Re: Certificates, Keys, Mobile Users, Intended Usage
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 11/28/04
- In reply to: William McIlroy: "Certificates, Keys, Mobile Users, Intended Usage"
Date: Sun, 28 Nov 2004 19:48:34 +0100
Hi William,
The option that you are thinking about uses self-signed EFS certificates. While
this is a valid option, you might want to set up your own CA server and deploy
EFS certificates from your own CA.

Users should always use their domain profile (even on the laptops while out
of the office). Using local accounts doesn't add anything to security, but
adds a lot to complexity and you lose manageability...

Still, with self-signed certificates, keys will probably be different on the
office PC and the laptop computer unless you create one key, export it, and
then import it to another computer.

Better than exporting the user's private key as backup is to set up DRA (Data
Recovery Agents) in the domain (and) or OUs. Users assigned the DRA role will
be able to decrypt any files encrypted by domain users that fall under the
policy where you set up DRA.

There could be a problem if you only rely on exported keys. E.g. a user by
mistake deletes his profile and with this profile he deletes his private
keys. After successful logon a new profile is created without any EFS keys
until the user tries to encrypt something. The operating system will detect
that there is no EFS certificate and it will generate a new one. Now you don't
have a backup for this EFS certificate while you are still able to decrypt
the files using DRA.

If you set up your own CA, you can archive the keys automatically.
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Very important with EFS implementation is to teach users to pick good --
hard to guess passwords. While private keys are encrypted in the user's profile,
in case the laptop is stolen and if I can easily guess the password I can
gain access to the profile and private keys and consequently to the files.
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Feel free to post back with any additional questions that you might have...
***
New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Key archival -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Mike
"William McIlroy" <WilliamMcIlroy@discussions.microsoft.com> wrote in
message news:CF29E81B-7C73-4668-82EF-F7EE664AF7A8@microsoft.com...
> I am trying to devise a plan whereby my client can safely use encrypting
> file system (EFS). Mobile computer users benefit from encrypting sensitive
> files. In the event the computer is stolen, the data does not enter the
> public domain. When mobile users return to the home office, they can use
> NTBACKUP to make backup copies of encrypted files, which remain encrypted
> in backup form. Were the computer lost, a new computer would be provided
> and sensitive files would be restored from backup (NTBACKUP). In order to
> be able to read the files, the mobile user would be required to provide a
> certificate and an associated private key. The point of my question has to
> do with the private key, which I know how to export and import. When on the
> road, should the mobile user always logon using his cached domain
> credentials so that the private key matches the private key that he would
> have at the home office when he is actually logged on to the domain? I
> assume that the user's private key when logged on to the domain is
> different from the private key that he has when he is logged on locally to
> his mobile computer. For recovery purposes, I suppose, the corporate system
> administrator should export the local logon private key and the domain
> logon private key of each mobile user and vault them to ensure the keys are
> available for decrypting backed up data. Is there some official Microsoft
> guidance on this?
> --
> William McIlroy
>
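
The situation described in the reply (a recreated profile quietly getting a new self-signed EFS certificate that nobody has backed up) can be spotted by listing the EFS certificates in a user's store. This is an added example, not part of the original post or of Microsoft's guidance; the function name and the sample file path are hypothetical, and comparing Subject with Issuer is only a heuristic for "self-signed".

```powershell
# Added example: read-only inventory of EFS certificates for the logged-on user.
# OID of the "Encrypting File System" enhanced key usage.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificateReport {   # hypothetical helper name
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $isEfs = $false
        # Look for the EFS usage in the certificate's EKU extension, if any.
        $ekuExts = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        foreach ($ext in $ekuExts) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $EfsOid) { $isEfs = $true }
            }
        }
        if ($isEfs) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Issuer        = $cert.Issuer
                # Heuristic: a self-signed certificate names itself as issuer.
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

$report = @(Get-EfsCertificateReport)
$report | Format-Table -AutoSize

foreach ($entry in $report) {
    if ($entry.SelfSigned) {
        # No CA means no automatic key archival: recovery depends on a manual
        # export of this key or on a Data Recovery Agent.
        Write-Warning "Self-signed EFS certificate $($entry.Thumbprint): no CA key archival."
    }
    if (-not $entry.HasPrivateKey) {
        Write-Warning "EFS certificate $($entry.Thumbprint) has no private key in this profile."
    }
}

# Show who can decrypt one encrypted file, including any recovery agents.
# The path is a constructed sample; replace it with a real encrypted file.
$sampleFile = 'C:\Users\Public\Documents\sample-encrypted.docx'
if (Test-Path -LiteralPath $sampleFile) { cipher.exe /c $sampleFile }
```

Run it in the user's own session on both the office PC and the laptop: differing thumbprints mean the two machines hold different keys.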