
Encrypting folders for Win2k laptops

Am I correct in thinking that if we implement the right group policy and make use of a certified key, we can recover encrypted data by specifying certain recovery agents? How do we do this for our directors who have laptops with sensitive information on them and who require encrypted folders but are not always connected to the domain?

You can have a central set of Data Recovery Agents that are used by laptops even when they are not connected to the network.

Be sure to have your laptop users log onto the domain even when they are on the road. The logon will pause for a few seconds and then proceed with cached credentials. The public key of the domain DRA is stored in the Registry. Because the user logged onto the domain (from the perspective of Winlogon), EFS running under the user's security context can access the domain DRA key.

It's very, very important that the users don't log onto their local desktop SAM rather than the domain. If they do, then the local Admin account on the Pro desktop will become the DRA for their encrypted files. Also, the password hash from their local SAM account will be used to encrypt the master Crypto key used to encrypt the user's private EFS key. When the user comes back to the office and logs onto the domain, they will not be able to open the files they encrypted while they were logged onto the local SAM.

Even worse, if a bad guy steals the laptop, it's a trivial process to change the local Admin password and use that account to open the encrypted files. File encryption is only secure when the laptop is a member of a domain and the user logs onto the domain account.
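The two checks the answer implies, as an added example that is not part of the original answer or of any Microsoft tool: first, whether the current logon used a domain account rather than the local SAM (Winlogon sets USERDOMAIN to the computer name for a local-SAM logon); second, whether each encrypted file actually lists the domain DRA as a recovery agent rather than the laptop's local Administrator. The per-file listing is assumed to come from an EFS inspection tool such as efsinfo /u /r (Windows 2000 Resource Kit) or cipher /c (later releases); the text in SAMPLE_LISTING is constructed to resemble that output, and the domain CORP, the DRA account EFSRecovery, the user jdirector and the machine LAPTOP42 are invented. Confirm the exact listing format on your build before relying on the parser. The audit also goes slightly beyond the answer by flagging files with no recovery agent at all.

```python
import os
import re
from typing import Dict, List, Tuple

Principal = Tuple[str, str]           # (DOMAIN, NAME), both upper-cased
FileAcl = Dict[str, List[Principal]]  # {"users": [...], "recovery": [...]}

# DOMAIN\Name as printed in the listing; for a local-SAM account the
# machine name takes the place of DOMAIN, which is what the audit keys on.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9_.-]+)\\([A-Za-z0-9_.$-]+)")
# Non-indented file line: "E name" (cipher /c style) or "name: Encrypted" (efsinfo style).
FILE_RE = re.compile(r"^(?:[A-Z]\s+)?(.+?)(?::\s*\w+)?$")

# Constructed sample (assumed format, not captured from a real machine):
# one file encrypted under the domain DRA, one encrypted while logged on
# to the local SAM, and one with no recovery agent at all.
SAMPLE_LISTING = """\
E board-minutes.doc
  Users who can decrypt:
    CORP\\jdirector [jdirector(jdirector@CORP)]
  Recovery Certificates:
    CORP\\EFSRecovery [EFSRecovery(EFSRecovery@CORP)]

E forecast.xls
  Users who can decrypt:
    LAPTOP42\\jdirector [jdirector(jdirector@LAPTOP42)]
  Recovery Certificates:
    LAPTOP42\\Administrator [Administrator(Administrator@LAPTOP42)]

E notes.txt
  Users who can decrypt:
    CORP\\jdirector [jdirector(jdirector@CORP)]
  Recovery Certificates:
"""


def logged_on_to_domain(userdomain: str, computername: str) -> bool:
    """True when the interactive logon used a domain account, not the local SAM."""
    return userdomain.upper() != computername.upper()


def parse_listing(text: str) -> Dict[str, FileAcl]:
    """Parse the tool output into {filename: {"users": [...], "recovery": [...]}}."""
    files: Dict[str, FileAcl] = {}
    current = None
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # A new file entry; the indented sections that follow belong to it.
            m = FILE_RE.match(raw.rstrip())
            current = m.group(1) if m else raw.strip()
            files[current] = {"users": [], "recovery": []}
            section = None
            continue
        line = raw.strip()
        if line.endswith(":"):
            low = line.lower()
            if low.startswith("users who can decrypt"):
                section = "users"
            elif low.startswith("recovery"):
                section = "recovery"
            else:
                section = None  # e.g. "Key Information:" on newer cipher.exe
            continue
        if current is not None and section is not None:
            m = PRINCIPAL_RE.search(line)
            if m:
                files[current][section].append((m.group(1).upper(), m.group(2).upper()))
    return files


def audit(files: Dict[str, FileAcl], domain: str, dra_name: str) -> List[str]:
    """Return one finding per file that the expected domain DRA cannot recover."""
    expected = (domain.upper(), dra_name.upper())
    findings: List[str] = []
    for name, acl in files.items():
        recovery = acl["recovery"]
        if expected in recovery:
            continue
        if not recovery:
            findings.append(f"{name}: no recovery agent; only the user's own key can decrypt it")
            continue
        # Any agent whose "domain" is not the real domain is a local-SAM account,
        # i.e. the file was encrypted while logged on locally.
        local = [f"{d}\\{n}" for d, n in recovery if d != expected[0]]
        if local:
            findings.append(f"{name}: recovery agent is a local SAM account ({', '.join(local)}); "
                            "encrypted while logged on locally, not under the domain DRA")
        else:
            others = ", ".join(f"{d}\\{n}" for d, n in recovery)
            findings.append(f"{name}: domain DRA {domain}\\{dra_name} missing; agents: {others}")
    return findings


if __name__ == "__main__":
    # Live use: feed the output of efsinfo /u /r <files> or cipher /c <files>
    # to parse_listing(); the constructed sample stands in for it here.
    userdomain = os.environ.get("USERDOMAIN")
    computername = os.environ.get("COMPUTERNAME")
    if userdomain and computername and not logged_on_to_domain(userdomain, computername):
        print("WARNING: logged on to the local SAM; new EFS files will not be under the domain DRA")
    for finding in audit(parse_listing(SAMPLE_LISTING), "CORP", "EFSRecovery"):
        print(finding)
```

Run it from the user's own session (EFS keys are per user), after the laptop has been used on the road, and treat any finding as a file to decrypt and re-encrypt after a proper domain logon; the "local SAM account" finding is exactly the condition the answer warns about.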
