EFS Recovery Agent

hw

hi all security people,
I face the problem that I cannot recover files with the designated RA at
the domain level.
I have set up a CA on a W2K server and assigned the EFS Recovery certificate to
the domain Administrator.
When I try to decrypt a backed-up (.bkf) file on a computer where I put the
designated RA key in the Local Policy, I cannot.
I followed the MS documentation/help about this.
Could it be that I have encrypted the files on XP Pro and then try to
decrypt on W2K? (Perhaps CryptoAPI differs?)
Any clues about setting up a Domain RA, thanks!

C.
 
Steven L Umbach

It could be an issue with the encryption method. See the link below for
information on that. Try doing it on an XP SP1 domain computer by restoring
the file and importing the RA .pfx file that contains the private key.
Efsinfo may also be helpful in determining if you are using the right RA, as
it can display thumbprint info on the certificates, which would need to
match. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;329741
http://support.microsoft.com/default.aspx?scid=kb;en-us;243026
 
hw

I found out with efsinfo.exe that there is no RA; only the user that
encrypted has the rights to decrypt. I do not see why the RA is not visible
in the system?
Thanks.
 
Steven L Umbach

Maybe that file was encrypted before the RA policy was in effect. XP Pro
does not have to have an RA while W2K does. --- Steve
 
hw

You're right, the policy wasn't in effect.
So, if I have files encrypted before a new policy, I cannot decrypt them with the
new one. Obviously the keys are different...
Also, in order for the Dom Admin to decrypt files on local computers I have to
define a policy at the local machine, as I saw. When this is not defined the
files cannot be decrypted.

Isn't it possible (how?) to define a policy only at DNS that affects local
policies? So I do not have to change it for every PC.

Thanks for your time.
C.
 
Steven L Umbach

You can define an RA for the domain machines via Group Policy/computer
configuration, but it will only take effect on files encrypted after that RA
is in force, or possibly if an EFS file has been modified - I am not 100
percent sure, but you could test it out. The cipher command on the XP boxes has
a /U switch to update an EFS file's RA, which you could try to use to see if
it will then include the domain RA on those previously encrypted files. If
that works, you could use cipher /U as a startup script on your XP boxes
to update their EFS files to the domain RA. See the info below on the different
types of recovery policies and how to change them. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cipher.mspx
http://www.microsoft.com/windows200...0/en/advanced/help/sag_SEconceptsUnRecPol.htm
http://tinyurl.com/2lo2w -- same link as above, shorter in case of wrap.

Types of recovery policies
Administrators can define one of three kinds of policies: a no-recovery
policy, an empty recovery policy, or a recovery policy with one or more
recovery agents.

a. Recovery-agent policy. When an administrator adds one or more recovery
agents, a recovery-agent policy is in effect. These agents are responsible
for recovering any encrypted data within their scope of administration. This
is the most common type of recovery policy.
b. Empty recovery policy. When an administrator deletes all recovery
agents and their public-key certificates, an empty recovery policy is in
effect. An empty recovery policy means that no one is a recovery agent, and
that users cannot encrypt data on computers within the scope of influence of
the recovery policy. The effect of an empty recovery policy is to turn off
EFS altogether.
c. No-recovery policy. When an administrator deletes the group recovery
policy, a no-recovery policy is in effect. Because there is no group
recovery policy, the default local policy on individual computers is used
for data recovery. This means that local administrators control the recovery
of data on their computers.
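The checks Steve describes (efsinfo to see which RA, if any, is listed on an encrypted file, and whether the domain RA has reached files encrypted before the policy existed) can be scripted on later Windows versions. The following is an added example and is not code from this thread or from Microsoft: it walks a folder, picks out files with the Encrypted attribute, and parses the text that "cipher /c" prints to report files that carry no recovery agent. "cipher /c" exists on Windows Vista and later (the XP-era posts use efsinfo /r for the same purpose); the section names "Recovery Certificates:" and "Key Information:", the phrase "No recovery certificate found" and the path C:\Users\alice\Documents are assumptions about the output format and a constructed sample path.

```powershell
# Added example (not from the thread). Report EFS-encrypted files that have no
# recovery agent, using the text output of "cipher /c" (Vista and later).
# ASSUMPTION: cipher /c prints a "Recovery Certificates:" section, ended by
# "Key Information:", containing one agent line plus a "Certificate thumbprint:"
# line per agent, or "No recovery certificate found." when there is none.

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted attribute bit marks files protected by EFS.
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Get-EfsRecoveryAgent {
    param([Parameter(Mandatory)][string]$FilePath)
    $lines = & cipher.exe /c "$FilePath" 2>&1 | ForEach-Object { "$_" }
    $agents = @()
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inSection = $true; continue }
        if ($inSection -and $line -match '^\s*Key Information:') { break }
        if ($inSection) {
            $t = $line.Trim()
            # Keep only the agent name lines; skip thumbprints and the "none" marker.
            if ($t -and $t -notmatch '^No recovery certificate' -and
                $t -notmatch '^Certificate thumbprint') {
                $agents += $t
            }
        }
    }
    return $agents
}

function Get-EfsRecoveryReport {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($f in Get-EfsEncryptedFile -Path $Path) {
        $agents = @(Get-EfsRecoveryAgent -FilePath $f.FullName)
        [pscustomobject]@{
            File           = $f.FullName
            RecoveryAgents = if ($agents.Count -gt 0) { $agents -join '; ' } else { '' }
            NoRecoveryAgent = ($agents.Count -eq 0)
        }
    }
}

# Files with NoRecoveryAgent = True were encrypted while no RA was in force
# (the situation hw and Farhan describe) and cannot be opened by the domain RA
# until the owner logs on again and the file is re-keyed.
Get-EfsRecoveryReport -Path 'C:\Users\alice\Documents' | Format-Table -AutoSize
```

Run it as a user who can read the files (the RA, or an administrator) on each workstation; on an XP machine substitute efsinfo /r for the cipher call and adjust the section names to its output. Because cipher's wording is not documented as stable, verify the parsed result against a hand-run "cipher /c" on one known file before trusting the report across a domain.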
 
Steven L Umbach

I may have been in error. I just tested on my home domain - W2K DC and XP Pro
workstation domain member.

I encrypted a file while logged on the XP box as a local user with no RA, and efsinfo
verified that. I then added an RA to the domain. After I rebooted the XP computer and
logged on as the user who encrypted the file, the domain RA showed as an RA via
efsinfo on the encrypted file that previously did not have an RA. So apparently after
you define an RA for the domain/OU policy, it should show up on EFS files that are
already encrypted on domain machines after the user who created the files has logged
on. After further thought, my previous comment on using cipher /U as a startup script
would not work due to the nature of how EFS protects files. Sorry for any
confusion. --- Steve
 
Guest

Greetings

Well, I have a similar kind of problem, but slightly different. I have Windows XP Pro and my office documents are encrypted. I was on a domain when I encrypted them and no RA was installed on the domain, so my local computer generated an encryption certificate and added a recovery agent as Administrator. But the problem is that 2 weeks back our server crashed and due to some reason we are unable to recover the old domain, so we installed a new domain and I transferred my Windows XP to the new domain. So now the problem is that I can't access my data; it gives me an "access denied" error.

Is there some one who can help me here

Farhan
 
hw

I do not think you would be able to recover them unless you have put the old
local RA with the old keys on the system where they were encrypted.

Farhan Khan said:
Greetings,

Well, I have a similar kind of problem, but slightly different. I have
Windows XP Pro and my office documents are encrypted. I was on a domain when
I encrypted them and no RA was installed on the domain, so my local computer
generated an encryption certificate and added a recovery agent as
Administrator. But the problem is that 2 weeks back our server crashed
and due to some reason we are unable to recover the old domain, so we installed
a new domain and I transferred my Windows XP to the new domain. So now the problem is
that I can't access my data; it gives me an "access denied" error.