Re: Encrypted File System



On Thu, 13 Mar 2008 07:43:04 -0700 (PDT), freakrz@xxxxxxxxxxx wrote:

On Mar 13, 10:28 am, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
frea...@xxxxxxxxxxx wrote:
Hi,

  I run an SBS2k3 server and I have a folder that needs to be secured
from the administrator, but accessible to the other users. So after some
research I've found out that I could use the encrypted file system to
encrypt the folder and files. It would block the access to the
admin, but still he would be the default recovery agent within the
domain.

The best you could do is make it 'inconvenient' for an admin.

So I figured out that I would create another admin account to perform
all the regular tasks/backups and use the domain admin just for
recovery purposes.

With enough admin group membership, the alternate admin can add to the
recovery agent lists.



I would also like to know if it would help to create a new account and
give it admin privileges to perform the routine tasks and
backups, instead of using the domain admin account?

It just remains 'inconvenient' for the alternate admin. Don't forget about
backups and accounts that have access to the backup files.



What permissions or groups should I assign the new account so that it
has all the admin access except for the EFS key recovery?

EFS recovery is in group policy. If the admin had the privileges to modify
the policy or add additionals, then they can read the EFS files.

After I encrypt a folder and when I try to share the files within the
folder by adding users, I receive a message like this: "no appropriate
certificates correspond to the user". How do I get the certificates for
the users that I want to let access?

Prospective users must first encrypt a file, thereby obtaining an EFS cert,
and have it published to AD.



I would also like to know if shadow copies, enabled on the
server, would retain the previous version of the folder/files?

Previous EFS versions? Yes, I think so. Can't think of a reason why not.



What other things should I be aware of before deploying the EFS?

Thank You.



--
/kj

Why don't you trust your admin?

It's not about trust. These files supposedly require clearance and
are considered sensitive. So is there another way I could do
this, instead of interrupting his tasks...
Are they Word or other files that can be password protected?