Re: Encrypted File System




If you're trying to prevent the admin from viewing the files, I recommend getting a 3rd party encryption product instead of trying to use EFS. I don't have specific recommendations, although I know a couple of people who swear by Cryptainer. Just google for encryption, and IMO you should get a product with business class tech support - there are a lot of free or shareware apps that I'd avoid. Your users will have the inconvenience of having to enter a password when they access the directory, but all the administrator-related issues will be avoided.

I guess your situation prevents you from just trusting the admin not to view the files? For example, nothing technical stops me from reading my boss's e-mails, but I don't do it.


<freakrz@xxxxxxxxxxx> wrote in message news:d23d6b1b-2b2c-4732-883c-6c59324eb98c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 13, 10:47 am, Jim Behning SBS MVP
<jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Thu, 13 Mar 2008 07:43:04 -0700 (PDT), frea...@xxxxxxxxxxx wrote:
>On Mar 13, 10:28 am, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
>wrote:
>> frea...@xxxxxxxxxxx wrote:
>> > Hi,

>> > I run an SBS2k3 server and I have a folder that needs to be secured
>> > from the administrator, but accessible to the other users. So after some
>> > research I've found out that I could use the encrypted file system to
>> > encrypt the folder and files. It would block the access to the
>> > admin, but still he would be the default recovery agent within the
>> > domain.

>> The best you could do is make it 'inconvenient' for an admin.

>> > So I figured out that I would create another admin account to perform
>> > all the regular tasks/backups and use the domain admin just for
>> > recovery purposes.

>> With enough admin group membership, the alternate admin can add to the
>> recovery agent lists.

>> > I would also like to know if it would help to create a new account and
>> > give itself admin privileges to perform the routine tasks and
>> > backups, instead of using the domain admin account?

>> It just remains 'inconvenient' for the alternate admin. Don't forget about
>> backups and accounts that have access to the backup files.

>> > What permissions or groups should I assign the new account so that it
>> > has all the admin access except for the EFS key recovery?

>> EFS recovery is in group policy. If the admin had the privileges to modify
>> the policy or add additionals, then they can read the EFS files.

>> > After I encrypt a folder and when I try to share the files within the
>> > folder by adding users I receive a message like this: "no appropriate
>> > certificates correspond to the user". How do I get the certificates for
>> > the users that I want to let access?

>> Prospective users must first encrypt a file, thereby obtaining an EFS cert,
>> and have it published to AD.

>> > I would also like to know if shadow copies, enabled on the
>> > server, would retain the previous version of the folder/files?

>> Previous EFS versions? Yes, I think so. Can't think of a reason why not.

>> > What other things should I be aware of before deploying EFS?

>> > Thank You.

>> --
>> /kj

>Why don't you trust your admin?

>It's not about trust. These files supposedly require clearance and
>are considered sensitive. So is there another way I could do
>this, instead of interrupting his tasks...

Are they Word or other files that can be password protected?

Yes, they are of different formats. Would it work if I have a complete
drive set up for the folder and set permissions on the drive such that
the new account with minimal admin rights could just perform regular
tasks on the server and not access that drive, if I deny the access for
that account to that new drive?

What are the minimal rights required for the user account to log in to
the server physically or remotely and perform maintenance tasks and
back up files, and also log on remotely to the computers in the network to
perform maintenance tasks?

Thank You
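
The thread's point that recovery agents (and anyone who can add one through policy) can read EFS files can be checked per file. This is an added example, not part of the original posts: it parses saved `cipher /c` output and reports every account able to decrypt a file that is not on an approved list. It assumes a Windows version whose `cipher` supports `/c` and the English output layout; the sample text, account names and thumbprints are constructed.

```python
# Constructed sample of `cipher /c` output; accounts and thumbprints are made up.
SAMPLE = r"""
 Listing C:\Secure\
 New files added to this directory will be encrypted.

E budget.xls
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    CONTOSO\alice [alice(alice@CONTOSO)]
    Certificate thumbprint: AAAA 1111 2222 3333

  Recovery Certificates:
    CONTOSO\Administrator [Administrator(Administrator@CONTOSO)]
    Certificate thumbprint: CCCC 1111 2222 3333

  Key information cannot be retrieved.
"""

# Section headers we care about (assumed English wording of the tool's output).
SECTIONS = {"Users who can decrypt:": "users", "Recovery Certificates:": "recovery"}

def parse_cipher_c(text):
    """Map each encrypted file to the accounts listed as users / recovery agents."""
    files, current, section = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("E "):            # "E <name>" starts an encrypted file
            current = files.setdefault(s[2:].strip(), {"users": [], "recovery": []})
            section = None
        elif s.endswith(":"):                # any header; unknown ones reset section
            section = SECTIONS.get(s)
        elif current is not None and section and s.endswith("]") and " [" in s:
            current[section].append(s.split(" [", 1)[0])
    return files

def unexpected_readers(files, allowed):
    """Return {file: [accounts able to decrypt that are not in `allowed`]}."""
    ok = {a.lower() for a in allowed}
    report = {}
    for name, who in files.items():
        extra = [a for a in who["users"] + who["recovery"] if a.lower() not in ok]
        if extra:
            report[name] = extra
    return report

if __name__ == "__main__":
    print(unexpected_readers(parse_cipher_c(SAMPLE), {r"CONTOSO\alice"}))
```

Run against real output saved from the protected folder, a recovery agent showing up in the report is the case kj describes: the file is readable by that account regardless of the NTFS permissions on it.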
