EFS questions - service account and limit scope
I have a user who wants to pull photos from an encrypted folder as part of an Oracle (Hyperion) process. We have a 2003 domain with 2008 servers (except the DC(s), of course). If I want to be able to encrypt a folder I need to create a couple of recovery agents, and ideally have a CA with the EFS template defined. Is it possible to limit the scope of EFS? I want to encrypt a single folder, not enable EFS domain-wide.
May 31st, 2012 2:48pm

Hello, EFS will be enabled on the folder or file; this is not a domain setting, it belongs to the machine where the folder is located. And if you enable the recovery agent on domain level, which is always recommended if EFS is used, then this is domain-wide and not possible for only one folder. If that is a single user only and a single machine, you may think about, together with the user, having only local EFS enabled and be sure to get the certificate as backup. But the domain option is the better way to be sure about recovery options. For more details about EFS see http://technet.microsoft.com/en-us/library/bb457116.aspx and http://technet.microsoft.com/en-us/library/cc875821.aspx. For EFS in detail please ask in http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Best regards
Meinolf Weber MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 1st, 2012 5:12am


My concern is that once we put recovery agents in place, anyone can encrypt a folder. Right now, because our recovery agent is expired, the encryption process fails before it starts. It feels like VSS: once it's working, anyone with modify rights can utilize it, as a service per se. I only need to encrypt specific folders, not enable a domain-wide service. Does that make sense?
June 1st, 2012 11:11am

Hello, it seems that you didn't configure the recovery agent correctly; this should NOT be each user, this is a dedicated account that is used by trusted persons with the required permissions. Please use the mentioned security forum about the correct configuration for EFS.

Best regards
Meinolf Weber MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 2nd, 2012 12:06pm
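As an added example (not code from the thread or its participants), the following PowerShell audit answers the recovery-agent concern raised above from the defender's side: it lists every EFS-encrypted file under a folder and flags those that no recovery certificate can decrypt, by parsing the output of `cipher /c`. It assumes Windows Vista/Server 2008 or later with `cipher.exe` present; the folder path is a placeholder.

```powershell
# Added example, not from the thread: audit EFS-encrypted files under a folder
# and report which user and recovery certificates can still decrypt each one.
# Assumes cipher.exe is available; the path in the usage line is a placeholder.

function Get-EfsRecoveryReport {
    param([Parameter(Mandatory=$true)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            # 'cipher /c' prints the user and recovery certificates able to decrypt the file
            $out = & cipher.exe /c $_.FullName 2>&1 | Out-String -Stream
            $section  = ''
            $users    = @()
            $recovery = @()
            foreach ($line in $out) {
                switch -Regex ($line) {
                    'Users who can decrypt'   { $section = 'users' }
                    'Recovery Certificates'   { $section = 'recovery' }
                    'No recovery certificate' { $section = ''; $recovery = @() }
                    'Certificate thumbprint:\s*(.+)$' {
                        # Thumbprints are printed in space-separated hex groups
                        $thumb = $Matches[1] -replace '\s', ''
                        if ($section -eq 'users')    { $users    += $thumb }
                        if ($section -eq 'recovery') { $recovery += $thumb }
                    }
                }
            }
            # A file with no recovery certificate is lost if the user's EFS key is lost
            New-Object PSObject -Property @{
                File                = $_.FullName
                UserThumbprints     = ($users -join ';')
                RecoveryThumbprints = ($recovery -join ';')
                NoRecoveryAgent     = ($recovery.Count -eq 0)
            }
        }
}

# Usage: show every encrypted file under the (placeholder) folder that no recovery agent can open
Get-EfsRecoveryReport -Path 'D:\Hyperion\Photos' |
    Where-Object { $_.NoRecoveryAgent } |
    Format-Table File, UserThumbprints -AutoSize
```

Files encrypted while the recovery policy was absent or expired will show up with no recovery thumbprint; after the domain recovery agent has been fixed, `cipher /u` rewrites the recovery keys on existing encrypted files to the current policy.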

This topic is archived. No further replies will be accepted.