|Find out how to recover encrypted files with advice from Windows hardening expert Jonathan Hassell.|
Question: When I try to open a certain file, I get an error message that says "access denied." I was able to open the same file two days before. I checked the permission and I have full control over it. When I tried to use the EFSINFO utility to check the encryption details, I found my name under the user who can open the file, but there is no name under the recovery agent's column. I cannot decrypt the file. I did not rebuild my machine, and all of the configurations are the same without any changes. What is happening here?
- Posed by a SearchWindowsSecurity.com reader.
Jonathan Hassell offered his response:
It can be somewhat disconcerting that, in emergency or recovery situations, encrypted files can be decrypted by a user other than the user who encrypted the file originally. This is actually a feature, and it is quite secure. Designated user accounts, called recovery agent accounts, are issued recovery agent certificates with public keys and private keys upon their creation. Those, then, are used for EFS data recovery operations.
The top box of the Encryption Details dialog is a new feature in Windows Server 2003 that makes it quite a bit easier to enable other users to decrypt a file without them being recovery agents. By designating their user accounts in the top list, the users can access and use the file transparently. This may help you. Simply click Add and select your user account, and then try to decrypt the file.
Ask Jonathan Hassell a Windows security question of your own.
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at firstname.lastname@example.org.
This was first published in May 2007