Solved

EFS Encrypted File System Question Windows 2003 AD

Posted on 2007-11-30
351 Views
Last Modified: 2012-05-05
I'm allowing EFS for certain users on our network. I'm wondering, if the person leaves the company, whether the files would still be accessible to that username after a password change via the Active Directory Users and Computers tool.

Example.

Bob gets fired.... I.T. staff does not have his password. The Domain Admin changes his password so he can log on as Bob and view all of his files.... are EFS files still going to be viewable by that account, or does that invalidate the certificate?

Yes, I know I can use the Domain Admin account to decrypt the files, but sometimes we like to just rename an account to the new user who inherits a position.

I could set up a test user account, but it's usually less work to just ask the EE community.

Thanks - Spyder


Question by:spyder357
7 Comments
 
LVL 9

Expert Comment

by:Brugh
ID: 20385766
As with many MS protocols, it's apparently hit or miss... hehe

Taken from Technet.
http://technet.microsoft.com/en-us/library/bb457065.aspx

"Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning: Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users. "

hth
 - brugh


 

Author Comment

by:spyder357
ID: 20385775
Now that's with local users.... I'm talking about domain accounts.

 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 20385866
Disable the account while the employee is being terminated, then use the domain administrator account to decrypt the files. Check out this link for a simple explanation: https://confluence.cornell.edu/display/FSCNS/EFS+-+Encrypted+File+System

Author Comment

by:spyder357
ID: 20385885
I think everyone here is missing the point of the question.

I need to know if I, the admin, can change someone's password via AD and view their encrypted files while logged on as that user (with the new password).  

Thanks - Spyder
 
LVL 78

Accepted Solution

by: David Johnson, CD, MVP (earned 125 total points)
ID: 20386053
You have to recover the files to an unencrypted state using the recovery agent (domain admin account). If you change the password, the 'new user', as far as EFS is concerned, cannot read the files; only the original user or the recovery agent can decrypt the files. This is why you get the warning when you change the user's password. Users are stored as S-1-xxx-xxxx and not by name, and changes to the user account will change the S-1-xxx-xxx to something new.

It is poor policy to just change the password on employee termination. One disables the account until a new user needs the account; then you change the 'user info' fields, re-enable the account, and set the password to 'user must change password on next logon'.

I repeat: once the password has been changed, the previous user cannot access the files, but a domain admin can recover the files using the recovery agent.
 
LVL 3

Expert Comment

by:top_gizmo
ID: 20417395
1.  If you change the password and are using the SAME user account on the SAME computer, YES, you can read the files. The files were encrypted using a private key that was generated on that computer under that logon. This is not a good practice. If a user 'accidentally' deletes his private key (yes, I have seen this done dozens of times), you will not be able to recover the files without a Recovery Agent.

2.  You do need to establish a recovery agent NOW. You cannot import the recovery agent's key into the users' encrypted files after they delete their private key. You must import the Recovery Agent certificate into your GPO and run the cipher /u command in a logon script to update the users' encrypted files with the RA certificate.

3.  Use the cipher /r command to create your own certificates. It will create two certificates: one is your public key that is imported into the GPO, the other is the private key that you secure offline... I say again, OFFLINE, in a secure place. I actually have three keys in case any get compromised.

Here are some links to get you started:

http://articles.techrepublic.com.com/5100-6329_11-5034476.html

http://support.microsoft.com/kb/887414
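The recovery-agent lifecycle that the accepted solution (disable the account, let the recovery agent decrypt) and top_gizmo's three steps (cipher /r, GPO import, cipher /u from a logon script) describe, collected into one script. This is an added example, not code from the thread or from Microsoft; it only shells out to the documented cipher.exe and dsmod.exe switches. Assumptions: a domain-joined Windows XP/2003 machine with cipher.exe and the dsmod.exe support tool on PATH, the DRA holder logs on to the machine that stores the files after importing the .pfx into their personal certificate store, and the base name EFS-DRA, the distinguished name CN=Bob,OU=Staff,DC=example,DC=local and the folder D:\Profiles\bob are hypothetical placeholders.

```powershell
# EFS data recovery agent (DRA) lifecycle: create the DRA key, stamp it into
# existing encrypted files, then recover a leaver's files without ever
# resetting the leaver's password and logging on as them.
# Added example, not from the original thread. Names below are hypothetical.
param(
    [string]$Step       = "ListOnly",                          # NewKey | Update | ListOnly | Disable | Recover
    [string]$DraName    = "EFS-DRA",                           # hypothetical base name for cipher /r output
    [string]$UserDn     = "CN=Bob,OU=Staff,DC=example,DC=local", # hypothetical DN of the leaver
    [string]$ProfileDir = "D:\Profiles\bob"                    # hypothetical folder holding the leaver's files
)

# Step 1 (run once, on an offline machine): cipher /r writes <name>.cer, the public
# half that goes into the GPO under Computer Configuration > Windows Settings >
# Security Settings > Public Key Policies > Encrypting File System, and <name>.pfx,
# the private half that stays offline. cipher prompts for a password for the .pfx.
function New-EfsRecoveryAgentKey {
    param([string]$BaseName)
    cipher.exe /r:$BaseName
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
    Get-Item "$BaseName.cer", "$BaseName.pfx"
}

# Step 2 (from every user's logon script, after the GPO has applied): cipher /u
# touches all encrypted files on local drives so each one gets the current DRA's
# public key in its recovery field. /n lists the files without changing them.
function Update-EfsFilesForRecoveryAgent {
    param([switch]$WhatIf)
    if ($WhatIf) { cipher.exe /u /n } else { cipher.exe /u }
    if ($LASTEXITCODE -ne 0) { throw "cipher /u failed with exit code $LASTEXITCODE" }
}

# Step 3 (termination): disable the account instead of resetting the password.
function Disable-LeaverAccount {
    param([string]$Dn)
    dsmod.exe user $Dn -disabled yes
    if ($LASTEXITCODE -ne 0) { throw "dsmod failed with exit code $LASTEXITCODE" }
}

# Step 4 (as the DRA holder): list what is still encrypted, then decrypt in place.
# cipher with no /e or /d lists each file's state; encrypted files are flagged "E".
function Get-EfsEncryptedFiles {
    param([string]$Path)
    cipher.exe /s:$Path | Where-Object { $_ -match '^\s*E\s' }
}

# /d decrypts, /s recurses, /a includes files as well as directories, /i keeps going
# past files that fail (for example ones with no DRA entry, which need the user's key).
function Unprotect-LeaverFiles {
    param([string]$Path)
    cipher.exe /d /s:$Path /a /i
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
}

switch ($Step) {
    "NewKey"   { New-EfsRecoveryAgentKey -BaseName $DraName }
    "Update"   { Update-EfsFilesForRecoveryAgent }
    "ListOnly" { Update-EfsFilesForRecoveryAgent -WhatIf }
    "Disable"  { Disable-LeaverAccount -Dn $UserDn }
    "Recover"  { Get-EfsEncryptedFiles -Path $ProfileDir; Unprotect-LeaverFiles -Path $ProfileDir }
    default    { throw "Unknown step '$Step'" }
}
```

Run it as `.\efs-dra.ps1 -Step ListOnly` first: any file that `cipher /u /n` does not list was encrypted before the DRA policy applied and has not been touched since, so the recovery agent has no entry in it and only the original user's key can open it. That is the window top_gizmo warns about, and it closes only after `cipher /u` has run in each user's session.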
 

Author Comment

by:spyder357
ID: 20419723
Actually, the certs are not on the local computer. We run a (Microsoft) certificate infrastructure (for VPN, wireless, EFS, webmail, etc.). The recovery agent is the domain administrator account along with my Domain Admin account. All keys are stored on the server and in Active Directory.
