Re: EFS
From: Steven L Umbach (n9rou@attbi.com)
Date: 02/04/03
- Next message: Jeff Cochran: "Re: patches"
- Previous message: Stacey K.: "How do I break into a Win2000 PC"
- In reply to: Danny Sanders: "EFS"
- Next in thread: Danny Sanders: "Re: EFS"
- Reply: Danny Sanders: "Re: EFS"
From: "Steven L Umbach" <n9rou@attbi.com> Date: Tue, 04 Feb 2003 16:38:56 GMT
Hi Danny. The recovery agent private key also needs to be exported for backup purposes in case of a disaster that causes it to be lost on the computer. Probably more important in your case, it needs to be exported/deleted. If it remains on the laptop and someone steals it, then they could use a program to crack the local administrator account/password. After that they could log on as local administrator and be able to decrypt any encrypted file from any user that was created since that recovery key became the recovery agent.

Instead of using secpol.msc, did you try to export it from an MMC console using the certificate snap-in for the user while logged on as local administrator? If nothing works you could try creating a new recovery certificate/private key by using the latest cipher utility with the /r switch. The one that comes with XP Pro allows you to do this and works on W2K. Of course the new key pair would not work on files already encrypted.

You could decrypt existing files, delete the existing recovery certificate/key from the certificate store and remove it from Local Security Policy/Public Key Policies/Encrypted File System as recovery agent. Then you could log on as local administrator and create a new recovery key pair, install the key pair to the certificate store (click on/install the .pfx file created and check "make private key exportable"), and add it as recovery agent via Local Security Policy where you deleted the old one - use Add/search folder for the .cer file created while making the new certificate with cipher /r. After doing that and rebooting you could have users use EFS to encrypt their files again. Your new recovery key should now be exportable and work as recovery agent for files encrypted since it was enabled as recovery agent.

Of course, back up and test all this out for yourself before implementing. Also be sure to delete the files created using cipher /r when you are done with them so that they are not a security risk. Good luck.

--- Steve
"Danny Sanders" <Danny.Sanders@cpcmed.org> wrote in message news:e#jxY39yCHA.616@TK2MSFTNGP11...
> If I understand EFS correctly, one should export the private key along with the certificate for recovery purposes. I'm only trying to set up EFS locally on a couple of laptops that leave the office with sensitive data.
> What are the ramifications of not exporting the private key?
>
> Using the secpol.msc to export the certificate does not allow me to choose the private key.
> According to this article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;259732
>
> this is because the local administrators account was overwritten with another user's profile. Well, this account was renamed but not overwritten.
>
> What are my options?
>
> TIA
> DDS
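The "export, then delete" step Steve describes, as an added example that is not part of the original thread: it finds recovery agent certificates (Microsoft "File Recovery" EKU) that still carry a private key in the current user's Personal store, backs each one up to a password-protected .pfx, and only then removes the certificate and key from the laptop. It assumes a Windows PowerShell 3+ host with the PKI module (Export-PfxCertificate); the backup directory and password are constructed for illustration, and on W2K/XP the same steps are done through the certificate snap-in as the post says.

```powershell
# Added example (not code from the original post): back up and remove
# EFS recovery agent private keys from this machine's user store.
param(
    [Parameter(Mandatory)][SecureString]$BackupPassword,
    [string]$BackupDir = 'D:\dra-backup'   # constructed: removable media, not the laptop disk
)

# OID of the Microsoft "File Recovery" EKU carried by EFS recovery agent certificates.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCert {
    # Only certificates whose private key is present matter: a stolen laptop
    # that holds this key can decrypt every user's EFS files.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $fileRecoveryOid)
    }
}

$dra = @(Get-EfsRecoveryAgentCert)
if ($dra.Count -eq 0) {
    Write-Host 'No recovery agent private key found in Cert:\CurrentUser\My.'
    return
}

foreach ($cert in $dra) {
    $pfx = Join-Path $BackupDir "dra-$($cert.Thumbprint).pfx"

    # Export-PfxCertificate throws if the key was imported non-exportable
    # (the situation the original poster hit), so the script stops here
    # instead of deleting a key that has no backup.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $BackupPassword | Out-Null

    # Backup exists: remove the certificate and its private key from the laptop.
    Remove-Item -Path $cert.PSPath -DeleteKey
    Write-Host "Exported $($cert.Thumbprint) to $pfx and removed it from the local store."
}
```

Keep the .pfx offline; the .cer alone can stay in Local Security Policy as the recovery agent, since encryption only needs the public key.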