How do we encrypt one folder on Windows 2003 for specific user access?

Posted on 2006-06-21
612 Views
Last Modified: 2011-09-20
We have a Windows 2003 (small business) server, and would like to control access to a few HR related files, in one folder. Since the files are accessed directly by MS Office, the actual folder location does not matter. There are two files in question, and if it is simpler we can encrypt each file separately with its own password.

Every user account has a password that is known to most of the other users, so normal Windows security or EFS won't work for this situation.  Due to other software running on the network, the user passwords are actually account ID's for another program, and the management does not want to change this situation.  

Is there a third party program that can hide or encrypt a folder on a server share, that will allow simple access to one or two users when they enter a password?  TrueCrypt looks promising, but it appears that if one user has it mounted (now unencrypted) that any other user can see the contents.

We have also considered running TrueCrypt or similar software on one computer, then sharing it and granting access to the other two users.  The users are not very computer literate, and will panic if forced to jump through a number of screens, etc.  TrueCrypt looks good, because it can be invoked using command line statements that can be hidden behind a shortcut.

Any ideas?
Question by:4RunnerBob
6 Comments
 
LVL 5

Accepted Solution

by:
VortexAdmin earned 1000 total points
ID: 16956005
You can encrypt files and folders directly in Windows 2003.  If you right click on the folder and click Properties, then the Advanced button, there is an Encryption check box.  This will encrypt the folder (or file) so only the user that does this can view the contents (by default).  You can then share those keys with the other user who needs access too.  I clicked on the help for the checkbox and got the following:

Best practices
Ensure files intended for encryption are created and remain encrypted

Encrypt folders before creating sensitive files in them for maximum security. Doing this causes the files to be created as encrypted and their data is never written to the disk as plaintext.
Encrypt the My Documents folder if you save most of your documents to the My Documents folder. This ensures that your personal documents are encrypted by default. For Roaming User Profiles, this should only be done when the My Documents folder is redirected to a network location.
Encrypt folders instead of individual files so that, if a program creates temporary files during editing, these are encrypted as well.
Manage private keys to ensure file security
The designated recovery agent should export the data recovery certificate and private key to disk, secure them in a safe place, and delete the data recovery private key from the system. In this way, the only person who can recover data for the system is the person who has physical access to the data recovery private key.
The number of designated recovery agents should be kept to a minimum. This exposes fewer keys to cryptographic attack and provides a higher level of assurance that encrypted data will not be decrypted inappropriately.
Use Microsoft Certificate Services to manage Encrypting File System (EFS) and Data Recovery Agent (DRA) certificates and private keys.
 
Caution

When configuring Certificate Services and using a custom certificate template to issue EFS certificates, do not select the Prompt the user during enrollment and require user input when the private key is used option. This option prevents EFS from using the private key for encryption or decryption.
Provide security and reliability of data at all times
Encrypt sensitive data on computers that are members of a domain. This protects against compromise of data through offline cryptographic attacks.
Use Internet Protocol security (IPSec) to ensure that data remains encrypted as it is transmitted over the network. EFS can be used in conjunction with Web Distributed Authoring and Versioning (WebDAV) to store encrypted data on the Internet. In addition, EFS can be used with Server Message Block (SMB) signing to ensure that the transmission and reception of EFS files across a network is not altered in any way.
Back up the entire server that stores server-based encrypted data regularly. This ensures that, in case of data recovery, the profiles that include decryption keys can be restored.
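As an added worked example (not code from the thread or from Microsoft), the same EFS steps VortexAdmin describes, done with cipher.exe from PowerShell on the server: encrypt the folder first, then add the second user's certificate to the files. The folder path and thumbprint are placeholders, and the second user must already own an EFS certificate (encrypting any file once under their account creates one).

```powershell
# Added example: EFS-encrypt an HR folder and grant a second account access
# with cipher.exe. Run as the first HR user on the Windows 2003 server.
# Assumptions (not from the thread): the folder path and the SHA-1 thumbprint
# of the second user's EFS certificate below are placeholders to replace.
$HrFolder = 'D:\Shares\HR\Confidential'
$SecondUserThumbprint = '0000000000000000000000000000000000000000'  # placeholder

# 1. Create the folder and mark it encrypted BEFORE placing files in it, so
#    every new file (including Office temp files) is created encrypted and
#    its contents never reach the disk as plaintext.
New-Item -ItemType Directory -Path $HrFolder -Force | Out-Null
cipher.exe /e /a "/s:$HrFolder"
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }

# 2. Share the files with the second user by adding that user's EFS
#    certificate (identified by its SHA-1 thumbprint) to each file's key list.
#    /adduser works on files, so /s: recurses over everything in the folder.
cipher.exe /adduser "/certhash:$SecondUserThumbprint" "/s:$HrFolder"
if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }

# 3. Verify: cipher with no switch lists each entry as E (encrypted) or U.
cipher.exe "/s:$HrFolder"
```

Note that each added user's EFS private key is protected by that user's Windows logon credentials, so anyone who knows the account password can still open the files; that is exactly the limitation the asker raises, and the reason EFS alone does not fit their situation.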
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 16959936
There aren't many apps like EFS, where you can assign multiple users the ability to encrypt/decrypt the same data, and for good reason really...
It looks like TrueCrypt is planning something like this in the future http://www.truecrypt.org/future.php
See also the FAQ
Q: Is it possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?
A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
So if the volume is open on one PC and they make their changes, and someone else had it open and they make theirs, the latest changes will be the saved ones.
http://www.truecrypt.org/user-guide/multi-user-environment.php

Command line options http://www.truecrypt.org/user-guide/command-line-usage.php
-rich
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 16959959
Also keyfiles allow multiple users to access data
http://www.truecrypt.org/user-guide/keyfiles.php
-rich
Author Comment

by:4RunnerBob
ID: 16992262
EFS would work great, but there are other users who know the passwords for the specific user accounts; we are not allowed to change the passwords to something different (and unknown to others). Don't get me started on "we never change our passwords, it is too hard to learn new ones".... (It appears that there are scripts which use the existing passwords, and they do not want to update them.)

That said, we need to provide a specific password to open up two files.  At this point it looks like TrueCrypt will work, since it blocks the second user from accessing the files until the first user has dismounted the TrueCrypt volume.

Split points awarded, since the EFS suggestion would be valid in most cases, and the TrueCrypt information was very helpful.  Thanks to both VortexAdmin and richrumble for your help.
 
LVL 5

Expert Comment

by:VortexAdmin
ID: 16992833
You're welcome. Thanks for the points.  Good luck to you.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16992933
EFS suffers from the same thing: if one user updated the file while someone else was too, the latest changes would over-write the other's. Thanks and Good Luck!
-rich