Re: bug with efs on server 2003



Inline...

"Goldorak-Go" <Goldorak-Go@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:6DC969F8-18AB-429C-AD2E-B6BD48E377AC@xxxxxxxxxxxxxxxx
Hi,
I can speak French or English.
My trouble is the following.

I want to use efs on my domain, so I have created an efs self-signed
certificate for a recovery agent for the domain with the command Cipher /r.
This efs self-signed certificate is valid for 100 years.
I have imported this certificate in the policy of the domain and replicated
the policy with the "Active directory site and services" snap-in.

Now I want to encrypt a folder on a member server. Before doing that I have
just forced this server to apply the domain policy by typing the command
GPUPDATE /force and rebooted the server.

[bk] This is good, you have applied the recovery policy then.

I have created a user which is called "BABY" on the domain. This user will
serve to encrypt my folder.
So when I encrypt the folder a new certificate and a private key are created
for this user.

[bk] As expected. Since you do not mention a PKI, I have to assume it is self-signed.

I don't want the private key to stay on the local server, so I have exported
the certificate and the private key together in a *.PFX file and I've asked to
delete the private key locally during this export.

[bk] Big mistake. Since you have removed the certificate, the next encryption attempt will generate a new certificate. Also, the user has lost access to the previously encrypted file.

Now there is only the certificate of the user "BABY" profile on the local
machine. The private key has been removed as expected.

[bk] Mistake.

My problem is the following: when I add a new file to the existing encrypted
directory, the user "BABY" gets a new certificate and a new private key.
I try to think that this behaviour is not normal.
Can someone help me please ???
[bk] This is expected. How did you expect EFS to protect the new FEK created for the newly encrypted file?
Please read the whitepaper on how EFS works available at www.microsoft.com/pki


My infrastructure is based on Windows server 2003 R2 standard edition. I
have not updated the servers for the moment with any patches.

thanks a lot ....
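The failure mode in this thread is visible from the user's certificate store: after the PFX export with "delete the private key", the EFS certificate is still present but HasPrivateKey is false, so the next encryption generates a fresh key pair. The following PowerShell script is an added example, not code from either poster; it lists the EFS-capable certificates in CurrentUser\My, warns when none of them still has a private key, and shows the thumbprint EFS will use next. It assumes PowerShell with the Cert: drive and cipher.exe on the PATH; the function names are the author's own. Run it as the encrypting user (here "BABY") before adding files to an existing encrypted folder.

```powershell
# Added example (not from the thread): check whether the user's EFS
# certificate still has its private key before encrypting more files.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCertificateStatus {
    # One object per certificate in CurrentUser\My that carries the EFS EKU.
    # Uses the .NET X509 extension objects so it does not depend on the
    # PowerShell version's script properties.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEkuOid })
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey   # $false after "delete private key" on export
        }
    }
}

function Test-EfsKeyPresent {
    # $true only if at least one EFS certificate still has its private key.
    # When this is $false, EFS cannot wrap a new FEK with the old key and
    # will create a brand-new certificate on the next encryption, which is
    # exactly the behaviour reported in the thread.
    $withKey = @(Get-EfsCertificateStatus | Where-Object { $_.HasPrivateKey })
    return ($withKey.Count -gt 0)
}

Get-EfsCertificateStatus |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

if (-not (Test-EfsKeyPresent)) {
    Write-Warning ('No EFS certificate in CurrentUser\My has a private key; ' +
                   'the next encryption will generate a new certificate and ' +
                   'already encrypted files stay readable only via the DRA.')
}

# Thumbprint EFS will use for the next file it encrypts (cipher /y exists on
# Windows XP/2003 and later). Compare it with the user certificate recorded on
# files that are already encrypted (efsinfo /u from the 2003 resource kit, or
# "cipher /c <file>" on Vista/2008 and later) to confirm they match.
cipher.exe /y
```

If the warning fires, the fix on the page's own terms is to keep the private key on the machine where the user encrypts (or re-import the exported PFX into that profile) and to rely on the domain recovery agent rather than on deleting the user's key; the script only reports the state, it changes nothing.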



