Re: DRA is Decrypting Files when it shouldn't be!!!



Steve, I think I'm getting it...

In order for a file to be assigned a DRA (especially an encrypted file that
is created before a Windows XP DRA is set up), I need to complete the
following steps:

Log on as the user that encrypted the file so that the user's private key
will be able to open the file to create a DRF in the header. Once the DRF is
created and updated with the DRA and I log off as the user, I can then log on
as the Administrator that is designated as the DRA and open the encrypted
file that I once could not open as the Administrator.

Is this right?

Thanks, Dave

"Steven L Umbach" wrote:

> As I mentioned previously, it is possible for an RA to decrypt files older
> than it. But my experience is that if I create a new RA and specify it in
> security policy via an account that is not the user that encrypted the files,
> I cannot use it to decrypt the user's EFS files, and it does not show as an
> RA in the EFS file's properties until I log on as that user with the EFS
> private key in the user profile. The RA is an all-or-nothing deal, as you
> cannot specify which EFS files you want it to be RA for. Not that it should
> matter, but I am using XP SP2, the user and RA both have unique passwords,
> and I am using classic logon requiring Ctrl-Alt-Delete, which does not
> allow fast user switching. However, you cannot create an RA after the fact
> to decrypt a user's past EFS files when the user's EFS private key is not
> available, if that is your concern, as the user's EFS private key is needed to
> allow the EFS files to be updated with the new RA. --- Steve
>
>
> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:18909DF3-F0D1-4F5D-9BA2-6DF595DD862D@xxxxxxxxxxxxxxxx
> > The "Details" button to see the RA is just that, another way to see that
> > your local policy is working. The problem I want to resolve is the RA
> > decrypting files that are older than it.
> >
> > "Steven L Umbach" wrote:
> >
> >> Because once you logged on as the user and the RA was configured via Group
> >> Policy, the user's EFS files can be updated automagically to reflect the
> >> RA, though that does not always reliably happen, which is why it is a good
> >> idea to use cipher /u to try to force it on all EFS files for the user. This
> >> all requires that the user has their EFS private key on the computer, or the
> >> update of the RA will fail, which is why you cannot create an RA after the
> >> fact to attempt to decrypt EFS files for a user that does not have their
> >> EFS private key due to export/delete, reinstall or corrupt user profile. ---
> >> Steve
> >>
> >>
> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:0EE7DC2E-B445-48DE-B450-B1FF797DB312@xxxxxxxxxxxxxxxx
> >> > You didn't go far enough. After you log in as the built-in administrator
> >> > and create the RA, don't check to see if you can decrypt a file, because
> >> > you're right, you won't be able to decrypt one.
> >> >
> >> > Now, log back in as the user and go to the "Details" button and view who
> >> > is the RA for one of the encrypted files; you will see that "Administrator"
> >> > is the RA.
> >> > Now log back out as the user, log in as the "Administrator" and you WILL
> >> > be able to decrypt any file you want.
> >> >
> >> > Now how can that be? You explain it to me. I don't get it.
> >> >
> >> > A previously encrypted file should not be able to be decrypted with an
> >> > RA I created after the fact.
> >> >
> >> > -----------------------------------------------------------
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> I just reproduced what you did and was not able to access the files as
> >> >> the RA, though I rebooted the computer after encrypting the files and
> >> >> before logging on as the built-in administrator account to create the
> >> >> . --- Steve
> >> >>
> >> >>
> >> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:C715850F-53CC-43A8-8EED-87F77BF49319@xxxxxxxxxxxxxxxx
> >> >> > Let's go over this again...
> >> >> >
> >> >> > OS setup:
> >> >> >
> >> >> > Installed a fresh copy of XP. Forget about extra RAs. There is only one
> >> >> > RA with this setup. I dedicated the Administrator's account as the RA.
> >> >> >
> >> >> > Problem:
> >> >> >
> >> >> > EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE
> >> >> > an RA was actually created on the XP OS. My question is: why?
> >> >> >
> >> >> > I was told by "many people" that you have to set up the RA BEFORE
> >> >> > enabling encryption to get the RA to decrypt encrypted files.
> >> >> >
> >> >> > Steps I took:
> >> >> >
> >> >> > I created a user and encrypted 200 files. Logged off and logged on as
> >> >> > Administrator and created an RA. Rebooted, logged in as Administrator
> >> >> > and decrypted the 200 files.
> >> >> >
> >> >> > In this case, I created the RA after the files were already encrypted,
> >> >> > so why am I ABLE to decrypt the 200 files?
> >> >> >
> >> >> > Anyway, to resolve the problem, you asked me to do an experiment and
> >> >> > told me to "export" & "delete" the user's private key before creating
> >> >> > the RA. I did this, and now the RA cannot delete the 200 files (which is
> >> >> > the way it is supposed to work).
> >> >> >
> >> >> > My question is, why did you suggest to "export" & "delete" the user's
> >> >> > private key, then create the RA? And also, why does this work, and what
> >> >> > did I do wrong?
> >> >> >
> >> >> > Thanks, Dave
> >> >> >
> >> >> > ---------------------------------------------------
> >> >> >
> >> >> >> So what did you exactly do? Create a user, encrypt some files, remove
> >> >> >> the user's EFS certificate private key, create an RA, and not be able to
> >> >> >> decrypt files as RA? Or did you use your current configuration where the
> >> >> >> RA could decrypt the user's files, remove the user's EFS certificate
> >> >> >> private key, and the RA can no longer decrypt files? Did you look to see
> >> >> >> if the RA had more than one RA certificate? --- Steve
> >> >> >>
> >> >> >>
> >> >> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
> >> >> >> > Steve, I did what you said (below) and "exported" & "deleted" the
> >> >> >> > user's private key, and now it's acting correctly. Why is this?
> >> >> >> >
> >> >> >> > I don't understand, please explain.
> >> >> >> >
> >> >> >> > Thanks, DJ
> >> >> >> >
> >> >> >> > "Steven L Umbach" wrote:
> >> >> >> >
> >> >> >> >> Hmm. Have you tried first exporting/deleting the user's private key
> >> >> >> >> before creating the RA to see what happens, or rebooting the computer
> >> >> >> >> before you created the RA with cipher /R with the user's private key
> >> >> >> >> still on the computer? XP is supposed to flush the EFS cache at logoff.
> >> >> >> >> Did you remove any old RA from the RA user's certificate store via the
> >> >> >> >> mmc snap-in for certificates and then log off as the RA? You can use
> >> >> >> >> efsinfo to see what RAs are included in a user's EFS file and examine
> >> >> >> >> the certificate thumbprint to see exactly what RA certificate is being
> >> >> >> >> used if there is more than one available. You might also want to post
> >> >> >> >> in the Microsoft.public.security.crypto newsgroup. --- Steve
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> >> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
> >> >> >> >> > I set up a brand new XP install. Set up a new local user named Joe
> >> >> >> >> > and logged in as Joe. Created a new directory and encrypted 200
> >> >> >> >> > files in this directory.
> >> >> >> >> >
> >> >> >> >> > Logged off and logged in as Administrator. Created a DRA (ex: Cipher
> >> >> >> >> > /r:Filename, imported certificate and private key into the local
> >> >> >> >> > certificate store, ran gpedit.msc and added the DRA). After this, I
> >> >> >> >> > tried to unencrypt the directory while logged in as Administrator and
> >> >> >> >> > it let me!!! Why is this? It shouldn't allow me to decrypt 200 files
> >> >> >> >> > that were encrypted before a DRA was created.
> >> >> >> >> >
> >> >> >> >> > I don't get this crap. Many articles state that you have to create
> >> >> >> >> > the DRA before encrypting the files so that the DRA can decrypt them.
> >> >> >> >> > If you don't, then you need to run cipher /u to update the encrypted
> >> >> >> >> > files so that the newly created DRA will work with older encrypted
> >> >> >> >> > files.
> >> >> >> >> >
> >> >> >> >> > In my case, I created the DRA after the files were already encrypted
> >> >> >> >> > and "never" ran a cipher /u. Does anybody know what could cause this?
> >> >> >> >> >
> >> >> >> >> > Thanks, DJ
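The mechanism Steve describes in the thread (a DRA named in policy only reaches an already encrypted file when someone who can open that file rewrites its header, which is why deleting the user's private key first leaves the DRA locked out) is modelled in the following Python. This is an added example, not code from the thread or from Windows: the toy ElGamal wrap standing in for the RSA certificate, the `KeyPair`, `EfsFile` and `scenario` names, and the sample file contents are all constructed for illustration.

```python
import hashlib, secrets

# Toy ElGamal over Z_p* (p = 2^31-1, generator 7) stands in for the RSA key pair in an EFS
# certificate. Toy-sized and not secure; only the wrap/unwrap asymmetry matters for the model.
P, G = 2**31 - 1, 7

class KeyPair:
    """A user's or recovery agent's EFS certificate: public half wraps, private half unwraps."""
    def __init__(self, name):
        self.name, self.private = name, secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)

def wrap(fek, public):            # anyone holding the certificate can wrap a FEK to it
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), fek * pow(public, k, P) % P
def unwrap(c1_c2, private):       # only the matching private key recovers the FEK
    c1, c2 = c1_c2
    return c2 * pow(c1, P - 1 - private, P) % P
def keystream_xor(data, fek):     # file body under the FEK: toy SHA-256 counter-mode stream
    stream = b"".join(hashlib.sha256(fek.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class EfsFile:
    """Header stores the FEK only in wrapped form: DDF entries for users, DRF entries for agents."""
    def __init__(self, data, owner):
        fek = secrets.randbelow(P - 2) + 1
        self.ciphertext = keystream_xor(data, fek)
        self.ddf = {owner.public: wrap(fek, owner.public)}
        self.drf = {}                         # empty: no DRA existed when the file was written
    def _open_fek(self, key):                 # None when this certificate has no entry
        wrapped = self.ddf.get(key.public) or self.drf.get(key.public)
        return None if wrapped is None else unwrap(wrapped, key.private)
    def decrypt(self, key):                   # None means "access denied"
        fek = self._open_fek(key)
        return None if fek is None else keystream_xor(self.ciphertext, fek)
    def refresh_drf(self, key, policy_agents):
        """Header rewrite done when a key holder opens the file or runs cipher /u."""
        fek = self._open_fek(key)
        if fek is None:
            raise PermissionError(f"{key.name} cannot open the file, so cannot add a DRF")
        self.drf = {a.public: wrap(fek, a.public) for a in policy_agents}

def scenario(user_key_available):
    """(DRA can decrypt before the header refresh, DRA can decrypt after it)."""
    joe, admin = KeyPair("Joe"), KeyPair("Administrator")
    f = EfsFile(b"constructed sample: one of Joe's 200 files", joe)
    before = f.decrypt(admin) is not None     # DRA set in policy after encryption: no DRF yet
    if user_key_available:                    # Joe logs on with his private key still present
        f.refresh_drf(joe, [admin])           # exported/deleted first: nobody can add the DRF
    return before, f.decrypt(admin) is not None
```

`scenario(True)` reproduces Dave's observation (the DRA can decrypt once the user has logged on), and `scenario(False)` reproduces the export/delete experiment (the DRA never gains access).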