Q

Encrypting folders for Win2k laptops

Am I correct in thinking that if we implement the right group policy and make use of a certified key we can recover encrypted data by specifying certain recovery agents. How do we do this for our directors who have laptops with sensitive information on them and who require encrypted folders but are not always connected to the domain?

You can have a central set of Data Recovery Agents that are used by laptops even when they are not connected to the network.

Be sure to have your laptop users log onto the domain even when they are on the road. The logon will pause a few seconds then proceed with cached credentials. The public key of the domain DRA is stored in the Registry. Because the user logged onto the domain (from the perspective of Winlogon), EFS running under the user's security context can access the domain DRA key.

It's very, very important that the users don't log onto their local desktop SAM rather than the domain. If they do, then the local Admin account on the Pro desktop will become the DRA for their encrypted files. Also, the password hash from their local SAM account will be used to encrypt the master Crypto key used to encrypt the user's private EFS key. When the user comes back to the office and logs onto the domain, they will not be able to open the files they encrypted while they were logged onto the local SAM.

Even worse, if a bad guy steals the laptop, it's a trivial process to change the local Admin password and use that account to open the encrypted files. File encryption is only secure when the laptop is a member of a domain and the user logs onto the domain account.

This was first published in March 2001

Dig deeper on Microsoft Windows Data Backup and Protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close