RE: Decrypt File

From: Jason Normanton (netprouk_at_netprouk.com)
Date: 05/17/03

    To: <guanghuyang@yahoo.com.cn>
    Date: Sat, 17 May 2003 20:45:43 +0100
    
    

    Hi guys,

    There is a way around this with EFS if you have "accidentally"
    reinstalled the machine without saving the recovery agent. I
    have had to save lots of data this way:

    For a non domain or domain member system:

    1. If the O/S has been re-installed, re-boot the machine into safe mode.
    2. In the properties for the encrypted data, re-assign the new local admin
       account certificate to the files as the recovery agent and take
       ownership of the files.
    3. Reboot the machine as normal; the data will now be recoverable from
       the admin account.

    Regards,

    Jason Normanton
    Senior Consultant (Directory Services Security)
    http://www.Netprouk.com

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: 15 May 2003 20:22
    To: 'James Yang'; security-basics@securityfocus.com

    > -----Original Message-----
    > From: James Yang [mailto:guanghuyang@yahoo.com.cn]
    > Sent: May 14, 2003 20:39
    > To: security-basics@securityfocus.com
    > Subject: Decrypt File
    >
    > My system had a problem yesterday. I backed up my files
    > and then reinstalled my W2K system. After I copied back my
    > files I found I couldn't open the encrypted files. How
    > can I open them? Could anyone give me a tip? Thanks.

      I'm assuming that by "encrypted" you mean you've been using
    EFS (Encrypted File System), and that by "reinstalled" you mean
    something like "did a clean format and brand new installation".

      EFS files can be decrypted and re-encrypted by the owner, or
    decrypted (only) by a designated recovery agent -- by default,
    the administrator account.
      If you did a clean installation, the new installation has its
    own administrator account and (probably) personal account for
    you. None of the accounts from the previous installation exists
    any more.

      I recommend, when people ask me, that EFS only be used in a
    *domain* context. That way, the default recovery agent is the
    domain administrator account, which will survive reinstalls of
    individual client machines, and even (if there are multiple
    domain controllers) reinstalls of any single domain controller.
      I do not recommend its use on single stand-alone machines,
    because if neither the owner nor recovery agent account exists
    any more, your third alternative is to try to convince the FBI
    that Al Qaeda has hidden data in your encrypted files -- allegedly
    they've cracked EFS (although I suspect that what they actually
    did in Afghanistan was crack the administrator password, and that
    won't help you now).

    David Gillett
