Re: encryption question
From: dave (anonymous_at_discussions.microsoft.com)
Date: 06/11/04
- Next message: Troy: "Re: GUI tool needed"
- Previous message: Janneth: "ERROR CODE 07xe"
- In reply to: Marin Marinov: "Re: encryption question"
- Next in thread: Marin Marinov: "Re: encryption question"
- Reply: Marin Marinov: "Re: encryption question"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 10 Jun 2004 20:53:18 -0700
Thanks for the response. The point of implementing EFS
was to have an additional safeguard against hackers
accessing files on our network. If for some reason they
were able to get in past our firewall protection they
would have EFS to deal with. Although we don't want to rely on
the users to encrypt the files, have to train them on how
to do this (even though it's pretty simple to do) which is
why I wanted to do the entire drive and somehow give
everyone access (which would require a recovery policy
created for each person - instead of just the
administrator)....of course if you think about it, if the
hacker is good enough to get past a firewall they would
be good enough to crack at least one of the USER ACCOUNTS
on the network which would have a recovery policy created
for them which in turn would grant the hacker access to
encrypted files anyways.
Oh well, any other ideas? :)
Dave
>-----Original Message-----
>In article <1a8ae01c44e4d$8b6a3be0$a001280a@phx.gbl>,
>anonymous@discussions.microsoft.com says...
>> I have a question about encryption...
>>
>> 1. Is it possible to encrypt the entire drive on a file
>> server (running w2k3) - but still allow everyone in the
>> company to use the files? If so, how?
>>
>> My understanding is only the person who "encrypts" the
>> file can access it, unless you manually add users to have
>> access. This would be very painful to do on thousands of
>> files.
>>
>> Lemme know.
>>
>> Thanks!
>>
>Hi Dave,
>This doesn't sound like a good idea. What are you trying to accomplish
>that cannot be done with permissions? A good EFS implementation requires
>a lot of planning and preparation and as a start you should have an
>enterprise CA to issue users digital certificates.
>Straight to your question now - you could encrypt the entire drive
>unless this is the boot or system volume. There is no built-in way to
>add multiple users' certificates for a specific file though there is an
>EFS API function (AddUsersToEncryptedFile) to do this. Your
>understanding is right, with the addition that all recovery agents can
>also access the file and all users whose certificates are added to this
>file.
>Also bear in mind that EFS encrypted files travel over the network in
>clear text form. Plus, in your case they are on a server which should be
>properly physically secured and provided you implemented correct access
>permissions you shouldn't be worried about users gaining access to other
>users' files. That's why you should think very carefully whether you
>need EFS at all and consider the new and increased administrative issues
>you'll be having.
>
>HTH
>--
>Cheers,
> Marin Marinov
> MCT, MCSE 2003/2000/NT4.0,
> MCSE:Security 2003/2000, MCP+I
>-
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
>"True knowledge exists in knowing that you know nothing."
>Socrates
>.
>