It is good that you hold a sane attitude toward the strictures you seek over the admin's actions. Basically, at some level you must place trust in the persons you empower to run the IT infrastructure. The best advice I can give to you is to hire a quality, relative to Windows and this aspect of security in it, IT consultant to set this up for you and to show you the few critical watch points. That might be a hard sell, both cost-wise and with regard to your current IT staff's feelings. On the other hand, it would make clear to them that you are indeed serious about this, and enabled; plus, staff come and go, so you would be set in the face of future changes.
There are a few issues you are facing.
First, to be clear, EFS allows for one account (initial encryptor) to transparently access an encrypted file, for access by the recovery agent (DRA) if one is defined, and then also for other accounts to have the same transparent access if the initial encryptor takes manual action to allow this (and that granted account can then do the same, allowing further accounts).
So, you said you want a hands-free, so to speak, solution; and you also indicated you need for two individuals to have access.
Either the CFO would need to make sure to remember to grant the CEO access (a manual step you want to avoid), or for the EFS docs the two of them would need to use a shared account, or one of them would need to be the DRA. It might make sense in your case for the CEO's account to be the DRA, which would mean that nothing could be stored in the IT infrastructure with EFS that would be inaccessible to that account. If the administrator could get the password of that account (not set, but get it as it is) then the water has passed through the sieve. If the administrator sets the password, the true owner of that account would, I would hope, notice that their password was not as it should be. If the admin cracked the dumped password hashes, and the account's password was not very strong, they would have access to all and it would look like the access was done by the owner of that account.
Anyway, yes, any NTFS area of storage can be audited. This can be set up for all types of accesses, successful and/or failed, by any account or by only some defined groups of accounts. Administrators can clear event logs where these audit records are written, but that clearing causes an event to be written into the cleared log. If no one is watching the logs the auditing is close to useless. Auditing can be very verbose. One needs to have auditing defined so it generates what is of interest but a minimum of other records, by only auditing what parts of the filesystem really need the coverage.
The DRA is defined by having its cert available in the system. To decrypt an encrypted file the matching key needs to be available. It is this part, the key, that must be kept out of the hands of the admin. Any account into which the key is imported can function as DRA, and hence access any EFS encrypted file.
A normal use would be to have a DRA defined, to have the cert/key saved safely, such as on some CDs locked away. There would be no account with the key imported into it. That would happen only when there was need to recover some otherwise inaccessible EFS encrypted files.
This is getting long already and we still have not looked at issues related to the config of the storage server to support remote EFS file storage, safe transfer over the network, the types of profiles used by the domain accounts, monitoring the storage area to make sure no one has unset the requirement on the folders that files stored in them will be encrypted (or changed the auditing settings for that matter), etc.
Perhaps that indicates why I suggested hiring a quality consultant. It is really not that hard to set up, but it surely is involved to try to explain the main aspects and (what I mostly focused on) the in-use vulnerabilities to breach of the privacy you would believe is in effect.
In the final analysis, Karl's suggestions, although rejected by yourself as needing manual actions, may be the shortest route for maintaining a relatively small amount of data.
It is quite ironic: Microsoft released a free tool that would have been just about exactly what you are after, back in July, called Private Folders, but corps pretty much forced MS to withdraw it in almost no time.
http://news.com.com/Microsoft+shutters+Windows+private+folders/2100-1012_3-6094481.html
Go figure, eh?
Roger
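The watch points Roger lists (the folder still set to encrypt new files, audit rules still defined on it, someone having cleared the Security log, and who can actually decrypt a given file) as an added PowerShell check for a current Windows Server. This is example code, not anything from the post; the folder path, domain and account names are assumed placeholders, while event IDs 1102 (audit log cleared) and 4663 (object access) are the standard Windows Security log IDs.

```powershell
# Added example (not from the original post): periodic health check of an
# EFS folder on the storage server, intended to run from a monitoring
# account that is not a day-to-day admin account.
param(
    [string]$Folder     = 'D:\Finance\Confidential',   # assumed path
    [string[]]$Allowed  = @('CORP\cfo', 'CORP\ceo'),    # assumed accounts
    [int]$LookbackHours = 24
)

$since   = (Get-Date).AddHours(-$LookbackHours)
$encFlag = [IO.FileAttributes]::Encrypted

# 1. The folder must still carry the "encrypt new files" attribute. If an
#    admin un-set it, new documents land in plaintext with no one noticing.
$folderAttrs = (Get-Item -LiteralPath $Folder -Force).Attributes
if (-not ($folderAttrs -band $encFlag)) {
    Write-Warning "Encryption attribute is no longer set on $Folder"
}

# Any plaintext file already inside the tree is the same problem after the fact.
Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
    Where-Object { -not ($_.Attributes -band $encFlag) } |
    ForEach-Object { Write-Warning "Unencrypted file in EFS tree: $($_.FullName)" }

# 2. The SACL (audit rules) must still be present on the folder. Auditing
#    only this tree, not the whole volume, keeps the log to what matters.
$auditRules = (Get-Acl -LiteralPath $Folder -Audit).Audit
if (-not $auditRules) {
    Write-Warning "No audit rules are defined on $Folder"
} else {
    $auditRules | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# 3. Clearing the Security log writes event 1102 into the freshly cleared
#    log. Alert on it; with logs also forwarded off-box, a clear cannot
#    hide what was recorded before it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Properties[1] is SubjectUserName in the 1102 event schema.
        Write-Warning ("Security log was cleared at {0} by {1}" -f $_.TimeCreated, $_.Properties[1].Value)
    }

# 4. Object-access events (4663) on files under the folder by anyone other
#    than the two accounts meant to read this data. An admin who imported
#    the DRA key into their own account would show up here under that account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $who = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        if ($data['ObjectName'] -like "$Folder*" -and $Allowed -notcontains $who) {
            Write-Warning ("{0} accessed {1} at {2} (mask {3})" -f $who, $data['ObjectName'], $_.TimeCreated, $data['AccessMask'])
        }
    }

# 5. For one file, list who can decrypt it: the encryptor, any users the
#    encryptor granted, and the recovery agent. This confirms the DRA cert
#    is in effect while the DRA key itself stays offline.
$sample = Get-ChildItem -LiteralPath $Folder -File -Force | Select-Object -First 1
if ($sample) { cipher.exe /c $sample.FullName }
```

Run it on a schedule and treat any warning as something a human must look at; as Roger says, auditing that nobody reads is close to useless, and the 1102 check only has teeth if the log is also being forwarded somewhere the admin cannot clear.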