Securing offline files
Written on January 31, 2007 – 7:33 pm | by Sahmeepee
Let me start by saying, “Aaaaaargh!”. Now, on with the esoteric technorant!
I’ve spent nearly a day’s effort trying to get offline files to encrypt as they are supposed to in Windows XP. The advantage of doing this is that any data which has synchronised to a laptop from your network is protected when the laptop is offsite. Even removing the hard drive and connecting it up to another computer won’t yield access to the offline files. The only sure way of getting access to the files is to get the user’s password.
It seems that the only way to get the encryption of offline files working is to manually log on to each laptop as an administrator and turn the option on:
Windows Explorer > Tools > Folder Options > Offline Files tab > Encrypt offline files to secure data (tick)
This works quite nicely thank you and when connecting to \\testcomputer\c$\windows\CSC (the real location of your offline files) the files all show up with green filenames – cryptography applied! Unfortunately, doing that on each of 100 laptops sounds like as much fun as a Daniel O’Donnell concert and undoubtedly longer. I also have my doubts about whether the laptops would Ghost nicely afterwards.
Luckily there is a Group Policy setting at:
Computer Configuration > Admin Templates > Network > Offline Files > Encrypt the Offline Files Cache
(enabled|disabled|not configured)
On the downside, the setting doesn’t work. At all. In fact, all it does is grey out the Encrypt offline files to secure data checkbox in the Windows XP GUI. I have verified that even with the above GPO setting in place and the testcomputer’s Resultant Set of Policy (rsop.msc) report showing as much, the files on disk are not encrypted at all.
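As an added check that is not part of the original post: a PowerShell audit script that reads the value the GPO writes and then counts the files under the CSC cache that actually carry the NTFS Encrypted attribute (the “green filenames”), so the policy report and the disk can be compared on every laptop instead of trusting rsop.msc. It assumes the value name EncryptCache under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache (what the Offline Files ADM template writes; confirm on your build) and PowerShell 2.0 or later; point $CscPath at \\laptop\c$\windows\CSC to audit a remote cache (the registry check then still reflects the machine you run it on).

```powershell
# Added audit example (not from the post): compare the "Encrypt the Offline Files
# cache" policy state with what is really on disk in the CSC directory.
param(
    [string]$CscPath = "$env:SystemRoot\CSC",   # or \\laptop\c$\windows\CSC
    [string]$ComputerName = $env:COMPUTERNAME
)

# 1. Policy state as written to the registry by the ADM template.
#    Assumption: DWORD EncryptCache under ...\Windows\NetCache, 1 = enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
$policy = Get-ItemProperty -Path $policyKey -Name EncryptCache -ErrorAction SilentlyContinue
if ($null -eq $policy)               { $policyState = 'not configured' }
elseif ($policy.EncryptCache -eq 1)  { $policyState = 'enabled' }
else                                 { $policyState = 'disabled' }

# 2. Reality on disk. CSC is a hidden system directory, hence -Force; @() keeps
#    .Count correct when only one file (or none) comes back.
$files = @(Get-ChildItem -Path $CscPath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })

$encryptedFlag = [IO.FileAttributes]::Encrypted
$encrypted   = @($files | Where-Object { ($_.Attributes -band $encryptedFlag) -ne 0 })
$unencrypted = @($files | Where-Object { ($_.Attributes -band $encryptedFlag) -eq 0 })

# 3. Summary. Policy 'enabled' together with a non-zero UnencryptedFiles count
#    is exactly the symptom described above: the GPO applied, the data did not.
New-Object PSObject -Property @{
    Computer         = $ComputerName
    PolicyState      = $policyState
    TotalFiles       = $files.Count
    EncryptedFiles   = $encrypted.Count
    UnencryptedFiles = $unencrypted.Count
    PolicyEffective  = ($policyState -eq 'enabled' -and $files.Count -gt 0 -and $unencrypted.Count -eq 0)
}

# List the first plaintext offenders so they can be followed up per laptop.
$unencrypted | Select-Object -First 20 FullName, Length, LastWriteTime
```

Run it once per laptop (for example from a logon or startup script that writes the summary to a share) and the fleet-wide gap between “policy enabled” and “cache encrypted” becomes a single table rather than a hundred manual inspections.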
There are several reports on the web from people suffering the identical problem, but seemingly none with a satisfactory resolution. Suggested resolutions include:
Make sure the first user to log on after the policy is put in place is a member of the Administrators group:
Tried it, made no difference.
Reset the offline files cache:
Windows Explorer > Tools > Folder Options > Offline Files tab > Ctrl+Shift+Click on Delete Files…
Tried it, the client-side cache was reset, but the encryption problem was unaffected.
Contact Microsoft Product Support Services for proof that the data is encrypted:
Ahem, no. I can prove that it isn’t with only a few minutes work and zero cost.
Make sure the partition is NTFS:
Yup!
And not compressed:
Nope!
Try applying the fix from MS KB810859 (The “Encrypt the Offline Files cache” Group Policy setting does not take effect when a user logs on to a Windows XP-based computer):
I don’t get the event specified in the event logs so it doesn’t seem to be relevant. I’m also using an admin account which should prevent the scenario described. On top of that you need to contact PSS for the fix, apply it to each of your workstations (not via WSUS) and then do some rather nasty looking ADSIedit manoeuvres! Nopety nope.
Quite a crap effort there, Microsoft! Maybe if I just use Vista instead…