Solved

Best practices when deploying PKI for simple EFS purposes in domain environment

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello everyone, I'm attempting to set up a means to encrypt data on machines within our domain; I've installed the Certificate Services on our DCs and have configured the first DC as the root certificate server and have the two other DCs set up to issue certificates to the client machines. I can see that the lower CAs have requested certificates from the root CA and as a client I can request a CA based on the default templates.

Originally I couldn't encrypt files on a client machine due to an expired Recovery Agent certificate, but I have sorted that out by creating two new recovery agents (two existing admin accounts) and imported those certificates into the Default Domain Policy GPOs for:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

After that I am able to encrypt files on the client machines. Everything is great except when it comes time to decrypt files; I tried to take a file that was encrypted on a client machine, move it to another, and decrypt it as a recovery agent but no luck.

After a bunch of troubleshooting (see this open question: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26897211.html)
I believe I've traced the problem back to that GPO not applying on the client machines. There is no recovery agent defined in their computer policies when the files are encrypted so the files can only be decrypted with the user's original key (unique to that user account on that particular computer).

I'm trying to sort out why that group policy is not applying, but in the meantime I thought I'd ask if I'm missing something else or if I'm even going about this the right way. Everything else I do with group policy works fine except for this, so I'm beginning to wonder if I'm going about it wrong to begin with.

Thanks in advance!
Question by:jostafew
LVL 61

Expert Comment

by:btan
ID: 35199264
You have a multi-tier CA, hence it should also push the subCA certificate as a trusted intermediate CA. Also assume the firewall is not blocking the push down. You could also try running "cipher /u" and that should update all encrypted files and folders on your workstation.

The default ACL on the EFSRecovery template lets only members of the Domain Admins and Enterprise Admins groups

Also understand that for Win2K3 and above, EFS is not controlled by the inclusion of the data recovery agent certificate in the GPO as in the old Win2K server. Therefore your steps should be correct.

Hence, you may want to run rsop.msc on a computer to see if it shows as configured via your domain Group Policy, and you can also examine the properties of an EFS file (Properties / Advanced / Details, or use efsinfo) to see if a recovery agent is associated with the EFS file.

Note that when EFS files are exported onto non-NTFS media the EFS protection may be removed inadvertently. This applies if you send the EFS file over the network too; it becomes plain.
 
LVL 61

Expert Comment

by:btan
ID: 35199313
Group Policy settings can be forced to refresh with the command gpupdate /force when run on the domain workstation.

See also this: http://www.windowskb.com/Uwe/Forum.aspx/windows-xp-security/37035/Recovery-Agent-configured-in-GPO-but-cannot-see-it
 
LVL 3

Author Comment

by:jostafew
ID: 35201343
Hello breadtan, thank you for the info on how to confirm things at the client side (it appears that was a big part of my problem). I ran rsop at the client and confirmed that the GPOs were applied correctly (was running gpedit.msc which was not getting the whole picture). I also looked at the details of the encrypted files and confirmed that the Recovery Agents' certificates are listed as well as the client's certificate.

Earlier on I confirmed that I can export the user's cert. and use it to decrypt files on another machine in a recovery scenario, but I'd rather not have to gather everyone's certificate, so the last part of my project is to be able to recover files using the Recovery Agent (which I am still working on). I assumed that if I were to log on to a system as the recovery agent I would have access to the user's encrypted material. This is not working. I'll continue to search for the correct procedure but if you have it handy it would be a great help.
 
LVL 61

Expert Comment

by:btan
ID: 35207157
If the encrypted file is done on a machine with the recovery agent already well defined, the file exported should rightfully be able to be decrypted by the recovery agent.
Check out this relevant info:
http://www.experts-exchange.com/Q_23858995.html

Once you assign the recovery agent in a GPO that contains users, you're set for whatever that GPO is applied to.
 
LVL 3

Author Comment

by:jostafew
ID: 35236278
Success, sort of... Breadtan, I read through that other E-E post you linked and within there was a link to a Microsoft article going over EFS. For some reason which I have yet to discover, I am not able to simply sign onto a system with the EFS account and decrypt files; however I am able to import the archived recovery key (once I learned how to do it properly) and decrypt the test user's files. Originally I was trying to import the key into the Personal Certificates, but no success. After reading the referenced article, simply double-clicking the .pfx file and following the import wizard would import the certificate in a manner that would allow me to decrypt the files. So, mission sort of accomplished; the user can request a key, use it to encrypt files, and as an admin I can retrieve the EFS key from a secure location and use it to decrypt the user's files without needing their key to do it.
 
LVL 61

Expert Comment

by:btan
ID: 35237300
Strange, though: the user account should be able to login as being a domain user admin. Nonetheless, having the pfx has the private keys installed into the machine to enable decryption too. The pfx file in this case is exportable; for some, in exporting this file, it is stated to be exportable. Probably has to attempt another admin user or machine. A check on the personal store can help you check if the user certificate is available too; more importantly, the availability of private keys...
 
LVL 3

Author Comment

by:jostafew
ID: 35261188
Hey breadtan, thank you for your reply; unfortunately I'm having a hard time understanding your last post, but I will do my best to respond.

I am able to login to Windows using the admin (also the EFS Recovery Agent) but am not able to decrypt a user's file. What I tried to do was place a folder containing files on a USB flash drive, and encrypt them from the test user's account. I then took that flash drive containing the encrypted files to another machine where I was signed in as the admin (EFS R.A.) and attempted to decrypt. It would not work until I opened the pfx file that I had previously exported when the GPO was created. I was trying to simulate recovering encrypted files from a hard drive on a non-booting system.

Could you explain a little more on how to check the personal store and to check the availability of private keys?

Thank you
 
LVL 61

Expert Comment

by:btan
ID: 35266771
For EFS to work, the file or folder must be located on an NTFS disk partition. By default, in XP Professional and later, EFS highlights encrypted files in green, but you can disable this behavior by choosing Tools, Folder Options in Windows Explorer, then clearing the "Show encrypted or compressed NTFS files in color" check box on the View tab. In a domain environment, the DRA is the domain administrator's account, not the local administrator account.

Try efsinfo to know more info about the EFS file. Also available in Sysinternals:

http://support.microsoft.com/kb/243026

See if this can help to know about the key:

http://www.stackoverflow.com/questions/657622/where-is-private-key
 
LVL 3

Author Comment

by:jostafew
ID: 35316434
Hey breadtan, thank you for the further info. I am tied up with another project for a few days but when I get back at this next week I will be sure to report my progress.
 
LVL 3

Author Comment

by:jostafew
ID: 35370771
Finally, I'm able to get back to this. Breadtan I fooled around with EFSINFO a bit and it seems to be reporting the same thing that I am seeing under file properties -> advanced -> Encrypt Details. I see my User account under the Users category and my two recovery agents listed.

My guess is that my problem has to do with me not understanding how the EFS system works (or should work) in a domain environment. It seems as if the certificates are being tied to the local user account instead of the domain account, so when I logon to a machine as the recovery agent the key that was generated with that account is not coming with it and therefore cannot act as EFS RA. Also when I logon with a user account and request a certificate, that cert does not come with the user when I logon at another workstation.

I may be misunderstanding how things are supposed to work, but I feel I should also mention that I do not have any Enterprise operating systems on my CAs; they are all 2k3, 2k3 R2, 2k8 R2 Standard Edition servers. I'm not sure if this is causing issues with certificates being published to Active Directory perhaps?
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 35406859
Pardon the long story; I am thinking through it sequentially to reflect....

Did a quick check on CA in Win2K3 standard and Enterprise. The latter (on top of the standard edition) supports the following:
- Create a certificate template
- Configure a certificate template for client autoenrollment
- Configure the CA to issue certificates based on the certificate template (Enterprise Edition if a version 2 certificate template is needed. Otherwise, Standard Edition; a version template means the template is able to be modified. Currently Win2K8 uses V3, which uses enhanced cryptography)

Reference @ http://technet.microsoft.com/en-us/library/cc875810.aspx

I do not see you needing the features above, even for the change of recovery agent, as it should be independent of edition. But we need to be sure that it is the domain policy of the "Public Key Policies" and not the local policy in all the GPO settings. This is already highlighted in your posting: it is the Default Domain (with your domain name tagged to it).

However, I am suspecting the gap maybe in autoenrollment. It allows you to configure clients to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring client interaction. A client does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the client.

@ http://technet.microsoft.com/en-us/library/cc787781%28WS.10%29.aspx

I am not totally sure if this is the root cause, but in the EFS context, I understand that if the certificates do not exist when the user logs on to the network and the user attempts to encrypt the file, the OS will build them automatically. It would mean retrieving or issuing the certificate if it does not exist locally or at the domain. For the EFS file, it is stated that the actual credentials' crypto keys (e.g. in the one user data decryption field and the many data recovery fields) are embedded in the file's streams (its alternate data streams). By default, if the owner's private key is unavailable (for example, because it is damaged), a recovery agent account can open the file by using the private key for recovery, which is applied to the data recovery field to unlock the actual file encryption key. It is not working as needed. Could it be that the certificate is not available locally and it is asking the domain to supply it, as the agent is roaming? But it is not doing it.... Manually we can do the importing of the agent's private key, but it is not supposed (or advised) to be on a domain machine.

@ http://technet.microsoft.com/en-us/library/cc962103.aspx
@ http://technet.microsoft.com/en-us/library/cc962099.aspx

Each user has a personal certificate store that contains certificates that are issued to that user. User certificates reside in (taking the example of Windows XP SP3 and below) Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates for each user profile. These certificates in the user profile are written to the user's personal store in the system registry each time the user logs on to the computer. For roaming profiles, the user's certificates are located on the domain controller so the certificates follow users when they log on to different computers in the domain. The policy can be viewed for local and domain (you should see the recovery agent cert).

@ http://technet.microsoft.com/en-us/library/cc962104.aspx

The troubleshooting of EFS is a useful reference as well, specifically the below excerpt for "I can't open files I have encrypted."

>>Make sure you have the correct EFS certificate and private key for the file. If it is an old file, the public key and private key set might no longer be available. Expired certificates and private keys are archived. However, users can delete archived certificates and private keys, or they might be damaged. If so, recover the file as described earlier in this chapter.

>>If the computer previously operated in stand-alone mode and is now a member of a domain, this can make a difference. The file might have been encrypted by using a local self-signed certificate issued by the computer, whereas the CA designated at the domain level is now the issuing authority.

@ http://technet.microsoft.com/en-us/library/cc962106.aspx
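To answer the earlier question about checking the personal store and the availability of private keys, and to relate that to the data decryption / data recovery fields described in the accepted solution, here is an added PowerShell example (it is not code from this thread or from Microsoft's documentation). It assumes Vista/2008 or later for "cipher /c" (on XP/2003 use efsinfo as suggested above), a hypothetical file path, and that "cipher /c" prints each certificate on a "Certificate thumbprint:" line.

```powershell
# Added example: does the logged-on account hold a key that can open this EFS file?
$efsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$recoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent) EKU

# 1. EFS / recovery certificates in the user's personal store, with private-key status.
$mine = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $role = $null
    if ($ekus -contains $recoveryOid) { $role = 'RecoveryAgent' }
    elseif ($ekus -contains $efsOid)  { $role = 'EfsUser' }
    if ($role) {
        New-Object PSObject -Property @{
            Role          = $role
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey   # $false means public cert only: cannot decrypt
        }
    }
}
$mine | Format-Table Role, HasPrivateKey, NotAfter, Subject -AutoSize

# 2. Certificates embedded in the file's DDF (users) and DRF (recovery agents).
$file   = 'C:\temp\secret.txt'             # hypothetical path to an encrypted file
$out    = cipher /c $file 2>&1 | Out-String
$onFile = [regex]::Matches($out, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpper() }

# 3. A match with a private key means this account can decrypt without the owner's key.
$usable = @($mine | Where-Object { $_.HasPrivateKey -and ($onFile -contains $_.Thumbprint) })
if ($usable.Count -gt 0) {
    "OK: $file can be decrypted here with " + (($usable | ForEach-Object { $_.Thumbprint }) -join ', ')
} else {
    "NO: none of the $(@($onFile).Count) certificate(s) on $file has a private key in this profile."
    "    Import the archived recovery agent .pfx (double-click it, run the wizard), then re-run."
}
```

Run it first as the user who encrypted the file and then as the recovery agent on the second machine; the "NO" branch is exactly the symptom described in this thread until the archived .pfx is imported.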
 
LVL 3

Author Comment

by:jostafew
ID: 35485597
Breadtan, thank you for the detailed reply. I'm working my way through all the info (here and in the attached references) in between crisis here and will report back when complete.
 
LVL 61

Expert Comment

by:btan
ID: 36104444
Not many comments from me, as the various options are supplied for consideration; also, if the best practices and requirements are adhered to, it would give more leads.
 
LVL 3

Author Comment

by:jostafew
ID: 36105388
I must apologize as this project has been put on the back-burner for the moment. Based on what I'd learned before and after going through some of the material Breadtan suggested, my feeling is that some of my issues are stemming from the fact that I'm not running an enterprise version of server as the main CA. That being said, I should have budget to install a new server (which will run 2008 R2 Enterprise) and move the existing machine elsewhere in the company. I hope to get that rolling in the next month or so. Once that's installed I intend to revisit the EFS project. Breadtan, I very much appreciate the time you've put into assisting me on this; my apologies for leaving things hanging.
 
LVL 61

Expert Comment

by:btan
ID: 36111851
Please keep us informed. Thanks.