EFS questions - service account and limit scope
I have a user who wants to pull photos from an encrypted folder as part of an Oracle (Hyperion) process. We have a 2003 domain with 2008 servers (except DC(s) of course). If I want to be able to encrypt a folder I need to create a couple of recovery agents, and ideally have a CA with the EFS template defined.
Is it possible to limit the scope of EFS? I want to encrypt a single folder, not enable EFS domain-wide.
May 31st, 2012 2:48pm
Hello,
EFS will be enabled on the folder or file; this is not a domain setting, it belongs to the machine where the folder is located. And if you enable the Recovery agent on domain level, which is always recommended if EFS is used, then this is domain-wide and not possible for only one folder.
If that is a single user only and a single machine you may think about, together with the user, having only local EFS enabled and be sure to get the certificate as backup. But the domain option is the better way to be sure about recovery options.
More details about EFS see in
http://technet.microsoft.com/en-us/library/bb457116.aspx
http://technet.microsoft.com/en-us/library/cc875821.aspx
For EFS in detail please ask in
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 1st, 2012 5:12am
My concern is once we put recovery agents in place anyone can encrypt a folder. Right now, because our recovery agent is expired, the encryption process fails before it starts.
It feels like VSS. Once it's working anyone with modify rights can utilize it, as a service per se. I only need to encrypt specific folders, not enable a domain-wide service.
Does that make sense?
June 1st, 2012 11:11am
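The point made in the reply above is that EFS is a per-machine (NTFS) capability, while the recovery agent is a domain-wide policy. As an added example that is not part of this thread, the PowerShell below audits one server for EFS use and shows the per-machine switch that decides whether NTFS will encrypt anything at all; the share path is a placeholder.

```powershell
# Added example, not from the thread. Audits EFS on one file server and
# exposes the machine-level switch (NtfsDisableEncryption) that is
# independent of the domain recovery-agent policy. Run elevated on the
# server; 'D:\HyperionPhotos' is a placeholder path.

$FsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Get-EfsMachineState {
    # NtfsDisableEncryption = 1 means this machine refuses to encrypt new
    # files, whatever the domain says about recovery agents.
    $v = (Get-ItemProperty -Path $FsKey -Name NtfsDisableEncryption `
            -ErrorAction SilentlyContinue).NtfsDisableEncryption
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EncryptionDisabled = ($v -eq 1)
    }
}

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Walk the tree and report every file carrying the Encrypted attribute,
    # so you can see who is already using EFS on this server.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        Select-Object FullName, Length, LastWriteTime
}

function Set-EfsMachineState {
    # Flip the per-machine switch. The CLI equivalent is
    # "fsutil behavior set disableencryption 1". Files that are already
    # encrypted stay encrypted; only new encryption is refused.
    param([Parameter(Mandatory = $true)][bool]$Disabled)
    Set-ItemProperty -Path $FsKey -Name NtfsDisableEncryption `
        -Value ([int]$Disabled) -Type DWord
    Write-Warning 'A reboot may be required before the change applies.'
}

# Usage on the server that holds the photo share (placeholder path):
Get-EfsMachineState
Get-EfsEncryptedFile -Path 'D:\HyperionPhotos' | Format-Table -AutoSize
```

Because the switch is per machine, one way to keep a domain-level recovery agent while still narrowing where EFS can be used is to set it to 1 (via Group Policy Preferences or this function) on every server except the one that hosts the folder in question.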
Hello,
Seems that you didn't configure the recovery agent correctly; this should NOT be each user, this is a dedicated account that is used by trusted persons with the required permissions.
Please use the mentioned security forum about the correct configuration for EFS.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 2nd, 2012 12:06pm