using a Terminal Server that is, except for the
    RDP port, completely firewalled from the rest of the network (incoming and
    outgoing), and of course, it is not a member of a domain. RDP with
    deactivated clipboard and forwarding of local drives would allow the users
    to see and work with the data without copying it (except the ability to
    make screenshots of the remote display, but there is no possibility to
    suppress that, as Shenan already pointed out).

    Jan
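The clipboard and drive-redirection part of the setup above maps to the Terminal Services policy values that Group Policy writes under HKLM. The following PowerShell script is an added example, not code from the thread or from Microsoft; it applies those values on the terminal server and then verifies them, and assumes you run it elevated on the server itself (the firewall and workgroup parts of the suggestion are outside its scope).

```powershell
# Added example (not from the thread): enforce and verify the RDP redirection
# lockdown Jan describes. Assumption: run as a local administrator on the
# terminal server. The key below is the one the Terminal Services Group Policy
# settings write to; each value is a DWORD where 1 means "do not allow".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$settings = @{
    fDisableClip = 1   # Do not allow clipboard redirection
    fDisableCdm  = 1   # Do not allow drive redirection
    fDisableLPT  = 1   # Do not allow LPT port redirection
    fDisableCcm  = 1   # Do not allow COM port redirection
}

# Apply: create the policy key if it does not exist, then set each value.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Verify: report every setting with its expected and actual value, flagging
# anything missing or not equal to 1 so drift is visible at a glance.
$props = Get-ItemProperty -Path $key
$settings.Keys | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_
        Expected = $settings[$_]
        Actual   = $props.$_
        Ok       = ($props.$_ -eq $settings[$_])
    }
} | Format-Table -AutoSize
```

Because these are policy values, a later Group Policy refresh can overwrite them; keeping the verification half of the script in a scheduled check is the practical way to notice that.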
  4.

    Jan Peter Stotz schrieb:

    > robg schrieb:
    >
    >> I have a share on a Windows 2003 server which contains important files that I
    >> want to have encrypted via EFS and accessed by only a handful of people on
    >> the network.
    >>
    >> I understand the process of creating certificates for each user and then
    >> adding these to access the encrypted files. My question is, how can I
    >> prevent the user from copying the file locally to their machine, sending it
    >> to themselves via email or FTP etc., then exporting their certificate and
    >> private key etc. and then reading the file from a different location.
    >>
    >> Is it possible to prevent the user from doing this?

    In addition to my previous post, there may exist another alternative: RMS
    ("Windows Rights Management Services").

    http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

    I haven't worked with it and don't know it in detail, but if the
    confidential data is produced/viewed/edited by MS programs they may be
    RMS-ready.

    Jan
  5.

    Thanks to everyone for taking the time to reply to my posting. I will look
    into RMS.


    --
    robg


    "Brian Komar [MVP]" wrote:

    > In article <F0A0F543-DAA9-45D0-A468-E83F5474ED7A@microsoft.com>,
    > robg@discussions.microsoft.com says...
    > > I have a share on a Windows 2003 server which contains important files that I
    > > want to have encrypted via EFS and accessed by only a handful of people on
    > > the network.
    > >
    > > I understand the process of creating certificates for each user and then
    > > adding these to access the encrypted files. My question is, how can I
    > > prevent the user from copying the file locally to their machine, sending it
    > > to themselves via email or FTP etc., then exporting their certificate and
    > > private key etc. and then reading the file from a different location.
    > >
    > > Is it possible to prevent the user from doing this?
    > >
    > > Thanks for any advice.
    > >
    > >
    > There is one part of the process that you do not understand.
    > - When you encrypt files on a file share, the encryption/decryption
    > actually takes place on the remote server.
    > - The encryption keys for the users are stored in the user profiles on
    > the remote server.
    > - The remote server must be trusted for delegation so that the remote
    > server can impersonate the user when accessing the file.
    > - The files are actually transmitted in the clear on the network to the
    > user's workstation.
    >
    > Based on what you are trying to prevent, this would be another threat
    > that you should be concerned with. As mentioned in another reply to
    > this thread, RMS may be a better solution for you.
    >
    > Brian
    >