Re: File Encryption

Thanks for the reply, I would try some of this, and option 2 seems really
interesting to me. Point is to show to authorities that nobody ever uses
EFS, even it has been enabled a year ago on more than 100 computers in our
domain.

Thanks again.

"Marin Marinov" <marin-online@xxxxxxxxxx> wrote in message
news:MPG.1dfa84c6fd48116598990f@xxxxxxxxxxxxxxxxxxxxxxx
> In article <#wBsoi39FHA.140@xxxxxxxxxxxxxxxxxxxx>, "Milan Stojanovic"
> <username piksi@host eunet dot not com but YU> says...
>>
>> Sorry for interrupting, but I think that it is a great idea to have
>> report
>> of all workstations with some encrypted file. Do I need to modify MOF and
>> use a script, or it can be made by default mof?
>>
>> thanks in advance...
> <snip>
> Hi Milan,
> I would argue that it's such a good idea and this goes back to my
> initial question - why would one need that ;) Technically speaking,
> there are ways you could potentially do it:
> - script that recurses through all files and folders and reports data
> either in WMI or dumps a NOIDMIF file
> - figuring out how to make software inventory report IsEncrypted for a
> file. Software inventory seems to store file inventory information in
> the FileSystemFile WMI class (http://tinyurl.com/bgvqy) under root\ccm
> \invagt. However, the XML file that it generates and passes on to the MP
> (http://tinyurl.com/dk8ko) doesn't seem to contain all the properties
> available in this class.
> - for folders only, making use of the Win32_Directory class and its
> Encrypted property
>
> Bare in mind though that most of these (probably except option 2) will
> likely result in a performance hit on the respective computers. And
> again - finding out which machines have encrypted files is arguably
> beneficial plus it's reactive, not proactive. As a best practice, if
> your organization hasn't deployed a "real" PKI, deployed and maintains
> certificates for the users for use with EFS, disable EFS on the clients.
> If people can encrypt files whenever they chose without this being an
> officially designed for and supported feature, this can cause you a lot
> of headaches...pardon, "administrative overhead" ;)
>
> HTH
> --
> Cheers,
> Marin Marinov
> MCT,MCSE,MCSE:Security,MCP+I
> -
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "True knowledge exists in knowing that you know nothing."
> Socrates


.

Relevant Pages

  • Re: File Encryption
    ... but I think that it is a great idea to have report ... > of all workstations with some encrypted file. ... Software inventory seems to store file inventory information in ... certificates for the users for use with EFS, disable EFS on the clients. ...
    (microsoft.public.sms.admin)
  • Re: Share protected folder with EFS
    ... Generally is NOT a good idea using EFS in a enterprise without a KRA and a DRA. ... so that a user from the network can open the file. ... when the user is trying to open the encrypted file he is getting an ... The encrypted folder was created by the Administrator ...
    (microsoft.public.windows.server.active_directory)
  • EFS Pilot
    ... I'm trying to configure a EFS pilot on our domain. ... We are running Windows ... I'm trying to configure EFS to use a Certificate Authority to allow multiple ... users to have access to a single encrypted file. ...
    (microsoft.public.windows.server.security)
  • Re: Encryption problem with Windows XP
    ... Do you have Windows XP Home or Pro? ... Encrypted File System is available with Windows XP Pro and not ... EFS is very good at what it does and there is no back door. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: which cert?
    ... > i have shared out the encrypted files on computerA on the LAN. ... EFS is a different animal when you introduce network sharing. ... Unless you start importing and exporting private keys between the ... you will be unable to connect to a remote encrypted file (or ...
    (microsoft.public.win2000.security)