Re: adding EFS Recovery agents - related question

From: D. Cross [MS] (vaq130@hotmail.com)
Date: 06/03/02


From: "D. Cross [MS]" <vaq130@hotmail.com>
Date: Mon, 3 Jun 2002 06:28:34 -0700


more information:

http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Eduard Koller [MS]" <ek107129@hotmail.com> wrote in message
news:3cf7ec85$1@news.microsoft.com...
> The EFS recovery certificate is not really user-based, but rather machine
> based. Basically, if a user has the private key, they can decrypt. If they
> haven't, they can't.
>
> If you move to WinXp or .Net servers, you can use cipher /R to get an EFS
> cert issued to the current user.
>
> Eddy Koller
> Public Key Security QA Team
> Microsoft Corporation
> --
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples, if any, is subject to the terms specified
> at http://www.microsoft.com/info/cpyright.htm
>
> "Andrew" <foo@bar.com> wrote in message
> news:uUKd#COCCHA.2072@tkmsftngp02...
> > OK, I did what you said and it appears that if a user installs the PFX
> > into their "personal" certificate store they are now recovery agents. The
> > only thing I don't like about the process is that the certificate still
> > says administrator, and the user is not listed under the recovery agents
> > in the security policies.
> >
> > Is this the best it can be without a domain and an Enterprise CA? I'm
> > not really complaining, I was just hoping for a manageable list of
> > recovery agents.
> >
> > Thanks,
> >
> > Andrew
> >
> > "Eduard Koller" <ek107129@hotmail.com> wrote in message
> > news:3cf7bbde$1@news.microsoft.com...
> > > Is your machine Win2k, or is it XP?
> > >
> > >  - On win2k, you already have an EFS recovery certificate for the
> > > Administrator. You can export that certificate to a .PFX (including
> > > the key), then to a .CER (with no key). Give the .PFX file to any user,
> > > and after they install it, they will be able to decrypt the files.
> > >  - On XP, you can use the command line tool cipher (with /R) to
> > > generate an EFS recovery agent key and certificate. Then, you hand the
> > > PFX to the user to install it, and add the contents of the .CER to the
> > > EFS recovery policy.
> > >
> > > Please let me know if this helps.
> > >
> > > Thanks,
> > >
> > > Eddy Koller
> > > Public Key Security QA Team
> > > Microsoft Corporation
> > >
> > > --
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > Use of included script samples, if any, is subject to the terms
> > > specified at http://www.microsoft.com/info/cpyright.htm
> > >
> > > "Andrew" <foo@bar.com> wrote in message
> > > news:O7H#EeMCCHA.1544@tkmsftngp02...
> > > > Has anyone had any luck or know how to add an EFS recovery agent on
> > > > a stand-alone machine. MS makes it sound easy, but doesn't go into
> > > > detail except for a domain model. If I try to add a recovery agent the
> > > > wizard prompts for an AD user or a cer file, but other users on the box
> > > > don't have this capacity in their certs.
> > > >
> > > > Enterprise CAs can issue this type of cert, but I think only to
> > > > domain accounts. I would like to add accounts other than the built in
> > > > admin as a recovery agent but I am beginning to think it is not
> > > > possible on a stand-alone machine.
> > > >
> > > > Thanks for any help,
> > > >
> > > > Andrew
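
Koller's XP procedure (cipher /R, hand the .PFX to the user, add the .CER to the recovery policy) leaves Andrew's question of who actually ends up with recovery capability, since the certificate subject and the policy listing do not tell you. The PowerShell below is an added example, not part of this thread or of Microsoft's tooling: it checks the files cipher /R produced for the "File Recovery" enhanced key usage, reports who can read the .PFX that holds the recovery private key, and lists which certificates in the current user's Personal store already carry that EKU. It assumes a later Windows with Windows PowerShell and the placeholder output path C:\dra\myagent.

```powershell
# Added example (not from the thread). Assumes cipher /R was run beforehand as
#   cipher /R:C:\dra\myagent        (placeholder path)
# producing C:\dra\myagent.cer (public cert) and C:\dra\myagent.pfx (private key).
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU

function Test-EfsRecoveryCert {
    # True when the certificate carries the File Recovery enhanced key usage,
    # which is what makes it usable as an EFS data recovery agent.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return $false }
    foreach ($oid in $ekuExt.EnhancedKeyUsages) {
        if ($oid.Value -eq $EfsRecoveryOid) { return $true }
    }
    return $false
}

# 1. The .cer (public half) is what gets added to the EFS recovery policy.
$cerPath = 'C:\dra\myagent.cer'   # placeholder
if (Test-Path $cerPath) {
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    "Subject                  : $($cer.Subject)"
    "Thumbprint               : $($cer.Thumbprint)"
    "File Recovery EKU present: $(Test-EfsRecoveryCert $cer)"
} else {
    "No .cer found at $cerPath"
}

# 2. The .pfx is the recovery private key: whoever can read it can decrypt every
#    file the agent covers, so check that its ACL is limited to the intended holder.
$pfxPath = 'C:\dra\myagent.pfx'   # placeholder
if (Test-Path $pfxPath) {
    $readers = (Get-Acl $pfxPath).Access | ForEach-Object { $_.IdentityReference }
    "PFX readable by          : " + ($readers -join ', ')
}

# 3. Certificates already installed for the current user that carry the recovery EKU.
#    HasPrivateKey = True means this account can decrypt as that agent, regardless of
#    the subject name shown on the certificate or what the policy snap-in lists.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-EfsRecoveryCert $_ } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```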

