How do we encrypt one folder on Windows 2003 for specific user access?

Posted on 2006-06-21
Medium Priority
Last Modified: 2011-09-20
We have a Windows 2003 (small business) server, and would like to control access to a few HR related files, in one folder.  Since the files are accessed directly by MS Office, the actual folder location does not matter.  There are two files in question, and if it is simpler we can encrypt each file separately with its own password.

Every user account has a password that is known to most of the other users, so normal Windows security or EFS won't work for this situation.  Due to other software running on the network, the user passwords are actually account IDs for another program, and the management does not want to change this situation.

Is there a third party program that can hide or encrypt a folder on a server share, that will allow simple access to one or two users when they enter a password?  TrueCrypt looks promising, but it appears that if one user has it mounted (now unencrypted) that any other user can see the contents.

We have also considered running TrueCrypt or similar software on one computer, then sharing it and granting access to the other two users.  The users are not very computer literate, and will panic if forced to jump through a number of screens, etc.  TrueCrypt looks good, because it can be invoked using command line statements that can be hidden behind a shortcut.

Any ideas?
Question by:4RunnerBob

Accepted Solution

VortexAdmin earned 1000 total points
ID: 16956005
You can encrypt files and folders directly in Windows 2003.  If you right click on the folder and click Properties, then the Advanced button, there is an Encryption check box.  This will encrypt the folder (or file) so only the user that does this can view the contents (by default).  You can then share those keys with the other user who needs access too.  I clicked on the help for the checkbox and got the following:

Best practices
Ensure files intended for encryption are created and remain encrypted

Encrypt folders before creating sensitive files in them for maximum security. Doing this causes the files to be created as encrypted and their data is never written to the disk as plaintext.
Encrypt the My Documents folder if you save most of your documents to the My Documents folder. This ensures that your personal documents are encrypted by default. For Roaming User Profiles, this should only be done when the My Documents folder is redirected to a network location.
Encrypt folders instead of individual files so that, if a program creates temporary files during editing, these are encrypted as well.
Manage private keys to ensure file security
The designated recovery agent should export the data recovery certificate and private key to disk, secure them in a safe place, and delete the data recovery private key from the system. In this way, the only person who can recover data for the system is the person who has physical access to the data recovery private key.
The number of designated recovery agents should be kept to a minimum. This exposes fewer keys to cryptographic attack and provides a higher level of assurance that encrypted data will not be decrypted inappropriately.
Use Microsoft Certificate Services to manage Encrypting File System (EFS) and Data Recovery Agent (DRA) certificates and private keys.

When configuring Certificate Services and using a custom certificate template to issue EFS certificates, do not select the Prompt the user during enrollment and require user input when the private key is used option. This option prevents EFS from using the private key for encryption or decryption.
Provide security and reliability of data at all times
Encrypt sensitive data on computers that are members of a domain. This protects against compromise of data through offline cryptographic attacks.
Use Internet Protocol security (IPSec) to ensure that data remains encrypted as it is transmitted over the network. EFS can be used in conjunction with Web Distributed Authoring and Versioning (WebDAV) to store encrypted data on the Internet. In addition, EFS can be used with Server Message Block (SMB) signing to ensure that the transmission and reception of EFS files across a network is not altered in any way.
Back up the entire server that stores server-based encrypted data regularly. This ensures that, in case of data recovery, the profiles that include decryption keys can be restored.
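The procedure in the accepted solution (encrypt the folder, then share the keys with the second user) scripted with cipher.exe, as an added example that is not part of the thread. It assumes the documented cipher.exe switches /e, /s:, /c and /adduser /certfile: (Windows XP SP1 / Server 2003 and later), PowerShell on the server, and placeholder paths and user names; as the questioner notes, EFS only helps when the account password is actually private, because anyone who logs on as that account can decrypt the files.

```powershell
# Added example, not from the thread. Placeholder path for the HR share folder.
$HrFolder = 'D:\Shares\HR\Confidential'

# Step 1 (run as the folder owner, HR user A): encrypt the folder and everything under it.
# Files created in this folder later are encrypted automatically (see "Best practices" above).
function Protect-EfsFolder {
    param([string]$Path)
    cipher.exe /e /s:$Path | Out-Null
    # /c lists, per file, which users' certificates can decrypt it
    cipher.exe /c $Path
}

# Step 2 (run as the second user, HR user B, after encrypting any file once so an EFS
# certificate exists): export the public part of B's EFS certificate to a .cer file.
function Export-EfsPublicCert {
    param([string]$OutFile)
    $efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate in this user store; encrypt one file first.' }
    # 'Cert' = DER-encoded public certificate only, no private key leaves B's profile
    [IO.File]::WriteAllBytes($OutFile, $cert.Export('Cert'))
    return $cert.Thumbprint
}

# Step 3 (run as user A): add B's certificate to every file already in the folder.
# /adduser works per file, so files created afterwards need this step repeated.
function Grant-EfsAccess {
    param([string]$Path, [string]$CertFile)
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { cipher.exe /adduser /certfile:$CertFile $_.FullName | Out-Null }
    cipher.exe /c $Path   # verify both users now appear on each file
}
```

Run Protect-EfsFolder and Grant-EfsAccess as user A and Export-EfsPublicCert as user B; the exported .cer can be handed over on any medium because it contains no private key.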

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 16959936
There aren't many apps like EFS, where you can assign multiple users the ability to encrypt/decrypt the same data, and for good reason really...
It looks like TrueCrypt is planning something like this in the future
See also the FAQ
Q: Is it possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?
A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
So if the volume is open on one PC, they make their changes, and someone else had it open and they make theirs, the latest changes will be the saved ones.

Command line options

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 16959959
Also keyfiles allow multiple users to access data
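One way to put the mount and dismount behind a shortcut, as the questioner intends, combining the read-only advice from the FAQ quoted above with a per-user keyfile; this is an added example, not code from the thread or from the TrueCrypt project. It assumes the TrueCrypt 4.x command-line switches /v, /l, /k, /m ro, /q and /d, and placeholder paths.

```powershell
# Added example, not from the thread. Placeholder paths.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Container = '\\sbs2003\HR$\hr.tc'   # the encrypted container file on the server share
$KeyFile   = 'H:\hr.key'             # this user's keyfile, kept out of the share itself

function Mount-HrVolume {
    param([string]$Letter = 'X', [switch]$ReadOnly)
    # No /p switch on purpose: TrueCrypt prompts for the password, so it is never
    # stored in the shortcut or this script where other users could read it.
    $tcArgs = @('/v', $Container, '/l', $Letter, '/k', $KeyFile, '/q')
    # Per the FAQ above, a volume open on more than one machine must be read-only
    # everywhere; give only the one editing user a read-write mount.
    if ($ReadOnly) { $tcArgs += @('/m', 'ro') }
    & $TrueCrypt @tcArgs
    return (Test-Path "${Letter}:\")   # $true when the drive letter appeared
}

function Dismount-HrVolume {
    param([string]$Letter = 'X')
    # Dismounting re-locks the data; until then the drive letter is visible to
    # anyone using this logon session, which is the behaviour the thread relies on.
    & $TrueCrypt '/d' $Letter '/q'
}
```

A shortcut target of `powershell.exe -File mount-hr.ps1` (with the functions called at the bottom of the file) gives the user the single click and password prompt described in the question.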

Author Comment

ID: 16992262
EFS would work great, but there are other users who know the passwords for the specific user accounts; we are not allowed to change the passwords to something different (and unknown to others).  Don't get me started on "we never change our passwords, it is too hard to learn new ones"....  (It appears that there are scripts which use the existing passwords, and they do not want to update them.)

That said, we need to provide a specific password to open up two files.  At this point it looks like TrueCrypt will work, since it blocks the second user from accessing the files until the first user has dismounted the TrueCrypt volume.

Split points awarded, since the EFS suggestion would be valid in most cases, and the TrueCrypt information was very helpful.  Thanks to both VortexAdmin and richrumble for your help.

Expert Comment

ID: 16992833
You're welcome. Thanks for the points.  Good luck to you.

Expert Comment

by:Rich Rumble
ID: 16992933
EFS suffers from the same thing, if one user updated the file, while someone else was too, the latest changes would over-write the others. Thanks and Good Luck!
