Ask the Expert

Encrypting folders for Win2k laptops

Am I correct in thinking that, if we implement the right group policy and make use of a certified key, we can recover encrypted data by specifying certain recovery agents? How do we do this for our directors, who have laptops with sensitive information on them and require encrypted folders, but are not always connected to the domain?


Yes. You can define a central set of Data Recovery Agents (DRAs) in the domain's EFS recovery policy, and the laptops will use them even when they are not connected to the network.

The key point is to have your laptop users log onto the domain even when they are on the road. With no domain controller reachable, the logon pauses a few seconds and then proceeds with cached credentials, so from Winlogon's perspective it is still a domain logon. The public key of the domain DRA is cached in the Registry when Group Policy is applied, so EFS, running in the user's security context, can still add the domain DRA to every file the user encrypts while offline. The cache is only as fresh as the last policy refresh, so make sure each laptop has connected to the domain and picked up the recovery policy before it leaves the office.

It is very important that the users do not log onto their local SAM account instead of the domain. If they do, the local Administrator account on the Windows 2000 Professional laptop becomes the DRA for their encrypted files. Also, the master key that protects the user's private EFS key is itself encrypted with a key derived from the local SAM account's password hash. The local account and the domain account are different security principals with different EFS key pairs, so when the user comes back to the office and logs onto the domain, they will not be able to open the files they encrypted while logged onto the local SAM account.

Even worse, if a thief steals the laptop, it is a trivial process to reset the local Administrator password offline and use that account, as the default local DRA, to open the encrypted files; on Windows 2000 a password reset does not lock the local account out of its own EFS keys (later versions of Windows changed this). In this configuration, EFS is only secure when the laptop is a member of the domain and the user logs on with the domain account.
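A pre-flight check that enforces the points above before a folder is encrypted, added here as an example and not part of the original answer. It is written in Windows PowerShell with cipher.exe, so it assumes a Windows version newer than the Windows 2000 machines in the question; the registry path of the cached recovery policy, the cipher /c switch, the gpupdate command and the folder path are assumptions, not taken from the article.

```powershell
# Added example (not from the original article): refuse to encrypt unless the
# session is a domain logon and a domain recovery agent certificate is cached.
# Assumptions: modern Windows (PowerShell, gpupdate, cipher /c), and the
# registry path below for the cached EFS recovery policy.

param(
    # Illustrative folder; replace with the directors' real working folder.
    [string]$Folder = "$env:USERPROFILE\Documents\BoardPapers"
)

function Test-DomainLogon {
    # For a local SAM account USERDOMAIN is the machine name; for a domain
    # account (cached logon included) it is the NetBIOS domain name.
    return ($env:USERDOMAIN -ne $env:COMPUTERNAME)
}

function Get-CachedRecoveryAgentThumbprints {
    # Group Policy caches the domain EFS recovery policy (the DRA public
    # certificates) under this key (assumed path); each subkey is a thumbprint.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    if (-not (Test-Path $policyKey)) { return @() }
    return @(Get-ChildItem -Path $policyKey | Select-Object -ExpandProperty PSChildName)
}

function Protect-FolderWithEfs {
    param([string]$Path)

    if (-not (Test-DomainLogon)) {
        throw ("Logged on as local account {0}\{1}. Log off and log on with the " +
               "domain account; files encrypted now would be unreadable from it.") -f
               $env:USERDOMAIN, $env:USERNAME
    }

    $agents = Get-CachedRecoveryAgentThumbprints
    if ($agents.Count -eq 0) {
        throw ("No domain recovery agent certificate is cached on this machine. " +
               "Connect to the domain, run 'gpupdate /force', then retry.")
    }
    Write-Host ("Cached recovery agent(s): {0}" -f ($agents -join ', '))

    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # /e marks the directory encrypted so new files inherit it, /s applies to
    # the whole subtree, /a also encrypts files already present.
    & cipher.exe /e "/s:$Path" /a | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe failed with exit code $LASTEXITCODE"
    }

    # /c lists, per file, the user certificate and the recovery certificates
    # that can open it; the domain DRA should appear on every file.
    & cipher.exe /c "/s:$Path"
}

Protect-FolderWithEfs -Path $Folder
```

Run it as the laptop user, not as an administrator: EFS keys belong to the logon session that encrypts the files, which is exactly why the domain-versus-local check matters. If the cipher /c listing shows no recovery certificate, the recovery policy was never applied to that machine and the files are not recoverable by the central DRAs.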

This was first published in March 2001
