New EFS tool available - EFS Certificate Configuration Updater

mikesmithlonergan

Following on the heels of the recent release of the EFS Assistant
shared-source tool, I am proud to announce the release of another tool
to smooth the path for reliable recovery of EFS'd files:

EFS Certificate Configuration Updater (http://www.codeplex.com/EFSCertUpdater/)

__Why should you care?__
- You'll be interested if you're using EFS, and
- You've tried to make sure that you (or your users) are using the EFS
certificate that was archived (with its private key) in your Microsoft
Certificate Server.

__What difference will it make?__
- When users need to recover access to *ALL* their EFS'd files, and
- When you want to make the process as fast and painless for the users
as possible
- The copy of the user's archived EFS keys that you extract from your
Certificate Server should be (almost) guaranteed to decrypt all the
user's encrypted files.

There are a number of my customers who expressed concerns that even if
they did everything right - enabling Autoenrollment policy, creating
"version 2" certificate templates for use with EFS, automatically
archiving the user's EFS keypair at enrollment time - there's still no
guarantee that the user's PCs were actually *using* those archived EFS
keys to encrypt files.

Most of the time it works fine, but they told me they'd seen cases
where:
- users had once tried using EFS, and abandoned it later, but the new
EFS certificate didn't replace the pre-existing (non-archived) EFS
certificate, so all files continued to be encrypted with an
unrecoverable key
- users had encrypted files before the PKI was in place, then upgraded
their certificate, but their existing encrypted files weren't updated
to be encrypted with the new keys

No, I'm not trying to panic anyone - like I said, this affects a small
fraction of the user population in most wide-scale EFS deployments.
However, it's an issue I've heard over and over again, and this tool
should help folks get on with their deployments.

__How does it work?__
- The tool works strictly at the command line - it presents no UI
- It searches through all the EFS certificates the user has in their
personal certificate store (aka the "MY store")
- It keeps searching until it finds a certificate that (a) is still
valid, (b) is not self-signed, (c) has an associated private key, and
(d) has the EFS EKU
- Once it identifies a suitable certificate, it checks whether that is
the currently-configured certificate; if not, then it updates the
CertificateHash registry setting and quits
- Oh, and it generates a log file of its activity

__What does it require?__
- .NET 2.0
- XP or Vista (only been tested on XP so far)
- it doesn't require Admin rights, but I bet it'd barf if it ran under
DropMyRights

__How often would I have to use this tool?__
- In theory, once
- All you really need is to get the user *off* their self-signed
certificate, and encrypting with the v2 certificate
- From there, Autoenrollment should be able to keep renewing EFS
certificates with no failures - unless the user's PC is off the
company network for months at a time

__What's next for the EFS Cert Updater?__
- Do some further robustness testing to see if there are any
circumstances under which non-v2 EFS certs could be selected
- Add a command-line parameter to specify an exact Certificate
Template from which the selected EFS cert must be enrolled
- Enable a capability to archive (i.e. hide) all other EFS
certificates except the selected one
- Add capability to write to the Application Event Log
- Enable a capability to select the "best" EFS certificate if multiple
are found


Please browse the web site, leave some feedback or questions, and give
it a spin. All assistance is greatly appreciated.

Cheers,
Mike Smith-Lonergan
http://www.codeplex.com/EFSCertUpdater
http://paranoidmike.blogspot.com/
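The selection logic described in the post above (valid, not self-signed, private key present, EFS EKU, then compare against the CertificateHash registry value) can be audited without changing anything. The script below is an added example written for this page; it is not code from the EFS Certificate Configuration Updater. It only reports, it never writes the registry, and it assumes a PowerShell 3 or later host, the standard EFS EKU OID, and that `CertificateHash` under `HKCU\...\EFS\CurrentKeys` holds the raw SHA-1 thumbprint bytes of the configured certificate.

```powershell
# Added example, not code from the EFS Certificate Configuration Updater.
# Read-only audit: lists the current user's EFS certificates that pass the
# four tests the tool applies (valid, not self-signed, private key present,
# EFS EKU) and reports whether EFS is currently configured to use one of them.
# Assumptions: the EFS EKU OID and the CurrentKeys\CertificateHash registry
# location are the standard Windows ones; CertificateHash is assumed to hold
# the raw SHA-1 thumbprint bytes of the configured certificate.

$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$EfsKeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Test-EfsUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    # (a) still valid
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }
    # (b) not self-signed (subject equal to issuer is the simple test)
    if ($Cert.Subject -eq $Cert.Issuer) { return $false }
    # (c) has an associated private key
    if (-not $Cert.HasPrivateKey) { return $false }
    # (d) carries the EFS EKU
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
}

function Get-ConfiguredEfsThumbprint {
    # Returns the thumbprint EFS currently encrypts with, or $null if none is set.
    $item = Get-ItemProperty -Path $EfsKeyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.CertificateHash) { return $null }
    return (($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Walk the personal ("MY") store and keep only certificates that pass all four tests.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsUsable -Cert $_ })
$configured = Get-ConfiguredEfsThumbprint

"Configured EFS thumbprint: " + $(if ($configured) { $configured } else { '<none>' })
foreach ($c in $candidates) {
    $mark = if ($c.Thumbprint -eq $configured) { 'CURRENT' } else { 'candidate' }
    '{0,-9} {1} expires {2:yyyy-MM-dd} {3}' -f $mark, $c.Thumbprint, $c.NotAfter, $c.Subject
}

if ($candidates.Count -eq 0) {
    Write-Warning 'No valid, CA-issued EFS certificate with a private key in the MY store.'
} elseif ($candidates.Thumbprint -notcontains $configured) {
    Write-Warning 'EFS is not configured to use any of these; new files are being encrypted with a key that may not be archived.'
}
```

Run it in the user's own session (no admin rights needed, as with the tool). A warning from the last block is exactly the situation the post describes: a recoverable, CA-issued certificate exists in the store, but EFS is still pointed at a self-signed or otherwise non-archived key. The tool itself performs the corresponding update of CertificateHash; this script stops at reporting.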
 
Stefan Engelbert

Malke - you are talking BULL SHIT

I was exactly looking for such an EFS Tool!
 
Paul Adare

(e-mail address removed) wrote:
> spam

You need to get a grip. Mike Smith-Lonergan, until fairly recently, was
one of the security gurus at Microsoft and when it comes to EFS, he
definitely knows what he's talking about. As someone who deploys enterprise
PKI solutions, with a number of large scale EFS deployments under my belt,
I can tell you Malke that this is anything but SPAM. Did you even check the
link before you posted your knee-jerk reaction? As the first sentence on
the CodePlex home page states: "CodePlex is Microsoft's open source project
hosting web site". Fixing mom and dad's computers for a living doesn't give
you the right to make these kinds of judgement calls, especially when you
clearly don't know what you're talking about.
You owe Mike an apology.
 
Guest

Is advertising a free utility to an audience who might find a use for it
spam? No I wouldn't think so.

Only thing is, the bugs he mentions just tend to confirm my thoughts that
anyone who uses EFS is taking an insane risk.

Reliable security is that in which the key is tested regularly, by way of
actually and deliberately using that key. That way, you know if the key works
or not. Issue with EFS is that you never really know what key (if any key!)
is being used. Until it breaks, that is. Then, you get to keep both pieces.
 
Vanguard

Paul Adare wrote:
> You need to get a grip. Mike Smith-Lonergan
<snip - Mike's personal history - irrelevant to spam/ham
determination>
<snip - Paul's personal history - irrelevant to spam/ham
determination>
> Did you even check the
> link before you posted your knee-jerk reaction?

I did visit the page. That the tool is free and written or
[co]developed by a non-spammer is irrelevant regarding the spam/ham
determination of his *post*.
> As the first sentence on
> the CodePlex home page states; "CodePlex is Microsoft's open source
> project hosting web site".

I wouldn't want to see every open-sourced project on sourceforge.net
spammed here, either.
> Fixing mom and dad's computers for a living doesn't give
> you the right to make these kind of judgement calls,

Also irrelevant to the spam/ham determination of Mike's post. The
effectiveness and usability of the product is irrelevant to the actual
post. The post is not the product. Mike wanted to let the community
know about his new tool. Seems like putting it in his signature when
he actually is submitting a non-spam post would be just as effective
but would probably delay when he could announce it.
> You owe Mike an apology.

So is the only consideration as to whether or not a post is spam based
solely on whether the product or service it attempts to proliferate is
free or not? I don't ever recall that the cost of a product or
service was a criterion to identify spam (in newsgroups). Repeated
off-topic fanatic religious posts are spam but are not begging for any
monies. Since what they proffer is free then it must not be spam?
Didn't think so.

Yes, it may be a good tool; however, would you want to see the
newsgroups littered with posts regarding every free utility from
Microsoft or every free utility that anyone anywhere has created?
There are newsgroups devoted for spewing out posts on free stuff. I
wasn't aware that this newsgroup was one of them.

Stop confusing spam as always having to do with someone trying to get
money. Every user of Teranews' free NNTP server is spamming due to
the signature that Tera slaps onto every one of those users' posts.
Every outbound e-mail sent through a free Hotmail or Yahoo Mail
account is spam because of a promotional signature that gets appended.
Just because those services are free doesn't magically alter that they
are spamifying every post or e-mail sent through them. Hawking your
product, especially when unsolicited, is also spam regardless that it
is free, regardless that it is useful, and regardless of who wrote it.
Would you really want to see this newsgroup inundated with posts for
every free [security] program out there?
 
Guest

Vanguard said:
> So is the only consideration as to whether or not a post is spam based
> solely on whether the product or service it attempts to proliferate is
> free or not?

I agree, it's a gray area.
> Fixing mom and dad's computers for a living doesn't give
> you the right to make these kind of judgement calls..

Also agree that there can sometimes be too much big-network guy snobbery in
here. Fixing home computers for a living can be a very much more challenging
job than running a corporate helpdesk, which by comparison is a relatively
static, tightly-disciplined and predictable environment.
 
david.wozny

What are you trying to achieve here?

Lots of people on this newsgroup genuinely appreciate the time and
attention that people like Paul Adare give to supporting us IT pros
who are sometimes just a little bit out of our depth and hugely
respect the experience and knowledge he imparts.

Your smug, schoolboy flame is enough to make us wanna puke.
 
Shenan Stanley

david.wozny said:
> What are you trying to achieve here?
>
> Lots of people on this newsgroup genuinely appreciate the time and
> attention that people like Paul Adare give to supporting us IT pros
> who are sometimes just a little bit out of our depth and hugely
> respect the experience and knowledge he imparts.
>
> Your smug, schoolboy flame is enough to make us wanna puke.

This thread has many responders over the last 7 days.
We have *no idea* who your response is actually aimed at.
Please clarify whom you are addressing and for what.

Entire Thread:
http://groups.google.com/group/micr...c4f91335819?lnk=st&q=&rnum=2#83643c4f91335819
 
Paul Adare

> This thread has many responders over the last 7 days.
> We have *no idea* who your response is actually aimed at.
> Please clarify whom you are addressing and for what.

Who is "we" exactly? I'd thought that given the threaded nature of NNTP
discussion groups it should be pretty obvious that Don's response was
aimed at the person to whose post he responded.
 
Shenan Stanley

Shenan said:
> This thread has many responders over the last 7 days.
> We have *no idea* who your response is actually aimed at.
> Please clarify whom you are addressing and for what.

Paul said:
> Who is "we" exactly? I'd thought that given the threaded nature of
> NNTP discussion groups it should be pretty obvious that Don's
> response was aimed at the person to whose post he responded.

I notice you included who you were responding to as well as WHAT you were
responding to...

Any reason?

Don't you normally reply in this manner - with some remnant of what you are
responding to *in* your response?

As for who the "we" is - as you may know - the newsgroups are replicated
across MANY MANY news servers across the globe. Some of these news servers
erase messages at a steady pace - so that a reply without any reference to
the original posting may exist on some newsgroups. There are many times
people will only see the reply to a post and not the original question on
the news server of their choice because of said replication - that is why it
is generally accepted that in a newsgroup post you maintain some remnants of
what you are responding to for such occurrences.

Therefore - it is likely that someplace on some news server - someone only
sees Don's response and NOTHING of the thread before that. Another reason
that I posted the Google groups link to the entire thread. So that it might
make sense to people who might not be using a news server where they see
everything OR they are using a newsreader whose settings might only get so
many days back of posts, etc.

Just because you are not a part of the "we" does not mean the "we" does not
exist. ;-)

Entire Thread:
http://groups.google.com/group/micr...c4f91335819?lnk=st&q=&rnum=2#83643c4f91335819
 
Paul Adare

> Just because you are not a part of the "we" does not mean the "we" does not
> exist. ;-)

The use of "we" in a forum like this is presumptuous and arrogant. You are
entitled to your opinion, you're not entitled to pass it off as that of
others.
 
Shenan Stanley

Shenan said:
> This thread has many responders over the last 7 days.
> We have *no idea* who your response is actually aimed at.
> Please clarify whom you are addressing and for what.

Paul said:
> Who is "we" exactly? I'd thought that given the threaded nature of
> NNTP discussion groups it should be pretty obvious that Don's
> response was aimed at the person to whose post he responded.

Shenan said:
> I notice you included who you were responding to as well as WHAT you
> were responding to...
>
> Any reason?
>
> Don't you normally reply in this manner - with some remnant of what
> you are responding to *in* your response?
>
> As for who the "we" is - as you may know - the newsgroups are
> replicated across MANY MANY news servers across the globe. Some of
> these news servers erase messages at a steady pace - so that a
> reply without any reference to the original posting may exist on
> some newsgroups. There are many times people will only see the
> reply to a post and not the original question on the news server of
> their choice because of said replication - that is why it is
> generally accepted that in a newsgroup post you maintain some
> remnants of what you are responding to for such occurrences.
>
> Therefore - it is likely that someplace on some news server -
> someone only sees Don's response and NOTHING of the thread before
> that. Another reason that I posted the Google groups link to the
> entire thread. So that it might make sense to people who might not
> be using a news server where they see everything OR they are using
> a newsreader whose settings might only get so many days back of
> posts, etc.
>
> Just because you are not a part of the "we" does not mean the "we"
> does not exist. ;-)
>
> Entire Thread:
> http://groups.google.com/group/micr...c4f91335819?lnk=st&q=&rnum=2#83643c4f91335819

Paul said:
> The use of "we" in a forum like this is presumptuous and arrogant.
> You are entitled to your opinion, you're not entitled to pass it
> off as that of others.

No.

I pointed out quite clearly that your assumption that there is not more than
one person who might not know what you are referring to is likely to be
incorrect. "We" is being used to represent the fact that more than one
person might not be able to see the entire thread and that *I* might just be
*one* of those *we*. I pointed out the facts of replication and deletion
of posts and how some newsreaders (people in this usage of the word) might
not be able to see the entire thread. My use of the word "we" was nothing
more than a shortening of "some people of which I might be one of" in this
case. If you took it as anything else - I apologize for the
misunderstanding.

But - as you said - you are entitled to your opinions... and
interpretations.
 
Paul Adare

> If you took it as anything else - I apologize for the
> misunderstanding.

Cool. Since we (you and I) are so far off topic we (you and I) should
probably drop this now.
 
Shenan Stanley

Shenan said:
> This thread has many responders over the last 7 days.
> We have *no idea* who your response is actually aimed at.
> Please clarify whom you are addressing and for what.

Paul said:
> Who is "we" exactly? I'd thought that given the threaded nature of
> NNTP discussion groups it should be pretty obvious that Don's
> response was aimed at the person to whose post he responded.

Shenan said:
> I notice you included who you were responding to as well as WHAT you
> were responding to...
>
> Any reason?
>
> Don't you normally reply in this manner - with some remnant of what
> you are responding to *in* your response?
>
> As for who the "we" is - as you may know - the newsgroups are
> replicated across MANY MANY news servers across the globe. Some of
> these news servers erase messages at a steady pace - so that a
> reply without any reference to the original posting may exist on
> some newsgroups. There are many times people will only see the
> reply to a post and not the original question on the news server of
> their choice because of said replication - that is why it is
> generally accepted that in a newsgroup post you maintain some
> remnants of what you are responding to for such occurrences.
>
> Therefore - it is likely that someplace on some news server -
> someone only sees Don's response and NOTHING of the thread before
> that. Another reason that I posted the Google groups link to the
> entire thread. So that it might make sense to people who might not
> be using a news server where they see everything OR they are using
> a newsreader whose settings might only get so many days back of
> posts, etc.
>
> Just because you are not a part of the "we" does not mean the "we"
> does not exist. ;-)
>
> Entire Thread:
> http://groups.google.com/group/micr...c4f91335819?lnk=st&q=&rnum=2#83643c4f91335819

Paul said:
> The use of "we" in a forum like this is presumptuous and arrogant.
> You are entitled to your opinion, you're not entitled to pass it
> off as that of others.

Shenan said:
> No.
>
> I pointed out quite clearly that your assumption that there is not
> more than one person who might not know what you are referring to
> is likely to be incorrect. "We" is being used to represent the
> fact that more than one person might not be able to see the entire
> thread and that *I* might just be *one* of those *we*. I pointed
> out the facts of replication and deletion of posts and how some
> newsreaders (people in this usage of the word) might not be able to
> see the entire thread. My use of the word "we" was nothing more
> than a shortening of "some people of which I might be one of" in
> this case. If you took it as anything else - I apologize for the
> misunderstanding.
>
> But - as you said - you are entitled to your opinions... and
> interpretations.

Paul said:
> Cool. Since we (you and I) are so far off topic we (you and I)
> should probably drop this now.

Agreed. Considering it dropped.
 