Re: EFS, Active Setup and Desktop Folder by Al
Al
Mon Sep 17 19:02:53 PDT 2007
"MikeD" <MikeD@discussions.microsoft.com> wrote in message
news:BD43DA69-F863-4EDB-A7BE-4235E7FC4AF0@microsoft.com...
> Al,
>
> Thanks for your reply. Requirement: My Security organization has deemed
> the Desktop Folder as a critical location where users can place work
> files. As such, they have determined that the Desktop Folder and its
> contents must be encrypted with EFS. So the question remains as to how I
> can accomplish this task. If the user tries to encrypt the Desktop Folder,
> they receive an error that it is in use. If I try to do it using a script
> in Active Setup it works sometimes, not every time as I would expect.

Unless CPAWEL@gmail.com's suggestion works for you or you find some other
solution, I would respectfully suggest that there is very little value in
having a security organization dictate technical solutions which are not
possible. Next they will be telling you that it is a requirement that nobody
ever share their password with anyone else, and that a technical solution
needs to be found to that problem.

I would also ask if your security department was actually evaluating the
risk, or just trying to avoid it regardless of the risk and the cost.

On XP, each user's desktop folder is generally protected against access by
others through NTFS permissions. I acknowledge that that may not be as
strong a protection as full encryption would be, but what attack mechanisms
are they concerned with?

If the workstations are in areas that are physically restricted against
access by the unauthorized, and/or if the premises are watched by cameras,
for example, and if the user community is generally considered to be
reliable, then NTFS protection might suffice. This works for us, along with
a policy that corporate data is not supposed to be stored on local hard
drives because these are not backed up.

/Al

> "Al Dunbar" wrote:
>
>>
>> "MikeD" <MikeD@discussions.microsoft.com> wrote in message
>> news:7155D51F-7B4B-4859-A6B3-A34980CCCF91@microsoft.com...
>> > I have a requirement to Encrypt the Desktop Folder. Since it is Locked
>> > Open I cannot do so via normal mechanisms. I have written a VB script
>> > that I run during Active Setup to mark the Folder for encryption and to
>> > Encrypt its files and sub-Folders. The script works about 70% of the
>> > time. The result is that the Files under Desktop get encrypted at the
>> > time the script runs, but the Desktop Folder itself does not have the
>> > attribute set. So new Files added to the Desktop Folder are not
>> > encrypted. Is there some sample code out there to help me on my way? I
>> > need to prevent the Desktop Folder from getting locked, then Mark it for
>> > Encryption, then continue on with the user login process. I thought
>> > Active Setup would do this, but apparently, it doesn't seem to work
>> > every time. I am hoping there is something explicit I can do in my code
>> > to handle this. Thanks for your help.
>>
>> I suspect that there may be a technical reason why the desktop folder
>> itself cannot be encrypted, based perhaps on whether or not EFS itself is
>> available at the point when the desktop is activated. If so, then what
>> you see as a "requirement" may be a misinterpretation of what your actual
>> requirement is. Perhaps if you were to explain why you feel this is a
>> requirement, someone here may suggest a suitable alternative that falls
>> outside of the "impossible" zone.
>>
>> /Al
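
An added example, not part of the original thread or any poster's code: a read-only PowerShell audit that reports whether the Desktop folder itself carries the EFS attribute and which items under it are unencrypted, which makes the intermittent result described in the thread (files encrypted, folder not marked) visible per machine. The function name and status strings are hypothetical, and the script assumes it runs in the user's own session against a local, non-redirected Desktop.

```powershell
# Added example (not from the thread). Read-only audit of EFS state under a
# user's Desktop. Function name and status strings are hypothetical.
$Encrypted = [int][System.IO.FileAttributes]::Encrypted
$System    = [int][System.IO.FileAttributes]::System

function Get-DesktopEfsReport {
    param(
        # Assumption: the Desktop is local and has not been redirected.
        [string]$Desktop = [Environment]::GetFolderPath('DesktopDirectory')
    )

    # The folder's own attribute decides whether NEW files are encrypted
    # when they are created there.
    $folderAttrs  = [int][System.IO.File]::GetAttributes($Desktop)
    $folderMarked = ($folderAttrs -band $Encrypted) -ne 0

    # Existing files and subfolders that do not carry the Encrypted attribute.
    $plain = @(
        Get-ChildItem -LiteralPath $Desktop -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $a = [int]$_.Attributes
                # EFS does not encrypt files carrying the System attribute
                # (desktop.ini usually does), so they are not findings.
                (($a -band $Encrypted) -eq 0) -and (($a -band $System) -eq 0)
            } |
            ForEach-Object { $_.FullName }
    )

    # 'FolderNotMarked' with an empty Unencrypted list is the state the
    # thread describes: current files protected, future files not.
    if (-not $folderMarked)     { $status = 'FolderNotMarked' }
    elseif ($plain.Count -gt 0) { $status = 'UnencryptedItems' }
    else                        { $status = 'Compliant' }

    New-Object PSObject -Property @{
        Desktop      = $Desktop
        FolderMarked = $folderMarked
        Status       = $status
        Unencrypted  = $plain
    }
}

Get-DesktopEfsReport | Format-List
```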