Encryption Across Network File Shares

Guest

I have two XP Pro machines (PC1 & PC2) in a WORKGROUP environment - No Domain.

I logged on locally to PC1 and encrypted some files. I try to access those
files from PC2 through a shared folder (on PC1) and cannot open anything I
encrypted.

I have tried the following to set this up but I think the writer of this web
page could be wrong in his article:

http://www.webspinnerstudios.com/how-to/network/windows/remotely_access_encrypted_files.htm

I have read many articles that the only way to see remote files that are
encrypted, are as follows:

You need PC1 joined to a domain and trusted for delegation before you can
access encrypted files across a network.

Am I right or what am I missing here?

Thanks Again, Rick
 
Steven L Umbach

Yes the computer needs to be a domain computer. The link below explains more
which you may have already read. --- Steve

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp

EFS must impersonate the user to obtain access to the necessary public
or private key. This requires the following:

1. The computer must be a domain member in a domain that uses Kerberos
authentication because impersonation relies on Kerberos authentication and
delegation.
2. The computer must be trusted for delegation.
3. The user must be logged on with a domain account that can be
delegated.
 
Guest

Thanks, Steve for clearing this up. The web link I gave (below) made things
cloudy. The author of the website I mentioned (below) made it sound like you
could get away with not having to be joined to a domain.

Anyway, with the PC1 & PC2 scenario (below) could you really help me out
here? I need it! You know your stuff concerning EFS, I can see that by the
posts you leave in this newsgroup.

I'm a little confused and need a step-by-step (1-2-3, etc.). Can you give me
the successful "step-by-step" that I need to take in order to access
encrypted files remotely?

Here are some of the questions I have:

* Which PC do I join to the domain?
* Which PC do I set "trusted for delegation"?
* what pc do I export my public/private certificate?
* what pc to I import my public/private certificate?
* Do I import into "Certificates\Personal or Certificated\Trusted People"

I'm a person that needs to do this by a 1-2-3 example, especially with EFS.
I want to look at the step by step answers you give me and digest it.

Could you take the time and write it out (with the PC1/PC2 example below)?

I would appreciate it G-R-E-A-T-L-Y!!! :+)

Thanks, Rick Blake

 
Guest

I'm pretty familiar with Active Directory, and I have a domain already setup
so whatever steps you tell me, I'll carry them out word for word.

I just need the successful steps to making encrypting and decrypting EFS
files across a remote/network share easy and done the right way.

Thanks, Rick Blake

 
Steven L Umbach

The link below explains most everything you need to do if you read the part
on Encrypted Files on a Server about three fourths the way into the white
paper.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

The computer with the share that you want to contain EFS files and the
computers that users will use to access those EFS files need to be joined to
the domain. Then for the computer with the share find its computer account
in Active Directory Users and Computers and select its properties and make
sure that trust computer for delegation is selected. Its account most
likely is in the computers container unless it is a domain controller in
which case it would be in the domain controllers container. Then you should
be able to encrypt and decrypt files on the share from any domain computer
either by first logging onto the computer with the share and importing your
certificate/private key into your domain account, by encrypting a file while
logged onto the computer with the share which will generate an EFS
certificate/private key, or by simply encrypting a file on the share which
will create a mini user profile on the computer with the share that will
contain the EFS certificate/private key that is generated in the process.

Be very careful with EFS however in that it is easy to end up with multiple
EFS certificates/private keys and if one is destroyed/corrupted you may lose
permanent access to your EFS files. For instance if you access the share
where the EFS file is, decrypt your file, copy it to your computer, and
encrypt it again on your computer you could end up with a different EFS
certificate/private key on your computer than what is on the computer with
the share if the computer you copied it to did not have any EFS
certificate/private key on it for your user profile. Then if you deleted the
EFS file on the share and had a problem accessing your EFS file on your
computer the EFS certificate/private key on the computer with the share
would not be able to decrypt the file. Be sure to read the link below on EFS
best practices. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
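As an added example (not from the thread or from Microsoft), the PowerShell script below checks the conditions Steve lists from a domain-joined client: the current logon is a domain account, the computer with the share is trusted for delegation, and the user holds a single EFS certificate/private key, which is the situation his warning about multiple keys is about. The host name PC1 and the path \\PC1\Docs\secret.txt are assumed placeholders; the script only reads, it changes nothing.

```powershell
# Added example. Assumes the share host is named PC1 and the script runs on a
# domain-joined machine with LDAP access to the domain. All names are placeholders.
param([string]$ShareHost = "PC1", [string]$FileOnShare = "\\PC1\Docs\secret.txt")

# 1. Is the current logon a domain account? For local/workgroup accounts
#    USERDOMAIN equals the computer name.
$domainLogon = $env:USERDOMAIN -ne $env:COMPUTERNAME
"User {0}\{1} is a domain logon: {2}" -f $env:USERDOMAIN, $env:USERNAME, $domainLogon

# 2. Is the share host's computer account trusted for delegation?
#    userAccountControl bit 0x80000 is TRUSTED_FOR_DELEGATION.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ShareHost`$))"
$null = $searcher.PropertiesToLoad.Add("userAccountControl")
$acct = $searcher.FindOne()
if ($null -eq $acct) {
    "No computer account for $ShareHost found: it is not joined to this domain"
} else {
    $uac = [int]$acct.Properties["useraccountcontrol"][0]
    $trusted = ($uac -band 0x80000) -ne 0
    "$ShareHost is trusted for delegation: $trusted"
}

# 3. EFS certificates in the current user's Personal store. More than one is
#    the case the thread warns about: a file may be tied to a key that exists
#    on only one machine.
$efsOid = "1.3.6.1.4.1.311.10.3.4"   # Encrypting File System enhanced key usage
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $efsOid })
"EFS certificates for this user: $($efsCerts.Count)"
$efsCerts | ForEach-Object {
    "  thumbprint {0} private key present: {1}" -f $_.Thumbprint, $_.HasPrivateKey
}
if ($efsCerts.Count -gt 1) {
    "WARNING: multiple EFS keys; back each one up before deleting any encrypted copy"
}

# 4. Does the file on the share actually carry the Encrypted attribute?
if (Test-Path $FileOnShare) {
    $attrs = (Get-Item $FileOnShare).Attributes
    $isEncrypted = ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
    "$FileOnShare has the Encrypted attribute: $isEncrypted"
    # On Vista and later, 'cipher.exe /c <file>' also lists which certificate
    # thumbprints can decrypt it; XP's cipher.exe has no /c switch.
}
```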
 
Guest

Thanks, Steve.

I have a few questions though.

It looks as though you can only share encrypted files across a network by
having both machines joined to a domain, have the "Shared" machine "Trusted
for Delegation" and the user that is encrypting/decrypting will have to be
logged onto the domain to make this work. Is this correct?

If the (above) is correct, then how do non-domain computers and users access
encrypted files across a network share? Does Microsoft expect you to be in a
Domain environment once you want to access encrypted files across a remote
share?

Also, in this type of configuration (where the computer with the share has
to be "Trusted for Delegation"), does an end user sitting on an XP box that
shares encrypted files with another user need to go up to the Network
Administrator and ask them to set their computer to "Trusted for
Delegation"? That's kind of a pain, don't you think?

I mean, I know what the Network Administrator's answer is going to be. The
Network Administrator is going to say to the end user, "put your files on one
of my file servers, we don't allow sharing of encrypted files between client
machines".

Anyway, what do home owners do (that have an 8,400 sq ft home) with a PC in
the basement and one upstairs when they need to share files between PCs and
they do not want a domain environment, but they do want to access encrypted
files remotely through a share ONLY?

Thanks, Rick Blake
 
Steven L Umbach

Yes, as far as I know the computers involved need to be in a domain, the user
needs to log on as a domain user, and the computer with the share needs to be
trusted for delegation. What may work in a non-domain setup is if the user
accesses the remote computer with the EFS files via Remote Desktop. Then I believe
the user should be able to decrypt and work on the EFS files. If the user
copies any of those files to his computer via RDP and encrypts them locally
he would want to make sure that he is using the same EFS certificate/private
key on both computers so that complications do not arise. --- Steve
 