Re: Encrypted File System
- From: freakrz@xxxxxxxxxxx
- Date: Thu, 13 Mar 2008 09:07:46 -0700 (PDT)
On Mar 13, 10:47 am, Jim Behning SBS MVP
<jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Thu, 13 Mar 2008 07:43:04 -0700 (PDT), frea...@xxxxxxxxxxx wrote:
On Mar 13, 10:28 am, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
frea...@xxxxxxxxxxx wrote:
Hi,
i run a sbs2k3 server and i have a folder that needs to be secured
from the administrator,but acessable to the other users.so after some
research i ve found out that i could use the encrypted file system to
encrypt the folder and files.it would block the access to the
admin,but still he would be the default recovery agent within the
domain.
The best you could do is make in 'inconvenient' for an admin.
so i figued out that i would create another admin account to perform
all the regular tasks/backups and use the domain admin just for
recovery purposes.
With enough admin group membership, the alternate admin can add to the
recovery agent lists.
i would also like to know if would help to create a new account and
give itself admin privleges to perform the routine tasks and
backups,instead of using the domain admin account?
It just reamains 'inconvenient' for the alternate admin. Don't forget about
backups and accounts that access to the backup files.
what permissions or groups should i assign the new account so that it
has all the admin access except for the efs key recovery?
EFS revocery is in group policy. If the admin had the priviledges to modify
the policy or add additionals, then they can read the efs files.
after i encrypt a folder and when i try to share the files within the
folder by adding users i recieve an message like this "no appropriate
certificates correspond to the user" how do i get the certificates for
the users that i want to let access?
prospective users must first encyrpt a file thereby optaining an efs cert
and have it published to ad.
i would also like to know ,if shadow copies enabled on the
server ,would retain the previous version of the folder/files?
Previous efs versions? Yes, I think so. Can't think of a reason why not..
what other things should i be aware before deploying the EFS.
Thank You.
--
/kj
Why you don't trust your admin?
Its not about trust.These files are supposedly require clearance and
are considered sensitive.so is there another way i could do
this.instead of interrupting his tasks...~
Are they Word or other files that can be password protected?- Hide quoted text -
- Show quoted text -
Yes.there are of different formats. would it work if i have a complete
drive setup for the folder and set permissions on the drive such that
the new account with minimal admin rights could just perform regular
tasks on server and not access that drive.if i deny the access for
that account to that new drive.
what are the minimal rights required for the user account to login to
the server physically or remotely and perform maintainance tasks and
back up files,also logon remotely on the computers in the network to
perform maintainance tasks.
Thank You
.
- Follow-Ups:
- Re: Encrypted File System
- From: Dave Nickason [SBS MVP]
- Re: Encrypted File System
- References:
- Encrypted File System
- From: freakrz
- Re: Encrypted File System
- From: kj [SBS MVP]
- Re: Encrypted File System
- From: freakrz
- Re: Encrypted File System
- From: Jim Behning SBS MVP
- Encrypted File System
- Prev by Date: Re: "Pending File Rename Operations" refers to non-existent temporary files in C:\WINDOWS\SYSTEM32\FxsTmp
- Next by Date: Re: Old emails resent after SBS reboot/restart
- Previous by thread: Re: Encrypted File System
- Next by thread: Re: Encrypted File System
- Index(es):
Relevant Pages
|
