Solved

EFS Data Recovery Agent

Posted on 2011-03-08
1,497 Views
Last Modified: 2012-06-21
I am trying to set up EFS.  I need to create a data recovery agent in group policy.  When I try to create a data recovery agent I receive the following error:

Windows cannot create a data recovery agent.  The requested property value is empty.
Question by:RSUMarisa
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35082395
http://technet.microsoft.com/en-us/library/cc776181%28WS.10%29.aspx
Sounds like you don't have a Certificate Authority or are not part of the right group... As a consultant we try to get people to not use the EFS system, as it suffers from some security flaws (easy recovery in most cases) but requires a very large laundry list of best practices to secure properly. In addition to that, it is not an easy system to use. We recommend TrueCrypt and/or password-protected archives like 7zip or WinZip.
-rich
0
 

Author Comment

by:RSUMarisa
ID: 35099963
Rich, thank you for your response.  

We do have a certificate authority and I am a member of the Domain Admins group so I should have the appropriate permissions.  

We did look into TrueCrypt and it seemed like a very user friendly product.  If we went with TrueCrypt how would we recover the files if the user was no longer employed here?  
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 35101735
The often cited drawback to TC is that once mounted, the password/keyfile/token can be changed by the person using it. Also, once mounted (password is given, keyfile is used or token is used) the volume is plain text to anyone who is able to browse to that "drive". So if you don't set NTFS permissions on the containing folder or on the "drive's" NTFS permissions (make sure you format the container with NTFS), then any person who can access the C$ will likely be able to access whatever drive letter you assign to the volume.

Under the correct circumstances, however, this is an asset. I as the admin can control when the drive is open, and using NTFS permissions I can control who has access to it. When a user needs access, I open it up; when they don't, I close it down. Documents can still be copied out, or the contents of the documents can be pasted into other documents, but this is true of EFS files that the user has access to. If your EFS files have to be portable, like on the user's laptop, then you would need to know the password, keyfiles or the tokens used to encrypt the volume as well as its location. Physical tokens are typically easy to recover from term'd employees, but there is no hope of recovery in TC if any of those are lost or not backed up in some way, which for us is what we want; we make sure data in the container is backed up regularly, so even if someone locked us out or stole the data, we have our backups. EFS can be recovered by you and/or bad guys depending on the circumstances. If a LT is stolen, the EFS data is theirs, plain and simple. If the HD is fully TC encrypted, or uses hardware encryption like the Seagate Momentus FDE drives.
-rich
0
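The "admin opens it, admin closes it" TrueCrypt workflow from the accepted answer, with the NTFS lockdown it calls for, as an added PowerShell example (not code from the thread or from the TrueCrypt project). Everything named in it is an assumption: the TrueCrypt install path, the container file `D:\Secure\finance.tc` (already created and formatted NTFS inside TrueCrypt), the drive letter S, the AD group `CONTOSO\Finance-Data`, and the backup share. It must run elevated, since it rewrites the DACL on a volume root.

```powershell
# Added example, not code from the thread: mount an admin-controlled TrueCrypt
# container, restrict it with NTFS permissions, back it up, dismount.
# Assumptions (none are from the original post): paths, drive letter, group and
# backup share below are illustrative placeholders.

$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'   # assumed install path
$Container = 'D:\Secure\finance.tc'                         # assumed container file
$Letter    = 'S'                                            # drive letter to mount on
$Group     = 'CONTOSO\Finance-Data'                         # assumed AD group
$Backup    = '\\backup01\tc-backups\finance'                # assumed backup target

function Open-SecureContainer {
    # /v volume, /l drive letter, /q quit after mounting. /p (password) is left
    # out on purpose so TrueCrypt prompts: a password on the command line shows
    # up in process listings and in command-line auditing.
    $mountArgs = "/v `"$Container`" /l $Letter /q"
    Start-Process -FilePath $TrueCrypt -ArgumentList $mountArgs -Wait
    $root = "${Letter}:\"
    if (-not [System.IO.Directory]::Exists($root)) {
        throw "Mount of $Container on $root failed"
    }

    # Once mounted the volume is plain text to anyone who can reach the drive
    # letter (including via \\host\S$), so the NTFS DACL is the only thing
    # between the data and other users. A fresh NTFS volume grants Everyone,
    # Users and Authenticated Users by default; strip those first.
    icacls $root /remove:g 'Everyone' 'BUILTIN\Users' `
                           'NT AUTHORITY\Authenticated Users' 'CREATOR OWNER' | Out-Null
    # (OI)(CI) = inherit to files and subfolders; F = full control, M = modify.
    # /grant:r replaces any existing explicit grant for the same principal.
    icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                          'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                          "${Group}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $root" }
    icacls $root   # print the resulting DACL for the record
}

function Backup-SecureContainer {
    # Copy out while mounted, so a lost or changed password does not mean lost
    # data. The copy is plain text: $Backup must itself be an encrypted or
    # equally restricted location.
    robocopy "${Letter}:\" $Backup /MIR /COPY:DATS /R:1 /W:1 /NP
    # robocopy exit codes below 8 are success variants; 8 and above are failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit $LASTEXITCODE)" }
}

function Close-SecureContainer {
    # /d <letter> dismounts; /s suppresses dialogs so this works unattended.
    Start-Process -FilePath $TrueCrypt -ArgumentList "/d $Letter /q /s" -Wait
    if ([System.IO.Directory]::Exists("${Letter}:\")) {
        throw "Drive $Letter is still mounted (open file handles?)"
    }
}

Open-SecureContainer
Backup-SecureContainer
Close-SecureContainer
```

The DACL is applied only to the volume root; because the entries carry (OI)(CI) they are inherited by everything created inside, but files copied in with their own explicit ACEs keep those ACEs, so check with `icacls S:\ /T` after a bulk import. The dismount fails while any process holds a file open on the volume, which is the right behaviour: forcing it (`/f`) risks corrupting the container.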

 
LVL 63

Expert Comment

by:btan
ID: 35114892
Agree with richrumble. EFS has one key limitation, which is that if a mapped network drive is configured with EFS, the data is actually transmitted in plain text. See this
@ http://answers.microsoft.com/en-us/windows/forum/windows_7-security/why-is-a-shared-efs-file-transmitted-in-plain-text/3ced92ff-d7e4-428c-811f-7032a9dcdd79

But regarding the EFS issue, I suspect that either the template is not available or the CA is not reachable (try browsing to your CA, e.g. http://issuingca/certsrv) @ http://www.teach-it.no/oppgaver/To%20create%20a%20recovery%20agent%20account.htm

0
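The two checks btan points at (is an enterprise CA reachable, and does it publish the EFS Recovery Agent template), plus the CA-less fallback of generating the DRA certificate with `cipher.exe`, as an added PowerShell example (not code from the thread). Assumptions: it runs elevated on a domain-joined machine with the ActiveDirectory module (RSAT) installed, and the output path `C:\DRA\EFS-DRA` is a placeholder. It does not claim to explain the "requested property value is empty" message, which the thread never diagnoses.

```powershell
# Added example, not code from the thread: find the domain's enterprise CAs,
# ping each one, check whether it publishes the EFSRecovery template, and if
# none does, generate a self-signed DRA certificate with cipher /r.
# Assumptions: ActiveDirectory module available; $outBase is illustrative.

Import-Module ActiveDirectory

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$esBase  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
$outBase = 'C:\DRA\EFS-DRA'    # assumed: cipher writes EFS-DRA.cer and EFS-DRA.pfx here

# Enterprise CAs register themselves as pKIEnrollmentService objects in the
# configuration partition; certificateTemplates lists what each one issues.
$cas = Get-ADObject -SearchBase $esBase `
                    -Filter 'objectClass -eq "pKIEnrollmentService"' `
                    -Properties dNSHostName, certificateTemplates

$haveTemplate = $false
foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    Write-Host "CA: $config"

    # certutil -ping talks to the CA service over RPC/DCOM, which is what
    # enrollment needs; a browseable /certsrv page alone does not prove that.
    certutil -config $config -ping | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "  $config is not reachable over RPC (firewall? service stopped?)"
        continue
    }

    # The template's internal name is EFSRecovery (display name "EFS Recovery Agent").
    if ($ca.certificateTemplates -contains 'EFSRecovery') {
        Write-Host "  publishes EFSRecovery"
        $haveTemplate = $true
    } else {
        Write-Warning "  does not publish EFSRecovery; add it under Certificate Templates on the CA"
    }
}

if (-not $haveTemplate) {
    # Fallback that needs no CA at all: cipher /r writes <name>.cer (public half,
    # this is what goes into the GPO) and <name>.pfx (private key, it prompts for
    # a password). The .pfx IS the recovery key: store it offline, never on the
    # file servers it protects.
    New-Item -ItemType Directory -Path (Split-Path $outBase) -Force | Out-Null
    cipher "/r:$outBase"
    Write-Host "Generated $outBase.cer for the GPO and $outBase.pfx for offline storage"
}
```

Whichever route produced the `.cer`, it is added in the Group Policy editor under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System (right-click, Add Data Recovery Agent, Browse Folders). Files a user encrypted before the policy applied do not carry the new agent until they are touched again; `cipher /u` on the user's machine rewrites the recovery fields on existing EFS files without re-encrypting the data.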
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35121647
It was TrueCrypt I was referring to. EFS may transmit in the clear when copying, or it used to in XP and prior unless WebDAV is used; there are a few other caveats to EFS that make it a poor choice in most situations. If files need to be portable, for instance, EFS is not a good choice over Zip/7zip password-protected archives or TrueCrypt-like programs. I'm off topic now, sorry... I'm not sure I've seen the error before, as I avoid EFS as much as possible and recommend others do the same.
-rich
0
 

Author Closing Comment

by:RSUMarisa
ID: 35351783
Thanks for the info richrumble.
0
