Encrypting File System (EFS)

The most important thing you need to understand about EFS as a System Admin is how to recover an encrypted file if necessary. This ability does not have to be limited to the Administrator, although this account is the only recovery agent by default. Before going into too much detail, you should first understand that on a non-domain system, the local Administrator account is the recovery agent. However, once a system is joined to a domain, the domain Administrator account becomes the default recovery agent (with settings found in the Default Domain Policy). Recovery agents are configured via Group Policy, in the following location:

Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Encrypted Data Recovery Agents.

You can add or delete recovery agents as necessary, as long as they have a valid certificate. The certificate for the administrator account is created automatically, but you would need to create (or already have in Active Directory) ones for other users you wish to add as recovery agents.

But as a recovery agent, how do I actually open a file I need to recover? Well, if the user sends you the file, or you’re using roaming profiles and log on to their machine, then all you need to do is double-click the file and it will open normally. However, if you are not using roaming profiles, and the user cannot send you the file because of security concerns, then you will need to transfer your certificate and private key to the target machine in order to decrypt the FEK and ultimately the file. What you’ll first need to do is export your recovery certificate and private key to a file, probably on a floppy disk. If you export your private key, it must be password protected. To do this, you need to use the ‘Certificates’ snap-in in the MMC, then find your recovery certificate under Personal Certificates, and choose Export from the shortcut menu. To install the certificate on the target system, simply double-click the file and follow the instructions provided by the Certificate Import Wizard. Finally, for security reasons, you should export your certificate and delete your private key from the target machine once you have decrypted the necessary files. This ensures that should your account be compromised, the user would not be able to decrypt files on the system using the recovery agent private key.
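The same export, import, decrypt and clean-up steps, scripted in PowerShell as an added example (this is not code from the original article). It assumes the PKI module cmdlets (Windows 8 / Server 2012 or later), that your recovery certificate carries the EFS "File Recovery" EKU, and placeholder paths for the removable media and the user's file.

```powershell
# Added example: script the recovery-agent workflow described above.
# Assumptions: run as the recovery agent; the recovery certificate (EKU
# "File Recovery", OID 1.3.6.1.4.1.311.10.3.4.1) with its private key is
# in your personal store; A:\ and the target file path are placeholders.

# --- On the recovery agent's own machine: export certificate + private key ---
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $efsRecoveryOid) } |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS recovery certificate with a private key found.' }

# A PFX that contains the private key must be password protected.
$pfxPassword = Read-Host -AsSecureString 'Password for the exported PFX'
Export-PfxCertificate -Cert $cert -FilePath 'A:\recovery-agent.pfx' -Password $pfxPassword | Out-Null
# Keep a copy of the public certificate on its own; it is harmless without the key.
Export-Certificate -Cert $cert -FilePath 'A:\recovery-agent.cer' | Out-Null

# --- On the target machine, logged on as the recovery agent ---
$imported = Import-PfxCertificate -FilePath 'A:\recovery-agent.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# cipher.exe /d decrypts the file; EFS unwraps the FEK with the recovery agent's
# private key because that key is now available in the current user's store.
cipher.exe /d 'C:\Users\jdoe\Documents\report.docx'
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Clean up: delete the imported certificate together with its private key so the
# recovery key does not stay behind on the user's machine.
Remove-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)" -DeleteKey

# Verify that no recovery private key remains in this user's store.
$leftover = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $efsRecoveryOid) }
if ($leftover) { Write-Warning 'Recovery private key still present; remove it before leaving.' }
else { Write-Host 'Recovery private key removed from this machine.' }
```

If the file was decrypted under a different Windows account than the one that imported the PFX, the key will not be found; import and decrypt in the same logon session.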

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.