Creating CA and self-signed cert for EFS recovery

Bill Hobson - 19 Jul 2007 15:10 GMT
Sigh! When trying to discover a Step-by-Step (even in the so-called
Step-by-Step section of Technet) method of setting up a simple (oxymoron?)
configuration of a CA and self-signed certificate for the sole purpose of
being able to recover EFS encrypted files and folders, I struck out.

Can anyone point me to some material on how to set this up? Our environment
is Windows 2003 servers (will make DC a CA for this purpose) and all
machines with EFS will belong to the domain where the CA exists.
Steve Riley [MSFT] - 22 Jul 2007 04:15 GMT
Have these files already been encrypted by EFS? If so, then setting up a CA
after-the-fact won't give you the ability to recover those files. They'd have
to be decrypted then re-encrypted after you get the CA set up and all
clients switched over to using the EFS certificates it issues.

Or, if you're looking to deploy EFS the right way before users begin
encrypting anything, allow me to point you to the recently-released Data
Encryption Toolkit for Mobile PCs. The guidance and tool here will make EFS
much easier for you.

http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx


Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

> Sigh! When trying to discover a Step-by-Step (even in the so-called
> Step-by-Step section of Technet) method of setting up a simple (oxymoron?)
[quoted text clipped - 4 lines]
> environment is Windows 2003 servers (will make DC a CA for this purpose)
> and all machines with EFS will belong to the domain where the CA exists.
Bill Hobson - 23 Jul 2007 15:16 GMT
Exactly what I was looking for. I am setting this up before deploying EFS
(read your book, Steve! Protect Your Windows Network).

Thanks for the very enlightening post!

> Have these files already been encrypted by EFS? If so, then setting up a
> CA after-the-fact won't give you the ability to recover those files. They'd
[quoted text clipped - 21 lines]
>> environment is Windows 2003 servers (will make DC a CA for this purpose)
>> and all machines with EFS will belong to the domain where the CA exists.
Steve Riley [MSFT] - 24 Jul 2007 02:52 GMT
Cool! And thanks for picking up the book :)

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

> Exactly what I was looking for. I am setting this up before deploying EFS
> (read your book, Steve! Protect Your Windows Network).
[quoted text clipped - 26 lines]
>>> environment is Windows 2003 servers (will make DC a CA for this purpose)
>>> and all machines with EFS will belong to the domain where the CA exists.
 