• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2594
  • Last Modified:

how to set up efs in windows 2003 domain environment

I need to set up efs in domain environment.

It would be great if you could tell me steps to configure efs in domain.
0
CMORAZA
Asked:
CMORAZA
2 Solutions
 
BusbarCommented:
0
 
Rich RumbleSecurity SamuraiCommented:
I'd suggest using something other than EFS if you want an easy to manage solution that is secure by default. You must complete all these steps to even think that EFS might be secure: http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#E5KAE
If you can remember to do all those things and train users to follow those instructions (decrypting/encrypting files in an encrypted folder only) then there is little hope of recovering EFS data.
TrueCrypt or PGP are secure out of the gate, and they don't decrypt files on the HD and create a plain-text version that can be recovered, they decrypt in memory, so if power is lost, there is no plain-text copy on the HD as there is with EFS.
make sure you back up all keys also if using EFS
http://support.microsoft.com/kb/241201
Get to know EFS as best you can if you really want to use it http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgch_pki_rjxf.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/288af14d-66e3-4cee-bc3d-38795b046c251033.mspx?mfr=true
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx
-rich
0
 
CMORAZAAuthor Commented:
Thank you for your help.

I am having difficulty to share encrypted files with the other user on a domain environment.

encrypted files are on a file server.
The file server is trusted for delegation.
the other user has permission to open encrypted files.

Any tips would be appreciated.
0
 
Rich RumbleSecurity SamuraiCommented:
They need to be a DA, look here for adding users to the decryption agents: http://www.microsoft.com/windowsxp/using/security/expert/sharefilesefs.mspx
http://support.microsoft.com/kb/308991 If all that is in-line, try using efsinfo.exe to see if they are indeed allowed or not: efsinfo /u c:\path\to\file.txt   (or efsinfo /u \\server\sharename\file )
http://www.microsoft.com/technet/technetmag/issues/2006/05/HowITWorks/?topics=y

search tip for google, type site:site-example.com term you want to search for     like this:
http://www.google.com/search?hl=en&q=site%3Amicrosoft.com+efs+share+files&btnG=Google+Search

-rich
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now