Do I need AD to use EFS?
Another solution, available in Windows XP Professional and Windows Server 2003 is the use of WebDAV folders. The computer does not have to be trusted for delegation, and the files do remain encrypted during network transport.
Please, however, tell me that users who are using EFS are exporting encryption keys for backup. In a Windows 2000 domain, a recovery agent role is assigned to the domain administrator account and this account can be used to recover encrypted files if the user's keys are damaged or lost. This is not true in a Windows NT domain, since Windows NT does not understand EFS. I do not have a Windows NT network to verify, but I am wondering if, without specific configuration, the local recovery agent is even present. There are risks either way. On the one hand, a local recovery agent can be easier to compromise; on the other, the lack of any recovery agent makes recovery dependent on the fact that each user keeps good archived keys.
There are significant issues when using EFS. Yes, it is an excellent file encryption process; however, like many security features, if not properly maintained it can give a false sense of security, or worse, result in the loss of data if user keys are destroyed or lost.
Dig Deeper on Enterprise desktop management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.
Meet all of our Enterprise Desktop experts
Start the conversation
0 comments