Managing Encryption Recovery Policy


If you're an administrator for an organization that uses the Encrypting File System (EFS), your disaster recovery planning must include additional procedures and preparations. You'll need to consider how to handle issues related to personal encryption certificates, EFS recovery agents, and EFS recovery policy. These issues are discussed in the sections that follow.

Understanding Encryption Certificates and Recovery Policy

File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the person who encrypted the file. Before other users can read an encrypted file, that user must decrypt it.

Every file that's encrypted has a unique encryption key. This means that encrypted files can be copied, moved, and renamed just like any other file, and in most cases these actions don't affect the encryption of the data. The user who encrypted the file always has access to it, provided the user's public-key certificate is available on the computer that the user is using. For this user the encryption and decryption process is handled automatically and is transparent.

The process that handles encryption and decryption is called the Encrypting File System (EFS). The default setup for EFS allows users to encrypt files without needing special permission. Files are encrypted using a public/private key pair that EFS generates automatically on a per-user basis. The encryption algorithm used is the expanded Data Encryption Standard (DESX), which is enforced using 56-bit encryption by default. For stricter security, North American users can order the Enhanced CryptoPAK from Microsoft. The Enhanced CryptoPAK provides 128-bit encryption. Files that use 128-bit encryption can be used only on a system that supports 128-bit encryption.

Encryption certificates are stored as part of the data in user profiles. If a user works with multiple computers and wants to use encryption, an administrator will need to configure a roaming profile for that user. A roaming profile ensures that the user's profile data and public-key certificates are accessible from other computers. Without this, users won't be able to access their encrypted files on another computer.

Tip

An alternative to a roaming profile is to copy the user's encryption certificate to the computers the user uses. You can do this using the certificate backup and restore process discussed later in this chapter. Simply back up the certificate on the user's original computer and then restore the certificate on each of the other computers the user logs on to.


EFS has a built-in data recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered in the event a user's public-key certificate is lost or deleted. The most common scenario in which this occurs is when a user leaves the company and the associated user account is deleted. Although a manager might be able to log on to the user's account before it's deleted, check files, and save important files to other folders, the encrypted files will remain accessible afterward only if the encryption is removed or the files are moved to a FAT or FAT32 volume (where encryption isn't supported).

To access encrypted files after the user account has been deleted, you'll need to use a recovery agent. Recovery agents have access to the file encryption key that's necessary to unlock data in encrypted files. To protect sensitive data, recovery agents don't, however, have access to a user's private key or any private key information.

Windows Server 2003 won't encrypt files without designated EFS recovery agents. For this reason, recovery agents are designated automatically and the necessary recovery certificates are generated automatically as well. This ensures that encrypted files can always be recovered.

EFS recovery agents are configured at two levels:

  • Domain

    The recovery agent for a domain is configured automatically when the first Windows Server 2003 domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.

  • Local computer

    When a computer is part of a workgroup or in a stand-alone configuration, the recovery agent is the administrator of the local computer by default. You can designate additional recovery agents. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from the Group Policy for the domain.

You can delete recovery policies if you don't want them to be available. However, if you delete all recovery policies, EFS will no longer encrypt files. Recovery agents must be configured for EFS to function.
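The sections above describe three rules that are worth seeing in working code: every file gets its own encryption key, a recovery agent can decrypt the file without ever holding the owner's private key, and EFS refuses to encrypt when the recovery policy is empty. The following Python model is an added example, not code from the book or from Microsoft. It stands in textbook RSA on fixed Mersenne primes for the real public-key cipher and an HMAC-SHA256 keystream for DESX; the user names, the sample file content and the keys are all constructed for the demo and are not secure. The names DDF (Data Decryption Field) and DRF (Data Recovery Field) are the terms EFS uses for the wrapped copies of the file key.

```python
"""Toy model of the EFS key hierarchy (added example, not the book's code).

Each file gets a random File Encryption Key (FEK). The FEK is wrapped with the
owner's public key (DDF) and with every recovery agent's public key (DRF).
Textbook RSA on known Mersenne primes and an HMAC-SHA256 keystream are
constructed stand-ins for the real ciphers and are NOT secure.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus
    e: int  # public exponent
    d: int  # private exponent (stays in the owner's profile)

    @property
    def public(self) -> tuple[int, int]:
        return (self.n, self.e)


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA from two known primes (toy key generation, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))  # raises ValueError if e is not invertible


def wrap_fek(fek: bytes, public: tuple[int, int]) -> int:
    """Encrypt the 128-bit FEK to one recipient's public key."""
    n, e = public
    m = int.from_bytes(fek, "big")
    assert m < n, "FEK must be smaller than the modulus"
    return pow(m, e, n)


def unwrap_fek(wrapped: int, key: KeyPair) -> bytes:
    """Recover the FEK with the recipient's own private key."""
    return pow(wrapped, key.d, key.n).to_bytes(16, "big")


def _keystream(fek: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(fek, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(fek, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: dict[str, int]  # owner name -> FEK wrapped with the owner's public key
    drf: dict[str, int]  # recovery agent name -> FEK wrapped with the agent's public key


def encrypt_file(plaintext: bytes, owner: str, owner_public: tuple[int, int],
                 recovery_agents: dict[str, tuple[int, int]]) -> EncryptedFile:
    """Mirrors the policy rule: with no designated recovery agent, EFS won't encrypt."""
    if not recovery_agents:
        raise RuntimeError("recovery policy is empty; encryption disabled")
    fek = secrets.token_bytes(16)  # fresh key for every file
    ciphertext = _xor(plaintext, _keystream(fek, len(plaintext)))
    return EncryptedFile(
        ciphertext,
        ddf={owner: wrap_fek(fek, owner_public)},
        drf={name: wrap_fek(fek, pub) for name, pub in recovery_agents.items()},
    )


def decrypt_file(ef: EncryptedFile, name: str, key: KeyPair) -> bytes:
    """Whoever holds a DDF or DRF entry unwraps the FEK with their OWN private
    key; a recovery agent never needs the owner's private key."""
    wrapped = ef.ddf[name] if name in ef.ddf else ef.drf.get(name)
    if wrapped is None:
        raise PermissionError(f"{name} holds no key for this file")
    fek = unwrap_fek(wrapped, key)
    return _xor(ef.ciphertext, _keystream(fek, len(ef.ciphertext)))


# Constructed demo keys built from Mersenne primes (public knowledge, toy only).
ALICE = make_keypair(2**61 - 1, 2**89 - 1)             # file owner
RECOVERY_AGENT = make_keypair(2**107 - 1, 2**127 - 1)  # domain recovery agent
BOB = make_keypair(2**31 - 1, 2**521 - 1)              # unrelated user


def demo() -> dict[str, bool]:
    """Exercise the three rules and report which held."""
    plaintext = b"Q3 salary review - confidential"  # constructed sample content
    policy = {"domain-recovery-agent": RECOVERY_AGENT.public}
    ef = encrypt_file(plaintext, "alice", ALICE.public, policy)
    results = {
        "owner_reads": decrypt_file(ef, "alice", ALICE) == plaintext,
        "agent_reads": decrypt_file(ef, "domain-recovery-agent", RECOVERY_AGENT) == plaintext,
    }
    try:
        decrypt_file(ef, "bob", BOB)
        results["bob_reads"] = True
    except PermissionError:
        results["bob_reads"] = False
    # The same content encrypted again gets a new FEK, so the ciphertext differs.
    results["per_file_key"] = encrypt_file(plaintext, "alice", ALICE.public, policy).ciphertext != ef.ciphertext
    try:
        encrypt_file(plaintext, "alice", ALICE.public, {})
        results["encrypts_without_agent"] = True
    except RuntimeError:
        results["encrypts_without_agent"] = False
    return results


if __name__ == "__main__":
    for rule, held in demo().items():
        print(f"{rule}: {held}")
```

Deleting Alice's certificate in this model removes her ability to unwrap the DDF, but the DRF entry for the recovery agent remains in the file, which is exactly why the recovery agent can still open it after her account is gone. Removing the last entry from `recovery_agents` is the model's equivalent of emptying the recovery policy: encryption simply stops.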

Configuring the EFS Recovery Policy

Recovery policies are configured automatically for domain controllers and workstations. By default, domain administrators are the designated recovery agents for domains and the local administrator is the designated recovery agent for a stand-alone workstation.

Through Group Policy, you can view, assign, and delete recovery agents. Follow these steps:

  1. Access the Group Policy console for the local computer, site, domain, or organizational unit you want to work with. For details on working with Group Policy, see the section entitled "Group Policy Management" in Chapter 4, "Automating Administrative Tasks, Policies, and Procedures."

  2. Access the Encrypted Data Recovery Agents node in Group Policy. To do this, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then click Encrypting File System.

  3. As shown in Figure 15-10, the right-hand pane lists the recovery certificates currently assigned. Recovery certificates are listed according to whom they're issued to, whom they're issued by, expiration date, purpose, and more. In the figure the certificate was self-issued by the administrator for the purpose of file recovery (it's a recovery certificate for the local administrator).

  4. To designate an additional recovery agent, right-click Encrypting File System and then select Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Click Next. In the Select Recovery Agents window, click Browse Directory and then use the Find Users, Contacts, And Groups dialog box to select the user you want to work with.

    Note

    Before you can designate additional recovery agents, you must set up a Root Certificate Authority (CA) in the domain. Afterward, you must use the Certificates snap-in to generate a personal certificate that uses the EFS Recovery Agent template. The root CA must then approve the certificate request so that the certificate can be used.


  5. To delete a recovery agent, select the recovery agent's certificate in the right pane and then press Delete. When prompted to confirm the action, click Yes to permanently and irrevocably delete the certificate. If the recovery policy is empty (meaning it has no other designated recovery agents), EFS is turned off so that files can no longer be encrypted.

    Figure 15-10. Use the Encrypted Data Recovery Agents node in Group Policy to view, assign, and delete recovery agents.




Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
Year: 2003
Pages: 141
