Troubleshooting Encryption In Vista Part III
EFS protects data from being read, not deleted. Because attempts to copy an EFS-encrypted file fail, many assume that an unauthorized user cannot delete the file either; however, it can be deleted.
EFS protects data stored on a local NTFS partition. It does not protect data when it is sent across a network. This is a big issue. Because EFS was designed to be transparent to end users, when the user who encrypted the file copies it across the network or sends it via e-mail, the file is automatically decrypted before it is sent across the network so that it can be readable on the target system. For a user who does not understand this, and believes that his or her sensitive data is secure, the mistake can be costly.
EFS is not usable across the network on mapped drives unless the server and client operate within the same Active Directory forest and the server has been trusted for delegation. Only domain controllers in an ADS environment are trusted for delegation by default. Understanding these limitations is important for EFS to be used effectively. As Microsoft had intended, EFS is easy to use, but using it still requires proper end-user training. How many users on your network understand these concepts? Or possibly more important: How many users on your network have access to EFS, yet do not understand it?
One of the first things that should concern any support tech or network admin is the fact that any users with modify permission (the ability to write) to a file or folder can encrypt it. This can certainly be applied to files they did not create. Could this cause a problem in your environment? Do multiple users share the same system? If so, problems can certainly arise. Do you have domain controllers that also act as file servers in your Active Directory environment? If so, a user could encrypt a file that many people are allowed to modify and accidentally make it inaccessible to everyone else. Having EFS enabled by default gives end users the roundabout ability to make such a problematic change.
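To check whether this has already happened on a shared volume, the following PowerShell script (an added example, not part of the original article) lists every EFS-encrypted file under a folder together with its owner and the `cipher /c` output, which shows the users and recovery certificates able to decrypt it. The path in `$SharePath` is a hypothetical placeholder, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: inventory EFS-encrypted files under a shared folder.
# $SharePath is a hypothetical path; point it at the folder you want to audit.
$SharePath = 'D:\Shares\Projects'

# Find files (not folders) that carry the NTFS Encrypted attribute.
# -Force includes hidden and system files; unreadable folders are skipped.
$encrypted = Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    }

$report = foreach ($file in $encrypted) {
    # The owner is only a hint: encrypting a file does not change its owner,
    # so the person who encrypted it may be someone else with modify rights.
    $owner = (Get-Acl -LiteralPath $file.FullName).Owner

    # cipher /c prints the users who can decrypt the file and any
    # recovery certificates attached to it.
    $detail = (& cipher.exe /c $file.FullName 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        Path          = $file.FullName
        Owner         = $owner
        LastWriteTime = $file.LastWriteTime
        CipherInfo    = $detail
    }
}

if ($report) {
    $report | Format-List
} else {
    Write-Output "No EFS-encrypted files found under $SharePath"
}
```

Files whose `CipherInfo` names a single user and no recovery certificate are the ones that become inaccessible to everyone else if that user's key is lost.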
Used properly and with the right preparation, EFS can provide the additional security you may need on your network. Hopefully, making that decision is easier after reading this article. If you do decide that EFS is needed, definitely take a look at Microsoft’s white papers on the subject and review its best practices. Microsoft makes EFS sound easy in its ads, but the white papers will give you a much better idea of what is needed for proper implementation.
