RE: EFS rollout using Active Directory



You can implement EFS on systems running Windows 2000 and Windows XP Professional Edition. Windows 95/98, Windows Millennium Edition, and Windows XP Home Edition do not support EFS.

Before implementing EFS to protect your corporate data, you need to create a recovery key. Make sure you keep a backup copy of the Encrypted Recovery Agent (ERA); this is your insurance policy to decrypt files throughout your domain.

Stand-alone workstations generate their own public key certificate that you can use for EFS. However, in a domain environment, you'll need to create an ERA before enabling EFS. After creating the ERA, back it up to a media format that you can protect under lock and key.

To create an ERA, follow these steps:


1. Go to Start | Programs | Administrative Tools | Active Directory Users And Computers. (If you have a stand-alone system, go to Start | Control Panel | Administrative Tools | Local Security Policy, and skip to Step 4.)
2. Right-click your domain, and select Properties.
3. On the Group Policy tab, select the Default Domain Policy, and click the Edit button.
4. Go to Computer Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents.
5. Right-click the policy, and select New | Encrypted Recovery Agent.
6. Use the wizard to add the recovery agent certificates to the policy.
7. After creating the certificate, right-click the certificate, select Export, and use the Certificate Export Wizard to export your certificate to some other physically securable media (e.g., CD, floppy, etc.).

After the policy refreshes, all users on your domain will be able to safely encrypt the contents of their files or folders.

Encrypting a file or folder is relatively easy. Follow these steps:


1. In Windows Explorer, right-click the file or folder you want to encrypt, and select Properties.
2. In the Encrypted Files Properties dialog box, click Advanced on the General tab.
3. Select the Encrypt Contents To Secure Data check box, and click OK twice.

Make sure you have a copy of your users' certificates to use for emergency decryption in the event of workstation rebuilds.

Keep in mind that you can't encrypt compressed files or folders. Marking a file or folder for encryption will automatically uncompress the file or folder. In addition, copying or moving a file to a non-NTFS volume will automatically decrypt it.

Final thoughts

It's a good idea to implement EFS in phases after your users have a certificate and you have a good backup copy of that certificate locked in a drawer.

You can expect your biggest boost in security to come when you implement EFS for laptop users. If a user loses a laptop, but he or she encrypted data with the domain account, that data will remain secure.

-----Original Message-----
From: Larry [mailto:larry.chin@xxxxxxxxxxxx]
Sent: 26 April 2006 03:28 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: EFS rollout using Active Directory

Greetings:
 
Does anyone have a procedure for implementing Microsoft EFS using Active Directory?
 
I have to roll EFS out to 2000+ laptops and would like to implement using
Active Directory, but I don't have a lot of experience with AD.
 
Thanks
 
/LC
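The same procedure the reply above walks through in the GUI (create and back up the recovery agent key, encrypt a folder, verify, back up the user's own certificate), as an added example using the built-in cipher.exe that is not part of the original thread. The paths C:\ERA and D:\Confidential and the user name alice are placeholders; the policy import itself (steps 4 to 6 of the reply) is still done in the Group Policy editor.

```powershell
# Added example, not from the thread: command-line equivalents of the GUI steps.
# Run from an elevated prompt on a Windows 2000 / XP Professional workstation.

# 1. Generate a recovery agent certificate (.cer) and private key (.pfx).
#    The .cer is what you add to the Default Domain Policy under
#    Public Key Policies > Encrypted Data Recovery Agents.
#    The .pfx is the actual recovery key: move it to offline media, then remove
#    it from the machine so no online copy of the recovery key exists.
cipher.exe /r:C:\ERA\EFSRecovery

# 2. Import the .cer into the policy in the GUI, then refresh policy on a client
#    instead of waiting for the normal refresh interval.
#    Windows XP:
gpupdate.exe /target:computer /force
#    Windows 2000 (no gpupdate):  secedit /refreshpolicy machine_policy /enforce

# 3. Encrypt a folder on an NTFS volume, plus all files and subfolders already
#    in it (/s). Marking the folder makes new files in it encrypted as well.
#    Compressed files are uncompressed as a side effect, as the reply notes.
cipher.exe /e /s:D:\Confidential

# 4. Verify: with no switches, cipher lists each entry as E (encrypted) or
#    U (unencrypted); /s walks the tree recursively.
cipher.exe /s:D:\Confidential

# 5. Back up the logged-on user's EFS certificate and private key to a .pfx
#    (cipher /x exists from Windows XP SP2 onward; on older builds export it
#    from the Certificates MMC snap-in instead). Store it offline with the ERA.
cipher.exe /x:C:\ERA\alice-efs-backup

# 6. Moving an encrypted file to a non-NTFS volume silently decrypts it; the
#    safe way to copy encrypted data around is to a second NTFS location.
Copy-Item -Path D:\Confidential\plan.doc -Destination E:\NtfsBackup\plan.doc
```

Test the recovery path once before the rollout: encrypt a file as a test user, log on as the recovery agent with the .pfx imported, confirm `cipher.exe /d` on that file succeeds, then remove the imported key again.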


