Advanced Atrributes Tab under folder properties

L

Lpoffe

Hi,

We have the following problem : we created on a partition a folder called
data which has been encrypted with EFS. We always want to keep that folder
encrypted.
Unfortunaly a user can decrypt that folder via the 'Advanced Attributes'
button under the folder properties.

Question : Is there a way that we can disable that 'Advanced Attributes'
button in such a way that the folder stays encrypted with EFS ?
 
D

Daniel Petri

A folder CANNOT be encrypted with EFS. Only files can.

In any case, what's the point behind ENCRYPTING something (with EFS in this
case), if ANY user can remove the encryption??? Do you see a logic here? I
can't. Try doing the same to a FILE and not to a FOLDER, and you'll see that
only the original user and the Recovery Agent can decrypt the file.

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> Hi,
>
> We have the following problem : we created on a partition a folder called
> data which has been encrypted with EFS. We always want to keep that
> folder
> encrypted.
> Unfortunaly a user can decrypt that folder via the 'Advanced Attributes'
> button under the folder properties.
>
> Question : Is there a way that we can disable that 'Advanced Attributes'
> button in such a way that the folder stays encrypted with EFS ?
>
 
L

Lpoffe

Hi Daniel,

I agree but how can I force my users to encrypt always there files ?



"Daniel Petri <MVP>" wrote:

> A folder CANNOT be encrypted with EFS. Only files can.
>
> In any case, what's the point behind ENCRYPTING something (with EFS in this
> case), if ANY user can remove the encryption??? Do you see a logic here? I
> can't. Try doing the same to a FILE and not to a FOLDER, and you'll see that
> only the original user and the Recovery Agent can decrypt the file.
>
> --
> Sincerely,
>
> Daniel Petri
> MVP, Senior IT consultant, trainer
> www.petri.co.il
>
> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> > Hi,
> >
> > We have the following problem : we created on a partition a folder called
> > data which has been encrypted with EFS. We always want to keep that
> > folder
> > encrypted.
> > Unfortunaly a user can decrypt that folder via the 'Advanced Attributes'
> > button under the folder properties.
> >
> > Question : Is there a way that we can disable that 'Advanced Attributes'
> > button in such a way that the folder stays encrypted with EFS ?
> >
>
 
S

Steve Riley [MSFT]

Why do you need all users to encrypt all files? What threats are you trying
to mitigate? Do they use laptops (where encryption is good, and I prefer
BitLocker for this) or desktops? Tell us more.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
> Hi Daniel,
>
> I agree but how can I force my users to encrypt always there files ?
>
>
>
> "Daniel Petri <MVP>" wrote:
>
>> A folder CANNOT be encrypted with EFS. Only files can.
>>
>> In any case, what's the point behind ENCRYPTING something (with EFS in
>> this
>> case), if ANY user can remove the encryption??? Do you see a logic here?
>> I
>> can't. Try doing the same to a FILE and not to a FOLDER, and you'll see
>> that
>> only the original user and the Recovery Agent can decrypt the file.
>>
>> --
>> Sincerely,
>>
>> Daniel Petri
>> MVP, Senior IT consultant, trainer
>> www.petri.co.il
>>
>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
>> > Hi,
>> >
>> > We have the following problem : we created on a partition a folder
>> > called
>> > data which has been encrypted with EFS. We always want to keep that
>> > folder
>> > encrypted.
>> > Unfortunaly a user can decrypt that folder via the 'Advanced
>> > Attributes'
>> > button under the folder properties.
>> >
>> > Question : Is there a way that we can disable that 'Advanced
>> > Attributes'
>> > button in such a way that the folder stays encrypted with EFS ?
>> >
>>
 
L

Lpoffe

Hi Steve,

I also prefer Bitlocker but if you can convince my management to move on to
Vista ...
Unless there is Bitlocker version for XP.

So what my management is requesting for our laptop users : keep win XP,
create a second partition (e:\ drive) and a folder 'data'. (e:\data)
Users don't have access to c:\ or to e:\ only to e:\data. So what we want
is that if a user put's a file on e:\data it should be encrypted but he
should not have the option to decrypt the files on e:\data. We always want
to keep the files encrypted.

Ludo

"Steve Riley [MSFT]" wrote:

> Why do you need all users to encrypt all files? What threats are you trying
> to mitigate? Do they use laptops (where encryption is good, and I prefer
> BitLocker for this) or desktops? Tell us more.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
> > Hi Daniel,
> >
> > I agree but how can I force my users to encrypt always there files ?
> >
> >
> >
> > "Daniel Petri <MVP>" wrote:
> >
> >> A folder CANNOT be encrypted with EFS. Only files can.
> >>
> >> In any case, what's the point behind ENCRYPTING something (with EFS in
> >> this
> >> case), if ANY user can remove the encryption??? Do you see a logic here?
> >> I
> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll see
> >> that
> >> only the original user and the Recovery Agent can decrypt the file.
> >>
> >> --
> >> Sincerely,
> >>
> >> Daniel Petri
> >> MVP, Senior IT consultant, trainer
> >> www.petri.co.il
> >>
> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> >> > Hi,
> >> >
> >> > We have the following problem : we created on a partition a folder
> >> > called
> >> > data which has been encrypted with EFS. We always want to keep that
> >> > folder
> >> > encrypted.
> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
> >> > Attributes'
> >> > button under the folder properties.
> >> >
> >> > Question : Is there a way that we can disable that 'Advanced
> >> > Attributes'
> >> > button in such a way that the folder stays encrypted with EFS ?
> >> >
> >>
 
D

Daniel Petri

Sorry for asking, but what will they gain from this? If the laptop is
stolen, are they aware of the fact that unless it's encrypted with
BitLocker, it's most likely that the content of e:\data will be stolen as
well? Are they using some sort of Smart Cards or other method of
authentication?

Unless something really sophisticated is going on that we're not aware of,
I'd suggest that you review your requirements, and that you ask a good
security expert to help you design your security solutions.

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
> Hi Steve,
>
> I also prefer Bitlocker but if you can convince my management to move on
> to
> Vista ...
> Unless there is Bitlocker version for XP.
>
> So what my management is requesting for our laptop users : keep win XP,
> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
> Users don't have access to c:\ or to e:\ only to e:\data. So what we want
> is that if a user put's a file on e:\data it should be encrypted but he
> should not have the option to decrypt the files on e:\data. We always
> want
> to keep the files encrypted.
>
> Ludo
>
> "Steve Riley [MSFT]" wrote:
>
>> Why do you need all users to encrypt all files? What threats are you
>> trying
>> to mitigate? Do they use laptops (where encryption is good, and I prefer
>> BitLocker for this) or desktops? Tell us more.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
>> > Hi Daniel,
>> >
>> > I agree but how can I force my users to encrypt always there files ?
>> >
>> >
>> >
>> > "Daniel Petri <MVP>" wrote:
>> >
>> >> A folder CANNOT be encrypted with EFS. Only files can.
>> >>
>> >> In any case, what's the point behind ENCRYPTING something (with EFS in
>> >> this
>> >> case), if ANY user can remove the encryption??? Do you see a logic
>> >> here?
>> >> I
>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll
>> >> see
>> >> that
>> >> only the original user and the Recovery Agent can decrypt the file.
>> >>
>> >> --
>> >> Sincerely,
>> >>
>> >> Daniel Petri
>> >> MVP, Senior IT consultant, trainer
>> >> www.petri.co.il
>> >>
>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
>> >> > Hi,
>> >> >
>> >> > We have the following problem : we created on a partition a folder
>> >> > called
>> >> > data which has been encrypted with EFS. We always want to keep that
>> >> > folder
>> >> > encrypted.
>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
>> >> > Attributes'
>> >> > button under the folder properties.
>> >> >
>> >> > Question : Is there a way that we can disable that 'Advanced
>> >> > Attributes'
>> >> > button in such a way that the folder stays encrypted with EFS ?
>> >> >
>> >>
 
S

Steve Riley [MSFT]

Daniel is correct. Until you can define which threats you want to mitigate,
then you really can't design an appropriate encryption process.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message
news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...
> Sorry for asking, but what will they gain from this? If the laptop is
> stolen, are they aware of the fact that unless it's encrypted with
> BitLocker, it's most likely that the content of e:\data will be stolen as
> well? Are they using some sort of Smart Cards or other method of
> authentication?
>
> Unless something really sophisticated is going on that we're not aware of,
> I'd suggest that you review your requirements, and that you ask a good
> security expert to help you design your security solutions.
>
> --
> Sincerely,
>
> Daniel Petri
> MVP, Senior IT consultant, trainer
> www.petri.co.il
>
> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
>> Hi Steve,
>>
>> I also prefer Bitlocker but if you can convince my management to move on
>> to
>> Vista ...
>> Unless there is Bitlocker version for XP.
>>
>> So what my management is requesting for our laptop users : keep win XP,
>> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
>> Users don't have access to c:\ or to e:\ only to e:\data. So what we
>> want
>> is that if a user put's a file on e:\data it should be encrypted but he
>> should not have the option to decrypt the files on e:\data. We always
>> want
>> to keep the files encrypted.
>>
>> Ludo
>>
>> "Steve Riley [MSFT]" wrote:
>>
>>> Why do you need all users to encrypt all files? What threats are you
>>> trying
>>> to mitigate? Do they use laptops (where encryption is good, and I prefer
>>> BitLocker for this) or desktops? Tell us more.
>>>
>>> --
>>> Steve Riley
>>> steve.riley@microsoft.com
>>> http://blogs.technet.com/steriley
>>> http://www.protectyourwindowsnetwork.com
>>>
>>>
>>>
>>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
>>> > Hi Daniel,
>>> >
>>> > I agree but how can I force my users to encrypt always there files ?
>>> >
>>> >
>>> >
>>> > "Daniel Petri <MVP>" wrote:
>>> >
>>> >> A folder CANNOT be encrypted with EFS. Only files can.
>>> >>
>>> >> In any case, what's the point behind ENCRYPTING something (with EFS
>>> >> in
>>> >> this
>>> >> case), if ANY user can remove the encryption??? Do you see a logic
>>> >> here?
>>> >> I
>>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll
>>> >> see
>>> >> that
>>> >> only the original user and the Recovery Agent can decrypt the file.
>>> >>
>>> >> --
>>> >> Sincerely,
>>> >>
>>> >> Daniel Petri
>>> >> MVP, Senior IT consultant, trainer
>>> >> www.petri.co.il
>>> >>
>>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
>>> >> > Hi,
>>> >> >
>>> >> > We have the following problem : we created on a partition a folder
>>> >> > called
>>> >> > data which has been encrypted with EFS. We always want to keep
>>> >> > that
>>> >> > folder
>>> >> > encrypted.
>>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
>>> >> > Attributes'
>>> >> > button under the folder properties.
>>> >> >
>>> >> > Question : Is there a way that we can disable that 'Advanced
>>> >> > Attributes'
>>> >> > button in such a way that the folder stays encrypted with EFS ?
>>> >> >
>>> >>
>
 
L

Lpoffe

Hi,
We have more than 10.000 clients and the idea is to migrate to Vista in
2010, so that we can use bitlocker. Meantime management request that we
protect the data on our laptops, against data lost and if possible encrypted
and without spending money...
Therefore I is was thinking to implement EFS but then users should not have
the option to decrypt files...

Ludo


"Steve Riley [MSFT]" wrote:

> Daniel is correct. Until you can define which threats you want to mitigate,
> then you really can't design an appropriate encryption process.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message
> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...
> > Sorry for asking, but what will they gain from this? If the laptop is
> > stolen, are they aware of the fact that unless it's encrypted with
> > BitLocker, it's most likely that the content of e:\data will be stolen as
> > well? Are they using some sort of Smart Cards or other method of
> > authentication?
> >
> > Unless something really sophisticated is going on that we're not aware of,
> > I'd suggest that you review your requirements, and that you ask a good
> > security expert to help you design your security solutions.
> >
> > --
> > Sincerely,
> >
> > Daniel Petri
> > MVP, Senior IT consultant, trainer
> > www.petri.co.il
> >
> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
> >> Hi Steve,
> >>
> >> I also prefer Bitlocker but if you can convince my management to move on
> >> to
> >> Vista ...
> >> Unless there is Bitlocker version for XP.
> >>
> >> So what my management is requesting for our laptop users : keep win XP,
> >> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
> >> Users don't have access to c:\ or to e:\ only to e:\data. So what we
> >> want
> >> is that if a user put's a file on e:\data it should be encrypted but he
> >> should not have the option to decrypt the files on e:\data. We always
> >> want
> >> to keep the files encrypted.
> >>
> >> Ludo
> >>
> >> "Steve Riley [MSFT]" wrote:
> >>
> >>> Why do you need all users to encrypt all files? What threats are you
> >>> trying
> >>> to mitigate? Do they use laptops (where encryption is good, and I prefer
> >>> BitLocker for this) or desktops? Tell us more.
> >>>
> >>> --
> >>> Steve Riley
> >>> steve.riley@microsoft.com
> >>> http://blogs.technet.com/steriley
> >>> http://www.protectyourwindowsnetwork.com
> >>>
> >>>
> >>>
> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
> >>> > Hi Daniel,
> >>> >
> >>> > I agree but how can I force my users to encrypt always there files ?
> >>> >
> >>> >
> >>> >
> >>> > "Daniel Petri <MVP>" wrote:
> >>> >
> >>> >> A folder CANNOT be encrypted with EFS. Only files can.
> >>> >>
> >>> >> In any case, what's the point behind ENCRYPTING something (with EFS
> >>> >> in
> >>> >> this
> >>> >> case), if ANY user can remove the encryption??? Do you see a logic
> >>> >> here?
> >>> >> I
> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll
> >>> >> see
> >>> >> that
> >>> >> only the original user and the Recovery Agent can decrypt the file.
> >>> >>
> >>> >> --
> >>> >> Sincerely,
> >>> >>
> >>> >> Daniel Petri
> >>> >> MVP, Senior IT consultant, trainer
> >>> >> www.petri.co.il
> >>> >>
> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> >>> >> > Hi,
> >>> >> >
> >>> >> > We have the following problem : we created on a partition a folder
> >>> >> > called
> >>> >> > data which has been encrypted with EFS. We always want to keep
> >>> >> > that
> >>> >> > folder
> >>> >> > encrypted.
> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
> >>> >> > Attributes'
> >>> >> > button under the folder properties.
> >>> >> >
> >>> >> > Question : Is there a way that we can disable that 'Advanced
> >>> >> > Attributes'
> >>> >> > button in such a way that the folder stays encrypted with EFS ?
> >>> >> >
> >>> >>
> >
 
L

Lpoffe

Hi,
We have more than 10.000 clients and the idea is to migrate to Vista in
2010, so that we can use bitlocker. Meantime management request that we
protect the data on our laptops, against data lost and if possible encrypted
and without spending money...
Therefore I is was thinking to implement EFS but then users should not have
the option to decrypt files...

Ludo


"Steve Riley [MSFT]" wrote:

> Daniel is correct. Until you can define which threats you want to mitigate,
> then you really can't design an appropriate encryption process.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message
> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...
> > Sorry for asking, but what will they gain from this? If the laptop is
> > stolen, are they aware of the fact that unless it's encrypted with
> > BitLocker, it's most likely that the content of e:\data will be stolen as
> > well? Are they using some sort of Smart Cards or other method of
> > authentication?
> >
> > Unless something really sophisticated is going on that we're not aware of,
> > I'd suggest that you review your requirements, and that you ask a good
> > security expert to help you design your security solutions.
> >
> > --
> > Sincerely,
> >
> > Daniel Petri
> > MVP, Senior IT consultant, trainer
> > www.petri.co.il
> >
> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
> >> Hi Steve,
> >>
> >> I also prefer Bitlocker but if you can convince my management to move on
> >> to
> >> Vista ...
> >> Unless there is Bitlocker version for XP.
> >>
> >> So what my management is requesting for our laptop users : keep win XP,
> >> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
> >> Users don't have access to c:\ or to e:\ only to e:\data. So what we
> >> want
> >> is that if a user put's a file on e:\data it should be encrypted but he
> >> should not have the option to decrypt the files on e:\data. We always
> >> want
> >> to keep the files encrypted.
> >>
> >> Ludo
> >>
> >> "Steve Riley [MSFT]" wrote:
> >>
> >>> Why do you need all users to encrypt all files? What threats are you
> >>> trying
> >>> to mitigate? Do they use laptops (where encryption is good, and I prefer
> >>> BitLocker for this) or desktops? Tell us more.
> >>>
> >>> --
> >>> Steve Riley
> >>> steve.riley@microsoft.com
> >>> http://blogs.technet.com/steriley
> >>> http://www.protectyourwindowsnetwork.com
> >>>
> >>>
> >>>
> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
> >>> > Hi Daniel,
> >>> >
> >>> > I agree but how can I force my users to encrypt always there files ?
> >>> >
> >>> >
> >>> >
> >>> > "Daniel Petri <MVP>" wrote:
> >>> >
> >>> >> A folder CANNOT be encrypted with EFS. Only files can.
> >>> >>
> >>> >> In any case, what's the point behind ENCRYPTING something (with EFS
> >>> >> in
> >>> >> this
> >>> >> case), if ANY user can remove the encryption??? Do you see a logic
> >>> >> here?
> >>> >> I
> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll
> >>> >> see
> >>> >> that
> >>> >> only the original user and the Recovery Agent can decrypt the file.
> >>> >>
> >>> >> --
> >>> >> Sincerely,
> >>> >>
> >>> >> Daniel Petri
> >>> >> MVP, Senior IT consultant, trainer
> >>> >> www.petri.co.il
> >>> >>
> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> >>> >> > Hi,
> >>> >> >
> >>> >> > We have the following problem : we created on a partition a folder
> >>> >> > called
> >>> >> > data which has been encrypted with EFS. We always want to keep
> >>> >> > that
> >>> >> > folder
> >>> >> > encrypted.
> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
> >>> >> > Attributes'
> >>> >> > button under the folder properties.
> >>> >> >
> >>> >> > Question : Is there a way that we can disable that 'Advanced
> >>> >> > Attributes'
> >>> >> > button in such a way that the folder stays encrypted with EFS ?
> >>> >> >
> >>> >>
> >
 
S

Steve Riley [MSFT]

What kind of data loss? Do you mean theft of a laptop? If so, then BitLocker
is better suited to this, so perhaps you can accelerate your upgrade plans.

Properly configured, EFS can also be used to mitigate this threat, but it's
more work. Follow the guidance in the Data Encryption Toolkit for Mobile PCs
(search our web site for it).

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
news:A7D84739-425E-4712-9B6B-086EC6F9D773@microsoft.com...
> Hi,
> We have more than 10.000 clients and the idea is to migrate to Vista in
> 2010, so that we can use bitlocker. Meantime management request that we
> protect the data on our laptops, against data lost and if possible
> encrypted
> and without spending money...
> Therefore I is was thinking to implement EFS but then users should not
> have
> the option to decrypt files...
>
> Ludo
>
>
> "Steve Riley [MSFT]" wrote:
>
>> Daniel is correct. Until you can define which threats you want to
>> mitigate,
>> then you really can't design an appropriate encryption process.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message
>> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...
>> > Sorry for asking, but what will they gain from this? If the laptop is
>> > stolen, are they aware of the fact that unless it's encrypted with
>> > BitLocker, it's most likely that the content of e:\data will be stolen
>> > as
>> > well? Are they using some sort of Smart Cards or other method of
>> > authentication?
>> >
>> > Unless something really sophisticated is going on that we're not aware
>> > of,
>> > I'd suggest that you review your requirements, and that you ask a good
>> > security expert to help you design your security solutions.
>> >
>> > --
>> > Sincerely,
>> >
>> > Daniel Petri
>> > MVP, Senior IT consultant, trainer
>> > www.petri.co.il
>> >
>> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
>> >> Hi Steve,
>> >>
>> >> I also prefer Bitlocker but if you can convince my management to move
>> >> on
>> >> to
>> >> Vista ...
>> >> Unless there is Bitlocker version for XP.
>> >>
>> >> So what my management is requesting for our laptop users : keep win
>> >> XP,
>> >> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
>> >> Users don't have access to c:\ or to e:\ only to e:\data. So what we
>> >> want
>> >> is that if a user put's a file on e:\data it should be encrypted but
>> >> he
>> >> should not have the option to decrypt the files on e:\data. We always
>> >> want
>> >> to keep the files encrypted.
>> >>
>> >> Ludo
>> >>
>> >> "Steve Riley [MSFT]" wrote:
>> >>
>> >>> Why do you need all users to encrypt all files? What threats are you
>> >>> trying
>> >>> to mitigate? Do they use laptops (where encryption is good, and I
>> >>> prefer
>> >>> BitLocker for this) or desktops? Tell us more.
>> >>>
>> >>> --
>> >>> Steve Riley
>> >>> steve.riley@microsoft.com
>> >>> http://blogs.technet.com/steriley
>> >>> http://www.protectyourwindowsnetwork.com
>> >>>
>> >>>
>> >>>
>> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
>> >>> > Hi Daniel,
>> >>> >
>> >>> > I agree but how can I force my users to encrypt always there files
>> >>> > ?
>> >>> >
>> >>> >
>> >>> >
>> >>> > "Daniel Petri <MVP>" wrote:
>> >>> >
>> >>> >> A folder CANNOT be encrypted with EFS. Only files can.
>> >>> >>
>> >>> >> In any case, what's the point behind ENCRYPTING something (with
>> >>> >> EFS
>> >>> >> in
>> >>> >> this
>> >>> >> case), if ANY user can remove the encryption??? Do you see a logic
>> >>> >> here?
>> >>> >> I
>> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and
>> >>> >> you'll
>> >>> >> see
>> >>> >> that
>> >>> >> only the original user and the Recovery Agent can decrypt the
>> >>> >> file.
>> >>> >>
>> >>> >> --
>> >>> >> Sincerely,
>> >>> >>
>> >>> >> Daniel Petri
>> >>> >> MVP, Senior IT consultant, trainer
>> >>> >> www.petri.co.il
>> >>> >>
>> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
>> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
>> >>> >> > Hi,
>> >>> >> >
>> >>> >> > We have the following problem : we created on a partition a
>> >>> >> > folder
>> >>> >> > called
>> >>> >> > data which has been encrypted with EFS. We always want to keep
>> >>> >> > that
>> >>> >> > folder
>> >>> >> > encrypted.
>> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
>> >>> >> > Attributes'
>> >>> >> > button under the folder properties.
>> >>> >> >
>> >>> >> > Question : Is there a way that we can disable that 'Advanced
>> >>> >> > Attributes'
>> >>> >> > button in such a way that the folder stays encrypted with EFS ?
>> >>> >> >
>> >>> >>
>> >
 
L

Lpoffe

Thanks Steve will give it a tray.

"Steve Riley [MSFT]" wrote:

> What kind of data loss? Do you mean theft of a laptop? If so, then BitLocker
> is better suited to this, so perhaps you can accelerate your upgrade plans.
>
> Properly configured, EFS can also be used to mitigate this threat, but it's
> more work. Follow the guidance in the Data Encryption Toolkit for Mobile PCs
> (search our web site for it).
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> news:A7D84739-425E-4712-9B6B-086EC6F9D773@microsoft.com...
> > Hi,
> > We have more than 10.000 clients and the idea is to migrate to Vista in
> > 2010, so that we can use bitlocker. Meantime management request that we
> > protect the data on our laptops, against data lost and if possible
> > encrypted
> > and without spending money...
> > Therefore I is was thinking to implement EFS but then users should not
> > have
> > the option to decrypt files...
> >
> > Ludo
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Daniel is correct. Until you can define which threats you want to
> >> mitigate,
> >> then you really can't design an appropriate encryption process.
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message
> >> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...
> >> > Sorry for asking, but what will they gain from this? If the laptop is
> >> > stolen, are they aware of the fact that unless it's encrypted with
> >> > BitLocker, it's most likely that the content of e:\data will be stolen
> >> > as
> >> > well? Are they using some sort of Smart Cards or other method of
> >> > authentication?
> >> >
> >> > Unless something really sophisticated is going on that we're not aware
> >> > of,
> >> > I'd suggest that you review your requirements, and that you ask a good
> >> > security expert to help you design your security solutions.
> >> >
> >> > --
> >> > Sincerely,
> >> >
> >> > Daniel Petri
> >> > MVP, Senior IT consultant, trainer
> >> > www.petri.co.il
> >> >
> >> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...
> >> >> Hi Steve,
> >> >>
> >> >> I also prefer Bitlocker but if you can convince my management to move
> >> >> on
> >> >> to
> >> >> Vista ...
> >> >> Unless there is Bitlocker version for XP.
> >> >>
> >> >> So what my management is requesting for our laptop users : keep win
> >> >> XP,
> >> >> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
> >> >> Users don't have access to c:\ or to e:\ only to e:\data. So what we
> >> >> want
> >> >> is that if a user put's a file on e:\data it should be encrypted but
> >> >> he
> >> >> should not have the option to decrypt the files on e:\data. We always
> >> >> want
> >> >> to keep the files encrypted.
> >> >>
> >> >> Ludo
> >> >>
> >> >> "Steve Riley [MSFT]" wrote:
> >> >>
> >> >>> Why do you need all users to encrypt all files? What threats are you
> >> >>> trying
> >> >>> to mitigate? Do they use laptops (where encryption is good, and I
> >> >>> prefer
> >> >>> BitLocker for this) or desktops? Tell us more.
> >> >>>
> >> >>> --
> >> >>> Steve Riley
> >> >>> steve.riley@microsoft.com
> >> >>> http://blogs.technet.com/steriley
> >> >>> http://www.protectyourwindowsnetwork.com
> >> >>>
> >> >>>
> >> >>>
> >> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...
> >> >>> > Hi Daniel,
> >> >>> >
> >> >>> > I agree but how can I force my users to encrypt always there files
> >> >>> > ?
> >> >>> >
> >> >>> >
> >> >>> >
> >> >>> > "Daniel Petri <MVP>" wrote:
> >> >>> >
> >> >>> >> A folder CANNOT be encrypted with EFS. Only files can.
> >> >>> >>
> >> >>> >> In any case, what's the point behind ENCRYPTING something (with
> >> >>> >> EFS
> >> >>> >> in
> >> >>> >> this
> >> >>> >> case), if ANY user can remove the encryption??? Do you see a logic
> >> >>> >> here?
> >> >>> >> I
> >> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and
> >> >>> >> you'll
> >> >>> >> see
> >> >>> >> that
> >> >>> >> only the original user and the Recovery Agent can decrypt the
> >> >>> >> file.
> >> >>> >>
> >> >>> >> --
> >> >>> >> Sincerely,
> >> >>> >>
> >> >>> >> Daniel Petri
> >> >>> >> MVP, Senior IT consultant, trainer
> >> >>> >> www.petri.co.il
> >> >>> >>
> >> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message
> >> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...
> >> >>> >> > Hi,
> >> >>> >> >
> >> >>> >> > We have the following problem : we created on a partition a
> >> >>> >> > folder
> >> >>> >> > called
> >> >>> >> > data which has been encrypted with EFS. We always want to keep
> >> >>> >> > that
> >> >>> >> > folder
> >> >>> >> > encrypted.
> >> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
> >> >>> >> > Attributes'
> >> >>> >> > button under the folder properties.
> >> >>> >> >
> >> >>> >> > Question : Is there a way that we can disable that 'Advanced
> >> >>> >> > Attributes'
> >> >>> >> > button in such a way that the folder stays encrypted with EFS ?
> >> >>> >> >
> >> >>> >>
> >> >
 
You must log in or register to reply here.

Similar threads

E
Cant decrypt my game folder
Replies
0
Views
28
erfan hosseini
E
S
Cannot open some files on USB drive. Need to change permissions.
Replies
0
Views
21
Sandusky Baptist Church
S
K
Decrypting files from a rebooted computer?
Replies
0
Views
47
Kimberly HQ
K
C
How to set Folder permission on Windows Exchange Server 2016
Replies
0
Views
25
CCC_5544
C
D
I need to access my WindowsApps folder that is stored on a external hardrive.
Replies
0
Views
47
Daniel Erby
D
Back
Top Bottom