Advanced Atrributes Tab under folder properties

>> http://blogs.technet.com/steriley

>

> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

> > Hi Daniel,

> >

> > I agree but how can I force my users to encrypt always there files ?

> >

> > "Daniel Petri <MVP>" wrote:

> >

> >> A folder CANNOT be encrypted with EFS. Only files can.

> >>

> >> In any case, what's the point behind ENCRYPTING something (with EFS in

> >> this

> >> case), if ANY user can remove the encryption??? Do you see a logic here?

> >> I

> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll see

> >> that

> >> only the original user and the Recovery Agent can decrypt the file.

> >>

> >> --

> >> Sincerely,

> >>

> >> Daniel Petri

> >> MVP, Senior IT consultant, trainer

> >> www.petri.co.il

> >>

> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

> >> > Hi,

> >> >

> >> > We have the following problem : we created on a partition a folder

> >> > called

> >> > data which has been encrypted with EFS. We always want to keep that

> >> > folder

> >> > encrypted.

> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

> >> > Attributes'

> >> > button under the folder properties.

> >> >

> >> > Question : Is there a way that we can disable that 'Advanced

> >> > Attributes'

> >> > button in such a way that the folder stays encrypted with EFS ?

> >> >

> >>

June 25, 2008

Sorry for asking, but what will they gain from this? If the laptop is

stolen, are they aware of the fact that unless it's encrypted with

BitLocker, it's most likely that the content of e:\data will be stolen as

well? Are they using some sort of Smart Cards or other method of

authentication?

Unless something really sophisticated is going on that we're not aware of,

I'd suggest that you review your requirements, and that you ask a good

security expert to help you design your security solutions.

--

Sincerely,

Daniel Petri

MVP, Senior IT consultant, trainer

www.petri.co.il

"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...

> Hi Steve,

>

> I also prefer Bitlocker but if you can convince my management to move on

> to

> Vista ...

> Unless there is Bitlocker version for XP.

>

> So what my management is requesting for our laptop users : keep win XP,

> create a second partition (e: drive) and a folder 'data'. (e:data)

> Users don't have access to c: or to e: only to e:data. So what we want

> is that if a user put's a file on e:data it should be encrypted but he

> should not have the option to decrypt the files on e:data. We always

> want

> to keep the files encrypted.

>

> Ludo

>

> "Steve Riley [MSFT]" wrote:

>

>> Why do you need all users to encrypt all files? What threats are you

>> trying

>> to mitigate? Do they use laptops (where encryption is good, and I prefer

>> BitLocker for this) or desktops? Tell us more.

>>

>> --

>> Steve Riley

>> steve.riley@microsoft.com

>> http://www.protectyourwindowsnetwork.com

>>

>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

>> > Hi Daniel,

>> >

>> > I agree but how can I force my users to encrypt always there files ?

>> >

>> > "Daniel Petri <MVP>" wrote:

>> >

>> >> A folder CANNOT be encrypted with EFS. Only files can.

>> >>

>> >> In any case, what's the point behind ENCRYPTING something (with EFS in

>> >> this

>> >> case), if ANY user can remove the encryption??? Do you see a logic

>> >> here?

>> >> I

>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll

>> >> see

>> >> that

>> >> only the original user and the Recovery Agent can decrypt the file.

>> >>

>> >> --

>> >> Sincerely,

>> >>

>> >> Daniel Petri

>> >> MVP, Senior IT consultant, trainer

>> >> www.petri.co.il

>> >>

>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

>> >> > Hi,

>> >> >

>> >> > We have the following problem : we created on a partition a folder

>> >> > called

>> >> > data which has been encrypted with EFS. We always want to keep that

>> >> > folder

>> >> > encrypted.

>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

>> >> > Attributes'

>> >> > button under the folder properties.

>> >> >

>> >> > Question : Is there a way that we can disable that 'Advanced

>> >> > Attributes'

>> >> > button in such a way that the folder stays encrypted with EFS ?

>> >> >

>> >>

June 25, 2008

Daniel is correct. Until you can define which threats you want to mitigate,

then you really can't design an appropriate encryption process.

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message

news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...

> Sorry for asking, but what will they gain from this? If the laptop is

> stolen, are they aware of the fact that unless it's encrypted with

> BitLocker, it's most likely that the content of e:data will be stolen as

> well? Are they using some sort of Smart Cards or other method of

> authentication?

>

> Unless something really sophisticated is going on that we're not aware of,

> I'd suggest that you review your requirements, and that you ask a good

> security expert to help you design your security solutions.

>

> --

> Sincerely,

>

> Daniel Petri

> MVP, Senior IT consultant, trainer

> www.petri.co.il

>

> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...

>> Hi Steve,

>>

>> I also prefer Bitlocker but if you can convince my management to move on

>> to

>> Vista ...

>> Unless there is Bitlocker version for XP.

>>

>> So what my management is requesting for our laptop users : keep win XP,

>> create a second partition (e: drive) and a folder 'data'. (e:data)

>> Users don't have access to c: or to e: only to e:data. So what we

>> want

>> is that if a user put's a file on e:data it should be encrypted but he

>> should not have the option to decrypt the files on e:data. We always

>> want

>> to keep the files encrypted.

>>

>> Ludo

>>

>> "Steve Riley [MSFT]" wrote:

>>

>>> Why do you need all users to encrypt all files? What threats are you

>>> trying

>>> to mitigate? Do they use laptops (where encryption is good, and I prefer

>>> BitLocker for this) or desktops? Tell us more.

>>>

>>> --

>>> Steve Riley

>>> steve.riley@microsoft.com

>>> http://blogs.technet.com/steriley

>>> http://www.protectyourwindowsnetwork.com

>>>

>>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

>>> > Hi Daniel,

>>> >

>>> > I agree but how can I force my users to encrypt always there files ?

>>> >

>>> > "Daniel Petri <MVP>" wrote:

>>> >

>>> >> A folder CANNOT be encrypted with EFS. Only files can.

>>> >>

>>> >> In any case, what's the point behind ENCRYPTING something (with EFS

>>> >> in

>>> >> this

>>> >> case), if ANY user can remove the encryption??? Do you see a logic

>>> >> here?

>>> >> I

>>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll

>>> >> see

>>> >> that

>>> >> only the original user and the Recovery Agent can decrypt the file.

>>> >>

>>> >> --

>>> >> Sincerely,

>>> >>

>>> >> Daniel Petri

>>> >> MVP, Senior IT consultant, trainer

>>> >> www.petri.co.il

>>> >>

>>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

>>> >> > Hi,

>>> >> >

>>> >> > We have the following problem : we created on a partition a folder

>>> >> > called

>>> >> > data which has been encrypted with EFS. We always want to keep

>>> >> > that

>>> >> > folder

>>> >> > encrypted.

>>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

>>> >> > Attributes'

>>> >> > button under the folder properties.

>>> >> >

>>> >> > Question : Is there a way that we can disable that 'Advanced

>>> >> > Attributes'

>>> >> > button in such a way that the folder stays encrypted with EFS ?

>>> >> >

>>> >>

>

June 26, 2008

Hi,

We have more than 10.000 clients and the idea is to migrate to Vista in

2010, so that we can use bitlocker. Meantime management request that we

protect the data on our laptops, against data lost and if possible encrypted

and without spending money...

Therefore I is was thinking to implement EFS but then users should not have

the option to decrypt files...

Ludo

"Steve Riley [MSFT]" wrote:

> Daniel is correct. Until you can define which threats you want to mitigate,

> then you really can't design an appropriate encryption process.

>

> --

> Steve Riley

>

> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message

> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...

> > Sorry for asking, but what will they gain from this? If the laptop is

> > stolen, are they aware of the fact that unless it's encrypted with

> > BitLocker, it's most likely that the content of e:data will be stolen as

> > well? Are they using some sort of Smart Cards or other method of

> > authentication?

> >

> > Unless something really sophisticated is going on that we're not aware of,

> > I'd suggest that you review your requirements, and that you ask a good

> > security expert to help you design your security solutions.

> >

> > --

> > Sincerely,

> >

> > Daniel Petri

> > MVP, Senior IT consultant, trainer

> > www.petri.co.il

> >

> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...

> >> Hi Steve,

> >>

> >> I also prefer Bitlocker but if you can convince my management to move on

> >> to

> >> Vista ...

> >> Unless there is Bitlocker version for XP.

> >>

> >> So what my management is requesting for our laptop users : keep win XP,

> >> create a second partition (e: drive) and a folder 'data'. (e:data)

> >> Users don't have access to c: or to e: only to e:data. So what we

> >> want

> >> is that if a user put's a file on e:data it should be encrypted but he

> >> should not have the option to decrypt the files on e:data. We always

> >> want

> >> to keep the files encrypted.

> >>

> >> Ludo

> >>

> >> "Steve Riley [MSFT]" wrote:

> >>

> >>> Why do you need all users to encrypt all files? What threats are you

> >>> trying

> >>> to mitigate? Do they use laptops (where encryption is good, and I prefer

> >>> BitLocker for this) or desktops? Tell us more.

> >>>

> >>> --

> >>> Steve Riley

> >>> steve.riley@microsoft.com

> >>> http://blogs.technet.com/steriley

> >>> http://www.protectyourwindowsnetwork.com

> >>>

> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

> >>> > Hi Daniel,

> >>> >

> >>> > I agree but how can I force my users to encrypt always there files ?

> >>> >

> >>> > "Daniel Petri <MVP>" wrote:

> >>> >

> >>> >> A folder CANNOT be encrypted with EFS. Only files can.

> >>> >>

> >>> >> In any case, what's the point behind ENCRYPTING something (with EFS

> >>> >> in

> >>> >> this

> >>> >> case), if ANY user can remove the encryption??? Do you see a logic

> >>> >> here?

> >>> >> I

> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll

> >>> >> see

> >>> >> that

> >>> >> only the original user and the Recovery Agent can decrypt the file.

> >>> >>

> >>> >> --

> >>> >> Sincerely,

> >>> >>

> >>> >> Daniel Petri

> >>> >> MVP, Senior IT consultant, trainer

> >>> >> www.petri.co.il

> >>> >>

> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

> >>> >> > Hi,

> >>> >> >

> >>> >> > We have the following problem : we created on a partition a folder

> >>> >> > called

> >>> >> > data which has been encrypted with EFS. We always want to keep

> >>> >> > that

> >>> >> > folder

> >>> >> > encrypted.

> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

> >>> >> > Attributes'

> >>> >> > button under the folder properties.

> >>> >> >

> >>> >> > Question : Is there a way that we can disable that 'Advanced

> >>> >> > Attributes'

> >>> >> > button in such a way that the folder stays encrypted with EFS ?

> >>> >> >

> >>> >>

> >

June 26, 2008

Hi,

We have more than 10.000 clients and the idea is to migrate to Vista in

2010, so that we can use bitlocker. Meantime management request that we

protect the data on our laptops, against data lost and if possible encrypted

and without spending money...

Therefore I is was thinking to implement EFS but then users should not have

the option to decrypt files...

Ludo

"Steve Riley [MSFT]" wrote:

> Daniel is correct. Until you can define which threats you want to mitigate,

> then you really can't design an appropriate encryption process.

>

> --

> Steve Riley

steve.riley@microsoft.com

>

> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message

> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...

> > Sorry for asking, but what will they gain from this? If the laptop is

> > stolen, are they aware of the fact that unless it's encrypted with

> > BitLocker, it's most likely that the content of e:data will be stolen as

> > well? Are they using some sort of Smart Cards or other method of

> > authentication?

> >

> > Unless something really sophisticated is going on that we're not aware of,

> > I'd suggest that you review your requirements, and that you ask a good

> > security expert to help you design your security solutions.

> >

> > --

> > Sincerely,

> >

> > Daniel Petri

> > MVP, Senior IT consultant, trainer

> > www.petri.co.il

> >

> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...

> >> Hi Steve,

> >>

> >> I also prefer Bitlocker but if you can convince my management to move on

> >> to

> >> Vista ...

> >> Unless there is Bitlocker version for XP.

> >>

> >> So what my management is requesting for our laptop users : keep win XP,

> >> create a second partition (e: drive) and a folder 'data'. (e:data)

> >> Users don't have access to c: or to e: only to e:data. So what we

> >> want

> >> is that if a user put's a file on e:data it should be encrypted but he

> >> should not have the option to decrypt the files on e:data. We always

> >> want

> >> to keep the files encrypted.

> >>

> >> Ludo

> >>

> >> "Steve Riley [MSFT]" wrote:

> >>

> >>> Why do you need all users to encrypt all files? What threats are you

> >>> trying

> >>> to mitigate? Do they use laptops (where encryption is good, and I prefer

> >>> BitLocker for this) or desktops? Tell us more.

> >>>

> >>> --

> >>> Steve Riley

> >>> steve.riley@microsoft.com

> >>> http://blogs.technet.com/steriley

> >>> http://www.protectyourwindowsnetwork.com

> >>>

> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

> >>> > Hi Daniel,

> >>> >

> >>> > I agree but how can I force my users to encrypt always there files ?

> >>> >

> >>> > "Daniel Petri <MVP>" wrote:

> >>> >

> >>> >> A folder CANNOT be encrypted with EFS. Only files can.

> >>> >>

> >>> >> In any case, what's the point behind ENCRYPTING something (with EFS

> >>> >> in

> >>> >> this

> >>> >> case), if ANY user can remove the encryption??? Do you see a logic

> >>> >> here?

> >>> >> I

> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and you'll

> >>> >> see

> >>> >> that

> >>> >> only the original user and the Recovery Agent can decrypt the file.

> >>> >>

> >>> >> --

> >>> >> Sincerely,

> >>> >>

> >>> >> Daniel Petri

> >>> >> MVP, Senior IT consultant, trainer

> >>> >> www.petri.co.il

> >>> >>

> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

> >>> >> > Hi,

> >>> >> >

> >>> >> > We have the following problem : we created on a partition a folder

> >>> >> > called

> >>> >> > data which has been encrypted with EFS. We always want to keep

> >>> >> > that

> >>> >> > folder

> >>> >> > encrypted.

> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

> >>> >> > Attributes'

> >>> >> > button under the folder properties.

> >>> >> >

> >>> >> > Question : Is there a way that we can disable that 'Advanced

> >>> >> > Attributes'

> >>> >> > button in such a way that the folder stays encrypted with EFS ?

> >>> >> >

> >>> >>

> >

June 26, 2008

What kind of data loss? Do you mean theft of a laptop? If so, then BitLocker

is better suited to this, so perhaps you can accelerate your upgrade plans.

Properly configured, EFS can also be used to mitigate this threat, but it's

more work. Follow the guidance in the Data Encryption Toolkit for Mobile PCs

(search our web site for it).

--

Steve Riley

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

news:A7D84739-425E-4712-9B6B-086EC6F9D773@microsoft.com...

> Hi,

> We have more than 10.000 clients and the idea is to migrate to Vista in

> 2010, so that we can use bitlocker. Meantime management request that we

> protect the data on our laptops, against data lost and if possible

> encrypted

> and without spending money...

> Therefore I is was thinking to implement EFS but then users should not

> have

> the option to decrypt files...

>

> Ludo

>

> "Steve Riley [MSFT]" wrote:

>

>> Daniel is correct. Until you can define which threats you want to

>> mitigate,

>> then you really can't design an appropriate encryption process.

>>

>> --

>> Steve Riley

>> steve.riley@microsoft.com

>> http://blogs.technet.com/steriley

>> http://www.protectyourwindowsnetwork.com

>>

>> "Daniel Petri <MVP>" <daniel@petri.co.il.removethis> wrote in message

>> news:F21C3892-A865-461D-86F8-14834B16851A@microsoft.com...

>> > Sorry for asking, but what will they gain from this? If the laptop is

>> > stolen, are they aware of the fact that unless it's encrypted with

>> > BitLocker, it's most likely that the content of e:data will be stolen

>> > as

>> > well? Are they using some sort of Smart Cards or other method of

>> > authentication?

>> >

>> > Unless something really sophisticated is going on that we're not aware

>> > of,

>> > I'd suggest that you review your requirements, and that you ask a good

>> > security expert to help you design your security solutions.

>> >

>> > --

>> > Sincerely,

>> >

>> > Daniel Petri

>> > MVP, Senior IT consultant, trainer

>> > www.petri.co.il

>> >

>> > "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>> > news:866D7408-6E0B-455B-8260-34903D82811D@microsoft.com...

>> >> Hi Steve,

>> >>

>> >> I also prefer Bitlocker but if you can convince my management to move

>> >> on

>> >> to

>> >> Vista ...

>> >> Unless there is Bitlocker version for XP.

>> >>

>> >> So what my management is requesting for our laptop users : keep win

>> >> XP,

>> >> create a second partition (e: drive) and a folder 'data'. (e:data)

>> >> Users don't have access to c: or to e: only to e:data. So what we

>> >> want

>> >> is that if a user put's a file on e:data it should be encrypted but

>> >> he

>> >> should not have the option to decrypt the files on e:data. We always

>> >> want

>> >> to keep the files encrypted.

>> >>

>> >> Ludo

>> >>

>> >> "Steve Riley [MSFT]" wrote:

>> >>

>> >>> Why do you need all users to encrypt all files? What threats are you

>> >>> trying

>> >>> to mitigate? Do they use laptops (where encryption is good, and I

>> >>> prefer

>> >>> BitLocker for this) or desktops? Tell us more.

>> >>>

>> >>> --

>> >>> Steve Riley

>> >>> steve.riley@microsoft.com

>> >>> http://blogs.technet.com/steriley

>> >>> http://www.protectyourwindowsnetwork.com

>> >>>

>> >>> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>> >>> news:A1F6E244-C950-4590-87F6-5CA59F94BA04@microsoft.com...

>> >>> > Hi Daniel,

>> >>> >

>> >>> > I agree but how can I force my users to encrypt always there files

>> >>> > ?

>> >>> >

>> >>> > "Daniel Petri <MVP>" wrote:

>> >>> >

>> >>> >> A folder CANNOT be encrypted with EFS. Only files can.

>> >>> >>

>> >>> >> In any case, what's the point behind ENCRYPTING something (with

>> >>> >> EFS

>> >>> >> in

>> >>> >> this

>> >>> >> case), if ANY user can remove the encryption??? Do you see a logic

>> >>> >> here?

>> >>> >> I

>> >>> >> can't. Try doing the same to a FILE and not to a FOLDER, and

>> >>> >> you'll

>> >>> >> see

>> >>> >> that

>> >>> >> only the original user and the Recovery Agent can decrypt the

>> >>> >> file.

>> >>> >>

>> >>> >> --

>> >>> >> Sincerely,

>> >>> >>

>> >>> >> Daniel Petri

>> >>> >> MVP, Senior IT consultant, trainer

>> >>> >> www.petri.co.il

>> >>> >>

>> >>> >> "Lpoffe" <Lpoffe@discussions.microsoft.com> wrote in message

>> >>> >> news:5514CAD3-54B8-472A-A688-7546000ACBD4@microsoft.com...

>> >>> >> > Hi,

>> >>> >> >

>> >>> >> > We have the following problem : we created on a partition a

>> >>> >> > folder

>> >>> >> > called

>> >>> >> > data which has been encrypted with EFS. We always want to keep

>> >>> >> > that

>> >>> >> > folder

>> >>> >> > encrypted.

>> >>> >> > Unfortunaly a user can decrypt that folder via the 'Advanced

>> >>> >> > Attributes'

>> >>> >> > button under the folder properties.

>> >>> >> >

>> >>> >> > Question : Is there a way that we can disable that 'Advanced

>> >>> >> > Attributes'

>> >>> >> > button in such a way that the folder stays encrypted with EFS ?

>> >>> >> >

>> >>> >>

>> >

June 27, 2008

Thanks Steve will give it a tray.

"Steve Riley [MSFT]" wrote:

> What kind of data loss? Do you mean theft of a laptop? If so, then BitLocker

> is better suited to this, so perhaps you can accelerate your upgrade plans.

>

> Properly configured, EFS can also be used to mitigate this threat, but it's

> more work. Follow the guidance in the Data Encryption Toolkit for Mobile PCs

> (search our web site for it).

>

> --

> Steve Riley