Basic EFS Certificate Question

Subject Author Date
Basic EFS Certificate Question Snowmizer 04-12-2006
Posted by Paul Adare on April 12, 2006, 3:11 pm
microsoft.public.security news group, Snowmizer

> Everything we have is Windows 2000 and above. The desktops are Windows 2000
> Pro (latest patches and service packs). The CA server is a Windows 2003
> Enterprise Edition server (latest patches and service packs).

You're missing the point. See below. You stated that you don't know of
any software you have that encrypts files. I was telling you that
Windows 2000 and above has the ability natively to perform file level
encryption.

>
>
>
> "Paul Adare" wrote:
>
> > microsoft.public.security news group, Snowmizer
> >
> > > I just know that we don't purposely have anything on our network configured
> > > to specifically use encryption. I don't know of any software that we have
> > > that encrypts files.
> > >
> >
> > Try Windows 2000 and above.
> >
> > --
> > Paul Adare - MVP Virtual Machines
> > It all began with Adam. He was the first man to tell a joke--or a lie.
> > How lucky Adam was. He knew when he said a good thing, nobody had said
> > it before. Adam was not alone in the Garden of Eden, however, and does
> > not deserve all the credit; much is due to Eve, the first woman, and
> > Satan, the first consultant." - Mark Twain
> >
>

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

Posted by Roger Abell [MVP] on April 12, 2006, 9:36 pm
>I didn't actually ever disable the ability to obtain a Basic EFS
>certificate.

If you want to explicitly disable use of EFS encryption there is a
policy setting you can use via GPO so that users on client systems
would not, at their option, choose to use EFS to encrypt files.

I believe the issue you have is actually in determining why you see
repeated certs issued to the same user in a short interval, if, that is,
you are correctly interpreting what trail you see.


> I just know that we don't purposely have anything on our network
> configured
> to specifically use encryption. I don't know of any software that we have
> that encrypts files. The fact that it's only associated with a couple of
> our
> users makes me believe they are visiting some site or something that needs
> an
> EFS certificate. Could this be the case? If so is there a way to find out
> what is requesting the certificate? Is this something that is typically
> disabled? Is there any harm with them having this certificate?
>
> "Brian Komar [MVP]" wrote:
>
>> Snowmizer@discussions.microsoft.com says...
>> > We are looking through our Issued certificates on our CA (Windows 2003
>> > Enterprise Edition) and have noticed that there are a couple of users
>> > who
>> > have Basic EFS certificates issued
>> > to them (multiple certs issued in a matter of minutes). My
>> > understanding is
>> > that these certificates are used with file encryption. We don't have
>> > encryption enabled on our network so I'm confused as to why only these
>> > two
>> > users have Basic EFS certificates instead of everyone in the company.
>> > From
>> > everything I have read so far it appears that these certificates get
>> > issued
>> > automatically. What are these certificates? How do they get issued? If
>> > they're issued automatically is there a way to tell what requested the
>> > certificate?
>> >
>> > I just need an explanation about how this happens and why.
>> >
>> > Thanks.
>> >
>> >
>> >
>> It appears that you do not have EFS blocked as you state. A client will
>> request a Basic EFS certificate automatically if EFS is enabled and they
>> either encrypt a file or save a file to a folder enabled for encryption.
>>
>> How did you go about disabling EFS?
>>
>> Brian
>>



Posted by Snowmizer on April 13, 2006, 9:30 am
Sorry about the Windows 2000 thing....yeah I missed the point with that one
but everything makes sense now. So I guess the only way to determine what is
requesting the certificate would be to revoke the certificates and then
disable them so they can't be requested and see if we get any errors from
these particular users. That would narrow down what they're doing that's
different from any of our other users.

Thanks everyone for verifying that I was interpreting things correctly. Now
I can comfortably explain this to my boss.


"Roger Abell [MVP]" wrote:

> >I didn't actually ever disable the ability to obtain a Basic EFS
> >certificate.
>
> If you want to explicitly disable use of EFS encryption there is a
> policy setting you can use via GPO so that users on client systems
> would not, at their option, choose to use EFS to encrypt files.
>
> I believe the issue you have is actually in determining why you see
> repeated certs issued to the same user in a short interval, if, that is,
> you are correctly interpreting what trail you see.
>
>
> > I just know that we don't purposely have anything on our network
> > configured
> > to specifically use encryption. I don't know of any software that we have
> > that encrypts files. The fact that it's only associated with a couple of
> > our
> > users makes me believe they are visiting some site or something that needs
> > an
> > EFS certificate. Could this be the case? If so is there a way to find out
> > what is requesting the certificate? Is this something that is typically
> > disabled? Is there any harm with them having this certificate?
> >
> > "Brian Komar [MVP]" wrote:
> >
> >> Snowmizer@discussions.microsoft.com says...
> >> > We are looking through our Issued certificates on our CA (Windows 2003
> >> > Enterprise Edition) and have noticed that there are a couple of users
> >> > who
> >> > have Basic EFS certificates issued
> >> > to them (multiple certs issued in a matter of minutes). My
> >> > understanding is
> >> > that these certificates are used with file encryption. We don't have
> >> > encryption enabled on our network so I'm confused as to why only these
> >> > two
> >> > users have Basic EFS certificates instead of everyone in the company.
> >> > From
> >> > everything I have read so far it appears that these certificates get
> >> > issued
> >> > automatically. What are these certificates? How do they get issued? If
> >> > they're issued automatically is there a way to tell what requested the
> >> > certificate?
> >> >
> >> > I just need an explanation about how this happens and why.
> >> >
> >> > Thanks.
> >> >
> >> >
> >> >
> >> It appears that you do not have EFS blocked as you state. A client will
> >> request a Basic EFS certificate automatically if EFS is enabled and they
> >> either encrypt a file or save a file to a folder enabled for encryption.
> >>
> >> How did you go about disabling EFS?
> >>
> >> Brian
> >>
>
>
>

Posted by Paul Adare on April 13, 2006, 11:31 am
microsoft.public.security news group, Snowmizer

> Sorry about the Windows 2000 thing....yeah I missed the point with that one
> but everything makes sense now. So I guess the only way to determine what is
> requesting the certificate would be to revoke the certificates and then
> disable them so they can't be requested and see if we get any errors from
> these particular users. That would narrow down what they're doing that's
> different from any of our other users.
>
> Thanks everyone for verifying that I was interpreting things correctly. Now
> I can comfortably explain this to my boss.
>

Revoking the issued certificates and then disabling the certificate
template is also not going to get you any closer to figuring out what is
going on.
The only time EFS ever checks the certificate revocation list is when
one tries to add another user to an encrypted file, and that
functionality is only available in Windows XP and above and is not very
discoverable.
Disabling the certificate template also won't do any good as far as
preventing users from using EFS. If EFS can't get a certificate from a
CA it will simply create a self signed certificate and use that.
If you want to know who is using EFS simply check the subject of the
issued certificates.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
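
Added example, not part of any post in this thread: a PowerShell example of the check described above, listing who holds Basic EFS certificates by subject and how many were issued to the same subject in quick succession. The CSV rows are constructed sample data; the column names, the `EFS` template value, the function name `Get-EfsIssuanceSummary` and the 10-minute window are assumptions, not the CA's actual export format.

```powershell
# Constructed sample rows standing in for an export of the CA's issued
# certificates. Column names and values are assumptions for illustration.
$csv = @'
RequestID,RequesterName,CommonName,Template,NotBefore
101,CORP\asmith,Alice Smith,EFS,2006-04-10T09:14:05
102,CORP\asmith,Alice Smith,EFS,2006-04-10T09:16:40
103,CORP\asmith,Alice Smith,EFS,2006-04-10T09:17:02
104,CORP\bjones,Bob Jones,User,2006-04-10T10:00:00
105,CORP\cwu,Carol Wu,EFS,2006-04-11T13:30:00
106,CORP\cwu,Carol Wu,EFS,2006-04-12T08:05:00
'@

function Get-EfsIssuanceSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string]   $TemplateName = 'EFS',   # assumed template value in the export
        [timespan] $Window = [timespan]::FromMinutes(10)
    )
    $Rows |
        Where-Object { $_.Template -eq $TemplateName } |
        Group-Object CommonName |
        ForEach-Object {
            # Issue times for this subject, oldest first
            $times = @($_.Group | ForEach-Object {
                [datetime]::Parse($_.NotBefore, [cultureinfo]::InvariantCulture)
            } | Sort-Object)
            # Count issuances that follow the previous one within $Window
            $repeats = 0
            for ($i = 1; $i -lt $times.Count; $i++) {
                if (($times[$i] - $times[$i - 1]) -le $Window) { $repeats++ }
            }
            [pscustomobject]@{
                Subject         = $_.Name
                Requester       = ($_.Group | Select-Object -First 1).RequesterName
                Issued          = $times.Count
                FirstIssued     = $times[0]
                LastIssued      = $times[-1]
                RepeatsInWindow = $repeats
            }
        } |
        Sort-Object RepeatsInWindow -Descending
}

Get-EfsIssuanceSummary -Rows ($csv | ConvertFrom-Csv) | Format-Table -AutoSize
```

Certificates that EFS self-signs when it cannot get one from a CA never appear in the CA database, so this summary only covers CA-issued certificates.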

Posted by Snowmizer on April 13, 2006, 12:17 pm
Thanks for the guidance....it helps me out tremendously as far as
understanding what's happening.


"Paul Adare" wrote:

> microsoft.public.security news group, Snowmizer
>
> > Sorry about the Windows 2000 thing....yeah I missed the point with that one
> > but everything makes sense now. So I guess the only way to determine what is
> > requesting the certificate would be to revoke the certificates and then
> > disable them so they can't be requested and see if we get any errors from
> > these particular users. That would narrow down what they're doing that's
> > different from any of our other users.
> >
> > Thanks everyone for verifying that I was interpreting things correctly. Now
> > I can comfortably explain this to my boss.
> >
>
> Revoking the issued certificates and then disabling the certificate
> template is also not going to get you any closer to figuring out what is
> going on.
> The only time EFS ever checks the certificate revocation list is when
> one tries to add another user to an encrypted file, and that
> functionality is only available in Windows XP and above and is not very
> discoverable.
> Disabling the certificate template also won't do any good as far as
> preventing users from using EFS. If EFS can't get a certificate from a
> CA it will simply create a self signed certificate and use that.
> If you want to know who is using EFS simply check the subject of the
> issued certificates.
>
> --
> Paul Adare - MVP Virtual Machines
> It all began with Adam. He was the first man to tell a joke--or a lie.
> How lucky Adam was. He knew when he said a good thing, nobody had said
> it before. Adam was not alone in the Garden of Eden, however, and does
> not deserve all the credit; much is due to Eve, the first woman, and
> Satan, the first consultant." - Mark Twain
>
