Solved

EFS Encrypted File System Question Windows 2003 AD

Posted on 2007-11-30
Last Modified: 2012-05-05
I'm allowing EFS for certain users on our network. I'm wondering, if a person leaves the company, whether the files would still be accessible to that username after a password change via the Active Directory Users and Computers tool.

Example.

Bob gets fired.... I.T. staff does not have his password. The Domain Admin changes his password so he can log on as Bob and view all of his files.... Are EFS files still going to be viewable by that account, or does that invalidate the certificate?

Yes I know I can use the Domain Admin account to decrypt the files but sometimes we like to just rename an account to the new user who inherits a position.

I could set up a test user account, but it's usually less work to just ask the EE community.

Thanks - Spyder

Question by:spyder357
7 Comments
LVL 9

Expert Comment

by:Brugh
ID: 20385766
As with many MS protocols, it's apparently hit or miss... hehe

Taken from Technet.
http://technet.microsoft.com/en-us/library/bb457065.aspx

"Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users. "

hth
 - brugh



Author Comment

by:spyder357
ID: 20385775
Now that's with local users.... I'm talking about domain accounts.

LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 20385866
Disable the account while the employee is being terminated, then use the domain administrator account to decrypt the files. Check out this link for a simple explanation: https://confluence.cornell.edu/display/FSCNS/EFS+-+Encrypted+File+System

Author Comment

by:spyder357
ID: 20385885
I think everyone here is missing the point of the question.

I need to know if I, the admin, can change someone's password via AD and view their encrypted files while logged on as that user (with the new password).  

Thanks - Spyder
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 125 total points
ID: 20386053
You have to recover the files to an unencrypted state using the recovery agent (domain admin account). If you change the password, the 'new user' as far as EFS is concerned cannot read the files; only the original user or the recovery agent can decrypt the files. This is why you get the warning when you change the user's password. Users are stored as S-1-xxx-xxxx and not by name, and changes to the user account will change the S-1-xxx-xxx to something new.

It is poor policy to just change the password on employee termination. One disables the account until a new user needs the account, then changes the 'user info' fields, re-enables the account, and sets the password to 'user must change password on next logon'.

I repeat once the password has been changed then the previous user cannot access the files but a domain admin can recover the files using the recovery agent.
LVL 3

Expert Comment

by:top_gizmo
ID: 20417395
1.  If you change the password and are using the SAME user account on the SAME computer, YES, you can read the files. The files were encrypted using a private key that was generated on that computer under that logon. This is not a good practice. If a user 'accidentally' deletes his private key (yes, I have seen this done dozens of times), you will not be able to recover the files without a Recovery Agent.

2.  You do need to establish a recovery agent NOW. You cannot import the recovery agent's key into the users' encrypted files after they delete their private key. You must import the Recovery Agent certificate into your GPO and run the cipher /u command in a logon script to update the users' encrypted files with the RA certificate.

3.  Use the cipher /r command to create your own certificates. It will create two certificates: one is your public key that is imported into the GPO, the other is the private key that you secure offline... I say again, OFFLINE, in a secure place. I actually have three keys in case any get compromised.

Here are some links to get you started:

http://articles.techrepublic.com.com/5100-6329_11-5034476.html

http://support.microsoft.com/kb/887414
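The logon-script step from the comment above (run cipher /u so existing encrypted files pick up the Recovery Agent certificate published via GPO), written out as an added PowerShell example; this is not code from the thread, and the log location and the profile-scoped inventory are assumptions for illustration.

```powershell
# Added example (not from this thread): logon-script logic that inventories the
# user's EFS-encrypted files, runs "cipher /u" to refresh each file's key fields
# with the current user certificate and the GPO-published recovery agent (DRA)
# certificate, and logs the result. $LogDir is an assumed location.

$LogDir  = Join-Path $env:USERPROFILE 'efs-logs'
$LogFile = Join-Path $LogDir ("cipher-update-{0:yyyyMMdd}.log" -f (Get-Date))
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Get-EfsEncryptedFile {
    param([string]$Root)
    # The Encrypted file attribute is the flag EFS sets on a file; inventorying
    # it first makes the log show what cipher /u is expected to touch.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Update-EfsKeys {
    # cipher /u walks every local drive and rewrites the key fields of each
    # encrypted file the current logon can open. "cipher /u /n" would only list
    # the files without changing them, which is useful for a dry run.
    # Files the logon cannot decrypt (e.g. after an administrative password
    # reset on a local account) are reported, not fixed: only the recovery
    # agent can bring those back.
    $output = & cipher.exe /u 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

"== $(Get-Date -Format s) user=$env:USERNAME host=$env:COMPUTERNAME ==" |
    Out-File -FilePath $LogFile -Append

$before = @(Get-EfsEncryptedFile -Root $env:USERPROFILE)
"Encrypted files found under profile: $($before.Count)" | Out-File $LogFile -Append
$before | ForEach-Object { "  $($_.FullName)" } | Out-File $LogFile -Append

$result = Update-EfsKeys
"cipher /u exit code: $($result.ExitCode)" | Out-File $LogFile -Append
$result.Output | Out-File $LogFile -Append

# A non-zero exit code means at least one file still carries only its old key
# set; those are the files a recovery agent, not a password reset, must recover.
if ($result.ExitCode -ne 0) {
    Write-Warning "cipher /u reported problems; review $LogFile"
}
```

The recovery agent certificate itself is created beforehand with cipher /r, as the comment describes; the .cer is what goes into the GPO and the .pfx is what stays offline.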

Author Comment

by:spyder357
ID: 20419723
Actually, the certs are not on the local computer. We run a (Microsoft) certificate infrastructure (for VPN, wireless, EFS, webmail, etc.). The recovery agent is the domain administrator account along with my Domain Admin account. All keys are stored on the server and in Active Directory.
