EFS Setup

Hi all,
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not set up EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
Dead_Eyes Asked:

McKnife Commented:
Hi Dead_Eyes.

May I ask why you would like to utilise EFS at all? Unless there are good reasons for using it, I would restrict its usage completely and deny it for anyone.
0
Dead_Eyes (Author) Commented:
I did pose this question to the powers that be, as files & folders are locked down with permissions and the disks in the SANs are encrypted as standard on a hardware level, but the "special projects" manager is having an e-safety moment and insisting they are allowed to encrypt files, so I am going to have to bend the knee for the moment :(
0
McKnife Commented:
As far as I know, there's no way to let only certain users use EFS via GPO. We could restrict the usage to certain PCs, and here http://www.alexheer.co.uk/it-blog/disable-efs-using-group-policy is the way to set up such a GPO. You see, the policy is per computer, not per user, so it would need to be applied to the computers of the users you don't want to use EFS.
0
Dead_Eyes (Author) Commented:
I thought that might be the case as I had found the same post. Not a problem, the GPO structure is flexible enough to easily disable EFS access to all but machines used by management staff. Just leaves the question of how to correctly set up EFS. Don't know if this will be a show stopper but I don't have an internal CA set up so it would have to be a self-signed certificate.
0
McKnife Commented:
The certificates are "just there", they are even there on non-domained machines. So users can encrypt without creating additional certificates for them. As for the recovery process, you need to set up a data recovery agent. I am not sure if that is so easy without a domain PKI/CA - I would need to google it myself.
0
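An added example, not part of the thread: a PowerShell audit that finds files already carrying the EFS attribute and records, per file, what `cipher /c` reports about who can decrypt it and which recovery certificates are attached, so files encrypted only under a local user certificate are found before the key is lost. The scan root and report path are assumptions; `cipher` output is localized, so it is stored raw rather than parsed.

```powershell
# Added example: inventory EFS-encrypted files and capture their decryption info.
# Assumptions: profiles live under C:\Users, the report path is writable,
# PowerShell 3.0 or later (for -Attributes), run from an elevated prompt.
param(
    [string]$Root       = 'C:\Users',
    [string]$ReportPath = "$env:TEMP\efs-inventory.csv"
)

# Shows whether EFS is disabled for NTFS on this machine (1) or still enabled (0).
fsutil behavior query disableencryption

# Every file under $Root with the NTFS Encrypted attribute set.
$encrypted = Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
    -Attributes Encrypted -ErrorAction SilentlyContinue

$report = foreach ($file in $encrypted) {
    # cipher /c lists the users who can decrypt the file and any recovery
    # certificates on it. Output is kept as-is because it varies by locale.
    $cipherInfo = (& cipher.exe /c $file.FullName 2>&1 | Out-String).Trim()

    # The owner is usually the user whose certificate encrypted the file.
    $owner = try { (Get-Acl -LiteralPath $file.FullName).Owner }
             catch { 'unknown' }

    [pscustomobject]@{
        Path       = $file.FullName
        Owner      = $owner
        LastWrite  = $file.LastWriteTime
        CipherInfo = $cipherInfo
    }
}

if ($report) {
    $report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -Encoding UTF8
    Write-Output ("{0} encrypted file(s) found, details in {1}" -f @($report).Count, $ReportPath)
} else {
    Write-Output "No EFS-encrypted files found under $Root"
}
```

Any file whose report entry shows no recovery certificate can only be opened with the encrypting user's own private key, which is the situation described in the original question.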
Dead_Eyes (Author) Commented:
After doing a little digging, you do indeed need an internal CA in order to get EFS set up correctly with nominated data recovery admins. I have pushed back on the political side and my manager agrees that the safeguards I have in place are more than adequate, so I think I may be in the clear.
0
Dead_Eyes (Author) Commented:
Question no longer relevant
0
McKnife Commented:
Fine. Honestly, there are not many scenarios where EFS adds security if, yes if, BitLocker is already used. And yes, we should use encrypted hard drives anywhere. If stakeholders think EFS is worth something, ask them who they think should be able to get their hands on those files when NTFS permissions already block. The answer will be "you admins" ;-) And these very admins are setting up data recovery agents for them...
0
Dead_Eyes (Author) Commented:
My thoughts exactly lol
0