We help IT Professionals succeed at work.

EFS Setup

Dead_Eyes
Dead_Eyes asked
on
231 Views
Last Modified: 2018-02-08
Hi all,
I need to configure EFS in our domain to achieve the following goals:
Allow only users in specified groups to encrypt files
Allow domain administrators to decrypt files
I have very little experience with EFS so need some help.
Backstory: I had a problem the other day where a user who had used the EFS attribute to encrypt a folder in their documents found they were unable to decrypt it and nor could a domain admin (I presume because it used a local computer cert to encrypt and because I had not setup EFS in the domain?). I recovered the files from a backup but it highlighted that I should have configured EFS.
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi Dead_Eyes.

May I ask why you would like to utilise EFS at all? Unless there are good reason for using it, I would restrict its usage completely and deny it for anyone.

Author

Commented:
I did pose this question to the powers that be as files & folders are locked down with permissions and the disks in the SANs are encrypted as standard on a hardware level but the "special projects" manager is having a e-safety moment and insisting they are allowed to encrypt files so I going to have to bend the knee for the moment :(
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
I thought that might be the case as I had found the same post. Not a problem the GPO structure is flexable enough to easy disable EFS access to all but machines used by management staff. Just leaves the question of to correcly setup EFS. Don't know if this will be a show stopper but I don't have an internal CA setup so it would have be  a self signed certificate
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The certificates are "just there", they are even there on non-domained machines. So users can encrypt without creating additional certificates for them. As for the recovery process, you need to set up a data recovery agent I am not sure if that is so easy without a domain PKI/CA - I would need to google it myself.

Author

Commented:
After doing a little digging you do indeed need an internal CA in order to get EFS setup correctly with nominated data recovery admins. I have pushed back on the political side and my manager agrees that the safeguards I have in place are more than adequate so I think I may be in the clear

Author

Commented:
Question no longer relevant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Fine. Honestly, there are not many scenarios where EFS adds security if, yes if, bitlocker is already used. And yes, we should use encrypted hard drives anywhere. If stakeholders think EFS is worth something, ask them who they think should be able to get their hands on those files when NTFS permissions already block. The answer will be "you admins" ;-) And these very admins are setting up data recovery agents for them...

Author

Commented:
My thoughts exactly lol