Re: Folder Redirection Data Encryption
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/14/04
Date: Wed, 14 Jul 2004 23:30:46 GMT
First the remote server must be trusted for delegation in its account properties in
Active Directory Users and Computers. Then it would be best to log on and create a
user profile on that server and either encrypt a file there to generate an encryption
certificate/private key or import your existing one into that profile using a .pfx
file by exporting your current EFS certificate/private key. If you do not create a
user profile on that server then a "mini" profile will be created the first time you
encrypt a file on it, creating an EFS certificate/private key in that profile. If you
do that and use EFS on your desktop, you run the risk of having two separate EFS
certificate/keys that can be confusing and even lead to loss of data in case of a
computer problem. For instance, if you decide to copy an EFS file from the server to
your desktop, the file will go over the network unencrypted. If you encrypt it on
your computer and send it back to the server, it could be decrypted by a totally
different EFS certificate/private key if the same certificate/private key is not on
your desktop and server. Efsinfo is a handy tool to display what certificates/private
keys can decrypt an EFS file.
Be VERY careful with EFS as it is easy to lose access to your own data if there is a
problem. Always keep copies of your EFS certificate/private key offline in a .pfx
file in case of a problem - you must export your private key also with the
certificate. There is NO way to get your EFS data if all your keys and recovery agent
keys are destroyed due to corruption/operating system failure/rebuild. XP Pro uses
AES 256 encryption for EFS - strong stuff. Windows 2000 computers require a
"recovery" agent in order to encrypt files while XP Pro does not. In a domain I
highly recommend that all users' files be encrypted with a recovery agent in place as
users will be lax in EFS procedures. See the links below for more info. -- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;320044
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 -- a must read for
anyone considering EFS.
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/wsrvdsys.mspx
-- more detailed info.
<anonymous@discussions.microsoft.com> wrote in message
news:2da1301c469f2$2302e190$a301280a@phx.gbl...
> I want to implement Group Policy folder redirection to
> store my documents folder on the server, but I would like
> to encrypt files and folders as they are accessed across
> the network. What is the best way to encrypt this
> information? Windows AD 2000 server 2000 Pro and XP
> clients.
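An added example, not part of the original post: a PowerShell check for the "two separate EFS certificates" situation the reply warns about, to be run in each profile (desktop and server) so the thumbprints can be compared with each other and with what Efsinfo reports for a file. It assumes a PowerShell-capable Windows system, that EFS certificates carry the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4), and that the current key's hash is stored in the registry value shown; the function name is hypothetical.

```powershell
# Added example: inventory the EFS certificates in the current user's profile.
# Assumption: EFS certificates carry the Encrypting File System EKU below.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificateReport {
    # Thumbprint of the certificate EFS is configured to use for new files, if any
    # (assumed location: the CertificateHash value under the user's EFS key).
    $current = $null
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $reg = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if ($reg) {
        $current = ($reg.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        # Collect the EKU OIDs from the certificate's extensions.
        $oids = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        }
        if ($oids -contains $EfsOid) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                IsCurrentKey  = ($cert.Thumbprint -eq $current)
            }
        }
    }
}

$report = @(Get-EfsCertificateReport)
$usable = @($report | Where-Object { $_.HasPrivateKey })
$report | Format-Table -AutoSize

if ($usable.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key in this profile: files encrypted elsewhere cannot be opened here.'
}
if ($usable.Count -gt 1) {
    Write-Warning 'More than one EFS key pair in this profile: confirm which one each file uses and back up all of them.'
}
if ($report.Count -gt 0 -and -not ($report | Where-Object { $_.IsCurrentKey })) {
    Write-Warning 'None of the listed certificates is the one EFS currently uses for new files here.'
}
```

If the thumbprints with `HasPrivateKey` set differ between the desktop and the server profile, the two machines are encrypting with different key pairs, and each one needs its own offline .pfx backup.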