Re: Cannot add accounts to EFS, cannot create a recovery agent
From: *Vanguard* (no-email_at_post-reply-in-newsgroup.invalid)
Date: 04/13/04
- Next message: Philippe POLO: "Changing networkprinter"
- Previous message: Philip Herlihy: "Re: SVCHOST hogging CPU - no viruses found"
- In reply to: Brian Komar : "Re: Cannot add accounts to EFS, cannot create a recovery agent"
- Next in thread: *Vanguard*: "Re: Cannot add accounts to EFS, cannot create a recovery agent"
- Reply: *Vanguard*: "Re: Cannot add accounts to EFS, cannot create a recovery agent"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 13 Apr 2004 04:28:55 -0500
"Brian Komar" said in
news:MPG.1ae528f582822d439896c7@msnews.microsoft.com:
> You need to use the correct certificates. You are working with EFS
> encryption certificates not recovery certificates.
>
> Under Windows XP, run "cipher /r:recovery"
>
> This will create two files recovery.pfx (with the private key needed
> for recovery) and recovery.cer, which is the file you designate as
> the EFS recovery agent.
>
> I also recommend that you read the EFS whitepaper, as you have several
> errors in your understanding of how EFS works.
>
> Encrypting File System in Windows XP and Windows Server 2003
> (www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx)
>
> And the following KB articles:
> 308991: HOW TO: Share Access to an Encrypted File in Windows XP
> 313365: HOW TO: Configure a Domain EFS Recovery Policy in Windows 2000
> 324897: HOW TO: Manage the Encrypting File System in Windows Server 2003
>
> Brian
Thanks for the info. If my understanding is flawed, well, that's
because the help is punctuated with references that it doesn't provide
links to and misleading information; i.e., my understanding is a
reflection of the provided help.
When you read the Windows XP included help, it describes how to add a
recovery agent. It doesn't say how to create one; i.e., it doesn't tell
you how to create the File Recovery certificate needed for use in its
one-sided description on importing one when defining a DRA (data
recovery agent). A search on "recovery agent" never tells you about
using "cipher /r:<filename>". For example,
ITS:C:\WINDOWS\Help\encrypt.chm::/encrypt_recovery_overview.htm says,
"Each recovery agent has a special certificate" but doesn't tell you how
to create it.
I noticed when looking at the Certificates snap-in under "Certificates
(Local Computer)", I see 2 certificates listed that both say Issued To
"|" (yep, a single vertical bar), Issued By "|", and with a Subject of
"|". Oh, yeah, like that's informative and indicative of a good
certificate. These are both enabled to support 31 purposes of which
Encrypting File System and File Recovery are included.
By the way, KB article 308991 plus looking in Help (which mostly just
refers to this KB article) regarding how to share *access* to the
contents of an EFS-protected file does NOT work for me. As mentioned,
the Details button is grayed out so there is no way for me to add more
accounts to permit access. So, if I encrypt a file then I am the only
one allowed to access its contents. Under Windows 2000, I was able to
also add Administrator and/or any other account that I wanted to share
access but keep private to only those accounts. The dialog looks just
like the one shown at
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#XSLTsection125121120120
that to which you referred. Notice the Details button is disabled. I
have long exited the Properties dialog and reentered it (many times) and
I have yet to see the Details button become enabled. I have also tried
to disable EFS (on all subfolders and files, too) and then reenable EFS
and still the Details button is always grayed out. "Also, additional
users may not be added until the file has been encrypted by the first
user." Okay, so I've encrypted it. I've exited Properties, reentered
Properties, click Advanced, and still the Details button is disabled.
Administrator *is* listed under the Trusted People category for
certificates yet the Details button is still disabled.
In your first link, it makes statements like, "The default recovery
policy is configured locally for standalone computers." It then
describes how to manually use the cipher command to create the necessary
File Recovery certificate to use for a DRA (data recovery agent) but
neglects to tell you that this must be done while logged in under each
account for which you want to make a DRA. Microsoft couldn't put this
in the included Help?
Also, this is one of the articles from Microsoft that tell you to switch
from AES to FIPS to harden encryption. Doing such will render it
impossible to connect to most SSL secured web sites (see my post at
http://snipurl.com/5o7s). Yet another Microsoft recommendation that can
screw you royal.
--
____________________________________________________________
*** Post replies to newsgroup. Share with others. ***
Email: domain = ".com" and append "=news=" to Subject.
____________________________________________________________
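Brian's point that an EFS encryption certificate is not a recovery certificate comes down to the Enhanced Key Usage (EKU) on the certificate: a data recovery agent needs the File Recovery EKU, which `cipher /r:` puts on the generated recovery.cer. The following PowerShell is an added example, not code from either poster, that lists the certificates in the personal stores and classifies them by EKU, and checks whether a given .cer file qualifies as a DRA certificate; the store paths and file path are assumptions.

```powershell
# Added example: tell EFS encryption certificates apart from File Recovery (DRA)
# certificates by their EKU OIDs. Both OIDs are Microsoft-defined and public.
$EfsOid          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent)

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Enumerate the personal stores (paths are assumptions) and report each cert's role.
function Get-EfsCertificateRoles {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $oids = Get-CertEkuOids -Cert $_
            [pscustomobject]@{
                Store          = $path
                Subject        = $_.Subject          # an odd or empty subject shows up here
                Thumbprint     = $_.Thumbprint
                HasPrivateKey  = $_.HasPrivateKey     # needed to actually decrypt/recover
                IsEfs          = $oids -contains $EfsOid
                IsFileRecovery = $oids -contains $FileRecoveryOid
                EkuCount       = $oids.Count
            }
        }
    }
}

# Check a .cer produced by "cipher /r:<name>" before designating it as the DRA:
# the Add Recovery Agent wizard only accepts a certificate carrying the File Recovery EKU.
function Test-RecoveryAgentCert {
    param([Parameter(Mandatory)][string]$Path)  # e.g. .\recovery.cer (assumed path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $Path)
    $oids = Get-CertEkuOids -Cert $cert
    [pscustomobject]@{
        Subject        = $cert.Subject
        IsFileRecovery = $oids -contains $FileRecoveryOid
        IsEfsOnly      = ($oids -contains $EfsOid) -and -not ($oids -contains $FileRecoveryOid)
    }
}

Get-EfsCertificateRoles | Format-Table -AutoSize
```

Run `Test-RecoveryAgentCert -Path .\recovery.cer` after `cipher /r:recovery`; a result with IsEfsOnly set to True is the mistake described in the thread, where a user's own EFS certificate is offered as a recovery agent.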