Certificates, Keys, Mobile Users, Intended Usage

Guest

I am trying to devise a plan whereby my client can safely use encrypting file
system (EFS). Mobile computer users benefit from encrypting sensitive files.
In the event the computer is stolen, the data does not enter the public
domain. When mobile users return to the home office, they can use NTBACKUP
to make backup copies of encrypted files, which remain encrypted in backup
form. Were the computer lost, a new computer would be provided and sensitive
files would be restored from backup (NTBACKUP). In order to be able to read
the files, the mobile user would be required to provide a certificate and an
associated private key. The point of my question has to do with the private
key, which I know how to export and import. When on the road, should the
mobile user always log on using his cached domain credentials so that the
private key matches the private key that he would have at the home office
when he is actually logged on to the domain? I assume that the user's
private key when logged on to the domain is different from the private key
that he has when he is logged on locally to his mobile computer. For
recovery purposes, I suppose, the corporate system administrator should
export the local logon private key and the domain logon private key of each
mobile user and vault them to ensure the keys are available for decrypting
backed up data. Is there some official Microsoft guidance on this?
 
Hi William,

The option that you are thinking about uses self-signed EFS certificates. While this is
a valid option, you might want to set up your own CA server and deploy EFS
certificates from your own CA.

Users should always use their domain profile (even on the laptops while out
of the office). Using local accounts doesn't add anything to security, but
adds a lot to complexity and you lose manageability...
Still, with self-signed certificates the keys will probably be different on the
office PC and the laptop computer unless you create one key, export it and
then import it on another computer.

Better than exporting the user's private key as backup is to set up DRAs (Data
Recovery Agents) in the domain and/or OUs. Users assigned the DRA role will be
able to decrypt any files encrypted by domain users that fall under the
policy where you set up the DRA.
There could be a problem if you only rely on exported keys. E.g. the user by
mistake deletes his profile and with this profile he deletes his private
keys. After a successful logon a new profile is created without any EFS keys
until the user tries to encrypt something. The operating system will detect that
there is no EFS certificate and it will generate a new one. Now you don't
have a backup for this EFS certificate, while you are still able to decrypt
the files using the DRA.
If you set up your own CA, you can archive the keys automatically.

EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Very important with an EFS implementation is to teach users to pick good,
hard-to-guess passwords. While private keys are encrypted in the user's profile,
in case the laptop is stolen, if I can easily guess the password I can
gain access to the profile and private keys and consequently to the files.

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Feel free to post back with any additional questions that you might have...

***

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Key archival -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Mike
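The two safeguards Mike describes, vaulting the user's exported EFS key and adding a DRA through Group Policy, can be scripted. The following is an added example, not code from the thread or from Microsoft: it assumes Windows PowerShell 5.1 or later with the PKI module (for Export-PfxCertificate) and cipher.exe, and the function names, the vault directory and the DRA file name are illustrative choices.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell with the PKI module
# and cipher.exe; the vault path and DRA base name below are placeholders.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # EFS certificates (self-signed or CA-issued) in the user's personal store whose
    # private key is present. A profile that was wiped and recreated shows a new,
    # different thumbprint here, which is the case Mike warns about.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
        }
}

function Backup-EfsCertificate {
    # Exports every EFS certificate together with its private key to a password-protected PFX.
    param(
        [Parameter(Mandatory)][string]$OutputDir,
        [Parameter(Mandatory)][securestring]$Password
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    foreach ($cert in Get-EfsCertificate) {
        $file = Join-Path $OutputDir ("efs-{0}-{1}.pfx" -f $env:USERNAME, $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
        Write-Output $file
    }
}

function Test-EfsCertificateBackedUp {
    # Compares the thumbprints currently in the store with the PFX files already vaulted,
    # so a regenerated key is noticed before it is the only key that opens new files.
    param([Parameter(Mandatory)][string]$BackupDir)
    $vaulted = Get-ChildItem -Path $BackupDir -Filter '*.pfx' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.BaseName -split '-')[-1] }
    foreach ($cert in Get-EfsCertificate) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            BackedUp   = ($vaulted -contains $cert.Thumbprint)
        }
    }
}

function New-DraCertificate {
    # "cipher /r" writes <BaseName>.cer (public half; import it in the GPO under
    # Computer Configuration > Policies > Windows Settings > Security Settings >
    # Public Key Policies > Encrypting File System > Add Data Recovery Agent) and
    # <BaseName>.pfx (the DRA private key; vault it offline, never leave it on a laptop).
    # cipher.exe prompts for the PFX password itself.
    param([Parameter(Mandatory)][string]$BaseName)
    & cipher.exe /r:$BaseName
    Get-Item -Path "$BaseName.cer", "$BaseName.pfx"
}

# Usage (placeholder paths):
# $pw = Read-Host -AsSecureString 'PFX password'
# Backup-EfsCertificate -OutputDir 'D:\efs-vault' -Password $pw
# Test-EfsCertificateBackedUp -BackupDir 'D:\efs-vault'
# New-DraCertificate -BaseName 'corp-efs-dra'
```

Run the backup and the check as the user whose files are at stake (the Cert:\CurrentUser store is per profile); the DRA generation is a one-off done by the administrator, after which the .pfx must leave the machine.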
 
One thing to consider would be to define a Recovery Agent for the domain as
part of the Group/security policy that applies to all these computers. Windows
2000 requires an RA while XP Pro does not. The RA would be able to recover
any EFS files that have been created or accessed since the RA was defined.
The RA is computer policy and would apply to EFS files for domain and local
accounts. It still would be good practice to archive the private keys of the
users just in case, if the data is extremely important. I would also highly
recommend that the mobile users use cached domain credentials to log on to
their computers, as their passwords will be safe that way, whereas if the
computer was stolen an attacker could use a utility to crack the local
administrator account and then use a utility like LC5 to crack the local
user's password to gain access to the EFS files if the user's EFS private key
is still on the computer. As far as I know there is no way to do such for
cached credentials - just be sure that the users are forced to use complex
passwords.

XP Pro is much more secure than W2K for using EFS because an RA is not
required and resetting a user's password will not allow access to their EFS
files. Keep in mind that if there is a local RA on the computer, an
attacker may be able to use it to access a user's EFS files. So be sure to
check that the RA is working the way you expect it to. You can use the
efsinfo utility to see exactly which Recovery Agents and users can decrypt an
EFS file. The links below may help. --- Steve

http://labmice.techtarget.com/windows2000/FileMgmt/EFS.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
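Steve's advice to verify which recovery agents can actually open each file can be automated. The following is an added example, not code from the thread: it uses "cipher /c" (available on Windows XP SP2 and later; on Windows 2000 the resource-kit efsinfo.exe tool gives the same information) and assumes its output contains a "Users who can decrypt:" section and a "Recovery Certificates:" section, each listing "Certificate thumbprint:" lines, as current Windows versions print. The function names and the expected DRA thumbprint are illustrative.

```powershell
# Added example (not from the thread). Assumes cipher.exe and the "cipher /c" output
# layout described in the lead-in; function names are illustrative.

function Get-EncryptedFile {
    # Enumerates files carrying the NTFS Encrypted attribute under a root folder.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

function Get-EfsAccess {
    # Parses "cipher /c <file>" into the user and recovery-agent thumbprints that can decrypt it.
    param([Parameter(Mandatory)][string]$Path)
    $users   = New-Object System.Collections.Generic.List[string]
    $agents  = New-Object System.Collections.Generic.List[string]
    $section = $null
    $lines = & cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" }
    foreach ($line in $lines) {
        switch -Regex ($line) {
            'Users who can decrypt' { $section = 'user' }
            'Recovery Certificates' { $section = 'agent' }
            'thumbprint:\s*(.+)$' {
                $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                if ($section -eq 'user')  { $users.Add($tp) }
                if ($section -eq 'agent') { $agents.Add($tp) }
            }
        }
    }
    [pscustomobject]@{
        Path           = $Path
        Users          = $users.ToArray()
        RecoveryAgents = $agents.ToArray()
    }
}

function Test-DraCoverage {
    # Reports every encrypted file whose recovery field does not name the expected DRA.
    # Files encrypted before the RA policy arrived keep their old recovery field until
    # they are rewritten, which is why such files show up here even with the GPO in place.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ExpectedDraThumbprint
    )
    $expected = ($ExpectedDraThumbprint -replace '\s', '').ToUpperInvariant()
    foreach ($f in Get-EncryptedFile -Root $Root) {
        $access = Get-EfsAccess -Path $f.FullName
        if ($access.RecoveryAgents -notcontains $expected) {
            [pscustomobject]@{
                Path           = $f.FullName
                Users          = ($access.Users -join ',')
                RecoveryAgents = ($access.RecoveryAgents -join ',')
            }
        }
    }
}

function Update-EfsRecoveryField {
    # "cipher /u" touches every encrypted file on the local drives and rewrites the
    # user key and recovery fields with the current certificate and DRA. Run it as the
    # user who owns the files; it takes no path argument and walks all local volumes.
    & cipher.exe /u
}

# Usage (placeholder thumbprint):
# Test-DraCoverage -Root 'C:\Users\jdoe\Documents' -ExpectedDraThumbprint 'AB12...'
# Update-EfsRecoveryField
# Test-DraCoverage -Root 'C:\Users\jdoe\Documents' -ExpectedDraThumbprint 'AB12...'
```

A file listed by Test-DraCoverage after the update still ran is one the current user cannot open (cipher /u only re-stamps files it can decrypt), which is exactly the case where the vaulted user key or the DRA key is needed.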
 