DRA is Decrypting Files when it shouldn't be!!!

Steven L Umbach

Comments inline.

DJ said:
OK, I'm understanding what you're saying, but...

This is why I think you really never have to create a DRA before you start
encrypting files. You can create that DRA way after the fact (after you've
encrypted 10,000 files) and that same DRA will decrypt every one of them with
no problems.

That is only the case if the user still has his EFS private key in his user
profile. The problem is if the user ever loses access to his private key due to
corruption of his user profile, deleting his user profile, forgetting his
password on a non-domain computer, or reinstalling the operating system to a
formatted system drive; then the user has permanently lost access to his EFS
files unless a RA had been previously configured [assuming no other user
could decrypt the files, he did not back up his private key to a password
protected .pfx file, there was not a backup of his user profile that
contained his EFS private key, or as a domain user his EFS private key was
not archived].

Because if you follow what I'm saying in a "test lab" and you encrypt files
under a user account, then create a DRA, log off the Administrator once the
DRA is implemented, log on as the user that encrypted the files, then log off
as the user, log back on as Administrator, you can decrypt every pre-DRA
encrypted file that was encrypted by the user.

That is standard operating procedure when a RA has been defined in the
security policy of the computer assuming the user has his EFS private key
in his user profile/certificate store, though cipher /u is best practice to
make sure all files have been updated with the new RA.

Remember something... before the first logoff as Administrator (after the DRA
is implemented), you cannot decrypt anything, but once you log on for the
second time as Administrator, you can copy or open any pre-DRA encrypted file
that you want.

Again that is normal, with the key being that you logged on as the user that
encrypted the EFS files with his EFS private key in his profile and the
RA was configured in security policy before you logged on as the RA
again. --- Steve
 

Guest

Steve, I think I'm getting it...

In order for a file to be assigned a DRA (especially an encrypted file that
is created before a Windows XP DRA is set up), I need to complete the
following steps:

Log on as the user that encrypted the file so that the user's private key
will be able to open the file to create a DRF in the header. Once the DRF is
created and updated with the DRA and I log off as the user, I can then log on
as the Administrator that is designated as the DRA and open the encrypted
file that I once could not open as the Administrator.

Is this right?

Thanks, Dave
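The procedure Steve describes and Dave restates (create the RA, log on as the original user so cipher /u can rewrite the headers, then log on as the RA) written out as an added example. This is not code from the thread; it assumes Windows Vista or later, where cipher.exe has the /c switch that shows the DDF and DRF entries of a file header (Windows XP's cipher lacks /c, so the same check there needs efsinfo.exe from the Resource Kit), and every path, file name and the exact "Recovery Certificates: None" wording it matches on are assumptions. cipher /u only rewrites files whose FEK the current user's private key can unwrap, which is why it has to run as that user and not as the Administrator.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later (cipher /c);
# paths and names are placeholders.

# --- Once: create the recovery agent key pair ---------------------------------
# cipher /r writes dra.cer (public half, imported under Local Security Policy >
# Public Key Policies > Encrypting File System > Add Data Recovery Agent) and
# dra.pfx (private half, password protected; this is what unwraps the DRF).
# cipher.exe /r:C:\Secure\dra

function Test-EfsHasRecoveryAgent {
    # Returns $true when the file header carries a DRF for a recovery agent and
    # $false when cipher /c reports no recovery certificate. Assumption: cipher /c
    # prints a "Recovery Certificates:" section followed by "None" in that case.
    param([Parameter(Mandatory)][string]$Path)
    $text = (cipher.exe /c $Path 2>&1 | Out-String)
    if ($text -match 'Recovery Certificates:\s*\r?\n\s*None') { return $false }
    if ($text -match 'Recovery Certificates:')                { return $true }
    throw "Unexpected cipher /c output for $Path"
}

function Update-EfsRecoveryField {
    # cipher /u walks every encrypted file on local drives and rewrites the header
    # with the current user key and the RA currently in policy; /n lists the files
    # it would touch without changing them. It can only add a DRF to files whose
    # FEK the logged-on user's private key unwraps, so run it as that user.
    param([switch]$WhatIf)
    if ($WhatIf) { cipher.exe /u /n } else { cipher.exe /u }
}

# --- Step 1: logged on as the ORIGINAL user who encrypted the files -----------
$file = 'C:\Data\pre-dra.txt'      # placeholder: encrypted before the RA existed
Test-EfsHasRecoveryAgent $file     # does the header carry a DRF yet?

# Back up the user's own EFS certificate and private key first (cipher /x prompts
# for a password and writes a .pfx). Without this, or an RA, losing the profile
# means losing the files, which is Steve's point above.
# cipher.exe /x:C:\Backup\user-efs

Update-EfsRecoveryField -WhatIf    # dry run: list the files that would be updated
Update-EfsRecoveryField            # rewrite headers, adding the DRF for the RA
Test-EfsHasRecoveryAgent $file     # re-check the header after the update

# --- Step 2: log off, log on as the account holding dra.pfx, and prove it -----
# Get-Content -Path 'C:\Data\pre-dra.txt'
```

If the file still shows no recovery certificate after cipher /u, the RA was not in effect for that logon (policy is read at logon, hence Steve's logoff/logon sequence) or the user's private key could not unwrap the FEK, in which case no DRA can be added after the fact and only a backup of the user's key or profile recovers the data.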
 
