[unisog] Windows Encrypted File System (EFS)
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Fri Feb 10 22:43:24 GMT 2006
Reg Quinton wrote:
> In theory yes, in practice no. The default configuration has the
> Administrator account as a key recovery agent. See the "User Beware" section
> in our discussion of EFS here:
That's not true for Windows XP and/or Windows Server 2003 -- in this
case, there is no default recovery agent. Users can encrypt files with
just their own EFS certificates and no recovery certificates are needed
or generated. This eliminates the need to export and delete the
Administrator's EFS private key on stand-alone computers, but it also
prevents recoverability by default.
If the machine is a member of an Active Directory domain, then GPOs can
be used to add data recovery agents.
Jeremy L. Gaddis, GCWN, Linux+, Network+
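As an added illustration of the recoverability point above (this script is not part of the original post and is not from the list or its author), here is a PowerShell 2.0-compatible check that walks a folder, finds EFS-encrypted files and reports those that carry no data recovery agent certificate, so they can only be decrypted with the owner's own EFS key. It assumes cipher.exe /c is available and that its output contains either a "Recovery Certificates" section or the line "No recovery certificate found"; the starting folder is an assumed default.

```powershell
# Added example: list EFS-encrypted files that have no recovery agent
# certificate. Assumptions: cipher.exe /c is present and prints either a
# "Recovery Certificates" section or "No recovery certificate found".
param(
    [string]$Path = "$env:USERPROFILE"   # assumed default starting folder
)

function Get-EfsRecoveryStatus {
    param([string]$File)
    # cipher /c describes who can decrypt the file, including any DRA certs
    $text = (& cipher.exe /c "$File" 2>&1) -join "`r`n"
    $hasDra = ($text -match 'Recovery Certificates') -and
              ($text -notmatch 'No recovery certificate found')
    New-Object PSObject -Property @{
        File        = $File
        HasRecovery = $hasDra
    }
}

# Only files with the Encrypted attribute are worth asking cipher about
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
    ForEach-Object { Get-EfsRecoveryStatus -File $_.FullName } |
    Where-Object { -not $_.HasRecovery } |
    Select-Object File, HasRecovery |
    Format-Table -AutoSize
```

On a domain member where a DRA has been pushed by GPO, files encrypted after the policy applied should no longer appear in this list; files encrypted before it need to be touched (for example with cipher /u) before the DRA is added to their metadata.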