WinXP Encryption

  • Thread starter: Aftab

Aftab

Hi!
I want to know: if I encrypt a folder, can the administrator of the domain
controller view that folder's content through Remote Desktop Connection?
I log in to a domain.

Thanks
 
Probably. And there are other routes than just Remote Desktop.

If your machine is joined to a domain, it is affected by group policy. Most
likely there is an EFS recovery policy in place that is applied to your
machine. How to check:
Right click on an encrypted file. Go to
Properties->General->Advanced->Details.
Is there a recovery agent listed? If so, the holder of that certificate
(and private key) can read/decrypt your files.

By default, a domain has an EFS recovery policy in the default domain
policy. By default, the domain administrator is issued the recovery key
pair on the first DC in a domain.
 
First, with EFS one does not encrypt folders.
One can set a folder so that any files stored into it
will be encrypted, but the folder itself is not encrypted.

Next, what EFS keys are needed in order to view an
encrypted file in the clear can be determined by looking
at the file's EFS thumbprint. This is within the properties
of the file. You may see only your info, or you may also
see info for a data recovery agent. Anyone that can log
into your machine and has one of the EFS keys corresponding
to what you see listed is who can access your files.

If you are in a domain that does have a functioning data
recovery agent, then someone that logs into your machine
with that account will be able to access your files.
If you are in a W2k3 Active Directory, domain level
administrators may have other options that they could
use based on whether your EFS cert/key was escrowed.
But keep in mind that potentially any account can access
the files, if it has the needed EFS key loaded.
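
Added illustration, not part of the original posts and not EFS's actual code: a simplified Python model of why every certificate listed on an encrypted file, recovery agent included, can read it. The file is encrypted once with a random file key, and a copy of that key is wrapped for each listed certificate. The textbook RSA, the keystream, the Mersenne-prime keys and all names are assumptions made for the example.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: toy key sizes, no padding."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def thumbprint(pub):
    """Stand-in for a certificate thumbprint: hash of the public key."""
    return hashlib.sha1(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def _xor_stream(fek, data):
    """XOR data with a SHA-256 counter keystream derived from the file key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(f"{fek}:{off}".encode()).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_file(plaintext, user_pubs, agent_pubs):
    """Encrypt once with a random file key, then wrap that key per certificate."""
    fek = 2 + secrets.randbelow(min(p["n"] for p in user_pubs + agent_pubs) - 2)
    wrap = lambda pubs: {thumbprint(p): pow(fek, p["e"], p["n"]) for p in pubs}
    return {"data": _xor_stream(fek, plaintext),
            "users": wrap(user_pubs),        # EFS calls this the DDF
            "recovery": wrap(agent_pubs)}    # EFS calls this the DRF

def decrypt_file(blob, pub, priv):
    """Any holder of a private key matching a listed thumbprint gets the plaintext."""
    wrapped = {**blob["users"], **blob["recovery"]}.get(thumbprint(pub))
    if wrapped is None:
        raise PermissionError("no key entry for this certificate")
    return _xor_stream(pow(wrapped, priv["d"], priv["n"]), blob["data"])

# Constructed keys built from Mersenne primes; real EFS uses certificate-backed RSA keys.
USER = make_keypair(2**61 - 1, 2**89 - 1)
AGENT = make_keypair(2**107 - 1, 2**127 - 1)      # domain recovery agent
OUTSIDER = make_keypair(2**19 - 1, 2**31 - 1)     # key not listed on the file

if __name__ == "__main__":
    blob = encrypt_file(b"constructed sample contents", [USER[0]], [AGENT[0]])
    print("recovery agents listed:", list(blob["recovery"]))
    print("agent reads:", decrypt_file(blob, *AGENT))
```

Which account is logged on never enters `decrypt_file`; only possession of a private key matching a listed thumbprint does.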
 