Encrypting folder on Windows 2003 SP2 server
Hi there, I have a Windows 2003 SP2 server. We have an application that writes log files to a location on the D: drive (simple .txt files). Management now want to know if there is any way to encrypt these files to make them more secure whilst they are on the server.

I know that if you go to the Folder Properties you can encrypt the data, but does anyone know how this will work? The thing is that the files need to be transferred off every week and stored on another server for safe-keeping. Will this affect their ability to be read on that other server? I plan on testing, but would there also be any problem with even writing to the folder in the first place if we enable this encryption?

Secondly, what does encrypting the files achieve that, say, locking the folder permissions down using NTFS doesn't?
August 23rd, 2010 9:03pm

Hi,

The following steps explain how EFS works generally.

1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then stored with the file.
2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, by storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.
3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user’s private key, and then decrypts the data by using the FEK.

As long as the EFS certificate or the data recovery agent's certificate is available, file operations are not restricted.

Please read the following articles to understand EFS better before deploying it.

Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065.aspx

Using Encrypting File System
http://technet.microsoft.com/en-us/library/bb457116.aspx

Data Recovery and Encrypting File System (EFS)
http://technet.microsoft.com/en-us/library/cc512680.aspx

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
August 24th, 2010 11:19am

Thanks Mervin. One point we would like to look at is giving multiple users access to the encrypted folder (the files are created each day automatically by the application). However, from what I understand this is not possible for us since:

i) It is not possible in Windows 2003 SP2 to give multiple users access to an encrypted folder - it is only possible on the file level (which won't work for us since a new file is created daily by the application).

ii) In order to give multiple users access to a file (or folder, in case I was wrong with the above assertion), each user needs to encrypt a separate file in order to generate a certificate for their user ID.

Could you confirm my understanding is correct - and that we can only really use EFS in this situation with one account (e.g. a service account)?

Many thanks
August 24th, 2010 7:20pm

Hi,

As far as I know, we can give multiple users access to an encrypted folder. Yes, the Details button is grayed out, but we can still assign a DRA via Group Policy if necessary, so that the DRA can still access encrypted folders. Please refer to the following policy:

[Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System]

We can also configure an Auto-Enrollment policy so that users get an EFS certificate automatically.

To allow a program to create and modify files in an encrypted folder, you may right-click the application, choose the Run As option and then type the user name and password.

Thanks.
August 25th, 2010 11:20am
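
The Cipher.exe route and the DRA certificate mentioned in the replies above, as an added example that is not part of the original thread: a batch script using the Windows Server 2003 `cipher` switches. The paths `D:\AppLogs` and `C:\EfsKeys` and the output file names are assumptions, and the script is meant to be run while logged on as the account the logging application runs under.

```batch
@echo off
rem Added example, not from the thread. LOGDIR, KEYDIR and the file names
rem below are assumed values; adjust them to the real log location.
setlocal
set "LOGDIR=D:\AppLogs"
set "KEYDIR=C:\EfsKeys"
if not exist "%KEYDIR%" mkdir "%KEYDIR%"

rem 1. Set the encryption attribute on the folder and its subfolders (/s).
rem    /a applies the operation to the files already there as well.
rem    Files created in the folder afterwards inherit the attribute and are
rem    encrypted with the EFS key of the account that creates them.
cipher /e /a /s:"%LOGDIR%"

rem 2. Show the result: each entry is listed with E (encrypted) or
rem    U (unencrypted) in front of its name.
cipher "%LOGDIR%\*"

rem 3. Back up the current account's EFS certificate and private key to
rem    logsvc-efs.PFX (cipher prompts for a password to protect the file).
rem    Without this key, or a recovery agent's key, the FEK stored with
rem    each file cannot be decrypted.
cipher /x "%KEYDIR%\logsvc-efs"

rem 4. Create a recovery agent key pair: dra.PFX (certificate plus private
rem    key, password protected) and dra.CER (certificate only). The .CER is
rem    what gets added under Public Key Policies\Encrypting File System.
cipher /r:"%KEYDIR%\dra"

rem 5. After the recovery policy has been applied, refresh the existing
rem    encrypted files so that they pick up the current keys.
cipher /u

endlocal
```

Steps 3 and 4 prompt interactively for passwords, so they are run by hand once rather than from a scheduled task; store the resulting .PFX files off the server.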
