jostafew asked:

Best practices when deploying PKI for simple EFS purposes in domain environment

Hello everyone, I'm attempting to set up a means to encrypt data on machines within our domain; I've installed the Certificate Services on our DCs and have configured the first DC as the root certificate server and have the two other DCs set up to issue certificates to the client machines. I can see that the lower CAs have requested certificates from the root CA and as a client I can request a CA based on the default templates.

Originally I couldn't encrypt files on a client machine due to an expired Recovery Agent certificate, but I have sorted that out by creating two new recovery agents (two existing admin accounts) and imported those certificates into the Default Domain Policy GPOs for:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

After that I am able to encrypt files on the client machines. Everything is great except when it comes time to decrypt files; I tried to take a file that was encrypted on a client machine, move it to another, and decrypt it as a recovery agent but no luck.

After a bunch of troubleshooting (see this open question: https://www.experts-exchange.com/questions/26897211/Help-with-GPO-not-applying-specific-to-Computer-Configuration-settings.html)
I believe I've traced the problem back to that GPO not applying on the client machines. There is no recovery agent defined in their computer policies when the files are encrypted so the files can only be decrypted with the user's original key (unique to that user account on that particular computer).

I'm trying to sort out why that group policy is not applying, but in the meantime I thought I'd ask if I'm missing something else or if I'm even going about this the right way. Everything else I do with group policy works fine except for this, so I'm beginning to wonder if I'm going about it wrong to begin with.

Thanks in advance!
btan:

You have a multi-tier CA, hence it should also push the subCA certificate as a trusted intermediate CA. Also assume the firewall is not blocking the push down. You could also try running 'cipher /u', and that should update all encrypted files and folders on your workstation.

The default ACL on the EFSRecovery template lets only members of the Domain Admins and Enterprise Admins groups

Also understand that for Win2k3 servers and above, EFS is not controlled by the inclusion of the data recovery agent certificate in the GPO as in the old Win2k server; therefore your steps should be correct.

Hence, you may want to run rsop.msc on a computer to see if it shows the setting as configured via your domain Group Policy, and you can also examine the properties of an EFS file in Properties / Advanced - Details (or use efsinfo) to see if a recovery agent is associated with the EFS file.

Note that when EFS files are exported onto non-NTFS media, the EFS protection may be removed inadvertently. This applies if you send the EFS file over the network too; it becomes plain.
Group Policy settings can be forced to refresh with the command gpupdate /force when run on the domain workstation.

See also this: http://www.windowskb.com/Uwe/Forum.aspx/windows-xp-security/37035/Recovery-Agent-configured-in-GPO-but-cannot-see-it
jostafew (asker):

Hello breadtan, thank you for the info on how to confirm things at the client side (it appears that was a big part of my problem). I ran rsop at the client and confirmed that the GPOs were applied correctly (was running gpedit.msc which was not getting the whole picture). I also looked at the details of the encrypted files and confirmed that the Recovery Agents' certificates are listed as well as the client's certificate.

Earlier on I confirmed that I can export the user's cert. and use it to decrypt files on another machine in a recovery scenario, but I'd rather not have to gather everyone's certificate, so the last part of my project is to be able to recover files using the Recovery Agent (which I am still working on). I assumed that if I were to log on to a system as the recovery agent I would have access to the user's encrypted material. This is not working. I'll continue to search for the correct procedure but if you have it handy it would be a great help.
If the encrypted file is done on a machine with the recovery agent already well defined, the exported file should rightfully be able to be decrypted by the recovery agent.
Check out this relevant info:
https://www.experts-exchange.com/questions/23858995/Having-trouble-Configuring-EFS-Domain-Account-for-Recovery-Agent.html

Once you assign the recovery agent in a GPO that contains users, you're set for whatever that GPO is applied to.

Success, sort of... Breadtan, I read through that other E-E post you linked and within there was a link to a Microsoft article going over EFS. For some reason which I have yet to discover, I am not able to simply sign onto a system with the EFS account and decrypt files; however, I am able to import the archived recovery key (once I learned how to do it properly) and decrypt the test user's files. Originally I was trying to import the key into the Personal Certificates, but no success. After reading the referenced article, simply double-clicking the .pfx file and following the import wizard would import the certificate in a manner that would allow me to decrypt the files. So, mission sort of accomplished; the user can request a key, use it to encrypt files, and as an admin I can retrieve the EFS key from a secure location and use it to decrypt the user's files without needing their key to do it.
Strange, though; the user account should be able to log in as a domain user admin. Nonetheless, having the .pfx has the private keys installed into the machine to enable decryption too. The .pfx file in this case is exportable; for some, in exporting this file, it is stated to be exportable. Probably you have to attempt another admin user or machine. A check on the Personal store can help you check if the user certificate is available too; more importantly, the availability of private keys...
Hey breadtan, thank you for your reply. Unfortunately I'm having a hard time understanding your last post, but I will do my best to respond;

I am able to log in to Windows using the admin (also the EFS Recovery Agent) but am not able to decrypt a user's file. What I tried to do was place a folder containing files on a USB flash drive, and encrypt them from the test user's account. I then took that flash drive containing the encrypted files to another machine where I was signed in as the admin (EFS R.A.) and attempted to decrypt. It would not work until I opened the .pfx file that I had previously exported when the GPO was created. I was trying to simulate recovering encrypted files from a hard drive on a non-booting system.

Could you explain a little more on how to check the personal store and to check the availability of private keys?

Thank you
For EFS to work, the file or folder must be located on an NTFS disk partition. By default, in XP Professional and later, EFS highlights encrypted files in green, but you can disable this behavior by choosing Tools, Folder Options in Windows Explorer, then clearing the "Show encrypted or compressed NTFS files in color" check box on the View tab. In a domain environment, the DRA is the domain administrator's account, not the local administrator account.

Try efsinfo to get more info on the EFS file. It is also available in Sysinternals.

http://support.microsoft.com/kb/243026

See if this can help to know about the key:

http://www.stackoverflow.com/questions/657622/where-is-private-key
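As an added example (not part of either participant's posts), the PowerShell below performs the two checks discussed above: it lists the certificates in the logged-on user's Personal store that carry the EFS or File Recovery EKU and whether their private key is present, and it shows which users and recovery agents can decrypt a given file. It assumes Windows Vista / Server 2008 or later for 'cipher /c' (efsinfo is the equivalent on XP/2003); the function names are hypothetical.

```powershell
# Added example, not from the thread. Inspect EFS-related certificates in the
# current user's Personal store and report who can decrypt a specific file.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System (user key)
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (recovery agent key)

function Get-EfsCertificate {
    # Hypothetical helper: one object per EFS/recovery certificate in the store.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return }
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $role = if ($oids -contains $RecoveryOid) { 'RecoveryAgent' }
                elseif ($oids -contains $EfsOid)   { 'EfsUser' }
                else { return }
        [pscustomobject]@{
            Role          = $role
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # False means only the public certificate is present; the .pfx with
            # the private key still has to be imported before decryption can work.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

function Show-EfsFileAccess {
    # Hypothetical helper: warn if the file lost its EFS attribute (e.g. copied
    # to FAT-formatted USB media), otherwise list users and recovery agents.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        Write-Warning "$Path is not EFS-encrypted; check that it still sits on NTFS."
        return
    }
    # cipher /c prints the users and recovery certificates (with thumbprints)
    # that can decrypt the file; on XP/2003 use 'efsinfo /u /r' instead.
    cipher.exe /c $Path
}

# Compare the recovery thumbprints shown by cipher /c with the RecoveryAgent
# rows below; the agent's row must show HasPrivateKey = True on this machine.
Get-EfsCertificate | Format-Table Role, Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize
Show-EfsFileAccess -Path 'C:\Temp\test.txt'   # constructed sample path
```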
Hey breadtan, thank you for the further info. I am tied up with another project for a few days but when I get back at this next week I will be sure to report my progress.
Finally, I'm able to get back to this. Breadtan I fooled around with EFSINFO a bit and it seems to be reporting the same thing that I am seeing under file properties -> advanced -> Encrypt Details. I see my User account under the Users category and my two recovery agents listed.

My guess is that my problem has to do with me not understanding how the EFS system works (or should work) in a domain environment. It seems as if the certificates are being tied to the local user account instead of the domain account, so when I logon to a machine as the recovery agent the key that was generated with that account is not coming with it and therefore cannot act as EFS RA. Also when I logon with a user account and request a certificate, that cert does not come with the user when I logon at another workstation.

I may be misunderstanding how things are supposed to work, but I feel I should also mention that I do not have any Enterprise operating systems on my CAs; they are all 2k3, 2k3 R2, 2k8 R2 Standard Edition servers. I'm not sure if this is causing issues with certificates being published to Active Directory perhaps?
ASKER CERTIFIED SOLUTION
btan
Breadtan, thank you for the detailed reply. I'm working my way through all the info (here and in the attached references) in between crisis here and will report back when complete.
Not many comments from me, as the various options are supplied for consideration; also, if the best practices and requirements are adhered to, it would give more leads.
I must apologize as this project has been put on the back-burner for the moment. Based on what I'd learned before and after going through some of the material Breadtan suggested, my feeling is that some of my issues are stemming from the fact that I'm not running an enterprise version of server as the main CA. That being said, I should have budget to install a new server (which will run 2008 R2 Enterprise) and move the existing machine elsewhere in the company. I hope to get that rolling in the next month or so. Once that's installed I intend to revisit the EFS project. Breadtan, I very much appreciate the time you've put into assisting me on this; my apologies for leaving things hanging.
Please keep us informed. Thanks.