Troubleshooting Encryption In Vista Part III
EFS protects data from being read, not deleted. Because attempts to copy an EFS-encrypted file fail, many assume that an unauthorized user cannot delete the file either; however, it can be deleted.
EFS protects data stored on a local NTFS partition. It does not protect data when it is sent across a network. This is a big issue. Because EFS was designed to be transparent to end users, when the user who encrypted the file copies it across the network or sends it via e-mail, the file is automatically decrypted before it is sent across the network so that it can be readable on the target system. For a user who does not understand this, and believes that his or her sensitive data is secure, the mistake can be costly.
EFS is not usable across the network on mapped drives unless the server and client operate within the same Active Directory forest and the server has been trusted for delegation. Only domain controllers in an ADS environment are trusted for delegation by default. Understanding these limitations is important for EFS to be used effectively. As Microsoft intended, EFS is easy to use, but using it still requires proper end-user training. How many users on your network understand these concepts? Or, possibly more important: how many users on your network have access to EFS, yet do not understand it?
One of the first things that should concern any support tech or network admin is the fact that any users with modify permission (the ability to write) to a file or folder can encrypt it. This can certainly be applied to files they did not create. Could this cause a problem in your environment? Do multiple users share the same system? If so, problems can certainly arise. Do you have domain controllers that also act as file servers in your Active Directory environment? If so, a user could encrypt a file that many people are allowed to modify and accidentally make it inaccessible to everyone else. Having EFS enabled by default gives end users the roundabout ability to make such a problematic change.
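One way for an administrator to see which items on a shared folder have been encrypted, who owns them, and which accounts can decrypt them. This is an added example, not part of the original article; the share path and the function name `Get-EfsEncryptedItem` are hypothetical, and the script should be run from an account with read access to the share.

```powershell
# Added example: inventory EFS-encrypted items under a shared folder.
# 'D:\Shares\Projects' is a hypothetical path; pass the folder you are reviewing.
param(
    [string]$SharePath = 'D:\Shares\Projects'
)

function Get-EfsEncryptedItem {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $item = $_
            # File owner from the NTFS ACL; not necessarily the account that encrypted it.
            $owner = try {
                (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner
            } catch {
                'unknown (ACL not readable)'
            }

            # cipher /c reports the users and recovery certificates that can decrypt a file.
            # An encrypted folder only marks new contents for encryption, so skip it here.
            $decryptInfo = if ($item.PSIsContainer) {
                'folder: new files created here will be encrypted'
            } else {
                (& cipher.exe /c $item.FullName 2>&1 | Out-String).Trim()
            }

            [pscustomobject]@{
                Path        = $item.FullName
                IsFolder    = $item.PSIsContainer
                Owner       = $owner
                LastWrite   = $item.LastWriteTime
                DecryptInfo = $decryptInfo
            }
        }
}

$report = @(Get-EfsEncryptedItem -Path $SharePath)
"{0} encrypted item(s) found under {1}" -f $report.Count, $SharePath
$report | Sort-Object Owner, Path | Format-List Path, IsFolder, Owner, LastWrite, DecryptInfo
```

Any file in the report whose decrypt list names a single user on a folder that many people are allowed to modify is a candidate for the lockout scenario described above.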
Used properly and with the right preparation, EFS can add the security you may need on your network. Hopefully, making that decision is easier after reading this article. If you do decide that EFS is needed, definitely take a look at Microsoft’s white papers on the subject and review its best practices. Microsoft makes EFS sound easy in its ads, but the white papers will give you a much better idea of what is needed for proper implementation.
