NTFS Settings and Permissions

To make things easier, a user should set a folder to use encryption, and then save all security-sensitive files to this folder. This will automatically encrypt the files, and avoid the user having to encrypt files individually. To encrypt a number of files at once, consider using the command-line tool Cipher.exe, which does bulk encryption using the parameters (including wildcards) that you specify. Other important things you should know about EFS:

  • If a user attempts to open (or copy) a file encrypted by another user, they will receive an ‘Access Denied’ message.
  • If the user who encrypts the file moves it to a non-NTFS volume, the file will no longer be encrypted.
  • EFS is strictly file-system (not transport) encryption. If you encrypt a file on a server and then open it on your workstation, the file moves across the network unencrypted.
  • When you move an unencrypted file into an encrypted folder, it does not become encrypted (retains attribute). However, when you copy an unencrypted file into an encrypted folder, it will be encrypted (inherits attribute).

As far as compression is concerned, you still need to know what happens when you copy or move compressed files within and between volumes. The list below outlines what happens to the compression attribute on a file in the different scenarios. Remember, both copying and moving a file to a FAT or FAT32 volume results in all compression settings being lost. Incidentally, you can also use the items below to describe what happens to NTFS permissions when a file is moved or copied to a folder.

  • Copy a File Within Same NTFS Volume = Inherits Compression attribute of target folder
  • Copy a File Between NTFS Volumes = Inherits Compression attribute of target folder
  • Move a File Within Same NTFS Volume = Retains Compression attribute
  • Move a File Between NTFS Volumes = Inherits Compression attribute of target folder

Next, let's explore NTFS permissions. Although many concepts remain similar to those in NT 4.0, some of the implementation details have changed. NTFS permissions are still cumulative in nature. That is, if multiple permissions apply to you, the combination of permissions is your effective permission. If you were given Read access to a folder as a member of Sales, and Modify on the same folder as a member of Managers, your effective permission would be Modify. There is an exception, of course. Any permissions that are explicitly denied always override those explicitly allowed.
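The cumulative rule and the deny exception described above can be modelled in a few lines. This is an added example, not code from the original article or from Windows itself: the rights are reduced to five illustrative bits, the Sales and Managers groups come from the text, and the user name and the Deny entry are constructed for the demonstration.

```python
from enum import IntFlag
from typing import Iterable, NamedTuple


class Right(IntFlag):
    """Simplified stand-ins for NTFS rights (assumption, not the real access mask)."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMISSIONS = 16


# Standard permissions expressed as bundles of the simplified rights above.
READ = Right.READ
MODIFY = Right.READ | Right.WRITE | Right.EXECUTE | Right.DELETE
FULL_CONTROL = MODIFY | Right.CHANGE_PERMISSIONS


class Ace(NamedTuple):
    trustee: str   # user or group the entry applies to
    allow: bool    # True = Allow entry, False = Deny entry
    rights: Right


def effective_rights(memberships: Iterable[str], acl: Iterable[Ace]) -> Right:
    """Union of every Allow entry that applies, minus every Deny entry that applies."""
    members = set(memberships)
    allowed = Right(0)
    denied = Right(0)
    for ace in acl:
        if ace.trustee not in members:
            continue  # entry is for someone else
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied  # an explicit Deny always wins over an Allow


# Constructed sample: a user who belongs to both groups from the text.
DANA = {"dana", "Sales", "Managers"}
FOLDER_ACL = [Ace("Sales", True, READ), Ace("Managers", True, MODIFY)]
# Same folder with a constructed Deny Write entry added for Sales.
FOLDER_ACL_DENY = FOLDER_ACL + [Ace("Sales", False, Right.WRITE)]

if __name__ == "__main__":
    print(effective_rights(DANA, FOLDER_ACL))
    print(effective_rights(DANA, FOLDER_ACL_DENY))
```

With the Deny entry in place, the user loses Write even though the Managers entry grants Modify, which is why Deny entries on broad groups need care.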

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.