
For a proof of concept I am building a server which will host 2 users.

Both users are local admin, and both users are domain users.

User1 will encrypt the files with EFS so he can get transparent access.

Is it possible for User2 to get access to those files?

If so, are there other ways to prevent access to those files?

Thanks!

Anemoia

2 Answers


No.

  • EFS encryption doesn't occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. If a folder is marked for encryption, every file created in or moved to the folder will be encrypted. Applications don't have to understand EFS or manage EFS-encrypted files any differently than unencrypted files. If a user attempts to open a file and possesses the key to do so, the file opens without additional effort on the user's part. If the user doesn't possess the key, they receive an "Access denied" error message.

  • File encryption uses a symmetric key, which is then itself encrypted with the public key of a public key encryption pair. The related private key must be available in order for the file to be decrypted. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file may be recoverable. If key archival has been implemented, then the key may be recovered, and the file decrypted. If not, the file may be lost. EFS is an excellent file encryption system—there is no "back door."

Sort of.

  • EFS keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user and decrypt that user's files. Therefore, a strong password policy as well as strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files.

  • EFS-encrypted files don't remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext, and, if saved to a folder on the local drive that's marked for encryption, is encrypted locally. EFS-encrypted files can remain encrypted while traversing the network if they're being saved to a Web folder using WebDAV. This method of remote storage isn't available for Windows 2000.

Yes.

Rubber hose cryptography.

HopelessN00b
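The answer above explains that a file's key is held by the encrypting user's certificate and, if one exists, by a recovery agent's. The following PowerShell script is an added example (not part of the original answer) that audits a folder for EFS-encrypted files and reports, per file, which identities hold a copy of the key, using the built-in `cipher.exe /c`. It assumes Windows Vista / Server 2008 or later with English `cipher.exe` output, and `C:\Data` is a hypothetical folder used only for illustration.

```powershell
# Added example (not from the original post): list who can decrypt each EFS file
# under a folder. cipher.exe /c prints the "Users who can decrypt:" and
# "Recovery Certificates:" sections for an encrypted file; this parses them.
# Assumes English cipher.exe output (section header text is locale-specific).
function Get-EfsDecryptors {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            $lines   = & cipher.exe /c $_.FullName 2>&1 | ForEach-Object { "$_".Trim() }
            $users   = @()
            $agents  = @()
            $section = $null
            foreach ($line in $lines) {
                if     ($line -match '^Users who can decrypt:') { $section = 'users';  continue }
                elseif ($line -match '^Recovery Certificates:') { $section = 'agents'; continue }
                elseif ($line -eq '')                           { $section = $null;    continue }
                elseif ($line -match '^Certificate thumbprint') { continue }  # keep identity lines only
                if     ($section -eq 'users')  { $users  += $line }
                elseif ($section -eq 'agents') { $agents += $line }
            }
            [pscustomobject]@{
                File           = $_.FullName
                Users          = $users
                RecoveryAgents = $agents
                # More than one user, or any recovery agent, means an identity other
                # than the encrypting user holds a key to this file.
                OthersHoldKey  = ($users.Count -gt 1) -or ($agents.Count -gt 0)
            }
        }
}

# Example run on a hypothetical folder: show files that someone besides the
# encrypting user could open, and who that is.
Get-EfsDecryptors -Root 'C:\Data' | Where-Object OthersHoldKey | Format-List
```

Run it as the user who encrypted the files; `cipher /c` still lists the key holders when run by another account, but file enumeration needs read access to the folder tree.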

I can't believe this answer has been up-voted, without anyone correcting it.

YES. EFS on Server 2008 R2 supports multiple users accessing an encrypted file.

http://windowsitpro.com/security/efs-and-encrypted-file-sharing

frank419
  • I think the sense of the answer is whether User2 can access the files without authorization, not whether it is possible to share files with another user. – ThoriumBR Oct 09 '14 at 14:42
  • Your point is understood, but I personally understood the OP's question to imply "without the owner intentionally sharing access". – squillman Oct 09 '14 at 14:43
  • I see that, but the title of the post is about gaining access to other people's encrypted files. To me it seems OP wants to protect the files, but also allow multi-user access. Edit: I see the context I may be missing now. He wants to know if another admin will be able to access the encrypted file without his permission. I assumed he wanted to grant permission. – frank419 Oct 09 '14 at 14:52