EFS not working (network share, cannot share with other users)


We have configured EFS with our CA and can encrypt and decrypt files on network shares, but when we try to add additional users to the encryption security we get an "Access Denied" error.

Windows 2003 AD
Windows 2008 file server
Windows 2003 CA

All test users are enrolled into EFS.
Rich Rumble (Security Samurai) commented:
There are some caveats to EFS that make it a poor choice as well. For example, when you copy a document over the network it's copied in plain text (decrypted on the remote share, then copied). If you have the proper keys and you copy an EFS file to media like a USB stick or onto a CD, EFS again decrypts the file. The encryption in EFS is only local; once the data is in motion, or placed on any non-NTFS media, it's decrypted.
http://technet.microsoft.com/en-us/magazine/2006.05.howitworks.aspx (just above "Sharing files" it says):
However, if a user has the permission to decrypt a file, and that user copies or moves an encrypted file to a file allocation table (FAT) or FAT32 partition, the destination file will be unencrypted.
That article may help with EFS when you're sharing. I forgot, you may have to enable WebDAV for it to work...

So to keep a Word document encrypted, you'd want to password protect it using Office's native "password to open" encryption. Office 2010 has the strongest crypto, but Office 2007 isn't too bad; anything before that is very weak. Sharing passwords, however, isn't looked upon well, so there is that.

You may look into PGP/GPG file encryption, PGP being the commercial one with the largest user base. GPG is pretty clunky, but just as secure technically. Both require software to be installed.

There are self-extracting archives you can password protect, but they too require a password to be shared, and don't typically let you re-compress them once they are edited.

Another solution could be SharePoint, or some other file management system; even SVN/Git or CVS can be used to collaborate and manage files securely.

Do you need secure document sharing/editing? Or is it some other file type?
The question is who is we? Administrators?
Only the original user who created the file can add the additional users/certificates that can access the file.


There might be ways, but that will depend on company policy on who can access/control access to efs data.
Rich Rumble (Security Samurai) commented:
You have to add people to the DRA's for that to work, and it has to be FILE level not the FOLDER level. So if you have 100 files in the folder, you need to do this 100 times for each user that will need access!!
To allow a user to encrypt or decrypt a file:
    1. Right-click the encrypted file that you want to change, and then click Properties.
    2. On the General tab, click Advanced. In Advanced Attributes, click Details.
    3. To add a user to this file, click Add, and then do one of the following:
        - To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
        - To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
        - To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
        - To remove a user from this file, click the user name and then click Remove.

EFS is nice, but it's not always the best encryption product to use, see my articles here and here.

NHATech (Author) commented:
Thank you RichRumble, your links are very informative.

I have added the users to the encryption through AD, but I still get access denied. I can see both users in the window allowed to decrypt and read, I have also granted the appropriate rights.
Rich Rumble (Security Samurai) commented:
Make sure the Certificates are present using certmgr.msc, you can use cipher.exe to examine the files further from the command line. "cipher.exe path\to\file"
I'll do a few examples and see if I missed any steps, it's been a few years since I gave up on using EFS.
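Added example (not code from the thread or from any participant): a PowerShell script that does what the certmgr.msc and cipher.exe checks above describe, and then performs the per-file "add user" step from the earlier post for every encrypted file under a folder in one pass, using cipher.exe /adduser rather than the GUI. It assumes it is run as the user who encrypted the files (only a user who can decrypt a file can add others to it), that the colleague's EFS certificate has been exported to a .cer file, and that the folder and file paths are constructed placeholders.

```powershell
# Constructed example paths; replace with real ones.
$Folder       = 'D:\Shared\Contracts'       # folder containing EFS-encrypted files
$OtherUserCer = 'C:\Certs\jsmith-efs.cer'   # exported public EFS certificate of the colleague

# 1. Confirm the caller has an EFS certificate WITH a private key in the personal store.
#    This is the same view certmgr.msc gives under Personal > Certificates; the EFS
#    enhanced key usage OID is 1.3.6.1.4.1.311.10.3.4.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') }
if (-not $efsCerts) {
    throw 'No EFS certificate with a private key in the personal store; enroll this user first.'
}
Write-Host "EFS certificates available to this user:"
$efsCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# 2. List encryption state of the files: cipher marks each file E (encrypted) or U (not).
Write-Host "Encryption state under $Folder :"
cipher.exe /s:$Folder

# 3. Grant the colleague's certificate access to every encrypted file under the folder.
#    /adduser needs the caller to be able to decrypt each file; files the caller cannot
#    decrypt produce an error (the "Access Denied" seen in the question) and a nonzero exit code.
cipher.exe /adduser /certfile:$OtherUserCer /s:$Folder
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cipher.exe reported errors (exit code $LASTEXITCODE); check which files were not updated."
}

# 4. Verify: /c shows, per file, the users (certificate thumbprints) who can decrypt it.
Write-Host "Users who can decrypt each file:"
cipher.exe /c /s:$Folder
```

Because the check in step 1 runs in the caller's own store, run it once as each test user to confirm they were really enrolled before blaming the share.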
NHATech (Author) commented:
What are you using now? What would you recommend using as an enterprise solution?

Rich Rumble (Security Samurai) commented:
What sort of files, and how much do others need shared access? For the most part we don't have users accessing the same files; most collaboration is done in our database. We use file permissions more than anything; important data, again, is accessed via the web (https) and stored in a DB (encrypted).
It all depends on your situation, if you want to explain the dilemma perhaps there are other ways than EFS.
NHATech (Author) commented:
The part that makes this difficult is the requirement to share the same files with multiple users.

I will continue to test; hopefully we can get this working in the interim.