Hello,
we decided to theft-protect our workstations by using EFS encryption on some important documents and directories.
Just to be sure: I hope that data will not be readable in the case that someone physically gains access to the disk or computer with encrypted data and does not know the user's name & password to log in or does not have the right encryption certificate with private key. Please correct me if I'm wrong.
All workstations are Windows 7 Professional joined to the domain controlled by Windows 2008R2 DC. We are a bit lazy, so we have generated a local, self-signed EFS certificate on a single workstation and installed this (the same) certificate on all workstations. Now, we are able to share EFS encrypted files, for example via an NTFS-formatted flash drive.
Later, we have set up a Certificate Authority (we can potentially issue new EFS personal, domain-based certificates that are published in AD), and established a DRA as well (published the DRA via a Group Policy).
All logged-in users have the same (non-domain) certificate installed in their "My User Account" certificate store; the cipher /y command shows the same thumbprint value.
However, we would like to be able to access files remotely, in a "lazy" way using an administrative share like \\workstation\c$\users\bob\document.txt. We all are Domain Admins, so NTFS and SMB privileges should be OK; unencrypted files are accessible OK.
I have tried to issue new certificates via the Cert Authority, putting them into the "Trusted People" container etc., adding them to the "Users who can access this file:" list on the encrypted file, and nothing worked.
So is it possible to share EFS encrypted files over a workstation's share (i.e. \\workstation\something)?
What should I do to get it working? :-)
Thank you for any ideas.
Jan