Using the cipher Command to Add Data Recovery Agent

1. Click Start | Run, type cmd, and then click OK.

2. Type this command at the prompt and then press Enter to execute the command:

cipher /r:testdra

Note

If you do not specify a filename when using the cipher /r: command, files named .CER and .PFX will be created (essentially, no filename, just the extension). Instead, use a filename such as the testdra we used earlier. Once you've added the DRA to the EFS policy, you can right-click on the DRA and edit the properties, such as giving it a user-friendly name and a description.

3. When prompted, enter a password and then re-enter the password to verify the password. You'll be notified that the .PFX and .CER files have been created. Make a note of the folder in which they reside so you can easily browse to them. This was shown in Figure 9.30 earlier in this chapter.

4. Next, follow steps 1 through 11 in the previous exercise, Exercise 9.06, to access the Add Data Recovery Agent Wizard. When prompted to select recovery agents (Exercise 9.06, step 11), browse to the location of the .CER file. By default, this file resides in the path in which it was created. If you look at Figure 9.30, you'll see it should be located in C:\Documents and Settings\Administrator. If another path was selected, the .CER file resides in that alternate path. As shown in Figure 9.34, when you locate the .CER file, click to select it, and then click Open.

Figure 9.34 Importing Certificate for Recovery Agent

5. If the certificate was created by EFS, you will receive a notice that Windows cannot determine if the certificate has been revoked. (Recall that we discussed that EFS does not maintain certificate revocation lists.) This warning is shown in Figure 9.35. Click Yes to accept or No to reject. Click Yes to display the final screen of the wizard, which shows the user and certificate you've selected. Click Finish to close the Add Recovery Agent Wizard and return to the MMC.

Figure 9.35 Windows Warning Regarding Certificate Status

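The following script is an added example, not part of the book's exercise: it runs the same cipher /r: command as steps 2 and 3 and then checks the resulting .CER before you hand it to the Add Recovery Agent Wizard. It assumes Windows PowerShell, a writable current directory, and the base name testdra from the exercise; the check for the "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) confirms the file really is an EFS recovery certificate.

```powershell
# Added example (not from the book): create a DRA certificate with cipher /r
# and inspect the .cer before adding it to the EFS policy.
# Save as Make-Dra.ps1 and run it from the folder where the files should land.
param([string]$Name = "testdra")   # base name used in the exercise

cipher.exe /r:$Name                # prompts twice for the PFX password (step 3)
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed" }

$cerPath = Join-Path (Get-Location) "$Name.cer"
$pfxPath = Join-Path (Get-Location) "$Name.pfx"
foreach ($p in $cerPath, $pfxPath) {
    if (-not (Test-Path $p)) { throw "expected file not found: $p" }
}

# Load the public certificate and confirm it carries the EFS "File Recovery"
# enhanced key usage; any other certificate should not be added as a DRA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$fileRecoveryOid = "1.3.6.1.4.1.311.10.3.4.1"
$hasEku = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $fileRecoveryOid) { $hasEku = $true }
        }
    }
}
if (-not $hasEku) { throw "$cerPath does not carry the File Recovery EKU" }

# cipher /r produces a self-signed certificate (issuer equals subject), which is
# why the wizard later warns that revocation cannot be checked (Figure 9.35).
# Record what you are about to trust before clicking Yes.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
}
# Copy $pfxPath (the private key) to removable media and delete the local copy;
# only the .cer is needed by the wizard in step 4.
```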

Adding recovery agents for the domain uses a similar process. Instead of selecting the Local Computer as the Group Policy Object (step 4 in the preceding exercise), you would select the GPO for which you want to establish the recovery agent (OU, domain, etc.). Figure 9.36 shows this node in the Default Domain Policy. Always back up recovery keys to floppy disk before making any changes. In a domain, the default recovery policy is implemented for the domain when the first controller is set up. The first domain administrator is issued a self-signed certificate used to designate the domain admin as the recovery agent. To change this default recovery policy for the domain, log on to the first DC as Administrator. If you want to add a recovery agent, you can use the steps outlined in the preceding exercise to Add Data Recovery Agents. However, the DC will contact a Windows Server 2003 CA to request a certificate. The certificate is based on the EFS Recovery Agent certificate template. If this template is not available or if you cannot obtain a certificate, you will receive an error and will be unable to add recovery agents.

Figure 9.36 Default Domain Policy Encrypting File System Node

In addition to creating recovery agents, you can configure a GPO so that it does not require a recovery agent. You can configure this for any OUs, domains, or sites in the Active Directory forest to allow you to use EFS without a recovery agent. You will be unable to configure the GPO in this manner if you have an EFS policy defined. If so, you must delete the policy first. In the MMC with the Group Policy Object editor open, if you select Encrypting File System in the left pane, click Action on the menu, and select All Tasks, you'll have an additional option of Do Not Require Data Recovery Agents. If this option is not available, you have not deleted the existing EFS policy.

Removing Recovery Agent Policy

It is possible that a company might implement a data recovery policy and later decide to remove or eliminate that policy. When a recovery policy is removed from a domain, it is no longer applied via group policy. In Windows 2000, once the group policy has been updated, no new files can be encrypted. In Windows XP and Windows Server 2003, computers will not be impacted. Encrypted files can still be opened, but they cannot be re-encrypted. Existing encrypted files remain encrypted until they are accessed or updated by a user who has a private key to decrypt those files.

Recovering Files

Files can be recovered in one of several ways. A file that has been saved via the Backup tool (or another backup utility) can be restored to the user's machine (or previous location), and the user's credentials can then decrypt the file. Files backed up using the Windows Backup tool will remain encrypted on the backup media and will remain encrypted when restored from the backups. If a user's certificate is lost or destroyed, the encrypted file can be sent to the designated recovery agent, and the recovery agent can decrypt the file and transfer it back to the desired location. Remember that the transmitted file will not be encrypted, so use a secure transfer method or deliver the file to the recovery agent on removable media. Conversely, you can import the recovery agent credentials to the location of the encrypted file for decryption and file recovery. Once the file is recovered, the recovery agent credentials should be removed from the computer for security. The file and the credentials must both be on the same computer to recover the file, regardless of whether this occurs on a designated secure workstation or on the user's computer.
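The recovery path described in the second half of this paragraph (bring the recovery agent's credentials to the computer holding the file, decrypt, then remove the credentials) as an added example, not part of the book. It assumes Windows PowerShell with the PKI module (Windows 8 / Server 2012 or later), a DRA .PFX on removable media, and placeholder paths for the key and the encrypted file.

```powershell
# Added example (not from the book): recover an EFS file with the recovery
# agent's credentials on the user's computer, then remove those credentials.
param(
    [string]$PfxPath = "E:\testdra.pfx",      # DRA private key on removable media (placeholder)
    [string]$File    = "C:\data\report.doc"   # encrypted file to recover (placeholder)
)

$pfxPwd = Read-Host -AsSecureString "PFX password"

# Import the recovery agent's certificate and private key into the current
# user's personal store so that EFS can use it to decrypt the file's DRF.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPwd
$thumb = $imported.Thumbprint
try {
    # Show which user and recovery certificates can open the file before touching it.
    cipher.exe /c $File

    # Decrypt in place. The plaintext now sits on this disk, so the file should
    # stay on the computer where it belongs rather than be sent over the network.
    cipher.exe /d $File
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed for $File" }

    $attrs = (Get-Item $File).Attributes
    if ($attrs -band [IO.FileAttributes]::Encrypted) { throw "$File is still encrypted" }
    Write-Output "Recovered: $File"
}
finally {
    # Remove the DRA certificate and its private key from this computer,
    # whether or not the recovery succeeded.
    Remove-Item "Cert:\CurrentUser\My\$thumb" -DeleteKey
    Write-Output "Recovery agent credentials removed from this computer"
}
```

If the file was instead moved to a designated recovery workstation, run the same script there and deliver the decrypted result back on removable media rather than over an unprotected network share.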

Exam Warning

You are practically guaranteed to encounter one or more questions that involve the use of certificates in one form or another. It's likely that if you see an EFS-related question on the exam it will involve the loss of private keys or certificates and the recovery of encrypted files. Make sure you're comfortable with the concepts of EFS and data recovery for the exam.

Backing Up Keys

Certificates can be backed up with or without private keys. This is accomplished via the Certificates snap-in in the MMC. It's suggested you back up certificates with private keys to a floppy disk or other secure removable media and store this media in a secure location. For stand-alone computers or for mobile computers such as laptops, you should remove the private keys from the system and store them in a secure location. In the following exercise, we'll step through backing up certificates with private keys and you'll see how to remove the private key during this process.
