EFS Setup
Hi all,
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not setup EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not setup EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
Hi Dead_Eyes.
May I ask why you would like to utilise EFS at all? Unless there are good reason for using it, I would restrict its usage completely and deny it for anyone.
May I ask why you would like to utilise EFS at all? Unless there are good reason for using it, I would restrict its usage completely and deny it for anyone.
I did pose this question to the powers that be as files & folders are locked down with permissions and the disks in the SANs are encrypted as standard on a hardware level but the "special projects" manager is having a e-safety moment and insisting they are allowed to encrypt files so I going to have to bend the knee for the moment :(
I thought that might be the case as I had found the same post. Not a problem the GPO structure is flexable enough to easy disable EFS access to all but machines used by management staff. Just leaves the question of to correcly setup EFS. Don't know if this will be a show stopper but I don't have an internal CA setup so it would have be a self signed certificate
The certificates are "just there", they are even there on non-domained machines. So users can encrypt without creating additional certificates for them. As for the recovery process, you need to set up a data recovery agent I am not sure if that is so easy without a domain PKI/CA - I would need to google it myself.
After doing a little digging you do indeed need an internal CA in order to get EFS setup correctly with nominated data recovery admins. I have pushed back on the political side and my manager agrees that the safeguards I have in place are more than adequate so I think I may be in the clear
Fine. Honestly, there are not many scenarios where EFS adds security if, yes if, bitlocker is already used. And yes, we should use encrypted hard drives anywhere. If stakeholders think EFS is worth something, ask them who they think should be able to get their hands on those files when NTFS permissions already block. The answer will be "you admins" ;-) And these very admins are setting up data recovery agents for them...