Re: EFS with no Administrator Certificate
From: Drew Cooper [MS] (dcoop@online.microsoft.com)
Date: 11/22/02
- Next message: Jupiter Jones: "Re: EFS with no Administrator Certificate"
- Previous message: Brett: "Re: EFS key recovery?"
- In reply to: Bob Sanders: "Re: EFS with no Administrator Certificate"
- Next in thread: Jupiter Jones: "Re: EFS with no Administrator Certificate"
- Reply: Jupiter Jones: "Re: EFS with no Administrator Certificate"
From: "Drew Cooper [MS]" <dcoop@online.microsoft.com>
Date: Thu, 21 Nov 2002 18:33:26 -0800
What you say makes sense. DPAPI protects the private key based on both the
user SID and a hash of the user's password.
For lots of info about EFS, check out the whitepaper:
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp
--
Drew Cooper [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Bob Sanders" <rsanders@eudoramail.com> wrote in message
news:f98601c291cc$f80eca70$89f82ecf@TK2MSFTNGXA01...
> An interesting note, I restored the original password to
> the account in which I broke the key (by changing the
> user password via the administrator account). Afterward,
> surprisingly, the original key was restored and I could
> access the files from within his account!
>
> Just FYI.
>
> >-----Original Message-----
> >Bob S wrote:
> >
> >> I am new to EFS; therefore, please excuse any
> >> miscommunication or improper description.
> >>
> >> We have a standalone system that multiple people use;
> >> therefore, we implemented EFS to allow users A and B to work on
> >> the same document but not allow users C and D to see its contents.
> >>
> >> The problem, we needed a file that was created by user A.
> >> Unfortunately, user A did not set up the permissions correctly, and
> >> obviously, A was not available to log into the system.
> >>
> >> When the EFS system was set up, the administrator account did
> >> not have a certificate assigned. I assume that this is why
> >> when I tried to log into the administrator account I could not
> >> recover the encrypted file; even though from reading the net, the
> >> administrator should have recovery authority by default.
> >
> >For a Win2k computer this is correct, but this functionality was removed for
> >WinXP, it was defined as a security "hole" I guess. So for standalone WinXP
> >computers, it is *very* important to export the certificates to a place outside
> >the computer when you start using EFS, and if it is a multiuser computer you
> >should create a data recovery agent (DRA) as well. More information here:
> >
> >http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery/default.asp
> >
> >> To complicate things, we changed User A's password (before I
> >> learned that this breaks the key by design) so that we could log
> >> into his account.
> >>
> >> We have recovered most of the information from other sources;
> >> however, it would be nice to recover some of the original files.
> >
> >--
> >torgeir
> >Microsoft MVP Scripting and WMI
> >Porsgrunn Norway
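Added example, not part of the original thread and not Microsoft's code: a simplified Python model of a private key sealed under the user's SID and a hash of the password, showing why an administrator-forced password reset leaves the key unreadable and why restoring the original password makes it readable again. The XOR keystream, iteration count, SIDs and passwords are constructed stand-ins; real DPAPI uses its own blob format and cipher.

```python
import hashlib, hmac, os

ITERATIONS = 4000  # illustrative work factor chosen for this example

def prekey(password: str, sid: str) -> bytes:
    # Model secret bound to both inputs: HMAC over the SID, keyed with a hash of the password.
    pwd_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pwd_hash, (sid + "\0").encode("utf-16-le"), hashlib.sha1).digest()

def _keys(password, sid, salt, n):
    ks = hashlib.pbkdf2_hmac("sha1", prekey(password, sid), salt, ITERATIONS, dklen=n + 20)
    return ks[:n], ks[n:]  # (keystream, MAC key)

def protect(secret: bytes, password: str, sid: str) -> dict:
    salt = os.urandom(16)
    stream, mac_key = _keys(password, sid, salt, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, stream))  # XOR stands in for the real cipher
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, hashlib.sha1).digest()}

def unprotect(blob: dict, password: str, sid: str):
    stream, mac_key = _keys(password, sid, blob["salt"], len(blob["ct"]))
    tag = hmac.new(mac_key, blob["ct"], hashlib.sha1).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password or wrong SID: the key stays sealed
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))

def change_password(blob, old, new, sid):
    # User-initiated change: the old password is known, so the secret can be re-wrapped.
    secret = unprotect(blob, old, sid)
    return protect(secret, new, sid) if secret is not None else None

def scenario() -> dict:
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-1004"   # constructed
    other_sid = "S-1-5-21-1111111111-2222222222-3333333333-1005"  # constructed
    efs_key = os.urandom(32)  # stands in for user A's EFS private key
    blob = protect(efs_key, "original-pw", user_sid)
    rewrapped = change_password(blob, "original-pw", "new-pw", user_sid)
    return {
        "owner_logon": unprotect(blob, "original-pw", user_sid) == efs_key,
        # A forced reset never touches the blob, so only the password tried at logon differs.
        "after_admin_reset": unprotect(blob, "pw-set-by-admin", user_sid) is not None,
        "other_account_same_password": unprotect(blob, "original-pw", other_sid) is not None,
        "original_password_restored": unprotect(blob, "original-pw", user_sid) == efs_key,
        "after_user_password_change": unprotect(rewrapped, "new-pw", user_sid) == efs_key,
    }

if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:32} {'key readable' if ok else 'key sealed'}")
```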