Re-Add Support for encrypting data even if user has Roaming profile

Jul 13, 2007 at 12:10 AM
DELIMA
So it looks like there is a catch 22 here. While this tool looks very promising for encrypting files there is the need to store user’s data (offline folders or other) on servers. If you want to copy data to a server and keep it EFS encrypted on the server then the server needs to have the user’s key information first in order to encrypt the files.

POSSIBLE SOLUTION 1 (avoiding roaming profiles)
One thought is to use Credential Roaming to store the user’s keys in AD, but this scenario doesn’t help because it only works through interactive logon, not network logon. The server will instead create a self-signed cert for the user or request one from the CA. This will lead to problems with recovery or further encryption of the files.

MS RECOMMENDED SOLUTION (reduced roaming profile)
The other option was to use Roaming Profiles and only roam the “Application Data” folder so the file server will get the correct keys when the user connects through the network and creates or copies encrypted folders to the server. This can be achieved via GPO by filtering all the other folders in the profile out.

CONUNDRUM
So now that we need to have a reduced or limited roaming profile the EFS Assistant application will not work with roaming profiles. My request is to have the application work with a limited roaming profile where only the “application data” directory is roamed and not encrypted.

It seems MS has not given much thought to this issue, because even with Vista and Longhorn the problem would still be present. Both solutions, credential roaming and limited roaming profiles, still have their issues in relation to EFS files being copied to or created on servers.

Any ideas on how to solve this problem???
Coordinator
Jul 19, 2007 at 12:29 AM
OK, so let me see if I understand your goals correctly:
  1. want to encrypt the same sensitive data both on the client and on the server to which Roaming User Profiles will ultimately copy User Profile data
  2. want to encrypt the files in both places using the same keypair so that recovery on any host uses the same centrally-archived keys

However, I don't understand the problem you're trying to solve:
  • What does it help to prevent roaming other RUP folders?
  • Do you want to roam %APPDATA% but not encrypt it, or do you want to roam and encrypt %APPDATA%?

And I should point out that the plan (as I last saw documented) was that Vista SP1 + Windows Server 2008 would support copying encrypted files to 2008 shares without decrypting the files in transit - so that the files remain encrypted with the same keys on the server as they're encrypted on the client. That probably doesn't solve your problem today, but it may in fact resolve part or all of the problem in "Vista and Longhorn" (as you may have implied).
Jul 19, 2007 at 3:35 PM
Edited Jul 19, 2007 at 4:45 PM
Hello Mike,

The answers to bullets 1 and 2 are yes. We found that credential roaming does not solve these issues because it requires interactive logons. The other solution provided to us was roaming profiles, even though this presents new problems for users who log on to multiple platforms such as Win2k, XP and Vista because of the different encryption key support (AES, 3DES vs. DESX) we have in our environment.

The reason it helps to roam only the %APPDATA% is because you are looking at far less data that needs to be copied up to the server. In our environment people have very large profiles and would be looking at excessive storage and traffic issues if we roamed the entire profile.

We would LOVE to roam and encrypt the %APPDATA% as well but currently roaming profiles does not support roaming any encrypted data.

One other solution is for MS to back-port code to support using EFS to encrypt files on file servers using the same keys. Similar to how they back-ported Credential Roaming support for XP SP2 and Win2k3.

Ultimately we would like to start using EFS now and really would not want to wait another year for Server 2008 to become stable and Vista SP1 to be released.

Thanks for the response. I hope a solution can be provided; we would really like to use EFS but are struggling with how to implement and support it in our heterogeneous environment.

-Eric


MikeSL wrote:
OK, so let me see if I understand your goals correctly:
  1. want to encrypt the same sensitive data both on the client and on the server to which Roaming User Profiles will ultimately copy User Profile data
  2. want to encrypt the files in both places using the same keypair so that recovery on any host uses the same centrally-archived keys

However, I don't understand the problem you're trying to solve:
  • What does it help to prevent roaming other RUP folders?
  • Do you want to roam %APPDATA% but not encrypt it, or do you want to roam and encrypt %APPDATA%?

And I should point out that the plan (as I last saw documented) was that Vista SP1 + Windows Server 2008 would support copying encrypted files to 2008 shares without decrypting the files in transit - so that the files remain encrypted with the same keys on the server as they're encrypted on the client. That probably doesn't solve your problem today, but it may in fact resolve part or all of the problem in "Vista and Longhorn" (as you may have implied).

Coordinator
Jul 19, 2007 at 11:00 PM
Hi Eric, I'm not sure but it almost sounds like you're asking for a feature to be implemented in EFS, rather than something that would be implemented in EFS Assistant. (Note that EFS Assistant doesn't replace any pre-existing EFS functionality - it merely automates the decision of which folders and files will be encrypted using CIPHER.EXE.)

Your original request was to "...have the application work with a limited roaming profile where only the “application data” directory is roamed and not encrypted." Unfortunately, I'm still not sure what "work with a limited roaming profile" means:
  • Do you want EFS Assistant to be able to skip encryption of everything under %APPDATA%, so that you're able to successfully roam that folder and its contents?

... oh heck, I think I see what you're talking about now: I keep forgetting ('cause it happened after I left the project) that someone added the following code to DET.CS to cause EFS Assistant to halt if it detects that the user has any sort of Roaming User Profile:

           // 
           // We don't support roaming user profiles since
           // EFS encryption generally doesn't work in 
           // that scenario
           //
           if (User.UserProfileType == ProfileType.Roaming)
           {
               Log.WriteToSystemApplicationLog("RoamingProfile");
               Log.EFSAsstTrace("RoamingProfile");
               return;
           }

SO: are you simply asking that we allow EFS Assistant to encrypt stuff even if it detects that the user's profile is Roaming?


Aside: this appears to be Microsoft's guidance where RUP and related data mirroring issues are concerned (2000, XP and 2003):
http://technet2.microsoft.com/windowsserver/en/library/5ed71b3a-bcfd-41aa-af86-c7faaf97c4a51033.mspx

And here's a reference to RUP & Folder Redirection guidance for environments that mix XP & Vista clients (but doesn't mention 2000):
http://smallbusiness.itworld.com/4379/nlswindows070327/page_1.html

However, here's a really comprehensive white paper that discusses how to manage these issues in much greater detail (but which probably doesn't include 2000 guidance):
http://technet2.microsoft.com/WindowsVista/en/library/fb3681b2-da39-4944-93ad-dd3b6e8ca4dc1033.mspx
Jul 23, 2007 at 3:43 PM

  • Do you want EFS Assistant to be able to skip encryption of everything under %APPDATA%, so that you're able to successfully roam that folder and its contents?

YES!


... oh heck, I think I see what you're talking about now: I keep forgetting ('cause it happened after I left the project) that someone added the following code to DET.CS to cause EFS Assistant to halt if it detects that the user has any sort of Roaming User Profile:

           // 
           // We don't support roaming user profiles since
           // EFS encryption generally doesn't work in 
           // that scenario
           //
           if (User.UserProfileType == ProfileType.Roaming)
           {
               Log.WriteToSystemApplicationLog("RoamingProfile");
               Log.EFSAsstTrace("RoamingProfile");
               return;
           }

SO: are you simply asking that we allow EFS Assistant to encrypt stuff even if it detects that the user's profile is Roaming?


Yes, however I think this should be a switch configurable in GPO. Most people are probably not aware that you are capable of just roaming the %APPDATA% directory while excluding all other folders in the profile. This way we could still encrypt 90% of the profile while still roaming the keys.

I still think MS should back-port the technology used to allow Vista/2008 to use the same encryption key for remote EFS on file servers to Win2k3 and XP.

BTW, do you know if MS plans on supporting remote EFS on DFS Servers in Windows Server 2008?

-Eric
Coordinator
Jul 24, 2007 at 6:48 PM
Edited Jul 24, 2007 at 6:49 PM
OK, I've updated the title of this discussion to reflect my current understanding of the issue.

Last month I added a work item to add support back for RUP-enabled users:
http://www.codeplex.com/EFSAssistant/WorkItem/View.aspx?WorkItemId=2673

Now, help me understand the second half of your proposal: what would a configurable switch do?
  • Would it simply enable or disable the EFS Assistant when it detects a RUP (as it currently behaves)?
  • Would it enable or disable the behaviour to (NOT) encrypt folders that are currently configured to roam?
  • or something else?

I agree that Microsoft ought to back-port support for using the same keys on clients and file servers - personally, I would be just as happy with either (a) support for network-logon driven Credential Roaming (aka DIMS) or (b) support for the "client-side encryption" that is planned for inclusion with SMB2 in Windows Server 2008 & Vista SP1 (at least, last I heard).

I don't know what the technical limitations are that hinder (a), but I can tell you that Microsoft has historically been reticent to back-port major rewrites to protocols or technologies (such as they'd have to do to implement SMB2 + EFS "client-side encryption" into 2003, XP or 2000). I would imagine the interop testing alone would be almost prohibitive on those downlevel versions of Windows.

However, I encourage you to contact Microsoft to make your desires known - that's how planning for all product development is influenced, and there's no better way than to make a business case for the proposal. I would suggest contacting your Microsoft account representative or Technical Account Manager, or putting a well-thought-out message on one of the Microsoft community sites/newsgroups (e.g. I know that historically there have been EFS team members monitoring and responding on the http://groups.google.com/group/microsoft.public.security.crypto newsgroup).

That's also a great place to ask the question on EFS/DFS/2008 - I personally have no idea.
Jul 25, 2007 at 1:01 AM
Edited Jul 25, 2007 at 1:04 AM

Now, help me understand the second half of your proposal: what would a configurable switch do?
  • Would it simply enable or disable the EFS Assistant when it detects a RUP (as it currently behaves)?
  • Would it enable or disable the behaviour to (NOT) encrypt folders that are currently configured to roam?
  • or something else?


Mike,

That is a good question. This is how I envision the application behaving with RUP:

GPO ADM Configuration:

I think the settings that allow the EFS Assistant to work with RUP should work in conjunction with the “exclude directories in roaming profiles” section in the User Configuration GPO. You could either have those settings duplicated in the EFS Assistant ADM file (in one section or place, so it is convenient for the admin) so they are apparent in one place; they would then work in conjunction with the RUP detection.

Agent Behavior:

The agent would detect if the user has a RUP. If so, it would then determine which folders are being roamed; those folders would be excluded from EFS encryption. Or it could only allow folders that are excluded from the RUP to be encrypted in the User’s Profile. Whatever would be easier from a coding perspective.

Does this make sense?


However, I encourage you to contact Microsoft to make your desires known - that's how planning for all product development is influenced, and there's no better way than to make a business case for the proposal. I would suggest contacting your Microsoft account representative or Technical Account Manager, or putting a well-thought-out message on one of the Microsoft community sites/newsgroups (e.g. I know that historically there have been EFS team members monitoring and responding on the http://groups.google.com/group/microsoft.public.security.crypto newsgroup).

I have been working with our TAM here and have successfully put through DCRs in the past. However, I find that I will sometimes run into resistance from the product group or others at MS unless we have enough backing from other organizations. This is usually not an easy process to go through and should be made easier.

On a side note, I am very surprised at how little EFS has changed in the past 7 years since it was originally available. I think this is why a lot of organizations are not implementing EFS or find it very difficult to do so; there really is a disconnect between the management of that service and other centralized services provided by MS, which tend to be more easily manageable with corporate deployment and support in mind.

-Eric
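To make the two behaviours in this thread concrete (the DET.CS check Mike quoted, which halts on any roaming profile, and the agent behaviour Eric proposes above, which encrypts only the folders RUP will never copy), here is an added C# sketch. It is not EFS Assistant code. It assumes the roaming exclusion list is the semicolon-separated list that the "Exclude directories in roaming profile" policy writes to the ExcludeProfileDirs value, and the AllowRoamingProfiles switch, the ProfileType enum values and the sample profile paths are constructed for the example.

```csharp
// Added example, not EFS Assistant project code.
// Decides which profile folders an agent may EFS-encrypt for a roaming user.
// Assumption: 'excludeProfileDirs' is the semicolon-separated, profile-relative
// list from the ExcludeProfileDirs value; 'allowRoamingProfiles' is a
// hypothetical GPO switch standing in for the proposed ADM setting.
using System;
using System.Collections.Generic;
using System.Linq;

enum ProfileType { Local, Roaming, Mandatory }

sealed class EncryptionPlan
{
    public List<string> Encrypt = new List<string>();     // safe to encrypt: never roams
    public List<string> SkipRoamed = new List<string>();  // left plaintext: RUP copies it
    public bool Halted;                                   // current DET.CS behaviour
}

static class RoamingAwareSelector
{
    // True when 'path' is 'root' itself or lies beneath it (case-insensitive, Windows paths).
    static bool IsUnder(string path, string root)
    {
        string p = path.TrimEnd('\\') + "\\";
        string r = root.TrimEnd('\\') + "\\";
        return p.StartsWith(r, StringComparison.OrdinalIgnoreCase);
    }

    public static EncryptionPlan Plan(ProfileType type, bool allowRoamingProfiles,
        string profileRoot, string excludeProfileDirs, IEnumerable<string> candidates)
    {
        var plan = new EncryptionPlan();

        // Local profile: nothing is copied to a server, so every candidate may be encrypted.
        if (type == ProfileType.Local)
        {
            plan.Encrypt.AddRange(candidates);
            return plan;
        }

        // Without the switch, keep the quoted DET.CS behaviour: halt on a roaming profile.
        if (!allowRoamingProfiles)
        {
            plan.Halted = true;
            return plan;
        }

        // Folders the RUP policy excludes from roaming, resolved under the profile root.
        List<string> notRoamed = (excludeProfileDirs ?? string.Empty)
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(rel => profileRoot.TrimEnd('\\') + "\\" + rel.Trim().TrimStart('\\'))
            .ToList();

        foreach (string folder in candidates)
        {
            // Only folders positively known not to roam are encrypted; anything else
            // (notably %APPDATA%, which carries the EFS keys) stays plaintext so the
            // roamed copy is usable on the server.
            if (notRoamed.Any(ex => IsUnder(folder, ex)))
                plan.Encrypt.Add(folder);
            else
                plan.SkipRoamed.Add(folder);
        }
        return plan;
    }

    static void Main()
    {
        // Constructed sample input, not taken from a real machine.
        string root = @"C:\Documents and Settings\eric";
        string[] candidates =
        {
            root + @"\My Documents",
            root + @"\Local Settings\Temp",
            root + @"\Application Data\Microsoft\Crypto",
            root + @"\Desktop",
        };
        // Everything except Application Data is excluded from roaming.
        string exclude = @"My Documents;Local Settings;Desktop";

        EncryptionPlan plan = Plan(ProfileType.Roaming, true, root, exclude, candidates);
        foreach (string f in plan.Encrypt) Console.WriteLine("encrypt: " + f);
        foreach (string f in plan.SkipRoamed) Console.WriteLine("leave plaintext (roams): " + f);
    }
}
```

Of Eric's two variants, this takes the second (encrypt only what is excluded from roaming) because its failure mode is the milder one: a folder the agent cannot classify is left plaintext rather than encrypted into a roaming profile that cannot carry EFS data.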

Coordinator
Jul 25, 2007 at 3:04 AM

GPO ADM Configuration:

I think the settings that allow the EFS Assistant to work with RUP should work in conjunction with the “exclude directories in roaming profiles” section in the User Configuration GPO. You could either have those settings duplicated in the EFS Assistant ADM file (in one section or place, so it is convenient for the admin) so they are apparent in one place; they would then work in conjunction with the RUP detection.

Agent Behavior:

The agent would detect if the user has a RUP. If so, it would then determine which folders are being roamed; those folders would be excluded from EFS encryption. Or it could only allow folders that are excluded from the RUP to be encrypted in the User’s Profile. Whatever would be easier from a coding perspective.

Does this make sense?


Yep, and that's almost line-for-line how we'd originally implemented RUP support. (I wish I knew what the bug was that caused this feature to be dropped - I have a feeling we're going to get bitten once again.) I've updated Work Item #2673 to explicitly reflect this description.

I am biased against duplicating any existing functionality (including ADM entries), as it can get confusing and challenging to troubleshoot problems in such settings when there's multiple places they could be configured. We could certainly provide a cross-link in the ADM file's description of the relevant EFS Assistant configuration, though, so that the Admin knows where to look to determine the current list of Excluded folders.

I have been working with our TAM here and have successfully put through DCRs in the past. However, I find that I will sometimes run into resistance from the product group or others at MS unless we have enough backing from other organizations. This is usually not an easy process to go through and should be made easier.


Agreed - I've worked both sides of that process in my former career at Microsoft, and it should be easier. It's not for lack of trying on their part, but sometimes even the best-laid plans of mice and men...