Difference between revisions of "Deploy EFS using GPO"

From Michael's Information Zone
Jump to navigation Jump to search
Line 39: Line 39:
 
<br>
 
<br>
 
Users should now be able to encrypt their files on their workstations (or, as I will be showing later, run a login script that will take care of it for them.
 
Users should now be able to encrypt their files on their workstations (or, as I will be showing later, run a login script that will take care of it for them.
==Page File / Offline Files==
+
===Page File / Offline Files===
 
We need to ensure that the Page File and Offline files from network shares are encrypted as well. Thankfully this is an easy GPO switch
 
We need to ensure that the Page File and Offline files from network shares are encrypted as well. Thankfully this is an easy GPO switch
 
  Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
 
  Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Line 45: Line 45:
 
  Commputer Configuration -> Administrative Templates -> Network -> Offline Files
 
  Commputer Configuration -> Administrative Templates -> Network -> Offline Files
 
*Enable "Encrypt Offline Files Cache"
 
*Enable "Encrypt Offline Files Cache"
 +
===logon Script===
 +
Here is a partial batch script for encrypting sensitive areas of the computer
 +
<pre>
 +
cipher /e /s:%userprofile%\Desktop
 +
cipher /e /s:%userprofile%\Documents
 +
cipher /e /s:%userprofile%\Downloads
 +
cipher /e /s:%userprofile%\AppData\Local\Google
 +
cipher /e /s:%userprofile%\AppData\Local\Microsoft\Outlook
 +
cipher /e /s:%userprofile%\AppData\Local\Mozilla\Firefox\Profiles
 +
cipher /e /s:%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles
 +
</pre>
 +
Save your script, then back in your GPO head to
 +
User Configuration -> Windows Settings -> Scripts (Logon/Logoff)
 +
Open up Logon Properties, then click Show Files. Copy the script to this location and close the window. Back in Logon Properties click Add, Browse, then select the script. Apply and Ok all around.
  
 
===Decrypt===
 
===Decrypt===

Revision as of 08:36, 22 June 2016

This has been a fun ride figuring out what Windows wanted from me in order to make this happen.

Without Using CA Server

What I really needed was a way to deploy EFS using existing servers knowing that new ones will be brought online within the month, and creating a temporary CA in Windows Server didn't sound like a good idea. I needed to accomplish the following

  1. Enable EFS
  2. Push EFS to all users on the domain
  3. Only encrypt sensitive files
  4. Have a way to decrypt in an emergency (should never be needed, but I get paranoid with data).


1.

  • Create a DRA (Data Recovery Agent) user. This user does not need any special permissions other than being able to log in.
  • Log in as the new DRA user, open a command prompt, and run the following command to create the self signed certs.
 cipher /r:<certname>
  • You will be asked for a password to protect the private key with. Please make sure you remember what it is.
  • Move the cert to a secure location and now head back to the domain controller as admin.


2.

  • Open up Group Policy Manager
  • Either edit the default domain policy or create a new GPO under the OU of your choice.

NOTE : The GPO will be applying policies to the computer and not just the users, so ensure the computers that will be included for encryption are in an OU under the GPO.

  • Edit the following fields
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies - Encrypting File System
  • Right Click "Encrypting File System" then "Properties"
  • Under General enable EFS.
  • Under Certificates make sure "Allow EFS to generate self-signed certificates"
  • I do recommend changing the default key values to something a little stronger, but that is optional.
  • Click OK


3.

  • Right Click "Encrypting File System" then "Add Recovery Agent"
  • Select "Browse Folders" and find the Public .cer file that was previously created.
  • You will be informed that there is no way of knowing if the cert was revoked, just click Yes then Finish.
  • Under Public Key Policies right click "Trusted Root Certificate" and click import.
  • Import the same .cert Public key as before.


Users should now be able to encrypt their files on their workstations (or, as I will be showing later, run a login script that will take care of it for them.

Page File / Offline Files

We need to ensure that the Page File and Offline files from network shares are encrypted as well. Thankfully this is an easy GPO switch

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  • Enable"Shutdown: Clear Virtual memory pagefile"
Commputer Configuration -> Administrative Templates -> Network -> Offline Files
  • Enable "Encrypt Offline Files Cache"

logon Script

Here is a partial batch script for encrypting sensitive areas of the computer

cipher /e /s:%userprofile%\Desktop
cipher /e /s:%userprofile%\Documents
cipher /e /s:%userprofile%\Downloads
cipher /e /s:%userprofile%\AppData\Local\Google
cipher /e /s:%userprofile%\AppData\Local\Microsoft\Outlook
cipher /e /s:%userprofile%\AppData\Local\Mozilla\Firefox\Profiles
cipher /e /s:%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles

Save your script, then back in your GPO head to

User Configuration -> Windows Settings -> Scripts (Logon/Logoff)

Open up Logon Properties, then click Show Files. Copy the script to this location and close the window. Back in Logon Properties click Add, Browse, then select the script. Apply and Ok all around.

Decrypt

To decrypt using the DRA:

  1. Log into the workstation that has the encrypted files.
  2. Import the private key with extension .pfx by
    1. Open Run and type mmc.
    2. File -> Add/Remove Snap-in -> Certificates -> Add -> Ok
    3. Certificates - Current User -> Right click "Personal" -> All Tasks -> Import
    4. Browse for the .pfx private key, and make install the cert into the Personal Certificates Store.
  3. Now you should be able to open the encrypted files as well as decrypt them.


https://www.youtube.com/watch?v=vUCf4SPDqCQ
https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
https://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx
https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/
https://support.microsoft.com/en-us/kb/937536
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html
https://technet.microsoft.com/en-us/library/cc759721(v=ws.10).aspx
http://www.sevenforums.com/tutorials/143662-page-file-encryption-enable-disable.html
http://www.sevenforums.com/tutorials/50718-offline-files-encrypt-unencrypt.html