|
Posted by =?Utf-8?B?THBvZmZl?= on June 26, 2008, 1:20 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hi,
We have more than 10.000 clients and the idea is to migrate to Vista in
2010, so that we can use bitlocker. Meantime management request that we
protect the data on our laptops, against data lost and if possible encrypted
and without spending money...
Therefore I is was thinking to implement EFS but then users should not have
the option to decrypt files...
Ludo
"Steve Riley [MSFT]" wrote:
> Daniel is correct. Until you can define which threats you want to mitigate,
> then you really can't design an appropriate encryption process.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> > Sorry for asking, but what will they gain from this? If the laptop is
> > stolen, are they aware of the fact that unless it's encrypted with
> > BitLocker, it's most likely that the content of e:\data will be stolen as
> > well? Are they using some sort of Smart Cards or other method of
> > authentication?
> >
> > Unless something really sophisticated is going on that we're not aware of,
> > I'd suggest that you review your requirements, and that you ask a good
> > security expert to help you design your security solutions.
> >
> > --
> > Sincerely,
> >
> > Daniel Petri
> > MVP, Senior IT consultant, trainer
> > www.petri.co.il
> >
> >> Hi Steve,
> >>
> >> I also prefer Bitlocker but if you can convince my management to move on
> >> to
> >> Vista ...
> >> Unless there is Bitlocker version for XP.
> >>
> >> So what my management is requesting for our laptop users : keep win XP,
> >> create a second partition (e:\ drive) and a folder 'data'. (e:\data)
> >> Users don't have access to c:\ or to e:\ only to e:\data. So what we
> >> want
> >> is that if a user put's a file on e:\data it should be encrypted but he
> >> should not have the option to decrypt the files on e:\data. We always
> >> want
> >> to keep the files encrypted.
> >>
> >> Ludo
> >>
> >> "Steve Riley [MSFT]" wrote:
> >>
> >>> Why do you need all users to encrypt all files? What threats are you
> >>> trying
> >>> to mitigate? Do they use laptops (where encryption is good, and I prefer
> >>> BitLocker for this) or desktops? Tell us more.
> >>>
> >>> --
> >>> Steve Riley
> >>> steve.riley@microsoft.com
> >>> http://blogs.technet.com/steriley
> >>> http://www.protectyourwindowsnetwork.com
> >>>
> >>>
> >>>
> >>> > Hi Daniel,
> >>> >
> >>> > I agree but how can I force my users to encrypt always there files ?
> >>> >
> >>> >
> >>> >
> >>> > "Daniel Petri <MVP>" wrote:
> >>> >
> >>> >> A folder CANNOT be encrypted with EFS. Only files can.
> >>> >>
> >>> >> In any case, what's the point behind ENCRYPTING something (with EFS
> >>> >> in
> >>> >> this
> >>> >> case), if ANY user can remove the encryption??? Do you see a logic
> >>> >> here?
> >>> >> I
> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll
> >>> >> see
> >>> >> that
> >>> >> only the original user and the Recovery Agent can decrypt the file.
> >>> >>
> >>> >> --
> >>> >> Sincerely,
> >>> >>
> >>> >> Daniel Petri
> >>> >> MVP, Senior IT consultant, trainer
> >>> >> www.petri.co.il
> >>> >>
> >>> >> > Hi,
> >>> >> >
> >>> >> > We have the following problem : we created on a partition a folder
> >>> >> > called
> >>> >> > data which has been encrypted with EFS. We always want to keep
> >>> >> > that
> >>> >> > folder
> >>> >> > encrypted.
> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced
> >>> >> > Attributes'
> >>> >> > button under the folder properties.
> >>> >> >
> >>> >> > Question : Is there a way that we can disable that 'Advanced
> >>> >> > Attributes'
> >>> >> > button in such a way that the folder stays encrypted with EFS ?
> >>> >> >
> >>> >>
> >
| 
XML site map