Книга: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Understanding encryption certificates and recovery policy

Understanding encryption certificates and recovery policy

File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the person who encrypted the file. Before other users can read an encrypted file, the user must decrypt the file.

Every file that’s encrypted has a unique encryption key. This means that encrypted files can be copied, moved, and renamed just like any other file-and in most cases these actions don’t affect the encryption of the data. The user who encrypted the file always has access to the file if the user’s private key is available in the user’s profile on the computer or the user has credential roaming with Digital Identification Management Service (DIMS). For this user, the encryption and decryption process is handled automatically and is transparent.

EFS is the process that handles encryption and decryption. The default setup for EFS makes it possible for users to encrypt files without needing special permission. Files are encrypted by using a public/private key that EFS generates automatically on a per-user basis. By default, Windows uses the Advanced Encryption Standard (AES) algorithm for encrypting files with EFS. Internet Information Services 7 and later can use an AES provider for encrypting passwords by default.

Encryption certificates are stored as part of the data in user profiles. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile for that user. A roaming profile ensures that the user’s profile data and public-key certificates are accessible from other computers. Without this, users won’t be able to access their encrypted files on another computer.

TIP An alternative to a roaming profile is to copy the user’s encryption certificate to the computers the user uses. You can do this by using the certificate backup and restore process discussed in “Backing up and restoring encrypted data and certificates” later in this chapter. Just back up the certificate on the user’s original computer, and then restore the certificate on each of the other computers the user logs on to.

EFS has a built-in, data-recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered if a user’s public-key certificate is lost or deleted. The most common scenario in which this occurs is when a user leaves the company and the associated user account is deleted. Although a manager might have been able to log on to the user’s account, check files, and save important files to other folders, encrypted files will be accessible afterward only if the encryption is removed by the manager acting as the user who encrypted the files or, if while logged on as the user, the manager moves the files to a FAT or FAT32 volume (where encryption isn’t supported).

To access encrypted files after the user account has been deleted, you need to use a recovery agent. Recovery agents have access to the file encryption key that’s necessary to unlock data in encrypted files. However, to protect sensitive data, recovery agents don’t have access to a user’s private key or any private key information.

Recovery agents are designated automatically, and the necessary recovery certificates are generated automatically as well to ensure that encrypted files can always be recovered.

EFS recovery agents are configured at two levels:

? Domain The recovery agent for a domain is configured automatically when the first Windows Server 2012 R2 domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.

? Local computer When a computer is part of a workgroup or in a standalone configuration, the recovery agent is the administrator of the local computer by default. You can designate additional recovery agents. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from the Group Policy for the domain.

You can delete recovery policies if you don’t want them to be available. However, deleting recovery policies is not recommended because there can be severe unintentional consequences.

Оглавление книги


Генерация: 0.053. Запросов К БД/Cache: 0 / 0
поделиться
Вверх Вниз