Sign in with
Sign up | Sign in
Your question

EFS question

Last response: in Windows XP
Share
September 15, 2005 2:56:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have a share on a windows 2003 server which contains important files that i
want to have encrypted via EFS and accessed by a only a handfull of people on
the network.

I understand the process of creating certificates for each user and then
adding these to access the encrypted file/s. My question is, how can i
prevent the user from copying the file locally to their machine, sending it
too themselfs via email or ftp etc, then exporting their certificate and
private key etc and then reading the file from a different location.

Is it possible to prevent the user from doing this?

Thanks for any advice.

--
robg

More about : efs question

Anonymous
September 15, 2005 5:23:18 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

robg wrote:
> I have a share on a windows 2003 server which contains important
> files that i want to have encrypted via EFS and accessed by a only a
> handfull of people on the network.
>
> I understand the process of creating certificates for each user and
> then adding these to access the encrypted file/s. My question is, how
> can i prevent the user from copying the file locally to their
> machine, sending it too themselfs via email or ftp etc, then
> exporting their certificate and private key etc and then reading the
> file from a different location.
>
> Is it possible to prevent the user from doing this?
>
> Thanks for any advice.

What kind of files?

After all, once I load it for viewing, what's to keep me from copying the
text to Notepad? Saving as a wordpad file or as a file on my own machine?

If a person can read it (no matter how much security they have to go through
to get to that point) on their own machine - it can be copied and sent
elsewhere in some form.. even screenshots or OCR'd screenshots, etc.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Anonymous
September 15, 2005 7:19:27 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <F0A0F543-DAA9-45D0-A468-E83F5474ED7A@microsoft.com>,
robg@discussions.microsoft.com says...
> I have a share on a windows 2003 server which contains important files that i
> want to have encrypted via EFS and accessed by a only a handfull of people on
> the network.
>
> I understand the process of creating certificates for each user and then
> adding these to access the encrypted file/s. My question is, how can i
> prevent the user from copying the file locally to their machine, sending it
> too themselfs via email or ftp etc, then exporting their certificate and
> private key etc and then reading the file from a different location.
>
> Is it possible to prevent the user from doing this?
>
> Thanks for any advice.
>
>
There is one part of the process that you do not understand.
- When you encrypt files on a file share, the encryption/decryption
actually takes place on the remote server.
- The encryption keys for the users are stored in the user profiles on
the remote server
- The remote server must be trusted for delegation so that the remote
server can impersonate the user when accessing the file.
- The files are actually transmitted in the clear on the network to the
user's workstation.

Based on what you are trying to prevent, this would be another threat
that you should be concerned with. As mentioned in another reply to
this thread, RMS may be a better solution for you.

Brian
Related resources
Can't find your answer ? Ask !
Anonymous
September 16, 2005 12:51:50 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

robg schrieb:

> I have a share on a windows 2003 server which contains important files that i
> want to have encrypted via EFS and accessed by a only a handfull of people on
> the network.
>
> I understand the process of creating certificates for each user and then
> adding these to access the encrypted file/s. My question is, how can i
> prevent the user from copying the file locally to their machine, sending it
> too themselfs via email or ftp etc, then exporting their certificate and
> private key etc and then reading the file from a different location.
>
> Is it possible to prevent the user from doing this?

May be you should consider using a TerminalServer that is except for the
RDP port completely firewalled from the rest of the network (incoming and
outgoing), and of course, it is not member of a domain. RDP with
deactivated clipboard and forwarding of local drives would allow the users
to see and work with the data, without copying it (except the ability to
make screenshots of the remote display, but there is not possibility to
suppress that as Shenan already pointed out).

Jan
Anonymous
September 16, 2005 1:03:38 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Jan Peter Stotz schrieb:

> robg schrieb:
>
>> I have a share on a windows 2003 server which contains important files that i
>> want to have encrypted via EFS and accessed by a only a handfull of people on
>> the network.
>>
>> I understand the process of creating certificates for each user and then
>> adding these to access the encrypted file/s. My question is, how can i
>> prevent the user from copying the file locally to their machine, sending it
>> too themselfs via email or ftp etc, then exporting their certificate and
>> private key etc and then reading the file from a different location.
>>
>> Is it possible to prevent the user from doing this?

Additionaly to my previous post there may exist another alternative: RMS
"Windows Rights Management Services"

http://www.microsoft.com/windowsserver2003/technologies...

I haven't worked with it and don't know it in detail but if the
confidential data is produced/viewed/edited by MS-Programs they may be
RMS-ready....

Jan
September 16, 2005 5:09:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks to everyone for taking the time to reply to my posting. I will look
into RMS.


--
robg


"Brian Komar [MVP]" wrote:

> In article <F0A0F543-DAA9-45D0-A468-E83F5474ED7A@microsoft.com>,
> robg@discussions.microsoft.com says...
> > I have a share on a windows 2003 server which contains important files that i
> > want to have encrypted via EFS and accessed by a only a handfull of people on
> > the network.
> >
> > I understand the process of creating certificates for each user and then
> > adding these to access the encrypted file/s. My question is, how can i
> > prevent the user from copying the file locally to their machine, sending it
> > too themselfs via email or ftp etc, then exporting their certificate and
> > private key etc and then reading the file from a different location.
> >
> > Is it possible to prevent the user from doing this?
> >
> > Thanks for any advice.
> >
> >
> There is one part of the process that you do not understand.
> - When you encrypt files on a file share, the encryption/decryption
> actually takes place on the remote server.
> - The encryption keys for the users are stored in the user profiles on
> the remote server
> - The remote server must be trusted for delegation so that the remote
> server can impersonate the user when accessing the file.
> - The files are actually transmitted in the clear on the network to the
> user's workstation.
>
> Based on what you are trying to prevent, this would be another threat
> that you should be concerned with. As mentioned in another reply to
> this thread, RMS may be a better solution for you.
>
> Brian
>
!