mikesmithlonergan
Following on the heels of the recent release of the EFS Assistant
shared-source tool, I am proud to announce the release of another tool
to smooth the path for reliable recovery of EFS'd files:
EFS Certificate Configuration Updater (http://www.codeplex.com/EFSCertUpdater/)
__Why should you care?__
- You'll be interested if you're using EFS, and
- You've tried to make sure that you (or your users) are using the EFS
certificate that was archived (with its private key) in your Microsoft
Certificate Server.
__What difference will it make?__
- When users need to recover access to *ALL* their EFS'd files, and
- When you want to make the process as fast and painless for the users
as possible
- The copy of the user's archived EFS keys that you extract from your
Certificate Server should be (almost) guaranteed to decrypt all the
user's encrypted files.
There are a number of my customers who expressed concerns that even if
they did everything right - enabling Autoenrollment policy, creating
"version 2" certificate templates for use with EFS, automatically
archiving the user's EFS keypair at enrollment time - there's still no
guarantee that the user's PCs were actually *using* those archived EFS
keys to encrypt files.
Most of the time it works fine, but they told me they'd seen cases
where:
- users had once tried using EFS, and abandoned it later, but the new
EFS certificate didn't replace the pre-existing (non-archived) EFS
certificate, so all files continued to be encrypted with an
unrecoverable key
- users had encrypted files before the PKI was in place, then upgraded
their certificate, but their existing encrypted files weren't updated
to be encrypted with the new keys
No, I'm not trying to panic anyone - like I said, this affects a small
fraction of the user population in most wide-scale EFS deployments.
However, it's an issue I've heard over and over again, and this tool
should help folks get on with their deployments.
__How does it work?__
- The tool works strictly at the command line - it presents no UI
- It searches through all the EFS certificates the user has in their
personal certificate store (aka the "MY store")
- It keeps searching until it finds a certificate that (a) is still
valid, (b) is not self-signed, (c) has an associated private key, and
(d) has the EFS EKU
- Once it identifies a suitable certificate, it checks whether that is
the currently-configured certificate; if not, then it updates the
CertificateHash registry setting and quits
- Oh, and it generates a log file of its activity
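The selection logic described above, written out as an added PowerShell example so an administrator can check a user's EFS configuration before (or instead of) running the tool. This is not the EFS Certificate Configuration Updater's own code. It assumes two Windows details the post does not spell out: the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, and that CertificateHash is a REG_BINARY SHA-1 thumbprint under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys. By default it only reports; it writes the registry value only when run with -Apply.

```powershell
# Added example, not the EFSCertUpdater project's code: apply the four
# selection criteria from the post to the user's MY store and compare the
# result with the configured EFS CertificateHash. Read-only unless -Apply.
# Assumptions (not stated in the post): EFS EKU OID and registry key path below.
param(
    [switch]$Apply
)

$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # assumed: Encrypting File System EKU
$EfsKeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'  # assumed

function Test-EfsEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Criterion (d): the certificate carries the EFS Enhanced Key Usage.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsCandidates {
    # Criteria (a) valid today, (b) not self-signed (Subject -ne Issuer is a
    # heuristic; a chain build is stricter), (c) private key present, (d) EFS EKU.
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Subject -ne $_.Issuer -and
        $_.HasPrivateKey -and
        (Test-EfsEku -Cert $_)
    }
}

function Get-ConfiguredEfsThumbprint {
    # CertificateHash is stored as raw SHA-1 bytes; render it like Thumbprint.
    $item = Get-ItemProperty -Path $EfsKeyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return (($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function ConvertTo-ThumbprintBytes {
    param([string]$Thumbprint)
    [byte[]]$bytes = for ($i = 0; $i -lt $Thumbprint.Length; $i += 2) {
        [Convert]::ToByte($Thumbprint.Substring($i, 2), 16)
    }
    return $bytes
}

$candidates = @(Get-EfsCandidates)
if ($candidates.Count -eq 0) {
    Write-Warning 'No EFS certificate in the MY store meets all four criteria.'
    exit 1
}
if ($candidates.Count -gt 1) {
    Write-Warning ("{0} candidates found; taking the first one." -f $candidates.Count)
}
$chosen     = $candidates[0]
$configured = Get-ConfiguredEfsThumbprint
$shown      = if ($configured) { $configured } else { '<none>' }

"Chosen    : {0}  ({1}, expires {2:d})" -f $chosen.Thumbprint, $chosen.Subject, $chosen.NotAfter
"Configured: {0}" -f $shown

if ($configured -eq $chosen.Thumbprint) {
    'CertificateHash already points at the chosen certificate; nothing to do.'
} elseif ($Apply) {
    if (-not (Test-Path $EfsKeyPath)) { New-Item -Path $EfsKeyPath -Force | Out-Null }
    Set-ItemProperty -Path $EfsKeyPath -Name CertificateHash `
        -Value (ConvertTo-ThumbprintBytes $chosen.Thumbprint) -Type Binary
    'CertificateHash updated to the chosen certificate.'
} else {
    'Mismatch: re-run with -Apply to update CertificateHash (export the key first).'
}
```

Run it as the affected user with ordinary rights, since the store and key are both per-user. Note that, like the tool, this changes only which certificate is used for files encrypted from now on; files already encrypted under the old key still need to be re-keyed separately before the archived key can recover them.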
__What does it require?__
- .NET 2.0
- XP or Vista (only been tested on XP so far)
- It doesn't require Admin rights, but I bet it'd barf if it ran under
DropMyRights
__How often would I have to use this tool?__
- In theory, once
- All you really need is to get the user *off* their self-signed
certificate, and encrypting with the v2 certificate
- From there, Autoenrollment should be able to keep renewing EFS
certificates with no failures - unless the user's PC is off the
company network for months at a time
__What's next for the EFS Cert Updater?__
- Do some further robustness testing to see if there are any
circumstances under which non-v2 EFS certs could be selected
- Add a command-line parameter to specify an exact Certificate
Template from which the selected EFS cert must be enrolled
- Enable a capability to archive (i.e. hide) all other EFS
certificates except the selected one
- Add capability to write to the Application Event Log
- Enable a capability to select the "best" EFS certificate if multiple
are found
Please browse the web site, leave some feedback or questions, and give
it a spin. All assistance is greatly appreciated.
Cheers,
Mike Smith-Lonergan
http://www.codeplex.com/EFSCertUpdater
http://paranoidmike.blogspot.com/