efs questions

B

Bill B

Im a bit confused on EFS...

1. In order to set up additional recovery agents for a domain (other than
administrator) , is it necessary to install an enterprise certificate
authority on the first domain controller?

2. If this is the case, does the certificate authority have to be on the
first domain controller? The first DC in this domain is going to be a
temporary box that will eventually go away. Will this prevent me from
setting up recovery agents on the eventual domain controller that will have
all the "primary" roles?

3. finally should the EFS recovery agents be designated in the local,
domain, or domain controller security policies?



I basically want to set up an additional account as a recovery agent in case
people encrypt files, dont back up their keys, and either lose thier profile
or leave. But i dont want to tie myself to the temporary DC, i want the role
to be taken over by the permanant DC with all the "primary" roles, and
possible a second DC for redundancy

Thanks.
 
S

Steven L Umbach

I believe that there other ways to create more recovery agents. One
being the latest cipher utility [XP, 2003, and I think SP4 - but not 100
percent sure]. However I think creating a CA would be the best way and not
really that hard. You may also find you want certificates for things like
l2tp down the road.

No, your CA does not have to be on the first domain controller. Be sure to
back it up often including the System State and keep it physically secure as
all domain controllers should be.

Recovery agents are generally designated at the domain level, but you can
also do it at OU level if you have special needs or possibly want certain
computers to not be able to encrypt files - a W2K computer can not use EFS
if a recovery agent is not available.

Please have a thorough understanding of the risks involved with EFS before
implementing. EFS encrypted data is not safe as long as the user private key
or recovery agent key is still on the computer. If you have a computer with
very sensitive data, you also need to "wipe" that hard drive on a regular
basis. Temporary files are created while a file is encrypted and deleted EFS
files may be recoverable. Use something like East - Tec Eraser to wipe drive
and scramble deleted file names. The cipher /w command is supposed to also
permanently delete EFS file remnants. See KB articles for more info. ---
Steve

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/catruststeps
..asp
http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://support.microsoft.com/default.aspx?scid=kb;en-us;255742
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

EFS recovery agents 3
Domain EFS Recovery Agent 2
DRA Problem w/ Windows XP Pro in Workgroup 4
EFS recovery agent in Default Domain Policy with a self signed cer 5
EFS Auto enroll 0
bug with efs on server 2003 5
EFS - setting up Recovery Agent 4
Recovery Agent fails to recover Encrypted Data 2

Top