When EFS goes bad


David H. Lipman

We are on an Active Directory Domain.

Recently, through Group Policy enforcement, EFS has been pushed to our users on notebooks.

Generally speaking, things have gone well. However, one of my users has run into a negative
consequence.

One of my users complained that he could no longer access one of his MS Outlook Archive
folders.

Examination found the 1.38GB file to exist and Outlook was properly pointing to it. At first
it was thought that it was damaged, so I ran the Inbox Repair Tool. It indicated the PST
was Read-Only. When I examined the PST it did not have the Read-Only attribute, but it was
encrypted. Under the end-user's account I tried to decrypt the file but I got "Access
Denied". All other PST files in the same folder (and all other data files for that
matter) were encrypted, but the end-user had no problems opening any of them EXCEPT this
one 1.38GB PST file. [ a highly crucial file! ]

Further examination showed a Domain service account attached to the file as
"svc.EFSRecovery.locale" (name obfuscated). I contacted the central organization
responsible for the Domain and they sent someone out to look at the end-user's PC and that
person spent 3 hours with no progress.

What went wrong with this one file ?
Can it be recovered ?
Can it be decrypted/re-encrypted using the user's account based certificate ?
 

Dobromir Todorov

What exactly did you configure in your Group Policy?

Did you remove any user certificates and associated private keys from that
user's computer?

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
 

David H. Lipman

From: "Dobromir Todorov" <[email protected]>

| What exactly did you configure in your Group Policy?

| Did you remove any user certificates and associated private keys from that
| user's computer?

I no longer control the OU of our Domain. This is now done by a centralized organization.
Due to privacy issues, I can not elaborate.

We all use Smart Cards and all three Certs for his Smart Card were in his personal
Certificate Store. All current, none expired or revoked. He still had his Domain Account
cert in his store set to expire on 6/27/2108.

All other encrypted files can be decrypted w/o any problems. It is only this ONE PST that
he gets "access denied" on. :-(
 

Dobromir Todorov

Well, I don't think anyone can help much without the details. The important
thing is that the File Encryption Key (FEK) used to actually encrypt the PST
file is encrypted in the user's and the Data Recovery Agent's (DRA) public
keys and is attached as metadata to the file. If the user has ALL the
private keys and associated certificates/public keys available, EFS will
use them all to try and decrypt the FEK, and access the content of the file.
If the private/public (certificate) key pair that was used to originally
encrypt the FEK is missing, the user will fail to open the file. Make sure
that the original set of certificates and associated keys is there.

Also, it may turn out that this user was say a local computer admin and was
able to open the file as a Data Recovery Agent (DRA), rather than as a user.
When you applied the policy, you may have set a new DRA for this file, and
the old one is now lost - hence the reason why he's not able to access the
file anymore.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
 

Adam Stasiniewicz

When you look at the properties of the file, from the General tab select
Advanced then Details. You will see all the certificates which can decrypt
the file. If you see a certificate in the top window that does not belong
to the user, check with the maintainer of your CA whether they have key archival
enabled. If they do, have them provide you with the key pair for the
certificate so that you can decrypt the file. Otherwise, check the bottom
window. If there is a cert listed there (i.e. the DRA), ask your CA
maintainer to provide that certificate.

Either way, once you get the needed cert: import the cert (with private key)
into the local user store of a computer and copy the PST to a local drive.
Then you should be able to decrypt the file.

Hope that helps,
Adam Stasiniewicz
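The recovery procedure Adam lays out (obtain the key pair for a certificate listed in the file's EFS details, import it with its private key, copy the file to a local drive, decrypt), written out as an added PowerShell example. This is not code from the thread or from any of its participants. It needs the PKI module's Import-PfxCertificate (Windows 8/Server 2012 or later); the paths, the PFX password prompt and the thumbprint sanity check against `cipher /c` output are assumptions of the example.

```powershell
# Added example, not code from the thread. Recovers an EFS-encrypted file
# with an exported key pair (.pfx) for one of the certificates listed in the
# file's EFS metadata, as Adam describes: import the key into the current
# user's store, copy the file to a local NTFS volume, decrypt it there, and
# optionally drop the imported key again. Requires the PKI module (Windows 8
# or Server 2012 and later); paths and the PFX password prompt are assumptions.

function Restore-EfsFile {
    param(
        [Parameter(Mandatory)][string]$PfxPath,      # exported user or DRA key pair
        [Parameter(Mandatory)][string]$SourceFile,   # the file that gives "Access Denied"
        [Parameter(Mandatory)][string]$WorkDir,      # directory on a local NTFS volume
        [switch]$RemoveImportedKey
    )

    $password = Read-Host -AsSecureString -Prompt 'PFX password'
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $password
    if (-not $cert.HasPrivateKey) {
        throw "Imported $($cert.Thumbprint) but its private key is not available"
    }

    # Sanity check: the imported certificate must be one of the key holders
    # recorded in the file's EFS metadata (a user slot or the recovery slot),
    # otherwise the decrypt will fail exactly as it did for the end-user.
    # "cipher /c" prints thumbprints as space-separated hex groups, so strip
    # all whitespace before matching (assumed output format).
    $holders = (& cipher.exe /c $SourceFile | Out-String) -replace '\s', ''
    if ($holders -notmatch [regex]::Escape($cert.Thumbprint)) {
        throw "$($cert.Thumbprint) is not listed as a key holder of $SourceFile"
    }

    # Work on a copy on a local NTFS volume, as Adam suggests. With the key
    # present, the copy is readable and is re-encrypted for the current user.
    $null = New-Item -ItemType Directory -Path $WorkDir -Force
    $local = Join-Path $WorkDir (Split-Path -Leaf $SourceFile)
    Copy-Item -LiteralPath $SourceFile -Destination $local -Force

    # Decrypt through the EFS API (same effect as "cipher /d"), then confirm
    # the Encrypted attribute is really gone before handing the file back.
    [System.IO.File]::Decrypt($local)
    $attrs = (Get-Item -LiteralPath $local).Attributes
    if ($attrs -band [System.IO.FileAttributes]::Encrypted) {
        throw "$local is still encrypted; decryption failed"
    }

    if ($RemoveImportedKey) {
        # A recovery key should not linger in a user profile once it has done its job.
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
    Get-Item -LiteralPath $local
}

# Usage (all paths hypothetical):
# Restore-EfsFile -PfxPath 'D:\recovery\efs-dra.pfx' `
#     -SourceFile 'C:\Users\jdoe\Documents\Outlook\archive.pst' `
#     -WorkDir 'C:\Recovery' -RemoveImportedKey
```

On the XP clients discussed in this thread neither Import-PfxCertificate nor `cipher /c` exists; the import step there is the Certificates MMC snap-in (or the PFX import wizard) into the user's Personal store, and the decrypt step is `cipher /d` or clearing the attribute in the file's Advanced properties. The thumbprint check matters in practice: a key pair that is not in the file's DDF or DRF cannot unwrap the FEK no matter who holds it, which is the situation the end-user in this thread is in.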
 

David H. Lipman

From: "Adam Stasiniewicz" <nospam@nospam>

| When you look at the properties of the file, from the General tab select
| Advanced then Details. You will see all the certificates which can decrypt
| the file. If you see a certificate in the top window that does not belong
| to the user, check with the maintainer of your CA whether they have key archival
| enabled. If they do, have them provide you with the key pair for the
| certificate so that you can decrypt the file. Otherwise, check the bottom
| window. If there is a cert listed there (i.e. the DRA), ask your CA
| maintainer to provide that certificate.

| Either way, once you get the needed cert: import the cert (with private key)
| into the local user store of a computer and copy the PST to a local drive.
| Then you should be able to decrypt the file.

| Hope that helps,
| Adam Stasiniewicz

Thanx.

The "certificate in the top window" did belong to the end-user.
 

David H. Lipman

From: "Dobromir Todorov" <[email protected]>

| ...and there was a private key in the user's profile that corresponded to
| that certificate?

| --
| ---
| HTH,
| Dobromir


Yes. As I stated previously...

"We all use Smart Cards and all three Certs for his Smart Card were in his personal
Certificate Store. All current, none expired or revoked. He still had his Domain Account
cert in his store set to expire on 6/27/2108."

There were four certificates in his personal cert. store.

Three for his Smart Card and one matching the "certificate in the top window" also noted
previously in this thread.
 

Brian Komar (MVP)

Actually, that was not clear.

If you have the "correct" certificate, and in the properties of the
certificate it states that you have the private key associated with the
certificate, the file should open. Here are my questions:

1) Is the svc.EFSRecovery.locale account listed as the user account able to
access the file?
2) Was a proper attempt performed to recover the file with an EFS Recovery
agent listed as the DRA for the file? I mean by this that an administrator
logged on to the system, imported the recovery certificate from the archived
PFX file, and then attempted the decryption.
3) No mention of OS in the thread. What OS is the client running?
4) If the client is running XP, then the EFS cert and the EFS Recovery agent
certificate *must* be in software. XP/2003 do not support the use of EFS or
EFS recovery agent certificates on smart cards.
5) Have you established a custom EFS certificate that archives the private
key in the CA database?
6) Did you prevent the use of self-signed certificates at clients? You can
accomplish this at XP/2003 with 912761 - Encrypting File System (EFS)
generates a self-signed certificate when you try to encrypt an EFS file on a
Windows XP-based computer. For Vista, this is accomplished through GPO.

HTH,
Brian
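Dobromir's explanation above (the FEK is wrapped to the user's public key and to the DRA's, and the matching private key must be present for the file to open) and Brian's questions 1 and 4 (is the recovery account the listed key holder; is the user's key in software rather than on a smart card) both come down to the same check. The following PowerShell is an added example, not code from the thread or its participants: it reads the key holders out of a file's EFS metadata and matches each against the current user's certificate store. It assumes `cipher /c` (Windows Vista or later; on the XP clients in this thread the resource kit's efsinfo.exe shows comparable information) and the English section labels cipher prints; both are assumptions, not facts from the page.

```powershell
# Added example, not code from the thread. Lists the key holders recorded in
# a file's EFS metadata (Dobromir's "FEK encrypted to the user's and the DRA's
# public keys") and checks, for each, whether the current user's store holds
# that certificate, whether its private key is present, and whether the key
# lives on a smart card (Brian's point 4: XP/2003 cannot use such keys for
# EFS). Assumes "cipher /c" (Vista or later) and the English labels it prints;
# both are assumptions rather than facts from the page.

function Get-EfsKeyHolder {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    if (-not ($file.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
        throw "$Path is not EFS-encrypted"
    }

    # Parse the two sections of "cipher /c": user slots (DDF) and recovery
    # slots (DRF). Each holder line is followed by its certificate thumbprint,
    # printed as hex groups separated by spaces.
    $role = $null; $holder = $null; $slots = @()
    foreach ($line in (& cipher.exe /c $file.FullName)) {
        switch -Regex ($line) {
            '^\s*Users who can decrypt:'  { $role = 'User'; continue }
            '^\s*Recovery Certificates:'  { $role = 'DRA';  continue }
            '^\s*Certificate thumbprint:\s*([0-9A-Fa-f ]+)' {
                $slots += [pscustomobject]@{
                    Role       = $role
                    Holder     = $holder
                    Thumbprint = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                }
                continue
            }
            '^\s+\S' { if ($role) { $holder = $line.Trim() } }
        }
    }

    $store = Get-ChildItem -Path Cert:\CurrentUser\My
    foreach ($slot in $slots) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $slot.Thumbprint }
        $onCard = $null
        if ($cert -and $cert.HasPrivateKey) {
            # CspKeyContainerInfo is only populated for CSP (CAPI) keys; CNG
            # keys leave it empty, which the try/catch tolerates.
            try { $onCard = $cert.PrivateKey.CspKeyContainerInfo.HardwareDevice } catch { }
        }
        [pscustomobject]@{
            Role          = $slot.Role
            Holder        = $slot.Holder
            Thumbprint    = $slot.Thumbprint
            InUserStore   = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            OnSmartCard   = $onCard
        }
    }
}

# Usage (path is hypothetical):
# Get-EfsKeyHolder 'C:\Users\jdoe\Documents\Outlook\archive.pst' | Format-Table -AutoSize
```

Reading the result for the PST in this thread: a User row whose thumbprint is in the store with HasPrivateKey True means the key is present and the "Access Denied" needs another explanation; a User row that matches nothing in the store is the missing-key case Dobromir describes (compare it against the thumbprint of the certificate the user actually has); a User row whose thumbprint belongs to the recovery account's certificate is Brian's question 1; and a matching row with OnSmartCard True on an XP client is a key EFS there cannot use at all.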
 

David H. Lipman

From: "Brian Komar (MVP)" <[email protected]>

| Actually, that was not clear.


My apologies :-(


| If you have the "correct" certificate, and in the properties of the
| certificate it states that you have the private key associated with the
| certificate, the file should open. Here are my questions:

| 1) Is the svc.EFSRecovery.locale account listed as the user account able to
| access the file?

Yes.


| 2) Was a proper attempt performed to recover the file with an EFS Recovery
| agent listed as the DRA for the file? I mean by this that an administrator
| logged on to the system, imported the recovery certificate from the archived
| PFX file, and then attempted the decryption.


My understanding is that was attempted.


| 3) No mention of OS in the thread. What OS is the client
| running?

WinXP >= SP2


| 4) If the client is running XP, then the EFS cert and the EFS Recovery agent
| certificate *must* be in software. XP/2003 do not support the use of EFS or
| EFS recovery agent certificates on smart cards.


Right. Got it.


| 5) Have you established a custom EFS certificate that archives the private
| key in the CA database?


I have NO control over this and I don't know.



| 6) Did you prevent the use of self-signed certificates at clients? You can
| accomplish this at XP/2003 with 912761 - Encrypting File System (EFS)
| generates a self-signed certificate when you try to encrypt an EFS file on a
| Windows XP-based computer. For Vista, this is accomplished through GPO.


We do not use Self Signed certs. as this was pushed through GPO and EFSAssistant.
 

Brian Komar (MVP)

So based on your answers, the certificates on the smart card are not
used, as the OS does not support smart card based EFS.
The recovery may be possible if a password is available for the
svc.EFSRecover.locale account, and you log on locally as that account. Once
logged in, remove the encryption from the file.
Brian
 

David H. Lipman

From: "Brian Komar (MVP)" <[email protected]>

| So based on your answers, the certificates on the smart card are not
| used, as the OS does not support smart card based EFS.
| The recovery may be possible if a password is available for the
| svc.EFSRecover.locale account, and you log on locally as that account. Once
| logged in, remove the encryption from the file.
| Brian

The notebook was taken away by the central IT group.

We'll see what happens.
 

David H. Lipman

From: "David H. Lipman" <[email protected]>

| From: "Brian Komar (MVP)" <[email protected]>

|| So based on your answers, the certificates on the smart card are not
|| used, as the OS does not support smart card based EFS.
|| The recovery may be possible if a password is available for the
|| svc.EFSRecover.locale account, and you log on locally as that account. Once
|| logged in, remove the encryption from the file.
|| Brian

| The notebook was taken away by the central IT group.

| We'll see what happens.


Failed ! :-(

Ticket has been opened with Microsoft.
 
