Re: DRA is Decrypting Files when it shouldn't be!!!



Well maybe we did something different as I used efsinfo to see if the newly
created RA [not by the user with cipher /R] was shown before logging onto
the user account and it was not as I expected. You indicated that the RA
could access the user's EFS files before logging on as the user after
creating the RA with the administrator account. --- Steve


"DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B1BFCBD7-AA57-4C0D-B230-B3EDA55750CE@xxxxxxxxxxxxxxxx
> now log back in as the user and go to the "details" button and view who
> is a RA for that file and you will see that "Administrator" is the RA.
>
> After you verify that the Administrator is the RA, log back out of the
> user account and log back in as the "Administrator" and you will be able
> to decrypt it.
>
> "Steven L Umbach" wrote:
>
>> I just reproduced what you did and was not able to access the files as
>> the RA though I rebooted the computer after encrypting the files and
>> before logging on as the built in administrator account to create the
>> RA. --- Steve
>>
>>
>> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C715850F-53CC-43A8-8EED-87F77BF49319@xxxxxxxxxxxxxxxx
>> > Let's go over this again...
>> >
>> > OS setup:
>> >
>> > Installed a fresh copy of XP. Forget about extra RAs. There is only
>> > one RA with this setup. I dedicated the Administrator's account as the
>> > RA.
>> >
>> > Problem:
>> >
>> > EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE
>> > an RA was actually created on the XP OS. My question is: why?
>> >
>> > I was told by "many people" that you have to set up the RA BEFORE
>> > enabling encryption to get the RA to decrypt encrypted files.
>> >
>> > Steps I took:
>> >
>> > I created a user, encrypted 200 files. Logged off and logged on as
>> > Administrator and created a RA. Rebooted and logged in as Administrator
>> > and decrypted the 200 files.
>> >
>> > In this case here, I created the RA after the files were already
>> > encrypted, so why am I ABLE to decrypt the 200 files?
>> >
>> > Anyway, to resolve the problem, you asked me to do an experiment and
>> > told me to "export" & "delete" the user's private key, before creating
>> > the RA. I did this, and now the RA cannot delete the 200 files (which
>> > is the way it is supposed to work).
>> >
>> > My question is, why did you suggest to "export" & "delete" the user's
>> > private key, then create the RA? And also, why does this work and what
>> > did I do wrong?
>> >
>> > Thanks, Dave
>> >
>> > ---------------------------------------------------
>> >
>> >> So what did you exactly do? Create a user, encrypt some files, remove
>> >> the user's EFS certificate private key, create an RA, and not be able
>> >> to decrypt files as RA? Or did you use your current configuration
>> >> where the RA could decrypt the user's files, remove the user's EFS
>> >> certificate private key, and the RA can no longer decrypt files?? Did
>> >> you look to see if the RA had more than one RA certificate?? --- Steve
>> >>
>> >>
>> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
>> >> > Steve, I did what you said (below) and "exported" & "deleted" the
>> >> > user's private key and now it's acting correctly. Why is this?
>> >> >
>> >> > I don't understand, please explain.
>> >> >
>> >> > Thanks, DJ
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> Hmm. Have you tried first exporting/deleting the user's private
>> >> >> key before creating the RA to see what happens, or rebooting the
>> >> >> computer before you created the RA with cipher /R with the user's
>> >> >> private key still on the computer? XP is supposed to flush the EFS
>> >> >> cache at logoff. Did you remove any old RA from the RA user
>> >> >> certificate store via the mmc snapin for certificates and then log
>> >> >> off as the RA? You can use efsinfo to see what RAs are included in
>> >> >> a user's EFS file and examine the certificate thumbprint to see
>> >> >> exactly what RA certificate is being used if there are more than
>> >> >> one available. You might also want to post in the
>> >> >> Microsoft.public.security.crypto newsgroup. --- Steve
>> >> >>
>> >> >>
>> >> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
>> >> >> > I set up a brand new XP install. Set up a new local user named
>> >> >> > Joe and logged in as Joe. Created a new directory and encrypted
>> >> >> > 200 files in this directory.
>> >> >> >
>> >> >> > Logged off and logged in as Administrator. Created a DRA (ex:
>> >> >> > Cipher /r:Filename, imported certificate and private key into the
>> >> >> > local certificate store, ran gpedit.msc and added DRA). After
>> >> >> > this, I tried to unencrypt the directory while logged in as
>> >> >> > Administrator and it let me!!! Why is this? It shouldn't allow me
>> >> >> > to decrypt 200 files that were encrypted before a DRA was created.
>> >> >> >
>> >> >> > I don't get this crap. Many articles state that you have to
>> >> >> > create the DRA before encrypting the files so that the DRA can
>> >> >> > decrypt them. If you don't, then you need to run cipher /u to
>> >> >> > update the encrypted files so that the newly created DRA will
>> >> >> > work with older encrypted files.
>> >> >> >
>> >> >> > In my case, I created the DRA after the files were already
>> >> >> > encrypted and "never" ran a cipher /u. Does anybody know what
>> >> >> > could cause this?
>> >> >> >
>> >> >> > Thanks, DJ
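The check Steve suggests above (looking at which RA certificates each file's recovery field actually references, rather than trusting that the policy change covered old files) as an added example, not code from anyone in the thread. It assumes "cipher /c" (Windows Vista and later; on XP the equivalent listing comes from efsinfo /r /u), and the path and DRA thumbprint are placeholders.

```powershell
# Added example: report EFS-encrypted files whose recovery field does not
# reference the expected DRA certificate. Assumes "cipher /c" output with the
# sections "Users who can decrypt:" and "Recovery Certificates:".
param(
    [string]$Path = 'C:\Users\Joe\EncryptedDocs',          # placeholder
    [string]$ExpectedDraThumbprint = 'PLACEHOLDER_DRA_THUMBPRINT'
)

function Get-EfsRecoveryThumbprints {
    param([string]$File)
    $section = ''
    $found = @()
    foreach ($line in (& cipher.exe /c $File 2>&1)) {
        $text = "$line"
        if ($text -match '^\s*Users who can decrypt:') { $section = 'users'; continue }
        if ($text -match '^\s*Recovery Certificates:') { $section = 'dra';   continue }
        if ($text -match '^\s*Key Information:')       { $section = '';      continue }
        # Thumbprints are printed in spaced hex groups; normalise for comparison.
        if ($section -eq 'dra' -and $text -match 'Certificate thumbprint:\s*(.+)$') {
            $found += (($Matches[1] -replace '\s', '').ToUpper())
        }
    }
    return $found
}

$expected = ($ExpectedDraThumbprint -replace '\s', '').ToUpper()
$missing  = @()

Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
    ForEach-Object {
        $dras = Get-EfsRecoveryThumbprints -File $_.FullName
        if ($dras -notcontains $expected) { $missing += $_.FullName }
    }

if ($missing.Count -eq 0) {
    "All encrypted files under $Path reference DRA $expected."
} else {
    "$($missing.Count) encrypted file(s) do not reference DRA ${expected}:"
    $missing
    "Run 'cipher /u' as a user who can already decrypt them to refresh the recovery field."
}
```

The script only reads file metadata; it changes nothing, so it is safe to run before and after a DRA policy change to confirm that the recovery field of every existing file was actually updated.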

