Encrypt Offline Files - Access Denied


someone

Hi,

I've got a laptop with XP Professional on it. I use it to connect to
our small corporate LAN. I have a mapped drive to a DFSR share with our
main files on it. I like to have a copy of these files offline when I
travel.

So, I've set up offline files for the drive, and it synchronizes fine.
For security, I then changed the folder options for the offline files to
"Encrypt offline files to secure data". It fails with an "Access
denied" message for each and every file. When I turn off the "encrypt
offline files", it synchronizes again.

Unless there is a default policy to disable encryption, I don't think
that has been set.

Where should I start looking?
 

Steven L Umbach

I don't use offline files but what I would try is to see if you can encrypt
any file on your computer. If you can not then you know that there is
probably a policy to disable EFS via Group Policy. You can go to the
properties of a file and select - encrypt. Then be sure to use a test file
and then select encrypt this file only - NOT folder and other files in
folder. Be VERY VERY careful with EFS as it is not uncommon for a user to
lose permanent access to their own files if a problem arises and proper
recovery procedures have not been implemented. EFS files can NOT be cracked
without the EFS user's private key.

Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
practices.
 

someone

n9rou@n0- said:
> I don't use offline files but what I would try is to see if you can encrypt
> any file on your computer. If you can not then you know that there is
> probably a policy to disable EFS via Group Policy. You can go to the

I have a local directory encrypted. I am able to encrypt and decrypt it
at will. I have also exported the key to a secure (and redundantly
backed up) location. I'm actually in the process of testing my data
protection and recovery procedures - so a BIG factor in which way I go
is how easily I can recover files WITH the proper key. I've mitigated
the losses of previous hard drives with utilities like BartPE and
assorted linux Live CDs. I need to make sure they play well with
encrypted files - as long as I have the key. For the offline files, I
don't really care if non-synced changes are lost. I'm mostly concerned
with having the network drive contents fall into the wrong hands if the
laptop is stolen.

> properties of a file and select - encrypt. Then be sure to use a test file
> and then select encrypt this file only - NOT folder and other files in
> folder. Be VERY VERY careful with EFS as it is not uncommon for a user to
> lose permanent access to their own files if a problem arises and proper
> recovery procedures have not been implemented. EFS files can NOT be cracked
> without the EFS user's private key.

Fair warning. I'm familiar with the opposite needs of data protection
vs. data recovery.
 

Steven L Umbach

There is a Group Policy setting to disable using EFS for offline files
though when something like that is enabled usually the option is grayed out.
You can check by running rsop.msc on your computer and looking for any such
setting under user configuration/administrative templates/network/offline
files. Another thing to check is that system has full control permissions to
the \windows folder and subfolders which it should by default. Also make
sure that any file you are trying to encrypt does not have the system
attribute set for some reason. Since I rarely use offline files I can not
think of much else. You may also want to post in one of the file_system
newsgroups and Microsoft.public.security.crypto newsgroup.

Steve
 

someone

n9rou@n0- said:
> There is a Group Policy setting to disable using EFS for offline files
> though when something like that is enabled usually the option is grayed out.
> You can check by running rsop.msc on your computer and looking for any such
> setting under user configuration/administrative templates/network/offline
> files. Another thing to check is that system has full control permissions to

There is no such container for policies under my rsop.msc. I have
the user configuration folder, but no administrative templates or
network folder. Does it make a difference that I am logged in as a
member of the Domain Admin group?

> the \windows folder and subfolders which it should by default. Also make

Looks good...

> sure that any file you are trying to encrypt does not have the system
> attribute set for some reason. Since I rarely use offline files I can not

A "dir /as" did not come back with any files.

> think of much else. You may also want to post in one of the file_system
> newsgroups and Microsoft.public.security.crypto newsgroup.

OK. If that policy bit above doesn't raise any eyebrows I'll repost in
the other group. Thanks for your time.
 

Steven L Umbach

Rsop.msc results for computer configuration will not matter if the user is
an administrator or not. If you do not see any settings for offline files
via rsop.msc then that means that it is not configured in Group Policy and
that the default settings are being used which means that using EFS for
offline files should be enabled. Something that may help, or may not, is to
try using filemon from SysInternals/Microsoft to monitor file activity in
real time when you try to use EFS for your offline files. Filemon will
record a lot of entries in a very short period of time so be sure to start
it just before you need to and then stop logging when access is denied. Then
look in its log for access denied entries which may give you some sort of
clue. You can use the filter/highlight view in filemon to help find
pertinent log entries such as denied or access denied.

Steve

http://www.sysinternals.com/Utilities/Filemon.html --- filemon
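
The Filemon triage suggested in the last reply can also be done offline on a saved log. This is an added example, not part of the original thread: it assumes a tab-delimited export with the columns sequence, time, process, request, path, result and other, and the sample rows (process names, PIDs, cache paths) are constructed.

```python
from collections import Counter

# Assumed column order of a tab-delimited Filemon log export.
FIELDS = ("seq", "time", "process", "request", "path", "result", "other")

# Constructed sample rows (not captured from a real machine).
_ROWS = [
    ("#", "Time", "Process", "Request", "Path", "Result", "Other"),
    ("101", "10:15:02 AM", "mobsync.exe:1480", "OPEN",
     r"C:\WINDOWS\CSC\d1\80000012", "SUCCESS", "Options: Open"),
    ("102", "10:15:02 AM", "explorer.exe:1712", "OPEN",
     r"C:\WINDOWS\CSC\d1\80000012", "ACCESS DENIED", ""),
    ("103", "10:15:02 AM", "explorer.exe:1712", "QUERY INFORMATION",
     r"C:\WINDOWS\CSC\d1", "SUCCESS", "Attributes: D"),
    ("104", "10:15:03 AM", "explorer.exe:1712", "OPEN",
     r"C:\WINDOWS\CSC\d1\80000013", "ACCESS DENIED", ""),
    ("105", "10:15:03 AM", "explorer.exe:1712", "SET INFORMATION",
     r"C:\WINDOWS\CSC\d2\80000020", "Access Denied", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS)


def parse_filemon(text):
    """Yield one dict per data row; skip header, blank and truncated lines."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].strip().isdigit():
            continue
        cols += [""] * (len(FIELDS) - len(cols))  # "other" may be missing
        yield dict(zip(FIELDS, cols[:len(FIELDS)]))


def denied_entries(text):
    """Return rows whose result column reports a denial (case-insensitive)."""
    return [e for e in parse_filemon(text) if "DENIED" in e["result"].upper()]


def summarize(entries):
    """Count denials per (process name, request, parent folder), most frequent first."""
    counts = Counter()
    for e in entries:
        proc = e["process"].split(":")[0]        # drop the ":PID" suffix
        folder = e["path"].rsplit("\\", 1)[0]    # group files by their folder
        counts[(proc, e["request"], folder)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (proc, request, folder), n in summarize(denied_entries(SAMPLE_LOG)):
        print(f"{n:3d}  {proc:<14} {request:<18} {folder}")
```

Grouping by process and folder shows at a glance which component is being refused and on which part of the disk, which narrows down the permissions to inspect.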
 
