Solved

How do we encrypt one folder on Windows 2003 for specific user access?

Posted on 2006-06-21
605 Views
Last Modified: 2011-09-20
We have a Windows 2003 (small business) server, and would like to control access to a few HR related files, in one folder.  Since the files are accessed directly by MS Office, the actual folder location does not matter.  There are two files in question, and if it is simpler we can encrypt each file separately with its own password.

Every user account has a password that is known to most of the other users, so normal Windows security or EFS won't work for this situation.  Due to other software running on the network, the user passwords are actually account IDs for another program, and the management does not want to change this situation.  

Is there a third party program that can hide or encrypt a folder on a server share, that will allow simple access to one or two users when they enter a password?  TrueCrypt looks promising, but it appears that if one user has it mounted (now unencrypted) that any other user can see the contents.

We have also considered running TrueCrypt or similar software on one computer, then sharing it and granting access to the other two users.  The users are not very computer literate, and will panic if forced to jump through a number of screens, etc.  TrueCrypt looks good, because it can be invoked using command line statements that can be hidden behind a shortcut.

Any ideas?
Question by:4RunnerBob
6 Comments
 
LVL 5

Accepted Solution

by:
VortexAdmin earned 250 total points
ID: 16956005
You can encrypt files and folders directly in Windows 2003.  If you right click on the folder and click Properties, then the Advanced button, there is an Encryption check box.  This will encrypt the folder (or file) so only the user that does this can view the contents (by default).  You can then share those keys with the other user who needs access too.  I clicked on the help for the checkbox and got the following:

Best practices
Ensure files intended for encryption are created and remain encrypted

Encrypt folders before creating sensitive files in them for maximum security. Doing this causes the files to be created as encrypted and their data is never written to the disk as plaintext.
Encrypt the My Documents folder if you save most of your documents to the My Documents folder. This ensures that your personal documents are encrypted by default. For Roaming User Profiles, this should only be done when the My Documents folder is redirected to a network location.
Encrypt folders instead of individual files so that, if a program creates temporary files during editing, these are encrypted as well.
Manage private keys to ensure file security
The designated recovery agent should export the data recovery certificate and private key to disk, secure them in a safe place, and delete the data recovery private key from the system. In this way, the only person who can recover data for the system is the person who has physical access to the data recovery private key.
The number of designated recovery agents should be kept to a minimum. This exposes fewer keys to cryptographic attack and provides a higher level of assurance that encrypted data will not be decrypted inappropriately.
Use Microsoft Certificate Services to manage Encrypting File System (EFS) and Data Recovery Agent (DRA) certificates and private keys.
 
Caution

When configuring Certificate Services and using a custom certificate template to issue EFS certificates, do not select the Prompt the user during enrollment and require user input when the private key is used option. This option prevents EFS from using the private key for encryption or decryption.
Provide security and reliability of data at all times
Encrypt sensitive data on computers that are members of a domain. This protects against compromise of data through offline cryptographic attacks.
Use Internet Protocol security (IPSec) to ensure that data remains encrypted as it is transmitted over the network. EFS can be used in conjunction with Web Distributed Authoring and Versioning (WebDAV) to store encrypted data on the Internet. In addition, EFS can be used with Server Message Block (SMB) signing to ensure that the transmission and reception of EFS files across a network is not altered in any way.
Back up the entire server that stores server-based encrypted data regularly. This ensures that, in case of data recovery, the profiles that include decryption keys can be restored.
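The folder-level encryption the answer above describes, done from the command line instead of the Properties dialog, as an added example (not code from the original answer). It uses cipher.exe, which is the same EFS operation the Advanced > Encrypt checkbox performs, and then audits the tree so nothing is left in plaintext. The folder path is an assumption; run it on the file server as the account that should own the files.

```powershell
# Added example, not from the original answer: apply EFS to the whole HR folder
# with cipher.exe, then audit that nothing under it is still plaintext.
# Run on the Windows Server 2003 file server as the account that should own the
# files. The folder path is an assumption.
$HrFolder = 'D:\Shares\HR\Confidential'   # assumed folder location

# 1. Encrypt the folder tree. /s:dir recurses into subdirectories, /a operates
#    on the files as well as the directory entries. Encrypting the folder rather
#    than the two files means Office's temporary and autosave files created in
#    it later are encrypted from their first write (best practice above).
& cipher.exe /e /a "/s:$HrFolder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# 2. Audit: list every item whose Encrypted attribute is not set. cipher skips
#    files it cannot open, e.g. a document someone currently has open in Word,
#    so this is the check that tells you whether step 1 actually finished.
function Get-PlaintextItems {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
}

$plain = @(Get-PlaintextItems -Path $HrFolder)
if ($plain.Count -eq 0) {
    Write-Host "Every item under $HrFolder carries the Encrypted attribute."
} else {
    Write-Warning "Still plaintext; re-run cipher once these files are closed:"
    $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# 3. Cross-check with cipher's own listing: E = encrypted, U = unencrypted.
& cipher.exe $HrFolder
```

On Windows Server 2003 the second user's EFS certificate is added per file through Properties > Advanced > Details > Add (cipher.exe on that release has no switch for it), and the dialog only offers certificates it can find, so the other user must have logged on and encrypted something at least once, or have a certificate published in Active Directory. The caveat that matters for this thread: the EFS private key is unlocked by the owner's logon password, so anyone who can log on as that user can read the files, which is exactly the asker's objection.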
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 16959936
There aren't many apps like EFS, where you can assign multiple users the ability to encrypt/decrypt the same data, and for good reason really...
It looks like TrueCrypt is planning something like this in the future http://www.truecrypt.org/future.php
See also the FAQ
Q: Is it possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?
A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
So if the volume is open on one PC, they make their changes, and someone else had it open and they make theirs, the latest changes will be the saved ones.
http://www.truecrypt.org/user-guide/multi-user-environment.php

Command line options http://www.truecrypt.org/user-guide/command-line-usage.php
-rich
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 16959959
Also keyfiles allow multiple users to access data
http://www.truecrypt.org/user-guide/keyfiles.php
-rich
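A wrapper that the HR user can launch from a desktop shortcut, covering the command-line usage and keyfile pages linked in the two posts above, as an added example (not code from the thread or from TrueCrypt). It uses only switches documented on the command-line-usage page (/v volume, /l drive letter, /k keyfile, /m ro read-only mount, /q quit after the action, /d dismount). The lock-file rule that makes a second concurrent mount read-only is this example's own addition, not a TrueCrypt feature; it exists because the FAQ quoted above requires every additional mount of the same volume to be read-only. Server name, paths, drive letter and keyfile location are assumptions.

```powershell
# Added example, not part of the thread: shortcut wrapper around TrueCrypt's
# command line. Run as:  powershell .\hr-volume.ps1 mount   (or dismount)
# Server name, paths, drive letter and keyfile location are assumptions.
param([string]$Action = 'mount')          # 'mount' or 'dismount'

$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Volume    = '\\sbs01\HR\hr-files.tc'     # assumed container on the server share
$Letter    = 'H'
$Keyfile   = "$env:USERPROFILE\hr.key"    # assumed per-user keyfile, kept off the share
$Lock      = "$Volume.lock"               # this example's own writer lock, beside the container

function Invoke-TrueCrypt([string[]]$ArgList) {
    # TrueCrypt.exe is a GUI program, so PowerShell would not wait for it;
    # start it explicitly, wait, and return its exit code.
    $quoted = $ArgList | ForEach-Object { if ($_ -match '\s') { '"' + $_ + '"' } else { $_ } }
    $p = [Diagnostics.Process]::Start($TrueCrypt, ($quoted -join ' '))
    $p.WaitForExit()
    return $p.ExitCode
}

function Remove-OwnLock {
    # Only the user who took the lock releases it.
    if ((Test-Path $Lock) -and ((Get-Content $Lock) -eq $env:USERNAME)) { Remove-Item $Lock }
}

if ($Action -eq 'dismount') {
    $code = Invoke-TrueCrypt @('/d', $Letter, '/q')
    Remove-OwnLock
    exit $code
}

# Mount. Deliberately no /p switch: the user types the password into
# TrueCrypt's own prompt, so it never sits in a shortcut, script or process
# command line. The keyfile is a second factor on top of that password.
$tcArgs = @('/v', $Volume, '/l', $Letter, '/k', $Keyfile, '/q')

if (Test-Path $Lock) {
    # Someone else has it open for writing: mount read-only, per the FAQ.
    $owner = Get-Content $Lock
    Write-Host "$owner has the HR volume open; mounting it read-only."
    $tcArgs += @('/m', 'ro')
} else {
    Set-Content -Path $Lock -Value $env:USERNAME
}

$code = Invoke-TrueCrypt $tcArgs
if ($code -ne 0) {
    # Mount failed (wrong password, letter in use): do not leave a stale lock.
    Remove-OwnLock
    throw "TrueCrypt exited with code $code"
}
```

The lock is cooperative: it only works if everyone goes through this wrapper, there is a small window between the Test-Path and Set-Content where two users starting at the same instant could both mount read-write, and a crash leaves a stale lock that an administrator has to delete. It does not change the behaviour Rich describes: if two users do get the volume mounted read-write, the last one to dismount wins.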

Author Comment

by:4RunnerBob
ID: 16992262
EFS would work great, but there are other users who know the passwords for the specific user accounts; we are not allowed to change the passwords to something different (and unknown to others).  Don't get me started on "we never change our passwords, it is too hard to learn new ones"....  (It appears that there are scripts which use the existing passwords, and they do not want to update them.)

That said, we need to provide a specific password to open up two files.  At this point it looks like TrueCrypt will work, since it blocks the second user from accessing the files until the first user has dismounted the TrueCrypt volume.

Split points awarded, since the EFS suggestion would be valid in most cases, and the TrueCrypt information was very helpful.  Thanks to both VortexAdmin and richrumble for your help.
LVL 5

Expert Comment

by:VortexAdmin
ID: 16992833
You're welcome. Thanks for the points.  Good luck to you.
LVL 38

Expert Comment

by:Rich Rumble
ID: 16992933
EFS suffers from the same thing: if one user updated the file while someone else was too, the latest changes would overwrite the others. Thanks and good luck!
-rich