
Encryption Policy for Active Directory Member Laptops

I have been asked to look into an encryption policy for our Laptop users who are all using Windows XP. My IT Director believes that Windows XP encryption will probably do what we want. I have read the following Microsoft Documents:-


But I am a bit confused by it all. We are moving to Active Directory in the coming months, so I am happy to disregard settings for an NT4 Domain.

Which folders cannot be encrypted?
As a Domain Administrator how can I ensure that I can always access encrypted files?
How does encryption handle offline synchronised files? I don't mind if the files are not encrypted on the server.
How does encryption handle roaming profiles on the server? Again, I don't mind if the files are not encrypted on the server.
I would prefer to use Group Policy in Active Directory.

All I want to achieve is if the laptop is stolen that User Data cannot be accessed even if they reset the local administrator password.


1 Solution
By default, the Recovery Agent in the domain is the domain administrator. After you install Active Directory, and after the XP laptops are joined to the Active Directory domain, any files that are encrypted after that point will be readable by the person who encrypted them plus the Recovery Agent.

The Recovery Agent's key resides only on domain controllers. If you logged onto the laptop as administrator you would still not be able to read the files. You would have to backup the files with the built-in Windows Backup program, restore them on the domain controller, and then be able to un-encrypt the files as Administrator.

There are ways around this but exporting the RA's key from the domain controllers is not a wise security practice.

Think of EFS this way: whose NTFS is it? If the encrypted file is on the hard drive on the laptop, then the laptop will be doing the encrypt/decrypt. If the encrypted file is on the network server, then the file server is encrypting/decrypting it, and it is sent over the network unencrypted. If the user copies the file (because copying always creates a new file and inherits the destination folder's attributes, including the encrypted/decrypted flag), or moves it to a floppy or ZIP or USB disk, or to any FAT32 or FAT16 partition, or e-mails the file as an attachment, it is no longer encrypted (unless the destination folder is an encrypted folder on NTFS).

If the user logs in to the laptop with a local account, the recovery agent will not be able to decrypt the files. To protect against that possibility, you should export the key for each local user to a secure file in the event that the user accounts database is ever damaged (due to a virus, a re-install of the OS, etc).
From your point of view, you tell the user that they have to always log in as their domain user account (which works with cached credentials even when they have no network connection). You set their profile directory to encrypted. Now their favorites, cookies, documents, etc are encrypted. You might want to exclude or redirect the internet temporary files folder from being encrypted, but maybe you prefer that all cached pages from the sites they browse also be encrypted. Be aware there is going to be a performance hit on encrypting and decrypting the files.

Now if they decide to log on as a local user and do their own thing, their local user accounts data folders could still be set to encrypted, but you may not be able to recover their files if a corruption of the user accounts database occurs. If they care about their data enough and you explain that only files saved as user domain\username are recoverable in the event of a problem, then they should comply.

If someone wants to badly enough, they can change the local administrator's password and log in as local administrator. They can put the drive in another 2000/XP machine. But they won't be able to read the encrypted files encrypted by the domain user's account.
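The answer above warns against exporting the existing Recovery Agent key from the domain controllers. The alternative a domain administrator would normally use is to generate a dedicated Data Recovery Agent certificate with CIPHER.EXE on an isolated machine, publish only its public half through Group Policy, and keep the private key offline. The following batch script is an added example, not code from the original answer; it assumes Windows XP / Server 2003 cipher.exe, that E: is a removable drive that will be locked away, and the output file names are hypothetical.

```batch
@echo off
rem Added example, not part of the original answer. Creates a dedicated EFS
rem Data Recovery Agent (DRA) certificate with CIPHER.EXE so the domain's
rem existing recovery key never has to leave the domain controllers.
rem Assumptions: Windows XP / Server 2003 cipher.exe; E: is a removable drive
rem that will be stored offline; OUTDIR and RANAME are hypothetical names.
setlocal
set OUTDIR=E:\efs-recovery
set RANAME=EFS-DRA-2005

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem /r: writes RANAME.cer (public certificate, safe to distribute) and
rem RANAME.pfx (private key, protected by the password cipher prompts for).
rem The path deliberately contains no spaces, so no quoting is needed.
cipher /r:%OUTDIR%\%RANAME%
if errorlevel 1 (
    echo Certificate generation failed.
    exit /b 1
)

if not exist "%OUTDIR%\%RANAME%.pfx" (
    echo Expected %RANAME%.pfx was not written.
    exit /b 1
)

echo.
echo Next steps (done by hand, not by this script):
echo  1. Copy %RANAME%.cer to an administrator workstation and add it as a
echo     Data Recovery Agent under Computer Configuration ^> Windows Settings ^>
echo     Security Settings ^> Public Key Policies ^> Encrypting File System in
echo     the Group Policy object that applies to the laptops.
echo  2. Keep %RANAME%.pfx only on this removable drive, offline. Import it on
echo     a trusted machine only when a recovery is actually needed, then remove it.
echo  3. Files encrypted BEFORE the policy reached a laptop pick up the new
echo     agent only when they are next rewritten; run "cipher /u" on the laptop
echo     to update every encrypted file at once.
endlocal
```

The script only produces the certificate pair and checks that both halves exist; adding the .cer to the domain policy and deciding where the .pfx lives are deliberate manual steps, because the whole point of a separate agent is that its private key is never sitting on a laptop or on a domain controller's disk.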

GeeDoubleU-UK (Author) commented:
That's great, I understand this better now. I'm assuming that as long as you are in AD then the Domain Controllers are the RA, so a Network Administrator can always recover encrypted details. Regarding the User Profile, can this be encrypted when in AD using roaming profiles? My NT4 environment doesn't like it.

The User Profile is essentially the same as the Documents and Settings\username directory, plus of course the user's registry (HKEY_Current_User).

If you want parts or all of that directory encrypted, you would just encrypt it the same as any other directory, using Windows Explorer or CIPHER.EXE.

I would limit the amount of data you encrypt for performance reasons. The directories that contain most of your users' data are: My Documents, Cookies, Favorites, and the Application Data and Local Settings\Application Data directories. Outlook already has a way to encrypt the .PST file with a password, and due to the size of this file (or your .ost file in the case of Exchange server) it might cause a big impact on performance if you try to encrypt it with EFS.
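The solution's advice to encrypt the profile only under the domain account, and the follow-up's list of the folders worth encrypting, can be turned into one repeatable CIPHER.EXE script. The script below is an added example and is not code from either answer: it assumes the default Windows XP profile layout, that the user runs it interactively once while logged on with their domain account, that `cipher /x` is available (Windows XP SP2 or later; check `cipher /?` first), and that K: is a hypothetical network or removable location for the key backup.

```batch
@echo off
rem Added example, not part of the original answers. Encrypts the profile
rem folders the follow-up answer lists, leaves the Outlook .pst/.ost folder
rem unencrypted as that answer advises, verifies the result, and backs up the
rem user's EFS key. Assumptions: Windows XP default profile layout; cipher /x
rem present (XP SP2 or later); K:\efs-keys is a hypothetical backup location.
setlocal

rem Refuse to run under a local account: a local account's EFS key is not
rem covered by the domain Recovery Agent. For local logons USERDOMAIN equals
rem the machine name.
if /i "%USERDOMAIN%"=="%COMPUTERNAME%" (
    echo Log on with your domain account before encrypting; nothing changed.
    exit /b 1
)

set P=%USERPROFILE%
set FAILED=0

rem /e encrypt, /s: recurse into the folder, /a also mark existing files
rem (not only the folder attribute), /q report errors only.
for %%D in ("My Documents" "Favorites" "Cookies" "Application Data" "Local Settings\Application Data") do (
    if exist "%P%\%%~D" (
        cipher /e /s:"%P%\%%~D" /a /q || set FAILED=1
    )
)

rem The large Outlook .pst/.ost lives under Local Settings\Application Data on
rem XP, so undo encryption for that subfolder only.
if exist "%P%\Local Settings\Application Data\Microsoft\Outlook" (
    cipher /d /s:"%P%\Local Settings\Application Data\Microsoft\Outlook" /a /q || set FAILED=1
)
rem Temporary Internet Files sits beside, not inside, the folders above, so it
rem stays unencrypted unless you add it to the list deliberately.

rem Quick check: cipher with only a path prints E (encrypted) or U
rem (unencrypted) in front of each entry.
cipher "%P%\My Documents"

rem Back up this user's EFS certificate and private key (password prompted by
rem cipher) so a damaged profile or OS reinstall does not lose the key.
set KEYDIR=K:\efs-keys\%USERNAME%
if not exist "%KEYDIR%" mkdir "%KEYDIR%"
cipher /x "%KEYDIR%\efs-%USERNAME%" || set FAILED=1

if %FAILED%==1 (
    echo One or more steps failed; review the messages above.
    exit /b 1
)
echo Profile encryption complete for %USERDOMAIN%\%USERNAME%.
endlocal
```

Because `cipher /e` on an already encrypted folder is harmless, the encryption part is safe to rerun; if you later want Group Policy to drive it, assign the script (minus the interactive `cipher /x` step) as a logon script under User Configuration, Windows Settings, Scripts, and keep the key backup as a separate one-off task per user.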