
WebDav, https and Encrypted file system

Subject Author Date
WebDav, https and Encrypted file system Jiriki 09-20-2006
Posted by Karl Levinson, mvp on September 25, 2006, 12:55 am


>> EFS encryption is applied per folder.
>
> No, EFS can be applied at the file or folder level.

Yes, I know.

>> EFS encryption does not encrypt files during network transfer. It is
>> encryption for files on disk only.
>
> Perhaps you should read up on how EFS works when it is used
> on a remote file server. When using SMB/CIFS the EFS file
> is decrypted when it is sent over the wire and then is re-
> encrypted on the remote server. When using WebDAV the EFS
> file is sent over the wire in its raw, encrypted state.

I did not know that. My experience with EFS is back with Windows 2000,
where this feature does not appear to exist.



Posted by Roger Abell [MVP] on September 25, 2006, 10:07 am
> Hello,
>
> I have a question about WebDav and EFS. I understand that when using
> WebDav, encrypted files are sent as raw files to the server sharing the
> Web folder. This works as long as you use http to connect to the web
> folder. Whenever you use https, the server will store the file
> unencrypted.
>
> Is this a bug or does this happen by design?
>
> I appreciate your help,
> Jiriki
>

To my awareness that is not by design.
I am wondering whether your test environment does correctly
reflect the requirements of the WebDav scenario.

Roger



Posted by Jiriki on October 2, 2006, 7:11 am

Thanks to everybody for your reply. Unfortunately I was occupied the
last weeks and could follow the discussion.

The test equipment was three virtual machines provided by Microsoft for
the classroom course "2823: Implementing and Administering Security in a
Microsoft Windows Server 2003 Network". EFS is one topic of the course
and the combination of EFS and WebDAV is discussed.

However, our instructor changed the configuration of the Web Server the
day before so that the Web server required 128-bit encrypted
communication. When our instructor tried to show the advantages of
WebDAV later, he couldn't. When the file reached the server it was not
encrypted any more. It took a while to figure out that the https
connection was the reason for this behaviour. After we changed the
configuration of the Web server again the problem was gone and the file
was encrypted as expected.

Our instructor claimed this to be a bug in the operating system.
Although I cannot believe that, I wasn't able to get this working in the
classroom.

So far so good (or bad). Today I tried to reproduce the problem using
two virtual machines:

1. Windows XP Professional, Service Pack 2
- Member of the Active Directory domain
2. Windows Server 2003 Enterprise Edition, Service Pack 1
- Active Directory Server
- Internet Information Server
- WebDAV enabled
- Enterprise Root CA

I used the default settings whenever possible and didn't change any
GPO.

At the server I created a folder and shared it as Web Sharing (not a
normal Windows share) and allowed read, write and directory browsing
access. The NTFS permissions were set to read and write for domain
users.

I logged on to the client as a domain user and requested a certificate
(based on a version 1 template) for "Basic EFS". Then I created a
simple text document and encrypted the file. In Internet Explorer I
opened the shared folder as a WebDAV folder (using http) and copied the
encrypted file to the folder. This way it works.

So I requested and installed a Web Server certificate for the "Default
Web Site" and connected to the shared web folder again. This time I
used an https connection. Now the GUI looks more like Internet
Explorer than Windows Explorer. Also, the encrypted file was not
shown in green color. However, I can open the file but don't get any
useful information. The text is encrypted and the client doesn't
decrypt it. Now I stored a copy of the encrypted file in the WebDAV
folder. Checking the file at the server proves that the first text
document is encrypted and the second is not.

Going back to an http connection, the first text document is shown in
green, the second in black. Just to prove what is already obvious, I
log on as a different domain user and I'm able to open and read the
second document.

So what is wrong with my configuration?

- Jiriki
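
Added example, not part of the original posts: the server-side check described above (seeing which uploaded copy actually ended up EFS-encrypted on disk) can be scripted instead of relying on the green file names in Explorer. It assumes PowerShell 3.0 or later on the server; the folder path and the function name `Get-EfsState` are hypothetical.

```powershell
# Added example: list files in a WebDAV-published folder and flag those that
# are stored WITHOUT the NTFS "Encrypted" (EFS) attribute.
# The path below is a placeholder, not taken from the thread.
$WebFolderPath = 'C:\Inetpub\wwwroot\SharedDocs'

function Get-EfsState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # -Force includes hidden files; containers are skipped so that only
    # the uploaded documents themselves are reported.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $isEfs = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
            [pscustomobject]@{
                File          = $_.FullName
                EfsEncrypted  = $isEfs
                LastWriteTime = $_.LastWriteTime
            }
        }
}

$report = @(Get-EfsState -Path $WebFolderPath)

# Cleartext files sort first so they are the first thing an admin sees.
$report | Sort-Object EfsEncrypted, File | Format-Table -AutoSize

$clear = @($report | Where-Object { -not $_.EfsEncrypted })
if ($clear.Count -gt 0) {
    Write-Warning ("{0} of {1} file(s) are stored without EFS encryption." -f `
        $clear.Count, $report.Count)
}
```

Running it after an upload over http and again after an upload over https shows directly whether the second copy landed on the server in cleartext, and the `LastWriteTime` column helps match each file to the upload that produced it.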

