
encryption and administration question....

Discussion in 'Windows XP' started by Steve Lynch, 2006/11/27.

  1. 2006/11/27
    Steve Lynch
    Hello!

    I have machines I lease that contain copyrighted media files. I do not want anyone stealing my media files, so I've taken the time to encrypt about a terabyte of media using the encryption built into Windows XP. Here's the question. What stops the user from just unencrypting them?

    I created a user account, and selected limited, but that still allows the user to change the encryption properties.

    Is there a way to administer certain functions? For example, is there a way to choose whether I want this user to be able to change files from read only, or disable the checkbox for encryption, etc.?

    All I want is to keep people from stealing my valuable collection of media files. This seems to be a daunting task.

    I've encrypted files, hid the drives in the registry, and made all of the files hidden. Granted, most users would never figure out how to copy the files, but the more savvy guys like the folks here would laugh at my feeble attempt at securing my files.

    Any suggestions?

    I hope you don't mind, but I posted this in the XP forum also...
     
  2. 2006/11/27
    rsinfo
    Do other people need to access your files?
     


  4. 2006/11/27
    Steve Lynch
    Only the person leasing the machine needs access. They do not need to be available over a network or anything.
     
  5. 2006/11/27
    Bill Castner
    Encryption does not bar a copy, if that was your goal.

    Only the original username and password combination (in non-Domain settings) can unencrypt the contents of those files.

    Nobody else can do so (with the exceptions noted below).

    Their Administrative or Limited User status has no consequence for EFS.

    It does not matter what the limited or other user does to the checkbox under the Properties sheet for an EFS folder or file. Access to the file is restricted to the original encrypter, or to those the original encrypter has provided a security certificate sufficient to allow decryption. If the EFS security was set appropriately, the limited user would receive an access denied error in trying to change the encrypted status of a file or folder.

    Thus the dilemma:

    How can a non-security token holding user read your files?
    They cannot -- unless you have permitted it.

    Obviously, as the EFS does not bar a copy, and EFS will prevent a non-encrypter user from reading the files (unless you give them the security token), using EFS in this instance is not the solution you are seeking. The user obviously needs to decrypt the files to use them.

    Only the following people can decrypt an encrypted file.

    • The user who encrypted the file
    • Any user who was designated as a recovery agent before the file was encrypted
    • Any user who has the public key or private key for the recovery agent or the user that originally encrypted the file
    • Any user who has been granted access to the file

    For additional information about how to grant access to an encrypted file, click the article number below to view the article in the Microsoft Knowledge Base:
    308991 How To Share Access to an Encrypted File
    http://support.microsoft.com/kb/308991/EN-US/
     
    Last edited: 2006/11/27
  6. 2006/11/27
    Steve Lynch
    OK, after a ton of net reading today, I think I figured it out.

    I:
    #1) Created a second user account (Limited)
    #2) Encrypted all of the files using EFS
    #3) Switched back over to the admin profile, and set folder permissions so that the other login couldn't modify files.

    This in essence made it so they cannot decrypt the files. It says "no access allowed to the selected file" when you try to change the file properties...

    You can copy the files all day long, but they don't work on other machines...

    Have I forgotten anything, or have I solved my problem?

    I'm sure a hard core hacker type could possibly find a way around, but the average Joe is gonna be shut down if he tries to copy my encrypted media.

    It appears to be working. Does anyone see any holes in this?

    -Steve
     
  7. 2006/11/27
    Bill Castner
    EFS does not need any support from NTFS permissions to do its job. In addition, the Modify permission applies to a file contents change, not an attribute change. In any case, the only way in which the limited user in your instance would be able to unencrypt the contents of an EFS file would be set under EFS itself, not under NTFS.

    1. Right-click the encrypted file, and then click Properties.
    2. Click the General tab (if it is not already selected), and then click Advanced.
    3. Click Details, and then click Add.

    This is the only way, other than a security certificate exchange, to give a user other than the owner permission to unencrypt the file.

    Therefore, you could have quit after creating the limited user.

    As for the security of the Microsoft EFS encryption scheme, to my knowledge it has never been broken. (This is one of the reasons that XP cannot be exported without the feature removed.)

    Not to discourage you, but the way you now have it set up, it would take me less than two minutes to unencrypt your files.

    I will give you a hint: The EFS security token is held by the default Administrator.
     
    Last edited: 2006/11/27
  8. 2006/11/27
    TonyT
    The only thing I will add is this:
    If these files are important, and they seem to be, then by all means back up these files in unencrypted format on some type of removable storage, either DVDs or other drives. If they are that important, it's worth the bucks to have a few hard drives locked away with the data on them. Don't use encrypted data on the backups, because if YOU lose the key, or if the key becomes corrupted, or if the encrypted files become corrupted, then you will be SOL. But if you use an unencrypted data backup, and some files become corrupted, or if the drive goes bad, then you still have a few options to recover the data from the disks.
     
  9. 2006/11/27
    Steve Lynch
    I always have 2 backups mirrored, so that's not an issue, but here's what I found...


    If I encrypted under the admin profile, I was not able to make the files usable to any other profile than admin. This is why I encrypted under the other user login.

    How would I make the files encrypted under admin accessible to the other users? I could not make that work.

    Also, it took over 10 hours to encrypt my files, so it would take you at least 10 hours and two minutes to unencrypt my files! :)

    -Steve
     
  10. 2006/11/27
    Bill Castner
    Let's say the limited user is Steve.

    Logon as Administrator.
    Encrypt a file as a test.

    1. Right-click the encrypted file, and then click Properties.
    2. Click the General tab (if it is not already selected), and then click Advanced.
    3. Click Details, and then click Add.
    4. Select the user you want to share access to the encrypted file with (Steve), and then click OK.
    5. When you are finished adding users, click OK three times.

    Remember the users must exist before they can be added to the list of users allowed to unencrypt the file.
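
The access rules the replies above lay out (post #5: encryption does not bar a copy, and only the encrypter, a recovery agent or an explicitly added user can decrypt; post #7: account type and NTFS permissions do not govern decryption; post #10: a user is added per file through Details > Add using his certificate) modelled in an added Python example. This is not code from the thread or from Windows: the Principal and EncryptedFile classes, the account names and the "track" data are constructed for the illustration, and AES and RSA are replaced by toy stand-ins (an HMAC-SHA256 keystream and Diffie-Hellman over 2**127-1) so that it runs with the standard library only. What it keeps from real EFS is the structure: a random File Encryption Key (FEK) per file, wrapped once per authorised user (Data Decryption Field, DDF) and once per recovery agent (Data Recovery Field, DRF), with the wrapped copies travelling with the file in its $EFS stream while the private keys stay in the user profiles.

```python
import copy
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for the RSA certificates real EFS uses.
P = 2**127 - 1   # Mersenne prime; illustration only, not a secure group
G = 5

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the file cipher: HMAC-SHA256 run in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _kek(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def wrap_fek(certificate: int, fek: bytes) -> tuple:
    """Make a DDF/DRF entry: needs only the recipient's certificate (public key)."""
    y = secrets.randbelow(P - 2) + 1
    kek, nonce = _kek(pow(certificate, y, P)), secrets.token_bytes(16)
    ct = _xor_stream(kek, nonce, fek)
    return pow(G, y, P), nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap_fek(private: int, field: tuple) -> bytes:
    """Open a DDF/DRF entry; fails unless the private key matches the certificate used."""
    ephemeral, blob = field
    kek = _kek(pow(ephemeral, private, P))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("private key does not open this field")
    return _xor_stream(kek, nonce, ct)

class Principal:
    """A Windows account with an EFS key pair (constructed names in demo()).
    Limited vs. Administrator plays no part: only holding the private key does."""
    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1  # stays in the user's profile
        self.certificate = pow(G, self.private, P)    # what the Add dialog enumerates

class EncryptedFile:
    """Data stream plus $EFS stream: one FEK per file, wrapped once per principal."""
    def __init__(self, plaintext: bytes, owner: Principal, recovery_agents=()):
        fek = secrets.token_bytes(32)   # never stored in the clear
        self.nonce = secrets.token_bytes(16)
        self.data = _xor_stream(fek, self.nonce, plaintext)
        self.ddf = {owner.name: wrap_fek(owner.certificate, fek)}
        self.drf = {ra.name: wrap_fek(ra.certificate, fek) for ra in recovery_agents}

    def _fek(self, who: Principal) -> bytes:
        field = self.ddf.get(who.name) or self.drf.get(who.name)
        if field is None:
            raise PermissionError(f"{who.name} has no DDF or DRF entry on this file")
        return unwrap_fek(who.private, field)

    def read(self, who: Principal) -> bytes:
        return _xor_stream(self._fek(who), self.nonce, self.data)

    def add_user(self, grantor: Principal, grantee: Principal) -> None:
        """The Details > Add dialog: the grantor must already be able to unwrap the FEK."""
        self.ddf[grantee.name] = wrap_fek(grantee.certificate, self._fek(grantor))

def can_read(f: EncryptedFile, who: Principal) -> bool:
    try:
        f.read(who)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    admin = Principal("Administrator")   # configured as recovery agent in this model
    steve = Principal("Steve")           # the Limited user who ran the encryption
    tenant = Principal("Tenant")         # the person leasing the machine
    thief = Principal("Thief")           # on another machine, holding a copy
    song1 = EncryptedFile(b"track one", steve, recovery_agents=[admin])
    song2 = EncryptedFile(b"track two", steve, recovery_agents=[admin])
    stolen = copy.deepcopy(song1)        # a plain copy: data and $EFS stream travel, keys do not
    song1.add_user(steve, tenant)        # per file: song2 keeps its own FEK and $EFS stream
    results = {
        "owner_reads": can_read(song1, steve),
        "recovery_agent_reads": can_read(song1, admin),
        "stolen_copy_reads": can_read(stolen, thief),
        "granted_user_reads": can_read(song1, tenant),
        "grant_covers_other_file": can_read(song2, tenant),
    }
    try:
        stolen.add_user(thief, thief)    # no key that unwraps the FEK, so no self-grant
        results["thief_self_grants"] = True
    except PermissionError:
        results["thief_self_grants"] = False
    return results
```

Running demo() gives True for the owner, the recovery agent and the added Tenant on song1, and False for the stolen copy, for Tenant on song2 and for the thief's attempt to add himself. The last two are the points that matter for the thread: a grant is recorded in one file's own $EFS stream, so it has to be made per file (the dialog works on one file at a time; on XP the same per-file operation is exposed to programs through the Win32 AddUsersToEncryptedFile API, which is the route for tens of thousands of files), and whoever holds a recovery agent's private key can open every file that carries a DRF for it, whatever the NTFS permissions say.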
     
  11. 2006/11/28
    Steve Lynch
    OK, another question about your method.

    I have 84,762 files I encrypted. I cannot seem to allow transparent access to the whole folder; I can only do it one file at a time.

    How do I get around this? If I select more than one at once, Details is grayed out...

    Surely I don't have to perform this process 84 thousand times... do I?


    Also, when I try to add users, I click on Add, then it asks me what certificate to share with. The only option is Steve (Administrator) (however, there are two other existing users on the computer too). I click on that and nothing happens, except the window closes...

    The Find User button is grayed out, and I can't add anything. Any suggestions?

    Man, what a pain! I just want this to work. I've read all of the Windows support documents, but they say the exact same thing you did. This simply isn't working for me.

    Thanks again!

    -Steve
     
    Last edited: 2006/11/28
  12. 2006/11/28
    Bill Castner
    One would hope not.

    Create a new folder.
    Encrypt the folder using Properties, General tab, Advanced.
    Move the existing encrypted files (or Folder) to the new encrypted Folder. There is no reason for a copy operation.
    Remove encryption from the folder. When you hit apply, be sure to choose to decrypt the Folder and all subdirectories and files.

    For Adding users:

    The users must exist.
    The users must have a certificate.
    The locally defined users on a computer will have their certificates stored in a Common folder by XP -- Locally Stored Certificates. This is what the Add function will enumerate.
     
