Difference between revisions of "Deploy EFS using GPO"
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 57: | Line 57: | ||
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx<br> | https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx<br> | ||
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html<br> | https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html<br> | ||
+ | https://technet.microsoft.com/en-us/library/cc759721(v=ws.10).aspx<br> |
Revision as of 14:44, 20 June 2016
This has been a fun ride figuring out what Windows wanted from me in order to make this happen.
Without Using CA Server
What I really needed was a way to deploy EFS using existing servers knowing that new ones will be brought online within the month, and creating a temporary CA in Windows Server didn't sound like a good idea. I needed to accomplish the following
- Enable EFS
- Push EFS to all users on the domain
- Only encrypt sensitive files
- Have a way to decrypt in an emergency (should never be needed, but I get paranoid with data).
1.
- Create a DRA (Data Recovery Agent) user. This user does not need any special permissions other than being able to log in.
- Log in as the new DRA user, open a command prompt, and run the following command to create the self signed certs.
cipher /r:<certname>
- You will be asked for a password to protect the private key with. Please make sure you remember what it is.
- Move the cert to a secure location and now head back to the domain controller as admin.
2.
- Open up Group Policy Manager
- Either edit the default domain policy or create a new GPO under the OU of your choice.
NOTE : The GPO will be applying policies to the computer and not just the users, so ensure the computers that will be included for encryption are in an OU under the GPO.
- Edit the following fields
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies - Encrypting File System
- Right Click "Encrypting File System" then "Properties"
- Under General enable EFS.
- Under Certificates make sure "Allow EFS to generate self-signed certificates"
- I do recommend changing the default key values to something a little stronger, but that is optional.
- Click OK
3.
- Right Click "Encrypting File System" then "Add Recovery Agent"
- Select "Browse Folders" and find the Public .cer file that was previously created.
- You will be informed that there is no way of knowing if the cert was revoked, just click Yes then Finish.
- Under Public Key Policies right click "Trusted Root Certificate" and click import.
- Import the same .cert Public key as before.
Users should now be able to encrypt their files on their workstations (or, as I will be showing later, run a login script that will take care of it for them.
Decrypt
To decrypt using the DRA:
- Log into the workstation that has the encrypted files.
- Import the private key with extension .pfx by
- Open Run and type mmc.
- File -> Add/Remove Snap-in -> Certificates -> Add -> Ok
- Certificates - Current User -> Right click "Personal" -> All Tasks -> Import
- Browse for the .pfx private key, and make install the cert into the Personal Certificates Store.
- Now you should be able to open the encrypted files as well as decrypt them.
https://www.youtube.com/watch?v=vUCf4SPDqCQ
https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
https://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx
https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/
https://support.microsoft.com/en-us/kb/937536
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html
https://technet.microsoft.com/en-us/library/cc759721(v=ws.10).aspx