EFS Question: Same User, Different Machines, Network
-
Thursday, November 15, 2012 8:21 PM
I have a user account, let's say USER1. USER1 is logging onto a Windows 2003 domain.
Can someone tell me what happens in these scenarios?
1. USER1 gets a new computer. They log onto the new computer as the same USER1 domain account. They pop the hard drive out of the old computer, plug it into the new computer as a secondary drive, and attempt to access encrypted files on the old hard drive.
2. USER1 saves a file on the network and encrypts it. They then try to access the file from another machine, logged in as the same USER1. Will they be able to, or is the encryption key tied to the individual machine?
To me it seems like the old computer and the new computer cannot access files that were created on each other. Each has a different EFS thumbprint. But the files that are stored on the network also have a different thumbprint, and you can access them from any machine over the network.
So how does this all tie in together?
OLD COMPUTER = EDE8 47AA...
NEW COMPUTER = 4984 3806...
SERVER1 = AB0E 98B7...
SERVER2 = 749E C58E...
- Moved by Aiden_Cao (Microsoft Contingent Staff, Moderator) Monday, November 19, 2012 6:23 AM: right forum (From: General)
All Replies
-
Monday, November 19, 2012 7:04 AM (Moderator)
Hi,
Thanks for your post.
Please note that a user uses an Encrypting File System certificate to encrypt and decrypt data. It is stored in the user's personal container. In a domain environment, User1 can decrypt any file that was encrypted by User1 (the same EFS certificate). In order to enable another authorized person to read encrypted data, you can give them your private key, or you can make them a data recovery agent.
For more detailed information about EFS, please refer to the following article. Hope it helps.
Protecting Data by Using EFS to Encrypt Hard Drives
http://technet.microsoft.com/en-us/library/cc875821.aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
-
Monday, November 19, 2012 3:27 PM
I have a domain environment.
When I save a file to my PC, SERVER1, and SERVER2 ... they all have different thumbprints on each machine, so I am assuming they all have different certificates.
Why is that?
-
Wednesday, November 21, 2012 7:35 AM (Moderator)
-
Saturday, November 24, 2012 5:05 AM
If that is the case, why is it I can't take the hard drive out of the computer and put it into another computer, then log in as that domain user and access it?
And why is the thumbprint on each server different?
-
Saturday, November 24, 2012 6:46 AM
On Thu, 15 Nov 2012 20:21:07 +0000, Willard J. Hoppe wrote:
> I have a user account, let's say USER1. USER1 is logging onto a Windows 2003 domain.
> Can someone tell me what happens in these scenarios?
> 1. USER1 gets a new computer. They log onto the new computer as the same USER1 domain account. They pop the hard drive out of the old computer, plug it into the new computer as a secondary drive, and attempt to access encrypted files on the old hard drive.
The user will not be able to access the encrypted files on the old drive.
> 2. USER1 saves a file on the network and encrypts it. They then try to access the file from another machine, logged in as the same USER1. Will they be able to, or is the encryption key tied to the individual machine?
Yes, the encrypted files stored on the server will be accessible from another computer on the network.
> To me it seems like the old computer and the new computer cannot access files that were created on each other. Each has a different EFS thumbprint. But the files that are stored on the network also have a different thumbprint, and you can access them from any machine over the network.
> So how does this all tie in together?
> OLD COMPUTER = EDE8 47AA...
> NEW COMPUTER = 4984 3806...
> SERVER1 = AB0E 98B7...
> SERVER2 = 749E C58E...
You need to think about where the private key for the EFS certificate is stored. In your first scenario, the private key is stored in the local user profile. When you provide the user with a new computer, he or she gets a new user profile the first time they log onto the new computer, and this new user profile does not contain the private key used to encrypt the original files on what is now a second drive; therefore they won't be able to decrypt the file. The private key and certificate are still on the new computer, but they are in the wrong place. They are on the old disk, in the old user profile, not in the new user profile.
In your second scenario, the first time they log on to the server and encrypt a file on that server, they get a user profile created on the server and a new EFS certificate that is stored in that remote user profile. Subsequent attempts to decrypt that file from other computers on the network will access the certificate and private key that are stored on the server; therefore they will be able to decrypt that file from any machine on the network, because the certificate and private key are stored on the server.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Maybe Computer Science should be in the College of Theology. -- R. S. Barton
- Proposed As Answer by Brian Komar [MVP] Tuesday, November 27, 2012 7:10 AM
- Marked As Answer by Aiden_Cao (Microsoft Contingent Staff, Moderator) Wednesday, December 05, 2012 2:11 AM
-
Tuesday, November 27, 2012 4:23 AM
Is there a way to have them use one EFS certificate for all encrypting activity on the network, regardless of whether it is on the local machine or the domain?
-
Tuesday, November 27, 2012 7:09 AM
There is one way.
1) You must enable Credential Roaming so that whatever machine a user logs on to, their credentials follow them. This will use up extensive space in Active Directory, as the credentials are stored in AD (requires a domain-joined machine with a GPO configured that enables Credential Roaming).
2) You connect to network shares using WebDAV (not CIFS/SMB). This means you do not connect to shares by using the \\server\share connection paths. Instead, you are connecting using SSL. The WebDAV shares utilize the local EFS certificate and send the data encrypted over the wire to the WebDAV share. With normal CIFS-based EFS, the file is sent in the clear over the network and encrypted at the server using the profile generated at the server (like Paul explained). This takes some setting up to work. See
http://www.iis.net/learn/publish/using-webdav/how-to-use-custom-properties-with-webdav
http://paranoidmike.blogspot.com/search/label/EFS (written by Mike Lonergan <G>)
http://paranoidmike.blogspot.com/2005/07/encrypting-files-on-server-wtf.html
That being said, I would recommend against using EFS. It really is a local file encryption protocol. If you go forward, I would recommend only using it locally and ensuring that credential roaming is in place. In addition, I would only use a custom certificate that enables key archival to allow recovery when a user's profile is corrupted.
Brian
- Proposed As Answer by Aiden_Cao (Microsoft Contingent Staff, Moderator) Wednesday, November 28, 2012 8:26 AM
- Marked As Answer by Aiden_Cao (Microsoft Contingent Staff, Moderator) Wednesday, December 05, 2012 2:11 AM
-
Wednesday, November 28, 2012 2:50 PM
If I were to only use EFS on my local (domain joined) machine, with a self-signed domain recovery agent (we do not have the MS CA server installed), and I had the appropriate backups of all certificates and passwords, would you then recommend it?
Couple more questions for my own knowledge...
1. In the domain encryption example ... I now get why that works. But say the server died, and you had to copy the data onto another server. Would it then become unreadable?
2. Let's say I export the certificate and private key to removable media. Will this be how I unlock the files in the case of problem forever, unless I encrypt with another certificate? So if I change my domain password 5 times, these original exported files will still unlock the encrypted files?
-
Wednesday, November 28, 2012 2:58 PM
On Wed, 28 Nov 2012 14:50:45 +0000, Willard J. Hoppe wrote:
> If I were to only use EFS on my local (domain joined) machine, with a self-signed domain recovery agent (we do not have the MS CA server installed), and I had the appropriate backups of all certificates and passwords, would you then recommend it?
The simple answer is yes, but a lot of that is going to depend on your company's security policy and the number of users involved.
> Couple more questions for my own knowledge...
> 1. In the domain encryption example ... I now get why that works. But say the server died, and you had to copy the data onto another server. Would it then become unreadable?
If the server died and you no longer had access to the certificates and private keys, you wouldn't be able to copy the files in the first place.
> 2. Let's say I export the certificate and private key to removable media. Will this be how I unlock the files in the case of problem forever, unless I encrypt with another certificate? So if I change my domain password 5 times, these original exported files will still unlock the encrypted files?
Yes, though I'm a little confused about the reference to a password change.
What is the threat that you're trying to protect against here exactly? EFS may not even be the correct or only solution.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Life would be so much easier if we could just look at the source code.
-
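As an added example (it is not code from this thread, from Microsoft, or from any poster), the PowerShell below ties Paul's explanation about per-profile private keys to Willard's question about exporting the certificate and private key to removable media. It lists the EFS certificates in the current user's Personal store on this machine (which is why the thumbprint differs on the old computer, the new computer and each server), checks with cipher /c whether a local private key can decrypt a given file, and exports certificate plus private key to a password-protected PFX. Assumptions: PowerShell 3 or later; Export-PfxCertificate from the PKI module (Windows 8 / Server 2012 or later; on older systems cipher /x does the export interactively); the function names are mine; the EFS Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4 and cipher's space-separated thumbprint output are standard.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ and the PKI module.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # EFS certificates live in the user's Personal store in THIS machine's profile.
    # A fresh profile on another machine (or on a server share) gets a new one,
    # which is why every machine in the thread reports a different thumbprint.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
            @{ Name = 'Computer'; Expression = { $env:COMPUTERNAME } }
}

function Test-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c prints the thumbprints (user keys and recovery agents) that can
    # decrypt the file, as groups of four hex digits separated by spaces.
    $report = (cipher.exe /c $Path) -join "`n"
    $localKeys = (Get-EfsCertificate | Where-Object HasPrivateKey).Thumbprint
    $canDecrypt = $false
    foreach ($thumb in $localKeys) {
        $spaced = ($thumb -replace '(.{4})', '$1 ').Trim()   # EDE847AA... -> EDE8 47AA ...
        if ($report -match [regex]::Escape($spaced)) { $canDecrypt = $true }
    }
    [pscustomobject]@{ Path = $Path; LocalKeyCanDecrypt = $canDecrypt; CipherReport = $report }
}

function Backup-EfsCertificate {
    param([Parameter(Mandatory)][string]$Folder,
          [Parameter(Mandatory)][securestring]$PfxPassword)
    # Exports certificate + private key. The PFX is protected by its own password,
    # not by the domain password, so it still decrypts after domain password changes.
    foreach ($cert in (Get-EfsCertificate | Where-Object HasPrivateKey)) {
        $item = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
        $out  = Join-Path $Folder "efs-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $item -FilePath $out -Password $PfxPassword | Out-Null
        $out   # return the path of each PFX written
    }
}

# Usage (hypothetical paths):
# Get-EfsCertificate | Format-Table
# Test-EfsFileAccess -Path 'D:\olddrive\Users\USER1\Documents\secret.docx'
# Backup-EfsCertificate -Folder 'E:\efs-backup' -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

Run Get-EfsCertificate on the old computer, the new computer and a server and the thumbprints differ, which is what Willard observed; Test-EfsFileAccess against a file on the transplanted drive reports LocalKeyCanDecrypt = $false until the PFX from the old profile has been imported into the new one. Keep the exported PFX and its password off the encrypted volume, since the file system cannot help if the only copy of the key is inside it.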
Wednesday, November 28, 2012 5:58 PM
Good point about the server. I guess I was thinking more if, say, the motherboard died, and I just wanted to plug the drive into another server to access the data. In that scenario the data would be unreadable, correct?
I am trying to protect files on certain users' laptops. In case they are stolen.
Most of our drives are self-encrypting, which solves the issue, but some people, like me, have SSDs that aren't self-encrypting and that products like TrueCrypt do not work well with. I love the functionality of EFS ... just trying to wrap my head around it. Anything else you could recommend I'd gladly look at.
My question about the password change: does the password on my domain account (which I use to log onto my local PC) have anything to do with my certificate or private key?
-
Thursday, December 06, 2012 3:12 AM
Asked differently ... if I back up my certificate, and 5 years later my hard drive crashes .. will that certificate still decrypt the files?