It is good that you hold a sane attitude toward the strictures you
seek over the admins actions. Basically, at some level you must
place trust in the persons you empower to run the IT infrastructure.
The best advice I can give to you is to hire a quality, relative to
Windows and this aspect of security in it, IT consultant to set
this up for you and to show you the few critical watch points.
That might be a hard sell, both cost wise and with regards to
your current IT staff's feelings. On the other hand, it would make
clear to them that you are indeed serious about this, and enabled;
plus, staff come and go, so you would be set in the face of future
There are a few issues you are facing.
First, to be clear, EFS allows for one account (initial encryptor) to
transparently access an encrypted file, for access by the recovery
agent (DRA) if one is defined, and then also for other accounts to
have the same transparent access if the initial encryptor takes manual
action to allow this (and that granted account can then do the same,
allowing further accounts).
So, you said you want a hands-free, so to speak, solution; and you
also indicated you need for two individuals to have access.
Either the CFO would need to make sure to remember to grant the
CEO access (a manual step you want to avoid), or for the EFS docs
the two of them would need to use a shared account, or one of them
would need to be the DRA. It might make sense in your case for the
CEO's account to be the DRA, which would mean that nothing could
be stored in the IT infrastructure with EFS that would be inaccessible
to that account. If the administrator could get the password of that
account (not set, but get it as it is) then the water has passed through
the sieve. If the administrator set the password the true owner of
that account would, I would hope, notice that their password was
not as it should be. If the admin cracked the dumped password
hashes, and the account's password was not very strong, they would
have access to all and it would look like the access was done by the
owner of that account.
Anyway, yes, any NTFS area of storage can be audited. This can
be set up for all types of accesses, successful and/or failed, by any
account or by only some defined groups of accounts.
Administrators can clear event logs where these audit records
are written, but that clearing causes an event to be written into the
cleared log. If no one is watching the logs the auditing is close to
useless. Auditing can be very verbose. One needs to have auditing
defined so it generates what is of interest but a minimum of other,
by only auditing what parts of the filesystem really need the coverage.
The DRA is defined by having its cert available in the system. To
decrypt an encrypted file the matching key needs to be available.
It is this part, the key, that must be kept out of the hands of the
admin. Any account into which the key is imported can function
as DRA, and hence access any EFS encrypted file.
A normal use would be to have a DRA defined, to have the
cert/key saved safely, such as on some CDs locked away.
There would be no account with the key imported into it.
That would happen only when there was need to recover some
otherwise inaccessible EFS encrypted files.
This is getting long already and we still have not looked at issues
related to the config of the storage server to support remote EFS
file storage, safe transfer over the network, the types of profiles
used by the domain accounts, monitoring the storage area to make
sure no one has unset the requirement on the folders that files stored
in them will be encrypted (or changed the auditing settings for that
Perhaps that indicates why I suggested hiring a quality consultant.
It is really not that hard to set up, but it surely is involved to try to
explain the main aspects and (what I mostly focused on) the in use
vulnerabilities to breach of the privacy you would believe is in effect.
In the final analysis, Karl's suggestions, although rejected by yourself
as needing manual actions, may be the shortest route for maintaining
a relatively small amount of data.
It is quite ironic, Microsoft released a free tool that would have been
just about exactly what you are after, back in July, call Private Folders,
but corps pretty much forced MS to withdraw it in almost no time.
Go figure ey?
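As an added, defender-side illustration of the points made above (narrow NTFS auditing, watching for the log-cleared event, keeping the DRA key out of any account on the server, and checking that the encrypt flag is still set on the folders), here is a PowerShell script. It is not code from the thread or from Microsoft; the folder path and group name are placeholders, it assumes an elevated PowerShell session on the file server, and 4663 events are only produced if Object Access auditing is enabled in the audit policy.

```powershell
# Added example, not from the original thread. Placeholders: C:\Shares\Exec, CORP\Executives.
# Run elevated on the file server; Object Access auditing must be on for 4663 to appear.

# 1. Audit only the folder that needs coverage, for one group, so the log stays readable.
function Set-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'CORP\Executives'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Pull object-access records (4663) for that folder and any "audit log was cleared" record (1102).
function Get-FolderAccessEvents {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4663, 1102; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        if ($e.Id -eq 1102) {
            # Clearing the log cannot remove this record; treat it as an alert on its own.
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = 'SecurityLogCleared'
                Account = $xml.Event.UserData.LogFileCleared.SubjectUserName
                Object  = $null
            }
            continue
        }
        $data   = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = 'ObjectAccess'
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
            }
        }
    }
}

# 3. Any certificate with the EFS "File Recovery" EKU *and* a private key makes that
#    account a working DRA. Checks the machine store and the current user's store only;
#    other profiles on the server must be checked from their own sessions.
function Find-RecoveryAgentPrivateKeys {
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object {
            $eku = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $eku -and ($eku.EnhancedKeyUsages.Value -contains $fileRecoveryOid) -and $_.HasPrivateKey
        } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

# 4. The folder's Encrypted attribute is what makes new files inside it EFS-encrypted;
#    report if it has been unset, and list any file in the tree that is stored in clear.
function Test-EncryptedFolder {
    param([Parameter(Mandatory)] [string] $Path)
    $flag = [System.IO.FileAttributes]::Encrypted
    $folderOk = [bool]((Get-Item -Path $Path).Attributes -band $flag)
    $clearFiles = Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band $flag) } |
        Select-Object -ExpandProperty FullName
    [pscustomobject]@{ Path = $Path; FolderFlagSet = $folderOk; UnencryptedFiles = $clearFiles }
}

# Example run (placeholders):
# Set-FolderAuditRule -Path 'C:\Shares\Exec' -Identity 'CORP\Executives'
# Get-FolderAccessEvents -Path 'C:\Shares\Exec' -Hours 48 | Format-Table -AutoSize
# Find-RecoveryAgentPrivateKeys
# Test-EncryptedFolder -Path 'C:\Shares\Exec'
```

Scheduling the last three calls and mailing any 1102 record, any recovery-agent private key found on the server, or any folder with the flag unset addresses the "if no one is watching the logs" problem without having to read the raw audit trail.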
Post by email@example.com
And I've just discovered that the administrator still has access to the
Is there a logging agent on an AD file server? I would be happy to use
EFS if I could just review logs... This way I could have the employee
sign a declaration stating they will not access employee data and also
state that we are able to monitor this...
I really just want to protect files against trusted users... I'm not
looking for a water tight solution that no-one can break - I just want
a) the administrator is clear that they will be reprimanded if caught
snooping through employee folders & files (mainly the CEO & CFO)
b) there is basic encryption meaning the administrator can't just
double click and view any files..
I know if someone wants access, and they know what they are doing, then
they will end up getting it but I would like to think I can place some
trust in the employee not to do that...
Post by Roger Abell [MVP]
Post by firstname.lastname@example.org
I guess my problem lies in the fact that I need a solution that is easy
to use or the people that I need the most support from (managers &
directors) won't use it and won't support it...
If they are required to encrypt every file before transferring to the
file server using a cumbersome program then they will just not do it...
1. Save the file on server
2. Right click to activate encryption
And the files need to be re-accessible by a simple double click and
then a password prompt.
Microsoft EFS is the best solution I have seen but it is not activated
on AD yet and the administrator was a little hesitant to allow user
access to this facility...
I might have a look into PGP...
- Folder Security Guard
- Hide Folders
- Folder Password
- Universal Shield
All had their advantages but none worked over a network on a file
Thanks for the feedback
EFS can come close to what you outline as a need, if your environment
is correctly set up to use it in a remote scenario. However, depending on
your situation the file may be unencrypted while on the wire, and in order
to meet the requirement that no one except the doc owner can access it
while on the server tight control would have to be taken over the EFS
default recovery agent (or, again depending on your environment, over
key escrow, etc.).