1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

trusted for delegation; encrypt folder on file server

Discussion in 'Windows Home Server' started by techstress, Oct 10, 2009.

  1. techstress

    techstress Guest

    I created a folder in my user home folder and tried to set it to
    encrypt the contents (efs). This was performed from a xp workstation
    on a windows domain. The folder was created on the company's file
    server. An error messgae was displayed and research showed that the
    workstation should have trusted for delegation checked in Users and
    computers. I'm having a tough time finding out what the impact of
    setting trusted for delegation has for a workstation on the domain.

    Also, I'm wondering if our backup software will still be able to
    backup and recover this folder. The backup software uses a different
    user account.
     
    techstress, Oct 10, 2009
    #1
  3. DaveMills

    DaveMills Guest

    On Sat, 10 Oct 2009 14:57:29 -0700 (PDT), techstress <foscsamuels@gmail.com>
    wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    >I created a folder in my user home folder and tried to set it to
    >encrypt the contents (efs). This was performed from a xp workstation
    >on a windows domain. The folder was created on the company's file
    >server. An error messgae was displayed and research showed that the
    >workstation should have trusted for delegation checked in Users and
    >computers. I'm having a tough time finding out what the impact of
    >setting trusted for delegation has for a workstation on the domain.
    >
    >Also, I'm wondering if our backup software will still be able to
    >backup and recover this folder. The backup software uses a different
    >user account.<!--colorc--><!--/colorc-->

    The backup software should treat the file as a binary blob. It can copy it but
    not understand what is in it.
    --
    Dave Mills
    There are 10 types of people, those that understand binary and those that don't.
     
    DaveMills, Oct 11, 2009
    #2
  4. Anteaus

    Anteaus Guest

    You do not say if you are the network admin, but if not then I would have
    second thoughts about doing this kind of thing without permission.

    In any event, EFS is a very dangerous tool, and one which is responsible for
    numerous catastrophic data losses. One of the issues is (as you surmise)
    that it may not be possible to recover data from a backup unless special
    considerations are implemented regarding the encryption keys. Unless you have
    a genuine need for high security I'd leave it alone.

    "techstress" wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    > I created a folder in my user home folder and tried to set it to
    > encrypt the contents (efs). This was performed from a xp workstation
    > on a windows domain. The folder was created on the company's file
    > server. An error messgae was displayed and research showed that the
    > workstation should have trusted for delegation checked in Users and
    > computers. I'm having a tough time finding out what the impact of
    > setting trusted for delegation has for a workstation on the domain.
    >
    > Also, I'm wondering if our backup software will still be able to
    > backup and recover this folder. The backup software uses a different
    > user account.
    > <!--colorc--><!--/colorc-->
     
    Anteaus, Oct 11, 2009
    #3
  5. Marcin

    Marcin Guest

    The security implications of such approach are described quite eloquently by
    Bill Boswell in this article -

    Backed up files remain encrypted on the media - your backup simply needs to
    run in the security context of an account which is a member of local Backup
    Operators group...

    hth
    Marcin

    "techstress" <foscsamuels@gmail.com> wrote in message
    news:4bb39790-04d5-445a-b239-6ac27f3a7b7d@b15g2000yqd.googlegroups.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    >I created a folder in my user home folder and tried to set it to
    > encrypt the contents (efs). This was performed from a xp workstation
    > on a windows domain. The folder was created on the company's file
    > server. An error messgae was displayed and research showed that the
    > workstation should have trusted for delegation checked in Users and
    > computers. I'm having a tough time finding out what the impact of
    > setting trusted for delegation has for a workstation on the domain.
    >
    > Also, I'm wondering if our backup software will still be able to
    > backup and recover this folder. The backup software uses a different
    > user account. <!--colorc--><!--/colorc-->
     
    Marcin, Oct 11, 2009
    #4
  6. techstress

    techstress Guest

    Thank you everyone for the replies. I'm the admin of these
    computersand am looking to test certain functionality. I was thinking
    to enhance access control by adding EFS. I've seen misconfigurations
    being made to ACLs that could expose data. I wanted to use EFS to
    only allow access to a particular user account. It seems risky
    though. I would be sure to create and regularly backup the recovery
    keys. But trusted for delegation sounds dangerous. I'd like to see
    additional measures in place as well.

    Once again thanks for the info. It's been a big help.
     
    techstress, Oct 12, 2009
    #5

Share This Page