21. EFS with remote files Client side encryption Local EFS encryption [Keys and certificates live on the client] Client connects to remote server share SMB protocol No need to enable Trust For Delegation Encrypted file sent to server File Share
33. But...there’s more than Technology... All must enter through electronic mantrap Fence ends here Sign says, “road is for cars only”
34.
35. Technology comparison BDE EFS RMS Encryption AES 128 (RSA32.LIB) AES 128 (Crypt32.DLL) AES 128 (Crypt32.DLL) Data Awareness Blocks Files App defined; docs/email Master Key TPM + SW Identity, Dongle, File SW, Smart-card Obfuscated SW (lockbox) Content Key Same as root key Same as root key Server Protects What? Windows and Data Directories and Files Documents (including use) Protects Who? Machine Owner, User Users Document Owners Protection Local, removable media Local, removable media, remote Remote, removable media Who is god? Local admin, net admin Local admin, net admin Document owner, RMS admin Supports other security systems? Yes Yes (ISV’s only) No (RMS is a security platform for applications) Data Recovery Mechanism Dongle, File, Network; Manual Key Entry Local or AD based policy RMS server policy Killer Client Scenario Lost or Stolen laptop Multi-user PC Protected Document Sharing Killer Server Scenario Branch-Office Server Protect Documents on File Shares from Admin RMS support in Sharepoint and Exchange Killer Admin Scenario Just switch it on. (also Force Recovery) My Documents encrypted by default Establish corporate information policy