Planning Encrypted File Storage

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows 2000, Windows XP, and Windows Server 2003 support storing files that are encrypted by using EFS. However, remote decryption is a potential security risk: the file server decrypts the file locally before transmission, and the file then travels across the network in plaintext. Therefore, before you allow encrypted files to be stored on file servers, decide whether the risk of transmitting unencrypted files over the network is acceptable.

You can greatly reduce or eliminate this risk by enabling Internet Protocol security (IPSec) policies, which encrypt data that is transmitted between servers, or by using Web Distributed Authoring and Versioning (WebDAV) folders. WebDAV folders have many advantages compared to shared folders, so you should use them whenever possible for remote storage of encrypted files. WebDAV folders require less administrative effort and provide greater security than shared folders, because the file stays encrypted while it is transferred. WebDAV folders can also securely store and deliver files that are encrypted with EFS over the Internet by means of Hypertext Transfer Protocol (HTTP).

Before users can encrypt files that reside on a remote file server, you must designate the file server as trusted for delegation. Doing so allows all users with files on that server to encrypt their files. For more information about enabling encryption on a file server, see "Enable a remote server for file encryption" in Help and Support Center for Windows Server 2003. Note that when encrypting files on a WebDAV server, the server does not need to be trusted for delegation.
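The following PowerShell script is an added example, not code from the Help and Support Center topic cited above. It shows how an administrator can verify and, if required, set the "Trusted for delegation" flag on a file server's computer account, and how to list every computer that already carries the flag so the set of servers that can impersonate users stays reviewed and as small as possible. It assumes the ActiveDirectory module (RSAT) is available on the management workstation, that the caller has rights to read and modify the computer object, and that the server name FS01 is a placeholder.

```powershell
# Added example: check and enable "Trusted for delegation" on a file server
# computer account. Assumes the ActiveDirectory module is installed; FS01 is
# a placeholder server name.
Import-Module ActiveDirectory

function Get-DelegationTrust {
    param([Parameter(Mandatory)][string]$ComputerName)
    # TrustedForDelegation maps to the TRUSTED_FOR_DELEGATION bit of
    # userAccountControl on the computer object.
    Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation |
        Select-Object Name, DNSHostName, TrustedForDelegation
}

function Enable-DelegationTrust {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Sets the same flag as "Trust this computer for delegation" in
    # Active Directory Users and Computers, then shows the result.
    Set-ADComputer -Identity $ComputerName -TrustedForDelegation $true
    Get-DelegationTrust -ComputerName $ComputerName
}

function Get-AllDelegationTrustedComputers {
    # Audit view: every computer account that is trusted for delegation.
    # Only servers that genuinely need to decrypt on behalf of users (such as
    # EFS file servers) should appear here.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Select-Object Name, DNSHostName
}

# Usage: inspect first, enable only after confirming the server should hold the flag.
Get-DelegationTrust -ComputerName 'FS01'
# Enable-DelegationTrust -ComputerName 'FS01'
Get-AllDelegationTrustedComputers
```

Because a server that is trusted for delegation can use any connecting user's credentials, re-run the audit function periodically and remove the flag from servers that no longer host encrypted files; a WebDAV server does not need it at all.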

Important

  • To enable EFS on a clustered file server, you must perform a number of steps to configure the environment correctly. For more information about enabling EFS on server clusters, see "Create a cluster-managed encrypted file share" in Help and Support Center for Windows Server 2003.

If you allow users to store encrypted files on file servers, review the following issues:

  • Users can encrypt files on remote NTFS volumes only when both the user’s computer and the file server are members of the same Windows Server 2003 forest. (This restriction does not apply to WebDAV folders.)

  • Users must have Write or Modify permissions to encrypt or decrypt a file.

  • Users cannot encrypt files that are compressed. If users encrypt a compressed file or folder, the file or folder is uncompressed.
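The following PowerShell function is an added example, not part of the original page. It walks a user's folder on a file server and reports, for each file, the three conditions listed above that affect whether EFS encryption will succeed: whether the file is already encrypted, whether it is compressed (in which case encrypting it will first uncompress it), and whether a given account holds at least Write rights through an explicit Allow entry in the ACL. It assumes PowerShell 3.0 or later, that the caller can read the ACLs in question, and that the path \\FS01\Users\alice and the account CONTOSO\alice are placeholders.

```powershell
# Added example: pre-flight check for files before enabling EFS on a share.
# Assumes PowerShell 3.0+ (for -File). Path and identity are placeholders.
function Test-EfsReadiness {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'CONTOSO\alice'
    )
    $writeRight = [System.Security.AccessControl.FileSystemRights]::Write

    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $attrs = $_.Attributes
        $acl   = Get-Acl -LiteralPath $_.FullName

        # Write or Modify is required to encrypt or decrypt the file. Modify
        # includes every bit of Write, so testing for the Write bits covers both.
        # Only direct Allow entries for the identity are examined; group
        # membership is not expanded here.
        $hasWrite = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq $Identity -and
                (($ace.FileSystemRights -band $writeRight) -eq $writeRight)) {
                $hasWrite = $true
            }
        }

        $isEncrypted  = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
        $isCompressed = [bool]($attrs -band [System.IO.FileAttributes]::Compressed)

        # A compressed file cannot be encrypted as-is; EFS uncompresses it first.
        $note = if ($isCompressed) { 'compressed; will be uncompressed when encrypted' } else { '' }

        [pscustomobject]@{
            File       = $_.FullName
            Encrypted  = $isEncrypted
            Compressed = $isCompressed
            HasWrite   = $hasWrite
            Note       = $note
        }
    }
}

# Usage: review the table before asking the user to encrypt the folder.
Test-EfsReadiness -Path '\\FS01\Users\alice' -Identity 'CONTOSO\alice' |
    Format-Table -AutoSize
```

Files that show HasWrite as False will fail to encrypt for that user, and files that show Compressed as True will lose their compression when encrypted, so the report tells you in advance where permissions need adjusting and where disk usage will change.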

For more information about EFS and using WebDAV folders to store encrypted files, see "Encrypting and decrypting data" and "Internet Information Services (IIS) 6.0 overview" in Help and Support Center for Windows Server 2003. For more information about configuring IPSec, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at https://www.microsoft.com/reskit).