Can EFS be set on a per group basis?


Solution 1

It is possible to give multiple users access to an EFS-encrypted file, so long as you are using Windows XP or above on clients, and Server 2003 or above on the server. You cannot do it for a group; you will need to add each individual user.

The main point to be aware of with this is that the user(s) you want to give access to the EFS-encrypted file must have a valid EFS certificate stored in Active Directory. You can then add multiple users to the access list of the EFS-encrypted file:

[EFS image: screenshot from the original answer]
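Because EFS keys files to individual certificates and not to groups, the practical way to honour a "give the directors access" request is to expand the group yourself and add each member's certificate. The script below is an added example, not code from the answer above. It assumes a domain-joined host, PowerShell 2.0 or later, that the caller can already decrypt the file, and that each user's EFS certificate is published in the userCertificate attribute of their AD account (the requirement the answer states). The group name and file path in the usage line are hypothetical.

```powershell
# Added example: add every member of an AD group to an EFS-encrypted file,
# one certificate at a time, because cipher.exe /ADDUSER takes a certificate,
# never a group. Nested groups are not expanded (assumption: flat membership).

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificateFromAd {
    # Returns the first unexpired certificate in the user's AD userCertificate
    # attribute whose EKU includes EFS, or $null if the user has none.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { return $null }

    foreach ($raw in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        # 2.5.29.37 is the Extended Key Usage extension; .NET surfaces it as X509EnhancedKeyUsageExtension
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku }) -and $cert.NotAfter -gt (Get-Date)) {
            return $cert
        }
    }
    return $null
}

function Get-AdGroupMemberSam {
    # Resolves direct user members of a group to sAMAccountNames via ADSI
    # (works on Server 2003; no ActiveDirectory module needed).
    param([Parameter(Mandatory=$true)][string]$GroupName)

    $group = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))").FindOne()
    if (-not $group) { throw "Group '$GroupName' not found in AD" }
    foreach ($dn in $group.Properties['member']) {
        $member = [adsi]"LDAP://$dn"
        if ([string]$member.objectCategory -like 'CN=Person*') { [string]$member.sAMAccountName }
    }
}

function Add-EfsUsersFromGroup {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$GroupName)

    foreach ($sam in Get-AdGroupMemberSam -GroupName $GroupName) {
        $cert = Get-EfsCertificateFromAd -SamAccountName $sam
        if (-not $cert) { Write-Warning "$sam has no valid EFS certificate in AD; skipped"; continue }
        # cipher locates the certificate by its SHA-1 hash (the thumbprint) and adds
        # a DDF entry so this user's key can unwrap the file's FEK.
        & cipher.exe /adduser "/certhash:$($cert.Thumbprint)" $Path
        if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /adduser failed for $sam (exit $LASTEXITCODE)" }
    }
    # List who can now decrypt the file. cipher /c exists from Vista / Server 2008;
    # on XP / Server 2003 use efsinfo.exe /u from the resource kit instead.
    & cipher.exe /c $Path
}

# Hypothetical usage:
# Add-EfsUsersFromGroup -Path 'D:\Directors\board-minutes.docx' -GroupName 'Directors'
```

Two caveats a practitioner should keep in mind. First, the access list is per file and fixed at the time you run this: a new file created in the share is encrypted with only its creator's certificate and the recovery agent's, so the script has to be re-run (or `cipher /adduser /s:dir` applied to the whole folder) whenever files are added. Second, a user leaving the group is not removed automatically; that takes `cipher /removeuser` with the same certificate hash.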

Solution 2

"Has anyone else been tasked with a similar request, and if so, how did you deal with it?"

If they don't want the sysadmins to have access, it doesn't truly matter if you use EFS or NTFS permissions - the short answer is that if you want the data to be backed up, admins need access. It's impossible to have access to what you can't read - so if they're that concerned about what you can get to... it might be time for a chat about what they're actually afraid of.

Or... they're not going to understand anyway, so you can dazzle them with a new acronym, EFS will take care of that, and Sam's answer is the fix. ;)


Author: Kcmamu

Developer, Systems Admin, Geek, Gadget lover, etc. etc. I started programming in BASIC at the age of 11 on a Sinclair ZX81, advanced to a BBC Model B, where I learned 6502 assembly language programming. I never really worked with PCs until the early 90s. In the late 90s, I joined a higher educational institution as a desktop technician, and quickly got promoted to be a systems admin, working predominantly on Windows systems, but also had a keen interest in Linux systems. I later got involved in software development, working in C#, PHP, C. In my current employment, I'm the manager of the company's Information Systems department. The primary focus of our business is industrial control systems (mostly legacy systems). The work isn't exclusively legacy/control systems though, as we also support modern systems for a number of business customers.

Updated on September 17, 2022

Comments

  • Kcmamu
    Kcmamu over 1 year

    I've been asked to create some file store for our directors that will contain sensitive information. They have asked that it not be possible for other admins to read the data.

    I immediately thought of EFS, but I seem to recall this can only be done on a per-user basis.

    We are currently running Server 2003, however we are likely to migrate to Server 2008 (possibly R2) in the near future.

    Has anyone else been tasked with a similar request, and if so, how did you deal with it?

  • Kcmamu
    Kcmamu almost 15 years
    EFS is one of the technologies I've been trying to steer clear of, so it was only a matter of time before it was requested :) I'm pretty sure the fact that the data will be encrypted will suffice. They have been asking for a USB disk stored in a locked container for storing their sensitive data on. I did manage to explain why this was a bad idea, and they are no longer pursuing that idea at least. Thanks.
  • raja
    raja almost 15 years
    admins do not need permissions to read the file to back up a server.
  • Spence
    Spence almost 15 years
    @Kara: I disagree with the re: "if you want the data to be backed up". EFS has a backup API that decouples decryption from backup and allows properly-written backup software to read the ciphertext directly for backup purposes. You absolutely can use EFS to exclude "admins" (really, anyone w/o the right credentials) access to files. If you've followed best-practices and exported the recovery agent keys and removed them from the domain, only those with the right keys to decrypt the file are going to be able to decrypt it. If an "admin" changes passwords to gain access it'll leave an audit trail.
  • Kara Marfia
    Kara Marfia almost 15 years
    If you're using corporate-managed PKI, you've got an override certificate (at least with MS CA) - so you HAVE access, whether or not you choose to use it. Keeping all admins out of your data is cutting off your nose to spite your face.
  • Spence
    Spence almost 15 years
    Have you actually used EFS? I was not arguing the point re: it being a good idea not to have "admins" w/ access to data. You absolutely can take the recovery agent private key offline and secure it physically. It's considered best practice to do so. To argue the point, though: I am glad it can be shown that EFS prevents my access to data for one of my Customers (a court). I could be put in jail for accessing sealed cases, for example. With EFS, there's no way for me to access that data w/o leaving an audit trail. The data is backed-up in its encrypted state and is still fully recoverable.
  • Spence
    Spence almost 15 years
    I'm guessing that there are quite a number of applications where network administrators should have access to backup / restore data files that they, otherwise, shouldn't have access to the contents of. Just because you haven't worked in such an environment, that doesn't mean that they don't exist. Working in environments where access to confidential data could make me a suspect in a breach, I'd rather have EFS sitting between me and that data such that any number of experts could testify to my inability to access that data w/o leaving an audit trail.
  • Kara Marfia
    Kara Marfia almost 15 years
    You're talking about an audit trail. The question (and my comments) were about access. It's a shame that the distinction confused you, leading to all this hostility.
  • Spence
    Spence almost 15 years
    @Kara: There's no hostility at all! We have a difference of opinion re: this feature. I see many valid applications for it, and consider it a "good thing" that there is a mechanism to allow backup / restore of data w/o providing access to the data and you don't. Regardless, the feature is what it is, and your original comment "if you want the data to be backed up, admins need access" is untrue in the context of how EFS works. In the end, that untruth is the "grain of sand" that's causing the irritation for me. I don't particularly love Microsoft's software, but I love misinformation much less.
  • Spence
    Spence almost 15 years
    I'm not just talking about an audit trail, though. In the context of backups, a mechanism that only audits access won't "cut the mustard" for the kind of data I'm talking about. When that data is "at rest" on backups, it still needs to be inaccessible to "admins". Just auditing the access in the operating system, as you're suggesting, doesn't audit the access when I make an illicit copy of that tape, sneak it out of the data center, and mount it up at home. I'd rather have EFS than being searched at the door every day. (Yes, yes-- I know I should stop trying to "sell" you on the feature.)
  • Kara Marfia
    Kara Marfia almost 15 years
    I probably should've done a better job of separating the two thoughts, and you're right - if you have backup & PKI handled by different admins/groups - you HAVE effectively kept them both out of your data. I suppose it seems churlish to me to be that mistrustful of admins... but that's not the issue. ;) I agree EFS has great applications, and I should TRULY not post first thing in the AM after a holiday (owwww) weekend! (thanks for being patient)
  • Spence
    Spence almost 15 years
    (smile) No worries. It makes for great conversation, and keeps me from doing the work I'm supposed to be doing this morning. Keep up the good work w/ Server Fault-- I'm really enjoying it. (Bonus points for making me look up a word in the dictionary, too...) I actually like my Customers being distrustful of me. Anything that keeps me from being a suspect in a potential breach and limits my potential liability makes me happy. I know where you're coming from, though.
  • Kara Marfia
    Kara Marfia almost 15 years
    Yes, I remember my naive expectation that once I became in-house sysadmin, I wouldn't have to contend with mistrustful customers. Hah! I'll be the first to say I'm one of the less knowledgeable folks here, so I'm happy to do what I can to make it a fun and useful place, so I can keep learning from you guys! (sorry for making a mess on your question, Bryan!) ;)
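The backup arrangement Spence describes in the comments above (ciphertext is backed up by an operator who holds no key, and the recovery agent's private key lives offline) can be exercised from the command line. The script below is an added example for this thread, not code posted by any of the participants. It assumes a robocopy that supports the /EFSRAW switch (Vista / Server 2008 and later; this is what drives the EFS raw backup API), that the account running it has NTFS read access and the Backup Operators privilege but no EFS certificate for the files, and that a recovery agent was created with `cipher /r` whose .pfx has already been taken offline. All paths are hypothetical.

```powershell
# Added example: back up EFS-encrypted files as ciphertext and prove the
# backup account cannot read them. Not from the original thread.

# One-time, done on an isolated admin workstation (not part of this function):
#   cipher /r:C:\dra\directors-dra
# produces directors-dra.cer (publish this via Group Policy under
# Public Key Policies > Encrypting File System) and directors-dra.pfx
# (the private key: move it to offline storage, never import it on a domain
# machine). Recovery then requires fetching and importing the .pfx on purpose,
# which is the audit trail Spence refers to.

function Backup-EfsRaw {
    param([Parameter(Mandatory=$true)][string]$Source,
          [Parameter(Mandatory=$true)][string]$Destination)

    # /EFSRAW  copy encrypted files in EFS raw mode (ReadEncryptedFileRaw): the
    #          $EFS stream and ciphertext move as-is, no decryption key needed
    # /B       backup mode, uses SeBackupPrivilege so NTFS ACLs on the share
    #          can still keep the operator out of the plaintext path
    # /E       include subdirectories, empty ones too
    & robocopy.exe $Source $Destination /E /EFSRAW /B /NP /NFL /NDL /R:1 /W:1
    # robocopy exit codes 0-7 mean success variants; 8 and above mean failures
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    return $LASTEXITCODE
}

function Test-EfsBackup {
    # For every encrypted file in the backup, report whether the current account
    # can read its plaintext. Expected result for a backup operator without a
    # key: every line says 'ciphertext only'.
    param([Parameter(Mandatory=$true)][string]$Destination)

    $files = Get-ChildItem -Path $Destination -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        if (($f.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) {
            Write-Warning "$($f.FullName) is NOT encrypted in the backup copy"
            continue
        }
        $readable = $true
        try   { [void][IO.File]::ReadAllBytes($f.FullName) }
        catch [System.UnauthorizedAccessException] { $readable = $false }
        $state = if ($readable) { 'READABLE (a key for this file is present)' } else { 'ciphertext only' }
        "{0}`t{1}" -f $state, $f.FullName
    }
    # cipher /c shows every certificate (users and recovery agents) that can
    # decrypt each file; check the DRA listed is the offline one and nothing else.
    & cipher.exe /c "/s:$Destination"
}

# Hypothetical usage, run as the backup operator:
# Backup-EfsRaw -Source 'D:\Directors' -Destination 'E:\Backups\Directors'
# Test-EfsBackup -Destination 'E:\Backups\Directors'
```

The check that matters is the second one: a file that comes back READABLE under the backup account means that account holds a usable key (its own certificate was added, or the DRA private key is still in a local store), and the separation the thread argues for has already failed. Note that this protects the contents of the backup tape, not its existence: EFS metadata still reveals file names, sizes and which certificates can open each file.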