Tips and Tricks

Encryption All Around

With Windows 2003, you can use the Encryption File Systems to give multiple users access to the same encrypted files.

If you've held off using the Encrypting File System (EFS) because Windows 2000 only allows access to an encrypted file to the person who encrypted it, you'll be happy to know that Windows Server 2003 fixes this limitation. Now you can give multiple users access to the same encrypted files, or give end users permission to do it themselves—if you know how.

First introduced with Win2K, EFS encrypts files as they're stored on desktops and servers throughout the enterprise. EFS uses a symmetric key, called the File Encryption Key (FEK), to encrypt the data portion of a file. The FEK is then encrypted using an EFS public key issued to the person who encrypted the file—the requestor. The requestor's copy of the FEK is stored along with the file in an NTFS-named data stream called the Data Decryption Field (DDF). An encrypted file has one and only one DDF.

If a Data Recovery Agent (DRA) is configured at the computer where the encrypted file resides, an additional copy of the FEK is encrypted using the File Recovery (FR) public key issued to the DRA. The DRA's copy of the FEK is stored along with the file in an NTFS-named data stream called the Data Recovery Field (DRF). A computer can have multiple DRAs, so there can be more than one DRF per encrypted file.

With Win2K, if no DRA is configured, encryption fails. With Windows XP and Windows 2003, no DRA is required for encryption to succeed. Therefore, it's possible for an encrypted file on an XP or Windows 2003 computer to have no DRF.

Tip Box

DRAs and their certificates are handled in a similar manner to providing users access to encrypted files. After the EFS Recovery Agent certificate is generated, it can be published with the user object in AD or imported from a file. The DRA is then created in the GPO, under the Computer Configuration|Windows Settings| Security Settings|Public Key Policies|Encrypting File System node of the GPO.

Best practice dictates that encryption be enabled at the folder level so that all new files created under the folder and its subfolders get encrypted as they are created. This avoids leaving clear-text temp files on the drive. However, giving multiple users access to an encrypted file requires configuring each individual file.

To enable additional users to access an encrypted file, each user's public key must be available at the local computer. The best way to organize and store these public keys is through Active Directory. Otherwise, you'd need to enable any user who needs your public key to be able to log on to your computer—not a palatable solution.

After you get all of the certificates for encrypting files into AD, go to the encrypted file that you want to make available to multiple users and follow these steps:

1. Go to the Properties of the file

2. Select the Advanced button on the General tab

3. Select the Details button on the Advanced Attributes screen

4. Select the Add button under the User Name text area

5. Select the certificates for each user that needs access and select the OK button. At this point, only certificates in the local repository are listed. To pull certificates from AD, you'll need to click Find User and search for the user in AD.

Once you've added multiple user certificates to the file, you'll be able to view who has access to the encrypted file, as shown in Figure 1.

Figure 1. The Details of the encrypted file indicates which users have access.
Figure 1. The Details of the encrypted file indicates which users have access. (Click image to view larger version.)

If this sounds like a lot of work to provide multi-user access to encrypted files, keep in mind that you'll typically only use encryption for a few highly sensitive files. Also keep in mind that users who have the proper permission to the encrypted files will have the ability to control the list of users who have access to those files.

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.


  • Microsoft Intune Gets Role-Based Access Control

  • Microsoft Intune Can Now Deploy Office 365 ProPlus Apps

  • Microsoft To Block EMET in Windows 10 Fall Creators Update

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.