Encrypting server folders/files in a non-domain workgroup network environment so clients can see them
I have a home network file server running Server 2003 and multiple computers running Vista networked via Workgroups. I have no problems accessing network shares on the server from clients. I'd like to encrypt the server files/folder. When I encrypt a folder on the server using EFS, I can see the folders and files on the clients with Explorer but am given an "access denied" message if I try to open them. Anyone have any thoughts about why this is? I have a feeling I'll need to create a domain if I want to encrypt these server files and see them with the clients. I'm hesitant to do this because some of the client computers are work laptops that are already on a work domain.

Thanks in advance.
January 5th, 2010 5:27am

The problem you're seeing is because EFS, by default, generates a local, self-signed certificate when you first encrypt a file (as an aside, with EFS you can only encrypt files, not folders. You can configure the folder such that all new or existing files within the folder are encrypted but it is the files that are encrypted, not the folder). Because you're performing the encryption on the server, the certificate and private key are created and stored in the profile of the user that was logged on to the server when the files were encrypted. When you attempt to access those files from a client computer, the local user doesn't have access to the required certificate and private key, hence the Access Denied message.

In order to access those files you'll need to do the following:

1. On the server that hosts the encrypted files, log on with the account used to encrypt them.
2. Run certmgr.msc.
3. Locate the EFS certificate and export it, along with the private key, saving both into a PFX file.
4. Take the PFX file to each client from which you want to access the encrypted files, log on with an account with the same name and password as the one on the server.
5. Import the PFX file.

This should now provide you with access to the encrypted files.

You should also store the PFX file in a secure location as a backup. If you lose access to the certificate and private key and don't have access to a data recovery agent certificate as well, you run the very real risk of permanently losing access to the encrypted files.

Personally, and no offense intended, but I am not a big proponent of EFS for home users. I've had to answer too many "I rebuilt my computer and now have no access to thousands of very meaningful family pictures/documents/etc that I encrypted using EFS" posts over the years. I just don't see the risk/reward ratio being high enough for home users to justify the use of EFS.

If you really need/want to use EFS then I think that it is critical that you read up as much as you can about EFS on TechNet and make sure that you thoroughly understand how it works, and what the recovery methods are before attempting to use it in a home environment.

Paul Adare CTO IdentIT Inc. ILM MVP
January 5th, 2010 2:10pm
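
Steps 2, 3 and 5 of the answer above, scripted as an added example (not part of the original thread). It assumes Windows PowerShell 2.0 or later is installed on both machines; the function names and file paths are hypothetical.

```powershell
# Added example: function names and paths are hypothetical.
$X509   = 'System.Security.Cryptography.X509Certificates'
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificate {
    # Certificates in the current user's Personal store that carry the EFS EKU
    # and still have their private key; without the key nothing can be decrypted.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_.GetType().Name -eq 'X509EnhancedKeyUsageExtension' }
        $cert.HasPrivateKey -and $eku -and
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsOid)
    }
}

function Export-EfsCertificate([string]$Path) {
    # Run on the server, logged on as the account that encrypted the files.
    # $Path must be a full path: .NET does not follow the PowerShell location.
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -ne 1) {
        throw "Expected exactly one EFS certificate, found $($certs.Count)."
    }
    $pw   = Read-Host 'Password to protect the PFX' -AsSecureString
    $type = [Enum]::Parse([Type]"$X509.X509ContentType", 'Pfx')
    # Export() throws if the private key was created as non-exportable.
    [System.IO.File]::WriteAllBytes($Path, $certs[0].Export($type, $pw))
    $certs[0].Thumbprint
}

function Import-EfsCertificate([string]$Path) {
    # Run on each client, logged on as the matching account.
    $pw    = Read-Host 'PFX password' -AsSecureString
    # No Exportable flag: the client copy of the key cannot be exported again,
    # so the PFX kept in a secure location remains the only backup.
    $flags = [Enum]::Parse([Type]"$X509.X509KeyStorageFlags", 'UserKeySet, PersistKeySet')
    $cert  = New-Object "$X509.X509Certificate2" ($Path, $pw, $flags)
    $store = New-Object "$X509.X509Store" ('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Server:  Export-EfsCertificate 'C:\Temp\efs-backup.pfx'
# Client:  Import-EfsCertificate 'C:\Temp\efs-backup.pfx'
```

The thumbprint returned on the client should match the one returned on the server; delete any working copy of the PFX from the client once the import succeeds.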

Thank you, Paul. Your response is extremely helpful! The security best practices you recommend are well taken.

Cheers,
Tri
January 6th, 2010 7:06am

This topic is archived. No further replies will be accepted.
