A user who has permissions to change the folder attributes can now change the folder encryption attribute (821737)
The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SUMMARY

In Microsoft Windows, the Windows shell (Explorer.exe) handles the encryption attribute of a folder. This article describes the differences between the way that Microsoft Windows 2000 handles the encryption attribute of a folder and the way that Microsoft Windows XP (and later) handles the encryption attribute of a folder.

MORE INFORMATION

In Microsoft Windows 2000, only the user who holds a valid decryption or recovery key and who set the encryption attribute of a folder (the Encrypt contents to secure data check box in the Properties of the folder) can remove that attribute.

In Microsoft Windows XP and later (for example, Windows Server 2003), a design change that more accurately reflects the underlying file system permits any user who has permission to change the attributes of the folder to clear the Encrypt contents to secure data check box in the folder properties. By default, the Write Attributes permission for a folder is granted to Creator Owner, Administrators, and System, or is inherited from the parent folder.

In the Encrypting File System (EFS), folders are not encrypted. Only the files contained in the folders are encrypted. The Encrypt contents to secure data check box in the folder's properties only sets an attribute of the folder (FILE_ATTRIBUTE_ENCRYPTED) that informs the file system that EFS must encrypt any file created in this folder.

Because the Encrypt contents to secure data check box is just an attribute of a folder, the correct behavior of the operating system is to permit a user who has permission to change the attributes of a folder to change this check box. When a user with the Write Attributes permission removes the encryption attribute of a folder, none of the existing files in the folder that were encrypted by another user are decrypted. Only the attribute of the folder is changed.

To emulate the behavior of Windows 2000 in Windows XP and later, you can deny the Write Attributes permission to users who do not hold a valid decryption or recovery key for the folder. To do this, follow these steps:
  1. Right-click Start, and then click Explore.
  2. Locate and right-click the folder whose permissions you want to change.
  3. Click Sharing and Security, click the Security tab, and then click Advanced.
  4. In the Permission entries: window, click to select the account whose permissions you want to modify, and then click Edit.
  5. In the Permission entry for foldername window, click to select Deny next to Write Attributes, and then click OK.
  6. Click Apply, and then click OK.
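The following PowerShell script is an added example, not part of this article: it shows that the folder's FILE_ATTRIBUTE_ENCRYPTED flag and the encryption of the files inside it are separate (clearing the folder attribute with cipher.exe /D leaves the files encrypted), and it applies the Deny Write Attributes entry from steps 1 through 6 with Set-Acl. The folder path C:\Secure and the account CONTOSO\auditor are placeholders.

```powershell
# Added example (not part of KB 821737): inspect the EFS state of a folder and
# its files, then emulate the Windows 2000 behaviour by denying Write Attributes.
# Requires an NTFS volume; the folder path and account name are placeholders.

function Get-EfsState {
    param([Parameter(Mandatory)][string]$Path)
    $enc = [System.IO.FileAttributes]::Encrypted
    # The folder's own FILE_ATTRIBUTE_ENCRYPTED flag: this is all that the
    # "Encrypt contents to secure data" check box sets on a directory.
    $folder = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Item      = $folder.FullName
        Type      = 'Folder'
        Encrypted = (($folder.Attributes -band $enc) -eq $enc)
    }
    # Each file carries its own flag and its own EFS key material, so files
    # stay encrypted even after the folder attribute has been cleared.
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Item      = $_.FullName
            Type      = 'File'
            Encrypted = (($_.Attributes -band $enc) -eq $enc)
        }
    }
}

function Deny-WriteAttributes {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'DOMAIN\user' or a group
    )
    # Same effect as steps 1-6 in the article: an explicit Deny ACE for
    # Write Attributes that is inherited by subfolders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::WriteAttributes,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder values): show the state, clear only the folder attribute
# (cipher /D without /A does not touch the files), show the state again, then
# lock the attribute down for an account that has no key to the files.
$Folder = 'C:\Secure'
Get-EfsState -Path $Folder | Format-Table -AutoSize
cipher.exe /D $Folder
Get-EfsState -Path $Folder | Format-Table -AutoSize
Deny-WriteAttributes -Path $Folder -Identity 'CONTOSO\auditor'
```

Because the Deny entry covers the whole Write Attributes right, the affected accounts can no longer change other attributes of the folder (for example Read-only or Hidden) either, which is worth confirming with the users concerned before rolling it out.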
For more information about the Encrypting File System (EFS), visit the following Microsoft Web sites:

Modification Type: Major    Last Reviewed: 7/12/2006
Keywords: kbinfo KB821737 kbAudEndUser kbAudITPRO