EFS Questions


Howard

I've been reading up on EFS, but still have many questions. If anyone
knows the answer, I'd appreciate their help!

My set-up: Win2K with AD environment (CA is present). I made myself
the file recovery agent (FRA). The Domain Group Policy lists my
certificate as the recovery agent and has the "no override" switch so
local policies can't interfere with Domain policies. My account is
part of the Domain Administrators Group.

Questions:

1. If someone encrypts files on their local computer (in a domain
based environment) and later needs to be decrypted by the FRA,
Microsoft recommends backing up the encrypted file/directory, and then
restoring it to my own computer (since my private key as the FRA is on
my local machine). Then I'm able to decrypt the files. Can I just
map a drive to the other person's computer and decrypt? Do I have to
backup and restore? Why not just copy or move - or better still, map
a drive and decrypt remotely?

2. EFS on a file server: Let's say someone encrypts their shared
drive on a file server. Can I decrypt it if I map a drive?

3. Can my recovery agent certificate be copied and installed to
multiple computers? (ya, I know the security risks) For example, I
use two computers right next to each other. I'd like to be able to
decrypt from either PC. Can I export (without deleting keys) and then
import to another computer?

4. The FRA can view and decrypt other people's encrypted files. If
they just view it, will the user know? In our company, the HR Dept.
and Execs don't even want the administrators to have access to their
files. Will EFS give them peace of mind knowing that if the FRA
decrypts or views their files, they will know about it? After all,
pretty much any domain admin can add themselves as the File Recovery
Agents.

Thanks,

Howard
 
1. that would require that the remote computer be trusted for delegation
and that the DRA have a roaming user profile. EFS:
http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

2. same answer as above

3. yes, you can do this. EFS:
http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

4. you would have to enable file object access auditing - that is about the
only way.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com
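
The file object access auditing mentioned in answer 4, sketched as an added example that is not part of the original thread or any poster's own code. It assumes a current Windows release with PowerShell and `auditpol` rather than the Win2K domain discussed above; the folder path and account name are hypothetical.

```powershell
# Added example: record when the recovery agent account reads files in a
# protected folder, then report those reads from the Security log.
# Run from an elevated session. Values below are hypothetical placeholders.
$Folder  = 'D:\Shares\HR'        # hypothetical folder holding EFS-encrypted files
$Account = 'CONTOSO\howard'      # hypothetical recovery agent (DRA) account

# 1. Enable success auditing for file system object access on this machine.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry: log successful reads by the DRA account,
#    inherited by every file and subfolder under $Folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
            -ArgumentList $Account, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Report object access events (ID 4663) that touched files under a folder.
function Get-FolderReadEvents {
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten the event's named EventData fields into a hashtable.
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.ObjectName -like "$Path\*") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    File    = $data.ObjectName
                    Process = $data.ProcessName
                }
            }
        }
}

Get-FolderReadEvents -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```

The events show that the account opened a file for reading; they do not say whether the content was decrypted with the user's key or the recovery key, so review them alongside who holds the DRA private key.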

 
I know it sounds confusing, but when the files exist on a remote machine,
the encryption/decryption is always performed on the remote machine, even if
you have a mapped drive. Hence the requirement that the remote machine be
trusted for delegation and that you have a RUP that contains the DRA key and
cert.

Refer back to this whitepaper:
http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Howard said:
David, thank you for your response to all my questions. However, I'm
still confused about question #1.

Let's say I'm the designated DRA for a Win2K Domain. My file recovery
certificate and keys are on my local machine. If a user encrypts a
file on their own local computer - or on a shared drive on a file
server, could I decrypt by just mapping a drive from my local machine
(where my cert is installed) to either the file server or the user's
local machine (where the encrypted files are located) and decrypt? Or
do I HAVE TO back-up their encrypted files and restore it to my own
local machine in order to decrypt? Can I just copy or move the files
to my own local computer instead of using back-up and restore (yes, I
have NTFS on my local machine as well)?

I believe your response of using roaming profiles applies only if I
(as the DRA) use other computers to decrypt files. My question is
that I'll use my own local machine, I just want to map a drive to
other machines - and not sure if this would work.

Thanks for your help,

Howard

1. that would require that the remote computer be trusted for delegation
and that the DRA have a roaming user profile. EFS:

My original question:
 