EFS Setup

Dead_Eyes
Dead_Eyes used Ask the Experts™
on
Hi all,
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not setup EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

Commented:
Hi Dead_Eyes.

May I ask why you would like to utilise EFS at all? Unless there are good reason for using it, I would restrict its usage completely and deny it for anyone.

Author

Commented:
I did pose this question to the powers that be as files & folders are locked down with permissions and the disks in the SANs are encrypted as standard on a hardware level but the "special projects" manager is having a e-safety moment and insisting they are allowed to encrypt files so I going to have to bend the knee for the moment :(
Distinguished Expert 2018
Commented:
As far as I know, there's no way to let only certain users use EFS via GPO. We could restrict the usage to certain PCs and here http://www.alexheer.co.uk/it-blog/disable-efs-using-group-policy is the way to setup such a GPO. You see, the policy is per computer, not per user, so it would need to be applied to the computers of the users you don't want to use EFS.
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

Author

Commented:
I thought that might be the case as I had found the same post. Not a problem the GPO structure is flexable enough to easy disable EFS access to all but machines used by management staff. Just leaves the question of to correcly setup EFS. Don't know if this will be a show stopper but I don't have an internal CA setup so it would have be  a self signed certificate
Distinguished Expert 2018

Commented:
The certificates are "just there", they are even there on non-domained machines. So users can encrypt without creating additional certificates for them. As for the recovery process, you need to set up a data recovery agent I am not sure if that is so easy without a domain PKI/CA - I would need to google it myself.

Author

Commented:
After doing a little digging you do indeed need an internal CA in order to get EFS setup correctly with nominated data recovery admins. I have pushed back on the political side and my manager agrees that the safeguards I have in place are more than adequate so I think I may be in the clear

Author

Commented:
Question no longer relevant
Distinguished Expert 2018

Commented:
Fine. Honestly, there are not many scenarios where EFS adds security if, yes if, bitlocker is already used. And yes, we should use encrypted hard drives anywhere. If stakeholders think EFS is worth something, ask them who they think should be able to get their hands on those files when NTFS permissions already block. The answer will be "you admins" ;-) And these very admins are setting up data recovery agents for them...

Author

Commented:
My thoughts exactly lol

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial