Data Recovery

Data recovery allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. By default, where the private key associated with the EFS Recovery Agent certificate is stored depends on the domain membership of the computer. If the computer is a member of:

■ A domain: The EFS Recovery Agent's certificate and private key are stored in the Administrator's profile of the first domain controller in the domain. When the first domain controller of a newly created domain is promoted, the local Administrator's EFS Recovery Agent certificate is designated as the domain's EFS Recovery Agent.

■ A workgroup: The EFS Recovery Agent's certificate and private key are stored in the user profile of the first member of the local Administrators group who logs on at the Windows 2000 computer. This is usually the local Administrator account, but it can be another account.

Caution Deploying EFS in a workgroup environment is risky. Storing the EFS Recovery Agent's key pair on the local file system makes the computer subject to alternate operating system attacks, such as the Nordahl attack, in which an attacker boots another operating system to gain access to the key pair on disk. It is recommended to deploy Syskey.exe with the system configured to require either a password or a disk containing the system key password at boot, before any access to the local hard disk is allowed. For more information on the system key, see Chapter 13, "Securing Mobile Computers," and Chapter 14, "Implementing Security for Domain Controllers," in my book with Ben Smith, Microsoft Windows Security Resource Kit (Microsoft Press, 2003).

A common misconception is that the Administrator account is the EFS Recovery Agent. Remember that EFS is a PKI-enabled application: recovery does not depend on the user account, only on who holds the private key associated with the EFS Recovery Agent certificate. You can lose access to the EFS Recovery Agent's private key in the following circumstances:

■ If you remove the first domain controller in a domain environment.

■ If you overwrite the Administrator profile with a roaming profile created at another computer.

■ If you delete the Administrator profile on the first domain controller in the domain or on the local computer in a workgroup.
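Because every circumstance above silently destroys the private key rather than the certificate, the practical safeguard is to confirm the key is still held and back it up before touching the profile or the first domain controller. The following PowerShell script is an added example, not from the book or from Microsoft: it finds EFS Recovery Agent certificates in the current user's personal store, reports whether each still has its private key, and exports the key pair to a password-protected PFX. It assumes PowerShell 4.0 or later (for Export-PfxCertificate), that it runs under the account whose profile holds the key, and that the backup directory is an assumed placeholder; the "File Recovery" EKU OID it filters on is the one EFS uses for recovery agents.

```powershell
# Added example: verify and back up the EFS Recovery Agent private key.
# Run as the account whose profile holds the key (e.g. the first DC's Administrator).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU carried by EFS recovery agent certs
$BackupDir       = 'C:\EFS-RA-Backup'            # assumed placeholder; in practice write to removable media, not the local disk

function Get-EfsRecoveryAgentCert {
    # Every certificate in the user's personal store whose EKU extension lists File Recovery.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage extension
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
    }
}

function Test-EfsRecoveryAgentKey {
    # Returns $true only if at least one recovery agent cert is present AND every one still has its private key.
    $certs = @(Get-EfsRecoveryAgentCert)
    if ($certs.Count -eq 0) {
        Write-Warning 'No EFS Recovery Agent certificate found in this profile; recovery is not possible from here.'
        return $false
    }
    $ok = $true
    foreach ($c in $certs) {
        if ($c.HasPrivateKey) {
            Write-Host ('Recovery agent {0} ({1}): private key present' -f $c.Subject, $c.Thumbprint)
        } else {
            # Certificate without key: this is exactly the state left behind by a deleted or overwritten profile.
            Write-Warning ('Recovery agent {0} ({1}): certificate only, private key missing' -f $c.Subject, $c.Thumbprint)
            $ok = $false
        }
    }
    return $ok
}

function Backup-EfsRecoveryAgentKey {
    param([Parameter(Mandatory)][SecureString]$PfxPassword)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($c in (Get-EfsRecoveryAgentCert | Where-Object HasPrivateKey)) {
        $path = Join-Path $BackupDir ('efs-ra-{0}.pfx' -f $c.Thumbprint)
        # Fails if the key was generated as non-exportable; then the only copy lives in this profile.
        Export-PfxCertificate -Cert $c -FilePath $path -Password $PfxPassword | Out-Null
        Write-Host "Exported $($c.Subject) to $path"
    }
}

if (Test-EfsRecoveryAgentKey) {
    Backup-EfsRecoveryAgentKey -PfxPassword (Read-Host -AsSecureString -Prompt 'PFX password')
}
```

Store the resulting PFX and its password separately from the computer, and re-run the check after any profile change to confirm the key is still reachable.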

