EFS - setting up Recovery Agent

  • Thread starter Thread starter barabba
  • Start date Start date
B

barabba

Hi all,

I have another question re the EFS Recovery Agent.

I need to use EFS in a specific server that belongs to a Windows 2k
domain. This domain (which uses a PKI - users logon to their XP
stations using smart cards)has an EFS policy using the default domain
administrator (Administrator).

Unfortunately, when I tried as a test to encrypt a file the system
denies to do so. Upon investigating, I found out that the
Administrator certificate for EFS purposes has already expired.

My questions at this point are:

1- can I define a local EFS policy for that particular server, using
cipher.exe utility allowing me to bypass the domain policy ?

2- how should I proceed in order to renew the expired certificate in
order to "repair" the domain wide EFS policy ? In my opinion, I should
proceed as follows but I would like a confirmation from someone how is
more knowlegeable about this issue:

a- setup in AD a domain account to be designated as Recovery Agent (or
use an existing one)
b- logon to a workstation using this account
c- create recovery key pair using cypher /r
d- import the certificate into the account's personal store (should I
select the .cer file or the pfx file ?)
e- add the recovery agent in the domain EFS policy

Thank you very much for your time !
Bar
 
Your situation is a little unusual, so I hope D Cross picks up
your posting. As I replied to your prior thread, the reference
for EFS is
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
although this is W2k3 specific now.

One thing I do not understand is how the DRA EFS cert is
expired as the default is to create it to be valid for 100 years.

On your 2), that would be how to get things working, but I am
concerned that this would invalidate recovery of earlier encrypted
files (such as on backups) until they are re-encryped/touched by
their owners.
 
If you are sure about the integrity of the EFS Recovery Agents private key,
then have that RA logon to the computer where the certificate/private key is
and have him use the certificates mmc snapin for user and find his RA
certificate in the personal folder and request that it be renewed using the
same private key. I don't recommend configuring a different RA at the local
level [which can be done] as that can cause problems down the road. ---
Steve
 
From what I have seen the RA requested from a CA expires in two years. The
100 years must be for a self signed certificate?? A certificate issued from
a CA can never have a lifetime longer then the CA's certificate life.---
Steve
 
Yes, you are right Steve, the 100 years I noted is for self-signed
in absence of an enterprise CA.
 
Back
Top