Re: DRA and access denied

Thanks.

--
Eric Logsdon
ELogsdon [at] cooperativetechnologies [dot] com
"Brian Komar [MVP]" <bkomar@xxxxxxxxxxxxxxxxx> wrote in message
news:MPG.1f8599eaebab550a9896c7@xxxxxxxxxxxxxxxxxxxxxxx
Some comments inline...

In article <#fqVJhw4GHA.1256@xxxxxxxxxxxxxxxxxxxx>, "Eric Logsdon" <ELogsdon@bugus1.cooperativetechnologies.com> says...
I am trying to set up a CA so we can use EFS for sensitive customer data.
My environment (I am using VirtualPC for testing):
Windows 2003 Enterprise DC and Enterprise CA (one virtual machine)
Windows/XP workstation that is member of the domain.

Three users are set up:
User - this is the guy who has encrypted the files.
BadGuy - Cannot decrypt the files
Administrator (domain) - is the DRA of record.

I set up Administrator as DRA before User encrypted his files. I run
EFSInfo /R and administrator@xxxxxxxxxx shows up as the DRA for the file.
I think this is how it should look. Administrator has NTFS permissions to
the files and can read files that have been decrypted by User.

What this actually means is that the subject of the DRA's certificate is
the Administrator. The actual certificate and private key is stored in the
Administrator's profile on the first domain controller in the forest. This
does *not* mean that the Administrator can log on at *any* computer in the
network and magically decrypt files.

The Administrator (in your case) would have to:
1) Export the EFS DRA certificate and private key into a PFX format
2) Log on at the workstation where they wish to perform the recovery
3) Import the PFX into that profile
4) Decrypt the file.

I log onto the workstation as the domain administrator, right click the
file, select properties, advanced and un-check the encrypt button. I click
OK, then Apply and get an "Access Denied" message.

This is expected. It is not the account that is the DRA, it is the holder
of the certificate and private key. To be honest, you do not even have to
log on as administrator in my previous step 2. You could create *any*
account at this time, and then import the PFX file and act as the DRA.

I have seen references to this on standalone Windows/XP workstations where
the issue seemed to be importing the DRA key onto the workstation. My
understanding is that in a domain environment with an Enterprise CA I
don't have to import keys to the individual machines.

Your understanding is wrong.

Any help or pointers would be appreciated.
