Basic EFS template from Enterprise CA running on our DC

I have an enterprise CA running on one of my DCs which is issuing certificates based on the Basic EFS and Domain Controller templates. I can't quite figure out how/why the requests are coming in. Does anyone know how to pursue determining this? I can tell you that we also run RADIUS on this box for VPN clients and also for wireless authentication. Possibly related? Thanks so much.
1 Solution
Paranormastic (Cryptographic Engineer) commented:
If that's all that is running, I'm going to guess that this is a Win2k box? Usually there would be 3 certs issued for DCs on a 2003 CA.

Domain Controller gets advertised normally on an Enterprise CA. Basic EFS would have been added at some point by someone. This and the DC template are probably running as Automatic Certificate Request Settings (ACRS); ACRS was the Windows 2000 way of handling autoenrollment before 2003 came around and did it better.

Anyways, are you just wondering how it got there, or do you want to get rid of them or what exactly are you hoping to get out of this?

If you just want to know how it goes about things:
Certificate Templates MMC (certtmpl.msc): all of the templates in AD, regardless of which CA uses them, if any. Check here to find the template and view the security permissions. Note that it may take a few minutes for AD to replicate changes.

Certification Authority MMC (certsrv.msc): the CA management console. Check here to view issued and revoked certs, and also the Certificate Templates folder for which templates are associated with this CA. To add another template from the Cert Templates area: right-click the Certificate Templates folder here, All Tasks, New Template to Issue..., and select from the list. To remove one, highlight it and delete (this only deletes it from the CA; the template remains unchanged in AD even if no CA servers are using it). Again, note that it may take a few minutes for AD to replicate changes.

For EFS: I advise caution if you are using EFS. It can be a fine technology, but it does have a number of caveats (which is why some people that have been bitten by it swear against it). First and foremost would be whether you have an EFS DRA (data recovery agent) certificate created and deployed through GPO. If you do not, then I recommend against removing EFS from your enterprise if any EFS certificates have been issued; you may render important or sensitive data unusable. If you need more information on how to go about this, please ask.
marksheeks (Author) commented:
Well, I'm running 2k3 but see only the 2 certs and a few web certs. I'm very new to certificates. It was a surprise to find this and I'd honestly like to stop using certs since I'm not aware of a specific deliberate reason that we are using them. There's no EFS recovery agent that I'm aware of. Are EFS certs used for anything else? It's hard for me to believe that all the people who received them actually tried to encrypt something on their hard disk (because of who these users are). I want to determine why they exist basically. Our forest has been raised to a native 2003 functional level. Should CA be running on our GC, and do domain services need it at all, or can it just go away unless we prove that it's in use? Thanks much.
Paranormastic (Cryptographic Engineer) commented:
Normally you should be issuing Domain Controller, Domain Controller Authentication, and Directory Email Replication certificates for all of your DCs for 2003; I'm guessing that the functional level was increased to 2003 after the CA was installed. Not a huge thing if it isn't that way unless you start to run into problems; many smaller companies have their DCs at one site and don't need to worry about the rest.

Normally it is advisable not to run your CA on your DC. There are many reasons for this, but usually the main stickler is that it makes running dcpromo a very messy process, since you have to uninstall and reinstall the CA at that point; this gets in the way of demoting a DC and running service packs, for example.

The DC certs are easy enough to get rid of if done properly. This is just automatic stuff and will revert to self-signed certs like the CA was never installed if you decom properly. I will provide a link at the end if you wish to decommission your CA.

EFS, however, will require some research on your part before getting rid of it. If you get rid of this without proper preparation it can have negative repercussions. Whoever set up the CA may have done more, like setting up something to encrypt My Documents. EFS is usually done as a response to SOX and HIPAA preparation by an admin, so the general knowledge level of the users may not necessarily be a factor here.

First you can determine what EFS certificates have been issued. In the Certification Authority MMC (certsrv.msc) you can select the Issued Certificates folder, right-click, View, Filter. Define the filter to narrow by Certificate Template = EFS (not Basic EFS, which is the friendly name, but EFS, which is the template identifier); you can narrow by dates if you wish. You can then right-click the Issued Certificates folder and Export List and save it as .csv for Excel. It is easier to search in Excel than figuring out the nuances of the filtering in the CA MMC.

Next, determine a user account (see if yours happens to be one of them...) and then, while they are logged in, run this from a cmd line:
cipher /u /n > c:\temp\EFS.log

This will search the entire hard drive (it can be run from any directory) for EFS-encrypted files and will save a log file in the directory specified for you to look at. You could also set this to run as part of a logon script and save the log file to a network share for easy retrieval. Use the log file to get an idea of how EFS is actually being used, to determine if you need to keep it.

Next, you can create an EFS data recovery agent. This can be done through the CA, but you may find it easier to do it outside of the CA, as there is less maintenance involved over time. The CA-issued DRA cert can be revoked, which makes it more secure, but must be updated every couple of years. The cipher-issued DRA cert will have a very long validity period, but cannot be revoked. If you take proper precautions to protect the private key for the DRA cert, then this is not normally an issue.

To create outside of the CA:
cipher /r:filename
Supply a filename in the command and a very secure password at the prompt.
This will create two files in the folder it ran in: %filename%.cer and %filename%.pfx. The .cer file you can put into GPO to enforce usage of the DRA for all your users.

Afterwards, you can script cipher /u to run on all EFS systems, and this will force all EFS-encrypted files to get updated to actually use the EFS DRA; otherwise it would only happen when/if they open the file next time, so it is not guaranteed.

Make at least 2 copies of the .pfx file and then delete it from your hard drive. Keep them on a flash drive or other removable media that you can keep locked up. You will need this to decrypt files when needed, so don't lose the password; seal it in an envelope with the flash drive or something to make it tamper-evident.
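The procedure in the answer above (inventory the CA's templates and issued EFS certificates, scan clients for encrypted files, create a DRA outside the CA and get the private key off the box) as one PowerShell script. This is an added example, not code from the original thread or from the CA product. It assumes you run it elevated on the CA for the certutil steps, that \\fileserver\efslogs$ is a hypothetical admin-only share for the client logs, that EFSDRA is an arbitrary DRA file name, and that E:\ and F:\ are hypothetical removable drives; change those to suit.

```powershell
# Added example (not from the original thread): EFS inventory and offline DRA creation.
# Assumptions: run elevated on the CA for the certutil steps; the log share, DRA name and
# removable drive letters below are placeholders, not values from the thread.
param(
    [string]$LogShare         = '\\fileserver\efslogs$',  # assumption: admin-writable share
    [string]$DraName          = 'EFSDRA',                 # assumption: any file name works
    [string[]]$RemovableDrives = @('E:\', 'F:\')          # assumption: two locked-up USB sticks
)

# Step 0: which templates does this CA actually offer? (certsrv.msc -> Certificate Templates)
# certutil -CATemplates prints lines like "EFS: Basic EFS -- Auto-Enroll: ..."; the part
# before the colon is the template identifier, which is what the database filter needs.
function Get-CaTemplateNames {
    certutil -CATemplates | ForEach-Object {
        if ($_ -match '^(\S+):') { $Matches[1] }
    }
}

# Step 1: every certificate this CA issued from the EFS template (the MMC filter + Export List
# done from the command line). The restriction uses the identifier "EFS", not the display
# name "Basic EFS"; Disposition=20 limits the view to issued certificates.
function Get-IssuedEfsCerts {
    $csv = Join-Path $env:TEMP 'efs-issued.csv'
    certutil -view -restrict "CertificateTemplate=EFS,Disposition=20" `
        -out "RequestID,RequesterName,NotBefore,NotAfter,SerialNumber" csv |
        Out-File -FilePath $csv -Encoding utf8
    Import-Csv $csv     # one row per issued EFS cert; RequesterName tells you who enrolled
}

# Step 2 (run on each client, e.g. from a logon script): list EFS-encrypted files without
# modifying them. cipher /u /n prints one absolute path per encrypted file; the attribute
# check on the profile is an independent cross-check that does not rely on cipher's output.
function Find-EncryptedFiles {
    param([string]$CrossCheckPath = $env:USERPROFILE)
    $out   = & cipher.exe /u /n 2>&1 | ForEach-Object { "$_" }
    $paths = $out | Where-Object { $_ -match '^[A-Za-z]:\\' }
    $byAttr = Get-ChildItem -Path $CrossCheckPath -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
    $log = Join-Path $LogShare ('{0}-{1}.log' -f $env:COMPUTERNAME, $env:USERNAME)
    $out | Out-File -FilePath $log -Encoding unicode
    [pscustomobject]@{ CipherPaths = @($paths); AttributePaths = @($byAttr) }
}

# Step 3: create the DRA outside the CA. cipher /r:<name> prompts for a PFX password and
# writes <name>.cer (public half, goes into the GPO) and <name>.pfx (private key, must go
# offline). Copy the PFX to each removable drive, delete it, then wipe free space on the
# volume so the deleted PFX cannot be carved back off the disk.
function New-OfflineDra {
    $work = Join-Path $env:TEMP 'dra'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    Push-Location $work
    try {
        & cipher.exe "/r:$DraName"                     # interactive password prompt
        $pfx = Join-Path $work "$DraName.pfx"
        $cer = Join-Path $work "$DraName.cer"
        if (-not (Test-Path $pfx)) { throw "cipher /r did not produce $pfx" }
        foreach ($drive in $RemovableDrives) {
            Copy-Item -Path $pfx -Destination (Join-Path $drive "$DraName.pfx")
        }
        Remove-Item -Path $pfx -Force
        & cipher.exe "/w:$work"                        # slow: overwrites all free space on the volume
        return $cer                                    # import this .cer as the DRA in the GPO
    } finally {
        Pop-Location
    }
}

# Step 4 (run on each client after the GPO with the new DRA has applied): rewrite every
# encrypted file so it carries the new DRA now, rather than whenever the user next opens it.
function Update-EfsFilesWithDra {
    & cipher.exe /u
}
```

Dot-source the script (`. .\Efs-Inventory.ps1`) and call the functions in order: Get-CaTemplateNames and Get-IssuedEfsCerts on the CA, Find-EncryptedFiles from a logon script, then New-OfflineDra once you have decided to keep EFS. The .cer it returns is imported under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System in the GPO; only after that policy has applied does Update-EfsFilesWithDra do anything useful.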
marksheeks (Author) commented:
So far, no results from the log File. Thank you for the education. This is invaluable to me.
From the client perspective: I tried attempting to encrypt a file, but the error stated that there was no valid recovery certificate. We have not had a recovery cert in some time as far as I can tell, and so I'm thinking that our users can't use EFS on the network. Their My Docs redirect GPO does not appear to include any EFS stuff. How might these users be pulling certs, and would they even notice if I expired them all? I may establish a test case, but I can't seem to do anything that forces a new cert to be issued. As far as the DCs, yes, we came from a Win2k domain that was upgraded. If I removed the CA, is it possible that life would continue as usual and the DCs would self-issue whatever they needed to communicate with each other, as you alluded to? Thanks
Paranormastic (Cryptographic Engineer) commented:
It may have been that there was a recovery certificate issued from the CA that was put into GPO and used at one point in time. Basically, old files can still be opened and modified, but you just couldn't create new ones. So it is possible that an old encrypted file has just been getting updated occasionally for the last 5 years or whatever.

Revoking all the certs is risky until you complete the assessment. I would suggest backing up the CA first, in case you need to roll back and restore the database to a prior unrevoked state. Expired certs will not cause as many issues for the user as a revoked cert.

Yes, if you properly decom the CA then the DCs would revert to operating as if the CA was never installed. I would still recommend off hours on this one to be on the safe side, but it should go pretty smoothly.

How to decom a CA server properly from AD:
marksheeks (Author) commented:
You rock dude. Thank you! My journey continues.