Re: EFS...can it be given to a group or folder ..win2003

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/16/04

    Date: Mon, 15 Mar 2004 18:24:31 -0800
    
    

    If you export a certificate from the Certificates MMC snap-in and have the
    private key present, you can export with private key - that will generate a
    .pfx.
    If you use "cipher /r" on XP or WS03, it will generate a .cer (certificate
    but no private key - for the recovery policy) and a .pfx (certificate and
    private key - have your users import this one).

    -- 
    Drew Cooper [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.
    <anonymous@discussions.microsoft.com> wrote in message
    news:dd2201c40ad3$508e0b40$a101280a@phx.gbl...
    > Where do you get the ".pfx" from?
    >
    > >-----Original Message-----
    > >Here's the EFS whitepaper.  It ought to clear up any terminology problems:
    > >http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    > >
    > >If you have each of the users import a .pfx file containing the recovery
    > >agent's certificate and private key, they will all be able to open/decrypt
    > >one another's files.
    > >If you don't want the users to be able to decrypt all files in your domain
    > >you can put those users in their own OU (Organizational Unit in the Active
    > >Directory) and make them all recovery agents for the OU.  This is explained
    > >a bit in the whitepaper.
    > >-- 
    > >Drew Cooper [MSFT]
    > >This posting is provided "AS IS" with no warranties, and confers no rights.
    > >
    > >
    > ><anonymous@discussions.microsoft.com> wrote in message
    > >news:7cca01c40330$f0732cd0$a501280a@phx.gbl...
    > >> Maybe I am not an expert as you are.
    > >> Can you give me the steps for the workaround you are
    > >> talking about ?
    > >> I am trying to give a few domain users rights to
    > >> view/modify files that are created in an EFS folder by
    > >> another user. Possibly your solution may work, but then I
    > >> didn't comprehend what you said.
    > >> Thanks a bunch.
    > >> >-----Original Message-----
    > >> >This is what I mean by rights management:
    > >> >http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
    > >> >
    > >> >A workaround that some people use to do group encryption with EFS is to put
    > >> >all of the users who will be sharing in the same OU and give them all the RA
    > >> >certificate/key pair for that OU.  That way when any of them encrypts a
    > >> >file, all of the others can open/modify it.
    > >> >-- 
    > >> >Drew Cooper [MSFT]
    > >> >This posting is provided "AS IS" with no warranties, and confers no rights.
    > >> >
    > >> >
    > >> ><anonymous@discussions.microsoft.com> wrote in message
    > >> >news:478701c40251$03cd76e0$a601280a@phx.gbl...
    > >> >> Thanks for the reply. Can you send me some more detail as
    > >> >> to what you mean by 'rights management'.
    > >> >> Are you saying that this can be done through 'Trusted
    > >> >> Certificates' ?
    > >> >>
    > >> >> >-----Original Message-----
    > >> >> >EFS sharing is for files only.  It doesn't support any kind of inheritance.
    > >> >> >When a file is created in a folder marked for encryption, it is encrypted by
    > >> >> >its creator.
    > >> >> >
    > >> >> >If you want groups to share encrypted materials, rights management is
    > >> >> >probably a better Microsoft solution.
    > >> >> >-- 
    > >> >> >Drew Cooper [MSFT]
    > >> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
    > >> >> >
    > >> >> >
    > >> >> >"Santanu Mitra" <anonymous@discussions.microsoft.com> wrote in message
    > >> >> >news:721901c4024b$385cb8e0$a001280a@phx.gbl...
    > >> >> >> I am trying to figure out if there is a way to give
    > >> >> >> multiple users (through windows domain group OR individual)
    > >> >> >> rights to view/modify an encrypted folder.
    > >> >> >> I have figured out that I can do so on a file level but
    > >> >> >> not on the folder.
    > >> >> >> Is there a way through domain policy or whatever ?
    > >> >> >> Thanks.
    > >> >> >
    > >> >> >
    > >> >> >.
    > >> >> >
    > >> >
    > >> >
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
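
Added example, not part of the original thread or Microsoft's own code: a PowerShell check that runs "cipher /r" as described in the top reply and confirms which of the two output files carries the private key. The base name efs-ra-demo and the helper Test-FileRecoveryEku are hypothetical; the .pfx is the file that lets its holder decrypt, so it is the one to track.

```powershell
# Added example, not from the thread. Run in an interactive Windows console.
# Assumption: the output base name "efs-ra-demo" under %TEMP% is hypothetical.
$base = Join-Path $env:TEMP 'efs-ra-demo'

# cipher /r prompts for a password to protect the .pfx, then writes
# <base>.CER (certificate only) and <base>.PFX (certificate + private key).
cipher.exe "/r:$base"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

$pfxPassword = Read-Host -AsSecureString 'Re-enter the .pfx password to inspect the file'

$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cer = New-Object $certType -ArgumentList "$base.cer"
$pfx = New-Object $certType -ArgumentList "$base.pfx", $pfxPassword

$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EFS "File Recovery" enhanced key usage

# Hypothetical helper: true when the certificate lists the File Recovery EKU.
function Test-FileRecoveryEku($cert) {
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $ekus -contains $fileRecoveryOid
}

$inputs = @(
    @{ File = "$base.cer"; Cert = $cer },
    @{ File = "$base.pfx"; Cert = $pfx }
)
$report = foreach ($item in $inputs) {
    [pscustomobject]@{
        File          = Split-Path $item.File -Leaf
        Thumbprint    = $item.Cert.Thumbprint
        HasPrivateKey = $item.Cert.HasPrivateKey
        FileRecovery  = Test-FileRecoveryEku $item.Cert
    }
}
$report | Format-Table -AutoSize

# Both files must describe the same certificate; only the .pfx may hold the key.
if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'The .cer and .pfx hold different certificates' }
if ($cer.HasPrivateKey -or -not $pfx.HasPrivateKey) { throw 'Unexpected private key placement' }

# Release the certificate handles opened for inspection.
$cer.Reset(); $pfx.Reset()
```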
    
