Encryption on a remote server

  • Question

  • Hello everyone!

    The task is this:

    When logging on to a Win2K3 domain, each user gets a network drive mapped, a folder on a remote server. This folder must be stored encrypted, and files the user places there must be encrypted automatically. After reading up on it, we decided to use EFS, but the thing is that in order to encrypt folders and files on a remote server you somehow have to configure delegation for the user account. Could you please tell me exactly how?


Answers

  • The server needs to be configured as well. Here is what the documentation says:

    Remote EFS Operations in a File Share Environment

    Remote EFS operations on files stored on network file shares are possible in Windows 2000 or later domain environments only. Domain users can remotely encrypt or decrypt files, but this capability is not enabled by default. The following are requirements for successful remote EFS operations in a file share environment:

    1. The files to be encrypted must be available to the user through a network share. Normal share-level security applies.

    2. The user must have Write or Modify permissions to encrypt or decrypt a file.

    3. The user must have either a local profile on the computer where EFS operations will occur or a roaming profile. If the user does not have a local profile on the remote computer or a roaming profile, EFS creates a local profile for the user on the remote computer.

      If the remote computer is a server in a cluster, the user must have a roaming profile.

    4. To encrypt a file, the user must have a valid EFS certificate. If EFS cannot locate a pre-existing certificate, EFS contacts a trusted enterprise certification authority for a certificate. If no trusted enterprise certification authorities are known, a self-signed certificate is created and used. The certificate and keys are stored in the user’s profile on the remote computer or in the user’s roaming profile if available.

      Note To verify a certificate’s authenticity, a certification authority signs the certificates that it issues with its private key. EFS creates and uses a self-signed certificate if no file encryption certificate is available from a certification authority. A self-signed certificate indicates that the issuer and subject in the certificate are identical, and that no certification authority has signed the certificate.

    5. To decrypt a file, the user’s profile must contain the private key associated with the public key used to encrypt the file encryption key (FEK).

    6. EFS must impersonate the user to obtain access to the necessary public or private key. This requires the following:

      1. The computer must be a domain member in a domain that uses Kerberos authentication because impersonation relies on Kerberos authentication and delegation.

      2. The computer must be trusted for delegation.

      3. The user must be logged on with a domain account that can be delegated.

        Note Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with EFS.

    Remote decryption is a potential security risk because files are decrypted prior to transmission and are transmitted unencrypted. EFS decrypts the file on the computer that stores the encrypted file, and the data is then transmitted over the network in plaintext. Organizations need to consider whether this level of risk is acceptable. You can greatly reduce or eliminate this risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data, enabling another network layer security protocol—or by using Web folders. For more information about configuring IP Security, see “Internet Protocol Security” in the TCP/IP Core Networking Guide of the Microsoft Windows 2000 Server Resource Kit.


    Item 3 at the bottom of the quote says what you wanted to know.

    source
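    As an added example (not from the thread and not Microsoft's code), a PowerShell check for the two delegation settings that requirements 6.2 and 6.3 in the quote depend on, read straight from the userAccountControl attribute over LDAP. It assumes a domain-joined host with read access to the directory; FS01 (the file server) and jdoe (the user) are hypothetical names.

```powershell
# Added example, not part of the thread: read the two userAccountControl bits that the
# quoted EFS requirements 6.2 and 6.3 depend on, via plain LDAP (System.DirectoryServices),
# so it runs on a domain-joined host without the ActiveDirectory module.
# FS01 (file server) and jdoe (user) are hypothetical names.
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Trusted for delegation" (computer account)
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated" (user)

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # sAMAccountName of a computer object ends in '$', e.g. 'FS01$'
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'distinguishedName'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Account '$SamAccountName' not found in the current domain" }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account              = [string]$r.Properties['distinguishedname'][0]
        TrustedForDelegation = [bool]($uac -band $UF_TRUSTED_FOR_DELEGATION)
        CannotBeDelegated    = [bool]($uac -band $UF_NOT_DELEGATED)
    }
}

# Report whether the (file server, user) pair satisfies the EFS impersonation requirements.
function Test-RemoteEfsDelegation {
    param([string]$ComputerName, [string]$UserName)
    $srv = Get-DelegationState -SamAccountName "$ComputerName`$"
    $usr = Get-DelegationState -SamAccountName $UserName
    if (-not $srv.TrustedForDelegation) {
        Write-Warning "Server $ComputerName is not trusted for delegation (requirement 6.2)."
    }
    if ($usr.CannotBeDelegated) {
        Write-Warning "User $UserName is marked 'sensitive and cannot be delegated' (requirement 6.3)."
    }
    return ($srv.TrustedForDelegation -and -not $usr.CannotBeDelegated)
}

# Defender-side inventory: every computer carrying the unconstrained-delegation bit. Such
# hosts can impersonate any user that authenticates to them, so the list should be short
# and deliberate. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
function Get-TrustedForDelegationComputers {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION))"
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

Test-RemoteEfsDelegation -ComputerName 'FS01' -UserName 'jdoe'
Get-TrustedForDelegationComputers
```

    The inventory function is worth running periodically regardless of EFS: every computer it lists is one the domain trusts to act on behalf of any user, which is exactly why the quoted note tells you to grant it only to the file server and never to the user account.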

  • Is there no documentation in Russian? It turns out my knowledge of English isn't enough :(
    June 7, 2007, 15:05
  • I recommend improving your English, simply because there is more information in it and it isn't distorted by translation. =)

    How to make a computer account and a user account trusted for delegation:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/ru/library/ServerHelp/b207ee9c-a055-43f7-b9be-20599b694a31.mspx?mfr=true

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/ru/library/ServerHelp/bef202b0-c8e9-4999-9af7-f56b991a4fd4.mspx?mfr=true

    You can also read a little here and here.

    And last in order but not least (I would even recommend starting with this):

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/ru/library/ServerHelp/3eaa0062-4759-4b3e-bb7d-c2531e7452b9.mspx

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/ru/library/ServerHelp/b0a19334-f911-4eaa-94da-37f6a875434c.mspx