Defining an EFS Recovery Agent involves two steps:
1. Obtain a certificate with the File Recovery application policy OID (or EKU if using Windows 2000).
2. Designate the certificate as the EFS Recovery Agent (in the domain or local group policy).
The first step is to ensure that the user assigned the EFS Recovery Agent role acquires an EFS Recovery Agent certificate. An EFS Recovery Agent certificate includes the File Recovery application policy OID (1.3.6.1.4.1.311.10.3.4.1); without this OID, Group Policy will not accept the certificate as a recovery agent. There are four ways this type of certificate can be obtained:
■ Request a certificate based on the EFS Recovery Agent certificate template. You must modify the default template permissions to assign Read and Enroll permissions.
■ Request a certificate based on a custom version 2 certificate template based on the EFS Recovery Agent certificate template. The advantage of a version 2 certificate template is that you can require CA certificate manager approval before issuance.
Important If you overwrite or lose the EFS Recovery Agent's private key, you must designate a different EFS Recovery Agent for data recovery.
■ Use the cipher /R:filename command on a Windows XP or Windows Server 2003 computer. The command prompts for a password and generates two files: filename.cer (the certificate, which you designate in policy) and filename.pfx (a PKCS #12 file containing the private key, which must be protected and stored offline).
■ In a Group Policy Object (GPO), right-click the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System policy, and then click Create Data Recovery Agent.
Note The Create Data Recovery Agent option requires that the EFS Recovery Agent certificate template be available for enrollment at an enterprise CA in the forest, and that the user performing the procedure is assigned the Read and Enroll permissions for the EFS Recovery Agent certificate template.
Designate the EFS Recovery Agent.
Once you issue the certificate with the File Recovery application policy OID, you must import the certificate, as follows:
■ In a domain environment, you can import the EFS Recovery Agent's certificate into the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System policy of a GPO. The GPO must be linked to the organizational unit (OU) where the user's computer account, not the user account, exists. The certificate can be imported from either a Base-64 or DER-encoded certificate file, or from Active Directory if the certificate template enables publication of the certificate file.
■ In a workgroup environment, you can import the EFS Recovery Agent's certificate into the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System policy (of the local computer). In this scenario, the EFS Recovery Agent certificate must be imported from a file.
Note If you generated the EFS Recovery Agent certificate by using the Create Data Recovery Agent option in Group Policy, you do not have to import the certificate. The EFS Recovery Agent certificate is automatically added to the GPO policy.
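The following PowerShell script is an added example, not text or code from the book, that covers the two-step procedure above from the verification side: it checks that a certificate file exported by cipher /R carries the File Recovery application policy OID before you designate it in policy, and then confirms on an encrypted file that the designated recovery agent is actually listed. The paths in $CerPath and $FilePath are placeholders (assumptions), and the cipher /C switch used to list recovery certificates is available on Windows Vista and later.

```powershell
# Added example (not from the original text): validate an EFS DRA certificate and
# confirm it is applied to an encrypted file. Paths below are assumed placeholders.
param(
    [string]$CerPath  = 'C:\DRA\efs-dra.cer',        # .cer produced by "cipher /R:efs-dra"
    [string]$FilePath = 'C:\Users\alice\secret.txt'   # an EFS-encrypted file on a local volume
)

# File Recovery application policy OID required on every EFS Recovery Agent certificate
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-EfsRecoveryAgentCert {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Application policies / EKUs are carried in the Enhanced Key Usage extension (2.5.29.37)
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $hasFileRecovery = $false
    if ($eku) {
        $hasFileRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
    }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasFileRecovery = $hasFileRecovery
        # The file you import into policy must be the public certificate only;
        # the private key (the .pfx) stays with the recovery agent, not on the admin's machine.
        HasPrivateKey   = $cert.HasPrivateKey
    }
}

$result = Test-EfsRecoveryAgentCert -Path $CerPath
$result | Format-List

if (-not $result.HasFileRecovery) {
    throw "Certificate lacks the File Recovery OID ($FileRecoveryOid); it cannot be designated as an EFS Recovery Agent."
}
if ($result.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($result.NotAfter); files will not pick up an expired DRA."
}

# Once the policy has applied and the file has been updated (re-saved, or "cipher /U"),
# "cipher /C" lists the users and recovery certificates whose keys can decrypt the file.
$cipherOut = cipher.exe /C $FilePath 2>&1
$cipherOut

# cipher prints thumbprints as space-separated hex groups, so strip whitespace before comparing.
$draListed = (($cipherOut -join "`n") -replace '\s', '') -match $result.Thumbprint
if ($draListed) {
    "Recovery agent $($result.Thumbprint) is listed on $FilePath"
} else {
    Write-Warning "Recovery agent not listed on $FilePath. Confirm the GPO applies to this computer, then run 'cipher /U' or re-save the file."
}
```

Run the script as the user who owns the encrypted file after the GPO has refreshed (gpupdate /force); a DRA added to policy is only written into a file's recovery field when the file is next encrypted or updated, which is why the check ends with cipher /U.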
If you work for a large organization, you should provide the internal audit department with the private key associated with the EFS Recovery Agent certificate. Members of the Internal Audit department can then import the certificate and private key and open any file stored on the corporate network without intervention by network administrators when performing an audit. Removing control of the private key from the network administrator also prevents the network administrator from opening encrypted files. Note that an administrator who can still edit the EFS policy in Group Policy could designate an additional recovery agent of their own; that agent would be added to files the next time they are updated, so changes to the EFS policy should be restricted and audited along with custody of the private key.
Large organizations might also require more than one EFS recovery agent. In forests with multiple domains, an organization can implement a different EFS recovery agent per domain. Rather than having disjointed EFS recovery agents, consider implementing two EFS recovery agents at each domain: one EFS recovery agent that is unique to the domain and another that is common to all domains in the forest. The common EFS recovery agent provides the organization with centralized recovery and the unique EFS recovery agent provides decentralized recovery.