Ask the Expert

Do I need AD to use EFS?

I'm currently running a flat network with two Windows 2000 member servers. The PDC (primary domain controller) and BDC (backup domain controller) are NT4. The clients are Win2k Pro. We recently received a task order, whereby we need to encrypt some very sensitive data. The problem I have is that initially the network administrator attempted to create folders on the server allowing the users to transfer data to that member server and apply encryption. That did not seem to work. I told him to let them encrypt the data first and then move up to the server. I was under the impression that this had been resolved, but I then received an e-mail from him stating that Active Directory is required to perform this task. Is this correct?
To store EFS encrypted files on a server, the server must be trusted for delegation. This function is a function of Kerberos, and thus is only available in a Windows 2000 or Windows Server 2003 domain. Another issue will be that the data is decrypted and transported across the network in plain text. Should you wish a totally secure solution, you will need to encrypt the data during transport using SSL or IPSec.

Another solution, available in Windows XP Professional and Windows Server 2003 is the use of WebDAV folders. The computer does not have to be trusted for delegation, and the files do remain encrypted during network transport.

Please, however, tell me that users who are using EFS are exporting encryption keys for backup. In a Windows 2000 domain, a recovery agent role is assigned to the domain administrator account and this account can be used to recover encrypted files if the user's keys are damaged or lost. This is not true in a Windows NT domain, since Windows NT does not understand EFS. I do not have a Windows NT network to verify, but I am wondering if, without specific configuration, the local recovery agent is even present. There are risks either way. On the one hand, a local recovery agent can be easier to compromise; on the other, the lack of any recovery agent makes recovery dependent on the fact that each user keeps good archived keys.

There are significant issues when using EFS. Yes, it is an excellent file encryption process; however, like many security features, if not properly maintained it can give a false sense of security, or worse, result in the loss of data if user keys are destroyed or lost.

This was first published in April 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: