Using EFS for laptops in a domain

Knox

Hi,
I'm planning on deploying EFS to laptops in our domain. I plan on
encrypting "my documents" and have been testing that configuration myself.
One annoying feature is that I create a document on my laptop and now I want
to share it by moving it to the network. Unfortunately, when I drag it to
the correct spot on the server, it is also encrypted on the server.

I don't want to disable encryption on the server, but I would like to
disable it in certain folders. Or have the copy operation at least ask the
user what they want to do. I plan to expand the use of EFS on the server
instead of what the users do today, which is password protect individual
files in Word and Excel.

"Educating the user" sounds great, but I know if I keep forgetting to
decrypt the file once I put it on the server, that our standard users will
really be at a loss.

Any ideas?
 
Steven L Umbach

The second link below shows how to disable EFS for a folder. I have never
tried it myself so you will need to test it to see if it works as you want. Be
very careful with EFS as it is not all that hard for users to be denied
access to their own files if there is not a good recovery strategy in force.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1211361,00.html

If instead you want to prevent EFS on the folder level, you can create a
desktop.ini file in the folder. This file should contain the following two
lines:
[Encryption]
Disable=1

This will affect the folder itself and all its files. However, it does not
have any impact on its subfolders and their content.
 
Knox

I much appreciate your reply. I had already searched the web for disabling
EFS and had not found anything. I'll give the folder disabling a try and
report back here how it works.

Do you ever see the problem of encrypted laptops wanting to share files to
servers? How do people generally handle this?

I'm backing up certificates and currently have two different users assigned
as recovery agents and I think I'll add a third. What are the likely
problems that might cause a user to not have access to his own files? The
only one I can think of is the user forgetting his password.

Thanks again,

Knox

Knox

Well, I'm sorry to say that "disable EFS in a folder" is implemented in a
stupid way. I set up the file as suggested. I tried to encrypt a file in
the folder. It rejected the attempt and gave a good error message. Good!
But the real test is dragging an encrypted file into the folder. It happily
accepted the file with no problem. It remains encrypted and no warnings are
issued. You can access the file if you have the key normally.

Oh well.


Steven L Umbach

Sharing of EFS files is cumbersome because only each file can be shared and
the EFS file owner needs to configure what users can also decrypt the file.
To add to the complexity users most likely will have different EFS
certificates/private key on the server than on their local computer unless
they exported and imported their EFS certificate/private key from one to the
other before any file was encrypted on the computer they imported to and
then they need to have a user profile to import into. A server trusted for
delegation will automatically request and receive an EFS certificate/private
key for a user and create a mini profile for that user if they do not have a
profile on the server and encrypt a file on it unless the user is using a
roaming profile [though I have never tried that myself].

Glad to hear you have a couple of RAs. It is possible for a user to lose
access to his EFS files if his operating system is reinstalled without first
backing up his EFS certificate/private key to a password protected .pfx file
or if his private key becomes deleted or corrupted. It is stored in the user
profile.

Steve


Steven L Umbach

I was not sure exactly what would happen so thanks for reporting back the
results though they were disappointing. Another good place to post EFS
questions is in the Microsoft.public.security.crypto newsgroup.

Steve


Knox

Thanks for the real world kind of problems I might face. I'm really trying
to avoid EFS on the server except for some very specialized uses. But I
definitely want it on the laptops.

I tried a few other things just FYI... I made a share on a server, and in
the security I "denied" being able to write attributes and extended
attributes. I figured if I couldn't write the encrypted flag, it wouldn't
encrypt the file. Instead it cheerfully allowed encrypted files to be
copied into that directory, but then I couldn't set or clear the encryption
flag since of course, I didn't have rights to do so. But somehow a copy
operation overcomes that.

Knox
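
Added example, not part of any post in this thread: a PowerShell report of every item under a share that still carries the EFS Encrypted attribute, noting whether its parent folder has the desktop.ini marker discussed above, since Knox's tests show encrypted files can still be copied in. The share path and the function name Test-EfsDisableMarker are assumptions for illustration.

```powershell
# Added example (not from the thread): list EFS-encrypted items under a share.
param(
    # Hypothetical share path; replace with the folder that should stay unencrypted.
    [string]$Root = '\\fileserver\shared'
)

function Test-EfsDisableMarker {
    # True when <Folder>\desktop.ini has Disable=1 inside an [Encryption] section.
    param([string]$Folder)
    $ini = Join-Path $Folder 'desktop.ini'
    if (-not [System.IO.File]::Exists($ini)) { return $false }
    $inSection = $false
    foreach ($line in [System.IO.File]::ReadAllLines($ini)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Encryption')
            continue
        }
        if ($inSection -and $t -match '^Disable\s*=\s*1$') { return $true }
    }
    return $false
}

$encrypted   = [System.IO.FileAttributes]::Encrypted
$markerCache = @{}   # folder path -> marker present?

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $encrypted } |
    ForEach-Object {
        # The marker only covers the folder it sits in, not subfolders,
        # so check the item's immediate parent.
        $parent = [System.IO.Path]::GetDirectoryName($_.FullName)
        if (-not $markerCache.ContainsKey($parent)) {
            $markerCache[$parent] = Test-EfsDisableMarker -Folder $parent
        }
        $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'unknown' }
        [pscustomobject]@{
            Path            = $_.FullName
            IsFolder        = $_.PSIsContainer
            Owner           = $owner
            LastWriteTime   = $_.LastWriteTime
            # True here means the item predates the marker or was copied in
            # already encrypted, the case reported in the thread.
            ParentHasMarker = $markerCache[$parent]
        }
    }
```

The Owner column shows whom to ask to decrypt each file, since only a key holder or a recovery agent can do so.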

