Dead_Eyes (United Kingdom) asked:

EFS Setup

Hi all,
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not setup EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
Windows 10, Encryption

Last comment: Dead_Eyes, 8/22/2022 - Mon
McKnife

Hi Dead_Eyes.

May I ask why you would like to utilise EFS at all? Unless there are good reasons for using it, I would restrict its usage completely and deny it for anyone.
Dead_Eyes

ASKER
I did pose this question to the powers that be, as files & folders are locked down with permissions and the disks in the SANs are encrypted as standard on a hardware level, but the "special projects" manager is having an e-safety moment and insisting they are allowed to encrypt files, so I'm going to have to bend the knee for the moment :(
ASKER CERTIFIED SOLUTION
McKnife

Dead_Eyes

ASKER
I thought that might be the case as I had found the same post. Not a problem, the GPO structure is flexible enough to easily disable EFS access to all but machines used by management staff. That just leaves the question of how to correctly set up EFS. Don't know if this will be a show stopper, but I don't have an internal CA set up, so it would have to be a self-signed certificate.
McKnife

The certificates are "just there"; they are even there on non-domained machines. So users can encrypt without creating additional certificates for them. As for the recovery process, you need to set up a data recovery agent. I am not sure if that is so easy without a domain PKI/CA - I would need to google it myself.
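As an added example (not code from the thread or from either participant), the following PowerShell script audits the three things discussed in the two posts above: whether EFS is disabled by policy on the machine (the GPO setting the asker intends to roll out), which self-generated EFS certificates sit in the user's store, and which encrypted files exist and who holds a key that can decrypt them. The registry path and EKU OID are the documented Windows values; the scan root, the `-DisableEfs` switch and the script name are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt so the
# HKLM policy key can be read and (optionally) written.
# Assumptions: $ScanRoot defaults to the current user's Documents folder; -DisableEfs is a
# hypothetical switch that writes the same value the "Do not allow EFS" policy would set.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Documents",
    [switch]$DisableEfs
)

# 1. EFS policy state. Windows reads EfsConfiguration from this key: 1 = EFS disabled,
#    0 or absent = EFS allowed. A restart is required for a change to take effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

if ($DisableEfs) {
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EfsConfiguration -Value 1 -Type DWord
    "EfsConfiguration set to 1 (EFS disabled after restart)"
}

$efsConfig = (Get-ItemProperty -Path $policyKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
if ($efsConfig -eq 1) { "EFS policy: disabled" } else { "EFS policy: allowed (no disabling policy found)" }

# 2. Certificates usable for EFS in the user's personal store.
#    EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System. With no enterprise CA,
#    Windows auto-generates a self-signed one on first use, so Issuer equals Subject.
"`nEFS certificates in Cert:\CurrentUser\My:"
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize

# 3. Encrypted files under the scan root, and who can decrypt each one.
#    "cipher /c" lists the users and any data recovery agents holding a key for the file;
#    if only one user's self-signed certificate is listed, nobody else (admins included)
#    can recover it, which is the situation described in the original question.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue)
foreach ($f in $encrypted) {
    "`n== $($f.FullName)"
    cipher.exe /c $f.FullName
}
"`nEncrypted files found under ${ScanRoot}: $($encrypted.Count)"
```

Usage: `.\Audit-Efs.ps1` (hypothetical filename) reports the current state; `.\Audit-Efs.ps1 -DisableEfs` additionally writes the disabling policy value on the local machine, which is the per-machine equivalent of the GPO the asker plans to apply to non-management workstations. Step 3 is the check worth running before the policy goes out: any file whose `cipher /c` output lists only the user's own certificate and no recovery agent can only be opened with that user's key.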
Dead_Eyes

ASKER
After doing a little digging, you do indeed need an internal CA in order to get EFS set up correctly with nominated data recovery admins. I have pushed back on the political side and my manager agrees that the safeguards I have in place are more than adequate, so I think I may be in the clear.
Dead_Eyes

ASKER
Question no longer relevant
McKnife

Fine. Honestly, there are not many scenarios where EFS adds security if, yes if, BitLocker is already used. And yes, we should use encrypted hard drives anywhere. If stakeholders think EFS is worth something, ask them who they think should be able to get their hands on those files when NTFS permissions already block. The answer will be "you admins" ;-) And these very admins are setting up data recovery agents for them...
Dead_Eyes

ASKER
My thoughts exactly lol