• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 613
  • Last Modified:

How do we encrypt one folder on Windows 2003 for specific user access?

We have a Windows 2003 (small business) server, and would like to control access to a few HR related files, in one folder.  Since the files are accessed directly by MS Office, the actual folder location does not matter.  There are two files in question, and if it is simpler we can encrypt each file separately with its own password

Every user account has a password that is known to most of the other users, so normal Windows security or EFS won't work for this situation.  Due to other software running on the network, the user passwords are actually account ID's for another program, and the management does not want to change this situation.  

Is there a third party program that can hide or encrypt a folder on a server share, that will allow simple access to one or two users when they enter a password?  TrueCrypt looks promising, but it appears that if one user has it mounted (now unencrypted) that any other user can see the contents.

We have also considered running TrueCrypt or similar software on one computer, then sharing it and granting access to the other two users.  The users are not very computer literate, and will panic if forced to jump through a number of screens, etc.  TrueCrypt looks good, because it can be invoked using command line statements that can be hidden behind a shortcut.

Any ideas?
  • 3
  • 2
3 Solutions
You can encrypt files and folders directly in Windows 2003.  If you right click on the folder and click Properties, then the Advanced button, there is an Encryption check box.  This will encrypt the folder (or file) so only the user that does this can view the contents (by default).  You can then share those keys with the other user who needs access too.  I clicked on the help for the checkbox and got the following:

Best practices
Ensure files intended for encryption are created and remain encrypted

Encrypt folders before creating sensitive files in them for maximum security. Doing this causes the files to be created as encrypted and their data is never written to the disk as plaintext.
Encrypt the My Documents folder if you save most of your documents to the My Documents folder. This ensures that your personal documents are encrypted by default. For Roaming User Profiles, this should only be done when the My Documents folder is redirected to a network location.
Encrypt folders instead of individual files so that, if a program creates temporary files during editing, these are encrypted as well.
Manage private keys to ensure file security
The designated recovery agent should export the data recovery certificate and private key to disk, secure them in a safe place, and delete the data recovery private key from the system. In this way, the only person who can recover data for the system is the person who has physical access to the data recovery private key.
The number of designated recovery agents should be kept to a minimum. This exposes fewer keys to cryptographic attack and provides a higher level of assurance that encrypted data will not be decrypted inappropriately.
Use Microsoft Certificate Services to manage Encrypting File System (EFS) and Data Recovery Agent (DRA) certificates and private keys.

When configuring Certificate Services and using a custom certificate template to issue EFS certificates, do not select the Prompt the user during enrollment and require user input when the private key is used option. This option prevents EFS from using the private key for encryption or decryption.
Provide security and reliability of data at all times
Encrypt sensitive data on computers that are members of a domain. This protects against compromise of data though offline cryptographic attacks.
Use Internet Protocol security (IPSec) to ensure that data remains encrypted as it is transmitted over the network. EFS can be used in conjunction with Web Distributed Authoring and Versioning (WebDAV) to store encrypted data on the Internet. In addition, EFS can be used with Server Message Block (SMB) signing to ensure that the transmission and reception of EFS files across a network is not altered in any way.
Back up the entire server that stores server-based encrypted data regularly. This ensures that, in case of data recovery, the profiles that include decryption keys can be restored.
Rich RumbleSecurity SamuraiCommented:
There aren't many apps like EFS, where you can assign multiple users the ability to encrypt/decrypt the same data, and for good reason really...
It looks like TreCrypt is planning something like this in the future http://www.truecrypt.org/future.php
See also the FAQ
Q: It is possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?
A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
 So if the volume is open on one pc, they make their changes, and someone else had it open and they make theirs, the latest cahnges will be the saved ones.

Command line options http://www.truecrypt.org/user-guide/command-line-usage.php
Rich RumbleSecurity SamuraiCommented:
Also keyfiles allow multiple users to access data
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

4RunnerBobAuthor Commented:
EFS would work great, but there are other users who know the passwords for the specific user accounts; we are not allowed to change the passwords to something different (and unknown to others).  Don't get me started on "we never change our passwords, it is too hard to learn new ones"....  (It appears that there are scripts which use the existing passwords, and they do not want to update them.

That said, we need to provide a specific password to open up two files.  At this point it looks like TrueCrypt will work, since it blocks the second user from accessing the files until the first user has dismounted the TrueCrypt volume.

Split points awarded, since the EFS suggestion would be valid in most cases, and the TrueCrypt information was very helpful.  Thanks to both VortexAdmin and richrumble for your help.
You're welcome. Thanks for the points.  Good luck to you.
Rich RumbleSecurity SamuraiCommented:
EFS suffers from the same thing, if one user updated the file, while someone else was too, the latest changes would over-write the others. Thanks and Good Luck!

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now