		Howard
I've been reading up on EFS, but still have many questions.  If anyone
knows the answer, I'd appreciate their help!
My set-up: Win2K with AD environment (CA is present). I made myself
the file recovery agent (FRA). The Domain Group Policy lists my
certificate as the recovery agent and has the "no override" switch so
local policies can't interfere with Domain policies. My account is
part of the Domain Administrators Group.
Questions:
1. If someone encrypts files on their local computer (in a domain
based environment) and later needs them to be decrypted by the FRA,
Microsoft recommends backing up the encrypted file/directory, and then
restoring it to my own computer (since my private key as the FRA is on
my local machine). Then I'm able to decrypt the files. Can I just
map a drive to the other person's computer and decrypt? Do I have to
backup and restore? Why not just copy or move - or better still, map
a drive and decrypt remotely?
2. EFS on a file server: Let's say someone encrypts their shared
drive on a file server. Can I decrypt it if I map a drive?
3. Can my recovery agent certificate be copied and installed to
multiple computers? (ya, I know the security risks) For example, I
use two computers right next to each other. I'd like to be able to
decrypt from either PC. Can I export (without deleting keys) and then
import to another computer?
4. The FRA can view and decrypt other people's encrypted files. If
they just view it, will the user know? In our company, the HR Dept.
and Execs don't even want the administrators to have access to their
files. Will EFS give them peace of mind knowing that if the FRA
decrypts or views their files, they will know about it? After all,
pretty much any domain admin can add themselves as the File Recovery
Agents.
Thanks,
Howard
