Encryption problems

Depending upon the community that your network serves and the information contained on that
network, you might be required by law to encrypt that data. Users have many responsibilities and
low on their list of priorities is managing security for the network. If you have a small business
network or just a few Windows computers at home and run your computers in a workgroup
environment, you can still use EFS (Encrypting File System).
If you aren’t running EFS on your home or workgroup, I strongly advise you to do so, but you
need to plan for failure. Encryption is great at securing information, but it’s useless if you can’t
read that information due to a lost or damaged EFS key. If you’ve enabled EFS but forgot to
back up your keys, here’s the solution to that problem:
Creating a local recovery agent
In a non-domain environment, such as on a standalone computer or in a workgroup, you must
first create a local recovery agent if the computer is shared by multiple users. If your computers
have only a single user account on them, you can jump ahead to key recovery, but I still advise
on creating a local recovery agent because you never know when you might add a user to that
machine.
To create the recovery agent, first log on to the computer with an account that has administrator
credentials, then:
1. Click Start | Run, type mmc, and click OK
2. On the File menu, click Add/Remove Snap-in and click Add
3. Under Add Standalone Snap-in, click Group Policy Object Editor | Add
4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish
5. Click Close | OK
6. In Local Computer Policy, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder
7. Right-click Encrypting File System and click Add Data Recovery Agent or Create Data Recovery Agent
Note: The Wizard prompts you for a user name for a recovery agent. You can supply the wizard
with the name of a user with a published file recovery certificate, or you can browse for file
recovery certificates (.cer files) that contain information about the recovery agent you want to
add. File recovery certificates can be obtained from Certification Authorities. To identify a file
recovery certificate, in the Certificates snap-in, in the details pane, in the Enhanced Key Usage
field, look for the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). File recovery certificates are
stored as .cer files in the local computer file system or in Active Directory.
When you add a recovery agent from a file, the user is identified as USER_UNKNOWN because
the user name is not stored in the file.
8. Follow the instructions in the wizard to complete the process.
Key recovery
Once you have EFS running and a key recovery agent specified, you can back up the private
keys:
1. Log on to the computer by using the recovery agent’s local user account
2. Click Start | Run, type mmc, and click OK
3. On the File menu, click Add/Remove Snap-in and click Add
4. Under Available Standalone Snap-ins, click Certificates, then click Add
5. Click My user account, then click Finish
6. Click Close | OK
7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates
8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column
9. Right-click that certificate, point to All Tasks, then click Export. The Certificate Export Wizard will start
10. Click Next
11. Click Yes, export the private key, then click Next
12. Click Personal Information Exchange – PKCS #12 (.PFX)
13. Select the Enable strong protection check box
Note: DO NOT select the Delete the private key if the export is successful check box; otherwise the
private key will be removed from the computer and you will not be able to decrypt any encrypted files.
14. Click Next
15. Specify a password, then click Next
16. Specify a file name and location where you want to export the certificate and the private key, then click Next
Note: I recommend that you back up the file to a removable media device (USB or CD-ROM/DVD) and
store that backup in a physically secure location.
17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, then click Finish
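The export in steps 7 through 17 can also be scripted, which makes the backup repeatable after every recovery agent change. The script below is an added example, not part of the original article: it finds the certificates in the current user's Personal store whose Enhanced Key Usage carries the File Recovery OID (1.3.6.1.4.1.311.10.3.4.1) and writes each one, private key included, to a password-protected PFX. It assumes the PKI module's Export-PfxCertificate cmdlet (Windows 8 / Server 2012 or later) and a removable drive letter of E:, both of which are assumptions.

```powershell
# Added example (not from the original article): scripted equivalent of the
# Certificate Export Wizard steps above for the File Recovery certificate.
# Assumes Export-PfxCertificate (PKI module, Windows 8 / Server 2012 or later)
# and that E:\efs-backup is removable media you control (assumed path).
param(
    [string]$Destination = 'E:\efs-backup',           # assumed removable drive
    [string]$Purpose     = '1.3.6.1.4.1.311.10.3.4.1' # File Recovery EKU OID (from the article)
)

function Get-EfsCertificate {
    param([string]$EkuOid)
    # Walk Certificates - Current User\Personal and keep only certificates whose
    # Enhanced Key Usage extension lists the requested OID.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EkuOid })
    }
}

$certs = @(Get-EfsCertificate -EkuOid $Purpose)
if ($certs.Count -eq 0) {
    throw "No certificate with EKU $Purpose in Cert:\CurrentUser\My; create the recovery agent first."
}

if (-not (Test-Path -Path $Destination)) {
    New-Item -Path $Destination -ItemType Directory | Out-Null
}

# The PFX password is what protects the private key on the removable media,
# so it is prompted for rather than hard-coded in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

foreach ($cert in $certs) {
    # A PFX without the private key cannot decrypt anything, so skip such
    # certificates instead of producing a backup that looks valid but is useless.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint) has no private key in this store; skipping."
        continue
    }
    $file = Join-Path -Path $Destination -ChildPath "$($cert.Thumbprint).pfx"
    # Export-PfxCertificate leaves the key in the store, which is the behaviour
    # the wizard note above (do not delete the private key) asks you to keep.
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null
    Write-Output "Exported $($cert.Subject) to $file"
}
```

Run it while logged on as the recovery agent's local account, since the Personal store is per user; afterwards verify the PFX on another machine before relying on it.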
Final thoughts
Encryption is an easy, painless way of adding a layer of security to your data. Even if it’s a home
computer, it’s still your personal and private information, and you need to take steps to keep that
information private and secure.