Certificates, Keys, Mobile Users, Intended Usage

Anonymous
November 28, 2004 1:13:03 PM

Archived from groups: microsoft.public.win2000.security

I am trying to devise a plan whereby my client can safely use encrypting file
system (EFS). Mobile computer users benefit from encrypting sensitive files.
In the event the computer is stolen, the data does not enter the public
domain. When mobile users return to the home office, they can use NTBACKUP
to make backup copies of encrypted files, which remain encrypted in backup
form. Were the computer lost, a new computer would be provided and sensitive
files would be restored from backup (NTBACKUP). In order to be able to read
the files, the mobile user would be required to provide a certificate and an
associated private key. The point of my question has to do with the private
key, which I know how to export and import. When on the road, should the
mobile user always log on using his cached domain credentials so that the
private key matches the private key that he would have at the home office
when he is actually logged on to the domain? I assume that the user's
private key when logged on to the domain is different from the private key
that he has when he is logged on locally to his mobile computer. For
recovery purposes, I suppose, the corporate system administrator should
export the local logon private key and the domain logon private key of each
mobile user and vault them to ensure the keys are available for decrypting
backed up data. Is there some official Microsoft guidance on this?
--
William McIlroy
Anonymous
November 28, 2004 9:57:29 PM


One thing to consider would be to define a Recovery Agent for the domain as
part of Group/security policy that applies to all these computers. Windows
2000 requires a RA while XP Pro does not. The RA would be able to recover
any EFS files that have been created or accessed since the RA was defined.
The RA is computer policy and would apply to EFS files for domain and local
accounts. It still would be good practice to archive the private keys of the
users just in case if the data is extremely important. I would also highly
recommend that the mobile users use cached domain credentials to log on to
their computers, as their passwords will be safe that way, whereas if the
computer were stolen an attacker could use a utility to crack the local
administrator account and then use a utility like LC5 to crack the local
user's password to gain access to the EFS files if the user's EFS private key
is still on the computer. As far as I know there is no way to do such for
cached credentials - just be sure that the users are forced to use complex
passwords.

XP Pro is much more secure than W2K for using EFS because an RA is not
required and resetting a user's password will not allow access to their EFS
files. Keep in mind that if there is a local RA on the computer, an
attacker may be able to use it to access a user's EFS files. So be sure to
check that the RA is working the way you expect it to. You can use the
efsinfo utility to see exactly which Recovery Agents and users can decrypt an
EFS file. The links below may help. --- Steve

http://labmice.techtarget.com/windows2000/FileMgmt/EFS....
http://www.microsoft.com/technet/prodtechnol/winxppro/d...

"William McIlroy" <WilliamMcIlroy@discussions.microsoft.com> wrote in
message news:CF29E81B-7C73-4668-82EF-F7EE664AF7A8@microsoft.com...
Anonymous
November 28, 2004 10:48:34 PM


Hi William,

The option that you are thinking about uses self-signed EFS certificates. While
this is a valid option, you might want to set up your own CA server and deploy
EFS certificates from your own CA.

Users should always use their domain profile (even on the laptops while out
of the office). Using local accounts doesn't add anything to security, but
adds a lot to complexity and you lose manageability...
Still, with self-signed certificates the keys will probably be different on the
office PC and the laptop unless you create one key, export it and
then import it to the other computer.

Better than exporting the user's private key as a backup is to set up DRAs (Data
Recovery Agents) in the domain and/or OUs. Users assigned the DRA role will be
able to decrypt any files encrypted by domain users that fall under the
policy where you set up the DRA.
There could be a problem if you only rely on exported keys. E.g. a user by
mistake deletes his profile and with this profile he deletes his private
keys. After a successful logon a new profile is created without any EFS keys
until the user tries to encrypt something. The operating system will detect that
there is no EFS certificate and it will generate a new one. Now you don't
have a backup for this EFS certificate, while you are still able to decrypt
the files using the DRA.
If you set up your own CA, you can archive the keys automatically.

EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/d...

Very important with an EFS implementation is to teach users to pick good,
hard-to-guess passwords. While private keys are encrypted in the user's profile,
if the laptop is stolen and I can easily guess the password, I can
gain access to the profile and private keys and consequently to the files.

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsser...

Feel free to post back with any additional questions that you might have...

***

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/p...
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Key archival:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsser...
CRLs:
http://www.microsoft.com/technet/security/topics/crypto...

Mike

"William McIlroy" <WilliamMcIlroy@discussions.microsoft.com> wrote in
message news:CF29E81B-7C73-4668-82EF-F7EE664AF7A8@microsoft.com...
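Both replies make the same operational point: Steve says to check with efsinfo that the Recovery Agent really is listed on the files, and Mike explains why the DRA, not an exported key, is what saves you when a profile is lost. The audit below is an added example (not from this thread or from Microsoft) that walks a folder and flags encrypted files whose metadata lists no recovery agent. It assumes a Windows version whose cipher.exe supports /c (Vista and later) and assumes the "Users who can decrypt:" / "Recovery Certificates:" headings of its output; on Windows 2000/XP the equivalent source is efsinfo /u /r, with the headings adjusted accordingly.

```powershell
# Audit EFS files under $Path and warn about any with no recovery agent.
# Added example; cipher.exe /c and its section headings are assumptions
# about the tool's output format, not something taken from the thread.
param(
    [Parameter(Mandatory = $true)][string]$Path
)

function Get-EfsDecryptors {
    param([string]$File)
    $lines   = & cipher.exe /c "$File" 2>&1
    $users   = @()
    $agents  = @()
    $section = $null
    foreach ($line in $lines) {
        $text = [string]$line
        if     ($text -match '^\s*Users who can decrypt:') { $section = 'users'  }
        elseif ($text -match '^\s*Recovery Certificates:')  { $section = 'agents' }
        elseif ($text -match '^\s*Key Information:')        { $section = $null    }
        elseif ($text -match '^\s*(Certificate thumbprint:|$)') { }   # skip noise
        elseif ($section -eq 'users')  { $users += $text.Trim() }
        elseif ($section -eq 'agents' -and $text -notmatch 'No recovery certificate') {
            $agents += $text.Trim()
        }
    }
    [pscustomobject]@{ File = $File; Users = $users; RecoveryAgents = $agents }
}

# Only files carrying the Encrypted attribute are worth asking cipher about.
Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object { Get-EfsDecryptors -File $_.FullName } |
    ForEach-Object {
        if ($_.RecoveryAgents.Count -eq 0) {
            # This is the case Mike describes: lose the user's key and the file is gone.
            Write-Warning ("No recovery agent on {0}; only [{1}] can decrypt it" -f
                $_.File, ($_.Users -join ', '))
        }
        $_
    }
```

Run it against a user's documents folder after applying the DRA policy: a file encrypted before the policy existed, and never opened since, will still show up with no recovery agent, which is exactly the window Steve warns about.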