Students using encrytion

[Wildebeaste]

Hello folks.

I'm after some advice really.

Our head of ICT wants students to be able to encrypt files and folders on the school network. I think this is a **very** bad idea, as I absolutely don't want 'little Jonny' to be able to stash away his dodgy file collection on my servers.

At the moment I've said a big NO to this, that I (Network Manager) need to be able to access all the files on the network, i.e. have copies of any passwords or keys or be able to gain access. But he seems to think that they will fail their course without showing evidence of this.

How have others managed to deal with this thorny problem?

Advice gratefully received.

Ta.

[MGSTech]

Not a lot of help But I'm with you on this one!

So little Johnny stores his MP3, doggy JPG's etc in an encrypted file that nobody can access eh?
Absolutly not!

Steve

[Edu-IT]

But he seems to think that they will fail their course without showing evidence of this.

How about having a standalone machine which they can use for this purpose?

[ICTNUT]

I would ask to see where it says that they have to encrypt files, he may have just misunderstood what has been asked of him!

I personally cannot see how they can request files and folders be encrypted, what type of encryption method should be used, how do you prove the file is indeed encrypted, where is the evidence.

It's non workable

[SYNACK]

Umm, if they use the built in Windows EFS encryption and you have your domain setup right then the Administrator account or another account that you specify has rights to decrypt any encrypted files created by EFS as this account is also given an encryption key. This should satisfy their course requirements as they are using encryption of the same kind that would be used in an enterprise setting. It also follows the same rules as an enterprise setting where the administrator has the power to override the lockouts if it is nessisary for the best interests of the company, ie employee leaves, legal stuff etc.

[pete]

Isn't this more a case of they need to make a presentation / publisher document where they show (screen-shotted) the process of them encrypting a file for their coursework, rather than actually needing to encrypt something?

[Wildebeaste]

Thanks for the replies so far.

Domain EFS, PKI stores, Certificate authorities. That sounds like a lot of work!

Can anyone recommend a book or website (I'll try Microsoft in a moment) which goes into these topics?

Can the password option in Word/Office be turned off?

Muchas gracias!

[Heebeejeebee]

Some backup programs used to have difficulty with encrypted files. Not sure on the state of play with EFS though.

HBJB

[somabc]

Why should students not be allowed to encrypt their files if they so choose. There is nothing you can do to stop them.

If a student uses strong encryption such as truecrypt at home and brings in files for example. You will not be able to open them. The most you could do is try and delete them but then you have the problem of hidden drives / partitions and stenography. Basically there is nothing you can do and it is not your responsibility. If they are doing anything illegal it will be a police matter.

[tom_newton]

I second the idea of a standalone PC or PCs which are NOT network connected and contain a bunch of files and a bunch of crypto tools.

Could network connect the machine as long as you take steps to prevent the files entering or leaving. you definitely don't want encrypted files on your net, it could be anything in there.

[Michael]

I think this is a bad idea too. Aren't NTFS permissions enough?

[SYNACK]

Thanks for the replies so far.

Domain EFS, PKI stores, Certificate authorities. That sounds like a lot of work!

Can anyone recommend a book or website (I'll try Microsoft in a moment) which goes into these topics?

Can the password option in Word/Office be turned off?

Muchas gracias!

Here are some sites that may help in understanding the workings of EFS:
Encrypting File System - Wikipedia, the free encyclopedia
http://www.microsoft.com/technet/pro....mspx?mfr=true
Microsoft Corporation
Microsoft Corporation
Encrypting File System (EFS) &middot Tutorial 2000Trainers.com

You should be able to turn off the password protected save mode by using the group policy ADM extensions for your version of Office (2007 or 2003)

I think this is a bad idea too. Aren't NTFS permissions enough?

NTFS permissions are stupidly easy to either take ownership of or simply ignore in most situations if you can get access to the files via an OS which you control. When it comes to file security it is like using a padlock, it will only keep out the honest people, the ones who are out to get the data will find ways around it easily.

[Hightower]

We had a one last year.... "The pupils need to access hotmail for their coursework"

Hotmail, along with 90% of MSN features are blocked. Everyone knows, full stop.

[bossman]

I am sorry but the criteria is to create a document which is password protected, we have been doing this for a couple of years.

I would say a big no to students having encrypted files on the network.

[Wildebeaste]

Why should students not be allowed to encrypt their files if they so choose. There is nothing you can do to stop them.

If a student uses strong encryption such as truecrypt at home and brings in files for example. You will not be able to open them. The most you could do is try and delete them but then you have the problem of hidden drives / partitions and stenography. Basically there is nothing you can do and it is not your responsibility. If they are doing anything illegal it will be a police matter.

As a Network Manager or responsible person, it is part of the job to know what is being stored on your network (as far as reasonably practicable) as it can impinge on you. Students can encrypt whatever they like on their own computers, but they will NOT do whatever they like on the school network.

If I cannot get into a folder or file, then they won't because it will quickly be an ex-file.