Solved

EFS Encrypted File System Question Windows 2003 AD

Posted on 2007-11-30
354 Views
Last Modified: 2012-05-05
I'm allowing EFS for certain users on our network. I'm wondering if the person leaves the company, would the files still be accessible to that username after a password change via the Active Directory Users and Computers tool.

Example.

Bob gets fired. I.T. staff does not have his password. The Domain Admin changes his password so he can log on as Bob and view all of his files. Are EFS files still going to be viewable by that account, or does that invalidate the certificate?

Yes I know I can use the Domain Admin account to decrypt the files but sometimes we like to just rename an account to the new user who inherits a position.

I could setup a test user account but it's less work usually just to ask the EE community.

Thanks - Spyder

Question by:spyder357
7 Comments
 
LVL 9

Expert Comment

by:Brugh
ID: 20385766
As with many MS protocols, it's apparently hit or miss... hehe

Taken from Technet.
http://technet.microsoft.com/en-us/library/bb457065.aspx

"Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users. "

hth
 - brugh



Author Comment

by:spyder357
ID: 20385775
Now that's with local users. I'm talking about domain accounts.

LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 20385866
Disable the account while the employee is being terminated, then use the domain administrator account to decrypt the files. Check out this link for a simple explanation: https://confluence.cornell.edu/display/FSCNS/EFS+-+Encrypted+File+System
Author Comment

by:spyder357
ID: 20385885
I think everyone here is missing the point of the question.

I need to know if I, the admin, can change someone's password via AD and view their encrypted files while logged on as that user (with the new password).  

Thanks - Spyder
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 125 total points
ID: 20386053
You have to recover the files to an unencrypted state using the recovery agent (domain admin account). If you change the password, the 'new user', as far as EFS is concerned, cannot read the files; only the original user or the recovery agent can decrypt the files. This is why you get the warning when you change the user's password. Users are stored as S-1-xxx-xxxx and not by name, and changes to the user account will change the S-1-xxx-xxx to something new.

It is poor policy to just change the password on employee termination. One disables the account until a new user needs the account, then you change the 'user info' fields, re-enable the account and set the password to 'user must change password on next logon'.

I repeat: once the password has been changed, the previous user cannot access the files, but a domain admin can recover the files using the recovery agent.
LVL 3

Expert Comment

by:top_gizmo
ID: 20417395
1.  If you change the password and are using the SAME user account on the SAME computer, YES, you can read the files. The files were encrypted using a private key that was generated on that computer under that logon. This is not a good practice. If a user 'accidentally' deletes his private key (yes, I have seen this done dozens of times), you will not be able to recover the files without a Recovery Agent.

2.  You do need to establish a recovery agent NOW. You cannot import the recovery agent's key into the users' encrypted files after they delete their private key. You must import the Recovery Agent certificate into your GPO and run the cipher /u command in a logon script to update the users' encrypted files with the RA certificate.

3.  Use the cipher /r command to create your own certificates. It will create two files, one is your public key (certificate) that is imported into the GPO, the other is the private key that you secure offline... I say again... OFFLINE, in a secure place. I actually have three keys in case any get compromised.

Here are some links to get you started:

http://articles.techrepublic.com.com/5100-6329_11-5034476.html

http://support.microsoft.com/kb/887414
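The two cipher.exe steps in the comment above (generate a recovery agent key pair with cipher /r, then refresh existing encrypted files with cipher /u once the RA certificate is in Group Policy) can be wrapped in a small script. The following PowerShell is an added example written for this page; it is not code posted by top_gizmo or any other participant, and it does not come from Microsoft. It assumes the built-in cipher.exe, a hypothetical scan root under the user's profile, and an admin-chosen output name for the recovery agent files; the -Refresh switch is the part that would run from a logon script, while New-EfsRecoveryAgent is run once by the administrator and prompts interactively for the .pfx password.

```powershell
# Added example (not from the thread): audit EFS-encrypted files, optionally
# refresh them against the current recovery agent, and (admin-only) generate
# a recovery agent certificate/key pair with cipher /r.
# Assumed: cipher.exe is present (built into Windows 2000 and later);
# $ScanRoot is a placeholder path, adjust for your environment.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Documents",  # assumed scan root
    [switch]$Refresh                                    # run cipher /u (logon-script mode)
)

# Return every file under $Path whose NTFS Encrypted attribute is set.
# EFS marks files with FileAttributes.Encrypted, so this finds EFS-protected
# files without touching their contents.
function Get-EfsFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

# Administrator step from point 3 above: cipher /r:<name> writes <name>.cer
# (public certificate, to be imported as the DRA in the GPO) and <name>.pfx
# (private key, to be stored offline). cipher prompts for the .pfx password.
function New-EfsRecoveryAgent {
    param([Parameter(Mandatory)][string]$BaseName)   # e.g. "EFS-RA-2007" (assumed)
    & cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
    Write-Output "Created $BaseName.cer (import into GPO) and $BaseName.pfx (keep OFFLINE)"
}

# Audit: list encrypted files so the admin knows what cipher /u will touch.
$encrypted = @(Get-EfsFiles -Path $ScanRoot)
Write-Output ("{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $ScanRoot)
$encrypted | ForEach-Object { Write-Output ("  " + $_.FullName) }

if ($Refresh) {
    # cipher /u walks all encrypted files on local drives and rewrites their
    # key fields with the user's current EFS certificate and the recovery
    # agent certificate(s) currently in policy. This must run as the file
    # owner (hence a logon script), because only a holder of a valid key can
    # re-wrap the file encryption key. cipher /u /n would only list the files.
    $log = Join-Path $env:TEMP 'efs-refresh.log'
    & cipher.exe /u 2>&1 | Tee-Object -FilePath $log
    Write-Output "cipher /u exit code: $LASTEXITCODE (log: $log)"
}
```

Running the script without -Refresh is a read-only audit; a non-zero count of encrypted files whose owner has left is exactly the situation where the recovery agent, not a password reset, is the supported way back in. Deploy the .cer through Group Policy before scheduling the -Refresh run, since cipher /u can only add a recovery agent that is already in effective policy.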

Author Comment

by:spyder357
ID: 20419723
Actually the certs are not on the local computer.  We run a (microsoft) certificate infrastructure (for VPN, wireless, EFS, webmail,etc).  The recovery agent is the domain administrator account along with my Domain Admin account.  All keys are stored on the server and active directory.  