Solved

EFS Data Recovery Agent

Posted on 2011-03-08
Last Modified: 2012-06-21
I am trying to set up EFS. I need to create a data recovery agent in group policy. When I try to create a data recovery agent I receive the following error:

Windows cannot create a data recovery agent.  The requested property value is empty.
Question by: RSUMarisa

Expert Comment by: Rich Rumble
http://technet.microsoft.com/en-us/library/cc776181%28WS.10%29.aspx
Sounds like you don't have a Certificate Authority or are not part of the right group... As consultants we try to get people not to use the EFS system, as it suffers from some security flaws (easy recovery in most cases) and requires a very large laundry list of best practices to secure properly. In addition to that it is not an easy system to use. We recommend TrueCrypt and/or password-protected archives like 7-Zip or WinZip.
-rich
Author Comment by: RSUMarisa
Rich, thank you for your response.

We do have a certificate authority and I am a member of the Domain Admins group, so I should have the appropriate permissions.

We did look into TrueCrypt and it seemed like a very user-friendly product. If we went with TrueCrypt, how would we recover the files if the user was no longer employed here?
Accepted Solution by: Rich Rumble
The often-cited drawback to TC is that once mounted, the password/keyfile/token can be changed by the person using it. Also, once mounted (password is given, keyfile is used or token is used) the volume is plain text to anyone who is able to browse to that "drive". So if you don't set NTFS permissions on the containing folder or on the "drive's" NTFS permissions (make sure you format the container with NTFS), then any person who can access the C$ share will likely be able to access whatever drive letter you assign to the volume.

Under the correct circumstances, however, this is an asset. I as the admin can control when the drive is open, and using NTFS permissions I can control who has access to it. When a user needs access, I open it up; when they don't, I close it down. Documents can still be copied out, or the contents of the documents can be pasted into other documents, but this is true of EFS files that the user has access to. If your EFS files have to be portable, like on the user's laptop, then you would need to know the password, keyfiles or the tokens used to encrypt the volume as well as its location. Physical tokens are typically easy to recover from term'd employees, but there is no hope of recovery in TC if any of those are lost or not backed up in some way, which for us is what we want. We make sure data in the container is backed up regularly, so even if someone locked us out or stole the data, we have our backups. EFS can be recovered by you and/or bad guys depending on the circumstances. If a LT is stolen the EFS data is theirs, plain and simple. If the HD is fully TC encrypted, or uses hardware encryption like the Seagate Momentus FDE drives.
-rich
Expert Comment by: btan
Agree with richrumble. EFS has one key limitation: if there is a mapped network drive configured with EFS, it is actually in plain text. See this
@ http://answers.microsoft.com/en-us/windows/forum/windows_7-security/why-is-a-shared-efs-file-transmitted-in-plain-text/3ced92ff-d7e4-428c-811f-7032a9dcdd79

But pertaining to the EFS issue, I suspect that either the template is not available or the CA is not reachable (try browsing to your CA, e.g. http://issuingca/certsrv) @ http://www.teach-it.no/oppgaver/To%20create%20a%20recovery%20agent%20account.htm

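The two causes raised in this thread (no reachable CA or wrong group membership, and the EFS Recovery Agent template not being published) can be checked from the admin workstation before retrying the Group Policy wizard. The following PowerShell script is an added example, not code from the thread; the CA config string `CAHOST\CA-NAME` and the output path `C:\DRA\efs-dra` are placeholders, and the template name `EFSRecovery` is the built-in ADCS name of the "EFS Recovery Agent" template.

```powershell
# Added example: pre-flight checks for creating an EFS Data Recovery Agent (DRA).
# Run in an elevated PowerShell session on a domain-joined admin workstation.
$caConfig     = 'CAHOST\CA-NAME'   # placeholder: "CA server\CA common name"
$templateName = 'EFSRecovery'      # template name of "EFS Recovery Agent" (built-in ADCS template)

# 1. Is the enterprise CA reachable? (certutil -ping contacts the CA's RPC/DCOM interface)
Write-Host "Pinging CA $caConfig ..."
& certutil.exe -config $caConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "CA not reachable. Check the CA service, firewall/RPC access and DNS for the CA host."
}

# 2. Does the CA actually issue the EFS Recovery Agent template?
#    certutil -CATemplates lists the templates published on that CA.
$published = (& certutil.exe -config $caConfig -CATemplates 2>&1) -join "`n"
if ($published -match $templateName) {
    Write-Host "Template '$templateName' is published on the CA."
} else {
    Write-Warning "Template '$templateName' is not published on the CA; publish it under Certificate Templates on the CA."
}

# 3. Is the current account in Domain Admins? (the wizard enrolls as the logged-on user,
#    so both group membership and the template's Enroll permission matter)
$groups = (& whoami.exe /groups) -join "`n"
if ($groups -match 'Domain Admins') {
    Write-Host "Running as a member of Domain Admins."
} else {
    Write-Warning "Not running as a Domain Admins member; the template's Enroll permission may deny the request."
}

# 4. Fallback when no CA is usable: cipher /r writes a self-signed DRA certificate (.cer)
#    and its private key (.pfx). The .cer is what you import in Group Policy under
#    Public Key Policies > Encrypting File System > Add Data Recovery Agent; the .pfx
#    must be stored offline, since it can decrypt every file the policy covers.
# New-Item -ItemType Directory -Path 'C:\DRA' -Force | Out-Null   # placeholder path
# & cipher.exe /r:C:\DRA\efs-dra
```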
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
It was TrueCrypt I was referring to. EFS may transmit in the clear when copying, or it used to in XP and prior unless WebDAV is used; there are a few other caveats to EFS that make it a poor choice in most situations. If files need to be portable, for instance, EFS is not a good choice over Zip/7-Zip password-protected archives or TrueCrypt-like programs. I'm off topic now, sorry... I'm not sure I've seen the error before, as I avoid EFS as much as possible and recommend others do the same.
-rich
Author Closing Comment by: RSUMarisa
Thanks for the info richrumble.