Q
Problem solve Get help with specific problems with your technologies, process and projects.

Do I need AD to use EFS?

Published: 22 Apr 2003
I'm currently running a flat network with two Windows 2000 member servers. The PDC (primary domain controller) and BDC (backup domain controller) are NT4. The clients are Win2k Pro. We recently received a task order, whereby we need to encrypt some very sensitive data. The problem I have is that initially the network administrator attempted to create folders on the server allowing the users to transfer data to that member server and apply encryption. That did not seem to work. I told him to let them encrypt the data first and then move up to the server. I was under the impression that this had been resolved, but I then received an e-mail from him stating that Active Directory is required to perform this task. Is this correct?
To store EFS encrypted files on a server, the server must be trusted for delegation. This function is a function of Kerberos, and thus is only available in a Windows 2000 or Windows Server 2003 domain. Another issue will be that the data is decrypted and transported across the network in plain text. Should you wish a totally secure solution, you will need to encrypt the data during transport using SSL or IPSec.

Another solution, available in Windows XP Professional and Windows Server 2003 is the use of WebDAV folders. The computer does not have to be trusted for delegation, and the files do remain encrypted during network transport.

Please, however, tell me that users who are using EFS are exporting encryption keys for backup. In a Windows 2000 domain, a recovery agent role is assigned to the domain administrator account and this account can be used to recover encrypted files if the user's keys are damaged or lost. This is not true in a Windows NT domain, since Windows NT does not understand EFS. I do not have a Windows NT network to verify, but I am wondering if, without specific configuration, the local recovery agent is even present. There are risks either way. On the one hand, a local recovery agent can be easier to compromise; on the other, the lack of any recovery agent makes recovery dependent on the fact that each user keeps good archived keys.

There are significant issues when using EFS. Yes, it is an excellent file encryption process; however, like many security features, if not properly maintained it can give a false sense of security, or worse, result in the loss of data if user keys are destroyed or lost.

Dig Deeper on Enterprise desktop management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Meet all of our Enterprise Desktop experts

View all Enterprise Desktop questions and answers

Start the conversation

Send me notifications when other members comment.

Register

Please create a username to comment.

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

Close