Solved

How do we encrypt one folder on Windows 2003 for specific user access?

Posted on 2006-06-21
602 Views
Last Modified: 2011-09-20
We have a Windows 2003 (small business) server, and would like to control access to a few HR related files, in one folder.  Since the files are accessed directly by MS Office, the actual folder location does not matter.  There are two files in question, and if it is simpler we can encrypt each file separately with its own password.

Every user account has a password that is known to most of the other users, so normal Windows security or EFS won't work for this situation.  Due to other software running on the network, the user passwords are actually account IDs for another program, and the management does not want to change this situation.

Is there a third party program that can hide or encrypt a folder on a server share, that will allow simple access to one or two users when they enter a password?  TrueCrypt looks promising, but it appears that if one user has it mounted (now unencrypted) that any other user can see the contents.

We have also considered running TrueCrypt or similar software on one computer, then sharing it and granting access to the other two users.  The users are not very computer literate, and will panic if forced to jump through a number of screens, etc.  TrueCrypt looks good, because it can be invoked using command line statements that can be hidden behind a shortcut.

Any ideas?
Question by: 4RunnerBob

6 Comments

Accepted Solution by: VortexAdmin (earned 250 total points)
You can encrypt files and folders directly in Windows 2003.  If you right click on the folder and click Properties, then the Advanced button, there is an Encryption check box.  This will encrypt the folder (or file) so only the user that does this can view the contents (by default).  You can then share those keys with the other user who needs access too.  I clicked on the help for the checkbox and got the following:

Best practices

Ensure files intended for encryption are created and remain encrypted:
- Encrypt folders before creating sensitive files in them for maximum security. Doing this causes the files to be created as encrypted and their data is never written to the disk as plaintext.
- Encrypt the My Documents folder if you save most of your documents to the My Documents folder. This ensures that your personal documents are encrypted by default. For Roaming User Profiles, this should only be done when the My Documents folder is redirected to a network location.
- Encrypt folders instead of individual files so that, if a program creates temporary files during editing, these are encrypted as well.

Manage private keys to ensure file security:
- The designated recovery agent should export the data recovery certificate and private key to disk, secure them in a safe place, and delete the data recovery private key from the system. In this way, the only person who can recover data for the system is the person who has physical access to the data recovery private key.
- The number of designated recovery agents should be kept to a minimum. This exposes fewer keys to cryptographic attack and provides a higher level of assurance that encrypted data will not be decrypted inappropriately.
- Use Microsoft Certificate Services to manage Encrypting File System (EFS) and Data Recovery Agent (DRA) certificates and private keys.

Caution: When configuring Certificate Services and using a custom certificate template to issue EFS certificates, do not select the "Prompt the user during enrollment and require user input when the private key is used" option. This option prevents EFS from using the private key for encryption or decryption.

Provide security and reliability of data at all times:
- Encrypt sensitive data on computers that are members of a domain. This protects against compromise of data through offline cryptographic attacks.
- Use Internet Protocol security (IPSec) to ensure that data remains encrypted as it is transmitted over the network. EFS can be used in conjunction with Web Distributed Authoring and Versioning (WebDAV) to store encrypted data on the Internet. In addition, EFS can be used with Server Message Block (SMB) signing to ensure that the transmission and reception of EFS files across a network is not altered in any way.
- Back up the entire server that stores server-based encrypted data regularly. This ensures that, in case of data recovery, the profiles that include decryption keys can be restored.
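The accepted solution describes the EFS steps through the folder's Properties dialog. The same encryption can be applied from the command line with the cipher.exe tool that ships with Windows Server 2003, which is handy for an administrator preparing the HR folder before the files are placed in it. The batch file below is an added example, not code from the thread or from Microsoft; the share path, backup file name and user names are constructed placeholders, and the /x switch is assumed to be present on the server's build of cipher.exe.

```batch
@echo off
REM Added example (not from the thread): encrypt an HR folder with EFS
REM from the command line on Windows Server 2003 using the built-in cipher.exe.
REM D:\Shares\HR\Confidential is a constructed placeholder path.
set HRDIR=D:\Shares\HR\Confidential

REM 1. Encrypt the folder while it is still empty, as the "best practices"
REM    quoted above recommend, so files created in it later are never
REM    written to disk as plaintext.
REM    /e = encrypt, /s:dir = apply to the folder and its subfolders,
REM    /a = also encrypt files already present, not only the folder flag.
cipher /e /s:"%HRDIR%" /a
if errorlevel 1 (
    echo Encryption failed. Is the volume NTFS, and is EFS allowed by policy?
    exit /b 1
)

REM 2. Verify the result: cipher with no switches lists each entry, marking
REM    encrypted ones with "E" and unencrypted ones with "U".
cipher "%HRDIR%"

REM 3. Back up the EFS certificate and private key of the account that ran
REM    the encryption. Without this backup (or a working recovery agent) the
REM    files cannot be read again after a lost profile or a reinstall.
REM    /x is assumed to exist on this cipher.exe build; if it does not, export
REM    the certificate with its private key from certmgr.msc instead.
REM    Move the resulting .pfx off the server and protect it with a password
REM    that is not one of the shared account passwords mentioned in the question.
cipher /x "%USERPROFILE%\efs-backup"

REM 4. Giving the second HR user access is done per file in the GUI on this
REM    OS version: file Properties > Advanced > Details > Add, then pick that
REM    user's EFS certificate. The user must have logged on and encrypted
REM    something once so that an EFS certificate exists for them.
```

Run the file once as the account that will own the folder; afterwards, check that only the intended accounts appear in the Details list of each file, and keep in mind the point the thread later makes that EFS does nothing about two people editing the same file at the same time.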

Assisted Solution by: Rich Rumble (earned 250 total points)
There aren't many apps like EFS, where you can assign multiple users the ability to encrypt/decrypt the same data, and for good reason really...
It looks like TrueCrypt is planning something like this in the future http://www.truecrypt.org/future.php
See also the FAQ
Q: Is it possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?
A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
So if the volume is open on one PC and they make their changes, and someone else had it open and makes theirs, the latest changes will be the saved ones.
http://www.truecrypt.org/user-guide/multi-user-environment.php

Command line options http://www.truecrypt.org/user-guide/command-line-usage.php
-rich

Assisted Solution by: Rich Rumble (earned 250 total points)
Also keyfiles allow multiple users to access data
http://www.truecrypt.org/user-guide/keyfiles.php
-rich
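Rich's two answers point at the TrueCrypt command-line usage page and at keyfiles, and the asker wants the mount hidden behind a shortcut. The batch file below is an added example of how those pieces fit together; it is not from the thread or from the TrueCrypt project. The switches (/v, /l, /k, /m ro, /c, /q, /e, /d, /s) are the ones documented in the TrueCrypt user guide for the Windows build; the server name, share, container and keyfile paths are constructed placeholders.

```batch
@echo off
REM Added example (not from the thread): a shortcut-friendly batch file that
REM mounts a TrueCrypt container stored on a network share.
REM Usage:  hr-volume.bat view   (read-only, safe alongside other users)
REM         hr-volume.bat edit   (read-write, one person at a time)
REM All paths below are constructed placeholders.
set TC="C:\Program Files\TrueCrypt\TrueCrypt.exe"
set VOLUME=\\sbs2003\hr$\hr-files.tc
set LETTER=H
REM Each authorized user keeps a copy of the volume's keyfile in their own
REM profile; the volume will not open with the password alone.
set KEYFILE="%USERPROFILE%\hr-volume.key"

REM No /p switch: TrueCrypt prompts for the volume password itself. Putting
REM the password in this file or in the shortcut would hand it to anyone who
REM can read the file, which defeats the purpose in the asker's situation.
REM /c n stops TrueCrypt caching the password in memory between mounts.

if /i "%1"=="view" (
    REM Read-only mount, as the FAQ quoted above requires when a shared
    REM volume may be mounted from more than one system at once.
    %TC% /v "%VOLUME%" /l %LETTER% /k %KEYFILE% /m ro /c n /q /e
    goto :eof
)

REM Read-write mount for the one person editing the files.
%TC% /v "%VOLUME%" /l %LETTER% /k %KEYFILE% /c n /q /e
if not exist %LETTER%:\ (
    echo Volume did not mount. Check the password and keyfile, and whether
    echo somebody else already has it open.
    exit /b 1
)

REM Keep this window open while editing; dismounting as soon as the user is
REM done shortens the window in which a second editor could overwrite changes.
echo %LETTER%: is mounted. Close your documents, then press any key to dismount.
pause >nul
%TC% /d %LETTER% /q /s
```

Two shortcuts, one passing view and one passing edit, give the non-technical users in the question a single click each. Note that in the scenario described (account passwords known to other staff), a keyfile stored in the user's profile is only as private as that account, so the prompted volume password is the secret that actually protects the files and must never be written into the shortcut.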

Author Comment by: 4RunnerBob
EFS would work great, but there are other users who know the passwords for the specific user accounts; we are not allowed to change the passwords to something different (and unknown to others).  Don't get me started on "we never change our passwords, it is too hard to learn new ones"....  (It appears that there are scripts which use the existing passwords, and they do not want to update them.)

That said, we need to provide a specific password to open up two files.  At this point it looks like TrueCrypt will work, since it blocks the second user from accessing the files until the first user has dismounted the TrueCrypt volume.

Split points awarded, since the EFS suggestion would be valid in most cases, and the TrueCrypt information was very helpful.  Thanks to both VortexAdmin and richrumble for your help.

Expert Comment by: VortexAdmin
You're welcome. Thanks for the points.  Good luck to you.

Expert Comment by: Rich Rumble
EFS suffers from the same thing: if one user updated the file while someone else was doing so too, the latest changes would overwrite the others. Thanks and Good Luck!
-rich