2.4.1.1 Encrypting Files Across the Network
File encryption and decryption require the presence of EFS keys on the computer where the files
reside. When a user encrypts a file on a local desktop or laptop, EFS works with the Microsoft cryptographic
service provider (CSP) to create the EFS key pair and to store it in the user's local profile. If the user attempts
to encrypt a file across the network, EFS running on the server looks for the user's profile on the server. EFS
cannot reach keys stored on the user's desktop because it has no security context anywhere except on the
machine where it runs. This means that the server must have a local profile for the user that contains
both the EFS public key, used to encrypt the file, and the EFS private key, used to open the encrypted file. To
build that private key on the server, the Protected Storage service there must have a copy of the user's password
hash so that it can encrypt the master key that protects the user's private key. It obtains this information by
"user impersonation", which requires obtaining a Kerberos ticket on behalf of the user to present when
requesting the user's security credentials from a domain controller. A server has two ways of obtaining such a
ticket:
• The Kerberos client at the user's desktop can obtain a session ticket for a specific service and pass it to the
server to use on the user's behalf. In Kerberos terms this is a proxy ticket, and the KDC issues it only from a
TGT flagged as proxiable; or
• The server can ask the Kerberos client at the desktop for a copy of the user's TGT, which the server then uses to
obtain its own session tickets as if the server were the user. This is a forwarded TGT, issued only from a TGT
flagged as forwardable. Windows uses this second form for delegation.
However, before a server can use forwarded TGTs or proxy tickets to create encrypted files for network
users, it must be Trusted For Delegation. This option is configured on the server's Computer object in Active
Directory.
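The delegation setting above is a bit in the computer object's userAccountControl attribute, and the user side has a matching bit ("Account is sensitive and cannot be delegated") that stops the KDC from issuing forwardable or proxiable tickets for that account no matter how the server is configured. The following PowerShell is an added example, not code from the book, that reads both bits and can set the server flag; it assumes the ActiveDirectory module (RSAT) is installed and the caller has rights to read and write the objects, and the server and user names FS01 and jdoe are placeholders.

```powershell
# Added example: inspect and set Kerberos delegation settings in AD.
# Assumes the ActiveDirectory module (RSAT) and rights to read/write the objects.
# 'FS01' and 'jdoe' below are placeholder names.
Import-Module ActiveDirectory

# userAccountControl bits (ADS_USER_FLAG_ENUM values)
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this computer for delegation to any service"
$UF_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationStatus {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # computer name, e.g. 'FS01'
        [Parameter(Mandatory)] [string] $UserName      # sAMAccountName, e.g. 'jdoe'
    )
    $server = Get-ADComputer -Identity $ServerName -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $user   = Get-ADUser     -Identity $UserName   -Properties userAccountControl

    $uacServer = [int64] $server.userAccountControl
    $uacUser   = [int64] $user.userAccountControl

    [pscustomobject]@{
        Server                  = $server.Name
        UnconstrainedDelegation = ($uacServer -band $UF_TRUSTED_FOR_DELEGATION) -ne 0
        ProtocolTransition      = ($uacServer -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        ConstrainedTargets      = @($server.'msDS-AllowedToDelegateTo')   # SPNs, if constrained
        User                    = $user.SamAccountName
        UserCanBeDelegated      = ($uacUser -band $UF_NOT_DELEGATED) -eq 0
    }
}

function Enable-UnconstrainedDelegation {
    param([Parameter(Mandatory)] [string] $ServerName)
    # Same effect as ticking "Trust this computer for delegation" on the
    # computer object's Delegation tab: sets the 0x80000 bit.
    Set-ADComputer -Identity $ServerName -TrustedForDelegation $true
}

# Usage with the placeholder names:
$status = Get-DelegationStatus -ServerName 'FS01' -UserName 'jdoe'
$status | Format-List
if (-not $status.UserCanBeDelegated) {
    Write-Warning "$($status.User) is marked 'sensitive and cannot be delegated'; the KDC will not issue forwardable or proxiable tickets for this account."
}
if (-not $status.UnconstrainedDelegation -and $status.ConstrainedTargets.Count -eq 0) {
    Write-Warning "$($status.Server) is not trusted for delegation; EFS on the server cannot impersonate network users."
}
```

Two practical checks follow from this. First, after the user maps a drive to the server, `klist` on the desktop lists the ticket for the server's cifs/ SPN with its Ticket Flags; `forwardable` and `ok_as_delegate` appear there only when the user account and the server's computer object both permit delegation. Second, the flag the book describes is unconstrained delegation: a server so trusted can cache the forwarded TGT of any user who connects and use it against any service, so limit it to servers that genuinely need it and, on Windows Server 2003 and later, prefer constrained delegation (the msDS-AllowedToDelegateTo list) where the required target services are known.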