Author | Messages

bwatson | Posts: 28 | 02/19/2008 4:32 PM
Hi all,
I was hoping I could get some input from anyone who has implemented a method to EFS-encrypt users' profile directories. If there were any hurdles you had to jump to implement this, any interesting steps you had to take, or things to watch out for, I'd greatly appreciate a response.
The one thing I am most worried about is what happens to any files/folders that are rarely accessed and then the user's certificate expires and needs to be renewed (same for the recovery agent's certificate). I just want to avoid the situation where people are locked out of their own data with no way to recover. From what I understand, the certificates that grant access to the EFS-encrypted data are not updated with renewed certificates unless they are touched.
We are running a very simple single Enterprise CA server, no additional CAs in the infrastructure at this point.
Thanks,
Ben

EZiots | Posts: 31 | 02/19/2008 5:38 PM
Just playing the devil's advocate on this one.
Why would you want to encrypt the user profile directories with EFS (I am assuming you are using roaming profiles)? What is the risk that you are looking to employ EFS encryption (data at rest) to protect?
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

bwatson | Posts: 28 | 02/19/2008 5:58 PM
Well, I'm only referring to laptop users' profile directories. I'd like to mitigate the risk of a user losing a laptop that contains sensitive data while out on travel.
~Ben

robertsingers | Posts: 147 | 02/19/2008 6:33 PM
My gut feeling is that this is the wrong way to go about skinning that cat. Limit the size of the profile so users are forced to store things on their home drives, not their desktops. And encrypt the offline store.
If you enshrine their ability to use their desktops as storage, you start to lose valuable data.

bwatson | Posts: 28 | 02/19/2008 6:53 PM
I can certainly appreciate your responses trying to take the approach of "work smarter, not harder"; that's my own motto as well. I'll just say that these laptop users that I am referring to simply MUST carry the data with them. They often go to sites in which an internet connection is not available to work with customers. This is a technical hurdle that I have to jump due to the nature of the business of the company I work for.
So given that the data must travel with them, any suggestions then?

gabriel/tfi | Posts: 149 | 02/19/2008 7:54 PM
AFAIK the certificate with the file encryption purpose can be renewed maintaining the same key pair, and autoenrollment will make the renewal transparent for the users.
If not, I think cipher.exe can assist you in updating encrypted files with the new private key.
I would suggest drilling down into this article: http://www.codeplex.com/EFSAssistant. I personally haven't done it yet, but I think it's worth a read (sooner or later).
I understand you're nervous about encryption because of users being locked out; that's why I suggest building a virtual test environment where you can have all your doubts cleared and questions answered.
PKI and encryption is always an irksome topic. :)
Regards - Gabriele
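As an added example (my own code, not Gabriele's and not from the EFS Assistant article), here is a PowerShell audit for the situation Ben describes: it reports the user's newest EFS certificate and its expiry, lists encrypted profile files last written before that certificate was issued, and then runs cipher.exe /u so the key fields of every encrypted file reference the current user and recovery certificates. The EFS\CurrentKeys registry location and the file-age heuristic are assumptions; cipher's /u, /n and /h switches are its documented ones.

```powershell
# Added example, not code from the thread or from EFS Assistant. Audits a
# laptop user's EFS certificate and encrypted profile files, then lets
# cipher.exe /u rewrite each file's key fields to reference the current
# user and recovery certificates. Run inside the user's own session.
param(
    [string]$Root = $env:USERPROFILE,   # profile directory to scan
    [switch]$Update                      # without it, cipher only lists (/n)
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'      # Enhanced Key Usage OID: Encrypting File System
# ASSUMPTION: registry value that records the thumbprint EFS currently encrypts with
$KeyHintPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Test-EfsCert {
    param($Cert)
    # True when the certificate carries the EFS enhanced key usage
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEku) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsCerts {
    # EFS-capable certificates with a private key, latest expiry first
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (Test-EfsCert -Cert $_) } |
        Sort-Object NotAfter -Descending
}

function Get-CurrentEfsThumbprint {
    # Thumbprint EFS will stamp into newly encrypted files (assumed location)
    $prop = Get-ItemProperty -Path $KeyHintPath -ErrorAction SilentlyContinue
    if ($prop -and $prop.CertificateHash) {
        return ([BitConverter]::ToString($prop.CertificateHash) -replace '-', '')
    }
    return $null
}

function Get-EncryptedFiles {
    param([string]$Path)
    # Files carrying the NTFS Encrypted attribute anywhere under $Path
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

# 1. Certificate state: which EFS cert is newest and how long it has left
$certs = @(Get-EfsCerts)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key in CurrentUser\My'
    exit 1
}
$current  = $certs[0]
$daysLeft = [int]($current.NotAfter - (Get-Date)).TotalDays
Write-Host ("Newest EFS certificate {0} expires {1} ({2} days left)" -f $current.Thumbprint, $current.NotAfter, $daysLeft)
if ($daysLeft -lt 30) { Write-Warning 'EFS certificate expires within 30 days; renew it before it lapses' }

$hint = Get-CurrentEfsThumbprint
if ($hint -and ($hint -ne $current.Thumbprint)) {
    Write-Warning "EFS key hint $hint differs from the newest certificate; existing files may still reference the old key"
}

# 2. Encrypted files last written before the newest cert was issued. Their
#    key fields were stamped under whatever cert was current at the time,
#    so these are the "rarely touched" files a renewal can leave behind
#    (timestamp heuristic only; it does not read the file's key fields).
$files = @(Get-EncryptedFiles -Path $Root)
$stale = @($files | Where-Object { $_.LastWriteTime -lt $current.NotBefore })
Write-Host ("{0} encrypted files under {1}; {2} last written before {3}" -f $files.Count, $Root, $stale.Count, $current.NotBefore)
$stale | Sort-Object LastWriteTime | Select-Object -Property FullName, LastWriteTime -First 20 | Format-Table -AutoSize

# 3. Re-key. cipher /u touches every encrypted file on local drives that the
#    user can decrypt and updates its user and recovery key fields to the
#    current certificates; /n only lists them; /h includes hidden/system files.
if ($Update) { & cipher.exe /u /h } else { & cipher.exe /u /n /h }
```

Run it without -Update first to see what cipher would touch, and run it again after a certificate renewal (or a recovery agent change) while the user still holds the old private key, since cipher can only re-key files it can decrypt.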

robertsingers | Posts: 147 | 02/19/2008 9:04 PM
In your User Config (GPO):
"Windows Settings | Folder Redirection | My Documents" redirected to the home folder
"Administrative Templates | Network | Offline Files"
- "Administratively assigned offline files" set to home drives for laptop users (on OU or WMI filter).
- "Encrypt the offline files cache" set to on.

ken | Posts: 58 | 02/20/2008 12:01 AM
Unless you are using Windows Vista, encrypting the offline files/folders cache doesn't really protect much. An attacker can reset the local Administrator's password and then get access to the offline file/folder cache. This is due to the cache being encrypted using a machine-based key, not a user-based key.
Cheers Ken
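An added example (mine, not Robert's or Ken's) that checks what a laptop actually received from the Offline Files policy Robert lists and flags the case Ken describes, where a pre-Vista cache is protected by a machine-wide key. The NetCache policy registry paths, the EncryptCache and AssignedOfflineFolders names, and the %SystemRoot%\CSC cache location are my assumptions about where those settings land on the client.

```powershell
# Added example, not from the thread. Reports the Offline Files policy a
# laptop actually received and flags the case Ken describes: before Vista
# the cache is encrypted with a machine key, so a local Administrator
# password reset exposes it. Registry names and the cache path are
# ASSUMPTIONS about where the GPO settings above are stored.

$MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\NetCache'
$CachePath     = Join-Path $env:SystemRoot 'CSC'   # ASSUMPTION: Offline Files cache directory

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Value from the policy key, or $null when the policy was never applied
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-AssignedOfflineFolders {
    # "Administratively assigned offline files": one registry value per UNC
    # path, under either half of the policy (machine or user)
    $paths = @()
    foreach ($base in @($MachinePolicy, $UserPolicy)) {
        $key = Get-Item -Path (Join-Path $base 'AssignedOfflineFolders') -ErrorAction SilentlyContinue
        if ($key) { $paths += $key.GetValueNames() }
    }
    return $paths
}

function Test-CacheEncrypted {
    # $true/$false if the cache directory exists, $null if it does not
    $dir = Get-Item -Path $CachePath -Force -ErrorAction SilentlyContinue
    if (-not $dir) { return $null }
    return [bool]($dir.Attributes -band [IO.FileAttributes]::Encrypted)
}

function Get-OfflineCacheFindings {
    $findings = @()
    $os = [Environment]::OSVersion.Version
    $assigned = @(Get-AssignedOfflineFolders)
    $encryptPolicy = Get-PolicyValue -Path $MachinePolicy -Name 'EncryptCache'
    $encrypted = Test-CacheEncrypted

    if ($assigned.Count -eq 0) {
        $findings += 'No administratively assigned offline folders: the home drive is not being cached'
    }
    if ($encryptPolicy -ne 1) {
        $findings += '"Encrypt the Offline Files cache" is not enabled by policy'
    }
    if ($encrypted -eq $false) {
        $findings += "Cache directory $CachePath does not carry the Encrypted attribute"
    }
    if ($os.Major -lt 6) {
        # Windows XP / Server 2003: the cache key is per machine, not per user
        $findings += "OS $os is pre-Vista: cache encryption uses a machine key; treat cached data as unprotected at rest and look at BitLocker or vendor drive encryption"
    }
    return $findings
}

Write-Host 'Assigned offline folders:'
Get-AssignedOfflineFolders | ForEach-Object { Write-Host "  $_" }
$findings = @(Get-OfflineCacheFindings)
if ($findings.Count -eq 0) { Write-Host 'Offline cache protection looks as intended' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```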

ken | Posts: 58 | 02/20/2008 3:17 AM
Also, I believe (but haven't tested) that Vista uses per-user keys for encrypting the cache, so resetting the password for some other account (e.g. Administrator) doesn't help you get access to the cached files.
And there’s always the Bitlocker option as well, but that has maintenance requirements beyond what simply encrypting the offline cache does.
Cheers Ken
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Albert Sent: Wednesday, 20 February 2008 6:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [OT] EFS encrypt User Profile Directories
Just like Ken mentioned, go Vista and start using Bitlocker :-) Good news for Vista SP1 (and Windows Server 2008): it's now fully supported to encrypt data disks :-)
There are also hardware vendors like HP who build drive encryption options into their notebooks, so you can use these techniques even with older operating systems...
Regards,
Albert

bwatson | Posts: 28 | 02/20/2008 12:11 PM
Yeah, we are not yet ready to embrace Vista and deploy it, and for now are sticking to Windows XP. The option to encrypt the offline files cache in XP seems to be nothing more than just an illusion of security.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ken Schaefer Sent: Tuesday, February 19, 2008 8:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
Unless you are using Windows Vista, then encrypting the offline files/folders cache doesn't really protect much. An attacker can reset the local Administrators password, and then get access to the offline file/folder cache. This is due to the cache being encrypted using a machine based key, not a user based key
Cheers
Ken
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Wednesday, 20 February 2008 1:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
In your User Config (GPO)
"Windows Settings | Folder Redirection | My Documents" redirected to the home folder
"Administrative Templates | Network | Offline Files"
- "Administratively assigned offline files" set to home drives for lap top users (on OU or WMI filter.
- "Encrypt the offline files cache" to on.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, 20 February 2008 12:51 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
I can certainly appreciate your responses to try and take the approach of work smarter not harder, that's my own motto as well. I'll just say that these laptop users that I am referring to simply MUST carry the data with them. They often go to sites in which an internet connection is not available to work with customers. This is a technical hurdle that I have to jump due to the nature of the business of the company I work for.
So given that the data must travel with them, any suggestions then?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Tuesday, February 19, 2008 3:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
My gut feel is that is the wrong way to go about skinning that cat. Limit the size of the profile so users are forced to store things on their home drives, not their desktops. And encrypt the offline store.
If you enshrine their ability to use their desktops as storage you start to lose valuable data.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, 20 February 2008 11:53 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
Well, I'm only referring to laptop user's profile directories. I'd like to mitigate the risk of a user losing a laptop that contains sensitive data while out on travel.
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ziots, Edward Sent: Tuesday, February 19, 2008 2:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] EFS encrypt User Profile Directories
Just playing the devils advocate on this one.
Why would you want to encrypt with EFS the user profile directories ( I am assuming you are using roaming profiles) what is the risk, that you are looking to employ EFS encryption ( data at rest) to protect?
Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Tuesday, February 19, 2008 4:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [OT] EFS encrypt User Profile Directories
Hi all,
I was hoping I could get some input on anyone who has implemented a method to EFS encrypt user's profile directories. If you have any hurdles you had to jump to implement this, any interesting steps you had to take, or things to watch out for, I'd greatly appreciate a response.
The one thing I am most worried about is what happens to any files/folders that are rarely accessed and then the user's certificate expires and needs to be renewed (same for the recovery agent's certificate). I just want to avoid the situation where people are locked out of their own data with no way to recover. From what I understand, the certificates that grant access to the EFS encrypted data is not updated with renewed certificates unless they are touched.
We are running a very simple single Enterprise CA server, no additional CAs in the infrastructure at this point.
Thanks,
Ben
| | | |
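The three Group Policy settings Robert lists, together with Ken's point that the cache key is machine-bound before Vista, can be checked on a given laptop. The PowerShell function below is an added example, not code from the thread: it reads the effective Offline Files policy values from the registry, checks whether My Documents resolves to a network share, and reports whether the OS generation protects the Offline Files cache with a per-user key. The registry locations are taken from the Offline Files policy templates and are an assumption to verify against your own ADMX files.

```powershell
# Added example, not from the thread: report whether the Offline Files and
# Folder Redirection settings discussed above are in effect on this machine and
# for this user, plus the OS generation that decides whether the Offline Files
# cache is keyed per user (Vista and later) or to the machine (XP).
# Registry paths follow the Offline Files policy template; treat them as
# assumptions and verify against your own ADMX set.

function Get-OfflineFilesPolicyState {
    $machineNetCache = 'HKLM:\Software\Policies\Microsoft\Windows\NetCache'
    $userNetCache    = 'HKCU:\Software\Policies\Microsoft\Windows\NetCache'

    # "Encrypt the Offline Files cache" (computer policy): EncryptCache = 1.
    $encryptCache = (Get-ItemProperty -Path $machineNetCache -Name EncryptCache -ErrorAction SilentlyContinue).EncryptCache

    # "Administratively assigned offline files": each value name under
    # AssignedOfflineFolders is a UNC path pinned for the user (user policy)
    # or for everyone on the machine (computer policy).
    $assigned = @()
    foreach ($root in @("$userNetCache\AssignedOfflineFolders", "$machineNetCache\AssignedOfflineFolders")) {
        $key = Get-Item -Path $root -ErrorAction SilentlyContinue
        if ($key) { $assigned += $key.GetValueNames() }
    }

    # Folder Redirection of My Documents shows up as the resolved Documents
    # path pointing at a UNC share rather than into the local profile.
    $documents  = [Environment]::GetFolderPath([Environment+SpecialFolder]::MyDocuments)
    $redirected = $documents -like '\\*'

    # Per-user encryption of the Offline Files cache arrived with Windows Vista
    # (NT 6.0); on XP (NT 5.1) the cache key is machine-bound, so resetting the
    # local Administrator password is enough to read it.
    $osVersion       = [Environment]::OSVersion.Version
    $perUserCacheKey = $osVersion.Major -ge 6

    [pscustomobject]@{
        EncryptOfflineCacheEnabled = ($encryptCache -eq 1)
        AssignedOfflineFolders     = $assigned
        MyDocumentsPath            = $documents
        MyDocumentsOnNetworkShare  = $redirected
        OSVersion                  = $osVersion.ToString()
        CachePerUserKey            = $perUserCacheKey
    }
}

$state = Get-OfflineFilesPolicyState
$state | Format-List

if ($state.EncryptOfflineCacheEnabled -and -not $state.CachePerUserKey) {
    Write-Warning 'Offline cache encryption is on, but this OS keys the cache to the machine; treat it as weak protection for a lost laptop.'
}
```

Run it in the user's own session so the HKCU values and the resolved Documents path reflect that user's policy. A result with `EncryptOfflineCacheEnabled` true and `CachePerUserKey` false is exactly the XP situation the thread calls an illusion of security.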
| colemancraig1
Posts:40
 | | 02/20/2008 12:21 PM |
| Agreed, encrypted offline files are an illusion... although you could take it a step further with SYSKEY mode 2, or use encrypted thumb drives for mode 3 (just don't lose it).
| | | |