Having trouble Configuring EFS / Domain Account for Recovery Agent

Ladies and Gents,

I've recently tried to set up and test EFS in a test environment. I've got a couple of questions that I've been unable to find answers to. I've seen a lot of links to articles that people have recommended reading, but I'm still missing the boat at this point. For my test environment I've got two PCs (XP SP3) and a server running 2003 R2 SP2. The server is a domain controller. It's got Certificate Services installed as an enterprise root CA (second question about the best way to set up a CA later). I've got a domain controller cert installed on the DC, and I've got computer certs installed on the PCs.

How do I create a recovery agent for the domain so that this one account, and only this one account, can recover data? (I don't want the domain admin to be able to recover data, just the one recovery agent account.) In Group Policy, when I try to add a recovery agent I get an error to the tune of "The selected user has no certificates suitable for Encrypted File System recovery and cannot be added as a recovery agent. Select another user."

The end goal is to create file shares on the server that can be made available offline and that are also encrypted with EFS. Some shares will need to be accessed by all domain users, other shares will need to be accessed only by certain groups, and finally the profiles of users on their desktops should also be encrypted. I want the domain-wide recovery agent to be able to recover these files in the event that we need to do a forced password reset or we lose the user's password, etc.

My last question concerns the best, most secure way to set up the CA structure. Should my DC be an enterprise root CA, or should I create a stand-alone workgroup server to act as a root CA that can be turned off and put into a closet, and use that root CA to issue a certificate to my DCs, which can then issue EFS, computer, user certificates and so forth?

Thanks for the tips and info, everyone.

2 Solutions
Paranormastic (Cryptographic Engineer) commented:
Re: EFS:
In the Certificate Templates MMC, locate the EFS Recovery Agent template and assign Enroll permissions to the desired user account, and only them.  Others may have the Read permission, etc., but Enroll should be restricted.
In the Certificate Authority MMC, right-click/Publish the Certificate Templates folder and publish the EFS Recovery Agent template.
Log in as the user (or Run As for iexplore.exe) to issue the certificate by going to http://server/certsrv and choose the first option on each page, then select the EFS template from the dropdown.  You can then use this cert in GPO.

RE: CA setup:
1) Set up a 2-tier CA infrastructure, keeping the root CA offline.  You can have it connected via a small switch (e.g. Netgear, Linksys) over a 192.x network to the online CA to make scripting the publication of the root CRL easier.  Use the command 'certutil -crl' in the batch file and run it as a scheduled task every 1/2 of the time period that the CRL is valid for in the CA MMC.  This gives you time to recover in case of emergency.
2) Do not set up a CA on the DC.  It is best to use dedicated boxes for this.
3) For the offline root, do not join it to a domain so the admin and any other accounts do not expire.  Standard edition is fine for this, you can still configure as Enterprise CA.  For online issuing subordinate, use Enterprise Edition of the OS and create an Enterprise Subordinate CA.  Do not have the CA connected to the web.
4) After installing, go into the GUI and use the Backup CA option to backup all critical stuff for the CA.
5) If this is a larger environment (over 25,000 boxes) you might consider having 2 issuing CAs, one for machine certs and another for user certs.  This will keep the CA database down to a more manageable size.
6) After creating the root, deploy its certificate via GPO.  You can also set up a CRL distribution point to an externally accessible site so that you can send your root cert to 3rd party partners, etc., so they can validate your certs after they install your root cert in their environment.

If you have any more questions, let me know and I will get back tomorrow.
seanlabrie (Author) commented:
Man, am I glad I found you. I searched and searched, but I couldn't find answers as clear as the ones you've just given.

Some Follow ups:

1) On a 2-tier CA infrastructure, do you have to use Enterprise Edition of Windows for a CA to be an Enterprise Subordinate CA? If you don't have Enterprise Edition of Windows, what are your options?

2) Am I right to assume that all certificates that have been set up within a GPO are deployed out to each PC? Once the recovery agent's cert is in a GPO, will all PCs affected by that GPO have everything necessary for a recovery if needed? (Meaning, if a user quits and changes their password and I have to reset their password or disable their account, can I log in as the recovery agent and then take ownership of their files, or will I need to import a cert first, etc.? Also, if the recovery agent is not an admin, can I still use a domain admin account to give ownership of a set of files to the recovery agent even though the admin account cannot open those files because they are encrypted?)

3) I'm considering running the CAs, both the offline root and the Enterprise Subordinate, as VMs within Virtual Server 2005. From what I gather above, I'd want to have the ES (Enterprise Subordinate) with two NICs, one connected to the production network and one connected to a virtual network, and the offline root will only have 1 NIC connected to just the virtual network, right?

4) Thanks for the info on the externally published CRL, but I don't think I'll be using that. As for the normal CRL from the offline root, should that be located on a file server somewhere, or do I locate it on the root CA itself? Also, if it's moved to a file server, where do I configure the clients so they look back to that new location?

Thanks again for the help. Sorry for the 20 questions game; I'm pretty new to using the CA infrastructure and I'm going to need to be doing a lot of work with it soon, so I'm really trying to get a grasp on how to set this up correctly. I appreciate your help.

Paranormastic (Cryptographic Engineer) commented:
1) Technically you can still do an Enterprise Subordinate from Standard Edition, but some of the management features, particularly relating to templates, are restricted and it will become annoying quickly.  For working with EFS, you need to work with Enterprise Edition.  Here is a nice article re: this - there is a table about 15% down from the top that goes into the differences between OS versions.

2) Sort of.  The GPO should be assigned to user groups, not PCs.  The encryption is tied to the user, not the box.  That being said if they do not have their cert on a smartcard, they would need to export the cert from machineA (including private key) and import it onto machineB in order to decrypt data from that box.  Smartcards (or smart USB tokens) are the best solution, although they do tend to get expensive quickly.
Once you assign the recovery agent in GPO that contains users, you're set for whatever that GPO is applied to.
In a recovery process, the domain admin would reset the user password or take ownership of files and then assign minimum Write permissions for the EFS Data Recovery Agent (DRA) to decrypt it.  The DRA would then open it and resave it, or open Properties and clear the encryption box, as desired.  Note that the data recovery process does not check the CRL for the validity of the DRA cert, but normal EFS certs will be checked.  This is because you can't really 'go back' to encrypt something after the fact and may need to decrypt something years later.  i.e. even though the DRA cert expired, it can still be used to decrypt, but would need to be replaced for future encryption processes.  When it expires, the next time the file gets encrypted the DRA gets updated.

Here are some great articles - lengthy, but each has some very useful information.

3) Precisely.  Make sure to make multiple backups of those VM snapshots, as VM stuff is likely to get corrupted.  Big flash thumb drives are cheap now and are my current generalized recommendation.

4) The root CA's CRL must be in a network-accessible place for clients to validate that the issuing CA is still valid.  Likewise for the sub CA CRL, to validate that all the certs issued from it have not been revoked, or were revoked as the case may be.  When the certificate is issued, it contains the CRL Distribution Point (CDP) locations in it - places to check.  Plan this upfront to include locations accessible from WAN and LAN.  Like I mentioned, you could create a simple script to copy over the *.cr* files (CRL and CRT files) from the system32\certsrv\certenroll directory from root to sub CA, then from sub CA to a file server, web server, etc. as desired - the CDP locations.  When run from a script, you can make it so you give yourself plenty of overlap time so that a failure just before CRL publication does not cause dramatic issues.  Normally the CRL includes a very short overlap, I forget the % offhand but it's normally just a few extra hours, maybe a day for a longer CRL.  With scripting you can dramatically increase the allowed recovery period so you can think.

5) No problem - always glad to help.  PKI is a tougher subject to really understand than most people expect when they first look into it, and most don't have the luxury of time to really get it in-depth.
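The CRL publication script sketched in step 1) of the first answer and step 4) above, written out as an added example (not code from the thread): it forces a CRL issue with certutil -crl, copies the *.cr* files from certenroll to the CDP locations, and can register itself as a scheduled task at half the CRL lifetime. The share paths, log path, CRL validity and run-as account are placeholder assumptions; the account running the task needs write access to the target shares.

```powershell
# Added example, not from the thread. Run on the root CA (targets = sub CA share)
# and again on the sub CA (targets = file/web server shares that the CDP points at).
param(
    [string]$CertEnroll   = "$env:SystemRoot\system32\certsrv\certenroll",
    [string[]]$CdpTargets = @('\\SUBCA01\cdp$', '\\FILESRV01\pki$'),  # placeholders
    [int]$CrlValidDays    = 7,      # assumption: the CRL validity configured in the CA MMC
    [string]$LogFile      = 'C:\PKI\publish-crl.log',                 # placeholder
    [switch]$RegisterTask
)

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Publish-Crl {
    # certutil -crl makes the CA write a fresh base (and delta) CRL into certenroll
    $out = & certutil.exe -crl 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Log "certutil -crl failed: $out"; return $false }
    Write-Log 'CRL published'
    return $true
}

function Copy-CdpFiles {
    # The expert's "*.cr*" pattern picks up both the .crl files and the CA .crt file
    $files = Get-ChildItem -Path $CertEnroll -Filter '*.cr*' -File
    foreach ($target in $CdpTargets) {
        if (-not (Test-Path $target)) { Write-Log "CDP target unreachable: $target"; continue }
        foreach ($f in $files) {
            Copy-Item -Path $f.FullName -Destination $target -Force
            Write-Log "copied $($f.Name) -> $target"
        }
    }
}

if ($RegisterTask) {
    # Run every half CRL lifetime, so one missed run still leaves the old CRL valid
    $everyDays = [math]::Max(1, [int][math]::Floor($CrlValidDays / 2))
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    & schtasks.exe /Create /TN 'PKI\Publish-CRL' /SC DAILY /MO $everyDays /ST 02:00 /RU SYSTEM /TR $cmd /F
    Write-Log "scheduled task registered: every $everyDays day(s)"
    return
}

if (Publish-Crl) { Copy-CdpFiles }
```

Clients still need the CDP URLs in issued certificates to point at the copied files; this script only keeps those locations current.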
seanlabrie (Author) commented:
"Re: EFS:
In the Certificate Templates MMC, locate the EFS Recovery Agent template and assign Enroll permissions to the desired user account, and only them.  Others may have the Read permission, etc., but Enroll should be restricted.
In the Certificate Authority MMC, right-click/Publish the Certificate Templates folder and publish the EFS Recovery Agent template.
Log in as the user (or Run As for iexplore.exe) to issue the certificate by going to http://server/certsrv and choose the first option on each page, then select the EFS template from the dropdown.  You can then use this cert in GPO."

I can't right-click/Publish from the Certificate Templates folder within the Certificate Authority MMC; there is no option to do that.

Also, I can't get to http://server/certsrv; the page cannot be found. It also does not appear to be within IIS.

Paranormastic (Cryptographic Engineer) commented:
Was your CA set up as an Enterprise CA or a Stand-Alone CA?  That might explain the publish issues.  For certsrv to not show up in IIS.... that's strange.  Normally during installation it prompts you if you do not have IIS with the needed components installed.  I assume that you are pointing 'server' to the servername of the CA.  If it isn't showing up in IIS on the CA box, I would seriously consider reinstalling the CA if you don't have too many certificates issued already.  The only time this would be normal is if you had removed it after installing the CA - technically it is not necessary for operation, but it is handy.  In our environment we moved it to a separate web server to gain an additional level of obfuscation between the users and the CA, but this is not typical by any means - we run a few pretty high-end PKI environments here and do things a little more heavy duty than most companies require.

You can still manage the CA manually without certsrv, using the certreq and certutil utilities.
certreq -submit -attrib certificatetemplate:%templateName% -config %CA.Server.FQDN%\%CAName% -f %filename%.csr %filename%.cer >> SubmitCSR.log
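The certreq route above, carried through end to end as an added example (not the expert's script): it requests the EFS Recovery Agent certificate for the logged-on DRA account without the certsrv web pages, installs it, and exports the public half for the GPO. The CA config string and working directory are placeholder assumptions; the template's internal name EFSRecovery corresponds to the "EFS Recovery Agent" display name.

```powershell
# Added example, not from the thread. Run as the recovery agent account on a domain PC.
param(
    [string]$CaConfig = 'CA01.corp.example\Corp Issuing CA',   # placeholder: CA.Server.FQDN\CAName
    [string]$WorkDir  = "$env:USERPROFILE\dra-enroll"          # placeholder
)
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'dra.inf'
$req = Join-Path $WorkDir 'dra.req'
$cer = Join-Path $WorkDir 'dra.cer'

# certreq request definition: user-scoped key (MachineKeySet=FALSE) so the cert is
# tied to the DRA account, exportable so the key can be backed up and removed from the PC.
@'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=EFS Recovery Agent"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = EFSRecovery
'@ | Set-Content -Path $inf -Encoding ASCII

& certreq.exe -new $inf $req
if ($LASTEXITCODE) { throw 'certreq -new failed' }
# Returns the issued cert directly only if the template auto-issues; otherwise the
# request sits in Pending Requests on the CA until an administrator issues it.
& certreq.exe -submit -config $CaConfig $req $cer
if ($LASTEXITCODE) { throw 'certreq -submit failed (check Pending Requests on the CA)' }
& certreq.exe -accept $cer
if ($LASTEXITCODE) { throw 'certreq -accept failed' }

# Confirm the cert is in the user's Personal store with the File Recovery EKU
# (OID 1.3.6.1.4.1.311.10.3.4.1), which is what the GPO recovery-agent check looks for.
$dra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dra) { throw 'no File Recovery certificate found in CurrentUser\My' }

# Export the certificate without its private key; this .cer is what you add in
# Group Policy under Public Key Policies > Encrypting File System > Add Data Recovery Agent.
$pub = Join-Path $WorkDir 'dra-public.cer'
& certutil.exe -user -store My $dra.Thumbprint $pub
"DRA cert $($dra.Thumbprint) valid until $($dra.NotAfter); public cert at $pub"
```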
Paranormastic (Cryptographic Engineer) commented:
I'm just checking in on old posts today... Are you still having this issue?  If so, please let me know so I can help some more; if not, please close accordingly.