Introduction

Developing an effective data recovery plan is important when you are implementing EFS in an organization. An effective data recovery strategy will help to ensure that you can access encrypted data without the private encryption key, for example if an employee who has encrypted data leaves the organization, or when users lose their private keys.

DRA function

Implementing a data recovery strategy using DRAs is possible when implementing EFS as a part of the overall security policy for a standalone system or an entire organization. For example, if you ever lose your file encryption certificate and associated private key through disk failure, arson, or any other reason, the DRA can recover the data. The DRA has the ability to decrypt files that were encrypted by the user because the public key of the DRA is added to the recovery field when a file is encrypted. Windows 2000 requires that a DRA be present before a user can encrypt a file. Windows Server 2003 and Windows XP do not have this limitation.

Note In a standalone environment, the DRA must be located on the computer on which the file is being decrypted.

DRA for a standalone computer

Windows XP and Windows Server 2003 do not require DRAs on newly installed computers in a workgroup or in a domain environment. If a computer is joined to a domain, all users, including local users, inherit the DRA from the domain. However, in Windows XP and Windows Server 2003, the DRA must be created manually on a standalone computer using the Cipher.exe program.

The Cipher.exe program creates two importable files—a .cer file and a .pfx file—that can be used as a DRA on the local computer. The .cer file is imported to the local Group Policy object to allow it to be used as the DRA for the local computer. The .pfx file can be used for data recovery if certificates become lost or corrupted on the local computer.

Note Store the .pfx file in a secure location to ensure that the information is not compromised.

Procedure

To create a DRA, perform the following steps:

1. At the command prompt, type CIPHER /R:LocalDRA

2. At the prompt, specify a strong password to protect the .pfx file, confirm the password, and then press ENTER.

The .cer and .pfx files are created in the directory from which you run the command.

3. Log on to the computer using the account that is going to be designated as the DRA, generally the administrator.

Note On a Windows XP computer that is not a member of a domain, Windows XP displays a Welcome screen instead of a logon screen. To log on as an Administrator, press CTRL+ALT+DEL twice at the Welcome screen.

4. Click Start, click Run and in the Open dialog box, type MMC, and then click OK.

5. In the Microsoft Management Console (MMC) console, load the Group Policy Object Editor MMC snap-in.

6. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then expand Encrypting File System.

7. Right-click Encrypting File System, and then click Add Data Recovery Agent.

8. On the Add Recovery Agent Wizard page, click Next.

9. On the Select Recovery Agents page, click Browse Folders, and then navigate to the location of the .cer file.

10. Select the .cer file, and then click Open.

11. On the Select Recovery Agents page, click Next.

12. On the Completing the Add Recovery Agent Wizard page, click Finish.
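The following PowerShell script is an added example, not part of the original procedure, that automates steps 1 and 2 and then checks the generated certificate before you import it in the Group Policy Object Editor (steps 4 through 12 remain a manual task in the console). It assumes cipher.exe is available on the path, that PowerShell is installed on the computer, that "LocalDRA" and the DRA folder under the user profile are placeholder names you may change, and that the File Recovery enhanced key usage OID is 1.3.6.1.4.1.311.10.3.4.1, which is the EKU that Group Policy expects on a recovery agent certificate.

```powershell
# Added example (not from the original page): create a local EFS Data Recovery
# Agent with cipher.exe, confirm the .cer and .pfx were produced, and verify the
# certificate carries the File Recovery EKU before it is imported into local policy.
# Assumptions: cipher.exe on the path; "LocalDRA" and $workDir are placeholders.

$draName         = "LocalDRA"
$workDir         = Join-Path $env:USERPROFILE "DRA"      # constructed output folder
$cerPath         = Join-Path $workDir "$draName.cer"
$pfxPath         = Join-Path $workDir "$draName.pfx"
$fileRecoveryOid = "1.3.6.1.4.1.311.10.3.4.1"            # "File Recovery" enhanced key usage

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Push-Location $workDir
try {
    # Steps 1-2: cipher /R writes <name>.cer and <name>.pfx into the current
    # directory and prompts interactively for the password that protects the .pfx.
    & cipher.exe /R:$draName
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

foreach ($p in @($cerPath, $pfxPath)) {
    if (-not (Test-Path $p)) { throw "Expected output file not found: $p" }
}

# Sanity check on the public certificate: it must carry the File Recovery EKU,
# otherwise the Add Recovery Agent Wizard will not treat it as a DRA certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$hasRecoveryEku = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $fileRecoveryOid) { $hasRecoveryEku = $true }
        }
    }
}
if (-not $hasRecoveryEku) {
    throw "$cerPath does not carry the File Recovery EKU ($fileRecoveryOid)"
}

"DRA certificate OK"
"  Subject     : $($cert.Subject)"
"  Thumbprint  : $($cert.Thumbprint)"
"  Valid until : $($cert.NotAfter)"
"Next: import $cerPath with Add Data Recovery Agent in the Group Policy Object Editor."
"Then move $pfxPath to offline, access-controlled storage and delete the local copy."
```

Run the script from an elevated PowerShell prompt as the account that will act as the DRA. The thumbprint it prints is the value to compare against the certificate shown under Encrypting File System in the Group Policy Object Editor after the import, so you can confirm the policy holds the certificate you just generated and not a stale one; the .pfx is the only copy of the recovery private key, which is why the script reminds you to move it off the computer once the .cer has been imported.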

Tip Do not encrypt files with the DRA account. There is no way to recover the file if the certificate is lost or corrupted, since the data decryption field (DDF) and data recovery field (DRF) will use the same certificate.

