Re: DRA and access denied
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Sep 2006 09:36:27 -0500
Some comments inline...
In article <#fqVJhw4GHA.1256@xxxxxxxxxxxxxxxxxxxx>, "Eric Logsdon" <ELogsdon@
bugus1.cooperativetechnologies.com> says...
I am trying to set up a CA so we can use EFS for sensitive customer data.
My environment (I am using VirtualPC for testing):
Windows 2003 Enterprise DC and Enterprise CA (one virtual machine)
Windows/XP workstation that is member of the domain.
Three users are set up:
User - this is the guy who has encrypted the files.
BadGuy - Can not decrypt the files
Administrator (domain) - is the DRA of record.
I set up administrator as DRA before User encrypted his files. I run
EFSInfo /R and the administrator@xxxxxxxxxx shows up as the DRA for the file.
I think this is how it should look. Administrator has NTFS permissions to
the files and can read files that have been decrypted by User.
What this actually means is that the subject of the DRA's certificate is the Administrator.
The actual certificate and private key are stored in the Administrator's profile on the first
domain controller in the forest. This does *not* mean that the Administrator can log on at
*any* computer in the network and magically decrypt files.
The Administrator (in your case) would have to:
1) Export the EFS DRA certificate and private key into a PFX format
2) Log on at the workstation where they wish to perform the recovery
3) Import the PFX into that profile
4) Decrypt the file.
I log onto the workstation as the domain administrator, right click the file,
select properties, advanced and un-check the encrypt button. I click OK,
then Apply and get an "Access Denied" message.
This is expected. It is not the account that is the DRA, it is the holder of the certificate
and private key. To be honest, you do not even have to log on as administrator in my previous
step 2. You could create *any* account at this time, and then import the PFX file and act as
the DRA.
I have seen references to this on standalone Windows/XP workstations where
the issue seemed to be importing the DRA key onto the workstation. My
understanding is that in a domain environment with an Enterprise CA I don't
have to import keys to the individual machines.
Your understanding is wrong.
Any help or pointers would be appreciated.
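The four-step recovery Brian describes (export the DRA certificate and private key to a PFX, log on at the workstation, import the PFX, decrypt) as an added PowerShell example. This is not code from the thread or from Microsoft: it assumes the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate), which exist on Windows 8 / Server 2012 and later, whereas the thread's Windows 2003 / XP machines do the same steps through certmgr.msc and cipher.exe. The paths and file names are placeholders.

```powershell
# Added example, not from the thread. Assumes the PKI module (Windows 8 / Server 2012+).
# Paths (C:\recovery\dra.pfx, C:\data\secret.txt) are placeholders.

# --- Step 1: run in the profile that actually holds the DRA private key
# (in the thread, the Administrator profile on the first DC in the forest).
# Select the certificate by the "File Recovery" EKU rather than by name, so
# an ordinary EFS user certificate in the same store is not exported by mistake.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery EKU (EFS DRA)
$dra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid) } |
    Select-Object -First 1
if (-not $dra) { throw 'No DRA certificate with a private key in this profile.' }

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $dra -FilePath 'C:\recovery\dra.pfx' -Password $pfxPassword

# --- Steps 2 and 3: log on at the workstation where the encrypted file lives
# (any account will do, as Brian notes; it is the key that matters) and import
# the PFX into that profile's personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath 'C:\recovery\dra.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Confirm the file lists that certificate as a recovery agent before decrypting.
# (cipher /c on Vista and later; the thread uses efsinfo /r on XP for the same check.)
cipher.exe /c 'C:\data\secret.txt'

# --- Step 4: decrypt. This is what the Properties > Advanced checkbox does.
cipher.exe /d 'C:\data\secret.txt'

# --- Clean-up: the DRA private key should not stay on the workstation or on disk.
Remove-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)" -DeleteKey
Remove-Item -Path 'C:\recovery\dra.pfx'
```

The clean-up at the end is the part most often skipped: once the PFX has been imported anywhere, that profile can decrypt every file whose DRA is that certificate, so the imported key and the PFX file are removed as soon as the recovery is done.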