Task 4.2: EFS Data Recovery

One of the fundamental responsibilities of an administrator is to protect the company's information. This means that it is your responsibility to be able to recover any lost or inaccessible data. There are several reasons an administrator may need to recover content that users encrypted with EFS. A user can accidentally delete their EFS certificate and private key, or a user may forget their password and need to have it reset by an administrator. (On a standalone system, an administrative password reset, as opposed to a password change made by the user, disables that user's ability to decrypt their EFS content, because the private key is protected by a secret derived from the old password.) The private key is stored inside the user profile; if the profile or the user account is deleted, the key is lost with it.

Since you have been configured as an EFS Data Recovery Agent, you can decrypt users’ encrypted content and recover the inaccessible data.

Scenario

As a security administrator, you are responsible for protecting sensitive information and implementing EFS. After cleaning up the User Account database, you realize there is critical data that has been encrypted by a deleted user account. You must recover the data and provide access to that data to another user.

Scope of Task

Duration

This task should take 20 minutes.

Setup

EFS relies on public key cryptography. Each file is encrypted with a random File Encryption Key (FEK), and the FEK is in turn encrypted with the public key from the user's EFS certificate. In a workgroup, where there is no Certificate Authority, Windows XP issues the user a self-signed EFS certificate the first time they encrypt a file. The matching private key, which is what actually unlocks the FEK, is stored in the user's profile. If that private key is lost, the user may never regain access to the EFS content.

A safety mechanism to minimize data loss is the EFS Data Recovery Agent (DRA). When a file is encrypted, the FEK is also encrypted with the public key of every configured recovery agent, so the agent can recover the file without the owner's key. Typically the Local Administrator or a Domain Administrator is configured as the EFS Data Recovery Agent. Note that the recovery agent is written into a file only when that file is encrypted (or later touched with cipher /u), so the agent must be in place before users begin encrypting; a DRA added afterwards cannot recover files that were encrypted earlier and have not been re-encrypted.

Taking advantage of the work performed in Task 4.1, you will delete a user account that had created secured content. You will then confirm that other users cannot access the content. With that completed, you will work through the steps to recover (decrypt) the content and grant access to the content to another user. That user would then have access to the secure EFS content utilizing their encryption key.
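The mechanism described above (a per-file FEK wrapped separately for the owner and for each recovery agent) is what makes every step of this task work, and what makes the caveat real. The following model is an added example, not code from the task or from Windows: it replays the task's scenario (User2 encrypts User2Secrets.txt, the account is deleted, the Administrator recovers the file as DRA and hands it to User1), and also shows the failure case where no DRA existed when the file was encrypted. Real EFS uses RSA for the key wrapping; this model substitutes a symmetric HMAC-based stand-in so it runs on the Python standard library alone. The account names come from the task; the file contents, the class and function names, and the stand-in cipher are this example's own assumptions.

```python
"""EFS key hierarchy behind Task 4.2, as an added model (not the task's code).
Real EFS encrypts a file with a random File Encryption Key (FEK), then wraps
the FEK with each authorized user's RSA public key (Data Decryption Field, DDF)
and with each recovery agent's public key (Data Recovery Field, DRF); private
keys live in the user profiles.  RSA is replaced by a symmetric HMAC stand-in
so this runs on the standard library alone; the key-hierarchy logic is what
matters.  Account names come from the task; classes and functions are mine."""
import hashlib
import hmac
import os


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes from HMAC-SHA256(key, label||counter): the stand-in cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Principal:
    """Local account with an EFS certificate. `private` stands for the private
    key in the profile; deleting the account destroys it."""

    def __init__(self, name: str):
        self.name, self.private = name, os.urandom(32)

    def wrap_fek(self, fek: bytes) -> bytes:      # "encrypt with my public key"
        return _xor(fek, _keystream(self.private, b"fek", len(fek)))

    def unwrap_fek(self, blob: bytes) -> bytes:   # "decrypt with my private key"
        if self.private is None:
            raise PermissionError(f"{self.name}: private key no longer exists")
        return _xor(blob, _keystream(self.private, b"fek", len(blob)))

    def delete_profile(self) -> None:
        self.private = None


class EfsFile:
    """Ciphertext plus the DDF/DRF entries written at encryption time."""

    def __init__(self, plaintext: bytes, owner: Principal, agents: list):
        fek = os.urandom(32)                      # never stored in the clear
        self.ciphertext = _xor(plaintext, _keystream(fek, b"data", len(plaintext)))
        self.ddf = {owner.name: owner.wrap_fek(fek)}
        # A DRF exists only for agents configured BEFORE the file was encrypted.
        self.drf = {a.name: a.wrap_fek(fek) for a in agents}

    def _fek_for(self, p: Principal) -> bytes:
        blob = self.ddf.get(p.name) or self.drf.get(p.name)
        if blob is None:                          # NTFS ACLs cannot help here
            raise PermissionError(f"{p.name}: no DDF or DRF entry")
        return p.unwrap_fek(blob)

    def decrypt(self, p: Principal) -> bytes:
        fek = self._fek_for(p)
        return _xor(self.ciphertext, _keystream(fek, b"data", len(self.ciphertext)))

    def add_user(self, via: Principal, new_user: Principal) -> None:
        """Encryption Details > Add: recover the FEK through `via` (an owner or a
        recovery agent) and re-wrap it for new_user."""
        self.ddf[new_user.name] = new_user.wrap_fek(self._fek_for(via))

    def remove_user(self, name: str) -> None:
        """Encryption Details > Remove: drop the orphaned DDF entry."""
        self.ddf.pop(name, None)


def can_read(f: EfsFile, p: Principal, expected: bytes) -> bool:
    try:
        return f.decrypt(p) == expected
    except PermissionError:
        return False


def run_task_4_2() -> dict:
    """Replay the task and return each step's outcome."""
    admin, user1, user2 = Principal("Administrator"), Principal("User1"), Principal("User2")
    secret = b"constructed contents of C:\\GOODSTUFF\\User2Secrets.txt"
    f = EfsFile(secret, owner=user2, agents=[admin])   # Task 4.1: DRA set up first
    out = {"user1_before": can_read(f, user1, secret)}  # ACL allows, EFS denies
    user2.delete_profile()                             # Task 4.2: delete User2
    out["user2_after_delete"] = can_read(f, user2, secret)
    out["admin_recovers"] = can_read(f, admin, secret)  # through the DRF
    f.add_user(admin, user1)
    f.remove_user("User2")
    out["user1_after"] = can_read(f, user1, secret)
    out["ddf_holders"] = sorted(f.ddf)
    # Caveat: a file encrypted before any DRA existed carries no DRF, so the same
    # recovery fails; on XP, run `cipher /u` while the owner's key still exists.
    late = EfsFile(secret, owner=Principal("User3"), agents=[])
    out["late_dra_recovers"] = can_read(late, admin, secret)
    return out
```

Calling run_task_4_2() returns a dictionary of booleans, one per step: User1 cannot read the file before the hand-off even though NTFS permissions allow it, the deleted User2 can no longer read it, the Administrator can (through the recovery field, not through permissions), and User1 can after being added. The last entry shows the caveat: with no recovery agent in place at encryption time there is nothing for the agent to unwrap, which is why the DRA configured in Task 4.1 had to exist before User2 encrypted anything.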

Caveat

There are combinations of events that can permanently prevent decryption of the content. Data can be lost. Implement EFS with care. If you implement EFS for your users, provide proper training and warnings to those users regarding these issues.

Procedure

For this task, you will delete a user (User2) that you created in Task 4.1. User2 created an encrypted data file called User2Secrets.txt. You will then log on as User1 and confirm that, even though the NTFS permissions allow access to the file, EFS does not allow User1 to read the content User2 encrypted.

You will then walk through the steps to decrypt the content and grant ownership of the critical data to another user. This new owner should implement EFS using their encryption key to secure this sensitive data. This task requires the completion of Task 4.1, “The Encrypting File System”.

Equipment Used

For this task, you must have:

  • Windows XP Pro system with the following configuration:
    • A member of a workgroup (not a member of a domain)
    • At least one NTFS volume
  • Local Administrator access

Details

Losing an EFS Encryption Key

1. Log on to the Windows XP Pro system as the Local Administrator with the password Password1.

2. Right-click on My Computer and select Manage to open the Computer Management console.

3. Expand Local Users And Groups. Select the Users subfolder.


4. In the right pane, right-click on User2 and select Delete.

5. Review the warning regarding the deletion of user accounts. Click Yes to confirm the deletion of User2.


6. Close the Computer Management console. You have just deleted User2, the only user account whose EFS key could decrypt User2Secrets.txt; the only other key the file was encrypted for belongs to the recovery agent.

Implementing EFS Data Recovery

1. Launch Explorer by right-clicking the Start button and selecting Explore.

2. Select the root of the C: drive in the left pane.

3. In the right pane, double-click the folder GOODSTUFF.

4. In Explorer, double-click User2Secrets.txt.


5. User2Secrets.txt opens correctly in Notepad. This works for two separate reasons, both of which are required: in Task 4.1 the Local Administrator was configured as an EFS Data Recovery Agent before User2 encrypted the file, so the file carries a recovery field encrypted with the Administrator's key; and the Administrators group holds Full Control NTFS permission on the file. EFS and NTFS permissions are independent checks, and the Administrator passes both.

6. Close User2Secrets.txt in Notepad.

7. Right-click the file User2Secrets.txt and select Properties.

8. Select the Security tab.


Notice that Administrators, a local security group, has full control of the file. The Local Administrator is a member of this group.

9. Select the General tab.

10. Click the Advanced button. Doing so opens the Advanced Attributes dialog box. In this dialog box, click the Details button, which takes you to the Encryption Details dialog box. To transfer access to User1, you must add User1 to the Users Who Can Transparently Access This File list. Click the Add button. Note that User1 appears in the Select User dialog only if an EFS certificate for User1 already exists on this system; if it does not, log on as User1, encrypt any file so that Windows issues the certificate, and then return to this step as Administrator.


11. Select User1 in the Select User dialog box and click OK.

12. To tighten up the EFS security on this sensitive file, select User2, the deleted user, in the Users Who Can Transparently Access This File list, and then click the Remove button. This entry now refers to a key that no longer exists, so leaving it in place gains nothing and only obscures who really has access.

13. Click OK in the Encryption Details dialog box.

14. Click OK in the Advanced Attributes dialog box.

15. Click OK in the User2Secrets.txt Properties dialog box.

16. Log off as Administrator.

Testing the EFS Data Recovery

1. Log on to the Windows XP Pro system as User1 with the password Password1.

2. Launch Explorer by right-clicking the Start button and selecting Explore.

3. Select the root of the C: drive in the left pane.

4. In the right pane, double-click the folder GOODSTUFF.

5. In Explorer, double-click User2Secrets.txt. User2Secrets.txt opens correctly in Notepad. User1 already had sufficient NTFS permissions on the GOODSTUFF files; what changed is that the EFS Data Recovery Agent added User1 to the list of Users Who Can Transparently Access This File, so the file's encryption key is now also encrypted for User1's certificate.

6. Close User2Secrets.txt in Notepad.

7. Log off as User1.

Criteria for Completion

You have completed this task when you have removed User2 from the local system; successfully transferred access to the EFS content, the User2Secrets.txt file, to User1 by implementing EFS Data Recovery; and confirmed this access as User1.
