Difference between revisions of "Deploy EFS using GPO"

This has been a fun ride figuring out what Windows wanted from me in order to make this happen.

Without Using CA Server

What I really needed was a way to deploy EFS using existing servers knowing that new ones will be brought online within the month, and creating a temporary CA in Windows Server didn't sound like a good idea. I needed to accomplish the following

1. Enable EFS
2. Push EFS to all users on the domain
3. Only encrypt sensitive files
4. Have a way to decrypt in an emergency (should never be needed, but I get paranoid with data).

1.

• Create a DRA (Data Recovery Agent) user. This user does not need any special permissions other than being able to log in.
• Log in as the new DRA user, open a command prompt, and run the following command to create the self signed certs.

 cipher /r:<certname>

• You will be asked for a password to protect the private key with. Please make sure you remember what it is.
• Move the cert to a secure location and now head back to the domain controller as admin.

2.

• Open up Group Policy Manager
• Either edit the default domain policy or create a new GPO under the OU of your choice.
  

NOTE : The GPO will be applying policies to the computer and not just the users, so ensure the computers that will be included for encryption are in an OU under the GPO.

• Edit the following fields

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies - Encrypting File System

• Right Click "Encrypting File System" then "Properties"
• Under General enable EFS.
• Under Certificates make sure "Allow EFS to generate self-signed certificates"
• I do recommend changing the default key values to something a little stronger, but that is optional.
• Click OK

3.

• Right Click "Encrypting File System" then "Add Recovery Agent"
• Select "Browse Folders" and find the Public .cer file that was previously created.
• You will be informed that there is no way of knowing if the cert was revoked, just click Yes then Finish.
• Under Public Key Policies right click "Trusted Root Certificate" and click import.
• Import the same .cert Public key as before.

Users should now be able to encrypt their files on their workstations (or, as I will be showing later, run a login script that will take care of it for them.

Page File / Offline Files

We need to ensure that the Page File and Offline files from network shares are encrypted as well. Thankfully this is an easy GPO switch

• NOTE THAT THE FOLLOWING DOES NOT ENCRYPT THE PAGE FILE. WILL FIX SOON

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options

• Enable"Shutdown: Clear Virtual memory pagefile"

Commputer Configuration -> Administrative Templates -> Network -> Offline Files

• Enable "Encrypt Offline Files Cache"

logon Script

Here is a partial batch script for encrypting sensitive areas of the computer

cipher /e /s:%userprofile%\Desktop
cipher /e /s:%userprofile%\Documents
cipher /e /s:%userprofile%\Downloads
cipher /e /s:%userprofile%\AppData\Local\Google
cipher /e /s:%userprofile%\AppData\Local\Microsoft\Outlook
cipher /e /s:%userprofile%\AppData\Local\Mozilla\Firefox\Profiles
cipher /e /s:%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles

Save your script, then back in your GPO head to

User Configuration -> Windows Settings -> Scripts (Logon/Logoff)

Open up Logon Properties, then click Show Files. Copy the script to this location and close the window. Back in Logon Properties click Add, Browse, then select the script. Apply and Ok all around.

Decrypt

To decrypt using the DRA:

1. Log into the workstation that has the encrypted files.
2. Import the private key with extension .pfx by
   1. Open Run and type mmc.
   2. File -> Add/Remove Snap-in -> Certificates -> Add -> Ok
   3. Certificates - Current User -> Right click "Personal" -> All Tasks -> Import
   4. Browse for the .pfx private key, and make install the cert into the Personal Certificates Store.
3. Now you should be able to open the encrypted files as well as decrypt them.

Things to Look out for

• When you copy files from an encrypted source to a network share, the files will remain encrypted. These will need to be decrypted before they can be shared with others.

• Sometimes when downloading files directly to a shared drive using Chrome, the downloaded file may be saved to the local Downloads directory first then sent to the server. If this happens the file will be encrypted and will not be accessible to anyone else (except the DRA if the server falls under the GPO's scope)

https://www.youtube.com/watch?v=vUCf4SPDqCQ
https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
https://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx
https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/
https://support.microsoft.com/en-us/kb/937536
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html
https://technet.microsoft.com/en-us/library/cc759721(v=ws.10).aspx
http://www.sevenforums.com/tutorials/143662-page-file-encryption-enable-disable.html
http://www.sevenforums.com/tutorials/50718-offline-files-encrypt-unencrypt.html