Re: EFS master key recovery in AD environment

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 04/15/03 

From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Mon, 14 Apr 2003 18:37:03 -0400

As I understand it, in a domain environment whomever controls the Domain
Recovery Agent ID can recover any encrypted files in the domain. By default
the DRA is the ADMIN ID that promoted the domain. Additionally the
administrators could add any other recovery agent ID's (and certs) they
wanted and then any files encrypted from that point on would be decryptable
via those agents as well. 

--
Joe Richards
www.joeware.net
---
"Rob Willis" <rob_willis@ev1.net> wrote in message
news:8647aa45.0304140826.49334fde@posting.google.com...
> I've found lots of information regarding how the master key is
> protected from a malicious administrator in a workgroup.  Basically,
> an admin changing the users password then logging on as that user
> won't give them access to EFS encrypted files because they can't get
> to the master key since it was encrypted with some combination of
> things including the users password.
>
> But what about in an AD environment?  The Win2K resource kit says
> there is also a backup/restore form of the master key stored so that
> it can be recovered if an admin resets the password.  Does this mean
> that an admin can change a users password, logon to that users
> computer, and access EFS encrypted files?  My testing shows that yes,
> they can.  Not very good.
>
> If so, how is EFS supposed to protect against a malicious admin?
>
> And is this behavior the same on Win2K and WinXP clients?
>
> Any info or insight would be greatly appreciated.
>
> Thanks!
> Rob

Relevant Pages

  • Re: EFS master key recovery in AD environment
    ... etc.W2K requires a efs recovery agent to encrypt files while XP does not. ... The only real way to protect encrypted files would be to use a W2K/XP ... > an admin changing the users password then logging on as that user ...
    (microsoft.public.win2000.security)
  • Re: where to get a recover agent certificate
    ... Export a certificate with the private key ... Importing and exporting certificates ... I want to have a Recovery Agent. ... > Currently, I have NO recovery agents listed on any of my encrypted files, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: NTFS encryption problem
    ... To ensure that dormant encrypted files can be recovered, ... >maintain archives of the recovery agent certificates and private keys. ...
    (microsoft.public.security)
  • where to get a recover agent certificate
    ... When I was upgrading from XP Home to XP Pro, I changed my password on my ... Well, when I run the Add Recovery Agent Wizard, it asks for a certificate, ... Currently, I have NO recovery agents listed on any of my encrypted files, ... Until I can though, I backed up my efs certificate, which is something I ...
    (microsoft.public.windowsxp.security_admin)
  • Re: NTFS encryption problem
    ... This *might* be an issue with EFS dormancy? ... "Maintaining Archives of Recovery Keys For EFS encrypted files, ... maintain archives of the recovery agent certificates and private keys. ...
    (microsoft.public.security)