Users without File Share Encryption can create files in File Share protected network shares


Article ID: 221659

Products

File Share Encryption

Issue/Introduction

Users who do not have Encryption Desktop installed on their machines with File Share Encryption enabled can create files in File Share protected network shares.

This can result in the File Share protected network shares containing a mixture of encrypted and unencrypted files.

Environment

Symantec Encryption Desktop 10.5 and above.

Resolution

File Share Encryption does not affect shared folder security permissions. If a user has the necessary security permissions over a shared folder they can create files within that folder regardless of whether the folder is protected by File Share Encryption.

Broadcom recommends the following:

  1. Only grant modify permissions to folders protected with File Share Encryption to users who have Encryption Desktop with File Share Encryption enabled on their machines.
  2. When users are issued with new machines, try to ensure that if they require File Share Encryption then it is installed as part of the build process.
  3. Educate users that if they find they cannot open a file stored in a File Share protected folder because the file appears to be corrupt, then they need to ensure that they have Encryption Desktop with File Share Encryption installed and running. 

From time to time it is advisable to audit the files stored in folders protected by File Share Encryption. The pgpnetshare.exe utility can be used to do this:

  • From the command prompt, change directory to "C:\Program Files (x86)\PGP Corporation\PGP Desktop".
  • Run the following command where folder1 is protected by File Share Encryption:

        pgpnetshare -v --verbose z:\share\folder1

  • In the above example, pgpnetshare will generate a warning like this if a file is unencrypted:

        Warning: Is unencrypted [z:\share\folder1\confidential.docx]
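
One way to automate this audit, as an added PowerShell example that is not part of the Broadcom article or product: it runs the command shown above, extracts each unencrypted path from the warning lines, and records the file owner and last write time so the result can be compared against who holds modify permissions. The report path, the -Demo switch and the sample paths are assumptions made for illustration.

```powershell
# Added example (not Broadcom's code). Default paths are the ones shown in the article.
param(
    [string]$Folder = 'z:\share\folder1',
    [string]$PgpDir = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop',
    [string]$Report = (Join-Path $env:TEMP 'fileshare-unencrypted.csv'),  # assumed location
    [switch]$Demo   # parse the constructed sample below instead of running the tool
)

function Get-UnencryptedPath {
    # Return the bracketed path from every "Warning: Is unencrypted [...]" line.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Warning: Is unencrypted \[(.+)\]\s*$') { $Matches[1] }
    }
}

if ($Demo) {
    # Constructed sample output; only the warning format comes from the article.
    $output = @(
        'Warning: Is unencrypted [z:\share\folder1\confidential.docx]',
        'Warning: Is unencrypted [z:\share\folder1\hr\notes [draft].txt]'
    )
} else {
    $exe = Join-Path $PgpDir 'pgpnetshare.exe'
    if (-not (Test-Path -LiteralPath $exe)) { throw "pgpnetshare.exe not found in $PgpDir" }
    # Same command as the article; 2>&1 keeps warnings whichever stream they are written to.
    $output = & $exe -v --verbose $Folder 2>&1 | ForEach-Object { "$_" }
}

$findings = @(foreach ($path in Get-UnencryptedPath -Lines $output) {
    # Owner and timestamp hint at who wrote the file and when; empty if the file is gone.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path          = $path
        Owner         = if ($item) { (Get-Acl -LiteralPath $path).Owner }
        LastWriteTime = if ($item) { $item.LastWriteTime }
    }
})

if ($findings.Count -gt 0) {
    $findings | Export-Csv -LiteralPath $Report -NoTypeInformation
    Write-Warning "$($findings.Count) unencrypted file(s) under $Folder; see $Report"
    exit 1   # non-zero exit lets a scheduled task or monitor raise an alert
}
Write-Output "No unencrypted files reported under $Folder"
```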