EFS provides built-in data recovery by enforcing a recovery policy requirement: a recovery policy must be in place before users can encrypt files. The recovery policy designates one or more accounts as recovery agents. Again, this is transparent to the user. The default recovery policy is put in place automatically the first time the administrator logs on to the system (during installation), making the administrator the recovery agent.
What is the recovery agent? It is an account that holds a special certificate and its associated private key, which together allow data recovery for everything within the scope of influence of the recovery policy. This works because EFS stores each file's encryption key a second time, encrypted with the recovery agent's public key, so the agent's private key can unlock the file without the user's key. In other words, if you are the recovery agent for the domain, you will be called on any time someone loses his key or leaves the company without being polite enough to decrypt his files first.
How secure is the system if there is a master certificate and key floating around? Exactly as secure as that key, so you need to protect the recovery certificate and private key. If you are the recovery agent, use the Export command in the Certificates snap-in of Microsoft Management Console (MMC) to back up the recovery certificate and its associated private key (as a password-protected PFX file) to a secure location. Then use the Certificates snap-in to delete the recovery certificate from the recovery agent's personal store, but not from the recovery policy: the policy carries only the public certificate, which EFS needs so that users can continue to encrypt files. When you later need to perform a recovery operation for a user, start by restoring the recovery certificate and private key to the recovery agent's personal store with the Import command in the Certificates snap-in. After recovering the data, delete the recovery certificate from the personal store again; you do not have to repeat the export, because the backup you already made is still valid. Keeping the recovery private key off the computer and in a secure location apart from it is an additional measure for protecting sensitive data: an attacker who compromises the recovery agent's account or the machine finds no key to recover files with. In this case a secure location would be a safe.
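The export, delete, import-when-needed, delete-again routine described above, as an added example that is not from the original article and not a Microsoft tool. It uses PowerShell with the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate, Get-PfxData, available on Windows 8 / Server 2012 and later) in place of the Certificates MMC snap-in, so it does not run on Windows 2000 itself; the steps are the ones the text describes. The backup path, the prompt for the PFX password and the recovery target path are placeholders (assumptions), as is identifying the recovery agent certificate by its File Recovery enhanced key usage.

```powershell
# Added example, not from the original article: the export / delete / import-when-needed /
# delete-again workflow for an EFS recovery agent certificate, scripted with PowerShell
# instead of the Certificates MMC snap-in. Assumes the PKI module cmdlets
# (Export-PfxCertificate, Import-PfxCertificate, Get-PfxData; Windows 8 / Server 2012 and
# later). $BackupPath, the password prompt and the recovery $Path are placeholders.

$BackupPath = 'E:\RecoveryAgent\efs-recovery-agent.pfx'   # removable media that then goes into the safe
$Password   = Read-Host -AsSecureString -Prompt 'PFX password'

# EFS recovery agent certificates carry the "File Recovery" enhanced key usage (assumption:
# this is how we pick the certificate out of the personal store).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCert {
    # Only a certificate with its private key present can actually recover files;
    # a public-key-only copy (as carried in the recovery policy) cannot.
    @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryOid })
    })
}

function Backup-AndRemoveRecoveryAgentKey {
    $certs = Get-EfsRecoveryAgentCert
    if ($certs.Count -eq 0) { throw 'No EFS recovery agent certificate with a private key in CurrentUser\My.' }
    if ($certs.Count -gt 1) { throw 'Several recovery agent certificates found; select one by thumbprint first.' }
    $cert = $certs[0]

    # Step 1: export certificate plus private key as a password-protected PFX.
    Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $Password | Out-Null

    # Step 2: verify the backup before destroying the only other copy of the key.
    $pfx = Get-PfxData -FilePath $BackupPath -Password $Password
    if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw 'PFX backup does not contain the expected certificate; not deleting the original.'
    }

    # Step 3: delete from the personal store only, including the private key material.
    # The recovery policy in Group Policy is untouched; it carries the public certificate
    # that EFS needs so users can keep encrypting files.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    Write-Host "Recovery key removed from this machine; keep $BackupPath in the safe."
}

function Invoke-EfsRecovery {
    param([Parameter(Mandatory)][string]$Path)   # file or directory the user left encrypted

    # Step 4: restore the recovery certificate and key into the personal store.
    # The imported key need not be exportable: the PFX in the safe remains the backup.
    $cert = Import-PfxCertificate -FilePath $BackupPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    try {
        # Step 5: decrypt with cipher.exe; EFS finds the recovery agent's private key in the
        # store and uses the recovery field of each file. /s:dir recurses into a directory.
        if (Test-Path -Path $Path -PathType Container) {
            & cipher.exe /d "/s:$Path"
        } else {
            & cipher.exe /d "$Path"
        }
        if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
    } finally {
        # Step 6: delete again; no re-export is needed because the backup is still valid.
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
}

# Usage: run Backup-AndRemoveRecoveryAgentKey once, as the recovery agent, after the default
# recovery policy has created the agent's certificate; later, with the PFX media inserted,
# run Invoke-EfsRecovery -Path 'D:\Users\jsmith\Documents' to recover a departed user's files.
```

The verification in step 2 is the part a practitioner should not skip: deleting the private key from the store is irreversible, so the script refuses to delete until it has reopened the PFX and matched the thumbprint. The `finally` block makes the re-deletion happen even if `cipher.exe` fails part way through, so the recovery key never lingers on the machine by accident.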
The default recovery policy is configured locally on stand-alone computers. For computers that are members of a domain, the recovery policy is configured at the domain, organizational unit, or individual computer level through Group Policy, and applies to all Windows 2000-based computers within the defined scope of influence. Recovery certificates can be issued by a Certificate Authority (CA); when no CA is available, Windows 2000 generates a self-signed recovery certificate for the default recovery agent. In either case they are managed using the Certificates snap-in in MMC.
In a domain, the domain administrator controls how EFS is implemented for users on all computers in the domain. In a default Windows 2000 installation, when the first domain controller is set up, the domain administrator becomes the designated recovery agent for the domain. The way the domain administrator configures the recovery policy determines how EFS behaves for users on their local machines. To change the recovery policy for the domain, the domain administrator logs on to the first domain controller and edits the domain's Group Policy under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypted Data Recovery Agents.