DRA and access denied

Posted by Eric Logsdon on September 28, 2006, 10:13 am
I am trying to set up a CA so we can use EFS for sensitive customer data.
My environment (I am using VirtualPC for testing):
Windows 2003 Enterprise DC and Enterprise CA (one virtual machine)
Windows/XP workstation that is a member of the domain.

Three users are set up:
User - this is the guy who has encrypted the files.
BadGuy - cannot decrypt the files
Administrator (domain) - is the DRA of record.

I set up administrator as DRA before User encrypted his files. I run
EFSInfo /R and the adminstrator@cttest.com shows up as the DRA for the file.
I think this is how it should look. Administrator has NTFS permissions to
the files and can read files that have been decrypted by User.

I log onto the workstation as the domain administrator, right click the file,
select properties, advanced and un-check the encrypt button. I click OK,
then Apply and get an "Access Denied" message.

I have seen references to this on standalone Windows/XP workstations where
the issue seemed to be importing the DRA key onto the workstation. My
understanding is that in a domain environment with an Enterprise CA I don't
have to import keys to the individual machines.

Any help or pointers would be appreciated.

--
Eric Logsdon
ELogsdon [at] cooperativetechnologies [dot] com



Posted by Brian Komar [MVP] on September 28, 2006, 10:36 am
Some comments inline...

bugus1.cooperativetechnologies.com> says...
> I am trying to set up a CA so we can use EFS for sensitive customer data.
> My environment (I am using VirtualPC for testing):
> Windows 2003 Enterprise DC and Enterprise CA (one virtual machine)
> Windows/XP workstation that is a member of the domain.
>
> Three users are set up:
> User - this is the guy who has encrypted the files.
> BadGuy - cannot decrypt the files
> Administrator (domain) - is the DRA of record.
>
> I set up administrator as DRA before User encrypted his files. I run
> EFSInfo /R and the adminstrator@cttest.com shows up as the DRA for the file.
> I think this is how it should look. Administrator has NTFS permissions to
> the files and can read files that have been decrypted by User.

What this actually means is that the subject of the DRA's certificate is the
Administrator. The actual certificate and private key is stored in the
Administrator's profile on the first domain controller in the forest. This does
*not* mean that the Administrator can log on at *any* computer in the network
and magically decrypt files.

The Administrator (in your case) would have to:
1) Export the EFS DRA certificate and private key into a PFX format
2) Log on at the workstation where they wish to perform the recovery
3) Import the PFX into that profile
4) Decrypt the file.
>
> I log onto the workstation as the domain administrator, right click the file,
> select properties, advanced and un-check the encrypt button. I click OK,
> then Apply and get an "Access Denied" message.

This is expected. It is not the account that is the DRA, it is the holder of the
certificate and private key. To be honest, you do not even have to log on as
administrator in my previous step 2. You could create *any* account at this
time, and then import the PFX file and act as the DRA.
>
> I have seen references to this on standalone Windows/XP workstations where
> the issue seemed to be importing the DRA key onto the workstation. My
> understanding is that in a domain environment with an Enterprise CA I don't
> have to import keys to the individual machines.

Your understanding is wrong.
>
> Any help or pointers would be appreciated.
>
>
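The four-step recovery procedure in the reply above, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the PKI module cmdlets (Windows 8 / Server 2012 and later; on XP/2003 the same export and import are done with the Certificates MMC wizard, and `efsinfo /r` replaces `cipher /c`), and `$PfxPath` and `$TargetFile` are placeholder paths.

```powershell
# Added example, not from the thread. Step 1 runs as the DRA on the DC whose
# profile holds the key; steps 3 and 4 run in whatever account is logged on at
# the workstation. The point the reply makes: what matters is which profile
# holds the File Recovery certificate *and* its private key, not which account.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (EFS DRA)

# Find File Recovery certificates for which *this* profile holds the private key.
function Get-DraCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryOid })
    }
}

# Step 1: export certificate plus private key to a password-protected PFX.
function Export-DraPfx {
    param([string]$PfxPath)   # placeholder path
    $dra = Get-DraCertificate | Select-Object -First 1
    if (-not $dra) { throw 'This profile does not hold a DRA private key' }
    $pwd = Read-Host -AsSecureString 'Password to protect the PFX'
    Export-PfxCertificate -Cert $dra -FilePath $PfxPath -Password $pwd
}

# Steps 3 and 4: import the PFX into the current profile, then decrypt.
function Recover-EfsFile {
    param([string]$PfxPath, [string]$TargetFile)   # placeholder paths
    if (-not (Get-DraCertificate)) {
        $pwd = Read-Host -AsSecureString 'PFX password'
        Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pwd | Out-Null
    }
    $dra = Get-DraCertificate
    if (-not $dra) { throw 'Import failed: no File Recovery certificate with private key' }
    # List the recovery agents recorded on the file; one thumbprint should match $dra.
    cipher.exe /c $TargetFile
    # Decrypt. This is the step that returned "Access Denied" when the private
    # key was absent from the profile; it succeeds only once the key is present.
    cipher.exe /d $TargetFile
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
}
```

Delete the PFX from the workstation after recovery; whoever holds that file and its password can act as the DRA, exactly as the reply notes.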

Posted by Eric Logsdon on September 28, 2006, 3:34 pm
Thanks.

--
Eric Logsdon
ELogsdon [at] cooperativetechnologies [dot] com