Re: EFS Recovery Agent

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/24/05


Date: Thu, 24 Feb 2005 00:04:34 -0600

You can use the cipher /R command on an XP Pro computer to generate a Recovery
Agent certificate which would be the logged on user. I suggest however that you
create an enterprise CA for the domain even if you use it to issue that one
certificate. It really is not that hard to do. If you want to try the XP Pro
generated certificate be SURE to test it out first to make sure that it works
the way you expect for domain EFS file recovery so as to not lose permanent
access to any EFS files. You can use the efsinfo utility to then view the RA
associated with any EFS files. I believe that existing files will need to be
opened to update them with the new RA or that can be done via the cipher command
from the logged on user for XP Pro. Be sure to keep a couple of copies of the RA
certificate/private key stored in password protected .pfx files in safe
places. --- Steve

"Lee" <lee@nowehere.com> wrote in message
news:eRCLGMdGFHA.616@TK2MSFTNGP10.phx.gbl...
> Curtis,
>
> thanks for your reply, I had followed that document, however, when I try
> to add a recovery agent using the Add Recovery Agent Wizard, it tells me
> that "the selected user has no certificates suitable for EFS Recovery and
> cannot be selected as a recovery agent."
>
> So, I guess my question is, how do I create an EFS Recovery certificate for
> my user that I want to be a recovery agent
>
> TIA
>
> Lee
> "Curtis Koenig [MSFT]" <curtisko@online.microsoft.com> wrote in message
> news:fM5xOGdGFHA.1140@TK2MSFTNGXA02.phx.gbl...
> > The help file for Windows XP has a good set of steps for how to specify a
> > recovery agent:
> >
> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
> > To add a recovery agent for a domain
> > Open Active Directory Users and Computers.
> > Right-click the domain whose recovery policy you want to change, and then
> > click Properties.
> > Click the Group Policy tab.
> > Right-click the recovery policy you want to change, and then click Edit.
> > In the console tree, click Encrypted Data Recovery Agents.
> > Where?
> >
> > Computer Configuration
> > Windows Settings
> > Security Settings
> > Public Key Policies
> > Encrypted Data Recovery Agents
> > In the details pane, right-click, then click Add, and follow the
> > instructions.
> > Notes
> >
> > You must be logged on as an administrator or a member of the Administrators
> > group in order to complete this procedure. If your computer is connected to
> > a network, network policy settings might also prevent you from completing
> > this procedure.
> > To start Active Directory Users and Computers, open a Remote Desktop
> > Connection to either a Windows 2000 domain controller or a member server
> > that has Windows 2000 Administration Tools installed. You must log on to
> > the server as a domain administrator in order to complete this procedure.
> > This operation can be performed on any sites, domains or organizational
> > units within an Active Directory forest.
> > Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
> > This is because the name is not stored in the file.
> > Before you can add or create a recovery agent, you must configure Group
> > Policy on your computer. For more information about using Group Policy, see
> > Related Topics.
> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
> >
> > I would also suggest the following KB
> >
> > 223316 Best practices for the Encrypting File System
> > http://support.microsoft.com/?id=223316
> > --
> > Curtis Koenig
> > Security Support Engineer
> > Product Support Services, Security Team
> > MCSE, MCSES, CISSP
> >
> > This posting is provided "AS IS" with no warranties and confers no rights.
> > Please reply to the newsgroup so that others may benefit. Thanks!
> >
> > --------------------
> >>From: "Lee" <lee@nowehere.com>
> >>Subject: EFS Recovery Agent
> >>Date: Wed, 23 Feb 2005 16:49:50 -0000
> >>
> >>Hi,
> >>
> >>Hopefully someone can advise.
> >>
> >>I am trying to setup EFS in my domain, I would like to change the default
> >>EFS recovery agent from Administrator to a user. We do not currently have
> >>a CA, however, from what I have read, this is not necessarily required.
> >>
> >>Could someone please advise whether a CA is required, and if not, point me
> >>in the direction of some help on how to do this.
> >>
> >>TIA
> >>
> >>Lee
> >>
> >>
> >>
> >
>
>
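The procedure Steve describes (generate the RA key pair with cipher /R, check the certificate before trusting it, then update existing encrypted files) as an added PowerShell example that is not part of the thread. It assumes an XP Pro or later workstation with cipher.exe, that efsinfo.exe from the Resource Kit is on the path, and an output path of your choosing (efs-ra under the profile folder is an assumed placeholder). The EKU check is the same test the Add Recovery Agent Wizard performs: a certificate without the "File Recovery" purpose (OID 1.3.6.1.4.1.311.10.3.4.1) produces the "no certificates suitable for EFS Recovery" error Lee saw.

```powershell
# Added example, not code from the original thread.
# Generates a self-signed EFS recovery agent certificate with cipher /R,
# verifies it carries the File Recovery EKU, lists the RA on existing files
# with efsinfo, and updates encrypted files to the current recovery policy.

$base = Join-Path $env:USERPROFILE 'efs-ra'   # assumed output path; cipher appends .cer and .pfx

function New-EfsRecoveryAgentKeyPair {
    param([string]$BasePath)
    # cipher /R prompts for a password that protects the private key in the .pfx.
    # The .cer (public certificate only) is what you import into Group Policy;
    # the .pfx is what a recovery operator imports when a file must be recovered.
    cipher /R:$BasePath
    if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }
    return "$BasePath.cer"
}

function Test-FileRecoveryCertificate {
    param([string]$CerPath)
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # 2.5.29.37 is the Enhanced Key Usage extension.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    $found = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid }
    return [bool]$found
}

$cer = New-EfsRecoveryAgentKeyPair -BasePath $base
if (-not (Test-FileRecoveryCertificate -CerPath $cer)) {
    throw "$cer lacks the File Recovery EKU; the Add Recovery Agent Wizard will reject it."
}
Write-Host "Recovery agent certificate $cer is suitable for EFS recovery."

# After the .cer has been added to the domain (or local) recovery policy and the
# policy has refreshed, existing encrypted files still carry the OLD recovery
# agent until they are rewritten. /U /N only reports which files would change;
# /U without /N rewrites them with the current recovery agent(s).
cipher /U /N
cipher /U

# efsinfo /R shows the recovery agent(s) recorded on each encrypted file, so you
# can confirm the new RA appears before the old key is retired.
efsinfo /R

# Keep the .pfx (private key) off the workstation: copy it to at least two
# protected locations, then remove the local copy so the RA key is not
# sitting next to the data it can decrypt.
$pfx = "$base.pfx"
Copy-Item $pfx -Destination '\\BACKUP-SERVER\ra-escrow\'   # assumed escrow share
Remove-Item $pfx
```

Run the test step before importing the certificate into Group Policy, and, as Steve advises, actually recover a test file with the .pfx on a second machine before relying on it; a certificate that passes the EKU check but whose private key was lost is no recovery agent at all.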


