RE: Tired of fighting with Group Policy and Offline File Encryption



The only thing left that I can make out from your post is to check
whether "Set Client Connection Encryption Level" is not configured, as it may
create the problem. It specifies whether to enforce an encryption level for
all data sent between the client and the remote computer. Important: If FIPS
compliance has already been enabled by the "System cryptography: Use FIPS
compliant algorithms for encryption, hashing, and signing" Group Policy, you
cannot change the encryption level by using this Group Policy or by using
Terminal Services Configuration. If the status is set to Enabled,
encryption for all connections to the server is set to the level you specify.
By default, encryption is set to High. The following encryption levels are
available:

FIPS Compliant: encrypts data sent from client to server and from server to
client to meet the Federal Information Processing Standard 140-1 (FIPS
140-1), a security implementation designed for certifying cryptographic
software. Use this level when Terminal Services connections require the
highest degree of encryption. FIPS 140-1 validated software is required by
the U.S. Government and requested by other prominent institutions.

High: encrypts data sent from client to server and from server to client by
using strong 128-bit encryption. Use this level when the remote computer is
running in an environment containing 128-bit clients only (such as Remote
Desktop Connection clients). Clients that do not support this level of
encryption cannot connect.

Client Compatible: encrypts data sent from client to server and from server
to client at the maximum key strength supported by the client. Use this
level when the remote computer is running in an environment containing mixed
or legacy clients.

Low: encrypts data sent from the client to the server using 56-bit
encryption. Note that data sent from the server to the client is not
encrypted when Low is specified.

If the status is set to Disabled or Not Configured, the encryption level is
not enforced through Group Policy. However, administrators can set the
encryption level on the server using the Terminal Services Configuration tool.

So set the status to "High" and then check; it should apply to XP clients :)

Good Luck!!

"Nivek R." wrote:

I'm trying to ensure that the Offline Files (client-side cache), on my
client computers are encrypted. I tried applying the Group Policy:
Computer Config \ Admin Templates \ Network \ Offline Files \ Encrypt the
Offline Files Cache = Enabled, but that only served to grey out the "Encrypt
offline files to secure data" box in the "Folder Options" ==> "Offline
Files" Tab, but did not force a check mark into that box. Essentially, it
took away the user's ability to encrypt the files, but it didn't actually
encrypt them. The same issue was discussed, but not satisfactorily answered
by the MS Tech at
http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2006-04/msg00511.html.
This also led me to look into the hotfix suggested at MS KB810859
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810859), but I
wasn't getting the error that the hotfix applied to in my event logs, also,
my test user is an admin on both machines, so I didn't think the hotfix
should apply. The document was also vague about where the hotfix should be
applied (client or dc?), and it looked as though my settings in the
system.adm file in both locations were correct. I also read various Technet
articles about EFS, and none seemed to have the answer I was looking for.

In an effort to get to the root of the problem, I've deployed a test lab
with two clients using CSC. On these PCs, I've enabled offline files. I've
checked the "Encrypt..." box on one, but not the other. When I apply the
GP, the encrypt box stays checked or unchecked based upon how it was before
applying the GP. However, when I checked the box on the one computer, the
"encrypting" progress bar never appeared. When I browse to either
computer's CSC directory from my admin computer over the network, no files
appear in green (as they should when encrypted - all systems are running XP
SP2). I tried first re-initializing the cache (CTRL + SHIFT + click
"Delete"), but that didn't help, so I disabled offline files on both
machines, deleted the "EncryptCache" registry value under the following
keys:

HKLM \ Software \ MS \ Windows \ Current Ver \ NetCache (I think this one
has precedence)
HKLM \ Software \ Policies \ Microsoft \ NetCache (Don't even know what this
is for)

I then deleted all items out of the CSC folder on both machines and
rebooted. Re-enabled offline files and encryption, but again, the
"encrypting" progress bar never appeared. So I can't even get the files to
encrypt correctly, let alone get the GPO to apply its encryption policy
correctly. I'm trying to avoid going door-to-door to encrypt files on every
client PC, and trying to make it so users can't decrypt files that have
already been encrypted. Microsoft's documentation has really done nothing
for me here, except maybe run me around in circles. I could insert a
.reg file into a logon.bat, however I really don't want to give my users
registry access, and I'm not confident that would even work, since nothing
else seems to be actually encrypting the files.

Any help here would be GREATLY APPRECIATED. Thank you.

Pertinent info:
Both PCs are identical - XP SP2 Toshiba laptops, 256MB RAM, GPs are now set
to do nothing except allow the use of EFS - so nothing in GPs should be
interfering with the encryption of files. Other GPs from the same test GPO
were applying correctly when they were enabled. Nothing's compressed (which
would prevent encryption from occurring). Files are on NTFS partitions.
The test users that are trying to encrypt the files are local admins, also,
I've tried applying settings using a Domain Admin as well.

Other pertinent docs I've read through and tried to apply practices from:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/csc_encrypt.mspx

http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx

http://technet2.microsoft.com/WindowsServer/en/Library/b505401c-5ec8-4f0f-b82b-ea24b28bfbad1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/Library/7161080d-270c-4a1c-8ce1-8d45dd6d7b591033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/Library/04122595-5d30-4b19-945a-b6e4bb33bd6f1033.mspx?mfr=true

http://thesource.ofallevil.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

http://www.microsoft.com/technet/archive/community/columns/tips/inttips.mspx?mfr=true
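As an added example that is not part of this thread, a PowerShell audit of the state Nivek describes: it reads EncryptCache from both registry keys he lists (paths expanded to their assumed full names), counts CSC files that actually carry the NTFS Encrypted attribute (the green-name indicator in Explorer), and reports the file-system and compression conditions the post says block EFS. It assumes PowerShell is installed on the client and runs in an elevated session.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell on the XP
# client; "MS" = Microsoft and "Current Ver" = CurrentVersion in the post's keys.

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\NetCache',                 # policy-written key
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache'    # local/UI key
)

# 1. Report the EncryptCache value under each key (absent, 0 or 1).
foreach ($p in $paths) {
    $v = Get-ItemProperty -Path $p -Name EncryptCache -ErrorAction SilentlyContinue
    if ($null -eq $v) { "$p : EncryptCache not set" }
    else              { "$p : EncryptCache = $($v.EncryptCache)" }
}

# 2. Count cached files that really have the NTFS Encrypted attribute set.
$csc   = Join-Path $env:SystemRoot 'CSC'
$files = @(Get-ChildItem -Path $csc -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })
$encrypted = @($files | Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 })
"CSC files: $($files.Count); with Encrypted attribute: $($encrypted.Count)"

# 3. EFS needs NTFS and refuses compressed folders; surface both conditions.
$drive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
"System drive file system: $($drive.FileSystem)"
$cscItem = Get-Item -Path $csc -Force -ErrorAction SilentlyContinue
if ($cscItem) {
    $compressed = ($cscItem.Attributes -band [IO.FileAttributes]::Compressed) -ne 0
    "CSC folder compressed: $compressed"
}
```

A policy value of 1 with zero encrypted files points at EFS itself (file system, compression, or the cache never being re-initialised) rather than at the GPO.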
