Re: EFS
From: Danny Sanders (Danny.Sanders@cpcmed.org)
Date: 02/05/03
From: "Danny Sanders" <Danny.Sanders@cpcmed.org> Date: Wed, 5 Feb 2003 08:32:15 -0700
Thanks I will give that a try.
DDS
"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:A0S%9.166284$6G4.17379@sccrnsc02...
> Hi Danny. The recovery agent private key also needs to be exported for
> backup purposes in case of a disaster that causes it to be lost on the
> computer. Probably more important in your case it needs to be
> exported/deleted. If it remains on the laptop and someone steals it, then
> they could use a program to crack the local administrator account/password.
> After that they could log on as local administrator and be able to decrypt
> any encrypted file from any user that was created since that recovery key
> became the recovery agent. Instead of using secpol.msc did you try to export
> it from a mmc console using the certificate snapin for the user while logged
> on as local administrator?? If nothing works you could try creating a new
> recovery certificate/private key by using the latest cipher utility with the
> /r switch. The one that comes with XP Pro allows you to do this and works on
> W2K. Of course the new key pair would not work on files already encrypted.
> You could decrypt existing files, delete existing recovery certificate/key
> from certificate store and remove it from local security policy/public key
> policies/encrypted file system as recovery agent. Then you could log on as
> local administrator and create new recovery key pair, install key pair to
> certificate store (click on/install .pfx file created and check make private
> key exportable), add it as recovery agent via local security policy to where
> you deleted the old one - use add/search folder for .cer file created while
> making new certificate with cipher /r. After doing that and rebooting you
> could have users use efs to encrypt their files again. Your new recovery key
> should now be exportable and work as recovery agent for files encrypted
> since it was enabled as recovery agent. Of course backup and test all this
> out for yourself before implementing. Also be sure to delete the files
> created using cipher /r when you are done with them so that they are not a
> security risk. Good luck. --- Steve
>
>
> "Danny Sanders" <Danny.Sanders@cpcmed.org> wrote in message
> news:e#jxY39yCHA.616@TK2MSFTNGP11...
> > If I understand EFS correctly, one should export the private key along with
> > the certificate for recovery purposes. I'm only trying to set up EFS locally
> > on a couple of laptops that leave the office with sensitive data.
> > What are the ramifications of not exporting the private key?
> >
> > Using the secpol.msc to export the certificate does not allow me to choose
> > the private key.
> > According to this article:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;259732
> >
> > this is because the local administrators account was overwritten with
> > another user's profile. Well this account was renamed but not overwritten.
> >
> > What are my options?
> >
> > TIA
> > DDS
> >
> >
>
>
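
The condition described in the quoted reply, a recovery agent private key left in the certificate store on the laptop, can be checked after the export/delete step. The script below is an added example, not part of the original thread; it assumes Windows PowerShell with its Cert: drive and that it is run while logged on as the recovery agent account. The function name Get-EfsRecoveryCert is hypothetical.

```powershell
# Added example (not from the thread): list EFS recovery certificates in a
# certificate store and flag any whose private key is still on this machine.
# Assumption: run as the recovery agent account (the local administrator in
# the thread), so Cert:\CurrentUser\My is that account's personal store.

# Enhanced Key Usage OID for "File Recovery" (EFS recovery agent certificates)
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryCert {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My'))

    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }

        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_

            # Collect the EKU OIDs carried by this certificate, if any
            $oids = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }

            if ($oids -contains $FileRecoveryOid) {
                New-Object PSObject -Property @{
                    Store         = $path
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

$found  = @(Get-EfsRecoveryCert)
$atRisk = @($found | Where-Object { $_.HasPrivateKey })

$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} recovery certificate(s) still have a private key on this machine. Export to offline media, then delete the key from the store." -f $atRisk.Count)
} else {
    Write-Output 'No recovery agent private key found in the checked store(s).'
}
```

A certificate listed with HasPrivateKey set to False is the expected state on a laptop once the key pair has been exported and the private key deleted: the public certificate remains so files can be encrypted to it.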