2.8.5. EFS – Part 3 by Val Bakh. In Parts 1 and 2, we discussed the main concepts and explained how EFS encrypts and decrypts files. We also described how you can share encrypted files with trusted colleagues and how a data recovery agent (DRA) can retrieve your files if you lose your private key. In this final installment of the series on EFS, we look at several practical scenarios.
By default, the built-in domain Administrator account is automatically designated a DRA by the Default Domain Policy Group Policy object (GPO). This happens when the domain controller is installed, and at that point there is a good chance that no enterprise certification authorities (CAs) existed yet, especially if the domain was the first in the forest. The DRA certificate is therefore self-signed, meaning that no one can trust it. The private key for this certificate is stored on the domain controller, in the Administrator account's profile. Domain administrators cannot simply connect to the target computer over the network to open encrypted files, and logging on locally to the computer that contains the encrypted files does not help either: the DRA's private key must be accessible locally on that computer. Before he or she can recover files, the administrator must export the DRA certificate and its private key to a file.
Now let's say that an administrator installs an enterprise CA and requests a trusted DRA certificate from it. The CA issues a certificate whose Extended Key Usage attribute is set to File Recovery. Yet when the administrator opens the GPO to add the new DRA and clicks Browse Directory, the certificate does not appear. Instead, a message appears saying, "No certificate available. There are no certificates that meet the requirements for this application."
This message is displayed because the new DRA certificate is based on the EFS Recovery Agent certificate template. It is an old, Windows 2000-based version 1 template, which has no configurable options except security permissions, and the Publish certificate to Active Directory option is not selected in it. Certificates based on that template are therefore not automatically published to Active Directory Domain Services (AD DS), so they are not visible in GPOs unless an administrator exports the certificate to a file, clicks Browse Folders and selects that file (rather than clicking Browse Directory and selecting his or her user account).
If EFS DRAs will be used often, a better solution is to create a new version of the certificate template, select the option to publish certificates to AD DS automatically, and configure the CA to issue certificates based on the new template. Other DRAs then request their certificates using the new template and do not need to export them to files to make them available to a GPO. Alternatively, you can use the old-fashioned command-line tool Certutil to publish a certificate to AD DS manually.
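The two conditions described above (File Recovery EKU present, certificate published to the user's AD DS object) can be checked before an administrator reaches for Browse Directory. The following script is an added example, not part of the original article; the certificate path and account name are constructed placeholders, and it uses plain ADSI so no RSAT module is required.

```powershell
# Added example (not from the article): verify that a candidate DRA certificate
# would be offered by "Browse Directory" in the EFS recovery policy editor.
# Assumptions: $CertPath points at the exported .cer and $SamAccountName is the
# DRA's account; both values below are constructed placeholders.
param(
    [string]$CertPath = '.\dra.cer',
    [string]$SamAccountName = 'efs-dra'
)

# Well-known Microsoft OID for the "File Recovery" enhanced key usage (szOID_EFS_RECOVERY).
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. EKU check: the GPO editor only lists certificates whose EKU includes File Recovery.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages.Value -contains $FileRecoveryEku))

# 2. Publication check: read the userCertificate attribute of the account's AD DS object
#    and look for a matching thumbprint. A v1 EFS Recovery Agent template never writes it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
$result = $searcher.FindOne()

$published = $false
if ($result) {
    foreach ($raw in $result.Properties['usercertificate']) {
        # Wrap the byte[] in a single-element array so New-Object passes it as one argument.
        $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        if ($adCert.Thumbprint -eq $cert.Thumbprint) { $published = $true }
    }
}

[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    HasFileRecoveryEku = $hasFileRecovery
    PublishedInADDS    = $published
    BrowseDirectoryOk  = ($hasFileRecovery -and $published)
}

if ($hasFileRecovery -and -not $published) {
    # Either point the GPO editor at the .cer via Browse Folders, or publish the
    # certificate to the user's AD DS object so Browse Directory can find it.
    Write-Warning "Not published in AD DS. To publish: certutil -dspublish -f `"$CertPath`" User"
}
```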
One more thing: the policy does not take effect immediately after the administrator changes the DRA certificate in the Default Domain Policy. Target computers must refresh Group Policy, either manually or automatically within an hour. In some cases, all encrypted files on target computers may be up