Re: Certificates, Keys, Mobile Users, Intended Usage

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/28/04


Date: Sun, 28 Nov 2004 18:57:29 GMT

One thing to consider would be to define a Recovery Agent for the domain as
part of Group/security policy that applies to all these computers. Windows
2000 requires an RA while XP Pro does not. The RA would be able to recover
any EFS files that have been created or accessed since the RA was defined.
The RA is computer policy and would apply to EFS files for domain and local
accounts. It still would be good practice to archive the private keys of the
users, just in case, if the data is extremely important. I would also highly
recommend that the mobile users use cached domain credentials to log on to
their computers, as their passwords will be safe that way; whereas if the
computer was stolen, an attacker could use a utility to crack the local
administrator account and then use a utility like LC5 to crack the local
user's password to gain access to the EFS files if the user's EFS private key
is still on the computer. As far as I know there is no way to do such for
cached credentials - just be sure that the users are forced to use complex
passwords.

XP Pro is much more secure than W2K for using EFS because an RA is not
required and resetting a user's password will not allow access to their EFS
files. Keep in mind that if there is a local RA on the computer, an
attacker may be able to use it to access a user's EFS files. So be sure to
check that the RA is working the way you expect it to. You can use the
efsinfo utility to see exactly which Recovery Agents and users can decrypt an
EFS file. The links below may help. --- Steve

http://labmice.techtarget.com/windows2000/FileMgmt/EFS.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

"William McIlroy" <WilliamMcIlroy@discussions.microsoft.com> wrote in
message news:CF29E81B-7C73-4668-82EF-F7EE664AF7A8@microsoft.com...
> I am trying to devise a plan whereby my client can safely use encrypting
> file system (EFS). Mobile computer users benefit from encrypting sensitive
> files. In the event the computer is stolen, the data does not enter the
> public domain. When mobile users return to the home office, they can use
> NTBACKUP to make backup copies of encrypted files, which remain encrypted
> in backup form. Were the computer lost, a new computer would be provided
> and sensitive files would be restored from backup (NTBACKUP). In order to
> be able to read the files, the mobile user would be required to provide a
> certificate and an associated private key. The point of my question has to
> do with the private key, which I know how to export and import. When on
> the road, should the mobile user always log on using his cached domain
> credentials so that the private key matches the private key that he would
> have at the home office when he is actually logged on to the domain? I
> assume that the user's private key when logged on to the domain is
> different from the private key that he has when he is logged on locally to
> his mobile computer. For recovery purposes, I suppose, the corporate
> system administrator should export the local logon private key and the
> domain logon private key of each mobile user and vault them to ensure the
> keys are available for decrypting backed up data. Is there some official
> Microsoft guidance on this?
> --
> William McIlroy
>
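Steve's advice to "check that the RA is working the way you expect it to" can be scripted. The following PowerShell audit is an added example, not part of the original thread: it walks a folder, finds EFS-encrypted files and reports any whose recovery field does not list the expected Recovery Agent certificate. It assumes cipher.exe with the /c switch (Windows XP and later) and its "Users who can decrypt:" / "Recovery Certificates:" / "Certificate thumbprint:" output headings, PowerShell 3 or later for Get-ChildItem -File, and a placeholder RA thumbprint that you replace with the one from your Group Policy.

```powershell
# Added example (not code from the original post). Audit EFS-encrypted files under $Path
# and flag files whose Data Recovery Field lacks the expected Recovery Agent.
param(
    [string]$Path = "C:\Users",
    # Placeholder: paste the RA certificate thumbprint published in Group Policy
    [string]$ExpectedRaThumbprint = "PLACEHOLDER-RA-THUMBPRINT"
)

function Get-EfsDecryptors {
    param([string]$File)
    # Parse 'cipher /c' output into user (DDF) and recovery agent (DRF) thumbprint lists.
    # Output headings assumed: "Users who can decrypt:", "Recovery Certificates:", "Key Information:".
    $section = $null
    $result  = @{ Users = @(); RecoveryAgents = @() }
    foreach ($line in (& cipher.exe /c $File 2>&1)) {
        $t = "$line".Trim()
        if ($t -like 'Users who can decrypt*') { $section = 'Users';          continue }
        if ($t -like 'Recovery Certificates*') { $section = 'RecoveryAgents'; continue }
        if ($t -like 'Key Information*')       { $section = $null;            continue }
        if ($section -and $t -match '^Certificate thumbprint:\s*(.+)$') {
            # cipher prints the thumbprint as space-separated hex groups; normalise for comparison
            $result[$section] += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    return $result
}

$expected  = ($ExpectedRaThumbprint -replace '\s', '').ToUpperInvariant()
$encrypted = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }

foreach ($f in $encrypted) {
    $info = Get-EfsDecryptors -File $f.FullName
    if ($info.RecoveryAgents -notcontains $expected) {
        # Files encrypted before the RA policy applied, or under a stale local RA, land here.
        # Opening them while logged on, or running 'cipher /u', re-applies the current RA.
        [pscustomobject]@{
            File           = $f.FullName
            Users          = ($info.Users -join ';')
            RecoveryAgents = ($info.RecoveryAgents -join ';')
        }
    }
}
```

A file that lists only a local RA, or no RA at all, is exactly the case Steve warns about: either the domain RA cannot recover it, or a local RA key left on a stolen laptop could.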


