Re: DRA is Decrypting Files when it shouldn't be!!!



Because once you logged on as the user and the RA was configured via Group
Policy, the user's EFS files can be updated automagically to reflect the
RA, though that does not always reliably happen, which is why it is a good
idea to use cipher /u to try to force it on all EFS files for the user. This
all requires that the user has their EFS private key on the computer or the
update of the RA will fail, which is why you can not create a RA after the
fact to attempt to decrypt EFS files for a user that does not have their EFS
private key due to export/delete, reinstall or corrupt user profile. ---
Steve


"DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0EE7DC2E-B445-48DE-B450-B1FF797DB312@xxxxxxxxxxxxxxxx
> You didn't go far enough. After you log in as the built-in administrator
> and create the RA, don't check to see if you can decrypt a file, because
> you're right, you won't be able to decrypt one.
>
> Now, log back in as the user and go to the "details" button and view who
> is the RA for one of the encrypted files; you will see that "Administrator"
> is the RA.
> Now log back out as the user, log in as the "Administrator" and you WILL
> be able to decrypt any file you want.
>
> Now how can that be? You explain it to me. I don't get it.
>
> A previously encrypted file should not be able to be decrypted with a RA I
> created after the fact.
>
> -----------------------------------------------------------
>
> "Steven L Umbach" wrote:
>
>> I just reproduced what you did and was not able to access the files as
>> the RA, though I rebooted the computer after encrypting the files and
>> before logging on as the built-in administrator account to create the
>> RA. --- Steve
>>
>>
>> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C715850F-53CC-43A8-8EED-87F77BF49319@xxxxxxxxxxxxxxxx
>> > Let's go over this again...
>> >
>> > OS setup:
>> >
>> > Installed a fresh copy of XP. Forget about extra RAs. There is only
>> > one RA with this setup. I dedicated the Administrator's account as
>> > the RA.
>> >
>> > Problem:
>> >
>> > EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE
>> > an RA was actually created on the XP OS. My question is why?
>> >
>> > I was told by "many people" that you have to set up the RA BEFORE
>> > enabling encryption to get the RA to decrypt encrypted files.
>> >
>> > Steps I took:
>> >
>> > I created a user, encrypted 200 files. Logged off and logged on as
>> > Administrator and created a RA. Rebooted and logged in as Administrator
>> > and decrypted the 200 files.
>> >
>> > In this case here, I created the RA after the files were already
>> > encrypted, so why am I ABLE to decrypt the 200 files?
>> >
>> > Anyway, to resolve the problem, you asked me to do an experiment and
>> > told me to "export" & "delete" the user's private key before creating
>> > the RA. I did this, and now the RA cannot delete the 200 files (which
>> > is the way it is supposed to work).
>> >
>> > My question is, why did you suggest to "export" & "delete" the user's
>> > private key, then create the RA? And also why does this work and what
>> > did I do wrong?
>> >
>> > Thanks, Dave
>> >
>> > ---------------------------------------------------
>> >
>> >
>> >> So what did you exactly do? Create a user, encrypt some files, remove
>> >> the user's EFS certificate private key, create an RA, and not be able
>> >> to decrypt files as RA? Or did you use your current configuration where
>> >> the RA could decrypt the user's files, remove the user's EFS certificate
>> >> private key, and the RA can no longer decrypt files?? Did you look to
>> >> see if the RA had more than one RA certificate?? --- Steve
>> >>
>> >>
>> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
>> >> > Steve, I did what you said (below) and "exported" & "deleted" the
>> >> > user's private key and now it's acting correctly. Why is this?
>> >> >
>> >> > I don't understand, please explain.
>> >> >
>> >> > Thanks, DJ
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> Hmm. Have you tried first exporting/deleting the user's private
>> >> >> key before creating the RA to see what happens, or rebooting the
>> >> >> computer before you created the RA with cipher /R with the user's
>> >> >> private key still on the computer? XP is supposed to flush the EFS
>> >> >> cache at logoff. Did you remove any old RA from the RA user
>> >> >> certificate store via the MMC snap-in for certificates and then log
>> >> >> off as the RA? You can use efsinfo to see what RAs are included in a
>> >> >> user's EFS file and examine the certificate thumbprint to see exactly
>> >> >> what RA certificate is being used if there are more than one
>> >> >> available. You might also want to post in the
>> >> >> microsoft.public.security.crypto newsgroup. --- Steve
>> >> >>
>> >> >>
>> >> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
>> >> >> > I set up a brand new XP install. Set up a new local user named Joe
>> >> >> > and logged in as Joe. Created a new directory and encrypted 200
>> >> >> > files in this directory.
>> >> >> >
>> >> >> > Logged off and logged in as Administrator. Created a DRA (ex:
>> >> >> > Cipher /r:Filename, imported certificate and private key into the
>> >> >> > local certificate store, ran gpedit.msc and added DRA). After this,
>> >> >> > I tried to unencrypt the directory while logged in as Administrator
>> >> >> > and it let me!!! Why is this? It shouldn't allow me to decrypt 200
>> >> >> > files that were encrypted before a DRA was created.
>> >> >> >
>> >> >> > I don't get this crap. Many articles state that you have to create
>> >> >> > the DRA before encrypting the files so that the DRA can decrypt
>> >> >> > them. If you don't, then you need to run cipher /u to update the
>> >> >> > encrypted files so that the newly created DRA will work with older
>> >> >> > encrypted files.
>> >> >> >
>> >> >> > In my case, I created the DRA after the files were already
>> >> >> > encrypted and "never" ran a cipher /u. Does anybody know what could
>> >> >> > cause this?
>> >> >> >
>> >> >> > Thanks, DJ
>> >> >>
>> >> >>
>> >>
>> >>
>>
>>
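Steve's explanation at the top of the thread (the RA in policy is written into a user's existing EFS files only when that user's own EFS private key is on the machine, and cipher /u forces the rewrite) and his earlier suggestion to inspect each file's recovery-agent thumbprint with efsinfo both come down to one audit: confirm the user's EFS key is present, then confirm the expected DRA is actually recorded on every encrypted file. The PowerShell script below is an added example for that audit and is not code from this thread or from Microsoft. It assumes PowerShell 3 or later on Windows Vista or later, where "cipher /c" reports a file's recovery certificates (on XP, the thread's efsinfo /r is the equivalent); the parameter names, the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, and the assumption that cipher /c prints thumbprints on "Certificate thumbprint:" lines under a "Recovery Certificates:" heading are the author's of this example, not the thread's.

```powershell
# Added example (not from the thread): audit EFS files under a path for an
# expected DRA thumbprint, after checking the precondition Steve describes,
# namely that the logged-on user's EFS private key is present. Without that
# key, cipher /u cannot rewrite the file's key blob, so a DRA created after
# the fact never reaches existing files.
# Assumes Vista or later (cipher /c); on XP use efsinfo /r as in the thread.

param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$DraThumbprint,   # expected DRA cert thumbprint (hex)
    [switch]$Update                                          # run cipher /u if files lack the DRA
)

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# 1. Precondition: does the current user hold an EFS certificate with its private key?
$userEfsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $efsEku }
    )
}
if (-not $userEfsCerts) {
    Write-Warning "No EFS certificate with a private key in CurrentUser\My; cipher /u will fail for this user's files."
}

# 2. Enumerate files that carry the Encrypted attribute.
$encrypted = @(Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

# 3. For each file, read the recovery certificates reported by cipher /c and
#    look for the expected thumbprint (cipher prints it with spaces between groups).
$want = ($DraThumbprint -replace '\s', '').ToUpperInvariant()
$missing = @()

foreach ($f in $encrypted) {
    $out = & cipher.exe /c $f.FullName 2>&1
    $inRecovery = $false
    $found = $false
    foreach ($line in $out) {
        if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
        if ($line -match 'Key Information')       { $inRecovery = $false }
        if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') {
            $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
            if ($tp -eq $want) { $found = $true }
        }
    }
    if (-not $found) { $missing += $f.FullName }
}

"{0} encrypted file(s) checked, {1} without DRA {2}" -f $encrypted.Count, $missing.Count, $want
$missing

# 4. Optionally force the rewrite Steve recommends. cipher /u touches every EFS
#    file on local drives that the caller can open and refreshes its recovery
#    field from the DRA currently in policy; it must run as the file owner.
if ($Update -and $missing.Count -gt 0) {
    if (-not $userEfsCerts) { throw "Cannot update: the user's EFS private key is absent." }
    & cipher.exe /u
}
```

Run it as the user who owns the files, not as the RA: the whole point of the thread is that the rewrite only succeeds in the context that holds the user's EFS private key, so a file listed as missing the DRA after an Update run is a sign that key is gone (exported and deleted, profile rebuilt) and that the DRA cannot be retrofitted to it.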

