EFS not working (network share, cannot share with other users)


We have configured EFS with our CA and can encrypt and decrypt files on network shares, but when we try to add additional users to the encryption security we get an "Access Denied" error.

Windows 2003 AD
Windows 2008 file server
Windows 2003 CA

All test users are enrolled into EFS.

The question is: who is "we"? Administrators?
Only the original user who created the file can add the additional users/certificates that can access the file.


There might be ways, but that will depend on company policy on who can access/control access to EFS data.
Rich Rumble (Security Samurai) commented:
You have to add people to the DRAs for that to work, and it has to be at the FILE level, not the FOLDER level. So if you have 100 files in the folder, you need to do this 100 times for each user that will need access!!
    To allow a user to encrypt or decrypt a file
        Right-click the encrypted file that you want to change, and then click Properties.
        On the General tab, click Advanced. In Advanced Attributes, click Details.
        To add a user to this file, click Add, and then do one of the following:
            To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
            To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
            To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
            To remove a user from this file, click the user name and then click Remove.

EFS is nice, but it's not always the best encryption product to use, see my articles here and here.
NHATech (Author) commented:
Thank you RichRumble, your links are very informative.

I have added the users to the encryption through AD, but I still get access denied. I can see both users in the window allowed to decrypt and read, I have also granted the appropriate rights.

Rich Rumble (Security Samurai) commented:
Make sure the certificates are present using certmgr.msc; you can use cipher.exe to examine the files further from the command line: "cipher.exe path\to\file"
I'll do a few examples and see if I missed any steps, it's been a few years since I gave up on using EFS.
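The two checks Rich describes (certificates present in certmgr.msc, and cipher.exe to inspect a file) and the per-file "add a user" step from his earlier comment can all be done from PowerShell. The script below is an added example, not code from the thread or from Microsoft. It assumes Windows Vista / Server 2008 or later cipher.exe (which has the /C and /ADDUSER switches), is run on the file server itself as the user who originally encrypted the files, and uses a placeholder folder path and a placeholder thumbprint for the other user's EFS certificate.

```powershell
# Added example, not from the thread. Assumes cipher.exe from Vista / Server 2008 or later,
# run locally on the file server as the user who encrypted the files.
$folder = 'D:\Shares\Docs'                                          # placeholder local path on the file server
$otherUserThumbprint = '0000000000000000000000000000000000000000'  # placeholder SHA-1 thumbprint of the other user's EFS cert

# 1. Confirm the current user holds an EFS certificate (what certmgr.msc shows under Personal).
#    1.3.6.1.4.1.311.10.3.4 is the Enhanced Key Usage OID for Encrypting File System.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ekus = $_.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $ekus -contains $efsOid
}
if (-not $efsCerts) { throw 'No EFS certificate in the current user store; enrol before continuing.' }
$efsCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# 2. List the encrypted files in the folder and show who can currently decrypt each one
#    (users and recovery agents): the command-line equivalent of the Advanced > Details dialog.
$encryptedFlag = [IO.FileAttributes]::Encrypted
$encrypted = Get-ChildItem -LiteralPath $folder | Where-Object {
    (-not $_.PSIsContainer) -and (($_.Attributes -band $encryptedFlag) -eq $encryptedFlag)
}
foreach ($f in $encrypted) { cipher.exe /C $f.FullName }

# 3. EFS access is granted per file, so add the second user on every encrypted file in the folder.
#    /CERTHASH looks the certificate up by thumbprint; use /CERTFILE:<path.cer> instead if you only
#    have the other user's exported public certificate.
foreach ($f in $encrypted) {
    cipher.exe /ADDUSER "/CERTHASH:$otherUserThumbprint" $f.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add user on $($f.FullName)" }
}

# 4. Re-check one file to confirm the new user now appears in the decrypt list.
if ($encrypted) { cipher.exe /C $encrypted[0].FullName }
```

If step 1 finds no certificate, the "Access Denied" in the question is expected: the user adding or being added has no usable EFS key on that machine. If step 3 fails for files the current user did not create, that matches the earlier answer that only the original encrypting user can add others to a file.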
NHATech (Author) commented:
What are you using now? What would you recommend using as an enterprise solution?

Rich Rumble (Security Samurai) commented:
What sort of files, and how much do others need shared access? For the most part we don't have users accessing the same files; most collaboration is done in our database. We use file permissions more than anything; important data, again, is accessed via the web (HTTPS) and stored in a DB (encrypted).
It all depends on your situation, if you want to explain the dilemma perhaps there are other ways than EFS.
NHATech (Author) commented:
The part that makes this difficult is the requirement to share the same files with multiple users.

I will continue to test; hopefully we can get this working in the interim.
Rich Rumble (Security Samurai) commented:
There are some caveats to EFS that make it a poor choice as well, for example when you copy a document over the network it's copied in plain-text (decrypted on the remote share, then copied). If you have the proper keys, and you copy an EFS file to media like a USB stick, or onto a CD, EFS again decrypts the file. The encryption in EFS is only local, once the data is in motion, or placed on any NON-NTFS media, it's decrypted.
http://technet.microsoft.com/en-us/magazine/2006.05.howitworks.aspx (just above "Sharing files" it says):
However, if a user has the permission to decrypt a file, and that user copies or moves an encrypted file to a file allocation table (FAT) or FAT32 partition, the destination file will be unencrypted.
That article may help with EFS when you're sharing, I forgot you may have to enable Web-dav for it to work...

So to keep a Word document encrypted, you'd want to password protect it using Office's native "password to open" encryption. Office 2010 has the strongest crypto, but Office 2007 isn't too bad; anything before that is very weak. Sharing passwords, however, isn't looked upon well, so there is that.

You may look into PGP/GPG file encryption, PGP being the commercial one with the largest user base. GPG is pretty clunky, but just as secure technically. Both require software to be installed.

There are self-extracting archives you can password protect, but they too require a password to be shared, and don't typically let you re-compress them once they are edited.

Another solution could be SharePoint or some other file management system; even SVN/Git or CVS can be used to collaborate on and manage files securely.

Do you need secure document sharing/editing? Or is it some other file type?
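The caveat above (an EFS file copied to FAT/FAT32 or removable media, or across the network, arrives decrypted) can be turned into a guard. The function below is an added example, not code from the thread or from Microsoft: it refuses to copy an EFS-encrypted file unless the destination is a local NTFS volume, and after the copy it verifies the Encrypted attribute survived, deleting the copy if it did not. Paths in the usage line are placeholders; absolute paths are assumed.

```powershell
# Added example, not from the thread. Copies an EFS-encrypted file only to a local NTFS
# volume and checks that the result is still encrypted.
function Copy-EfsFileChecked {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination
    )
    $encryptedFlag = [IO.FileAttributes]::Encrypted
    $src = Get-Item -LiteralPath $Source
    if (($src.Attributes -band $encryptedFlag) -ne $encryptedFlag) {
        throw "$Source is not EFS-encrypted; nothing to protect."
    }

    # Resolve the target; if it is an existing folder, keep the source file name.
    $destFull = [IO.Path]::GetFullPath($Destination)
    if (Test-Path -LiteralPath $destFull -PathType Container) {
        $destFull = Join-Path $destFull $src.Name
    }

    $root = [IO.Path]::GetPathRoot($destFull)
    if ($root.StartsWith('\\')) {
        # UNC target: the remote file system cannot be checked from here, and EFS gives no
        # protection on the wire (the data is decrypted before it leaves this machine).
        throw "Refusing to copy to network path $root; EFS does not protect the file in transit."
    }
    $drive = New-Object System.IO.DriveInfo($root)
    if ($drive.DriveFormat -ne 'NTFS') {
        # FAT/FAT32/exFAT have no EFS metadata, so the copy would be written in clear.
        throw "Refusing to copy: $root is $($drive.DriveFormat), which cannot hold an EFS-encrypted file."
    }

    Copy-Item -LiteralPath $Source -Destination $destFull
    $dst = Get-Item -LiteralPath $destFull
    if (($dst.Attributes -band $encryptedFlag) -ne $encryptedFlag) {
        # The copy landed unencrypted (e.g. destination folder policy); do not leave a clear copy behind.
        Remove-Item -LiteralPath $destFull -Force
        throw "Copy of $Source to $destFull arrived unencrypted and was removed."
    }
    return $dst
}

# Usage (placeholder paths):
# Copy-EfsFileChecked -Source 'D:\Shares\Docs\report.docx' -Destination 'E:\Backup\'
```

The post-copy check is the important part: even on NTFS, a copy made by a user without the key, or into a folder the server has marked as unencrypted, can silently produce plaintext, and nothing in the copy operation itself reports that.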
