9/27/2005 -- Many administrators and companies have steered clear of the Encrypting File System (EFS) because of the limited feature set of the Windows 2000 implementation. Although EFS has excellent potential, these restrictions ruled it out of most companies' arsenals for helping to protect data stored on servers and client computers. The main restriction of EFS was that only a single user could have access to the encrypted data.
This limitation has been overcome with Windows XP and Server 2003, putting EFS back on the radar as a viable solution to help protect data as it sits on the hard drive. Here's a quick overview of what to expect from Multi-User EFS and how to implement it.
Leveraging Multi-user Access to Encrypted Files
Both Windows XP and Windows Server 2003 computers can give multiple users access to encrypted files. This is accomplished by configuring the encrypted file to reference multiple user certificates stored in the certificate store, as you can see in Figure 1, below. (Note: You can only add multiple user certificates at the file level, not the folder level.)
Figure 1: Additional users can be added if their EFS certificate is in the certificate store.
If you attempt to view the certificates that are available from your encrypted file, you might find that there are no other user certificates in the list. To get other certificates into the list, you must first create the EFS certificate for the user, then import that certificate into the certificate store on the computer where the encrypted file is stored (or import it into Active Directory, where the EFS certificate can be referenced by all users in the domain).
Autoenrolling EFS Certificates
If you have a Windows Server 2003 Active Directory and have a Certificate Authority installed, you can deploy EFS certificates to users seamlessly. Deploying EFS certificates to all users enables you to configure multi-user EFS access for any user in the Active Directory.
To successfully deploy EFS certificates, follow these steps:
1. Duplicate the User template using the Certificate Templates snap-in.
2. Ensure the "Publish Certificate in Active Directory" check box is selected.
3. Ensure that Domain Users have the permission to Autoenroll and Enroll the certificate template.
4. Configure the CA to issue the new certificate.
5. Create and configure a new Group Policy Object to affect all users that need to receive the EFS certificate.
Now, when these affected users log on, or GPOs refresh, they will automatically enroll for their EFS certificate. This certificate will be placed in their local certificate store and in Active Directory.
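After the deployment above, the practical check is whether a given user's EFS certificate actually exists in the local certificate store (so it appears in the file's user list) and was published to Active Directory (step 2). The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the "Encrypting File System" enhanced key usage OID 1.3.6.1.4.1.311.10.3.4, a sample account name 'alice', and that the EFS "Add user" dialog draws from the Personal and Other People stores plus AD.

```powershell
# Added example: verify EFS certificates are where multi-user EFS expects them.
# Assumption: EFS certificates carry this enhanced key usage OID.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsEku {
    # Returns $true if the certificate's EKU extension lists the EFS OID.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-LocalEfsCertificate {
    # Lists EFS certificates in the stores the "Add user" dialog reads:
    # Personal (My) and Other People (AddressBook). Assumed store names.
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook'))
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { Test-EfsEku $_ } |
            Select-Object @{n='Store';e={$path}}, Subject, Thumbprint, NotAfter, HasPrivateKey
    }
}

function Get-AdPublishedEfsCertificate {
    # Reads the userCertificate attribute of a domain account and returns only
    # the EFS certificates, i.e. what "Publish Certificate in Active Directory" produced.
    param([string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { return }
    foreach ($raw in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if (Test-EfsEku $cert) { $cert | Select-Object Subject, Thumbprint, NotAfter }
    }
}

# Sample usage (account name is a constructed placeholder).
Get-LocalEfsCertificate | Format-Table -AutoSize
Get-AdPublishedEfsCertificate -SamAccountName 'alice' | Format-Table -AutoSize
```

An empty result from the local store explains the "no other user certificates" symptom; an empty AD result means the template's publish setting or the autoenrollment GPO has not taken effect yet.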
Final Thoughts
With the limitation of only a single user having access to encrypted files, EFS was not an option for most companies. However, Windows XP and Windows Server 2003 eliminate this restriction, allowing multiple users to have access to the same encrypted file. There are some additional steps you need to take to get the EFS certificates created and into the correct certificate store, but this is a small price to pay for the power of multi-user access to encrypted files.
If you want to get more information on how EFS works under the hood or how to work with certificate templates, search in Microsoft's Help and Support Center on "autoenroll user certificate."