Solved

EFS Encrypted File System Question Windows 2003 AD

Posted on 2007-11-30
359 Views
Last Modified: 2012-05-05
I'm allowing EFS for certain users on our network. I'm wondering if the person leaves the company, would the files still be accessible to that username after a password change via the Active Directory Users and Computers tool.

Example.

Bob gets fired....I.T. staff does not have his password.  The Domain Admin changes his password so he can logon as bob and view all of his files....are EFS files still going to be viewable by that account or does that invalidate the certificate?

Yes I know I can use the Domain Admin account to decrypt the files but sometimes we like to just rename an account to the new user who inherits a position.

I could setup a test user account but it's less work usually just to ask the EE community.

Thanks - Spyder

Question by:spyder357
7 Comments
 
LVL 9

Expert Comment

by:Brugh
ID: 20385766
As with many MS protocols, it's apparently hit or miss... hehe

Taken from Technet.
http://technet.microsoft.com/en-us/library/bb457065.aspx

"Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users. "

hth
 - brugh


 

Author Comment

by:spyder357
ID: 20385775
Now that's with local users....I'm talking about domain accounts.
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 20385866
Disable the account while the employee is being terminated, then use the domain administrator account to decrypt the files. Check out this link for a simple explanation: https://confluence.cornell.edu/display/FSCNS/EFS+-+Encrypted+File+System

 

Author Comment

by:spyder357
ID: 20385885
I think everyone here is missing the point of the question.

I need to know if I, the admin, can change someone's password via AD and view their encrypted files while logged on as that user (with the new password).

Thanks - Spyder
 
LVL 84

Accepted Solution

by:
David Johnson, CD, MVP earned 375 total points
ID: 20386053
You have to recover the files to an unencrypted state using the recovery agent (domain admin account). If you change the password, the 'new user', as far as EFS is concerned, cannot read the files; only the original user or the recovery agent can decrypt the files. This is why you get the warning when you change the user's password. Users are stored as 5-1-xxx-xxxx and not by name, and changes to the user account will change the 5-1-xxx-xxx to something new.

It is poor policy to just change the password on employee termination. One disables the account until a new user needs the account, then you change the 'user info' fields, re-enable the account, and set the password to 'user must change password on next logon'.

I repeat: once the password has been changed, the previous user cannot access the files, but a domain admin can recover the files using the recovery agent.
 
LVL 3

Expert Comment

by:top_gizmo
ID: 20417395
1. If you change the password and are using the SAME user account on the SAME computer, YES, you can read the files. The files were encrypted using a private key that was generated on that computer under that logon. This is not a good practice. If a user 'accidentally' deletes his private key (yes, I have seen this done dozens of times), you will not be able to recover the files without a Recovery Agent.

2. You do need to establish a recovery agent NOW. You cannot import the recovery agent's key into the users' encrypted files after they delete their private key. You must import the Recovery Agent certificate into your GPO and run the cipher /u command in a logon script to update the users' encrypted files with the RA certificate.

3. Use the cipher /r command to create your own certificates. It will create two certificates: one is your public key that is imported into the GPO, the other is the private key that you secure offline... I say again, OFFLINE, in a secure place. I actually have three keys in case any get compromised.

Here are some links to get you started:

http://articles.techrepublic.com.com/5100-6329_11-5034476.html

http://support.microsoft.com/kb/887414
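As an added example (PowerShell; not code from any of the answers above), the cipher.exe steps that David Johnson's and top_gizmo's answers describe, wrapped as three functions: recovery agent certificate generation with cipher /r, the logon-script refresh of existing encrypted files with cipher /u, and decryption of a departed user's folder while logged on as the recovery agent with cipher /d. The function names, the base path and the log location are my own placeholders, and the GPO import itself is still done by hand in the Group Policy editor.

```powershell
# Added example, not from the thread. Wraps the cipher.exe steps the answers
# describe. Paths and the log location are placeholders; run on a domain-joined
# Windows machine where cipher.exe is available.

function New-EfsRecoveryAgentCert {
    param([Parameter(Mandatory)][string]$BaseName)   # e.g. C:\EFS-RA\efs-ra (no extension)
    $dir = Split-Path -Path $BaseName -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # cipher /r prompts for a password that protects the .pfx, then writes
    # <BaseName>.cer (public; import into Public Key Policies > EFS in the GPO)
    # and <BaseName>.pfx (private; move to offline storage immediately).
    & cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
    [pscustomobject]@{ PublicCert = "$BaseName.cer"; PrivateKey = "$BaseName.pfx" }
}

function Update-EfsFilesWithRecoveryAgent {
    param([string]$LogPath = "$env:TEMP\efs-cipher-update.log")
    # Intended for a user logon script. cipher /u /n only lists the user's
    # encrypted files (dry run); cipher /u rewrites their EFS metadata with the
    # user's current key and the recovery agents from the applied policy.
    $stamp = Get-Date -Format s
    $listing = & cipher.exe /u /n 2>&1
    "$stamp user=$env:USERNAME dry-run listing:" | Add-Content -Path $LogPath
    $listing | Add-Content -Path $LogPath
    $result = & cipher.exe /u 2>&1
    "$stamp user=$env:USERNAME update exit=$LASTEXITCODE" | Add-Content -Path $LogPath
    $result | Add-Content -Path $LogPath
    return $LASTEXITCODE
}

function Unprotect-EfsFolderAsRecoveryAgent {
    param([Parameter(Mandatory)][string]$Folder)
    # Run while logged on as the recovery agent account (RA .pfx imported into
    # its personal store) after the departed user's account has been disabled.
    # /d decrypts, /s:<dir> walks the tree, /a includes files as well as folders.
    if (-not (Test-Path -Path $Folder)) { throw "Folder not found: $Folder" }
    & cipher.exe /d /a "/s:$Folder"
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
    return $Folder
}

# One-time admin step (placeholder path), then the two operational steps:
# New-EfsRecoveryAgentCert -BaseName 'C:\EFS-RA\efs-ra'
# Update-EfsFilesWithRecoveryAgent            # in the logon script
# Unprotect-EfsFolderAsRecoveryAgent -Folder '\\fileserver\users\bob'   # placeholder share
```

The dry-run listing written to the log is worth keeping: it shows which files would have been unrecoverable had the user's key been lost before the policy with the RA certificate reached that machine.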
 

Author Comment

by:spyder357
ID: 20419723
Actually the certs are not on the local computer. We run a (Microsoft) certificate infrastructure (for VPN, wireless, EFS, webmail, etc). The recovery agent is the domain administrator account along with my Domain Admin account. All keys are stored on the server and Active Directory.
